Building a pkg.go.dev mirror with docker-compose + Nginx

Nginx configuration file

upstream settings

```nginx
upstream pkggo {
    server pkg.go.dev:443;
    keepalive 32;
}
```

`keepalive 32` keeps up to 32 idle connections to the upstream open per worker process. It only takes effect if the proxying location also sets `proxy_http_version 1.1` and clears the `Connection` header with `proxy_set_header Connection "";`, which is still commented out in the location block below.

Proxy server settings (the server block)

Domain name and local service

```nginx
    listen 443 ssl http2;
    server_name wchajl.fun;
```

SSL security settings

```nginx
    ssl_certificate /var/www/cert/wchajl.pem;  # location of the PEM certificate
    ssl_certificate_key /var/www/cert/wchajl.key;  # location of the private key
    ssl_protocols TLSv1.2 TLSv1.3;  # protocols to enable; the possible versions are [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /var/www/cert/wchajl.pem;

    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;
    ssl_session_tickets off;
```
  • ssl_trusted_certificate:
    Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.
    Points at the PEM CA certificates used to verify client certificates; if ssl_stapling is enabled, they are also used to verify the OCSP response.

  • ssl_stapling:
    Enables or disables stapling of OCSP responses by the server.
    For the OCSP stapling to work, the certificate of the server certificate issuer should be known.
    If the ssl_certificate file does not contain intermediate certificates, the certificate of the server certificate issuer should be present in the ssl_trusted_certificate file.
    For a resolution of the OCSP responder hostname, the resolver directive should also be specified.
    Generally used with self-signed certificates? (Stapling fetches the OCSP response from the issuing CA's responder, so it only applies to CA-issued certificates; a self-signed certificate has no responder to query and nothing to staple.)

  • ssl_stapling_verify:
    Enables or disables verification of OCSP responses by the server.
    For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

  • ssl_ciphers:
    Specifies the enabled ciphers.
    The ciphers are specified in the format understood by the OpenSSL library

  • ssl_prefer_server_ciphers:
    Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.

  • ssl_session_cache:
    Sets the types and sizes of caches that store session parameters. A cache can be of any of the following types:
    • off
    • none
    • builtin
    • shared

  • ssl_session_timeout:
    Specifies a time during which a client may reuse the session parameters.

  • ssl_session_tickets:
    Enables or disables session resumption through TLS session tickets.
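An added example (not from the original post) that audits the `ssl_ciphers` string above with the local OpenSSL through Python's standard `ssl` module, so it runs offline. It assumes the cipher string copied from the configuration and the policy the configuration clearly intends: every TLS 1.2 suite that ends up enabled must use forward-secret key exchange (ECDHE or DHE) and an AEAD cipher (GCM or CHACHA20-POLY1305). TLS 1.3 suites are not governed by `ssl_ciphers` and are filtered out of the report.

```python
"""Audit an nginx ssl_ciphers string against a forward-secrecy + AEAD policy.

Added example, not part of the original post. Assumes the cipher string from
the nginx configuration above and whatever OpenSSL the local Python links to.
"""
import ssl
from typing import List

# Cipher string copied from the nginx configuration above.
NGINX_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def build_context(cipher_string: str) -> ssl.SSLContext:
    """Server-side context mirroring the nginx directives:
    TLS 1.2 and 1.3 only, the given cipher list, session tickets disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # ssl_protocols TLSv1.2 TLSv1.3
    ctx.set_ciphers(cipher_string)                 # ssl_ciphers ...
    ctx.options |= ssl.OP_NO_TICKET                # ssl_session_tickets off
    return ctx


def tls12_ciphers(cipher_string: str) -> List[str]:
    """Names of the TLS 1.2 suites OpenSSL actually enables for the string.
    TLS 1.3 suites are configured separately, so they are excluded here."""
    ctx = build_context(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def is_forward_secret(name: str) -> bool:
    """Ephemeral (EC)DH key exchange: a leaked server key does not expose old sessions."""
    return name.startswith(("ECDHE-", "DHE-"))


def is_aead(name: str) -> bool:
    """Authenticated encryption: no CBC/HMAC constructions."""
    return "-GCM-" in name or "CHACHA20-POLY1305" in name


def weak_suites(cipher_string: str) -> List[str]:
    """Suites enabled by the string that violate the forward-secrecy + AEAD policy."""
    return [n for n in tls12_ciphers(cipher_string)
            if not (is_forward_secret(n) and is_aead(n))]


if __name__ == "__main__":
    print("enabled TLS 1.2 suites:")
    for name in tls12_ciphers(NGINX_CIPHERS):
        print("  ", name)
    print("policy violations in the nginx string:", weak_suites(NGINX_CIPHERS))
    # A permissive string shows what the audit would catch (RSA key exchange, CBC):
    print("policy violations in 'HIGH':", weak_suites("HIGH")[:5], "...")
```

Run it on any host that will serve the configuration; an OpenSSL build that silently drops some of the listed suites (older builds lack CHACHA20, for example) shows up as a shorter enabled list rather than a policy violation, which is exactly what you want to know before relying on the string.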

Path settings

  • Path settings: the whole site is served from a single `location / { ... }` block, shown in full below.

#### Proxy settings

```nginx
    location / {
        proxy_pass https://pkggo;  # forward the request to the servers defined in upstream pkggo (the path-forwarding rule)
        proxy_redirect https://pkg.go.dev https://wchajl.fun;  # rewrite Location and Refresh headers in the proxied response

        # adjust the request sent over HTTPS to the upstream
        proxy_set_header Host pkg.go.dev;  # set the Host request header to pkg.go.dev
        proxy_set_header Accept-Encoding "";  # request an uncompressed body so sub_filter can rewrite it
        #proxy_set_header Connection "";

        # handle response header fields
        proxy_hide_header referrer-policy;
        proxy_hide_header content-security-policy;
        proxy_hide_header Strict-Transport-Security;
        proxy_hide_header set-cookie;  # no cookies are set on the client
        proxy_hide_header x-pjax-url;

        add_header x-pjax-url "https://wchajl.fun$request_uri";
        #add_header X-FastGit-Node "azure-ea-0";

        proxy_http_version 1.1;  # HTTP version used towards the upstream
        proxy_connect_timeout 10s;
        proxy_read_timeout 10s;

        # Not supported when installed from Debian source
        # proxy_socket_keepalive on;

        sub_filter "\"https://pkg.go.dev" "\"https://wchajl.fun";
        sub_filter_once off;
    }
```

Two points worth checking before deploying this block. nginx does not verify the upstream's TLS certificate unless `proxy_ssl_verify on` is set (with `proxy_ssl_trusted_certificate` pointing at a CA bundle), and it does not send SNI to the upstream unless `proxy_ssl_server_name on` is set, so as written the HTTPS leg to pkg.go.dev is encrypted but not authenticated. Hiding `content-security-policy` and `Strict-Transport-Security` is what lets the rewritten page load from the mirror's domain, but it also removes those two protections for everyone who visits the mirror.

proxy_redirect
Syntax: proxy_redirect default; proxy_redirect off; proxy_redirect redirect replacement;
Default: proxy_redirect default;
Context: http, server, location
  • Sets the text that should be changed in the “Location” and “Refresh” header fields of a proxied server response.

    Sets the “Location” and “Refresh” header fields in the proxied server's response, i.e. it post-processes the HTTP response: when the proxied server returns a response, the path in the response is replaced with the specified one.

    will rewrite this string to “Location: http://frontend/one/some/uri/”.

  • A server name may be omitted in the *replacement* string:
    proxy_redirect http://localhost:8000/two/ /;
    then the primary server’s name and port, if different from 80, will be inserted.
  • The default replacement specified by the default parameter uses the parameters of the location and proxy_pass directives. Hence, the two configurations below are equivalent:
    location /one/ {
      proxy_pass     http://upstream:port/two/;
      proxy_redirect default;
    }
    location /one/ {
      proxy_pass     http://upstream:port/two/;
      proxy_redirect http://upstream:port/two/ /one/;
    }
    The default parameter is not permitted if proxy_pass is specified using variables.
  • A *replacement* string can contain variables:
    proxy_redirect http://localhost:8000/ http://$host:$server_port/;
  • A *redirect* can also contain (1.1.11) variables:
    proxy_redirect http://$proxy_host:8000/ /;
  • The directive can be specified (1.1.11) using regular expressions. In this case, *redirect* should either start with the “~” symbol for a case-sensitive matching, or with the “~*” symbols for case-insensitive matching. The regular expression can contain named and positional captures, and *replacement* can reference them:
    proxy_redirect ~^(http://[^:]+):\d+(/.+)$ $1$2;
    proxy_redirect ~*/user/([^/]+)/(.+)$      http://$1.example.com/$2;
  • Several proxy_redirect directives can be specified on the same level:
    proxy_redirect default;
    proxy_redirect http://localhost:8000/  /;
    proxy_redirect http://www.example.com/ /;
  • If several directives can be applied to the header fields of a proxied server response, the first matching directive will be chosen.
  • The off parameter cancels the effect of the proxy_redirect directives inherited from the previous configuration level.
  • Using this directive, it is also possible to add host names to relative redirects issued by a proxied server:
    proxy_redirect / /;
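An added example (not nginx source and not from the original post) that models the proxy_redirect rules described above on a Location header value: exact-prefix rules, `~`/`~*` regular-expression rules with `$1`/`$name` captures, the `default` rule derived from location and proxy_pass, first-match-wins ordering, and server-name insertion when the replacement starts with `/`. It assumes the "frontend" host on port 80 from the documentation excerpt as the primary server, treats exact rules as plain prefix matches, and does not model variables such as `$host` in the replacement.

```python
"""Model of how nginx proxy_redirect rewrites a Location header.

Added example, not nginx code. Assumptions: the primary server is the
"frontend" host on port 80 from the nginx documentation excerpt above; exact
rules are plain prefix matches; regex rules use Python's re with $1/$name
captures mapped to Python group references; Refresh is not modelled separately.
"""
import re
from typing import List, Optional, Tuple

PRIMARY_SERVER_NAME = "frontend"  # assumed primary server name
PRIMARY_SERVER_PORT = 80          # the port is inserted only when it is not 80


def qualify(replacement: str) -> str:
    """A replacement without a server name gets the primary server inserted."""
    if replacement.startswith("/"):
        port = "" if PRIMARY_SERVER_PORT == 80 else ":%d" % PRIMARY_SERVER_PORT
        return "http://%s%s%s" % (PRIMARY_SERVER_NAME, port, replacement)
    return replacement


class Rule:
    """One proxy_redirect redirect/replacement pair."""

    def __init__(self, redirect: str, replacement: str) -> None:
        self.redirect = redirect
        self.regex = None
        self.template = replacement
        if redirect.startswith("~*"):
            self.regex = re.compile(redirect[2:], re.IGNORECASE)
        elif redirect.startswith("~"):
            self.regex = re.compile(redirect[1:])
        if self.regex is not None:
            # nginx captures $name / $1 -> Python template \g<name> / \1
            named = re.sub(r"\$([A-Za-z_]\w*)", r"\\g<\1>", replacement)
            self.template = re.sub(r"\$(\d+)", r"\\\1", named)

    def apply(self, location: str) -> Optional[str]:
        """Rewritten value, or None when this rule does not match."""
        if self.regex is not None:
            m = self.regex.search(location)
            return qualify(m.expand(self.template)) if m else None
        if location.startswith(self.redirect):
            return qualify(self.template) + location[len(self.redirect):]
        return None


def compile_rules(directives: List[Tuple[str, str]],
                  location: str = "/", proxy_pass: str = "") -> List[Rule]:
    """Turn directive pairs into rules; "default" uses location and proxy_pass."""
    rules = []
    for redirect, replacement in directives:
        if redirect == "default":
            rules.append(Rule(proxy_pass, location))
        else:
            rules.append(Rule(redirect, replacement))
    return rules


def rewrite_location(rules: List[Rule], value: str) -> str:
    """First matching rule wins; an unmatched header passes through unchanged."""
    for rule in rules:
        out = rule.apply(value)
        if out is not None:
            return out
    return value


if __name__ == "__main__":
    doc = compile_rules([("default", "")], location="/one/",
                        proxy_pass="http://upstream:8000/two/")
    print(rewrite_location(doc, "http://upstream:8000/two/some/uri/"))
    mirror = compile_rules([("https://pkg.go.dev", "https://wchajl.fun")])
    print(rewrite_location(mirror, "https://pkg.go.dev/net/http"))
    strip_port = compile_rules([(r"~^(http://[^:]+):\d+(/.+)$", "$1$2")])
    print(rewrite_location(strip_port, "http://localhost:8000/two/x"))
```

The mirror rule is the interesting one for this page: a redirect back to `https://pkg.go.dev/...` would otherwise carry the visitor off the mirror, so the rewrite keeps them on `wchajl.fun`, while a redirect to any other host passes through untouched.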

proxy_pass
Syntax: proxy_pass URL;
Default:
Context: location, if in location, limit_except
  • Sets the protocol and address of a proxied server and an optional URI to which a location should be mapped.

    Sets the protocol and address of the proxied server, plus an optional URI that the location is mapped to.

  • As a protocol, “http” or “https” can be specified.
  • The address can be specified as a domain name or IP address, and an optional port:
    proxy_pass http://localhost:8000/uri/;
    or as a UNIX-domain socket path specified after the word “unix” and enclosed in colons:
    proxy_pass http://unix:/tmp/backend.socket:/uri/;
  • If a domain name resolves to several addresses, all of them will be used in a round-robin fashion. In addition, an address can be specified as a server group.
  • Parameter value can contain variables.
    • In this case, if an address is specified as a domain name, the name is searched among the described server groups, and, if not found, is determined using a resolver.
  • A request URI is passed to the server as follows:
    • If the proxy_pass directive is specified with a URI, then when a request is passed to the server, the part of a normalized request URI matching the location is replaced by a URI specified in the directive:

      When the request is passed to the server, the part of it that matches the location is replaced by the URI given in the directive.

      location /name/ {
          proxy_pass http://127.0.0.1/remote/;
      }
    • If proxy_pass is specified without a URI, the request URI is passed to the server in the same form as sent by a client when the original request is processed, or the full normalized request URI is passed when processing the changed URI:

      When the original request is processed, the request URI is passed to the server exactly as the client sent it; when a changed URI is being processed, the full normalized request URI is passed instead.

      location /some/path/ {
          proxy_pass http://127.0.0.1;
      }
  • In some cases, the part of a request URI to be replaced cannot be determined:
    • When location is specified using a regular expression, and also inside named locations.

      When the location is defined with a regular expression, and also inside named locations.

      In these cases, proxy_pass should be specified without a URI.

      In these cases, proxy_pass must not be given a URI.
    • When the URI is changed inside a proxied location using the rewrite directive, and this same configuration will be used to process a request (break):

      When the URI was changed inside the proxied location by a rewrite directive and the same configuration is then used to process the request (break):

      location /name/ {
          rewrite    /name/([^/]+) /users?name=$1 break;
          proxy_pass http://127.0.0.1;
      }
    • When variables are used in proxy_pass:

      location /name/ {
          proxy_pass http://127.0.0.1$request_uri;
      }

      In this case, if URI is specified in the directive, it is passed to the server as is, replacing the original request URI.

      In this case, if a URI is given in the directive, it is passed to the server as is and replaces the original request URI.
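An added example (not nginx source and not from the original post) that models the URI-mapping rules above in one function: a proxy_pass with a URI replaces the location prefix, a proxy_pass without one forwards the client's URI unchanged, a URI changed by `rewrite ... break` is forwarded in full, variables in proxy_pass are substituted and passed as is, and a URI part combined with a regular-expression location is rejected the way nginx rejects it at configuration time. Assumptions: prefix locations only, an already normalized request URI, and only `$request_uri`, `$uri` and `$args` as variables; `rewritten_uri` stands in for the URI produced by a rewrite inside the location.

```python
"""Model of how nginx proxy_pass maps a request URI onto the upstream URL.

Added example, not nginx code. Assumptions: prefix locations, an already
normalized request URI, and only $request_uri/$uri/$args as variables.
rewritten_uri represents a URI changed by "rewrite ... break" in the location.
"""
from typing import Optional
from urllib.parse import urlsplit


def upstream_request(location: str, proxy_pass: str, request_uri: str,
                     location_is_regex: bool = False,
                     rewritten_uri: Optional[str] = None) -> str:
    """Return the URL nginx would request from the proxied server."""
    path, sep, args = request_uri.partition("?")

    # Variables in proxy_pass: the substituted URI is passed as is and
    # replaces the original request URI.
    if "$" in proxy_pass:
        return (proxy_pass.replace("$request_uri", request_uri)
                          .replace("$args", args)
                          .replace("$uri", path))

    parts = urlsplit(proxy_pass)
    base = "%s://%s" % (parts.scheme, parts.netloc)
    # "http://h/" carries the URI "/"; "http://h" carries no URI at all.
    has_uri = parts.path != ""

    if location_is_regex and has_uri:
        # nginx refuses this combination when it loads the configuration.
        raise ValueError('"proxy_pass" cannot have URI part in location '
                         'given by regular expression')

    if rewritten_uri is not None:
        # The URI was changed by rewrite ... break: the full changed URI is passed.
        return base + rewritten_uri

    if not has_uri:
        # No URI in the directive: the client's request URI is passed unchanged.
        return base + request_uri

    if not path.startswith(location):
        raise ValueError("request %s does not match location %s" % (path, location))
    # The part matched by the location is replaced by the directive's URI;
    # the rest of the path and the query string are appended.
    return base + parts.path + path[len(location):] + sep + args


if __name__ == "__main__":
    # The mirror's own location: "/" with a proxy_pass that carries no URI.
    print(upstream_request("/", "https://pkggo", "/net/http?tab=doc"))
    # The documentation examples above.
    print(upstream_request("/name/", "http://127.0.0.1/remote/", "/name/foo?x=1"))
    print(upstream_request("/some/path/", "http://127.0.0.1", "/some/path/a"))
    print(upstream_request("/name/", "http://127.0.0.1", "/name/alice",
                           rewritten_uri="/users?name=alice"))
    print(upstream_request("/name/", "http://127.0.0.1$request_uri", "/name/x?y"))
```

For the mirror this confirms that `proxy_pass https://pkggo;` without a URI sends the browser's path to pkg.go.dev untouched, which is what makes every package page resolve under the new host.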

proxy_hide_header
Syntax: proxy_hide_header field;
Default:
Context: http, server, location
  • By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-…” from the response of a proxied server to a client.
  • The proxy_hide_header directive sets additional fields that will not be passed.
  • If, on the contrary, the passing of fields needs to be permitted, the proxy_pass_header directive can be used.
  • Used to post-process the proxied server's response by hiding header fields that should not be passed on.

HTTP_SUB_MODULE

The ngx_http_sub_module module is a filter that modifies a response by replacing one specified string by another.

ngx_http_sub_module is a filter that replaces a specified string in the response with another string.

```nginx
        sub_filter "\"https://pkg.go.dev" "\"https://wchajl.fun";
        sub_filter_once off;
```

sub_filter

Syntax: sub_filter string replacement;
Default:
Context: http, server, location
  • Sets a string to replace and a replacement string.

    Sets the string to look for and the string to replace it with.

  • The string to replace is matched ignoring the case.

    The string being replaced is matched case-insensitively.

  • The string to replace (1.9.4) and replacement string can contain variables.
  • Several sub_filter directives can be specified on the same configuration level (1.9.4).
  • These directives are inherited from the previous configuration level if and only if there are no sub_filter directives defined on the current level.

sub_filter_once

Syntax: sub_filter_once on | off;
Default: sub_filter_once on;
Context: http, server, location
  • Indicates whether to look for each string to replace once or repeatedly.

    Says whether the search-and-replace for each string is performed only once or repeatedly throughout the response.
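An added example (not the nginx module and not from the original post) that applies the mirror's `sub_filter` pair to a constructed HTML body and shows the three behaviours that matter here: matching is case-insensitive, `sub_filter_once on` stops after the first hit while `off` rewrites every occurrence, and a body that arrives compressed from the upstream is not rewritten at all, which is why the location block sends `Accept-Encoding ""`. It also shows that the leading `"` in the pattern means single-quoted URLs are left as they are. Assumptions: `SAMPLE_HTML` is a constructed body, not a real pkg.go.dev page, and only `text/html` bodies are filtered, as with the default `sub_filter_types`.

```python
"""sub_filter semantics on a proxied response body.

Added example, not the ngx_http_sub_module code. Assumptions: the
string/replacement pair is the one from the mirror's location block;
SAMPLE_HTML is a constructed body; only text/html is filtered (the default
sub_filter_types); a compressed body is left untouched.
"""
import gzip
import re
from typing import Dict, Tuple

STRING = '"https://pkg.go.dev'        # sub_filter "\"https://pkg.go.dev" ...
REPLACEMENT = '"https://wchajl.fun'   # ... "\"https://wchajl.fun"

# Constructed sample body: double-quoted, upper-case and single-quoted links.
SAMPLE_HTML = (
    '<a href="https://pkg.go.dev/net/http">net/http</a>\n'
    '<link href="HTTPS://PKG.GO.DEV/static/main.css">\n'
    "<a href='https://pkg.go.dev/fmt'>fmt</a>\n"
    '<script>fetch("https://pkg.go.dev/api")</script>\n'
)


def sub_filter(body: str, string: str, replacement: str,
               once: bool = True) -> Tuple[str, int]:
    """Case-insensitive replacement; once=True mirrors sub_filter_once on.
    Returns the new body and the number of replacements made."""
    pattern = re.compile(re.escape(string), re.IGNORECASE)
    # A callable keeps the replacement literal (no backslash processing).
    return pattern.subn(lambda _m: replacement, body, count=1 if once else 0)


def filter_response(headers: Dict[str, str], body: bytes, string: str,
                    replacement: str, once: bool) -> Tuple[bytes, int]:
    """Apply the filter the way the module would: only to uncompressed text/html."""
    if headers.get("Content-Encoding"):
        return body, 0  # compressed upstream body: the filter cannot see the text
    if not headers.get("Content-Type", "").startswith("text/html"):
        return body, 0  # not covered by sub_filter_types
    text, n = sub_filter(body.decode("utf-8"), string, replacement, once)
    return text.encode("utf-8"), n


if __name__ == "__main__":
    html_headers = {"Content-Type": "text/html; charset=utf-8"}
    out, n = filter_response(html_headers, SAMPLE_HTML.encode(), STRING, REPLACEMENT, once=False)
    print(n, "replacements with sub_filter_once off:\n" + out.decode())
    _, n_once = filter_response(html_headers, SAMPLE_HTML.encode(), STRING, REPLACEMENT, once=True)
    print(n_once, "replacement with sub_filter_once on")
    gz_headers = {"Content-Type": "text/html", "Content-Encoding": "gzip"}
    _, n_gz = filter_response(gz_headers, gzip.compress(SAMPLE_HTML.encode()), STRING, REPLACEMENT, once=False)
    print(n_gz, "replacements when the upstream body is gzip-compressed")
```

The single-quoted `href='https://pkg.go.dev/fmt'` surviving the filter is the practical lesson: the pattern is deliberately narrow to avoid rewriting prose, so any upstream markup that quotes URLs differently still points at the original host.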

sub_filter_types