end

4 years ago · c13ef5230f
6 changed files with 102 additions and 0 deletions
--- a/conf/ipwhitelist.conf
+++ b/conf/ipwhitelist.conf
@ -0,0 +1,2 @@
 allow 146.19.174.104;
 allow 103.20.235.147;
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -0,0 +1,79 @@
 user  root root;
 worker_processes  auto;
 error_log  /var/log/nginx/error.log notice;
 pid        /var/run/nginx.pid;
 events {
    worker_connections  1024;
 }
 http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /www/wwwlogs/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;
    server {
      listen       80;
      listen  [::]:80;
      server_name  localhost;
      #access_log  /var/log/nginx/host.access.log  main;
      location / {
          root   /usr/share/nginx/html;
          index  index.html index.htm;
      }
      #error_page  404              /404.html;
      # redirect server error pages to the static page /50x.html
      #
      error_page   500 502 503 504  /50x.html;
      location = /50x.html {
          root   /usr/share/nginx/html;
      }
    }
 }
 stream {
  log_format proxy '$remote_addr [$time_local]:$proxy_protocol_addr '
               '|$ssl_preread_server_name  '
               '|$protocol |$status $bytes_sent $bytes_received '
               '|$session_time |"$upstream_addr" '
               '|"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
  access_log  /www/wwwlogs/tcp-access.log proxy;
  open_log_file_cache off;
  # 加一组 map，根据规则过滤 $ssl_preread_server_name （也就是请求的 SNI）
  # 将过滤过的 SNI 存入自定义变量 $filtered_sni_name，
  # 如果没有匹配到任何规则，则默认为一个 443 端口没有服务的本地回环。
  map $ssl_preread_server_name $filtered_sni_name {
      include /etc/nginx/unlock.conf;
      default "127.255.255.255";
  }
  server {
      resolver 1.1.1.1;
      listen 443;
      ssl_preread on;
      include /etc/nginx/ipwhitelist.conf;
      deny  all;
      # 只代理经过 SNI 过滤的流量，
      # 其他流量都被丢入不存在的地址
      proxy_pass $filtered_sni_name:443;
  }
 }
--- a/conf/unlock.conf
+++ b/conf/unlock.conf
@ -0,0 +1,8 @@
 ~^(.*|)netflix\.com$ $ssl_preread_server_name;
 ~^(.*|)netflix\.net$ $ssl_preread_server_name;
 ~^(.*|)nflximg\.com$ $ssl_preread_server_name;
 ~^(.*|)nflximg\.net$ $ssl_preread_server_name;
 ~^(.*|)nflxvideo\.net$ $ssl_preread_server_name;
 ~^(.*|)nflxext\.com$ $ssl_preread_server_name;
 ~^(.*|)nflxso\.net$ $ssl_preread_server_name;
 ~^(.*|)fast\.com$ $ssl_preread_server_name;
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,13 @@
 version: '3'
 services:
  netflix-unlock:
    container_name: un-nf
    image: nginx
    ports:
      - 8443:443
    privileged: true
    volumes:
      - /data/NFNginx/conf/nginx.conf:/etc/nginx/nginx.conf
      - /data/NFNginx/conf/unlock.conf:/etc/nginx/unlock.conf
      - /data/NFNginx/conf/ipwhitelist.conf:/etc/nginx/ipwhitelist.conf
      - /data/NFNginx/logs:/www/wwwlogs
--- a/logs/nginx/access.log
+++ b/logs/nginx/access.log
--- a/logs/tcp-access.log
+++ b/logs/tcp-access.log
	`@ -0,0 +1,2 @@`
					`allow 146.19.174.104;`
					`allow 103.20.235.147;`