Prerequisites
- The domain is already delegated to Cloudflare.
- Nginx is installed on the host machine.
- WordPress is installed in Docker.
Steps
1. Install cloudflared
brew install cloudflared
2. Log in / authenticate to Cloudflare from the command line
cloudflared tunnel login
3. Create the tunnel (via the Cloudflare UI)
Search for "tunnel" (the "Go to..." box at the top of the page), jump to the Tunnels page and follow the prompts to create the tunnel.
While the tunnel is being created the DNS CNAME record is created automatically; do not create one by hand, or the two will conflict.

4. Add one or more service mappings (Public Hostname -> local origin; for the setup below the origin is the Nginx listener on http://localhost:8080)

5. Install the tunnel as a service.
Test by hand before installing the service, using the token shown by the Cloudflare UI when the tunnel was created (the token embeds the account ID, tunnel ID and tunnel secret, so it is shown here as a placeholder):
cloudflared tunnel run --token <TUNNEL_TOKEN>
Install the service:
sudo cloudflared service install <TUNNEL_TOKEN>
After installation the service file /Library/LaunchDaemons/com.cloudflare.cloudflared.plist is created.
Start the tunnel
sudo launchctl bootstrap system /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
Verify that the tunnel service was installed
sudo launchctl list | grep cloudflared
The output columns are PID, last exit status and label; a status of 0 means it is running normally.
cat /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
tail -n200 -f /Library/Logs/com.cloudflare.cloudflared.err.log
Stopping the tunnel
Stop the service
sudo launchctl stop system/com.cloudflare.cloudflared
Start the service
sudo launchctl kickstart system/com.cloudflare.cloudflared
Disable the service
sudo launchctl disable system/com.cloudflare.cloudflared
Enable the service
sudo launchctl enable system/com.cloudflare.cloudflared
Remove the service
sudo launchctl bootout system /Library/LaunchDaemons/com.cloudflare.cloudflared.plist
Protecting the admin page - WordPress wp-config.php configuration
// Local requests (loopback) use the plain-HTTP Nginx listener; everything else uses the public HTTPS hostname
if ($_SERVER['REMOTE_ADDR'] === '127.0.0.1' || $_SERVER['REMOTE_ADDR'] === '::1') {
    define('WP_HOME', 'http://localhost:8080');
    define('WP_SITEURL', 'http://localhost:8080');
} else {
    define('WP_HOME', 'https://www.tech616.xyz');
    define('WP_SITEURL', 'https://www.tech616.xyz');
}
// Let the host forwarded by the proxy take precedence over the container's own Host header
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
// Force HTTPS for non-local access
if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1' && $_SERVER['REMOTE_ADDR'] !== '::1') {
    define('FORCE_SSL_ADMIN', true);
}
/* That's all, stop editing! Happy publishing. */
...
Protecting the admin page - Nginx configuration
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    server {
        listen 8080;
        server_name localhost;
        # Proxy to the Docker container
        location / {
            proxy_pass http://localhost:8090; # WordPress container port
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        # Restrict /wp-admin/ to local access only
        # (note: cloudflared runs on this same host, so tunneled requests also arrive from 127.0.0.1)
        location /wp-admin/ {
            allow 127.0.0.1;
            allow ::1; # IPv6 loopback
            # allow <your-public-ip>; # replace with your public IP, e.g. 203.0.113.1, and change wp-config.php to match
            deny all;
            proxy_pass http://localhost:8090;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        # Block access to sensitive files
        location ~* /(wp-config\.php|readme\.html|license\.txt) {
            deny all;
        }
    }
    include servers/*;
}
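Because cloudflared runs on this same Mac, every request that comes in through the tunnel reaches the 8080 listener from 127.0.0.1 and therefore satisfies "allow 127.0.0.1" just like a local browser does; cloudflared forwards the visitor's real address in the CF-Connecting-IP header. The server block below is an added example, not part of the original notes: it uses the realip module to take $remote_addr from that header only for connections arriving from the loopback, so a local browser (which sends no such header) stays allowed while tunneled visitors are judged by their real address. It assumes nginx was built with --with-http_realip_module (check the output of nginx -V) and uses 203.0.113.1 as a placeholder for your own public IP.

```nginx
# Added example: tunnel-aware /wp-admin/ lockdown for the setup in these notes.
# cloudflared connects to this listener over the loopback, so without realip every
# tunneled request has $remote_addr = 127.0.0.1 and passes the local allow rule.
server {
    listen 8080;
    server_name localhost;

    # Trust CF-Connecting-IP only when the TCP peer is cloudflared on this host.
    # A local browser sends no CF-Connecting-IP, so its $remote_addr stays 127.0.0.1.
    # Cloudflare sets this header at its edge, so a tunneled visitor cannot choose it.
    set_real_ip_from 127.0.0.1;
    set_real_ip_from ::1;
    real_ip_header CF-Connecting-IP;

    location / {
        proxy_pass http://localhost:8090;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;   # now the visitor address, not 127.0.0.1
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # After realip, $remote_addr is the visitor's address for tunneled requests,
    # so the allow/deny list now distinguishes "browser on this Mac" from "the internet".
    location /wp-admin/ {
        allow 127.0.0.1;        # browser on this Mac
        allow ::1;
        # allow 203.0.113.1;    # optional: your own public IP (placeholder value)
        deny all;               # everyone else arriving through the tunnel
        proxy_pass http://localhost:8090;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Note that wp-login.php lives outside /wp-admin/, so this block (like the original one) does not cover the login form itself.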