pexcn / docker-images

Personally made docker images.
GNU General Public License v3.0

todo list #3

Open pexcn opened 3 years ago

pexcn commented 3 years ago
# mysql
-v $(pwd)/conf:/etc/mysql/conf.d
-v $(pwd)/logs:/logs
pexcn commented 2 years ago

TODO: also disable the service on HTTP port 8123

{"level":"warn","ts":1636820412.6646771,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [pve.local.pexcn.me]: parsing OCSP response: ocsp: error from server: unauthorized"}
{"level":"info","ts":1636537030.2617736,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1636537030.2618124,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
 # reverse proxy to home assistant endpoint
 https://home.local.pexcn.me {
        encode zstd gzip
-       tls /cert/home.pexcn.me_ecc/fullchain.cer /cert/home.pexcn.me_ecc/home.pexcn.me.key
+       tls /cert/home.pexcn.me_ecc/fullchain.cer /cert/home.pexcn.me_ecc/home.pexcn.me.key {
+               protocols tls1.3 tls1.3
+       }

        reverse_proxy 127.0.0.1:8124 {
                header_up Host {host}
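Review bot: `protocols tls1.3 tls1.3` on the added line is redundant; Caddy's `tls` subdirective takes `protocols <min> [<max>]`, and the second hunk writes the same restriction as `protocols tls1.3`, so pick one spelling for both sites. Pinning both ends to 1.3 also refuses any client that can only negotiate TLS 1.2, which is presumably the intent but is worth confirming against the devices that reach this endpoint.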
@@ -27,7 +29,9 @@ https://home.local.pexcn.me {
 # reverse proxy to home assistant endpoint (external)
 https://home.pexcn.me:8123 {
        encode zstd gzip
-       tls /cert/home.pexcn.me_ecc/fullchain.cer /cert/home.pexcn.me_ecc/home.pexcn.me.key
+       tls /cert/home.pexcn.me_ecc/fullchain.cer /cert/home.pexcn.me_ecc/home.pexcn.me.key {
+               protocols tls1.3
+       }
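Review bot: `protocols tls1.3` here and `protocols tls1.3 tls1.3` in the first hunk are the same restriction written two ways; keep the two blocks consistent. The TODO above this diff still stands: tightening the TLS version on the `:8123` listener does nothing for the plain-HTTP 8123 service the note says should be disabled, so that should go in the same change.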
pexcn commented 2 years ago

caddy file-server

docker run --rm \
  --name caddy \
  --network host \
  -v $(pwd)/Caddyfile:/etc/caddy/Caddyfile \
  caddy

:8000 {
        root * /root/cd
        file_server browse {
                precompressed zstd br gzip
        }
}
pexcn commented 2 years ago

FIXME

# caddyfile
-               header_up X-Real-IP {remote}
-               header_up X-Forwarded-For {remote}
+               header_up X-Real-IP {remote_host}
+               header_up X-Forwarded-For {remote_host}
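Review bot: the switch from `{remote}` to `{remote_host}` is the right fix for both headers: in Caddy v2 `{remote}` expands to the client address including the port, so upstreams were receiving `ip:port` in X-Real-IP and X-Forwarded-For, whereas `{remote_host}` is the IP alone. Two follow-ups: Caddy's `reverse_proxy` already populates X-Forwarded-For from the client address, so the explicit `header_up X-Forwarded-For` line is redundant; and `{remote_host}` is the TCP peer, so if another proxy ever sits in front of Caddy the upstream will see that proxy's IP unless `trusted_proxies` is configured.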
pexcn commented 2 years ago

FIXME: adguardhome cannot set bind_host: 192.168.1.1; it is reverted after startup

pexcn commented 2 years ago

su use -s param: https://github.com/nginxinc/docker-nginx/blob/92973a30900b2ed881d208d10cadade34bbbab33/mainline/alpine/Dockerfile#L66

-s SH   Shell to use instead of user's default
pexcn commented 2 years ago

https://www.v2ex.com/t/851718#r_11642533

1. Block inbound ping.
-A INPUT -p icmp --icmp-type echo-request -j DROP

2. Stop the server from replying with ICMP port unreachable and host unreachable messages.
-A OUTPUT -p icmp --icmp-type port-unreachable -j DROP
-A OUTPUT -p icmp --icmp-type host-unreachable -j DROP

3. Stop the server from replying with a TCP reset for ports with no listener (flags set to RST,ACK).
-A OUTPUT -p tcp --tcp-flags ALL RST,ACK -j DROP

4. Try not to manage the server over a direct SSH connection.
5. Placing the port somewhere in the 16384-16389 range is a better choice.
pexcn commented 1 year ago
# refine log output, check these commands
exec 2>&1         # point stderr at whatever stdout currently is
exec 1>/dev/null  # then discard stdout; stderr keeps the original stdout