To hand out second-level domain names on the home network, CNAME records have to be defined.
The router is a Phicomm K2 flashed with Pandora firmware.
Log in over ssh, edit /etc/storage/dnsmasq/dnsmasq.conf and add the following:
https://gist.github.com/feilongfl/df38d9410a2a19ed9c430d01cbee907b
cname=f.lan,feilong-server.lan
cname=home.f.lan,feilong-server.lan
cname=huginn.f.lan,feilong-server.lan
cname=feilong.f.lan,feilong-server.lan
cname=server.f.lan,feilong-server.lan
cname=ttrss.f.lan,feilong-server.lan
cname=transmission.f.lan,feilong-server.lan
cname=bt.lan,feilong-server.lan
cname=status.f.lan,feilong-server.lan
cname=drive.f.lan,feilong-server.lan
cname=ipfs.f.lan,feilong-server.lan
cname=ipfs-api.f.lan,feilong-server.lan
Because of a limitation of the Pandora firmware, the edited configuration must be written to flash by hand; run:
mtd_storage.sh save
The server's hostname is feilong-server.lan, so dnsmasq already resolves that name on its own and the CNAME targets above all point at it.
For the second-level names to actually work, nginx has to be configured as a reverse proxy.
In the http section of nginx.conf add:
include /etc/nginx/reverse-proxy.conf;
include /etc/nginx/reverse-proxy-https.conf;
The certificates are stored under /ssl/server.
Gist for the self-signed certificate: https://gist.github.com/feilongfl/713626c7ab3e82c3256d1fdf9889be2f
Configure /etc/nginx/reverse-proxy.conf:
server
{
    listen 80;
    server_name status.f.lan;
    rewrite ^(.*)$ https://$host$1 permanent;
    location / {
        proxy_redirect off;
        proxy_set_header host $host;
        proxy_set_header x-real-ip $remote_addr;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:19999;
    }
    access_log /var/log/nginx/${host}_access.log;
}
Run https://gist.github.com/feilongfl/5738dd0127f6324ccbed6b06dcb60ceb to generate the matching https configuration:
#!/usr/bin/env fish
# Keep the previously generated file, then rebuild it from the plain-HTTP vhosts.
mv /etc/nginx/reverse-proxy-https.conf /etc/nginx/reverse-proxy-https.conf.bak
# Pair every server_name line with the proxy_pass line that follows it (the two lines
# are joined with a space so the match does not depend on indentation) and emit
# one "host<TAB>upstream" record per vhost.
for l in (grep -E '(server_name)|(proxy_pass)' /etc/nginx/reverse-proxy.conf | sed 'N;s/\n/ /' | sed -r 's/.*server_name (.*); +proxy_pass (.*);/\1\t\2/g')
    set h (echo $l | cut -f1)
    set p (echo $l | cut -f2)
    # Single quotes keep the nginx variables literal; only $h and $p are expanded.
    echo 'server {
    listen 443 ssl;
    server_name '$h';
    ssl_certificate /ssl/server.crt;
    ssl_certificate_key /ssl/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_redirect off;
        proxy_set_header host $host;
        proxy_set_header x-real-ip $remote_addr;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass '$p';
    }
    access_log /var/log/nginx/'$h'_access.log;
    error_log /var/log/nginx/'$h'_error.log;
}
' | tee -a /etc/nginx/reverse-proxy-https.conf
end
systemctl restart nginx
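The sed pipeline above only works when the server_name and proxy_pass lines sit next to each other and the second one is indented. As an added example (not the author's gist), here is the same generator in Python with a brace-aware parser, plus a check that every name published through a dnsmasq cname= entry has a TLS vhost: a name that resolves but has no server_name falls through to nginx's default server and gets the wrong certificate or site. The sample configs are constructed inline; a real run would read the two files from disk.

```python
import re

# Constructed sample inputs mirroring the page's files; a real run reads them from disk.
DNSMASQ_CONF = "cname=status.f.lan,feilong-server.lan\ncname=drive.f.lan,feilong-server.lan\n"
HTTP_CONF = """server {
    listen 80; server_name status.f.lan;
    location / { proxy_pass http://127.0.0.1:19999; }
}"""
HTTPS_TEMPLATE = """server {{
    listen 443 ssl;
    server_name {host};
    ssl_certificate /ssl/server.crt;
    ssl_certificate_key /ssl/server.key;
    location / {{
        proxy_set_header Host $host;
        proxy_pass {upstream};
    }}
}}
"""

def server_blocks(conf):
    """Top-level {...} bodies found by brace depth (assumes no braces in comments)."""
    blocks, depth, start = [], 0, 0
    for i, ch in enumerate(conf):
        if ch == "{":
            start = i if depth == 0 else start
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append(conf[start:i])
    return blocks

def parse_vhosts(conf):
    """server_name -> proxy_pass per block, regardless of indentation or line order."""
    vhosts = {}
    for block in server_blocks(conf):
        names = re.search(r"\bserver_name\s+([^;]+);", block)
        upstream = re.search(r"\bproxy_pass\s+([^;]+);", block)
        if names and upstream:
            for name in names.group(1).split():
                vhosts[name] = upstream.group(1).strip()
    return vhosts

def parse_cnames(conf):
    return {m.group(1) for m in re.finditer(r"^cname=([^,\s]+),", conf, re.M)}

def check_coverage(cnames, vhosts):
    """CNAMEs with no TLS vhost hit nginx's default server; vhosts with no CNAME are unreachable by name."""
    return sorted(cnames - set(vhosts)), sorted(set(vhosts) - cnames)

def render_https(vhosts):
    return "".join(HTTPS_TEMPLATE.format(host=h, upstream=u) for h, u in sorted(vhosts.items()))
```

With the sample inputs, check_coverage reports drive.f.lan as a CNAME without a vhost, and render_https emits one listen 443 block for status.f.lan.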
Import the self-signed root certificate into the system trust store (see https://www.archlinux.org/news/ca-certificates-update/) so that git/wget/curl/aria2/... stop failing with certificate errors; for browsers, import it in the browser itself:
sudo ln -s /ssl/rootCA.pem /etc/ca-certificates/trust-source/anchors/feilong.pem
sudo trust extract-compat