# Production infrastructure

## Architecture

```
Internet → VPS (public IP, nginx + SSL)
   ↕ WireGuard tunnel (encrypted, home IP hidden)
192.168.2.66 (nginx, port 80)
   ↓ LAN
192.168.2.33 (docker-compose, port 80)
```

- The home IP is never visible publicly
- SSL terminates on the VPS
- .66 initiates the WireGuard connection to the VPS, so there is zero port forwarding on the home router
## 1. WireGuard

Installation (VPS and .66):

```
apt install wireguard
```

VPS: key generation

```
wg genkey | tee /etc/wireguard/vps_private.key | wg pubkey > /etc/wireguard/vps_public.key
```

.66: key generation

```
wg genkey | tee /etc/wireguard/home_private.key | wg pubkey > /etc/wireguard/home_public.key
```

`/etc/wireguard/wg0.conf` on the VPS:

```
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <vps_private.key>

[Peer]
# .66 home server
PublicKey = <home_public.key>
AllowedIPs = 10.10.0.2/32
```

`/etc/wireguard/wg0.conf` on .66:

```
[Interface]
Address = 10.10.0.2/24
PrivateKey = <home_private.key>

[Peer]
# VPS
PublicKey = <vps_public.key>
Endpoint = <VPS_PUBLIC_IP>:51820
AllowedIPs = 10.10.0.1/32
PersistentKeepalive = 25
```

`PersistentKeepalive = 25` keeps the tunnel open through the home router's NAT.

Start (both machines):

```
systemctl enable --now wg-quick@wg0
```

Verification:

```
wg show          # tunnel status
ping 10.10.0.1   # from .66 to the VPS
ping 10.10.0.2   # from the VPS to .66
```
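`wg show` only tells you the tunnel is up if you read it by hand. The script below is an added example written for this page (it is not part of the q2dropzone repo) that turns the verification step into something cron or a monitor can run on the VPS: it parses the machine-readable `wg show wg0 dump` output and fails unless the home peer has completed a handshake within the last few minutes and still advertises exactly `10.10.0.2/32`. The `SAMPLE_DUMP` text is constructed for the offline run; the keys in it are placeholders and `203.0.113.10` stands in for the home router's public address, which only the VPS ever sees.

```shell
#!/bin/sh
# Added example (not part of the original repo): WireGuard tunnel health check
# for the VPS side. `wg show <iface> dump` is tab-separated: line 1 describes
# the interface, each following line is one peer with the columns
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (epoch),
# rx-bytes, tx-bytes, persistent-keepalive.

WG_IFACE="${WG_IFACE:-wg0}"
EXPECTED_PEER_IP="${EXPECTED_PEER_IP:-10.10.0.2/32}"
MAX_HANDSHAKE_AGE="${MAX_HANDSHAKE_AGE:-180}"   # seconds; keepalive is 25 s, so a 3 min gap means .66 is gone

# peer_fields DUMP: print "<allowed-ips> <latest-handshake-epoch>" for the first peer.
peer_fields() {
    printf '%s\n' "$1" | awk -F'\t' 'NR == 2 { print $4, $5 }'
}

# check_peer DUMP NOW: return 0 if the peer is healthy, 1 otherwise (prints the reason).
check_peer() {
    dump="$1"
    now="$2"
    set -- $(peer_fields "$dump")
    allowed="${1:-}"
    handshake="${2:-0}"

    if [ -z "$allowed" ]; then
        echo "FAIL: no peer configured on $WG_IFACE"
        return 1
    fi
    # A peer that suddenly announces a wider prefix could hijack routes on the VPS.
    if [ "$allowed" != "$EXPECTED_PEER_IP" ]; then
        echo "FAIL: AllowedIPs is $allowed, expected $EXPECTED_PEER_IP"
        return 1
    fi
    if [ "$handshake" -eq 0 ]; then
        echo "FAIL: peer has never completed a handshake"
        return 1
    fi
    age=$((now - handshake))
    if [ "$age" -gt "$MAX_HANDSHAKE_AGE" ]; then
        echo "FAIL: last handshake ${age}s ago (limit ${MAX_HANDSHAKE_AGE}s)"
        return 1
    fi
    echo "OK: handshake ${age}s ago, AllowedIPs $allowed"
    return 0
}

# Constructed sample of `wg show wg0 dump` on the VPS. Keys are placeholders;
# 203.0.113.10:51820 is a documentation address standing in for the home
# router's public endpoint.
SAMPLE_DUMP="$(printf '%s' "VPS_PRIVKEY_PLACEHOLDER=	VPS_PUBKEY_PLACEHOLDER=	51820	off
HOME_PUBKEY_PLACEHOLDER=	(none)	203.0.113.10:51820	10.10.0.2/32	1700000000	4096	8192	off")"

if [ "${RUN_LIVE:-0}" = 1 ]; then
    # Live check against the running interface (needs root for `wg show`).
    check_peer "$(wg show "$WG_IFACE" dump)" "$(date +%s)"
else
    # Offline demonstration: evaluate the sample 100 s after its handshake.
    check_peer "$SAMPLE_DUMP" 1700000100
fi
```

Run it as `RUN_LIVE=1 ./wg-check.sh` from root's crontab on the VPS and alert on a non-zero exit. Note that the first line of `wg show ... dump` contains the interface's private key, so never paste raw dump output into tickets or chat; the script only reads the peer line.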
## 2. Nginx on the VPS

SSL certificate:

```
apt install certbot python3-certbot-nginx
certbot certonly --nginx -d q2dropzone.xyz
```

`/etc/nginx/sites-available/q2dropzone.xyz`:

```
server {
    listen 80;
    server_name q2dropzone.xyz;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name q2dropzone.xyz;

    ssl_certificate /etc/letsencrypt/live/q2dropzone.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/q2dropzone.xyz/privkey.pem;

    client_max_body_size 6g;
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    proxy_connect_timeout 60s;

    location / {
        proxy_pass http://10.10.0.2:80;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
```

```
ln -s /etc/nginx/sites-available/q2dropzone.xyz /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx
```
## 3. Nginx on .66

`/etc/nginx/sites-available/q2dropzone.xyz`:

```
server {
    listen 80;
    server_name q2dropzone.xyz;

    client_max_body_size 6g;
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    proxy_connect_timeout 60s;

    location / {
        proxy_pass http://192.168.2.33:80;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
```

```
ln -s /etc/nginx/sites-available/q2dropzone.xyz /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx
```
## 4. Firewall

VPS:

```
ufw allow 51820/udp   # WireGuard
ufw allow 80/tcp      # HTTP (redirect to HTTPS)
ufw allow 443/tcp     # HTTPS
ufw enable
```

.66:

```
# port 80 only from the VPS's WireGuard IP
ufw allow in on wg0 from 10.10.0.1 to any port 80
ufw deny 80
ufw enable
```
## 5. .33: starting the application

```
git clone <repo> q2dropzone && cd q2dropzone
cp .env.example .env
nano .env   # fill in DB_PASSWORD, JWT_SECRET, DISK_ROOT
docker-compose up -d --build
```

## DNS

A record for q2dropzone.xyz → the VPS's public IP (not the home IP).

## Request flow

```
client
  → VPS:443 (SSL termination, proxy_pass over WireGuard)
  → .66:80 (proxy_pass over the LAN)
  → .33:80 (nginx in docker → Go backend)
```

Every nginx has `proxy_buffering off` and `proxy_request_buffering off`, so large files are streamed without being buffered to disk.