AskOverflow.Dev


Questions tagged [nginx] (unix)

Vee
Asked: 2025-04-07 10:24:19 +0800 CST

Unable to access static files for a subdomain in nginx

  • 5

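I have a static website and a Django application backend, running with gunicorn on port 8000 of the server.

I collected the static website's CSS files into /mywebsite-deployment/staticDir/homepage/css/static_website.css and the Django templates' CSS into /mywebsite-deployment/staticDir/dashboard/css/dashboard.css.

I can access the static website using mywebsite.com and www.mywebsite.com, along with its CSS, and I can access the Django backend using app.mywebsite.com, but its CSS does not load.

The template I am trying to access looks like this: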

{% load static %}

<html>

<head>
    <link href={% static '/dashboard/css/dashboard.css' %} rel="stylesheet" type="text/css" media="all" />
</head>

My Django application's settings.py looks like this:

STATICFILES_DIRS = [
    os.path.join(BASE_DIR, 'staticFiles'),
]

STATIC_ROOT = '/mywebsite-deployment/staticDir/'

STATIC_URL = 'static/'

Here is my nginx configuration:

    ssl_certificate         /etc/letsencrypt/live/mywebsite.co/fullchain.pem;    # managed by Certbot
    ssl_certificate_key     /etc/letsencrypt/live/mywebsite.co/privkey.pem;      # managed by Certbot
    
    root            /mywebsite-deployment/staticDir/;
    index           /homepage/index.html;
    error_page 404 500 502 503 504  /error.html;
    proxy_intercept_errors on;      # If proxy errors, let nginx process it
    
    # error_log /var/log/nginx/error.log info;
    
    server {
        # If host isn't a mywebsite host, close the connection to prevent host spoofing
        server_name _;
        listen 80 default_server;
        listen 443 ssl default_server;
    
        return 444;
    }
    
    # Redirect HTTP requests to HTTPS
    server {
        server_name mywebsite.co www.mywebsite.co app.mywebsite.co;
        listen 80;
        return 301  https://$host$uri;  # managed by Certbot
    }
    
    # Handle HTTPS static webserver requests
    server {
        server_name mywebsite.co www.mywebsite.co;
        listen 443  ssl;    # managed by Certbot
    }
    
    # Proxy HTTPS app requests to backend gunicorn service
    server {
        server_name     app.mywebsite.co;
        listen 443  ssl;    # managed by Certbot
    
        location / {    # Catch all - Match everything else not matched in any above location blocks within this server block
            proxy_redirect off;    # Stop redirects from proxy
    
            proxy_connect_timeout 3;    # Abort if service is unreachable
            proxy_read_timeout 3;       # Abort if the service is unresponsive
    
            include     proxy_params;
            proxy_pass  http://localhost:8000;
        }
    
        # If Gunicorn Django proxy app throws an error (like 404), nginx will handle it and show custom error page
        location /error.html {
            internal;
        }
    }

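When I inspect the template HTML in the browser, I see that the URL it tries to load is https://app.mywebsite.co/static/dashboard/css/dashboard.css, but it does not load.

I can access the homepage CSS at https://www.mywebsite.co/homepage/css/static_website.css and the dashboard CSS at https://www.mywebsite.co/dashboard/css/dashboard.css

How can I get the CSS to load in the dashboard with the correct path? I have a feeling this is an Nginx configuration problem, but I am new to Nginx and don't know how to fix it. Please help.

nginx
  • 1 answer
  • 33 Views
Harish
Asked: 2024-11-10 01:52:49 +0800 CST

Getting an nginx server to work on a domain and a subdomain (one static, the other served by a Next JS app)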

  • 6

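I have an Ubuntu 24.10 Digitalocean VPS on which I want to host two websites using Nginx.

One is website-name.com, where I want to host the static export of a Next JS website, whose contents I have copied to the /var/www/out folder, and the other is subdomain.website-name.com, where I want to host a Next JS app that is running on localhost:3000.

In the /etc/nginx/sites-available/ folder, I have a configuration file named myapp, which acts as a proxy for localhost:3000. This configuration file is as follows: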

limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

server {
    listen 80;
    server_name subdomain.website-name.com;

    # Redirect all HTTP requests to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name subdomain.website-name.com;

    ssl_certificate /etc/letsencrypt/live/website-name.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/website-name.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Enable rate limiting
    limit_req zone=mylimit burst=20 nodelay;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;

        # Disable buffering for streaming support
        proxy_buffering off;
        proxy_set_header X-Accel-Buffering no;
    }
}

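I have another configuration file in the /etc/nginx/sites-available/ folder for website-name.com, to serve the static website whose contents are available in the /var/www/out folder. This configuration file is as follows: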

server {
  listen 80;
  server_name website-name.com;

  root /var/www/out;

  location / {
      try_files $uri $uri.html $uri/ =404;
  }

  error_page 404 /404.html;
  location = /404.html {
      internal;
  }
}

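I got this configuration from the Next JS documentation page.

Instead of getting the static website at the URL https://website-name.com, I get the Next JS app that is running on localhost:3000.

At the URL https://subdomain.website-name.com I correctly get the Next JS app, as required.

I don't know what is going wrong. Can anyone help?

Note: I had also expanded the certbot certificate of website-name.com to subdomain.website-name.com (I followed the answer to this question). I have also created an A record for subdomain.website-name.com.

nginx
  • 1 answer
  • 15 Views
xpt
Asked: 2024-08-08 12:52:55 +0800 CST

nginx: too many redirects after adding an SSL certificate

  • 5

Before adding ssl_certificate, my nginx.conf was very simple: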

server {
    listen 80 default_server;

    index index.php index.html index.htm;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info  ^(.+\.php)(/.+)$;
        fastcgi_index            index.php;
        fastcgi_pass             php:9000;
        include                  fastcgi_params;
        fastcgi_read_timeout     1200s;
        fastcgi_param   PATH_INFO       $fastcgi_path_info;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

Then I followed the "set up letsencrypt with Nginx" guide here (replacing [domain-name] from beginning to end), and now my nginx.conf looks like this:

server {
    listen 80 default_server;

    server_name [domain-name] www.[domain-name];
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://[domain-name]$request_uri;
    }
}

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name [domain-name];

    ssl_certificate /etc/nginx/ssl/live/[domain-name]/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/[domain-name]/privkey.pem;
    
    location / {
        proxy_pass http://[domain-name];
    }

    index index.php index.html index.htm;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info  ^(.+\.php)(/.+)$;
        fastcgi_index            index.php;
        fastcgi_pass             php:9000;
        include                  fastcgi_params;
        fastcgi_read_timeout     1200s;
        fastcgi_param   PATH_INFO       $fastcgi_path_info;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

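See the changes here - https://www.diffchecker.com/bAfVjewE/,

I think it is quite simple, straightforward and reasonable.

However, my php site is completely broken: my chrome browser says it has entered infinite redirection ("too many redirects"), see note 2.

What could be the cause? How can I fix it?

Notes,

  1. Adding ssl_certificate is fine, but even if I test on an empty site, I get the infinite redirection.
  2. When the infinite redirection happens, the nginx log only prints ...[08/Aug/2024:15:xx:yy +0000] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Linux x86_64)..., even though I can see that the protocol in the browser has changed from http to https.

If I access it with curl, I get: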

$ curl -i https://my.site.name:443/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 08 Aug 2024 15:42:45 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://my.site.name/

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

The server log is:

[08/Aug/2024:15:42:45 +0000] "GET / HTTP/1.1" 301 162 "-" "curl/8.5.0" "my.ip"
[08/Aug/2024:15:42:45 +0000] "GET / HTTP/1.1" 301 162 "-" "curl/8.5.0" "-"

The error log is empty, because this is how my nginx logging is configured:

cd /var/log/nginx/

root@5b6a9033cb31:/var/log/nginx# ls -l
total 0
lrwxrwxrwx 1 root root 11 Jul 23 07:14 access.log -> /dev/stdout
lrwxrwxrwx 1 root root 11 Jul 23 07:14 error.log -> /dev/stderr
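nginx
  • 1 answer
  • 50 Views
xpt
Asked: 2024-08-02 20:17:29 +0800 CST

About Let's Encrypt certificate renewal and nginx

  • 5

This is my first time using Let's Encrypt, and this 101 question has most likely been answered somewhere already, but anyway, from https://eff-certbot.readthedocs.io/en/latest/using.html#setting-up-automated-renewal

Most Certbot installations come with automatic renewals preconfigured. This is done by means of a scheduled task which runs certbot renew periodically.

So, to keep things simple, I am using the Certbot docker container to obtain the certificate, and that container does not come with automatic renewal preconfigured, so I need to enable it myself.

The scheduled cron task is quite simple: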

0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q

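My question is: Let's Encrypt certificates are valid for three months, yet the official recommendation in the Certbot documentation says we need to attempt renewal every 12 hours.

I find that excessive. Does anyone know how early we can renew? (From "Renew Let's Encrypt certificate from the command line" I know the case without the --force-renewal option)

I mean, if renewal can happen 10 days in advance, then my cron job can be set to every 5 days; if 6 days in advance, I will use 3.

Also, does anyone know whether the return code of certbot renew can be used, after a renewal has actually happened, to notify my script so that it triggers a reload of my nginx configuration?

Thanks

nginx
  • 1 answer
  • 70 Views
Chris
Asked: 2024-06-01 23:55:59 +0800 CST

Bot crawl gets 301/redirect instead of 404, so it evades fail2ban. How does it get a 301 instead of a 404?

  • 5

I have fail2ban set up and it works very well for most scans. It triggers on any 4xx in the nginx error log. However, note the bot scan below. Somehow this bot causes my server to return a 301 instead of a 404 like all the other bots. How can that be? Because it is a 301 rather than a 4xx, it goes straight past my fail2ban and never gets banned. I want to detect and prevent this.

Any suggestions on how it does this and how to prevent it?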

178.20.44.82 - - [30/May/2024:21:28:48 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
178.20.44.82 - - [30/May/2024:21:28:49 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0"
178.20.44.82 - - [30/May/2024:21:28:49 +0000] "GET /.DS_Store HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15"
178.20.44.82 - - [30/May/2024:21:28:49 +0000] "GET /.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:49 +0000] "POST /.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
178.20.44.82 - - [30/May/2024:21:28:50 +0000] "GET /.env.prod HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:50 +0000] "POST /.env.prod HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
178.20.44.82 - - [30/May/2024:21:28:50 +0000] "GET /.env.production HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:51 +0000] "POST /.env.production HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:51 +0000] "GET /redmine/.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:51 +0000] "POST /redmine/.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:52 +0000] "GET /__tests__/test-become/.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:52 +0000] "POST /__tests__/test-become/.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:52 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0"
178.20.44.82 - - [30/May/2024:21:28:52 +0000] "POST / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:53 +0000] "GET /debug/default/view?panel=config HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:53 +0000] "GET /debug/default/view.html HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:53 +0000] "GET /debug/default/view HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0"
178.20.44.82 - - [30/May/2024:21:28:54 +0000] "GET /frontend/web/debug/default/view HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:54 +0000] "GET /web/debug/default/view HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:54 +0000] "GET /sapi/debug/default/view HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:54 +0000] "GET /_profiler/phpinfo HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:55 +0000] "GET /app_dev.php/_profiler/phpinfo HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:55 +0000] "GET /phpinfo.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:55 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:56 +0000] "GET /info.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0"
178.20.44.82 - - [30/May/2024:21:28:56 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"

The only 301 redirects I have are the ones set up by certbot:

server {
    if ($host = www.mydomainname.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = mydomainname.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
nginx
  • 1 answer
  • 35 Views
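
An added example, not part of the original post and not fail2ban's own code: one way to detect the scan above is to key on the requested path instead of the response status, so probes answered with a 301 are still counted. The probe pattern, the threshold of 3 hits and the 60-second window are assumptions to tune per site; the sample lines follow the post's log format with shortened user agents, and the 203.0.113.7 client is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths a normal visitor never requests (assumed list, modelled on the log above).
# /.well-known/ is deliberately not matched so ACME challenges stay untouched.
PROBE_RE = re.compile(
    r'(^|/)\.(env|git|DS_Store)(\.|/|$)'   # /.env, /.env.prod, /redmine/.env
    r'|phpinfo|/info\.php$'                # phpinfo pages
    r'|/debug/default/view',               # framework debug panels
    re.IGNORECASE,
)


def parse(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]
    return m["ip"], ts, m["method"], path, int(m["status"])


def find_scanners(lines, threshold=3, window=timedelta(seconds=60)):
    """Map each IP with >= threshold probe hits inside `window` to the
    sorted list of status codes those probes received."""
    hits = defaultdict(list)               # ip -> [(ts, path, status)]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, _method, path, status = rec
        if PROBE_RE.search(path):          # status is recorded, never filtered on
            hits[ip].append((ts, path, status))

    flagged = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({status for _, _, status in events})
                break
    return flagged


# Sample input: post-style lines (user agents shortened) plus a constructed benign client.
SAMPLE = [
    '178.20.44.82 - - [30/May/2024:21:28:48 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0"',
    '178.20.44.82 - - [30/May/2024:21:28:49 +0000] "GET /.DS_Store HTTP/1.1" 301 178 "-" "Mozilla/5.0"',
    '178.20.44.82 - - [30/May/2024:21:28:49 +0000] "GET /.env HTTP/1.1" 301 178 "-" "Mozilla/5.0"',
    '178.20.44.82 - - [30/May/2024:21:28:50 +0000] "POST /.env.prod HTTP/1.1" 301 178 "-" "Mozilla/5.0"',
    '178.20.44.82 - - [30/May/2024:21:28:55 +0000] "GET /phpinfo.php HTTP/1.1" 301 178 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/May/2024:21:29:00 +0000] "GET /.well-known/acme-challenge/abc HTTP/1.1" 200 87 "-" "acme-check"',
    '203.0.113.7 - - [30/May/2024:21:29:01 +0000] "GET /index.html HTTP/1.1" 301 178 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, statuses in find_scanners(SAMPLE).items():
        print(f"{ip} probed sensitive paths; statuses seen: {statuses}")
```

The same path-based pattern can be carried into a fail2ban filter that reads the access log, since the 301 lines shown in the post never reach a rule that only matches 4xx responses.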
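Kevin
Asked: 2024-04-17 01:36:39 +0800 CST

NGINX HTTPS not redirecting properly

  • 5

I followed Certbot's instructions to obtain an HTTPS certificate for NGINX for a domain on my Debian server, but HTTPS is not redirecting properly.

I have the following in etc/nginx/conf.d/app.conf, from Certbot's auto-generation: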

server {
    server_name mnpd.khkm.dev www.mnpd.khkm.dev;
    # listen 8080;
    server_tokens off;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        # return 301 https://mnpd.khkm.dev$request_uri;
        proxy_pass http://mnpd.khkm.dev;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mnpd.khkm.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mnpd.khkm.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = mnpd.khkm.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name mnpd.khkm.dev www.mnpd.khkm.dev;
    return 404; # managed by Certbot
}

In Chrome, when I visit https://mnpd.khkm.dev/, I get:

mnpd.khkm.dev redirected you too many times.
Try deleting your cookies.
ERR_TOO_MANY_REDIRECTS

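I found this Stack Overflow answer, and I looked at the Network tab in the web console and saw that the page keeps being redirected to https://mnpd.khkm.dev/. The NGINX configuration should be listening on HTTPS port 443, so why does it not load and keep redirecting instead? (I am expecting the default NGINX page to load.)

nginx
  • 1 answer
  • 13 Views
Barry
Asked: 2024-03-23 00:07:37 +0800 CST

nginx reload - effective memory leak

  • 8

When running nginx -s reload, nginx is meant to do a soft reload (gradually closing existing connections on the old processes, and serving new requests on the new processes).

It does do this, but it seems that (possibly) active requests on the old processes do not finish. This creates a runaway situation where, if reload is attempted multiple times, the server will eventually run out of memory.

Is there a way (perhaps a C++ module?) to dump the connections that nginx is serving on a particular Linux pid?
I am not sure how to tackle this unless I can work out exactly what is not allowing nginx to shut itself down.
(I can't just turn off sites to divide and conquer; it is a live client server with 200+ sites)

nginx version: nginx/1.24.0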

nginx
  • 1 answer
  • 64 Views
isysrg
Asked: 2024-03-11 17:21:34 +0800 CST

What websocat command arguments are equivalent to this nginx custom configuration?

  • 5

I have this nginx custom configuration:

server {
  listen 8080;
  server_name           subdomain.domain.my.id;
    location /vless-ws { # Consistent with the path of V2Ray configuration
      if ($http_upgrade != "websocket") { # Return 404 error when WebSocket upgrading negotiate failed
        return 404;
      }
      proxy_redirect off;
      proxy_pass http://127.0.0.1:19002;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
    }
}

Here is the long options list of websocat:

(base) isysrg@isysresearch:~/tmp$ ./websocat --help=long option
websocat 1.12.0
Vitaly "_Vi" Shukela <[email protected]>
Command-line client for web sockets, like netcat/curl/socat for ws://.

USAGE:
    websocat ws://URL | wss://URL               (simple client)
    websocat -s port                            (simple server)
    websocat [FLAGS] [OPTIONS] <addr1> <addr2>  (advanced mode)

FLAGS:
        --stdout-announce-listening-ports       [A] Print a line to stdout for each port being listened
        --async-stdio                           [A] On UNIX, set stdin and stdout to nonblocking mode instead of
                                                spawning a thread. This should improve performance, but may break other
                                                programs running on the same console.
        --compress-deflate                      [A] Compress data coming to a WebSocket using deflate method. Affects
                                                only binary WebSocket messages.
        --compress-gzip                         [A] Compress data coming to a WebSocket using gzip method. Affects only
                                                binary WebSocket messages.
        --compress-zlib                         [A] Compress data coming to a WebSocket using zlib method. Affects only
                                                binary WebSocket messages.
        --dump-spec                             [A] Instead of running, dump the specifiers representation to stdout
    -e, --set-environment                       Set WEBSOCAT_* environment variables when doing exec:/cmd:/sh-c:
                                                Currently it's WEBSOCAT_URI and WEBSOCAT_CLIENT for
                                                request URI and client address (if TCP)
                                                Beware of ShellShock or similar security problems.
    -E, --exit-on-eof                           Close a data transfer direction if the other one reached EOF
        --foreachmsg-wait-read                  [A] Wait for reading to finish before closing foreachmsg:'s peer
        --jsonrpc                               Format messages you type as JSON RPC 2.0 method calls. First word
                                                becomes method name, the rest becomes parameters, possibly automatically
                                                wrapped in [].
        --jsonrpc-omit-jsonrpc                  [A] Omit `jsonrpc` field when using `--jsonrpc`, e.g. for Chromium
        --just-generate-key                     [A] Just a Sec-WebSocket-Key value without running main Websocat
        --linemode-strip-newlines               [A] Don't include trailing \n or \r\n coming from streams in WebSocket
                                                messages
    -0, --null-terminated                       Use \0 instead of \n for linemode
        --no-line                               [A] Don't automatically insert line-to-message transformation
        --no-exit-on-zeromsg                    [A] Don't exit when encountered a zero message. Zero messages are used
                                                internally in Websocat, so it may fail to close connection at all.
        --no-fixups                             [A] Don't perform automatic command-line fixups. May destabilize
                                                websocat operation. Use --dump-spec without --no-fixups to discover what
                                                is being inserted automatically and read the full manual about Websocat
                                                internal workings.
        --no-async-stdio                        [A] Inhibit using stdin/stdout in a nonblocking way if it is not a tty
    -1, --one-message                           Send and/or receive only one message. Use with --no-close and/or -u/-U.
        --oneshot                               Serve only once. Not to be confused with -1 (--one-message)
        --print-ping-rtts                       Print measured round-trip-time to stderr after each received WebSocket
                                                pong.
        --exec-exit-on-disconnect               [A] Make exec: or sh-c: or cmd: immediately exit when connection is
                                                closed, don't wait for termination.
        --exec-sighup-on-stdin-close            [A] Make exec: or sh-c: or cmd: send SIGHUP on UNIX when input is
                                                closed.
        --exec-sighup-on-zero-msg               [A] Make exec: or sh-c: or cmd: send SIGHUP on UNIX when facing incoming
                                                zero-length message.
    -q                                          Suppress all diagnostic messages, except of startup errors
        --reuser-send-zero-msg-on-disconnect    [A] Make reuse-raw: send a zero-length message to the peer when some
                                                clients disconnects.
    -s, --server-mode                           Simple server mode: specify TCP port or addr:port as single argument
    -S, --strict                                strict line/message mode: drop too long messages instead of splitting
                                                them, drop incomplete lines.
        --timestamp-monotonic                   [A] Use monotonic clock for `timestamp:` overlay
    -k, --insecure                              Accept invalid certificates and hostnames while connecting to TLS
        --udp-broadcast                         [A] Set SO_BROADCAST
        --udp-multicast-loop                    [A] Set IP[V6]_MULTICAST_LOOP
        --udp-oneshot                           [A] udp-listen: replies only one packet per client
        --udp-reuseaddr                         [A] Set SO_REUSEADDR for UDP socket. Listening TCP sockets are always
                                                reuseaddr.
        --uncompress-deflate                    [A] Uncompress data coming from a WebSocket using deflate method.
                                                Affects only binary WebSocket messages.
        --uncompress-gzip                       [A] Uncompress data coming from a WebSocket using deflate method.
                                                Affects only binary WebSocket messages.
        --uncompress-zlib                       [A] Uncompress data coming from a WebSocket using deflate method.
                                                Affects only binary WebSocket messages.
    -u, --unidirectional                        Inhibit copying data in one direction
    -U, --unidirectional-reverse                Inhibit copying data in the other direction (or maybe in both directions
                                                if combined with -u)
        --accept-from-fd                        [A] Do not call `socket(2)` in UNIX socket listener peer, start with
                                                `accept(2)` using specified file descriptor number as argument instead
                                                of filename
        --unlink                                [A] Unlink listening UNIX socket before binding to it
    -V, --version                               Prints version information
    -v                                          Increase verbosity level to info or further
    -b, --binary                                Send message to WebSockets as binary messages
    -n, --no-close                              Don't send Close message to websocket on EOF
        --websocket-ignore-zeromsg              [A] Silently drop incoming zero-length WebSocket messages. They may
                                                cause connection close due to usage of zero-len message as EOF flag
                                                inside Websocat.
    -t, --text                                  Send message to WebSockets as text messages
        --base64                                Encode incoming binary WebSocket messages in one-line Base64 If
                                                `--binary-prefix` (see `--help=full`) is set, outgoing WebSocket
                                                messages that start with the prefix are decoded from base64 prior to
                                                sending.
        --base64-text                           [A] Encode incoming text WebSocket messages in one-line Base64. I don't
                                                know whether it can be ever useful, but it's for symmetry with
                                                `--base64`.

OPTIONS:
        --socks5 <auto_socks5>
            Use specified address:port as a SOCKS5 proxy. Note that proxy authentication is not supported yet. Example:
            --socks5 127.0.0.1:9050
        --autoreconnect-delay-millis <autoreconnect_delay_millis>
            [A] Delay before reconnect attempt for `autoreconnect:` overlay. [default: 20]

        --basic-auth <basic_auth>
            Add `Authorization: Basic` HTTP request header with this base64-encoded parameter

        --queue-len <broadcast_queue_len>
            [A] Number of pending queued messages for broadcast reuser [default: 16]

    -B, --buffer-size <buffer_size>                                  Maximum message size, in bytes [default: 65536]
        --byte-to-exit-on <byte_to_exit_on>
            [A] Override the byte which byte_to_exit_on: overlay looks for [default: 28]

        --client-pkcs12-der <client_pkcs12_der>                      [A] Client identity TLS certificate
        --client-pkcs12-passwd <client_pkcs12_passwd>
            [A] Password for --client-pkcs12-der pkcs12 archive. Required on Mac.

        --close-reason <close_reason>
            Close connection with a reason message. This option only takes effect if --close-status-code option is
            provided as well.
        --close-status-code <close_status_code>                      Close connection with a status code.
    -H, --header <custom_headers>...
            Add custom HTTP header to websocket client request. Separate header name and value with a colon and
            optionally a single space. Can be used multiple times. Note that single -H may eat multiple further
            arguments, leading to confusing errors. Specify headers at the end or with equal sign like -H='X: y'.
        --server-header <custom_reply_headers>...
            Add custom HTTP header to websocket upgrade reply. Separate header name and value with a colon and
            optionally a single space. Can be used multiple times. Note that single -H may eat multiple further
            arguments, leading to confusing errors.
        --exec-args <exec_args>...
            [A] Arguments for the `exec:` specifier. Must be the last option, everything after it gets into the exec
            args list.
        --header-to-env <headers_to_env>...
            Forward specified incoming request header to H_* environment variable for `exec:`-like specifiers.

    -h, --help <help>
            See the help.
            --help=short is the list of easy options and address types
            --help=long lists all options and types (see [A] markers)
            --help=doc also shows longer description and examples.
        --inhibit-pongs <inhibit_pongs>
            [A] Stop replying to incoming WebSocket pings after specified number of replies

        --just-generate-accept <just_generate_accept>
            [A] Just a Sec-WebSocket-Accept value based on supplied Sec-WebSocket-Key value without running main
            Websocat
        --max-messages <max_messages>
            Maximum number of messages to copy in one direction.

        --max-messages-rev <max_messages_rev>
            Maximum number of messages to copy in the other direction.

        --conncap <max_parallel_conns>
            Maximum number of simultaneous connections for listening mode

        --max-sent-pings <max_sent_pings>
            [A] Stop sending pings after this number of sent pings

        --max-ws-frame-length <max_ws_frame_length>
            [A] Maximum size of incoming WebSocket frames, to prevent memory overflow [default: 104857600]

        --max-ws-message-length <max_ws_message_length>
            [A] Maximum size of incoming WebSocket messages (sans of one data frame), to prevent memory overflow
            [default: 209715200]
        --origin <origin>                                            Add Origin HTTP header to websocket client request
        --pkcs12-der <pkcs12_der>
            Pkcs12 archive needed to accept SSL connections, certificate and key.
            A command to output it: openssl pkcs12 -export -out output.pkcs12 -inkey key.pem -in cert.pem
            Use with -s (--server-mode) option or with manually specified TLS overlays.
            See moreexamples.md for more info.
        --pkcs12-passwd <pkcs12_passwd>
            Password for --pkcs12-der pkcs12 archive. Required on Mac.

    -p, --preamble <preamble>...
            Prepend copied data with a specified string. Can be specified multiple times.

    -P, --preamble-reverse <preamble_reverse>...
            Prepend copied data with a specified string (reverse direction). Can be specified multiple times.

        --request-header <request_headers>...
            [A] Specify HTTP request headers for `http-request:` specifier.

    -X, --request-method <request_method>                            [A] Method to use for `http-request:` specifier
        --request-uri <request_uri>                                  [A] URI to use for `http-request:` specifier
        --restrict-uri <restrict_uri>
            When serving a websocket, only accept the given URI, like `/ws`
            This liberates other URIs for things like serving static files or proxying.
    -F, --static-file <serve_static_files>...
            Serve a named static file for non-websocket connections.
            Argument syntax: <URI>:<Content-Type>:<file-path>
            Argument example: /index.html:text/html:index.html
            Directories are not and will not be supported for security reasons.
            Can be specified multiple times. Recommended to specify them at the end or with equal sign like `-F=...`,
            otherwise this option may eat positional arguments
        --socks5-bind-script <socks5_bind_script>
            [A] Execute specified script in `socks5-bind:` mode when remote port number becomes known.

        --socks5-destination <socks_destination>
            [A] Examples: 1.2.3.4:5678  2600:::80  hostname:5678

        --tls-domain <tls_domain>
            [A] Specify domain for SNI or certificate verification when using tls-connect: overlay

        --udp-multicast <udp_join_multicast_addr>...
            [A] Issue IP[V6]_ADD_MEMBERSHIP for specified multicast address. Can be specified multiple times.

        --udp-multicast-iface-v4 <udp_join_multicast_iface_v4>...
            [A] IPv4 address of multicast network interface. Has to be either not specified or specified the same number
            of times as multicast IPv4 addresses. Order matters.
        --udp-multicast-iface-v6 <udp_join_multicast_iface_v6>...
            [A] Index of network interface for IPv6 multicast. Has to be either not specified or specified the same
            number of times as multicast IPv6 addresses. Order matters.
        --udp-ttl <udp_ttl>                                          [A] Set IP_TTL, also IP_MULTICAST_TTL if applicable
        --protocol <websocket_protocol>
            Specify this Sec-WebSocket-Protocol: header when connecting

        --server-protocol <websocket_reply_protocol>
            Force this Sec-WebSocket-Protocol: header when accepting a connection

        --websocket-version <websocket_version>                      Override the Sec-WebSocket-Version value
        --binary-prefix <ws_binary_prefix>
            [A] Prepend specified text to each received WebSocket binary message. Also strip this prefix from outgoing
            messages, explicitly marking them as binary even if `--text` is specified
        --ws-c-uri <ws_c_uri>
            [A] URI to use for ws-c: overlay [default: ws://0.0.0.0/]

        --ping-interval <ws_ping_interval>                           Send WebSocket pings each this number of seconds
        --ping-timeout <ws_ping_timeout>
            Drop WebSocket connection if Pong message not received for this number of seconds

        --text-prefix <ws_text_prefix>
            [A] Prepend specified text to each received WebSocket text message. Also strip this prefix from outgoing
            messages, explicitly marking them as text even if `--binary` is specified

ARGS:
    <addr1>    In simple mode, WebSocket URL to connect. In advanced mode first address (there are many kinds of
               addresses) to use. See --help=types for info about address types. If this is an address for
               listening, it will try serving multiple connections.
    <addr2>    In advanced mode, second address to connect. If this is an address for listening, it will accept only
               one connection.


Basic examples:
  Command-line websocket client:
    websocat ws://ws.vi-server.org/mirror/
    
  WebSocket server
    websocat -s 8080
    
  WebSocket-to-TCP proxy:
    websocat --binary ws-l:127.0.0.1:8080 tcp:127.0.0.1:5678
    

Full list of address types:
        ws://                   Insecure (ws://) WebSocket client. Argument is host and URL.
        wss://                  Secure (wss://) WebSocket client. Argument is host and URL.
        ws-listen:              WebSocket server. Argument is host and port to listen.
        inetd-ws:               WebSocket inetd server. [A]
        l-ws-unix:              WebSocket UNIX socket-based server. [A]
        l-ws-abstract:          WebSocket abstract-namespaced UNIX socket server. [A]
        ws-lowlevel-client:     [A] Low-level HTTP-independent WebSocket client connection without associated HTTP upgrade.
        ws-lowlevel-server:     [A] Low-level HTTP-independent WebSocket server connection without associated HTTP upgrade.
        wss-listen:             Listen for secure WebSocket connections on a TCP port
        http:                   [A] Issue HTTP request, receive a 1xx or 2xx reply, then pass
        asyncstdio:             [A] Set stdin and stdout to nonblocking mode, then use it as a communication counterpart. UNIX-only.
        inetd:                  Like `asyncstdio:`, but intended for inetd(8) usage. [A]
        tcp:                    Connect to specified TCP host and port. Argument is a socket address.
        tcp-listen:             Listen TCP port on specified address.
        ssl-listen:             Listen for SSL connections on a TCP port
        sh-c:                   Start specified command line using `sh -c` (even on Windows)
        cmd:                    Start specified command line using `sh -c` or `cmd /C` (depending on platform)
        exec:                   Execute a program directly (without a subshell), providing array of arguments on Unix [A]
        readfile:               Synchronously read a file. Argument is a file path.
        writefile:              Synchronously truncate and write a file.
        appendfile:             Synchronously append a file.
        udp:                    Send and receive packets to specified UDP socket, from random UDP port  
        udp-listen:             Bind an UDP socket to specified host:port, receive packet
        open-async:             Open file for read and write and use it like a socket. [A]
        open-fd:                Use specified file descriptor like a socket. [A]
        threadedstdio:          [A] Stdin/stdout, spawning a thread (threaded version).
        -                       Read input from console, print to console. Uses threaded implementation even on UNIX unless requested by `--async-stdio` CLI option.
        unix:                   Connect to UNIX socket. Argument is filesystem path. [A]
        unix-listen:            Listen for connections on a specified UNIX socket [A]
        unix-dgram:             Send packets to one path, receive from the other. [A]
        abstract:               Connect to UNIX abstract-namespaced socket. Argument is some string used as address. [A]
        abstract-listen:        Listen for connections on a specified abstract UNIX socket [A]
        abstract-dgram:         Send packets to one address, receive from the other. [A]
        mirror:                 Simply copy output to input. No arguments needed.
        literalreply:           Reply with a specified string for each input packet.
        clogged:                Do nothing. Don't read or write any bytes. Keep connections in "hung" state. [A]
        literal:                Output a string, discard input.
        assert:                 Check the input.  [A]
        assert2:                Check the input. [A]
        seqpacket:              Connect to AF_UNIX SOCK_SEQPACKET socket. Argument is a filesystem path. [A]
        seqpacket-listen:       Listen for connections on a specified AF_UNIX SOCK_SEQPACKET socket [A]
        random:                 Generate random bytes when being read from, discard written bytes.
Full list of overlays:
        ws-upgrade:             WebSocket upgrader / raw server. Specify your own protocol instead of usual TCP. [A]
        http-request:           [A] Issue HTTP request, receive a 1xx or 2xx reply, then pass
        http-post-sse:          [A] Accept HTTP/1 request. Then, if it is GET,
        ssl-connect:            Overlay to add TLS encryption atop of existing connection [A]
        ssl-accept:             Accept an TLS connection using arbitrary backing stream. [A]
        reuse-raw:              Reuse subspecifier for serving multiple clients: unpredictable mode. [A]
        broadcast:              Reuse this connection for serving multiple clients, sending replies to all clients.
        autoreconnect:          Re-establish underlying connection on any error or EOF
        ws-c:                   Low-level WebSocket connector. Argument is a some another address. [A]
        msg2line:               Line filter: Turns messages from packet stream into lines of byte stream. [A]
        line2msg:               Line filter: turn lines from byte stream into messages as delimited by '\\n' or '\\0' [A]
        foreachmsg:             Execute something for each incoming message.
        log:                    Log each buffer as it pass though the underlying connector.
        jsonrpc:                [A] Turns messages like `abc 1,2` into `{"jsonrpc":"2.0","id":412, "method":"abc", "params":[1,2]}`.
        timestamp:              [A] Prepend timestamp to each incoming message.
        socks5-connect:         SOCKS5 proxy client (raw) [A]
        socks5-bind:            SOCKS5 proxy client (raw, bind command) [A]
        exit_on_specific_byte:  [A] Turn specific byte into a EOF, allowing user to escape interactive Websocat session

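What is the equivalent websocat command for the nginx site configuration above? I'm sure websocat can do this, since it has so many options. Or is there some other simple websocket server utility?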

nginx
  • 1 answer
  • 27 Views
achhainsan
Asked: 2023-08-23 10:05:05 +0800 CST

When a wildcard is used for the log directory, what does size specify? The size of one log, or the total size of all logs?

  • 3

https://www.keycdn.com/support/logrotate#maxsize

This limits the size of each log file to the specified number of bytes

/var/log/nginx/*.log
{
size 50G
}

Does the 50G size here mean the size of all the logs in /var/log/nginx (e.g. access.log, error.log, etc.)? Or something else?

I read the https://man7.org/linux/man-pages/man8/logrotate.8.html man page but couldn't figure this out from there.

nginx
  • 1 answer
  • 27 Views
ASHafizullah
Asked: 2022-11-03 20:26:48 +0800 CST

How do I restrict access to a domain on a VPS with Nginx?

  • 5

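I have a Debian VPS with an Nginx reverse proxy for my website, and the domain's DNS is forwarded to my VPS. My question is, how do I restrict public access to my website through the domain?

For example, I have the domain: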

admin.websitename.com

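But I want this website to be accessible only to me and my friends, because it is an admin dashboard used for logging in, where all the data inside our website can be viewed.

Is there any method or tutorial for this? I have already searched on Google, but I think my keywords were not right. Thanks in advance.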

nginx
  • 1 answer
  • 13 Views
