必备条件
- 一台能正常访问 TG API 的机器
- NGINX
- https
因为请求 TG API 走的是 HTTPS, 所以这里必须要 HTTPS 反代
核心配置
- 可以自由的把这段 location 添加到已有的 nginx ssl 配置中, 用于实现反代
不熟悉的 NGINX 的, 加错了自己修
- 配置检查, 重载:
nginx -t && nginx -s reload
1
2
3
4
5
6
7
8
9
10
11
| location ~* ^/bot {
resolver 8.8.8.8;
proxy_buffering off;
proxy_pass https://api.telegram.org$request_uri;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
|
验证
- 如果 502 先看看 有没有设置 dns, 检查 dns 可用性
- 然后再看看 nginx 日志, 根据配置文件排查看看是哪里不对劲
1
2
3
4
| ❯ curl https://api.telegram.org/bot
{"ok":false,"error_code":404,"description":"Not Found"}
❯ curl https://tyn3.xxx.xxx/bot
{"ok":false,"error_code":404,"description":"Not Found"}
|
完整配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
| upstream iitii {
server openwrt.iitii.me:443;
}
server {
listen 80 default_server;
rewrite ^(.*) https://$host$1 permanent;
}
server {
listen 443 ssl;
server_name china.iitii.me;
ssl on;
ssl_certificate /etc/nginx/ssl/china.iitii.me/pem.pem;
ssl_certificate_key /etc/nginx/ssl/china.iitii.me/key.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
location ~* ^/bot {
resolver 8.8.8.8;
proxy_buffering off;
proxy_pass https://api.telegram.org$request_uri;
proxy_http_version 1.1;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
proxy_pass https://iitii;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header Accept-Encoding '';
proxy_buffering off;
}
}
|
参见