How *.melnoff.com is exposed to the internet and how to add a new service.

- DNS: melnoff.com is hosted on Cloudflare (NS: erin.ns.cloudflare.com, west.ns.cloudflare.com).
- Public IP: 95.165.74.182 (the home internet link).
- CA: Let's Encrypt (--server letsencrypt).
- ACME client: /usr/lib/acme/client/acme.sh, ACME home /etc/acme/.
- Key type: ECDSA P-256 (--keylength ec-256).
- Challenge webroot: /var/run/acme/challenge; the handler is /etc/nginx/conf.d/acme80.conf (one shared vhost with listen 80 whose server_name lists all the domains).
- UCI config: acme (/etc/config/acme); daemon /etc/init.d/acme.
All vhosts follow the same template. Example (bw.conf):

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  listen 8080;
  server_name bw.melnoff.com;
  ssl_certificate /etc/acme/bw.melnoff.com_ecc/fullchain.cer;
  ssl_certificate_key /etc/acme/bw.melnoff.com_ecc/bw.melnoff.com.key;
  ssl_session_cache shared:SSL:32k;
  ssl_session_timeout 64m;
  location / {
    proxy_pass http://172.16.10.1:83;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_read_timeout 300s;
  }
}
http://172.16.10.1:<port> is the IP of LXC 107 in VLAN 2. Not 192.168.0.6!

Free ports on LXC 107 (as of 2026-04-27): 8084 and up, 84-99. In use: 83 (vw), 3000 (gitea), 3001 (grafana), 8000+9443 (portainer), 8082 (zabbix-web), 8083 (dokuwiki), 10051 (zabbix-server), 2244 (gitea-ssh).

Add an A record <name>.melnoff.com → 95.165.74.182 in Cloudflare, Proxy: DNS only. Wait for propagation:
dig @1.1.1.1 +short <name>.melnoff.com A
Start the container on LXC 107 (via the Proxmox host):

ssh root@192.168.0.6
pct exec 107 -- /bin/sh
mkdir -p /opt/<name>
cat > /opt/<name>/docker-compose.yml <<YAML
services:
  <name>:
    image: <image>
    restart: unless-stopped
    ports:
      - "<port>:80"
    volumes:
      - /opt/<name>/data:/...
    environment:
      TZ: Europe/Moscow
YAML
cd /opt/<name> && docker compose up -d

On the router, add the domain to the ACME challenge vhost:

ssh root@192.168.0.1
# backup
cp /etc/nginx/conf.d/acme80.conf /etc/nginx/conf.d/acme80.conf.bak.$(date +%s)
# add the domain to server_name
sed -i 's/\(server_name [^;]*\)/\1 <name>.melnoff.com/' /etc/nginx/conf.d/acme80.conf
# reload
/etc/init.d/nginx reload

Check that the challenge path is served for the new name:

mkdir -p /var/run/acme/challenge/.well-known/acme-challenge
echo HELLO > /var/run/acme/challenge/.well-known/acme-challenge/test
curl -H "Host: <name>.melnoff.com" http://127.0.0.1/.well-known/acme-challenge/test
# must return HTTP 200 and 'HELLO'
rm /var/run/acme/challenge/.well-known/acme-challenge/test

Issue the certificate:

/usr/lib/acme/client/acme.sh --home /etc/acme \
  --issue --server letsencrypt \
  --webroot /var/run/acme/challenge \
  -d <name>.melnoff.com \
  --keylength ec-256

Register the certificate in UCI (/etc/config/acme):

uci set acme.<short>=cert
uci set acme.<short>.enabled=1
uci set acme.<short>.staging=0
uci set acme.<short>.validation_method=webroot
uci set acme.<short>.key_type=ec256
uci set acme.<short>.domains=<name>.melnoff.com
uci commit acme

Create the vhost (the heredoc delimiter is unquoted, so the nginx variables are escaped as \$):

cat > /etc/nginx/conf.d/<name>.conf <<NGINX
server {
  listen 443 ssl;
  listen [::]:443 ssl;
  listen 8080;
  server_name <name>.melnoff.com;
  ssl_certificate /etc/acme/<name>.melnoff.com_ecc/fullchain.cer;
  ssl_certificate_key /etc/acme/<name>.melnoff.com_ecc/<name>.melnoff.com.key;
  ssl_session_cache shared:SSL:32k;
  ssl_session_timeout 64m;
  location / {
    proxy_pass http://172.16.10.1:<port>;
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_read_timeout 300s;
  }
}
NGINX
/etc/init.d/nginx reload
curl -sI https://<name>.melnoff.com/
Gotchas:
- pct exec 107 -- bash ... fails. Use /bin/sh.
- curl in the container: apk add --no-cache curl.
- nginx -t without flags does not work with the OpenWrt nginx package (it uses /etc/nginx/uci.conf). Use /etc/init.d/nginx reload. To inspect the effective config, use nginx -T.
- Always pass --server letsencrypt.
- echo: quote the argument.
- If the vhost is created before the certificate is issued, nginx reload fails. Order: update acme80 → reload → issue cert → vhost → reload again.
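The steps above are typed by hand and the ordering gotcha bites when a step is skipped. The script below is an added example (not the author's runbook script) that encodes the same conventions as preflight checks: the name must be a plain label (the runbook's sed and heredocs splice it in unquoted), the port must be in the free ranges for LXC 107, the domain is added to acme80.conf only once (the page's sed is not idempotent), and the vhost is rendered only after acme.sh has produced both certificate files, so the reload cannot fail on a missing ssl_certificate. The paths are parameters so it runs on scratch copies (the demo function uses constructed files) or on the real /etc/acme and /etc/nginx/conf.d.

```shell
#!/bin/sh
# Preflight for adding <name>.melnoff.com (added example, not the runbook
# author's script). Enforces the page's conventions and the cert-before-vhost
# order. Usage: preflight NAME PORT ACME_HOME ACME80_CONF OUT_CONF
set -e

# Backend ports already in use on LXC 107, as listed in the runbook.
USED_PORTS="83 3000 3001 8000 9443 8082 8083 10051 2244"

# 0 if PORT is numeric, not in USED_PORTS, and in the free ranges 84-99 or 8084+.
port_is_free() {
  p=$1
  case "$p" in ''|*[!0-9]*) return 1 ;; esac
  for u in $USED_PORTS; do
    [ "$u" = "$p" ] && return 1
  done
  if [ "$p" -ge 84 ] && [ "$p" -le 99 ]; then return 0; fi
  [ "$p" -ge 8084 ]
}

# 0 if NAME is a plain lowercase label: the runbook splices <name> unquoted
# into server_name and file paths, so a space, dot or leading dash would
# corrupt the config.
name_is_valid() {
  case "$1" in
    ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
  esac
}

# Append DOMAIN to the server_name of ACME80 unless it is already there
# (the runbook's sed duplicates the name when run twice).
add_to_acme80() {
  acme80=$1; domain=$2
  if grep -q "server_name[^;]*[[:space:]]$domain[[:space:];]" "$acme80"; then
    return 0
  fi
  cp "$acme80" "$acme80.bak.$(date +%s)"
  sed -i "s/\(server_name [^;]*\)/\1 $domain/" "$acme80"
}

# 0 if both files the vhost will reference exist and are non-empty.
cert_ready() {
  acme_home=$1; domain=$2
  [ -s "$acme_home/${domain}_ecc/fullchain.cer" ] &&
    [ -s "$acme_home/${domain}_ecc/$domain.key" ]
}

# Print the vhost for NAME -> 172.16.10.1:PORT from the page's template. The
# heredoc is unquoted so $name/$port expand; nginx variables are escaped as \$.
render_vhost() {
  name=$1; port=$2
  cat <<NGINX
server {
  listen 443 ssl;
  listen [::]:443 ssl;
  listen 8080;
  server_name $name.melnoff.com;
  ssl_certificate /etc/acme/$name.melnoff.com_ecc/fullchain.cer;
  ssl_certificate_key /etc/acme/$name.melnoff.com_ecc/$name.melnoff.com.key;
  ssl_session_cache shared:SSL:32k;
  ssl_session_timeout 64m;
  location / {
    proxy_pass http://172.16.10.1:$port;
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_read_timeout 300s;
  }
}
NGINX
}

# Stops at the first failed check with a message on stderr; writes OUT_CONF
# only when everything, including the certificate, is in place.
preflight() {
  name=$1; port=$2; acme_home=$3; acme80=$4; out=$5
  name_is_valid "$name" || { echo "bad name: $name" >&2; return 1; }
  port_is_free "$port" || { echo "port $port is not free on LXC 107" >&2; return 1; }
  add_to_acme80 "$acme80" "$name.melnoff.com"
  if ! cert_ready "$acme_home" "$name.melnoff.com"; then
    echo "no cert for $name.melnoff.com yet: reload nginx, issue it, rerun" >&2
    return 1
  fi
  render_vhost "$name" "$port" > "$out"
}

# Demo on scratch files (constructed): the first call is refused because no
# certificate exists; once dummy cert files appear, the vhost is written.
demo() {
  tmp=$(mktemp -d)
  printf 'server {\n  listen 80;\n  server_name bw.melnoff.com;\n}\n' > "$tmp/acme80.conf"
  preflight wiki 8084 "$tmp" "$tmp/acme80.conf" "$tmp/wiki.conf" || true
  mkdir -p "$tmp/wiki.melnoff.com_ecc"
  echo dummy > "$tmp/wiki.melnoff.com_ecc/fullchain.cer"
  echo dummy > "$tmp/wiki.melnoff.com_ecc/wiki.melnoff.com.key"
  preflight wiki 8084 "$tmp" "$tmp/acme80.conf" "$tmp/wiki.conf" && cat "$tmp/wiki.conf"
  rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo
```

Run it as `sh preflight.sh demo` to see the refusal followed by the rendered vhost; on the router, call preflight with /etc/acme, /etc/nginx/conf.d/acme80.conf and /etc/nginx/conf.d/<name>.conf, reload after the first (refused) run, issue the certificate, then run it again and reload.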