一些 Docker 应用分享及使用配置附录,包含远程控制(RustDesk),PT 一体化工具(MoviePilot, Qbittorrent, Transmission, Audiobookshelf)和内网浏览器(Firefox)。
提示:根据个人的实际情况,自行替换配置文件中的路径、端口、口令等内容。
远程控制
考虑到单机部署,独立运行 hbbs, hbbr 意义不大,使用 rustdesk-server-s6 镜像即可。如果有访问网页端的需求,可再同时部署 rustdesk-api 镜像,一定程度上代替官方镜像的 21114 网页控制台的作用。
Docker Compose
rustdesk-s6
version: '3'
services:
rustdesk-server:
container_name: rustdesk-s6
ports:
- 36011:36011
- 36012:36012
- 36012:36012/udp
- 36013:36013
image: rustdesk/rustdesk-server-s6:latest
environment:
- RELAY=<指向服务器的域名>:36013
- ENCRYPTED_ONLY=1
- PORT=36012
volumes:
- /opt/docker/rustdesk-s6:/data
restart: unless-stopped
network_mode: bridge
|
rustdesk-s6 + rustdesk-api
version: '3'
services:
rustdesk-server:
container_name: rustdesk-s6
image: rustdesk/rustdesk-server-s6:latest
restart: unless-stopped
networks:
- rustdesk-network
ports:
- 36601-36605:36601-36605
- 36602:36602/udp
environment:
- TZ=Asia/Shanghai
- RELAY=<指向服务器的域名>:36603
- ENCRYPTED_ONLY=1
- PORT=36602
volumes:
- /opt/docker/rustdesk-s6:/data
rustdesk-api:
container_name: rustdesk-api
image: lejianwen/rustdesk-api:latest
restart: unless-stopped
networks:
- rustdesk-network
ports:
- 36600:21114
environment:
- TZ=Asia/Shanghai
- RUSTDESK_API_RUSTDESK_ID_SERVER=rustdesk-s6:36602
- RUSTDESK_API_RUSTDESK_RELAY_SERVER=rustdesk-s6:36603
- RUSTDESK_API_RUSTDESK_API_SERVER=https://<启用反代的Nginx域名>
- RUSTDESK_API_RUSTDESK_WS_HOST=wss://<启用反代的Nginx域名>
- RUSTDESK_API_RUSTDESK_KEY_FILE=./conf/data/id_ed25519.pub
volumes:
- /opt/docker/rustdesk-api/:/app/data
- /opt/docker/rustdesk-s6:/app/conf/data
networks:
rustdesk-network:
driver: bridge
enable_ipv6: true
ipam:
config:
- subnet: 172.19.0.0/16
- subnet: "2001:db8:2::/64"
|
Nginx 配置server {
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
server_name <启用反代的Nginx域名>;
access_log /www/sites/rustdesk/log/access.log main;
error_log /www/sites/rustdesk/log/error.log;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
location / {
proxy_pass http://127.0.0.1:36600;
}
location /ws/id {
proxy_pass http://127.0.0.1:36604;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400s;
}
location /ws/relay {
proxy_pass http://127.0.0.1:36605;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400s;
}
ssl_certificate /www/sites/rustdesk/ssl/fullchain.pem;
ssl_certificate_key /www/sites/rustdesk/ssl/privkey.pem;
ssl_protocols TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!SRP:!CAMELLIA:!SEED;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
error_page 497 https://$host$request_uri;
add_header Strict-Transport-Security "max-age=31536000";
}
|
附录
关于 ID 服务器
关于环境变量RELAY
- 用于 ID 服务器通知客户端中继服务器的地址。
- 当然你也可以不配置该变量,而是在客户端手动输入中继服务器的值。
关于客户端配置:
| 项目 | 内容 |
|---|
| ID 服务器 | 服务器:21116(自定义端口需明确指出)。 |
| 中继服务器 | 环境变量配置 RELAY 后可置空。 |
| API 服务器 | 如果未部署 rustdesk-api 镜像可置空。 |
| key | 输入公钥文件id_ed25519.pub的内容(也可在日志中找到)。 |
关于默认端口:
| 端口 | 协议 | 服务 | 用途 |
|---|
| 21114 | TCP | hbbs | 网页控制台(仅专业版可用)。 |
| 21115 | TCP | hbbs | NAT类型检测和在线状态查询。 |
| 21116 | TCP/UDP | hbbs | 打洞与连接服务/ID注册与心跳服务。 |
| 21117 | TCP | hbbr | 中继服务。 |
| 21118 | TCP | hbbs | 网页客户端(RustDesk Web Client)。 |
| 21119 | TCP | hbbr | 网页客户端(RustDesk Web Client)。 |
关于自定义端口
- 综上,Rustdesk 正常运行的最小端口为 21115,21116,21117。
- 环境变量
PORT定义的是打洞端口(21116),其余端口通过该端口自动计算得出。 - 桥接模式下,务必保持映射前后的端口一致。
关于防火墙
- 至少需要放行最小运行端口(21115-21117)。
- 如果使用官方的 Web Client 还需要放行 21118,但在连接时需要在该网站输入设备 ID、服务器地址、Key 等信息:
<ID>@<服务器地址>?key=<密钥>。
碎碎念
- Rustdesk 的文档稀烂,关于自定义端口的描述是翻阅 issue 得知的。
- 中国反诈中心似乎在扫描部署了 RustDesk 的境内服务器,进而封禁 IP,不建议使用默认端口。
PT 一体化工具
- MoviePilot:自动订阅、整理。
- Audiobookshelf:自托管有声书架。
- QBittorrent:常见 PT 站所允许的下载器。
- Transmission:带快校的下载(保种)器。
Docker Compose
moviepilot-v2、qbittorrent、transmission、audiobookshelf
version: "3.3"
services:
moviepilot:
stdin_open: true
tty: true
image: jxxghp/moviepilot-v2:latest
container_name: moviepilot-v2
restart: always
network_mode: bridge
ports:
- "23301:3000"
- "23302:3001"
volumes:
- "/opt/Docker/moviepilot-v2/config:/config"
- "/opt/Docker/moviepilot-v2/core:/moviepilot/.cache/ms-playwright"
- "/媒体库目录:/媒体库目录"
environment:
- "NGINX_PORT=3000"
- "PORT=3001"
- "PUID=0"
- "PGID=0"
- "UMASK=000"
- "TZ=Asia/Shanghai"
- "MOVIEPILOT_AUTO_UPDATE=false"
- "PROXY_HOST=http://10.0.10.3:1080"
- "SUPERUSER=admin"
qbittorrent:
image: linuxserver/qbittorrent:latest
container_name: qbittorrent
restart: always
network_mode: bridge
volumes:
- "/opt/Docker/qBittorrent:/config"
- "/媒体库目录:/媒体库目录"
ports:
- "23303:8080"
- "23304:6881"
- "23304:6881/udp"
environment:
- "PUID=0"
- "PGID=0"
- "TZ=Asia/Shanghai"
- "WEBUI_PORT=8080"
- "TORRENTING_PORT=6881"
transmission:
image: chisbread/transmission:latest
container_name: transmission
restart: always
network_mode: bridge
volumes:
- "/opt/Docker/transmission:/config"
- "/媒体库目录:/媒体库目录"
ports:
- "23305:9091"
- "23306:51413"
- "23306:51413/udp"
environment:
- "PUID=0"
- "PGID=0"
- "TZ=Asia/Shanghai"
- "PEERPORT=9091"
- "RPCPORT=51413"
- "USER=username"
- "PASS=password"
audiobookshelf:
image: advplyr/audiobookshelf:latest
container_name: audiobookshelf
restart: always
network_mode: bridge
volumes:
- "/opt/Docker/audiobook/metadata:/metadata"
- "/opt/Docker/audiobook/podcasts:/podcasts"
- "/opt/Docker/audiobook/config:/config"
- "/有声资源:/audiobooks"
ports:
- "23307:80"
environment:
- "TZ=Asia/Shanghai"
|
附录
- 可在下载器中,设置 torrent 完成时运行外部程序 手动触发 MoviePilot 的媒体入库动作。
curl "http://moviepilot_ip:23301/api/v1/transfer/now?token=moviepilot_token"
|
内网浏览器
Docker Compose
jlesage/firefox:latest
version: '3.8'
services:
firefox:
image: jlesage/firefox
container_name: firefox
network_mode: bridge
ports:
- "5800:5800"
environment:
- LANG=zh_CN.UTF-8
- ENABLE_CJK_FONT=1
- TZ=Asia/Shanghai
- KEEP_APP_RUNNING=1
- WEB_AUDIO=1
- WEB_AUTHENTICATION=1
- WEB_AUTHENTICATION_USERNAME=username
- WEB_AUTHENTICATION_PASSWORD=password
- VNC_PASSWORD=vnc_password
- SECURE_CONNECTION=1
- BASE_URL=https://反代用域名
volumes:
- /opt/Docker/firefox:/config
restart: unless-stopped
|
附录
- Nginx 反代配置,另如需在 CDN 中使用,请关闭回源跟随301/302配置。
Nginx 反代配置(局部)
"Firefox_IP:指向部署容器的 IP 地址。location / {
proxy_pass https://Firefox_IP:5800;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffering off;
proxy_ssl_verify off;
}
location /websockify {
proxy_pass https://Firefox_IP:5800;
proxy_ssl_verify off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}
location /websockify-audio {
proxy_pass https://Firefox_IP:5800;
proxy_ssl_verify off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}
|
- 如需在 Uptime Kuma 中配置检测,需在请求头中主动指定 Cookie:
{
"Cookie": "login_success_url=https://域名/;login_failure_url=https://域名/login/"
}
|
