Category Archives: IT World

Running Podman on OpenWRT

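The reason for tinkering with Podman: running Dockerd and Tproxy on the same machine causes a conflict that breaks Tproxy transparent proxying. This post records the configuration process.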

Device information:

root@r5c:~# ubus call system board
{
        "kernel": "6.6.69",
        "hostname": "r5c",
        "system": "ARMv8 Processor rev 0",
        "model": "FriendlyElec NanoPi R5C",
        "board_name": "friendlyarm,nanopi-r5c",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0-rc5",
                "revision": "r28304-6dacba30a7",
                "target": "rockchip/armv8",
                "description": "OpenWrt 24.10.0-rc5 r28304-6dacba30a7",
                "builddate": "1736026537"
        }
}


Configuring client certificate authentication for nghttp2 proxy

# Create the CA directory structure
mkdir -p ./demoCA/{private,newcerts}
touch ./demoCA/index.txt
echo 01 > ./demoCA/serial

# Generate the CA's RSA key pair
openssl genrsa -des3 -out ./demoCA/private/cakey.pem 2048

# Self-sign the CA certificate
openssl req -new -x509 -days 365 -key ./demoCA/private/cakey.pem \
-out ./demoCA/cacert.pem

# Move the CA certificate to the nghttpx configuration directory
sudo mv ./demoCA/cacert.pem /etc/nghttpx/certs/

# Modify the nghttpx startup script (supervisor)
[program:nghttpx]
command=nghttpx -s -f0.0.0.0,443 -b127.0.0.1,8080 /etc/nghttpx/certs/ssl.key /etc/nghttpx/certs/ssl.crt --verify-client --verify-client-cacert=/etc/nghttpx/certs/cacert.pem --npn-list=spdy/3.1,h2
autorestart=true
user=root

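Next, download cacert.pem and cakey.pem from the VPS to the local machine and import them into the operating system. On OS X, cacert.pem (the public key) can be imported by double-clicking, but cakey.pem (the private key) has to be imported from the terminal (the GUI has a bug and cannot import it):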

security import cakey.pem -k ~/Library/Keychains/login.keychain

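Finally, in theory you only need to install the Proxy SwitchyOmega extension in Chrome and configure the https proxy, and everything is fine; in practice, however, Chrome 41 stable has an infinite-crash bug with https proxies that require certificate authentication, so you need to update to Chrome 43 dev or later. Firefox 33 and later also supports https proxy, which has to be used through a PAC file.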
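
The steps above place the CA's own key pair on the client. As an added example (not part of the original post), the script below goes one step further: it uses a demoCA-style CA to issue a separate client certificate and checks that it chains to the cacert.pem passed to --verify-client-cacert. The directory, CN and file names are assumptions, and the CA key is left unencrypted only so the example runs unattended.

```shell
#!/bin/sh
# Added example: per-client certificate issued from a demoCA-style CA.
# All names (working directory, CNs, <client>.key/.crt) are assumptions.

make_ca() {            # $1 = working directory
    mkdir -p "$1/demoCA/private" "$1/demoCA/newcerts"
    # Unencrypted here (no -des3) only so the demo needs no passphrase prompt.
    openssl genrsa -out "$1/demoCA/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -subj "/CN=Demo Proxy CA" \
        -key "$1/demoCA/private/cakey.pem" -out "$1/demoCA/cacert.pem"
}

issue_client() {       # $1 = working directory, $2 = client name
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -subj "/CN=$2" -key "$1/$2.key" -out "$1/$2.csr"
    # Leaf-only extensions: cannot sign other certs, valid for TLS client auth.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$1/$2.ext"
    openssl x509 -req -days 90 -in "$1/$2.csr" \
        -CA "$1/demoCA/cacert.pem" -CAkey "$1/demoCA/private/cakey.pem" \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

verify_client() {      # $1 = CA certificate, $2 = client certificate
    # Exit status 0 only if $2 chains to $1 and is usable as a TLS client cert.
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
make_ca "$demo" && issue_client "$demo" laptop-client &&
    verify_client "$demo/demoCA/cacert.pem" "$demo/laptop-client.crt" &&
    echo "laptop-client.crt chains to cacert.pem"
rm -rf "$demo"
```

With this layout only `<client>.key` and `<client>.crt` leave the CA host, and cakey.pem stays where the certificates are signed.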