异地组网搭建内网穿透,反向代理实现攻击隔离。
概述
济南,周末,风和日暖。经过为期一个月的测试,状态稳定,记录如下。网站及部分 Docker 服务已迁移至手机上 QEMU 模拟的 Linux 系统;尽管 Android 系统无法使用 KVM 加速,无法充分发挥手机 CPU、UFS、内存等硬件性能,但应对轻量 Web 项目及部分对 CPU 要求不高的 Docker 服务依然游刃有余。由于手机可视为处于移动状态的服务器,完全依赖 Wi-Fi 或基站流量获取移动、联通、电信三大运营商的内网地址,手机的可移动性决定了它无法拥有固定内网 IP 地址;核心问题是不能拥有公网 IP 地址,必须解决内网无公网 IP 的问题,以实现内网服务暴露至公网。打洞成功率较高、稳定性相对较好的,还得是异地组网:在异地组网基础上,依托边缘节点,借助反向代理,搭建内网穿透服务;附加效果是实现攻击隔离,在网络边缘只暴露最小攻击面,达到隔离、收敛攻击面的效果。
# QEMU options for the Linux guest running on the Android phone (the qemu-system
# binary itself is not shown on this page; only its arguments are).
# -accel tcg ........ pure software emulation; the page notes KVM is unavailable on Android.
# -net user ......... QEMU user-mode (SLIRP) networking: the guest sees the host at 10.0.2.2,
#                     which is the address every later SSH/proxy step targets. No hostfwd
#                     rule is given, so presumably the host cannot reach guest ports
#                     directly — hence the reverse SSH tunnel used further down.
-M virt,virtualization=true -cpu cortex-a76 -accel tcg,thread=multi -net nic,model=virtio-net-pci -net user -device nec-usb-xhci -device usb-kbd -device usb-mouse -device virtio-gpu-pci -m 4g -smp 4
# Run inside the VM: publish a guest port to the Termux sshd on the Android host.
# 10.0.2.2 is the host as seen through QEMU user-mode networking; "Port" stands for
# the real port numbers and "uer"/"u0_a435" for the Termux account.

# Manual test of the reverse tunnel: Termux listens on Port and forwards to
# localhost:Port inside the VM. With sshd's default GatewayPorts=no that listener
# is bound to loopback on the Termux side, so nothing is reachable beyond the phone.
ssh -N -R Port:localhost:Port uer@10.0.2.2 -p Port

# autossh re-establishes the tunnel whenever it drops.
apt install autossh -y

# Dedicated key for the VM -> Termux hop. NOTE(review): -N '' makes the key
# passphrase-less so the service can start unattended; whoever can read the file
# can use it. Keep it 0600, and on the Termux side restrict what it may do in
# authorized_keys (e.g. a "restrict,port-forwarding" prefix) so it can open the
# tunnel but not run commands.
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_vm_to_termux -N ''

# Confirm key-based login works before autossh depends on it.
ssh -i ~/.ssh/id_ed25519_vm_to_termux -p Port u0_a435@10.0.2.2

# Background tunnel. -M 0 disables autossh's own monitor port; liveness comes from
# ServerAliveInterval/ServerAliveCountMax (a dead link is noticed after ~90 s).
autossh -M 0 -N -f -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" \
  -R Port:localhost:Port -p Port uer@10.0.2.2 -i ~/.ssh/id_ed25519_vm_to_termux
# Same reverse tunnel as the manual autossh command, but supervised by systemd so it
# comes back after reboots and failures (Restart=always, 10 s back-off).
# AUTOSSH_GATETIME=0 tells autossh not to treat a quick first failure (e.g. the
# network is not up yet at boot) as fatal.
# NOTE(review): the unit runs as root only because the key lives in /root/.ssh; a
# dedicated unprivileged user owning its own key would limit the blast radius if
# the ssh client process were ever compromised — confirm before changing.
# "Port" and "user" are placeholders, as in the manual commands.
tee /etc/systemd/system/reverse-ssh.service > /dev/null <<'EOF'
[Unit]
Description=Reverse SSH tunnel to Android Termux
After=network-online.target
Wants=network-online.target
[Service]
User=root
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" \
  -R Port:localhost:Port -p Port user@10.0.2.2 -i /root/.ssh/id_ed25519_vm_to_termux
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
# Load the reverse-ssh.service unit, start it now and at boot, then verify both the
# tunnel service and the VM's own sshd are healthy.
systemctl daemon-reload
systemctl enable --now reverse-ssh.service
# -l keeps long log lines (the autossh command line) from being truncated.
systemctl status reverse-ssh.service -l
systemctl status ssh
# Enlarge the raw VM image on the phone's storage to 50G (run on the host side),
# then grow the root filesystem (run inside the guest).
# NOTE(review): qemu-img only enlarges the image; the vda2 partition itself must be
# extended to the new size (Armbian's first-boot resize or a growpart step) before
# resize2fs has any room — confirm, since no partition step is shown here.
qemu-img resize -f raw /storage/emulated/0/Documents/VectrasVM/roms/g16937/Armbian_24.11.1_Uefi-arm64_bookworm_current_6.6.60_minimal.img 50G
resize2fs /dev/vda2
# --- Inside the VM: shell helpers (appended to ~/.bashrc) that route outbound
# traffic through a proxy listening on the Android host at 10.0.2.2:10808. The
# program behind that port is not shown on this page.
nano ~/.bashrc
# Plain HTTP proxy: set http_proxy/https_proxy and clear ALL_PROXY so nothing is
# still routed through SOCKS.
proxy-http() {
  export http_proxy=http://10.0.2.2:10808
  export https_proxy=http://10.0.2.2:10808
  unset ALL_PROXY
  echo "HTTP proxy set"
}
# SOCKS5 variant on the same port; ALL_PROXY is also set for tools that honour it (e.g. curl).
proxy-socks5() {
  export http_proxy=socks5://10.0.2.2:10808
  export https_proxy=socks5://10.0.2.2:10808
  export ALL_PROXY=socks5://10.0.2.2:10808
  echo "SOCKS5 proxy set"
}
# Clear every variable the two helpers above may have set.
proxy-off() {
  unset http_proxy https_proxy ALL_PROXY
  echo "Proxy disabled"
}
source ~/.bashrc

# --- Docker daemon: image pulls go through the same HTTP proxy via a systemd drop-in.
mkdir -p /etc/systemd/system/docker.service.d
nano /etc/systemd/system/docker.service.d/proxy.conf
# Contents of proxy.conf (systemd unit syntax, not shell).
# NOTE(review): only loopback bypasses the proxy; a private registry or overlay-network
# host may need adding to NO_PROXY — confirm against what the containers reach.
[Service]
Environment="HTTP_PROXY=http://10.0.2.2:10808"
Environment="HTTPS_PROXY=http://10.0.2.2:10808"
Environment="NO_PROXY=localhost,127.0.0.1"
systemctl daemon-reexec
systemctl daemon-reload
systemctl restart docker
# Repairing the guest's UEFI boot loader from the installer's rescue shell
# (the GRUB menu entry below, then the commands that follow).
Advanced Options → Rescue mode
# Identify the disk layout; the three lines after fdisk are the output as pasted:
# vda1 is the EFI system partition, vda2 the ext4 root.
lsblk -f
fdisk -l
vda
├─vda1 fat32 efi /boot/efi
└─vda2 ext4 rootfs /
# Mount root first, then the ESP inside it.
mkdir -p /mnt/rootfs
mount /dev/vda2 /mnt/rootfs
mkdir -p /mnt/rootfs/boot/efi
mount /dev/vda1 /mnt/rootfs/boot/efi
ls /mnt/rootfs
ls /mnt/rootfs/boot/efi
# Bind the pseudo-filesystems so grub-install/update-grub work inside the chroot.
mount --bind /dev /mnt/rootfs/dev
mount --bind /dev/pts /mnt/rootfs/dev/pts
mount --bind /proc /mnt/rootfs/proc
mount --bind /sys /mnt/rootfs/sys
mount --bind /run /mnt/rootfs/run
chroot /mnt/rootfs /bin/bash
# Inside the chroot: reinstall GRUB for arm64 UEFI, write it to the ESP, regenerate its config.
apt install --reinstall grub-efi-arm64
grub-install --target=arm64-efi --efi-directory=/boot/efi --bootloader-id=Armbian --recheck
update-grub
exit
# Back in the rescue shell: tear down in reverse mount order.
umount /mnt/rootfs/dev/pts
umount /mnt/rootfs/dev
umount /mnt/rootfs/proc
umount /mnt/rootfs/sys
umount /mnt/rootfs/run
umount /mnt/rootfs/boot/efi
umount /mnt/rootfs
# Install WP-CLI and complete the WordPress setup as the web-server user.
# NOTE(review): the phar is fetched over HTTPS but not verified; the WP-CLI release
# assets include a checksum/signature for the phar that could be checked before chmod.
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp
cd /var/www/html/abc.com/wordpress
# Runs as www-data so files written during install stay owned by the web server.
# NOTE(review): --admin_password on the command line is visible in shell history and
# in the process list while it runs; WP-CLI's --prompt=admin_password reads it
# interactively instead. 'password' is the author's placeholder. The admin e-mail
# argument was mangled on this page; it should read --admin_email=<address>.
su -s /bin/sh www-data -c "wp core install --url='https://abc.com' --title='abc' --admin_user=abc --admin_password='password' [email protected]"

# wp-config.php additions (PHP, not shell). WordPress sits behind a TLS-terminating
# reverse proxy, so it is told the request is HTTPS and forced to use SSL for admin/login.
# NOTE(review): setting $_SERVER['HTTPS'] unconditionally is only right while every path
# to this backend really goes through the proxy; otherwise key it on X-Forwarded-Proto.
# FORCE_SSL_LOGIN has been folded into FORCE_SSL_ADMIN in recent WordPress versions —
# harmless to keep, presumably redundant.
$_SERVER['HTTPS'] = 'on';
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
# Self-hosted ZeroTier root ("planet") server via a community Docker project.
# NOTE(review): deploy.sh is third-party code run as-is straight after cloning;
# read it and pin a reviewed commit before running it on the edge node.
git clone https://github.com/xubiaolin/docker-zerotier-planet.git
cd docker-zerotier-planet
./deploy.sh
# Join a node (VM or edge) to the overlay network.
# NOTE(review): curl | bash runs the installer unverified; ZeroTier's install page
# also offers a GPG-verified form of this one-liner, worth using on the edge node.
curl -s https://install.zerotier.com | bash
# Presumably where the planet file from the self-hosted root is dropped in;
# the copy step itself is not shown on this page.
cd /var/lib/zerotier-one
service zerotier-one restart
# network-id is a placeholder for the 16-hex-digit network ID.
zerotier-cli join network-id
# Peers should show DIRECT rather than RELAY once hole-punching has succeeded.
zerotier-cli peers
# Backend nginx inside the VM: serves WordPress over plain HTTP only. TLS/QUIC
# listeners and the HTTPS redirect are commented out because TLS terminates at the
# edge reverse proxy; this server is meant to be reachable only over the overlay.
server {
    listen 80;
    listen [::]:80;
    # listen 443 ssl;
    # listen [::]:443 ssl;
    # listen 443 quic;
    # listen [::]:443 quic;
    server_name abc.com;
    # ssl_certificate /etc/nginx/certs/abc.com_cert.pem;
    # ssl_certificate_key /etc/nginx/certs/abc.com_key.pem;
    # if ($scheme = http) {
    #     return 301 https://$host$request_uri;
    # }
    root /var/www/html/abc.com/wordpress;
    index index.php;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        # fastcgi_pass unix:/run/php/php-fpm.sock;
        # "php" is presumably the PHP-FPM container's service name on the Docker network.
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        # fastcgi_cache my_cache;
        # add_header Cache-Control $add_cache_control;
        # NOTE(review): nothing here checks that the .php file exists before handing the
        # request to PHP-FPM; with PHP's cgi.fix_pathinfo enabled, a URI whose .php suffix
        # follows an existing non-PHP file's path can be executed. `try_files $uri =404;`
        # in this location (or cgi.fix_pathinfo=0) is the usual guard — confirm the FPM setting.
        # Alt-Svc is advertised on behalf of the edge, which is what actually listens on 443/QUIC.
        add_header Alt-Svc 'h3=":443"; ma=86400';
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|bmp|swf|eot|svg|ttf|woff|woff2|webp)$ {
        aio threads;
        add_header Cache-Control "public, max-age=2592000";
        add_header Alt-Svc 'h3=":443"; ma=86400';
        log_not_found off;
        access_log off;
    }
    # 50m here vs 1000m on the edge: the stricter backend limit wins, so the edge
    # buffers up to 1000m for uploads this server will reject anyway — worth aligning.
    client_max_body_size 50m;
}
# Edge nginx on the public node: terminates TLS (and QUIC), redirects HTTP to HTTPS
# and proxies everything to the backend at 192.168.1.110 — presumably the VM's
# overlay/LAN address. Only 80/443 are exposed here; the backend itself is not.
# ssl_protocols/ciphers/HSTS are not in this block; they may live in http{}.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    listen 443 quic;
    listen [::]:443 quic;
    server_name abc.com;
    # The private key lives on the edge only; the backend never sees it.
    ssl_certificate /etc/nginx/certs/abc.com_cert.pem;
    ssl_certificate_key /etc/nginx/certs/abc.com_key.pem;
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }
    location / {
        # Client identity is forwarded so the backend can log/limit by real address;
        # the backend should trust these headers from this proxy only.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        # Plain HTTP edge -> backend; acceptable only while that hop is the private overlay.
        proxy_pass http://192.168.1.110;
        proxy_http_version 1.1;
        # WebSocket pass-through. NOTE(review): Connection is forced to "upgrade" for
        # every request, not just those carrying Upgrade; the documented pattern is a
        # `map $http_upgrade $connection_upgrade` so ordinary requests get "close"/"" instead.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Always "https" because the HTTP listener redirects before reaching here;
        # this is what the backend's $_SERVER['HTTPS'] = 'on' relies on.
        proxy_set_header X-Forwarded-Proto https;
        add_header Alt-Svc 'h3=":443"; ma=86400';
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|bmp|swf|eot|svg|ttf|woff|woff2|webp)$ {
        proxy_pass http://192.168.1.110;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        # Static assets are cached at the edge; the my_proxy_cache zone must be declared
        # with proxy_cache_path in http{} (not shown on this page).
        proxy_cache my_proxy_cache;
        # Ask the backend for an uncompressed copy so one cached object serves every client.
        proxy_set_header Accept-Encoding "";
        aio threads;
        # add_header Cache-Control $add_cache_control;
        add_header Alt-Svc 'h3=":443"; ma=86400';
        log_not_found off;
        access_log off;
    }
    # NOTE(review): 1000m is far above the backend's 50m and lets a client push up to
    # 1 GB through the edge before the backend rejects it; matching the backend limit
    # here shrinks that resource exposure.
    client_max_body_size 1000m;
}
THE END