No public IP is required, and there is no need to renew certificates by hand. The server used in this article runs Debian 12.
- Register a Cloudflare account
Add your domain in the control panel (Add site).
Happy to choose the free option 😎 Cloudflare is awesome.
- Change the domain's NS to Cloudflare
Follow the tutorial, here is a brief explanation...
- Install the Cloudflare Zero Trust tunnel
https://one.dash.cloudflare.com/
Select Access->Tunnels in order
Follow the documentation for installation
- After installation, select Public Hostname->Add your own domain
Here is an example, add your own subdomain
Include the complete subdomain in the HTTP header
- Install docker
Using apt (Debian based)

```bash
# Add Docker's official GPG key:
apt-get update
apt-get install ca-certificates curl gnupg -y
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
```
For other platforms, please refer to
https://www.docker.com/products/docker-desktop/
- Write the docker-compose file
Create a new folder named rsshub, open it, and create docker-compose.yml
Replace the ACCESS_KEY value with your own key
```yaml
services:
    rsshub:
        image: diygod/rsshub
        container_name: "rsshub"
        restart: always
        ports:
            # host:container port on which RSSHub is published
            - '1200:1200'
        environment:
            NODE_ENV: production
            CACHE_TYPE: redis
            REDIS_URL: 'redis://redis:6379/'
            PUPPETEER_WS_ENDPOINT: 'ws://browserless:3000'
            DEBUG_INFO: false
            ALLOW_LOCALHOST: false
            # Change this value; it is the key passed as ?key=... in feed URLs
            ACCESS_KEY: your_pass_key_here
        depends_on:
            - redis
            - browserless
    browserless:
        image: browserless/chrome
        container_name: "browserless"
        restart: always
        ulimits:
            core:
                hard: 0
                soft: 0
    redis:
        image: redis:alpine
        container_name: "redis"
        restart: always
        volumes:
            - redis-data:/data
volumes:
    redis-data:
```
Save, then run docker compose up -d
The service is now running. Open your domain and the RSSHub default page should be displayed.
Deployment is complete. From now on, when you subscribe to your own feeds, use https://${your_domain}/${subscription_path}?key=your_ACCESS_KEY
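Added example (not from the original article or the RSSHub project): the URL form above puts the raw ACCESS_KEY into every feed URL, so one leaked URL exposes the key for all routes. This sketch assumes RSSHub's per-route access code, `code=md5(route path + ACCESS_KEY)` computed over the path without its query string, and builds feed URLs that carry only that code. The function names, domain, route and key are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Assumption: RSSHub accepts ?code=md5(<route path> + <ACCESS_KEY>) in place
# of ?key=<ACCESS_KEY>, hashing the path only (no query string).

# Random 48-hex-character value for the ACCESS_KEY line in docker-compose.yml.
gen_access_key() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print the access code for one route ($1) and key ($2).
access_code() {
    path=${1%%\?*}          # drop any ?query part before hashing
    printf '%s%s' "$path" "$2" | md5sum | cut -d' ' -f1
}

# Print the full feed URL for a domain, route and key.
feed_url() {
    domain=$1 route=$2 key=$3
    case $route in
        /*) ;;
        *)  route="/$route" ;;  # routes are hashed with their leading slash
    esac
    code=$(access_code "$route" "$key")
    case $route in
        *\?*) sep='&' ;;        # route already has query parameters
        *)    sep='?' ;;
    esac
    printf 'https://%s%s%scode=%s\n' "$domain" "$route" "$sep" "$code"
}

# Constructed sample values: domain, route and key are placeholders.
feed_url rss.example.com 'github/issue/DIYgod/RSSHub?limit=5' 'constructed-sample-key'
```

A code generated this way is only valid for its own route, so sharing one feed URL does not reveal the key that protects the others.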
Advanced usage:
Add an additional local WAF layer using Thunder Trench (Chaitin's SafeLine WAF)
- Uninstall nginx/apache/caddy on your local machine to free up ports 80 and 443
- Install Thunder Trench
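bash -c "$(curl -fsSLk https://waf-ce.chaitin.cn/release/latest/setup.sh)"
Note that the -k flag makes curl skip TLS certificate verification when it downloads the installer.
Thunder Trench management page
https://localhost:9443/
Forward the server's port 9443 over SSH so that this address opens normally on your own machine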
- Add the domain on port 80 in Thunder Trench as a reverse proxy
Change the port in Tunnels to 80
- Add a certificate in Thunder Trench
Thunder Trench general configuration->Certificate management
- Add port 443 in Thunder Trench
Use the certificate
Change the port in Tunnels to 443
Now you can open the RSSHub page over HTTPS, and the traffic reaching your server is filtered by the WAF first, making it more secure.
After confirming that HTTPS is working, enable HTTP/2 and force HTTPS
Remember to set Thunder Trench's source IP acquisition method to read from an HTTP header, and fill in X-Forwarded-For
Enable HTTP/2 in the tunnel settings
The setup is now complete. Because Thunder Trench comes with statistics and protection, you get a better view of the site's operational status and of whether it is being abused.