Signed-off-by: SilverAg.L <caclx@outlook.com>
This commit is contained in:
@@ -8,10 +8,12 @@
|
||||
|
||||
## 硬件加速,硬件呢
|
||||
|
||||
我是 Linux Docker 部署的。由于因特耳的核显驱动闭源,**官版 Docker 容器搞起来后还需要`exec -it`进去装 Intel 驱动**。即便是`nyanmisaka`版开箱即用 Jellyfin 镜像,也需要**手动映射渲染节点**(他们就没设置过`render`用户组,若要**映射整个`/dev/dri`后续就需要进去`groupadd`**)。
|
||||
我是 Linux Docker 部署的。由于因特耳的核显驱动闭源,**官版 Docker 容器搞起来后还需要`exec -it`进去装 Intel 驱动**;即便是`nyanmisaka`版开箱即用 Jellyfin 镜像,也需要**手动映射渲染节点**[^renderD128]。
|
||||
|
||||
[^renderD128]: 非要映射整个`/dev/dri`也可以,那样后续仍然**可能**需要进入容器里创建`render`组。并且由于`nyanmisaka`版镜像并没有对用户组做特别设置,如需映射渲染节点做硬件解码,就**不允许指定用户(组)运行**。
|
||||
|
||||
::: details docker-compose.yml
|
||||
See [AgxCOy@liteyuki/agserver.svc](https://git.liteyuki.org/AgxCOy/agserver.svc).
|
||||
以下是最简配置。如果预计暴露到公网上,建议再加上额外的安全措施,**尤其注意收紧容器的执行权限和性能分配**。
|
||||
```yaml
|
||||
services:
|
||||
jellyfin:
|
||||
@@ -19,19 +21,18 @@ services:
|
||||
container_name: jellyfin
|
||||
network_mode: 'host'
|
||||
volumes:
|
||||
- /var/lib/jellyfin:/config
|
||||
- jellyfin-config:/config
|
||||
- jellyfin-cache:/cache
|
||||
- /media:/media
|
||||
- /home/http/media:/media:ro,nosuid,nodev # recursive 'rx'
|
||||
# - /dev/dri/renderD128:/dev/dri/renderD128
|
||||
- type: bind
|
||||
source: /usr/share/fonts/opentype
|
||||
target: /usr/local/share/fonts/custom
|
||||
read_only: true
|
||||
devices:
|
||||
- /dev/dri/renderD128:/dev/dri/renderD128
|
||||
- /dev/dri/renderD128:/dev/dri/renderD128:rw
|
||||
#- /dev/dri/card0:/dev/dri/card0
|
||||
restart: 'unless-stopped'
|
||||
# Optional - alternative address used for autodiscovery
|
||||
# environment:
|
||||
# - JELLYFIN_PublishedServerUrl=
|
||||
extra_hosts:
|
||||
@@ -39,6 +40,8 @@ services:
|
||||
volumes:
|
||||
jellyfin-cache:
|
||||
driver: local
|
||||
jellyfin-config:
|
||||
driver: local
|
||||
```
|
||||
:::
|
||||
|
||||
@@ -148,57 +151,14 @@ epub 的 mimetype 通常标`application/epub+zip`,说明其本质是压缩包
|
||||
|
||||
AI 对此的解法是在 frp 这里记录下真实 IP。我选配的服务商支持 Proxy Protocol,也更推荐这么实现。但在实地测试后,发现 Jellyfin 并不直接支持 Proxy Protocol,那么就只能在 frpc 跟 Jellyfin 之间多加一层 nginx 做反向代理了(frps 显然我是动不了的)。
|
||||
|
||||
方法很简单,frp 侧仍旧启用 Proxy Protocol,在 nginx 里剥离真实 ip。我是在 Ubuntu Server 上安装的 nginx,据称已集成`real-ip`模块。那么编辑`/etc/nginx/sites-enabled/default`(我是图方便直接原地开刀了):
|
||||
方法很简单,frp 侧仍旧启用 Proxy Protocol,在 nginx 里剥离真实 ip。参见[官方文档](https://jellyfin.org/docs/general/post-install/networking/reverse-proxy/nginx)。
|
||||
|
||||
后来考虑到挂 web 的静态资源安全(防止意外删改),就顺势收紧 Jellyfin 容器的权限和性能分配。其中桥接网络让我想起最初的小巧思:我把 frp 挂在中间机器上,流量物理上不走内网不就好了。最终搭起来看了一眼日志,貌似连`nginx`都不需要了:
|
||||
```log
|
||||
[2026-03-09 10:08:57.650 +00:00] [INF] [23] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "172.17.0.1" closed
|
||||
[2026-03-09 10:08:58.280 +00:00] [INF] [28] Emby.Server.Implementations.HttpServer.WebSocketManager: WS "172.17.0.1" request
|
||||
[2026-03-09 10:09:00.493 +00:00] [INF] [24] Jellyfin.Api.Controllers.UniversalAudioController: ...
|
||||
[2026-03-09 10:09:00.495 +00:00] [INF] [24] Jellyfin.Api.Helpers.MediaInfoHelper: ...
|
||||
[2026-03-09 10:09:00.495 +00:00] [INF] [24] Jellyfin.Api.Helpers.MediaInfoHelper: RemoteClientBitrateLimit: 6000000, RemoteIP: "172.17.0.1", IsInLocalNetwork: False
|
||||
```
|
||||
server {
|
||||
listen 8097 proxy_protocol;
|
||||
listen [::]:8097 proxy_protocol;
|
||||
set_real_ip_from 127.0.0.1;
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
server_name _;
|
||||
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:8096;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_buffering off;
|
||||
}
|
||||
|
||||
location /socket {
|
||||
proxy_pass http://127.0.0.1:8096;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
}
|
||||
|
||||
# Jellyfin 推荐给真实客户端信息“打码”
|
||||
access_log /var/log/nginx/access.log stripsecrets;
|
||||
}
|
||||
|
||||
# 为了解说方便把 http 块里的全局“打码”配置拉下来叻(本文件本来就嵌套在 http 块)。
|
||||
# 不清楚先后顺序有没有影响。
|
||||
log_format stripsecrets '$remote_addr $host - $remote_user [$time_local] '
|
||||
'"$secretfilter" $status $body_bytes_sent '
|
||||
'$request_length $request_time $upstream_response_time '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
|
||||
map $request $secretfilter {
|
||||
~*^(?<prefix1>.*[\?&]api_key=)([^&]*)(?<suffix1>.*)$ "${prefix1}***$suffix1";
|
||||
~*^(?<prefix1>.*[\?&]ApiKey=)([^&]*)(?<suffix1>.*)$ "${prefix1}***$suffix1";
|
||||
default $request;
|
||||
}
|
||||
```
|
||||
注意到最后一句`IsInLocalNetwork: False`,它似乎并不认为 Docker 容器的桥接网段是内网网段。这样一来连 frp 隧道都不需要动,天然就完成了我的小巧思。
|
||||
|
||||
Reference in New Issue
Block a user