Required modules
ngx_stream_core_module
ngx_stream_ssl_module
Originally I used a different module called nginx_tcp_proxy_module, but that module does not support recent nginx versions and fails to compile.
ngx_stream_core_module
The ngx_stream_core_module module is available since version 1.9.0. This module is not built by default, it should be enabled with the --with-stream configuration parameter.
The ngx_stream_ssl_module module (1.9.0) provides the necessary support for a stream proxy server to work with the SSL/TLS protocol. This module is not built by default, it should be enabled with the --with-stream_ssl_module configuration parameter.
Build commands
./configure --with-stream --with-stream_ssl_module
make
make install
Simple configuration
worker_processes auto;
error_log /var/log/nginx/error.log info;
events {
    worker_connections 1024;
}
stream {
    upstream backend {
        hash $remote_addr consistent;
        server backend1.example.com:12345 weight=5;
        server 127.0.0.1:12345 max_fails=3 fail_timeout=30s;
        server unix:/tmp/backend3;
    }
    upstream dns {
        server 192.168.0.1:53535;
        server dns.example.com:53;
    }
    server {
        listen 12345;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass backend;
    }
    server {
        listen 127.0.0.1:53 udp reuseport;
        proxy_timeout 20s;
        proxy_pass dns;
    }
    server {
        listen [::1]:12345;
        proxy_pass unix:/tmp/stream.socket;
    }
}
SSL configuration
stream {
    ...
    server {
        listen 12345 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ...
    }
}
My actual configuration
vi nginx.conf
stream {
    include vhosts/tcp/*.conf;
}
===
vi vhosts/tcp/test.conf
upstream tcp-server {
    server 192.168.0.1:1234;
    server 192.168.0.2:1234;
    server 192.168.0.3:1234;
}
server {
    listen 1234 ssl;
    ssl_certificate /usr/local/openresty/nginx/conf/key/xx.crt;
    ssl_certificate_key /usr/local/openresty/nginx/conf/key/xx.key;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    proxy_pass tcp-server;
}
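The SSL configuration above enables TLS 1.0/1.1 together with RC4, 3DES and MD5 suites, and the actual configuration leaves ssl_protocols at its version-dependent default. The following is an added example (not from the original post or the nginx documentation) of the same stream server with protocols and ciphers pinned; the cipher list, the session-ticket setting and the commented upstream re-encryption lines with the path backend-ca.crt are assumptions.

```nginx
# Added example; goes inside the stream { } block (e.g. vhosts/tcp/test.conf).
upstream tcp-server {
    server 192.168.0.1:1234;
    server 192.168.0.2:1234;
    server 192.168.0.3:1234;
}

server {
    listen 1234 ssl;

    ssl_certificate     /usr/local/openresty/nginx/conf/key/xx.crt;
    ssl_certificate_key /usr/local/openresty/nginx/conf/key/xx.key;

    # Weak settings from the SSL configuration above, kept for comparison:
    #   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #   ssl_ciphers   AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    # TLS 1.0/1.1 are deprecated, RC4/3DES/MD5 suites are weak, and every
    # suite in that list uses RSA key exchange (no forward secrecy).

    # Pin the protocols instead of relying on the version-dependent default.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only (assumed list).
    # ssl_ciphers does not select TLS 1.3 suites; those use the library defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    # Assumption: ticket keys are not rotated, so disable session tickets.
    ssl_session_tickets off;

    proxy_connect_timeout 1s;
    proxy_pass tcp-server;

    # TLS terminates here, so traffic to 192.168.0.x:1234 is plaintext.
    # If the backends speak TLS (assumption), re-encrypt and verify them:
    # proxy_ssl on;
    # proxy_ssl_verify on;
    # proxy_ssl_trusted_certificate /usr/local/openresty/nginx/conf/key/backend-ca.crt;  # hypothetical path
}
```

Run nginx -t after editing to validate the configuration before reloading.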