Simple nginx TCP proxy

Author: 运维狗Bazinga | Published: 2018-12-17 22:16

Required modules

ngx_stream_core_module
ngx_stream_ssl_module

I originally used a different module, nginx_tcp_proxy_module, but it does not support recent nginx versions and fails to compile.

ngx_stream_core_module
The ngx_stream_core_module module is available since version 1.9.0. This module is not built by default; it should be enabled with the --with-stream configuration parameter.

ngx_stream_ssl_module

The ngx_stream_ssl_module module (1.9.0) provides the necessary support for a stream proxy server to work with the SSL/TLS protocol. This module is not built by default; it should be enabled with the --with-stream_ssl_module configuration parameter.

Build commands

./configure --with-stream --with-stream_ssl_module
make
make install

Basic configuration

worker_processes auto;

error_log /var/log/nginx/error.log info;

events {
    worker_connections  1024;
}

stream {
    upstream backend {
        hash $remote_addr consistent;

        server backend1.example.com:12345 weight=5;
        server 127.0.0.1:12345            max_fails=3 fail_timeout=30s;
        server unix:/tmp/backend3;
    }

    upstream dns {
       server 192.168.0.1:53535;
       server dns.example.com:53;
    }

    server {
        listen 12345;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass backend;
    }

    server {
        listen 127.0.0.1:53 udp reuseport;
        proxy_timeout 20s;
        proxy_pass dns;
    }

    server {
        listen [::1]:12345;
        proxy_pass unix:/tmp/stream.socket;
    }
}

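SSL configuration

stream {

    ...

    server {
        listen              12345 ssl;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); the RC4 and 3DES suites
        # below are broken or weak, and none of these suites offers forward secrecy.
        # Restrict both directives before using this listener in production.
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        ...
    }
}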

My actual configuration

vi nginx.conf
stream {
    include vhosts/tcp/*.conf;
}

===

vi vhosts/tcp/test.conf
upstream tcp-server {
        server  192.168.0.1:1234;
        server  192.168.0.2:1234;
        server  192.168.0.3:1234;
}

server{
        listen 1234 ssl;
        ssl_certificate /usr/local/openresty/nginx/conf/key/xx.crt;
        ssl_certificate_key /usr/local/openresty/nginx/conf/key/xx.key;
        ssl_session_timeout  10m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        proxy_pass tcp-server;
}
