nginx 透明代理

作者: 薄荷盐 | 来源:发表于2023-03-28 18:37 被阅读0次

nginx做代理上网
nginx常用功能全揭秘
Nginx
二、架构02-Nginx的反向代理、虚拟主机
前端配置代理proxy、nginx，解决跨域问题
代理、转发
Nginx调度器以及相关优化
nginx代理，负载均衡以及https配置
记录Nginx反向代理常用配置
nginx

安装代理模块

nginx 官方没有支持正向代理的模块，只能通过加载第三方模块来实现

安装依赖

yum -y install pcre-devel openssl openssl-devel

下载二进制包

https://nginx.org/download/nginx-1.22.1.tar.gz
https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v0.0.3.tar.gz

安装 patch

yum install -y patch

编译安装

# 将nginx和ngx_http_proxy_connect_module解压到 /opt 目录下
[root@VM-0-17-centos opt]# ls
ngx_http_proxy_connect_module nginx-1.22.1
# 加载 ngx_http_proxy_connect_module
cd nginx-1.22.1/
patch -p1 < /opt/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_102101.patch
./configure --prefix=/opt/nginx --add-module=/opt/ngx_http_proxy_connect_module --with-stream --with-stream_ssl_preread_module --with-stream_ssl_module
make && make install

透明代理配置

修改配置文件：/opt/nginx/conf/nginx.conf

# http
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    
    # http
    server {
        listen       80;
     resolver  114.114.114.114;
     proxy_connect;
     proxy_connect_allow            443;
     proxy_connect_connect_timeout  10s;
     proxy_connect_read_timeout     10s;
     proxy_connect_send_timeout     10s;
     location / {
         proxy_pass http://$host;
         proxy_set_header Host $host;
     }
    }
}

# https
stream {
    resolver 114.114.114.114;
    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $ssl_preread_server_name:$server_port;
    }
}

客户端配置

修改 hosts，将需要访问的域名解析到 NG 所在的机器

172.18.0.17 cip.cc

测试

curl -k  https://cip.cc

转发链路

场景：外层 NG 无法提供80/443端口，只能提供普通端口，内部请求也必须通过多层的NG转发

请求链路：内网机器 ==>> 内网NG1（80、443）==>> 内网NG2（8080、8081）==>> 外层NG（8080、8081）

内网 NG1 配置

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
     resolver  114.114.114.114;
     proxy_connect;
     proxy_connect_allow            443;
     proxy_connect_connect_timeout  10s;
     proxy_connect_read_timeout     10s;
     proxy_connect_send_timeout     10s;
     location / {
         proxy_pass http://172.18.1.10:8080;
         proxy_set_header Host $host;
     }
    }
}

stream {
    resolver 114.114.114.114;
    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass 172.18.1.10:8081;
    }
}

内网 NG2 配置

    server {
     listen       8080;
     location / {
         proxy_pass http://172.18.0.17:8080;
         proxy_set_header Host $host;
     }
    }
    
stream {
    resolver 114.114.114.114;
    server {
        listen 8081;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass 172.18.0.17:8081;
    }
}

外层 NG 配置

server {
    listen                           8080;
    server_name                      localhost;
    resolver                         114.114.114.114;
    proxy_connect;
    proxy_connect_allow              443 80;
    proxy_connect_connect_timeout    10s;
    proxy_connect_read_timeout       10s;
    proxy_connect_send_timeout       10s;
    location / {
        proxy_pass $scheme://$http_host$request_uri;
    }
}

stream {
    resolver 114.114.114.114;
    server {
        listen 8081;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $ssl_preread_server_name:443;
    }
}

域名白名单

场景：限制透明代理转发的域名，只允许指定域名出网

修改出口 NG 配置：stream

stream {
    resolver 114.114.114.114;
    
    map $ssl_preread_server_name $backend_pool {
        qyapi.weixin.qq.com qyapi.weixin.qq.com:443;
        nlp.tencentcloudapi.com  nlp.tencentcloudapi.com:443;
        open.work.weixin.qq.com open.work.weixin.qq.com:443;
    }

    server {
        listen 8081;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $backend_pool;
    }
}