安装代理模块
nginx 官方没有支持正向代理的模块,只能通过加载第三方模块来实现
- 安装依赖
# Build dependencies for the ./configure step further down: openssl-devel backs
# --with-stream_ssl_module / --with-stream_ssl_preread_module, pcre-devel backs nginx's
# regex-based http modules.
yum -y install pcre-devel openssl openssl-devel
- 下载二进制包
https://nginx.org/download/nginx-1.22.1.tar.gz
https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v0.0.3.tar.gz
- 安装 patch
# patch(1) is needed to apply the module's nginx source patch in the build step below.
yum install -y patch
- 编译安装
# 将nginx和ngx_http_proxy_connect_module解压到 /opt 目录下
[root@VM-0-17-centos opt]# ls
ngx_http_proxy_connect_module nginx-1.22.1
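# Patch the nginx source with ngx_http_proxy_connect_module and build nginx with the module.
# Both trees were unpacked under /opt (see the ls output above). The tarballs are fetched without
# an integrity check; compare them with the checksums/signatures published upstream before
# unpacking. The patch file must match the nginx version series (the module's README lists which
# patch goes with which nginx release); a rejected patch or a failed configure stops the sequence
# so that 'make install' never runs on a half-built tree.
cd /opt/nginx-1.22.1 || exit 1
patch -p1 < /opt/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_102101.patch || exit 1
./configure --prefix=/opt/nginx \
  --add-module=/opt/ngx_http_proxy_connect_module \
  --with-stream \
  --with-stream_ssl_preread_module \
  --with-stream_ssl_module || exit 1
make && make install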
透明代理配置
修改配置文件:/opt/nginx/conf/nginx.conf
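# http: explicit forward proxy (CONNECT via ngx_http_proxy_connect_module) plus plain-HTTP relay
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    keepalive_timeout 65;

    server {
        listen 80;

        # Destination names come straight from the client (CONNECT target / Host header) and are
        # resolved here, so this resolver decides where egress traffic goes. The public 114 DNS
        # is kept from the original setup; an internal resolver the operator controls is preferable.
        resolver 114.114.114.114;

        # Without an access list this server is an open proxy for every host that can reach port 80.
        # 172.18.0.0/16 is a constructed example covering the intranet addresses used in this guide;
        # replace it with the real client range. Confirm in your build that the access phase also
        # gates CONNECT requests handled by proxy_connect.
        allow 172.18.0.0/16;
        deny  all;

        proxy_connect;
        proxy_connect_allow 443;            # CONNECT tunnels only to port 443
        proxy_connect_connect_timeout 10s;
        proxy_connect_read_timeout    10s;
        proxy_connect_send_timeout    10s;

        location / {
            # $host is client-supplied: plain HTTP is relayed to whatever Host the client asked for,
            # including internal addresses. A map-based whitelist (see the 域名白名单 section)
            # limits which names may be reached.
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }
}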
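# https: SNI-based TCP passthrough. TLS is not terminated here, so the origin's own certificate
# reaches the client unchanged.
stream {
    resolver 114.114.114.114;

    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;

        # Same access list as the http block: without it any client can relay to any SNI name.
        # 172.18.0.0/16 is a constructed example; replace it with the real client range.
        allow 172.18.0.0/16;
        deny  all;

        # The ClientHello SNI chooses the destination on the same port the client connected to.
        # A missing SNI presumably leaves the variable empty and the connection is dropped —
        # verify in the error log. A map-based whitelist (see the 域名白名单 section) limits
        # which names may be reached.
        proxy_pass $ssl_preread_server_name:$server_port;
    }
}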
客户端配置
修改 hosts,将需要访问的域名解析到 NG 所在的机器
172.18.0.17 cip.cc
测试
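# The stream relay passes TLS through unchanged, so the client sees cip.cc's own certificate and
# normal verification should succeed. -k (skip verification) would hide a proxy that terminates
# or redirects TLS, so the test runs with verification on.
curl https://cip.cc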
转发链路
场景:外层 NG 无法提供80/443端口,只能提供普通端口,内部请求也必须通过多层的NG转发
请求链路:内网机器 ==>> 内网NG1(80、443)==>> 内网NG2(8080、8081)==>> 外层NG(8080、8081)
- 内网 NG1 配置
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    keepalive_timeout 65;

    # NG1: intranet entry point. Plain HTTP is handed to NG2 (172.18.1.10:8080).
    # NOTE(review): proxy_connect appears to open the CONNECT target from this host directly
    # rather than through NG2 — confirm that is intended for the multi-hop scenario.
    server {
        listen 80;
        resolver 114.114.114.114;

        proxy_connect;
        proxy_connect_allow 443;
        proxy_connect_connect_timeout 10s;
        proxy_connect_read_timeout    10s;
        proxy_connect_send_timeout    10s;

        location / {
            proxy_pass http://172.18.1.10:8080;
            proxy_set_header Host $host;
        }
    }
}
stream {
    resolver 114.114.114.114;

    # NG1: TLS passthrough, every port-443 connection is forwarded unchanged to NG2
    # (172.18.1.10:8081). ssl_preread is not used for routing here (fixed destination); the
    # SNI stays inside the forwarded bytes for the downstream hops.
    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass 172.18.1.10:8081;
    }
}
- 内网 NG2 配置
# NG2: http relay to the outer NG (snippet; belongs inside an http { } block)
server {
    listen 8080;

    location / {
        proxy_pass http://172.18.0.17:8080;   # outer NG
        proxy_set_header Host $host;
    }
}
stream {
    resolver 114.114.114.114;

    # NG2: TLS passthrough to the outer NG (172.18.0.17:8081); nothing is inspected or rewritten
    server {
        listen 8081;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass 172.18.0.17:8081;
    }
}
- 外层 NG 配置
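# Outer NG: http egress relay (snippet; belongs inside an http { } block).
server {
    listen 8080;
    server_name localhost;

    # The name in $http_host / the CONNECT target is resolved here, so this resolver decides where
    # egress traffic goes; the public 114 DNS is kept from the original setup, a resolver the
    # operator controls is preferable.
    resolver 114.114.114.114;

    # Only NG2 (172.18.1.10, the upstream named in the NG1 config) forwards traffic here.
    # $http_host and the CONNECT target are taken from the request, so an unrestricted listener on
    # an edge host is an open proxy. Confirm in your build that the access phase also gates
    # CONNECT requests handled by proxy_connect.
    allow 172.18.1.10;
    deny  all;

    proxy_connect;
    proxy_connect_allow 443 80;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout    10s;
    proxy_connect_send_timeout    10s;

    location / {
        # Destination is rebuilt from the client's Host header. The 8081 stream path gets a domain
        # whitelist in the 域名白名单 section; this http path has none — add a map on $http_host
        # if plain-HTTP egress must be limited to known names as well.
        proxy_pass $scheme://$http_host$request_uri;
    }
}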
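stream {
    resolver 114.114.114.114;

    # Outer NG: TLS passthrough to whatever SNI name the ClientHello carries, always on port 443
    server {
        listen 8081;
        ssl_preread on;
        proxy_connect_timeout 5s;

        # Only NG2 (172.18.1.10) forwards traffic here; without an access list any client that
        # reaches 8081 can relay to any host on 443.
        allow 172.18.1.10;
        deny  all;

        proxy_pass $ssl_preread_server_name:443;
    }
}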
域名白名单
场景:限制透明代理转发的域名,只允许指定域名出网
修改出口 NG 配置:stream
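stream {
    resolver 114.114.114.114;

    # SNI whitelist: only the listed names get a backend. Anything else maps to the default
    # (empty) value, so proxy_pass has no destination and the connection is closed — that is the
    # intended deny; `default ""` makes it explicit. The match is on the client-supplied SNI and
    # the destination is derived from the same name, so a spoofed SNI can only reach a listed host.
    map $ssl_preread_server_name $backend_pool {
        default                  "";
        qyapi.weixin.qq.com      qyapi.weixin.qq.com:443;
        nlp.tencentcloudapi.com  nlp.tencentcloudapi.com:443;
        open.work.weixin.qq.com  open.work.weixin.qq.com:443;
    }

    server {
        listen 8081;
        ssl_preread on;
        proxy_connect_timeout 5s;

        # Restrict callers to NG2 (172.18.1.10) in addition to the name whitelist.
        allow 172.18.1.10;
        deny  all;

        proxy_pass $backend_pool;
    }
}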