Nginx forwarding of TLS and TCP
The nginx version used is 1.22.0. The preread_by_lua_block and lua_add_variable directives in the TCP example come from the OpenResty stream Lua module (ngx_stream_lua), which has to be built into that nginx; everything else is the stock stream module.
forward tcp
Look at the first 4 bytes of the connection to decide where to forward it. peek only inspects the preread buffer; it does not consume anything, so the upstream still receives the whole stream, those 4 bytes included. The requested size must fit in preread_buffer_size, and peek waits up to preread_timeout for the bytes to arrive.
stream {
    upstream serverA {
        server 127.0.0.1:8001;
    }
    upstream serverB {
        server 127.0.0.1:8002;
    }
    # Declare the variable so the Lua block can assign it and proxy_pass can read it.
    lua_add_variable $proxy;
    server {
        listen 11301;
        preread_by_lua_block {
            local sock = ngx.req.socket()
            -- peek() returns the first 4 bytes without consuming them; it returns
            -- nil, err if the client closes or preread_timeout expires first.
            local data, err = sock:peek(4)
            if not data then
                ngx.log(ngx.ERR, "preread failed: ", err)
                return ngx.exit(ngx.ERROR)
            end
            if data == "serA" then
                ngx.var.proxy = "serverA"
            else
                ngx.var.proxy = "serverB"
            end
        }
        proxy_pass $proxy;
    }
}
forward tls
Route on the TLS server name (SNI) that the client sends in its ClientHello; map entries can be exact names or regular expressions. nginx does not terminate TLS here: ssl_preread only parses the ClientHello and the handshake itself goes through to the chosen upstream, which therefore has to hold the certificate for that name. The SNI is unauthenticated client input, so every name you do not list should land on a deliberate default; with no default and no match, $targetBackend is empty, proxy_pass has no destination and nginx closes the connection.
In the same way, TLS-based gRPC can be forwarded, since at this layer it is just a TLS stream (nginx also has a separate HTTP-layer gRPC proxy, ngx_http_grpc_module, which is not used here).
# Inside the stream { } block. Exact names are tried before the ~ regexes, which
# are tried in the order written; there is no default here, so an unmatched SNI
# drops the connection. Add "default <upstream>;" if you want a fallback.
map $ssl_preread_server_name $targetBackend {
    ~^org11(.*) node1;
    ~^org22(.*) node1;
    org1 node1;
    org2 node2;
    org3 node1-grpc;
}
upstream node1 {
    server 127.0.0.1:11301;
}
upstream node2 {
    server 127.0.0.1:11302;
}
upstream node1-grpc {
    server 127.0.0.1:12301;
}
# access_log needs a declared format; the original fragment referenced "proxy"
# without defining it, so a minimal one is added here.
log_format proxy '$remote_addr [$time_local] sni=$ssl_preread_server_name -> $targetBackend';
server {
    listen 18301;
    # Parse the ClientHello without handshaking; the TLS session is passed
    # through end-to-end to the selected upstream.
    ssl_preread on;
    proxy_pass $targetBackend;
    access_log logs/access.log proxy;
}
The server name can also be read dynamically in Lua, but only where nginx itself terminates TLS (a listen ... ssl server, e.g. in ssl_client_hello_by_lua_block or ssl_certificate_by_lua_block), using the ngx.ssl module from lua-resty-core; it is not available under ssl_preread, where nginx never handshakes:
local ngx_ssl = require "ngx.ssl"
local server_name, err = ngx_ssl.server_name()
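As an added, offline example (not code from the page or from nginx), the following Python models both pre-read decisions described above: the 4-byte peek rule from the TCP section and the ssl_preread SNI lookup with the map entries from the TLS section. It includes a ClientHello parser that extracts the SNI the way ssl_preread does, and a constructed ClientHello builder so it runs without a network. The backend names mirror the configs above; route_preread is an assumed helper that combines the two rules and is not an nginx API.

```python
import re
import struct

# Constructed backend table mirroring the page's "map $ssl_preread_server_name".
# nginx tries an exact string match first, then the ~ regexes in the order
# written, then "default"; the page's map has no default, so None here stands
# for "empty $targetBackend -> connection closed".
SNI_EXACT = {"org1": "node1", "org2": "node2", "org3": "node1-grpc"}
SNI_REGEX = [(re.compile(r"^org11(.*)"), "node1"),
             (re.compile(r"^org22(.*)"), "node1")]


def route_tcp(first_bytes: bytes) -> str:
    """The preread_by_lua rule: peek(4) == "serA" selects serverA, else serverB."""
    return "serverA" if first_bytes[:4] == b"serA" else "serverB"


def route_sni(server_name):
    """Apply the map rules to an SNI name; None means nothing matched."""
    if server_name is None:
        return None
    backend = SNI_EXACT.get(server_name.lower())  # nginx lowercases for the string lookup
    if backend is not None:
        return backend
    for rx, backend in SNI_REGEX:
        if rx.search(server_name):
            return backend
    return None


def parse_sni(data: bytes):
    """Extract the SNI host name from a TLS ClientHello record, as ssl_preread does.

    Returns None for anything that is not a complete, well-formed ClientHello
    carrying a server_name extension (including a peek that is too short).
    """
    if len(data) < 5 or data[0] != 0x16:                      # record type 22 = handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or len(rec) < 4 or rec[0] != 0x01:  # handshake type 1 = ClientHello
        return None
    hs = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    pos = 2 + 32                                               # client_version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                         # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]         # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                         # compression_methods
    if len(hs) < pos + 2:                                      # no extensions block
        return None
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(hs):
        return None
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if etype != 0 or len(edata) < 2:                       # extension 0 = server_name
            continue
        names = edata[2:2 + struct.unpack("!H", edata[:2])[0]]
        i = 0
        while i + 3 <= len(names):
            ntype, nlen = names[i], struct.unpack("!H", names[i + 1:i + 3])[0]
            name = names[i + 3:i + 3 + nlen]
            if ntype == 0 and len(name) == nlen:               # host_name entry
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
            i += 3 + nlen
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello with one SNI entry (test input)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                  # version, all-zero random (constructed)
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def route_preread(data: bytes):
    """Assumed helper: a buffer that starts like a TLS handshake record is routed
    by SNI, anything else by the 4-byte tag rule."""
    if data[:1] == b"\x16":
        return ("tls", route_sni(parse_sni(data)))
    return ("tcp", route_tcp(data))


if __name__ == "__main__":
    for sample in (b"serApayload", b"GET / HTTP/1.0\r\n",
                   build_client_hello("org22-extra"), build_client_hello("nobody")):
        print(sample[:8], route_preread(sample))
```

The truncated-buffer case matters in practice: a peek that returns fewer bytes than the record length yields None, which is the situation ssl_preread avoids by buffering the full ClientHello before the map is evaluated.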
tcp to tls forwarding and then to tcp
client –(tcp)–> client nginx –(tls)–> server nginx –(tcp)–> server
The client-side nginx wraps the connection in TLS towards the server-side nginx, sending the name given by proxy_ssl_name as SNI; the server-side nginx terminates TLS, routes on $ssl_server_name and forwards plaintext to the local task port. Two things to check in this setup. First, proxy_ssl_verify defaults to off, so as written the client nginx does not verify the server nginx's certificate and the TLS hop is open to a man-in-the-middle; enable proxy_ssl_verify with proxy_ssl_trusted_certificate pointing at the CA that signed the server certificate, and make sure the name in proxy_ssl_name is present in that certificate. Second, the client nginx server blocks below use listen ... ssl, so the client hop is TLS as well, not the plain TCP shown in the diagram; drop ssl and the ssl_certificate* directives there if the client really speaks plaintext.
Server nginx configuration
# This config file sets up the proxy for aby3's party 0.
stream {
    # SNI name presented by the client nginx (its proxy_ssl_name) -> task upstream.
    # No default: an unmatched name leaves $stream_map empty and the connection is closed.
    map $ssl_server_name $stream_map {
        aby3_task_1 upstream_task_1;
        aby3_task_2 upstream_task_2;
    }
    upstream upstream_task_1 {
        server 127.0.0.1:1313;
    }
    upstream upstream_task_2 {
        server 127.0.0.1:1314;
    }
    server {
        # nginx terminates TLS here, so the SNI is in $ssl_server_name (not
        # $ssl_preread_server_name) and ssl_preread must stay off.
        listen 8185 ssl;
        ssl_certificate /home/chainmaker/nginx-cfg/cert/server1.crt;
        ssl_certificate_key /home/chainmaker/nginx-cfg/cert/server1.key;
        proxy_pass $stream_map;
        # plaintext from here to the task process
        proxy_ssl off;
        ssl_preread off;
    }
}
Client nginx configuration
stream {
    server {
        # "ssl" makes this client hop TLS too; for the plain-TCP client hop in the
        # diagram above, drop it together with the two ssl_certificate* lines.
        listen 8184 ssl;
        proxy_pass 192.168.30.110:8185;
        # Re-encrypt towards the server nginx.
        proxy_ssl on;
        # proxy_ssl_verify defaults to off, so the server nginx's certificate is
        # not checked. To verify it, enable these (CA path is a placeholder) and
        # make sure proxy_ssl_name appears in server1.crt:
        # proxy_ssl_verify on;
        # proxy_ssl_trusted_certificate /path/to/ca.crt;
        # Certificate of this TLS server (nginx) that is sent to the client.
        ssl_certificate /home/chainmaker/nginx/cert/server1.crt;
        ssl_certificate_key /home/chainmaker/nginx/cert/server1.key;
        # Send aby3_task_1 as SNI so the server nginx map selects upstream_task_1.
        proxy_ssl_server_name on;
        proxy_ssl_name aby3_task_1;
    }
    server {
        listen 9184 ssl;
        proxy_pass 192.168.30.110:9185;
        proxy_ssl on;
        # Certificate of this TLS server (nginx) that is sent to the client.
        ssl_certificate /home/chainmaker/nginx/cert/server1.crt;
        ssl_certificate_key /home/chainmaker/nginx/cert/server1.key;
        proxy_ssl_server_name on;
        proxy_ssl_name aby3_task_2;
    }
}