Configuración y uso del proxy de reenvío nginx

Enterprise 2023-05-05 17:22:47 views: null

Configuración y uso del proxy de reenvío nginx

Configuración y uso del proxy de reenvío nginx

proxy de reenvío nginx http, proxy de reenvío nginx https

  • El proxy de reenvío se refiere a un servicio de proxy que utiliza un servidor proxy para los navegadores/clientes proxy para redirigir las solicitudes para acceder al servidor de destino. La característica del servicio proxy de reenvío es que el objeto proxy del servidor proxy es el navegador/cliente, es decir, el navegador/cliente está oculto para el servidor de destino.

  • nginx admite el proxy de reenvío http de forma predeterminada, pero no admite https

  • Nginx oficialmente no admite el reenvío de solicitudes HTTPS directamente. Nginx admite HTTPS y requiere el módulo ngx_http_proxy_connect_module. El módulo https://github.com/chobits/ngx_http_proxy_connect_module es de código abierto en github. Sin embargo, el parche del módulo ngx_http_proxy_connect_module mantenido también está limitado por la versión de nginx. Debe seleccionar el módulo de proxy de reenvío correspondiente según la versión de nginx que utilice. Puede ver la relación correspondiente entre la versión de nginx y el módulo en Seleccionar parche de REDEME.md

Preparación del paquete de instalación

Descarga el paquete de instalación de nginx

enlace de descarga

inserte la descripción de la imagen aquí

Descargue el paquete del módulo proxy de reenvío

enlace de descarga
inserte la descripción de la imagen aquí

Tabla comparativa de versiones y módulos

inserte la descripción de la imagen aquí

Implementar el servicio nginx

  • Aquí se usa Nginx-1.20.2, correspondiente a proxy_connect_rewrite_1018.patch

Cargue el paquete nginx y reenvíe el paquete del módulo

mkdir /nginx
cd /nginx

[root@mysql nginx]# ll

-rw-r--r-- 1 root root 1062124 Feb 12 15:23 nginx-1.20.2.tar.gz
-rw-r--r-- 1 root root   57926 Feb 12 15:23 ngx_http_proxy_connect_module-master.zip

descomprimir, renombrar

tar -xf nginx.tar.gz
unzip ngx_http_proxy_connect_module-master.zip


ll
drwxr-xr-x 9 1001 1001    4096 Feb 12 15:27 nginx-1.20.2
-rw-r--r-- 1 root root 1062124 Feb 12 15:23 nginx-1.20.2.tar.gz
drwxr-xr-x 5 root root    4096 Feb  9 16:54 ngx_http_proxy_connect_module-master
-rw-r--r-- 1 root root   57926 Feb 12 15:23 ngx_http_proxy_connect_module-master.zip

mv ngx_http_proxy_connect_module-master ngx_http_proxy_connect_module

ll
drwxr-xr-x 9 1001 1001    4096 Feb 12 15:27 nginx-1.20.2
-rw-r--r-- 1 root root 1062124 Feb 12 15:23 nginx-1.20.2.tar.gz
drwxr-xr-x 5 root root    4096 Feb  9 16:54 ngx_http_proxy_connect_module
-rw-r--r-- 1 root root   57926 Feb 12 15:23 ngx_http_proxy_connect_module-master.zip

instalar nginx

yum -y install make gcc openssl openssl-devel pcre-devel zlib zlib-devel

cd nginx-1.20.2

ll 
drwxr-xr-x 6 1001 1001   4096 Feb 12 15:20 auto
-rw-r--r-- 1 1001 1001 312251 Nov 16  2021 CHANGES
-rw-r--r-- 1 1001 1001 476577 Nov 16  2021 CHANGES.ru
drwxr-xr-x 2 1001 1001   4096 Feb 12 15:20 conf
-rwxr-xr-x 1 1001 1001   2590 Nov 16  2021 configure
drwxr-xr-x 4 1001 1001   4096 Feb 12 15:20 contrib
drwxr-xr-x 2 1001 1001   4096 Feb 12 15:20 html
-rw-r--r-- 1 1001 1001   1397 Nov 16  2021 LICENSE
drwxr-xr-x 2 1001 1001   4096 Feb 12 15:20 man
-rw-r--r-- 1 1001 1001     49 Nov 16  2021 README
drwxr-xr-x 9 1001 1001   4096 Feb 12 15:20 src

# 查看正向代理模块proxy_connect_rewrite_1018.patch的位置
ll ../ngx_http_proxy_connect_module/patch/
-rw-r--r-- 1 root root 9849 Feb  9 16:54 proxy_connect_1014.patch
-rw-r--r-- 1 root root 9697 Feb  9 16:54 proxy_connect.patch
-rw-r--r-- 1 root root 9408 Feb  9 16:54 proxy_connect_rewrite_1014.patch
-rw-r--r-- 1 root root 9505 Feb  9 16:54 proxy_connect_rewrite_101504.patch
-rw-r--r-- 1 root root 9496 Feb  9 16:54 proxy_connect_rewrite_1015.patch
-rw-r--r-- 1 root root 9553 Feb  9 16:54 proxy_connect_rewrite_1018.patch
-rw-r--r-- 1 root root 9306 Feb  9 16:54 proxy_connect_rewrite_102101.patch
-rw-r--r-- 1 root root 9337 Feb  9 16:54 proxy_connect_rewrite.patch

# 导入模块 后面为模块路径
patch -p1 < /nginx/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1018.patch

# 编译
./configure --add-module=/nginx/ngx_http_proxy_connect_module

# 安装,默认安装在/usr/local/nginx/
make && make install

# 查看nginx
ll /usr/local/nginx/
drwx------ 2 nobody root 4096 Feb 12 15:47 client_body_temp
drwxr-xr-x 2 root   root 4096 Feb 12 15:46 conf
drwx------ 2 nobody root 4096 Feb 12 15:47 fastcgi_temp
drwxr-xr-x 2 root   root 4096 Feb 12 15:28 html
drwxr-xr-x 2 root   root 4096 Feb 12 15:47 logs
drwx------ 2 nobody root 4096 Feb 12 15:47 proxy_temp
drwxr-xr-x 2 root   root 4096 Feb 12 15:33 sbin
drwx------ 2 nobody root 4096 Feb 12 15:47 scgi_temp
drwx------ 2 nobody root 4096 Feb 12 15:47 uwsgi_temp

Configurar proxy de reenvío

cd /usr/local/nginx/

#gzip  on;下添加
vim conf/nginx.conf
    #gzip  on;

    #正向代理转发http请求
    server {
    
    
    #指定DNS服务器IP地址
        resolver 114.114.114.114;
    #监听80端口,http默认端口80
        listen 80;
    #服务器IP或域名
            server_name  localhost;
    #正向代理转发http请求
    location / {
    
    
        proxy_pass                 http://$host$request_uri;
        proxy_set_header           HOST $host;
        proxy_buffers              256 4k;
        proxy_max_temp_file_size   0k;
        proxy_connect_timeout      30;
        proxy_send_timeout         60;
        proxy_read_timeout         60;
        proxy_next_upstream error  timeout invalid_header http_502;
    }
    }
    #正向代理转发https请求
    server {
    
    
        #指定DNS服务器IP地址
            resolver 114.114.114.114;
        #监听443端口,https默认端口443
        listen 443;
        #正向代理转发https请求
        proxy_connect;
        proxy_connect_allow            443 563;
        proxy_connect_connect_timeout  10s;
        proxy_connect_read_timeout     10s;
        proxy_connect_send_timeout     10s;
     location / {
    
    
             proxy_pass http://$host;
             proxy_set_header Host $host;
   }
   }

crear usuario nginx

  • El servicio nginx comienza como usuario nginx
useradd nginx

Verifique la configuración de nginx y comience

sbin/nginx -t
sbin/nginx

ss -utnlp | grep nginx
tcp    LISTEN     0      511       *:443                   *:*                   users:(("nginx",pid=6645,fd=7),("nginx",pid=6644,fd=7))
tcp    LISTEN     0      511       *:80                    *:*                   users:(("nginx",pid=6645,fd=6),("nginx",pid=6644,fd=6))

El servidor donde se encuentra el servicio nginx verifica la función de proxy de reenvío

 curl -I http://www.baidu.com/ -v -x 127.0.0.1:80
 curl -I https://www.baidu.com/ -v -x 127.0.0.1:443

curl -I http://www.baidu.com/ -v -x 127.0.0.1:80
* About to connect() to proxy 127.0.0.1 port 80 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> HEAD http://www.baidu.com/ HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.20.2
Server: nginx/1.20.2
< Date: Sun, 12 Feb 2023 09:03:40 GMT
Date: Sun, 12 Feb 2023 09:03:40 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 277
Content-Length: 277
< Connection: keep-alive
Connection: keep-alive
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Etag: "575e1f60-115"
Etag: "575e1f60-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
< Pragma: no-cache
Pragma: no-cache

<
* Connection #0 to host 127.0.0.1 left intact

curl -I https://www.baidu.com/ -v -x 127.0.0.1:443
* About to connect() to proxy 127.0.0.1 port 443 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* Establish HTTP proxy tunnel to www.baidu.com:443
> CONNECT www.baidu.com:443 HTTP/1.1
> Host: www.baidu.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
HTTP/1.1 200 Connection Established
< Proxy-agent: nginx
Proxy-agent: nginx
<

* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
*       start date: Jul 05 05:16:02 2022 GMT
*       expire date: Aug 06 05:16:01 2023 GMT
*       common name: baidu.com
*       issuer: CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BE
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
Connection: keep-alive
< Content-Length: 277
Content-Length: 277
< Content-Type: text/html
Content-Type: text/html
< Date: Sun, 12 Feb 2023 09:03:40 GMT
Date: Sun, 12 Feb 2023 09:03:40 GMT
< Etag: "575e1f60-115"
Etag: "575e1f60-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
< Pragma: no-cache
Pragma: no-cache
< Server: bfe/1.0.8.18
Server: bfe/1.0.8.18

<
* Connection #0 to host 127.0.0.1 left intact

Configurar un servidor que no puede acceder a la red externa (es decir, un servidor de red interna) para que pueda acceder a la red externa

Configuración del servidor Liunx

1. Cuando solo configura yum, puede usar el proxy de reenvío para acceder a la red externa

#追加配置
vim /etc/yum.conf
proxy=http://192.168.0.20:80		#nginx正向代理服务器的地址
proxy=ftp://192.168.0.20:80			#nginx正向代理服务器的地址

2. Cuando solo configura wget, puede usar el proxy de reenvío para acceder a la red externa

#追加配置
vim /etc/wgetrc
http_proxy=192.168.0.20:80     #nginx正向代理服务器的地址
http_proxy=192.168.0.20:443    #nginx正向代理服务器的地址

3. Configuración global, por lo que las solicitudes de acceso pueden usar el proxy de reenvío para acceder a la red externa

#追加配置
vim /etc/profile
http_proxy=192.168.0.20:80
https_proxy=192.168.0.20:443
ftp_proxy=192.168.0.20:443

export http_proxy
export https_proxy
export ftp_proxy

# 加载配置
source /etc/profile

configuración del servidor de windows

inserte la descripción de la imagen aquí

Verifique que el servidor que no puede acceder a la red externa (es decir, el servidor de la red interna) use un proxy para acceder a Internet

curl -I http://www.baidu.com
curl -I https://www.baidu.com

curl -I http://www.baidu.com
HTTP/1.1 200 OK
Server: nginx/1.20.2
Date: Sun, 12 Feb 2023 09:31:03 GMT
Content-Type: text/html
Content-Length: 277
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache

curl -I https://www.baidu.com
HTTP/1.1 200 Connection Established
Proxy-agent: nginx

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Sun, 12 Feb 2023 09:31:07 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

Supongo que te gusta

Origin blog.csdn.net/qq_44659804/article/details/128997510
Recomendado
Clasificación
Diario
Más
2024-05-12(22)
2024-05-11(31)
2024-05-10(32)
2024-05-09(31)
2024-05-08(18)
2024-05-07(35)
2024-05-06(4)
2024-05-05(0)
2024-05-04(17)
2024-05-03(8)

Code World

© 2018 codetd.com