安装代理模块
Nginx 官方没有支持正向代理的模块,只能通过加载第三方模块来实现
- 安装依赖
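# Build prerequisites for nginx + ngx_http_proxy_connect_module.
#   gcc / make     - the module is compiled into nginx from source (./configure && make below)
#   pcre-devel     - required by the nginx core (regex support for location/rewrite)
#   zlib-devel     - required by the gzip module, which ./configure enables by default
#   openssl-devel  - required by the --with-stream_ssl* modules enabled below
#   patch          - applies the module's source patch to the nginx tree
yum -y install gcc make pcre-devel zlib-devel openssl openssl-devel patch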
- 下载二进制包
https://nginx.org/download/nginx-1.25.0.tar.gz
https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v0.0.5.tar.gz
- 编译安装
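# Upload the nginx and ngx_http_proxy_connect_module tarballs to /opt and unpack them there.
# Work from /opt explicitly: the later steps use paths relative to it.
cd /opt || exit 1
# NOTE: tools such as wget save the GitHub release URL above as v0.0.5.tar.gz;
# rename it to ngx_http_proxy_connect_module-0.0.5.tar.gz (or adjust the name here) first.
tar zxf nginx-1.25.0.tar.gz && tar zxf ngx_http_proxy_connect_module-0.0.5.tar.gz
# Drop the version suffix so the --add-module path given to ./configure stays stable.
mv ngx_http_proxy_connect_module-0.0.5 ngx_http_proxy_connect_module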
[root@ opt]# ls
nginx-1.25.0 ngx_http_proxy_connect_module
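# Build nginx with ngx_http_proxy_connect_module compiled in.
# Abort if the source tree is missing; otherwise patch/configure would run in the wrong directory.
cd nginx-1.25.0/ || exit 1
# The module ships one patch per nginx version range; rewrite_102101 is the variant used
# here with nginx 1.25.0 - check the module's patch/ directory when changing versions.
patch -p1 < /opt/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_102101.patch
# --with-stream* provides the SNI pass-through (ssl_preread) used for HTTPS below.
./configure \
  --prefix=/opt/nginx \
  --add-module=/opt/ngx_http_proxy_connect_module \
  --with-stream \
  --with-stream_ssl_preread_module \
  --with-stream_ssl_module
make && make install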
配置环境变量
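# Put the nginx binary on PATH for login shells. The grep guard keeps the
# step idempotent: re-running it does not append duplicate entries.
grep -qF '/opt/nginx/sbin' /etc/profile \
  || printf '%s\n' 'export PATH=$PATH:/opt/nginx/sbin' >> /etc/profile
# source only affects the current shell; new logins read /etc/profile themselves.
source /etc/profile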
透明代理配置
修改配置文件:/opt/nginx/conf/nginx.conf
# http
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# Forward-proxy server: plain HTTP is proxied by Host header, HTTPS via CONNECT tunnels.
server {
listen 80;
# Upstream names are resolved at request time through this public DNS server.
resolver 114.114.114.114;
# SECURITY: with allow/deny left commented out this is an open proxy - any client
# that can reach port 80 can relay requests to whatever the Host header names,
# internal addresses included. Enable the lines below with the intended source ranges.
#allow 113.57.167.50;
#allow 10.1.90.0/24;
#deny all;
# Enable CONNECT handling from ngx_http_proxy_connect_module.
proxy_connect;
# CONNECT tunnels are permitted only to port 443; other ports are refused.
proxy_connect_allow 443;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
# Transparent forward: the request's own Host header selects the upstream.
proxy_pass http://$host;
proxy_set_header Host $host;
}
}
}
# https
stream {
# Names taken from SNI are resolved through this public DNS server.
resolver 114.114.114.114;
# SECURITY: without allow/deny this relays TLS to any SNI name a client presents.
# Restrict source addresses here, or pin destinations with a map as shown in the
# domain-whitelist section at the end of this page.
#allow 113.57.167.50;
#allow 10.1.90.0/24;
#deny all;
server {
listen 443;
# Read the SNI from the ClientHello without terminating TLS; the handshake is
# relayed untouched, so the client still sees the origin's certificate.
ssl_preread on;
proxy_connect_timeout 5s;
# Destination = SNI host name, on the same port the client connected to (443).
# Clients that send no SNI leave $ssl_preread_server_name empty - verify such
# connections fail closed rather than reaching an unintended upstream.
proxy_pass $ssl_preread_server_name:$server_port;
}
}
客户端配置
修改 hosts,将需要访问的域名解析到 NG 所在的机器
172.18.0.17 cip.cc
测试
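# Keep certificate verification on: ssl_preread relays the TLS handshake unchanged
# to the origin, so the client should see cip.cc's own certificate. Without -k a
# misrouted or intercepted connection fails loudly instead of passing silently.
curl https://cip.cc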
转发链路
场景:外层 NG 无法提供80/443端口,只能提供普通端口,内部请求也必须通过多层的NG转发
请求链路:内网机器 ==> 内网NG1(80、443)==> 内网NG2(8080、8081)==> 外层NG(8080、8081)
- 内网 NG1 配置
http {
...
# Inner NG1: accepts client traffic on 80 and hands every request to NG2 on 8080.
server {
listen 80;
resolver 114.114.114.114;
proxy_connect;
# CONNECT tunnels only to 443 at this hop.
proxy_connect_allow 443;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
# Next hop is fixed (NG2). The client's Host header is preserved so the outer
# NG's proxy_pass http://$host can still pick the real destination from it.
proxy_pass http://172.18.1.10:8080;
proxy_set_header Host $host;
}
}
}
stream {
# Not needed for a literal upstream address below; harmless, kept for consistency.
resolver 114.114.114.114;
# Inner NG1: TLS from clients on 443 is relayed byte-for-byte to NG2's stream listener.
server {
listen 443;
# SNI is parsed but not used for routing at this hop - the next hop is fixed.
ssl_preread on;
proxy_connect_timeout 5s;
proxy_pass 172.18.1.10:8081;
}
}
- 内网 NG2 配置
# Inner NG2 (http context): relay plain HTTP to the outer NG on 8080.
server {
listen 8080;
location / {
proxy_pass http://172.18.0.17:8080;
# Keep the client's Host header so the outer NG can route on it.
proxy_set_header Host $host;
}
}
stream {
resolver 114.114.114.114;
# Inner NG2: relay TLS byte streams unchanged to the outer NG's 8081 listener.
server {
listen 8081;
ssl_preread on;
proxy_connect_timeout 5s;
proxy_pass 172.18.0.17:8081;
}
}
- 外层 NG 配置,只有这里有点区别
# Outer NG (http context): the egress hop. This is the only place the real
# destination is chosen, taken from the forwarded Host header.
server {
listen 8080;
server_name localhost;
resolver 114.114.114.114;
proxy_connect;
# Wider than the inner hops (443 only): CONNECT to port 80 is also permitted here.
proxy_connect_allow 443 80;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
# SECURITY: Host is client-controlled; anything that can reach 8080 can use this
# hop to reach arbitrary hosts. Add allow/deny so only the inner NG2 address is accepted.
proxy_pass http://$host;
proxy_set_header Host $host;
}
}
stream {
resolver 114.114.114.114;
# Outer NG: TLS egress; the SNI name chooses the destination on 443.
server {
listen 8081;
ssl_preread on;
proxy_connect_timeout 5s;
# SECURITY: any SNI name is relayed. The domain-whitelist section below shows
# how to pin destinations with a map instead of trusting the SNI outright.
proxy_pass $ssl_preread_server_name:443;
}
}
域名白名单
场景:限制透明代理转发的域名,只允许指定域名出网
修改出口 NG 配置:stream
stream {
resolver 114.114.114.114;
# Destination whitelist keyed on SNI: only the names listed here get an upstream.
# There is deliberately no `default` entry - an unlisted SNI yields an empty
# $backend_pool, leaving proxy_pass with no destination. Confirm on your build
# that such connections are closed (and how they appear in the error log).
map $ssl_preread_server_name $backend_pool {
qyapi.weixin.qq.com qyapi.weixin.qq.com:443;
nlp.tencentcloudapi.com nlp.tencentcloudapi.com:443;
open.work.weixin.qq.com open.work.weixin.qq.com:443;
}
server {
listen 8081;
ssl_preread on;
proxy_connect_timeout 5s;
# Route only to the mapped upstream; the raw SNI is never used as a destination.
proxy_pass $backend_pool;
}
}