Client -> Proxy server: the client sends an HTTP CONNECT request. The proxy server uses the host and port carried in the CONNECT request to establish a TCP connection to the destination server. Proxy server -> Client: the proxy returns an HTTP 200 response. The client and the proxy server have now established an HTTP CONNECT tunnel: once HTTPS traffic reaches the proxy, it is passed straight through over TCP to the remote destination server. The proxy's role is to relay the HTTPS traffic transparently; it does not need to decrypt it.
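The exchange just described, as an added example that is not part of the original post and not code from nginx or ngx_http_proxy_connect_module: a minimal CONNECT tunnel in Python that runs entirely on loopback. The proxy parses the CONNECT request line, applies a port allow-list (the decision proxy_connect_allow makes in nginx), opens the TCP connection to the destination, answers 200 Connection Established and then copies bytes in both directions without parsing them. The echo origin that stands in for the destination server, the loopback addresses and the ports are constructed for the demo; a CONNECT to a port outside the allow-list (port 25 here) is refused with 403 before any upstream connection is attempted.

```python
# Added example: a minimal HTTP CONNECT tunnel on loopback. Not code from the
# original post, nginx or ngx_http_proxy_connect_module; the echo origin, hosts
# and ports are constructed for the demo.
import socket
import threading

IO_TIMEOUT = 10.0  # idle limit per socket, standing in for the proxy_connect_*_timeout directives

def parse_connect_request(head):  # (host, port) from 'CONNECT host:port HTTP/1.x', else None
    try:
        method, target, version = head.split(b"\r\n", 1)[0].decode("ascii").split(" ")
        host, sep, port = target.rpartition(":")
    except (UnicodeDecodeError, ValueError):
        return None
    if method != "CONNECT" or not version.startswith("HTTP/1.") or not (sep and host and port.isdigit()):
        return None
    return host, int(port)

def read_head(sock):  # read until the blank line that ends an HTTP head, capped at 8 KiB
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < 8192:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def pump(src, dst):  # copy src -> dst until EOF or error, then half-close dst so EOF propagates
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def reply(sock, status):
    sock.sendall(f"HTTP/1.1 {status}\r\nProxy-agent: demo\r\nContent-Length: 0\r\n\r\n".encode())

def serve(handler):  # accept loop on an ephemeral 127.0.0.1 port (no root needed); returns the port
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

class ConnectProxy:
    def __init__(self, allowed_ports):
        self.allowed_ports = frozenset(allowed_ports)  # the role of proxy_connect_allow
        self.port = serve(self.handle)

    def handle(self, client):
        client.settimeout(IO_TIMEOUT)
        with client:
            target = parse_connect_request(read_head(client))
            if target is None:
                return reply(client, "400 Bad Request")
            if target[1] not in self.allowed_ports:
                return reply(client, "403 Forbidden")  # refused before any upstream connection
            try:
                upstream = socket.create_connection(target, timeout=IO_TIMEOUT)
            except OSError:
                return reply(client, "502 Bad Gateway")
            with upstream:  # tunnel up: bytes are relayed, never parsed, so TLS stays end-to-end
                client.sendall(b"HTTP/1.1 200 Connection Established\r\nProxy-agent: demo\r\n\r\n")
                back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
                back.start()
                pump(client, upstream)
                back.join()

def tunnel_through(proxy_port, host, port, payload):  # client side: CONNECT, push payload, collect echo
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=IO_TIMEOUT) as s:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        status = read_head(s).split(b"\r\n", 1)[0].decode()
        if not status.startswith("HTTP/1.1 200"):
            return status, b""
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        echoed = b""
        while chunk := s.recv(4096):
            echoed += chunk
        return status, echoed

def demo():
    origin_port = serve(lambda conn: pump(conn, conn))  # constructed stand-in for the destination: echoes input
    proxy = ConnectProxy(allowed_ports={origin_port})  # plays 'proxy_connect_allow 443 563'
    return {
        "allowed": tunnel_through(proxy.port, "127.0.0.1", origin_port, b"hello through the tunnel"),
        "blocked": tunnel_through(proxy.port, "127.0.0.1", 25, b""),  # 25 is outside the allow-list
    }
```

Calling demo() brings up the echo origin and the proxy, sends one CONNECT to an allowed port and one to a port outside the allow-list, and returns both status lines together with whatever came back through the tunnel. The proxy never looks inside the tunnelled bytes, which is why a CONNECT proxy can forward HTTPS without holding any certificate, and also why the port allow-list and client authentication are the only controls it can apply.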
Building on the nginx compile from earlier, we add the new module ngx_http_proxy_connect_module [1] to the nginx binary. The module's README requires its version-matched patch to be applied to the nginx source tree before ./configure is run; the configure line then gains an --add-module pointing at the module's checkout:
# cd /root/workspace/packages/nginx && git clone https://github.com/chobits/ngx_http_proxy_connect_module.git
# ./configure --prefix=/webserver/nginx18 --user=www --group=www --with-pcre --with-zlib=/root/workspace/packages/nginx/zlib-1.2.8 --with-openssl=/root/workspace/packages/nginx/openssl-1.0.2d --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --add-module=/root/workspace/packages/nginx/ngx_devel_kit-0.3.0 --with-ld-opt=-ljemalloc --with-stream --with-http_ssl_module --add-module=/root/workspace/packages/nginx/nginx_upstream_check_module-0.3.0 --with-http_gzip_static_module --add-module=/root/workspace/packages/nginx/ngx_http_proxy_connect_module
A few problems come up during the build:
libpcre.so.3: cannot open shared object file: No such file or directory
The message above means the system is missing the libpcre.so.3 library file. A search online said pcre-8.0 needed to be built and installed, so we build and install it:
# wget https://ftp.pcre.org/pub/pcre/pcre-8.00.tar.gz
# tar xf pcre-8.00.tar.gz && cd pcre-8.00 && ./configure --enable-utf8 --disable-shared --with-pic && make && make install
The build and install completed without problems, but nginx still reported the library as missing when run:
# find / -iname "libpcre.so.3" # not found
# ldd /webserver/nginx18/sbin/nginx
libpcre.so.3 => not found
It seems the installed package version was not the right one, and for now no other fix turned up, so I decided to just copy a libpcre.so.3 from another machine to /usr/lib/x86_64-linux-gnu/libpcre.so.3 (note that this directory has to be created first):
# echo '/lib/x86_64-linux-gnu' > /etc/ld.so.conf.d/local.conf
# ldconfig
# ldd /webserver/nginx18/sbin/nginx |grep 'libpcre.so.3'
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fd0404eb000)
libjemalloc.so.2: cannot open shared object file: No such file or directory
This is the same kind of problem as above. After building and installing jemalloc, just add its library directory to the ld.so config file so the loader can find it:
# tar xf jemalloc-4.5.0.tar.bz2
# cd jemalloc-4.5.0 && ./configure && make && make install
# echo '/usr/local/lib' >> /etc/ld.so.conf.d/local.conf
# ldd /webserver/nginx18/sbin/nginx
linux-vdso.so.1 => (0x00007ffd2cb5d000)
libjemalloc.so.2 => /usr/local/lib/libjemalloc.so.2 (0x00007fd040db2000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fd040bae000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fd040992000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fd04075b000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fd0404eb000)
libc.so.6 => /lib64/libc.so.6 (0x00007fd04011e000)
libm.so.6 => /lib64/libm.so.6 (0x00007fd03fe1c000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd041005000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007fd03fc19000)
With the library dependencies resolved, nginx should now run normally:
# /webserver/nginx18/sbin/nginx -t -c /webserver/nginx18/conf/nginx.conf
nginx: the configuration file /webserver/nginx18/conf/nginx.conf syntax is ok
nginx: configuration file /webserver/nginx18/conf/nginx.conf test is successful
For the forward proxy configuration, first make sure the ngx_http_proxy_connect_module module is compiled into the nginx binary:
# /webserver/nginx18/sbin/nginx -V
nginx version: nginx/1.18.0
built by gcc 5.4.0 20160609 (CentOS Linux 7 (Core)
built with OpenSSL 1.0.2d 9 Jul 2015
TLS SNI support enabled
configure arguments: --prefix=/webserver/nginx18 --user=www --group=www --with-pcre --with-zlib=/root/workspace/packages/nginx/zlib-1.2.8 --with-openssl=/root/workspace/packages/nginx/openssl-1.0.2d --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --add-module=/root/workspace/packages/nginx/ngx_devel_kit-0.3.0 --with-ld-opt=-ljemalloc --with-stream --with-http_ssl_module --add-module=/root/workspace/packages/nginx/nginx_upstream_check_module-0.3.0 --with-http_gzip_static_module --add-module=/root/workspace/packages/nginx/ngx_http_proxy_connect_module
Then prepare the forward proxy configuration file:
# cat /webserver/nginx18/conf/vhost/proxy.conf
server {
    # port the forward proxy listens on
    listen 0.0.0.0:3128;
    # DNS resolver directive, required in a forward proxy
    resolver 114.114.114.114;
    # enable access logging
    access_log /webserver/nginx18/logs/proxy.log main;
    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 563;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;
    # forward proxy for non-CONNECT request
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
Then restart nginx:
# /webserver/nginx18/sbin/nginx -t -c /webserver/nginx18/conf/nginx.conf
# /webserver/nginx18/sbin/nginx -s reload -c /webserver/nginx18/conf/nginx.conf # the main config pulls in the vhost files with include vhost/*.conf;
# netstat -tunlp |grep 3128
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 16553/nginx: master
# curl https://github.com/ -I -x 161.101.x.x:3128
HTTP/1.1 200 Connection Established
Proxy-agent: nginx
HTTP/1.1 200 OK
date: Wed, 29 Jul 2020 00:34:11 GMT
content-type: text/html; charset=utf-8
server: GitHub.com
status: 200 OK
vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding
etag: W/"0645355c347925d40eae01189b1372c6"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker.js gist.github.com/socket-worker.js
Set-Cookie: _gh_sess=f8%2BEHC2ipWawJaW%2BRIhaoHDpiKBaMNM9Qs6Kems7FPk0Jc13hBa28rZNLbtC9r3QEMvfN0JqDvOAsyyBKZMiG5QW3biYIFiQ8JxaGd0LjcmIRZ%2BVHqwYqrWVf23JtcsA6r1yIf3c%2BJy9QT92ANFDzxtpehY4F9ZWU7Wm%2B5iIY%2Fcb3h65b4t1ShJTue%2FA2dalNNAxSnvx%2FAm%2Br0p5IQRc9tGfevbWvL0bVYh8nqcezYEcExri65LLIwTwTkCzxasZfvLTQyDus05yMT8uQ%2F28Zw%3D%3D--zMmIhtSvd34s34pS--cFVCt72dLeREVdP%2BwqXrkA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: _octo=GH1.1.176641920.1595982853; Path=/; Domain=github.com; Expires=Thu, 29 Jul 2021 00:34:13 GMT; Secure; SameSite=Lax
Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Thu, 29 Jul 2021 00:34:13 GMT; HttpOnly; Secure; SameSite=Lax
Accept-Ranges: bytes
X-GitHub-Request-Id: BDE2:5AA6:205F20:2CDA3C:5F20C405
With that, a simple nginx forward proxy is up and working. When running it on Alibaba Cloud, remember to open the corresponding port in the security group, and for safe use, authentication should be added to the forward proxy.
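Because the configuration above writes every request to proxy.log (the access_log line), that log is the place to check whether the proxy is being used by anyone other than the intended clients, which is the concern behind the advice to add authentication. The audit script below is an added example and not part of the original post. It assumes the stock nginx main log_format ($remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...), which the page does not show; the log lines, the trusted network and the port allow-list in it are constructed.

```python
# Added example, not part of the original post: audit proxy.log for forward-proxy
# use that falls outside policy. Assumes the stock nginx 'main' log_format
# ($remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...);
# the log lines, networks and allow-list below are constructed.
import ipaddress
import re

LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample of what proxy.log might contain.
SAMPLE_LOG = """\
10.0.0.12 - - [29/Jul/2020:08:34:11 +0800] "CONNECT github.com:443 HTTP/1.1" 200 0 "-" "curl/7.58.0" "-"
10.0.0.12 - - [29/Jul/2020:08:35:02 +0800] "GET http://example.com/ HTTP/1.1" 200 1256 "-" "curl/7.58.0" "-"
203.0.113.77 - - [29/Jul/2020:09:01:40 +0800] "CONNECT mail.example.net:25 HTTP/1.1" 403 0 "-" "python-requests/2.24" "-"
203.0.113.77 - - [29/Jul/2020:09:01:41 +0800] "CONNECT 198.51.100.5:443 HTTP/1.1" 200 0 "-" "python-requests/2.24" "-"
garbage line that does not match the format
"""

def parse_line(line):
    """Split one access-log line into fields; CONNECT targets also get a parsed port."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    rec["port"] = None
    if rec["method"] == "CONNECT":
        _, sep, port = rec["target"].rpartition(":")
        rec["port"] = int(port) if sep and port.isdigit() else None
    return rec

def audit(log_text, trusted_nets, allowed_ports):
    """Return (addr, request, status, reasons) for every line that breaks policy."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        try:
            addr = ipaddress.ip_address(rec["addr"])
        except ValueError:
            reasons.append("unparseable client address")
        else:
            if not any(addr in net for net in nets):
                reasons.append("client outside trusted networks")
        # A CONNECT to a port the config does not allow is logged even when nginx refused it.
        if rec["method"] == "CONNECT" and rec["port"] not in allowed_ports:
            reasons.append(f"CONNECT to non-allowed port {rec['port']}")
        if reasons:
            findings.append((rec["addr"], rec["request"], rec["status"], reasons))
    return findings

def summarize(findings):
    """Count findings per client address, the quickest way to see who is misusing the proxy."""
    counts = {}
    for addr, *_ in findings:
        counts[addr] = counts.get(addr, 0) + 1
    return counts

if __name__ == "__main__":
    hits = audit(SAMPLE_LOG, trusted_nets=["10.0.0.0/8"], allowed_ports={443, 563})
    for addr, request, status, reasons in hits:
        print(addr, status, request, "->", "; ".join(reasons))
    print(summarize(hits))
```

The trusted network list should mirror whatever the security group (or an nginx allow/deny block) is meant to permit; any hit from outside it means the proxy is reachable by clients it was never intended for, which is the open-proxy risk the last sentence above is warning about. A 403 on a CONNECT to a port outside the allow-list is the proxy_connect_allow directive doing its job, but a steady stream of them from one address is still worth noticing.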
[1] Forward proxy module ngx_http_proxy_connect_module: https://github.com/chobits/ngx_http_proxy_connect_module