Nginx专辑|05 -如何使用Nginx配置正向代理

公众号: 云原生生态圈

发布于 2020-08-04 16:12:19

2.6K0

发布于 2020-08-04 16:12:19

文章被收录于专栏：云原生生态圈云原生生态圈

背景

通常某些服务因为安全问题，限制固定访问，因此可以通过正向代理解决
访问某些国外的服务访问慢，可以通过正向代理中继缓解丢包和延迟高的问题

原理如图

Client -> Proxy server发送HTTP CONNECT请求。
Proxy server利用HTTP CONNECT请求中的主机和端口与目的服务器建立TCP连接。
Proxy server -> Client 返回HTTP 200响应。
Client和Proxy server建立起HTTP CONNECT隧道，HTTPS流量到达代理服务器后，直接通过TCP透传给远端目的服务器。代理服务器的角色是透传HTTPS流量，并不需要解密HTTPS。

测试实验

编译nginx

在之前的编译nginx的基础上，我们对nginx二进制增加新的模块ngx_http_proxy_connect_module[1]

# cd /root/workspace/packages/nginx && git clone https://github.com/chobits/ngx_http_proxy_connect_module.git
# ./configure --prefix=/webserver/nginx18 --user=www --group=www --with-pcre --with-zlib=/root/workspace/packages/nginx/zlib-1.2.8 --with-openssl=/root/workspace/packages/nginx/openssl-1.0.2d --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --add-module=/root/workspace/packages/nginx/ngx_devel_kit-0.3.0 --with-ld-opt=-ljemalloc --with-stream --with-http_ssl_module --add-module=/root/workspace/packages/nginx/nginx_upstream_check_module-0.3.0 --with-http_gzip_static_module --add-module=/root/workspace/packages/nginx/ngx_http_proxy_connect_module

在编译过程中会遇到一些问题

libpcre.so.3

libpcre.so.3: cannot open shared object file: No such file or directory

上面是因为系统缺少了libpcre.so.3的库文件，上网查了一下，说是需要编译安装pcre-8.0于是需要编译安装进去

# wget https://ftp.pcre.org/pub/pcre/pcre-8.00.tar.gz
# tar xf pcre-8.00.tar.gz && cd pcre-8.00 && ./configure --enable-utf8 --disable-shared --with-pic && make && make install

编译安装过程没有问题，但是nginx运行的时候依旧说这个包不存在

# find /  -iname  "libpcre.so.3" # 找不到
# ldd /webserver/nginx18/sbin/nginx
libpcre.so.3 => not found

看来是包的版本没有安装对，暂时也没有找到，直接决定从其他的机器上拷贝一个libpcre.so.3到/usr/lib/x86_64-linux-gnu/libpcre.so.3,注意这个目录需要提前创建出来

# echo '/lib/x86_64-linux-gnu' > /etc/ld.so.conf.d/local.conf
# ldconfig
# ldd /webserver/nginx18/sbin/nginx |grep 'libpcre.so.3'
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fd0404eb000)

libjemalloc.so.2

libjemalloc.so.2: cannot open shared object file: No such file or directory

这和上面的问题类似，我们之前编译安装好之后，直接将库文件加入到ld库配置文件中，让其能引用到即可

# tar xf jemalloc-4.5.0.tar.bz2
# cd jemalloc-4.5.0 && ./configure && make && make install
# echo '/usr/local/lib' >> /etc/ld.so.conf.d/local.conf
# ldd /webserver/nginx18/sbin/nginx
 linux-vdso.so.1 =>  (0x00007ffd2cb5d000)
 libjemalloc.so.2 => /usr/local/lib/libjemalloc.so.2 (0x00007fd040db2000)
 libdl.so.2 => /lib64/libdl.so.2 (0x00007fd040bae000)
 libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fd040992000)
 libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fd04075b000)
 libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fd0404eb000)
 libc.so.6 => /lib64/libc.so.6 (0x00007fd04011e000)
 libm.so.6 => /lib64/libm.so.6 (0x00007fd03fe1c000)
 /lib64/ld-linux-x86-64.so.2 (0x00007fd041005000)
 libfreebl3.so => /lib64/libfreebl3.so (0x00007fd03fc19000)

这样解决了依赖的库文件之后，就应该可以正常使用了

# /webserver/nginx18/sbin/nginx -t -c /webserver/nginx18/conf/nginx.conf
nginx: the configuration file /webserver/nginx18/conf/nginx.conf syntax is ok
nginx: configuration file /webserver/nginx18/conf/nginx.conf test is successful

正向代理配置

正向代理的配置首先保证你的ngx_http_proxy_connect_module模块被编译到nginx二进制中

# /webserver/nginx18/sbin/nginx -V
nginx version: nginx/1.18.0
built by gcc 5.4.0 20160609 (CentOS Linux 7 (Core)
built with OpenSSL 1.0.2d 9 Jul 2015
TLS SNI support enabled
configure arguments: --prefix=/webserver/nginx18 --user=www --group=www --with-pcre --with-zlib=/root/workspace/packages/nginx/zlib-1.2.8 --with-openssl=/root/workspace/packages/nginx/openssl-1.0.2d --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --add-module=/root/workspace/packages/nginx/ngx_devel_kit-0.3.0 --with-ld-opt=-ljemalloc --with-stream --with-http_ssl_module --add-module=/root/workspace/packages/nginx/nginx_upstream_check_module-0.3.0 --with-http_gzip_static_module --add-module=/root/workspace/packages/nginx/ngx_http_proxy_connect_module

然后准备正向代理的配置文件

# cat /webserver/nginx18/conf/vhost/proxy.conf
server {
		 # 正向代理监听的端口
     listen                         0.0.0.0:3128;

     # 正向代理中必须有的DNS解析指令
     resolver                       114.114.114.114;

		 # 启用日志记录
     access_log /webserver/nginx18/logs/proxy.log main;
     
     # forward proxy for CONNECT request
     proxy_connect;
     proxy_connect_allow            443 563;
     proxy_connect_connect_timeout  10s;
     proxy_connect_read_timeout     10s;
     proxy_connect_send_timeout     10s;

     # forward proxy for non-CONNECT request
     location / {
         proxy_pass http://$host;
         proxy_set_header Host $host;
     }
 }

然后重启nginx即可

# /webserver/nginx18/sbin/nginx -t -c /webserver/nginx18/conf/nginx.conf
# /webserver/nginx18/sbin/nginx -s reload -c /webserver/nginx18/conf/nginx.conf #这里面引用了vhost中的配置include vhost/*.conf;
# netstat -tunlp |grep 3128
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      16553/nginx: master

正向代理测试

# curl https://github.com/ -I -x 161.101.x.x:3128
HTTP/1.1 200 Connection Established
Proxy-agent: nginx

HTTP/1.1 200 OK
date: Wed, 29 Jul 2020 00:34:11 GMT
content-type: text/html; charset=utf-8
server: GitHub.com
status: 200 OK
vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding
etag: W/"0645355c347925d40eae01189b1372c6"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker.js gist.github.com/socket-worker.js
Set-Cookie: _gh_sess=f8%2BEHC2ipWawJaW%2BRIhaoHDpiKBaMNM9Qs6Kems7FPk0Jc13hBa28rZNLbtC9r3QEMvfN0JqDvOAsyyBKZMiG5QW3biYIFiQ8JxaGd0LjcmIRZ%2BVHqwYqrWVf23JtcsA6r1yIf3c%2BJy9QT92ANFDzxtpehY4F9ZWU7Wm%2B5iIY%2Fcb3h65b4t1ShJTue%2FA2dalNNAxSnvx%2FAm%2Br0p5IQRc9tGfevbWvL0bVYh8nqcezYEcExri65LLIwTwTkCzxasZfvLTQyDus05yMT8uQ%2F28Zw%3D%3D--zMmIhtSvd34s34pS--cFVCt72dLeREVdP%2BwqXrkA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: _octo=GH1.1.176641920.1595982853; Path=/; Domain=github.com; Expires=Thu, 29 Jul 2021 00:34:13 GMT; Secure; SameSite=Lax
Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Thu, 29 Jul 2021 00:34:13 GMT; HttpOnly; Secure; SameSite=Lax
Accept-Ranges: bytes
X-GitHub-Request-Id: BDE2:5AA6:205F20:2CDA3C:5F20C405

这样nginx的简单正向代理就可以使用了，在阿里云上使用需要注意在安全组中开启对应的端口，同时为了安全使用，应该对正向代理添加安全认证。