nginx正向代理http和https的实现步骤
配置准备正向代理,指的是通过代理服务器 代理浏览器/客户端去重定向请求访问到目标服务器 的一种代理服务。
正向代理服务的特点是代理服务器 代理的对象是浏览器/客户端,也就是对于目标服务器 来说浏览器/客户端是隐藏的。
nginx默认支持正向代理http,不支持https
nginx官方并不支持直接转发https请求,nginx支持https需要ngx_http_proxy_connect_module模块。github上开源了模块 https://github.com/chobits/ngx_http_proxy_connect_module。不过维护的ngx_http_proxy_connect_module模块的补丁也是有nginx版本限制的(目前维护了1.4.x~1.19.x版本)
可以在REDEME.md的Select patch中查看nginx版本和模块的对应关系
nginx版本和正向代理https的模块的对应关系
nginx versionenable REWRITE phasepatch1.4.x ~ 1.12.xNOproxy_connect.patch1.4.x ~ 1.12.xYESproxy_connect_rewrite.patch1.13.x ~ 1.14.xNOproxy_connect_1014.patch1.13.x ~ 1.14.xYESproxy_connect_rewrite_1014.patch1.15.2YESproxy_connect_rewrite_1015.patch1.15.4 ~ 1.16.xYESproxy_connect_rewrite_101504.patch1.17.x ~ 1.18.0YESproxy_connect_rewrite_1018.patch1.19.x ~ 1.21.0YESproxy_connect_rewrite_1018.patch1.21.1 ~ 1.22.0YESproxy_connect_rewrite_102101.patchls /root/ngx_http_proxy_connect_module/patch
proxy_connect_1014.patch proxy_connect_rewrite_1015.patch
proxy_connect.patch proxy_connect_rewrite_1018.patch
proxy_connect_rewrite_1014.patch proxy_connect_rewrite_102101.patch
proxy_connect_rewrite_101504.patchproxy_connect_rewrite.patchgithub上开源了模块 https://github.com/chobits/ngx_http_proxy_connect_module
此处用的是nginx-1.17.6,对应proxy_connect_rewrite_1018.patch
配置nginx正向代理
下载后上传到服务器
ls
ngx_http_proxy_connect_module-master.zip nginx-1.17.6.tar.gz
解压nginx,解压模块并重命名
tar xf nginx-1.17.6.tar.gz
unzip ngx_http_proxy_connect_module-master.zip
mv ngx_http_proxy_connect_module-master ngx_http_proxy_connect_module
ls
ngx_http_proxy_connect_module nginx-1.17.6 ngx_http_proxy_connect_module-master.zip
nginx-1.17.6.tar.gz
安装nginx
安装源码编译工具包,nginx依赖包
yum -y install make gcc openssl openssl-devel pcre-devel zlib zlib-devel进入nginx解压后的目录
cd nginx-1.17.6
./configure
make && make install
使用正向代理https的模块
查看nginx-1.17.6对应的https模块的具体位置
ls /root/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1018.patch导入模块,再次编译安装
patch -p1 < /root/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1018.patch
./configure --add-module=/root/ngx_http_proxy_connect_module
make && make install
配置正向代理
nginx默认安装在/usr/local/nginx/
cd /usr/local/nginx/修改配置文件
vim conf/nginx.conf 在 #gzip on; 下添加配置
#正向代理转发http请求
server {
#指定DNS服务器IP地址
resolver 114.114.114.114;
#监听80端口,http默认端口80
listen 80;
#服务器IP或域名
server_namelocalhost;
#正向代理转发http请求
location / {
proxy_pass http://$host$request_uri;
proxy_set_header HOST $host;
proxy_buffers 256 4k;
proxy_max_temp_file_size 0k;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_next_upstream errortimeout invalid_header http_502;
}
}
#正向代理转发https请求
server {
#指定DNS服务器IP地址
resolver 114.114.114.114;
#监听443端口,https默认端口443
listen 443;
#正向代理转发https请求
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
proxy_pass http://$host;
proxy_set_header Host $host;
}
}检查配置文件是否有错误sbin/nginx -t
创建nginx用户,用来运行nginx
useradd nginx启动服务
sbin/nginx
验证正向代理
curl -I http://www.baidu.com/ -v -x 127.0.0.1:80
curl -I https://www.baidu.com/ -v -x 127.0.0.1:443验证正向代理http 200 ok
curl -I http://www.baidu.com/ -v -x 127.0.0.1:80
* About to connect() to proxy 127.0.0.1 port 80 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> HEAD http://www.baidu.com/ HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.17.6
Server: nginx/1.17.6
< Date: Sun, 28 Aug 2022 02:05:33 GMT
Date: Sun, 28 Aug 2022 02:05:33 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 277
Content-Length: 277
< Connection: keep-alive
Connection: keep-alive
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Etag: "575e1f7c-115"
Etag: "575e1f7c-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:36 GMT
Last-Modified: Mon, 13 Jun 2016 02:50:36 GMT
< Pragma: no-cache
Pragma: no-cache
<
* Connection #0 to host 127.0.0.1 left intact验证正向代理https 200 ok
curl -I https://www.baidu.com/ -v -x 127.0.0.1:443
* About to connect() to proxy 127.0.0.1 port 443 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* Establish HTTP proxy tunnel to www.baidu.com:443
> CONNECT www.baidu.com:443 HTTP/1.1
> Host: www.baidu.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
HTTP/1.1 200 Connection Established
< Proxy-agent: nginx
Proxy-agent: nginx
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
* start date: 7月 05 05:16:02 2022 GMT
* expire date: 8月 06 05:16:01 2023 GMT
* common name: baidu.com
* issuer: CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BE
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
Connection: keep-alive
< Content-Length: 277
Content-Length: 277
< Content-Type: text/html
Content-Type: text/html
< Date: Sun, 28 Aug 2022 02:05:50 GMT
Date: Sun, 28 Aug 2022 02:05:50 GMT
< Etag: "575e1f7c-115"
Etag: "575e1f7c-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:36 GMT
Last-Modified: Mon, 13 Jun 2016 02:50:36 GMT
< Pragma: no-cache
Pragma: no-cache
< Server: bfe/1.0.8.18
Server: bfe/1.0.8.18
<
* Connection #0 to host 127.0.0.1 left intact到此这篇关于nginx正向代理http和https的实现步骤的文章就介绍到这了,更多相关nginx正向代理http和https内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!
来源:https://www.jb51.net/server/2915732k2.htm
免责声明:由于采集信息均来自互联网,如果侵犯了您的权益,请联系我们【E-Mail:cb@itdo.tech】 我们会及时删除侵权内容,谢谢合作!
页:
[1]