Configuring nginx as a forward proxy
1. Environment preparation
Download ngx_http_proxy_connect_module from https://github.com/chobits/ngx_http_proxy_connect_module
2. Apply the patch
Choose the patch that matches your nginx version:
nginx version | enable REWRITE phase | patch |
---|---|---|
1.4.x ~ 1.12.x | NO | proxy_connect.patch |
1.4.x ~ 1.12.x | YES | proxy_connect_rewrite.patch |
1.13.x ~ 1.14.x | NO | proxy_connect_1014.patch |
1.13.x ~ 1.14.x | YES | proxy_connect_rewrite_1014.patch |
1.15.2 | YES | proxy_connect_rewrite_1015.patch |
1.15.4 ~ 1.16.x | YES | proxy_connect_rewrite_101504.patch |
1.17.x ~ 1.18.0 | YES | proxy_connect_rewrite_1018.patch |
1.19.x ~ 1.21.0 | YES | proxy_connect_rewrite_1018.patch |
1.21.1 | YES | proxy_connect_rewrite_102101.patch |
```
]# git clone https://github.com/chobits/ngx_http_proxy_connect_module.git   ## download the module and its patches
]# patch -p1 < /home/zzf/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1018.patch   ## run in the nginx source directory; pick the patch that fits your version
```
3. Recompile and install nginx
```
]# ./configure \
    --prefix=/opt/nginx \
    --sbin-path=/opt/nginx/sbin/nginx \
    --modules-path=/opt/nginx/modules \
    --conf-path=/opt/nginx/conf/nginx.conf \
    --error-log-path=/opt/nginx/log/error.log \
    --http-log-path=/opt/nginx/log/access.log \
    --pid-path=/opt/nginx/nginx.pid \
    --lock-path=/opt/nginx/nginx.lock \
    --http-client-body-temp-path=/opt/nginx/client_temp \
    --http-proxy-temp-path=/opt/nginx/proxy_temp \
    --http-fastcgi-temp-path=/opt/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/opt/nginx/uwsgi_temp \
    --http-scgi-temp-path=/opt/nginx/scgi_temp \
    --with-compat \
    --user=nginx \
    --group=nginx \
    --with-file-aio \
    --with-threads \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_mp4_module \
    --with-http_random_index_module \
    --with-http_realip_module \
    --with-http_secure_link_module \
    --with-http_slice_module \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-http_sub_module \
    --with-http_v2_module \
    --with-mail \
    --with-mail_ssl_module \
    --with-stream \
    --with-stream_realip_module \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --add-dynamic-module=/home/zzf/ngx_http_proxy_connect_module/   ## path to the added ngx_http_proxy_connect_module
]# make && make install
```
4. Edit the nginx configuration file
```
]# vim /opt/nginx/conf/nginx.conf
```
```
load_module /opt/nginx/modules/ngx_http_proxy_connect_module.so;   # placed above the events block

# the server block goes inside http { }
server {
    resolver 114.114.114.114;             # DNS server address
    listen 80;
    proxy_connect;
    proxy_connect_allow all;              # ports the proxy allows CONNECT to; "all" permits every port
    proxy_connect_connect_timeout 10s;    # proxy timeouts
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;
    location / {
        root html;
        index index.html index.htm;
        proxy_pass $scheme://$host$request_uri;
        proxy_set_header HOST $http_host;
        proxy_buffers 256 4k;
        proxy_max_temp_file_size 0k;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_next_upstream error timeout invalid_header http_502;
    }
}
```
The load_module directive must be placed in the main (top-level) context of nginx.conf, above the events block.
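A narrowed variant of the server block above, added here as an example and not part of the original post: with `proxy_connect_allow all` and no client restriction, anyone who can reach the listening port can tunnel to any host and port, so this version limits CONNECT to port 443 and restricts which clients may use the proxy. The listen address and port are the ones used in the curl test in section 5, and the 172.25.0.0/16 client range is a placeholder. It is an assumption that allow/deny are evaluated for CONNECT requests with the REWRITE-phase patch used here, so confirm it with a request from an address outside the allowed range.

```nginx
# Added example (not the original author's configuration).
server {
    # Bind to the proxy's internal address rather than every interface.
    # Address and port taken from the curl test on this page.
    listen 172.25.230.47:18020;

    resolver 114.114.114.114;

    # Placeholder client range: replace with the networks allowed to use the proxy.
    # Assumption: access-phase directives apply to CONNECT with the rewrite patch.
    allow 172.25.0.0/16;
    deny  all;

    proxy_connect;
    # Weak setting from the page:  proxy_connect_allow all;  (any TCP port)
    # Narrowed setting: HTTPS tunnels only.
    proxy_connect_allow 443;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;

    # Plain-HTTP forward proxying, covered by the same allow/deny rules.
    location / {
        proxy_pass $scheme://$host$request_uri;
        proxy_set_header Host $http_host;
    }
}
```

After reloading, a CONNECT to a port other than 443 should be refused by the proxy instead of returning "200 Connection Established".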
5. Access test
Client access test
```
]# curl -I https://www.sohu.com -x 172.25.230.47:18020
```
This requests sohu through the proxy server 172.25.230.47 on proxy port 18020.
Request process (verbose trace, as curl prints it when -v is added to the command above)
```
* About to connect() to proxy 172.25.230.47 port 18020 (#0)
* Trying 172.25.230.47...
* Connected to 172.25.230.47 (172.25.230.47) port 18020 (#0)
* Establish HTTP proxy tunnel to www.sohu.com:443
> CONNECT www.sohu.com:443 HTTP/1.1
> Host: www.sohu.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
HTTP/1.1 200 Connection Established
< Proxy-agent: nginx
Proxy-agent: nginx
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=www.sohu.com,O=北京搜狐新媒体信息技术有限公司,ST=北京市,C=CN
* start date: Aug 10 00:00:00 2023 GMT
* expire date: Aug 10 23:59:59 2024 GMT
* common name: www.sohu.com
* issuer: CN=Secure Site CA G2,OU=www.digicert.com,O=DigiCert Inc,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.sohu.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 14 Sep 2023 15:01:11 GMT
Date: Thu, 14 Sep 2023 15:01:11 GMT
< Content-Type: text/html;charset=UTF-8
Content-Type: text/html;charset=UTF-8
< Server: openresty
Server: openresty
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Vary: Origin
Vary: Origin
< Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
Vary: Access-Control-Request-Headers
< S-REQ-ID: 6582164252102008908
S-REQ-ID: 6582164252102008908
< S-REQ-TYPE: 0
S-REQ-TYPE: 0
< Cache-Control: max-age=60
Cache-Control: max-age=60
< Content-Length: 216337
Content-Length: 216337
< Accept-Ranges: bytes
Accept-Ranges: bytes
< X-NWS-LOG-UUID: 13330695295807490873
X-NWS-LOG-UUID: 13330695295807490873
< Connection: keep-alive
Connection: keep-alive
< X-Cache-Lookup: Cache Hit
X-Cache-Lookup: Cache Hit
< Server-Timing: cdn-cache;desc=hit, edge;dur=1
Server-Timing: cdn-cache;desc=hit, edge;dur=1
<
* Connection #0 to host 172.25.230.47 left intact
```
Check the nginx access log on the proxy server
Client proxy configuration
Set the proxy temporarily:
```
]# export http_proxy=172.25.230.47:18020    ## HTTP proxy
]# export https_proxy=172.25.230.47:18020   ## HTTPS proxy
```
Set the proxy permanently:
```
]# echo 'export http_proxy=172.25.230.47:18020' >> /etc/profile
]# echo 'export https_proxy=172.25.230.47:18020' >> /etc/profile
]# source /etc/profile
```
Unset the proxy temporarily:
```
]# unset http_proxy    ## remove the HTTP proxy
]# unset https_proxy   ## remove the HTTPS proxy
```