正向代理简介
nginx不仅可以做反向代理,还能用作正向代理来进行上网等功能。如果把局域网外的Internet想象成一个巨大的资源库,则局域网中的客户端要访问Internet,则需要通过代理服务器来访问,这种代理服务就称为正向代理(也就是大家常说的,通过正向代理进行上网功能)
示例
如下图所示,内网机器
10.212.4.35处于办公内网中,无法访问外部Internet;外网机器10.211.1.6处于另一个网络环境中,也就是可以上互联网的机器。内网机器和外网机器之间的数据传输通过网闸进行摆渡。在下面图中的环境,已将网络打通,内网机器10.212.4.35可以访问外网机器10.211.1.6的8080端口。则内网机器如果想上互联网,则只能通过外网机器代理实现。
安装部署nginx
在外网机器安装部署
nginx、并配置代理。
- 由于
nginx默认不支持https的代理,故而需要额外先添加模块。 - 插件地址:https://github.com/chobits/ngx_http_proxy_connect_module/
- 插件和
nginx需对应,对应关系查看插件地址里面的介绍 - 需要通过
patch命令打入补丁,通过yum install patch进行安装
这里所使用的 nginx为 1.19.2,补丁版本为 1018
✏️ 下载模块
wget https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v0.0.2.zip
✏️ 解压
unzip v0.0.2.zip
✏️ 下载 nginx
wget http://nginx.org/download/nginx-1.19.2.tar.gz
✏️ 打入补丁包
tar xf nginx-1.19.2.tar.gz
cd nginx-1.19.2
patch -p1 < /root/tools/ngx_http_proxy_connect_module-0.0.2/patch/proxy_connect_rewrite_1018.patch
✏️ 编译安装 nginx
yum install gcc cmake make cmake unzip ncurses-devel gcc gcc-c++ -y
./configure --prefix=/usr/local/nginx --add-module=/root/tools/ngx_http_proxy_connect_module-0.0.2
make && make install
配置正向代理
✏️ 配置 nginx
cd /usr/local/nginx/conf/
cp nginx.conf{,.bak}
vim nginx.conf
server {
listen 80;
server_name localhost;
resolver 114.114.114.114;
proxy_connect;
proxy_connect_allow 443 80;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_coneect_send_timeout 10s;
location / {
proxy_pass $scheme://$http_host$request_uri;
}
}
✏️ 编写 systemd启动脚本
cat > /etc/systemd/system/nginx.service << EOF
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF
✏️ 启动 nginx
systemctl daemon-reload
systemctl start nginx
✏️ 开放防火墙策略(这里由于是通过网闸出来的,所以源 IP发生了改变为 172.12.0.179)
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="172.12.0.179" port protocol="tcp" port="8080" accept"
firewall-cmd --reload
测试验证
内网机器进行访问测试,并添加到环境变量
✏️ http的访问测试
curl -I --proxy 172.11.0.179:8080 http://www.baidu.com
HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Sun, 05 Sep 2021 08:17:57 GMT
Content-Type: text/html
Content-Length: 277
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
✏️ https的访问测试
curl -I --proxy 172.11.0.179:8080 https://www.baidu.com
HTTP/1.1 200 Connection Established
Proxy-agent: nginx
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Sun, 05 Sep 2021 08:18:17 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
✏️ 添加到环境变量,直接使用
vim /etc/profile
export http_proxy=172.11.0.179:8080
export https_proxy=172.11.0.179:8080
✏️ 添加完成后,变可以直接上网了
curl -I http://www.baidu.com
HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Sun, 05 Sep 2021 08:26:35 GMT
Content-Type: text/html
Content-Length: 277
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
curl -I https://www.baidu.com
HTTP/1.1 200 Connection Established
Proxy-agent: nginx
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Sun, 05 Sep 2021 08:26:14 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
Original: https://www.cnblogs.com/yanjieli/p/15229907.html
Author: 别来无恙-
Title: Nginx-正向代理实现
原创文章受到原创版权保护。转载请注明出处:https://www.johngo689.com/543773/
转载文章受原作者版权保护。转载请注明原作者出处!