Scenario:
Because the company is switching cloud platforms, the egress IP will inevitably change. Some of the partner companies we integrate with need the new IP added to their IP whitelist, but at some of them the whitelist application process is long. So we run a forward proxy from the servers on the new cloud platform, so that traffic still leaves through the original company egress IP; that way the service keeps working while the partners' whitelist applications are pending, without affecting business.
This time nginx is used as the forward proxy. By default nginx does not ship a module for proxying HTTPS (CONNECT requests); it is added by applying a patch and then compiling and installing from source.
Reference: https://github.com/chobits/ngx_http_proxy_connect_module
nginx version
nginx-1.14.2
OS version
CentOS 6.5 (CentOS 7.x also works; the configuration steps are basically the same)
Here the nginx proxy server is deployed on a server in the original cloud platform, so that the egress IP stays the same.
1. Download the nginx source package and the HTTPS (CONNECT) module
wget http://nginx.org/download/nginx-1.14.2.tar.gz
tar -xf nginx-1.14.2.tar.gz
cd nginx-1.14.2/
yum install -y git
git clone https://github.com/chobits/ngx_http_proxy_connect_module.git
2. Patch, configure, compile and install
# openssl-devel is required by --with-http_ssl_module and zlib-devel by the default gzip module
yum install -y patch pcre pcre-devel openssl-devel zlib-devel
patch -p1 < ngx_http_proxy_connect_module/patch/proxy_connect_1.14.patch
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=ngx_http_proxy_connect_module
make && make install
ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/nginx
3. Forward proxy configuration
vim /usr/local/nginx/conf/nginx.conf
http {
    .....
    include /usr/local/nginx/conf/conf.d/*.conf;
    .....
}
mkdir /usr/local/nginx/conf/conf.d
cd /usr/local/nginx/conf/conf.d
[root@localhost conf.d]# vim forward.conf
server {
    listen 8000;
    # dns resolver used by forward proxying
    resolver 223.5.5.5;
    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow 443 563;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;
    # forward proxy for non-CONNECT request
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
4. Start the forward proxy service
nginx -t
nginx
5. Test whether HTTP and HTTPS requests can be proxied
Pick any host and point its proxy ip:port at the forward proxy configured above.
[root@sz-d-test-07 ~]# curl https://github.com/ -v -x 10x.x5.136.51:8000
* About to connect() to proxy 10x.x5.136.51 port 8000 (#0)
*   Trying 10x.x5.136.51...
* Connected to 106.75.136.51 (10x.x5.136.51) port 8000 (#0)
* Establish HTTP proxy tunnel to github.com:443
> CONNECT github.com:443 HTTP/1.1
> Host: github.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
< Proxy-agent: nginx
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=github.com,O="GitHub, Inc.",L=San Francisco,ST=California,C=US
*       start date: May 05 00:00:00 2020 GMT
*       expire date: May 10 12:00:00 2022 GMT
*       common name: github.com
*       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: github.com
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Wed, 08 Jul 2020 02:46:21 GMT
< content-type: text/html; charset=utf-8
< server: GitHub.com
< status: 200 OK
< vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding
< etag: W/"362bc36ce104548787eefc88455faa45"
< cache-control: max-age=0, private, must-revalidate
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
..........................
..........................
What I wanted to verify here is that a server in the new cloud platform, going through the proxy, really leaves via the original cloud platform's egress IP. So I picked a service whose log files I can read, and checked whether the client IP recorded in its log is the original cloud server's IP.
Configuring a global proxy on CentOS, so that all outgoing traffic goes through the proxy
If you only want a quick test, use curl -x or --proxy proxy_ip:port. To make it global:
export http_proxy='10x.x5.136.51:8000'   # http
export https_proxy='10x.x5.136.51:8000'  # https
To make the above permanent, write it into /etc/profile or /etc/profile.d/xxx.sh
[root@sz-d-test-07 ~]# echo $http_proxy
10x.x5.136.51:8000
[root@sz-d-test-07 ~]# echo $https_proxy
10x.x5.136.51:8000
[root@sz-d-test-07 ~]#
Test HTTPS
[root@sz-d-test-07 ~]# curl https://testadmin.haitxx.com/admin/   # add -v to see the detailed request flow
............................
tailf /path/to/access.log
10x.x5.136.51 - - [08/Jul/2020:11:00:43 +0800] "GET /admin/ HTTP/1.1" 200 6706 "-" "curl/7.29.0
If the IP here is the forward proxy's IP, it worked.
Test HTTP
[root@sz-d-test-07 ~]# curl https://testadmin.haitxx.com/admin/
Seeing the forward proxy's IP in the log file is enough.
You can also configure the proxy in a Windows browser, pointing it at this forward proxy server's address; Google Chrome is used as the example.
To verify that requests are leaving through the forward proxy server, look at the proxy access log on the forward proxy server: if the request's IP is your own IP, it worked. If you don't know your own egress IP, open Baidu before setting the browser proxy and search for "ip"; it will automatically detect your egress IP.
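The two log checks above can be automated. The following Python script is an added example, not code from the original post: on the partner-facing target service, every client IP in the access log should be the proxy's egress IP; on the proxy itself, only servers from the new cloud platform should appear, because a forward proxy on port 8000 with no access restriction is reachable as an open proxy by anyone who can route to it. The IPs, CIDR and log lines are constructed placeholders.

```python
import ipaddress
import re

# Regex for nginx's default "combined" log format (same shape as the
# access.log line in the post): client ip, timestamp, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed placeholders (documentation ranges), not the real addresses.
PROXY_EGRESS_IP = "203.0.113.51"        # assumed: forward proxy's public IP
NEW_CLOUD_RANGE = ["198.51.100.0/24"]   # assumed: new cloud platform's servers
TARGET_LOG = [  # constructed: access.log of the partner-facing target service
    '203.0.113.51 - - [08/Jul/2020:11:00:43 +0800] "GET /admin/ HTTP/1.1" 200 6706 "-" "curl/7.29.0"',
    '192.0.2.9 - - [08/Jul/2020:11:01:02 +0800] "GET /admin/ HTTP/1.1" 200 6706 "-" "curl/7.29.0"',
]
PROXY_LOG = [  # constructed: access.log of the nginx forward proxy itself
    '198.51.100.7 - - [08/Jul/2020:11:00:43 +0800] "CONNECT github.com:443 HTTP/1.1" 200 0 "-" "curl/7.29.0"',
    '192.0.2.77 - - [08/Jul/2020:11:05:10 +0800] "GET http://example.net/ HTTP/1.1" 200 1256 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return (client_ip, request, status) for one combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("request"), int(m.group("status"))


def egress_mismatches(lines, expected_ip):
    """Target-side check: every request should arrive from the proxy's egress IP.
    Returns the (client_ip, request) pairs that came from anywhere else."""
    bad = []
    for line in lines:
        p = parse_line(line)
        if p and p[0] != expected_ip:
            bad.append((p[0], p[1]))
    return bad


def unexpected_clients(lines, allowed_cidrs):
    """Proxy-side check: only new-cloud servers should use the proxy. Returns
    (client_ip, request) pairs from outside the allowed ranges (open-proxy use)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    bad = []
    for line in lines:
        p = parse_line(line)
        if p and not any(ipaddress.ip_address(p[0]) in n for n in nets):
            bad.append((p[0], p[1]))
    return bad
```

Run `egress_mismatches` over the target service's log and `unexpected_clients` over the proxy's own log; an empty list from both means the traffic path is what the setup intends.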