Nginx forward proxy implementation


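Introduction to forward proxies

nginx can act not only as a reverse proxy but also as a forward proxy, for example to give machines Internet access. If you picture the Internet outside the LAN as a huge resource pool, clients inside the LAN have to go through a proxy server to reach it. This kind of proxy service is called a forward proxy (what people usually mean by "getting online through a proxy").

Example

As shown in the figure below, the internal machine 10.212.4.35 sits in the office intranet and cannot reach the external Internet; the external machine 10.211.1.6 sits in a different network environment and can reach the Internet. Data between the internal and external machines is ferried across a network gatekeeper. In the environment shown in the figure, the network path is already open: the internal machine 10.212.4.35 can reach port 8080 on the external machine 10.211.1.6. If the internal machine needs Internet access, the only way is to proxy through the external machine.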

Install and deploy nginx

Install nginx on the external machine and configure the proxy.

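  • nginx does not support proxying HTTPS by default (stock nginx does not handle the CONNECT method), so an extra module has to be added first.
  • Module: https://github.com/chobits/ngx_http_proxy_connect_module/
  • The module and nginx versions must match; see the description at the module URL for the mapping.
  • The patch is applied with the patch command, which is installed with yum install patch.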

This walkthrough uses nginx 1.19.2 with patch version 1018.

✏️ Download the module

wget https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v0.0.2.zip

✏️ Unzip

unzip v0.0.2.zip

✏️ Download nginx

wget http://nginx.org/download/nginx-1.19.2.tar.gz

✏️ Apply the patch

tar xf nginx-1.19.2.tar.gz

cd nginx-1.19.2

patch -p1 < /root/tools/ngx_http_proxy_connect_module-0.0.2/patch/proxy_connect_rewrite_1018.patch

✏️ Compile and install nginx

yum install gcc gcc-c++ make cmake unzip ncurses-devel pcre-devel zlib-devel -y

./configure --prefix=/usr/local/nginx --add-module=/root/tools/ngx_http_proxy_connect_module-0.0.2

make && make install

Configure the forward proxy

✏️ Configure nginx

cd /usr/local/nginx/conf/

cp nginx.conf{,.bak}

vim nginx.conf
    server {
        listen                           80;
        server_name                      localhost;
        resolver                         114.114.114.114;
        proxy_connect;
        proxy_connect_allow              443 80;
        proxy_connect_connect_timeout    10s;
        proxy_connect_read_timeout       10s;
        proxy_connect_send_timeout       10s;
        location / {
            proxy_pass $scheme://$http_host$request_uri;
        }
    }

✏️ Write the systemd unit file

cat > /etc/systemd/system/nginx.service << 'EOF'
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF

✏️ Start nginx

systemctl daemon-reload
systemctl start nginx

✏️ Open the firewall policy (because the traffic arrives through the gatekeeper, the source IP is changed to 172.12.0.179)

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.12.0.179" port protocol="tcp" port="8080" accept'

firewall-cmd --reload

Test and verify

Run the access tests from the internal machine, then add the proxy to the environment variables.

✏️ HTTP access test

# curl -I --proxy 172.11.0.179:8080  http://www.baidu.com
HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Sun, 05 Sep 2021 08:17:57 GMT
Content-Type: text/html
Content-Length: 277
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache

✏️ HTTPS access test

# curl -I --proxy 172.11.0.179:8080  https://www.baidu.com
HTTP/1.1 200 Connection Established
Proxy-agent: nginx

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Sun, 05 Sep 2021 08:18:17 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18

✏️ Add the proxy to the environment variables so it is used directly

vim /etc/profile
export http_proxy=172.11.0.179:8080
export https_proxy=172.11.0.179:8080

✏️ Once it is added, the machine can reach the Internet directly

# curl -I http://www.baidu.com
HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Sun, 05 Sep 2021 08:26:35 GMT
Content-Type: text/html
Content-Length: 277
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache


# curl -I https://www.baidu.com
HTTP/1.1 200 Connection Established
Proxy-agent: nginx

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 277
Content-Type: text/html
Date: Sun, 05 Sep 2021 08:26:14 GMT
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
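
How the `proxy_connect_allow 443 80` line in the configuration and the `200 Connection Established` reply in the HTTPS test fit together, as an added example that is not part of the original article or of the module's code: a stand-in proxy applies the same port allow-list to a CONNECT request, and a small client reads back the status. The stand-in, its 403 and 400 replies, and the names `handle_connect`, `connect_status`, `probe_proxy` and `probe_stub` are assumptions of this example.

```python
import socket
import threading

ALLOWED_PORTS = {443, 80}  # mirrors "proxy_connect_allow 443 80" in the config above


def handle_connect(conn):
    """Stand-in proxy (constructed): apply the port allow-list to one request."""
    with conn, conn.makefile("rb") as reader:
        request_line = reader.readline().decode("ascii", "replace")
        while reader.readline() not in (b"\r\n", b"\n", b""):
            pass  # drain the remaining request headers
        try:
            method, target, _version = request_line.split()
            port = int(target.rsplit(":", 1)[1])
        except (ValueError, IndexError):
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            return
        if method == "CONNECT" and port in ALLOWED_PORTS:
            # A real proxy would now open the upstream socket and relay bytes.
            conn.sendall(b"HTTP/1.1 200 Connection Established\r\n"
                         b"Proxy-agent: nginx\r\n\r\n")
        else:
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")


def connect_status(sock, target):
    """Send 'CONNECT target' over a connected socket; return the status code."""
    sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii"))
    status_line = sock.makefile("rb").readline().decode("ascii", "replace")
    return int(status_line.split()[1])


def probe_proxy(host, port, target, timeout=5):
    """Run the same exchange against a real proxy that you operate."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return connect_status(sock, target)


def probe_stub(target):
    """Offline check: run the exchange against the stand-in over a socket pair."""
    client, server = socket.socketpair()
    threading.Thread(target=handle_connect, args=(server,), daemon=True).start()
    with client:
        return connect_status(client, target)


if __name__ == "__main__":
    print({t: probe_stub(t) for t in ("www.example.com:443", "www.example.com:22")})
```

`probe_proxy` runs the same exchange against a proxy you operate, for instance to confirm that a port outside the allow-list is refused.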

