NGINX Stream方式正向代理
Nginx四层正向代理
前言
除了HTTP CONNECT隧道7层正向代理的方式,还可以通过Nginx Stream的方式实现四层正向代理。
前提
需要--with-stream、--with-stream_ssl_preread_module、--with-stream_ssl_module模块的支持,该模块默认不build,需要configure时加上这三个模块选项来开启12。
正向代理Https请求
# 10.122.10.98,四层代理,与http模块平级
stream {
resolver 114.114.114.114;
log_format main '$remote_addr - [$time_local] '
'$protocol $status $bytes_sent $bytes_received $session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time" '
'$remote_addr $remote_port $server_addr $server_port';
access_log logs/access.log main;
server {
listen 443;
ssl_preread on;
proxy_connect_timeout 10s;
proxy_timeout 10s;
proxy_pass $ssl_preread_server_name:$server_port;
}
}
在另外一台机器测试,四层正向代理只能转发Https请求,无法转发Http请求,使用时无需设置系统代理,但是必须添加hosts,curl http://www.baidu.com -v不正常,curl https://www.baidu.com -v正常。
正向代理转发两次
Client Machine C –> Nginx Machine B(installed stream module)–> Nginx Machine A(installed stream module) –> target website
在前面配置好正向代理请求Https之后,配置如下 。
# 10.122.10.218,内网二次转发,四层代理转发,只支持转发https请求
stream {
log_format main '$remote_addr - [$time_local] '
'$protocol $status $bytes_sent $bytes_received $session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time" '
'$remote_addr $remote_port $server_addr $server_port';
access_log logs/access.log main;
upstream https_proxy {
# server 10.122.10.201:443;
server 10.122.10.218:443;
}
server {
listen 443;
proxy_connect_timeout 10s;
proxy_timeout 10s;
proxy_pass https_proxy;
}
}
在另外一台机器测试,无需设置系统代理,但是必须添加hosts,curl http://www.baidu.com -v不正常,curl https://www.baidu.com -v正常。
