Implementing an nginx forward proxy for HTTPS sites
1. Background
Recently I ran into an annoying problem: the company's CentOS test server sits in an internal network with no direct Internet access, so packages could not be installed with yum, which was a real nuisance.
Fortunately, some machines on the internal network can reach the Internet, so the idea was to set up nginx on one of them as a proxy and have the CentOS box reach the Internet through it. Proxying plain HTTP is simple; proxying HTTPS takes a bit more work. nginx cannot hold the certificates of the sites being proxied, so it cannot act as a TLS termination point for them and cannot speak TLS with the proxied client on their behalf. Instead the client asks nginx to open a connection to the outside with an HTTP CONNECT request: only that CONNECT request travels in plaintext between the client and nginx, and the HTTPS session then runs through the tunnel from the client to the remote site. The ngx_http_proxy_connect_module module provides this CONNECT handling.
2. Deploying nginx
Step 1: Download the nginx source tarball from the official nginx site.
Step 2: nginx does not support CONNECT requests natively, so an extension module is needed: ngx_http_proxy_connect_module. Download it from GitHub, together with the nginx core patch that matches your nginx version.
Step 3: Unpack the nginx source, enter the nginx source directory and create a modules directory (mkdir modules).
Step 4: Place the ngx_http_proxy_connect_module source directory inside the modules directory.
Step 5: Copy the nginx core patch into the nginx source directory; here it is called p1.patch.
Step 6: In the nginx source directory, apply the patch to the nginx core with the following command:
patch -p 1 < p1.patch
Step 7: Build nginx. This assumes nginx is installed under /opt/nginx (before building, make sure the pcre, zlib and openssl development libraries are installed). The build commands are:
./configure --prefix=/opt/nginx --with-http_ssl_module --add-module=./modules/ngx_http_proxy_connect_module
make && make install
Step 8: Configure nginx
The configuration file is as follows:
#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    keepalive_timeout 65;

    server {
        # port the proxy listens on
        listen 8080;
        server_name localhost;

        # DNS server used to resolve the proxied sites' hostnames; adjust to your environment
        resolver 114.114.114.114;

        # enable the CONNECT handling provided by ngx_http_proxy_connect_module
        proxy_connect;
        # target ports that CONNECT may tunnel to: 443 (the HTTPS default) and 80
        proxy_connect_allow 443 80;

        location / {
            # forward proxy: derive the target site from the request's absolute URI and proxy to it
            proxy_pass $scheme://$host$request_uri;
            # requests sent to the proxied site need a Host header
            proxy_set_header Host $http_host;
            proxy_buffers 256 4k;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout 30;
        }
    }
}
With this configuration in place, nginx on port 8080 can proxy both plain HTTP requests and HTTPS requests.
Step 9: Start nginx
Run /opt/nginx/sbin/nginx to start nginx.
3. Testing
3.1 HTTP test
curl "http://www.baidu.com/" -x 127.0.0.1:8080 -v
Response:
* Trying 127.0.0.1:8080...
* Connected to (nil) (127.0.0.1) port 8080 (#0)
> GET http://www.baidu.com/ HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.81.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.24.0
< Date: Fri, 23 Feb 2024 09:08:01 GMT
< Content-Type: text/html
< Content-Length: 2381
< Connection: keep-alive
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Etag: "588604eb-94d"
< Last-Modified: Mon, 23 Jan 2017 13:28:11 GMT
< Pragma: no-cache
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
<
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head>
<body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div>
<form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn"></span> </form> </div> </div>
<div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新聞</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地圖</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>視頻</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>貼吧</a>
<noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登錄</a> </noscript>
<script>document.write('<a + encodeURIComponent(window.location.href+ (window.location.search === " rel="external nofollow" rel="external nofollow" " ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登錄</a>');</script>
<a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多產品</a> </div> </div> </div>
<div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>關于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>©2017 Baidu <a href=http://www.baidu.com/duty/>使用百度前必讀</a> <a href=http://jianyi.baidu.com/ class=cp-feedback>意見反饋</a> 京ICP證030173號 <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
The output shows that the HTTP request is proxied without any CONNECT request, and the response comes back normally.
3.2 HTTPS test
curl "https://www.baidu.com/" -x 127.0.0.1:8080 -v
* Trying 127.0.0.1:8080...
* Connected to (nil) (127.0.0.1) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.baidu.com:443
> CONNECT www.baidu.com:443 HTTP/1.1
> Host: www.baidu.com:443
> User-Agent: curl/7.81.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
< Proxy-agent: nginx
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
* start date: Jul 6 01:51:06 2023 GMT
* expire date: Aug 6 01:51:05 2024 GMT
* subjectAltName: host "www.baidu.com" matched cert's "*.baidu.com"
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
* SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 2443
< Content-Type: text/html
< Date: Fri, 23 Feb 2024 09:11:25 GMT
< Etag: "58860410-98b"
< Last-Modified: Mon, 23 Jan 2017 13:24:32 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
<
<!DOCTYPE html>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=https://ss1.bdstatic.com/5eN1bjq8AAUYm2zgoY3K/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head>
<body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div>
<form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus=autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn" autofocus></span> </form> </div> </div>
<div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新聞</a> <a href=https://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地圖</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>視頻</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>貼吧</a>
<noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登錄</a> </noscript>
<script>document.write('<a + encodeURIComponent(window.location.href+ (window.location.search === " rel="external nofollow" rel="external nofollow" " ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登錄</a>'); </script>
<a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多產品</a> </div> </div> </div>
<div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>關于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>©2017 Baidu <a href=http://www.baidu.com/duty/>使用百度前必讀</a> <a href=http://jianyi.baidu.com/ class=cp-feedback>意見反饋</a> 京ICP證030173號 <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>
The output shows that the HTTPS request goes through a CONNECT request, the TLS handshake takes place inside the tunnel, and the response comes back normally.
4. Configuring CentOS to reach the Internet through the proxy
Set the http_proxy and https_proxy environment variables on the CentOS server. Assuming the nginx server's IP address is 192.168.0.1, run the following two commands on the command line:
export http_proxy="http://192.168.0.1:8080"
# the nginx listener speaks plain HTTP, so https_proxy also uses the http:// scheme
export https_proxy="http://192.168.0.1:8080"
After that, yum works normally. If possible, put these two commands in ~/.bashrc so they do not have to be typed at every login.
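The following Python script is an added example; it is not code from this article or from the ngx_http_proxy_connect_module project. It reproduces what the two curl tests in section 3 do and what the configuration in section 2 relies on: a plain-HTTP request is sent to the proxy with an absolute URI (handled by `proxy_pass`), while an HTTPS request first sends CONNECT, checks that the proxy answered 2xx (a refusal, for example for a port outside `proxy_connect_allow`, is reported instead of starting TLS on an error page), and then runs the TLS handshake end to end through the tunnel, so the origin certificate is verified by the client and nginx never sees plaintext. It also reads the proxy address from the `https_proxy`/`http_proxy` variables of section 4, rejecting any scheme other than `http://` because the nginx listener is plaintext. The default address 192.168.0.1:8080, the target host and all function names (`proxy_from_env`, `open_tunnel`, `fetch_https_via_proxy` and so on) are constructed for this example.

```python
"""Exercise an nginx forward proxy built with ngx_http_proxy_connect_module.

Added example (not from the article or the module). Assumes the article's setup:
nginx listening in plain HTTP on the proxy address, plain HTTP served through
proxy_pass, HTTPS tunnelled with CONNECT.
"""
import os
import socket
import ssl
from urllib.parse import urlsplit

# Constructed default, matching the article's example address for the nginx host.
DEFAULT_PROXY = "http://192.168.0.1:8080"


def proxy_from_env(env, key="https_proxy"):
    """Return (host, port) from env[key] (or DEFAULT_PROXY).

    The nginx listener speaks plaintext HTTP, so a proxy URL with any other
    scheme would make clients attempt TLS to nginx itself; reject it early.
    """
    url = env.get(key) or env.get(key.upper()) or DEFAULT_PROXY
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError(f"{key} must use http://, got {url!r}")
    if not parts.hostname or parts.port is None:
        raise ValueError(f"{key} must be http://host:port, got {url!r}")
    return parts.hostname, parts.port


def build_absolute_get(host, path="/"):
    """Plain-HTTP request as sent to a forward proxy: absolute URI in the request line."""
    return (f"GET http://{host}{path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode()


def build_connect_request(host, port=443):
    """CONNECT request asking the proxy for a raw tunnel to host:port."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_status_line(response):
    """Return (status_code, reason) from the first line of an HTTP response."""
    line = response.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {line!r}")
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def read_headers(sock):
    """Read until the end of the HTTP header block, with a size bound."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before the header block ended")
        buf += chunk
        if len(buf) > 65536:
            raise ValueError("header block too large")
    return buf


def read_all(sock):
    """Read until the peer closes (both requests above ask for Connection: close)."""
    chunks = []
    while chunk := sock.recv(4096):
        chunks.append(chunk)
    return b"".join(chunks)


def open_tunnel(proxy, target_host, target_port=443, timeout=10):
    """Send CONNECT; on 2xx return the socket, now a raw pipe to the target.

    A non-2xx reply (for example when target_port is not in proxy_connect_allow)
    means nginx refused the tunnel, so fail instead of starting TLS on an error page.
    """
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(build_connect_request(target_host, target_port))
    code, reason = parse_status_line(read_headers(sock))
    if not 200 <= code < 300:
        sock.close()
        raise ConnectionError(f"CONNECT {target_host}:{target_port} refused: {code} {reason}")
    return sock


def fetch_http_via_proxy(proxy, host, path="/"):
    """Plain HTTP: no CONNECT, nginx fetches the absolute URI itself (proxy_pass)."""
    with socket.create_connection(proxy, timeout=10) as sock:
        sock.sendall(build_absolute_get(host, path))
        resp = read_all(sock)
    return parse_status_line(resp)[0], resp


def fetch_https_via_proxy(proxy, host, path="/"):
    """HTTPS: CONNECT tunnel, then TLS end to end. The origin certificate is
    verified here against the system CA store; nginx only relays bytes."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(open_tunnel(proxy, host, 443), server_hostname=host) as tls:
        tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        resp = read_all(tls)
    return parse_status_line(resp)[0], resp


if __name__ == "__main__":
    proxy = proxy_from_env(os.environ)
    print("http  status:", fetch_http_via_proxy(proxy, "www.baidu.com")[0])
    print("https status:", fetch_https_via_proxy(proxy, "www.baidu.com")[0])
```

Run it on the CentOS box after section 4 (`https_proxy=http://192.168.0.1:8080 python3 proxy_check.py`); both lines should print 200, mirroring the two curl transcripts. Because the listener as configured accepts any client that can reach port 8080, the usual hardening is to restrict it with nginx's `allow`/`deny` directives to the internal subnet and to limit `proxy_connect_allow` to the ports actually needed.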