如何使用Nginx配置正向代理(静态编译)?

Forward Proxy

1 前言

今天发现Nginx也能当正向代理使用(代理上网),一番折腾结果还行,笔记如下。

2 最佳实践

2.1 安装前准备

2.1.1 准备操作系统环境

OS = CentOS 6.8 x86_64
ip = 10.168.0.80
hostname = any.cmdschool.org

2.1.2 准备编译环境

yum install -y gcc gcc-c++ make expat-devel

安装patch工具

yum install -y patch

2.1.3 准备Nginx软件包

cd ~
wget http://nginx.org/download/nginx-1.16.1.tar.gz

2.1.4 准备软件模块

cd ~
wget https://github.com/chobits/ngx_http_proxy_connect_module/archive/v0.0.1.tar.gz -O ngx_http_proxy_connect_module-0.0.1.tar.gz

2.1.5 解压nginx软件包

cd ~
tar -xzvf nginx-1.16.1.tar.gz

2.1.6 解压模块软件包

cd ~
tar -xf ngx_http_proxy_connect_module-0.0.1.tar.gz

2.1.7 解压模块软件包

groupadd  -g 498 nginx
useradd -u 499 -g 498 -d /var/cache/nginx -s /sbin/nologin nginx

2.2 编译安装

2.2.1 附加模块软件包

cd ~/nginx-1.16.1
patch -p1 < ../ngx_http_proxy_connect_module-0.0.1/patch/proxy_connect_rewrite_101504.patch

注:以上需要根据nginx的合适版本选择不同的补丁,

nginx version enable REWRITE phase patch
1.4.x ~ 1.12.x NO proxy_connect.patch
1.4.x ~ 1.12.x YES proxy_connect_rewrite.patch
1.13.x ~ 1.14.x NO proxy_connect_1014.patch
1.13.x ~ 1.14.x YES proxy_connect_rewrite_1014.patch
1.15.2 YES proxy_connect_rewrite_1015.patch
1.15.4 ~ 1.16.x YES proxy_connect_rewrite_101504.patch
1.17.x YES proxy_connect_rewrite_101504.patch

2.2.2 预编译安装包

cd ~/nginx-1.16.1
./configure --prefix=/etc/nginx \
            --sbin-path=/usr/sbin/nginx \
            --modules-path=/usr/lib64/nginx/modules \
            --conf-path=/etc/nginx/nginx.conf \
            --error-log-path=/var/log/nginx/error.log \
            --http-log-path=/var/log/nginx/access.log \
            --pid-path=/var/run/nginx.pid \
            --lock-path=/var/run/nginx.lock \
            --http-client-body-temp-path=/var/cache/nginx/client_temp \
            --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
            --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
            --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
            --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
            --user=nginx \
            --group=nginx \
            --with-compat \
            --with-threads \
            --with-cpu-opt=generic \
            --with-http_addition_module \
            --with-http_auth_request_module \
            --with-http_dav_module \
            --with-http_flv_module \
            --with-http_gunzip_module \
            --with-http_gzip_static_module \
            --with-http_mp4_module \
            --with-http_random_index_module \
            --with-http_realip_module \
            --with-http_secure_link_module \
            --with-http_slice_module \
            --with-http_ssl_module \
            --with-http_stub_status_module \
            --with-http_sub_module \
            --with-http_v2_module \
            --with-mail \
            --with-mail_ssl_module \
            --with-stream \
            --with-stream_realip_module \
            --with-stream_ssl_module \
            --with-stream_ssl_preread_module \
            --with-openssl=/usr/local/openssl-1.0.2 \
            --add-module=../ngx_http_proxy_connect_module-0.0.1

如果遇到如下错误,

./configure: error: can not detect int size

请使用如下命令修改文件定义,

vim auto/types/sizeof

修改如下参数

ngx_size=4

编译软件包

make

如果遇到如下错误,

make -f objs/Makefile
make[1]: Entering directory `/root/nginx-1.16.1'
cd /usr/local/openssl-1.0.2 \
        && if [ -f Makefile ]; then make clean; fi \
        && ./config --prefix=/usr/local/openssl-1.0.2/.openssl no-shared no-threads  \
        && make \
        && make install_sw LIBDIR=lib
/bin/sh: line 2: ./config: No such file or directory
make[1]: *** [/usr/local/openssl-1.0.2/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory `/root/nginx-1.16.1'
make: *** [build] Error 2

请使用如下命令修改文件定义,

cp auto/lib/openssl/conf auto/lib/openssl/conf.default
vim auto/lib/openssl/conf

使用如下命令修改参数的定义,

:%s/OPENSSL\/.openssl/OPENSSL/g

注:需要使用“make clean”情况缓存后重新编译
如果遇到如下错误,

cc1: warnings being treated as errors
src/http/ngx_http_core_module.c: In function ‘ngx_http_update_location_config’:
src/http/ngx_http_core_module.c:1235: error: ‘return’ with a value, in function returning void
make[1]: *** [objs/src/http/ngx_http_core_module.o] Error 1
make[1]: Leaving directory `/root/nginx-1.16.1'
make: *** [build] Error 2

请使用如下命令修改文件定义,

vim objs/Makefile

修改如下参数

# CFLAGS =  -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g
CFLAGS =  -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -g

2.2.3 安装软件包

make install

2.2.4 配置服务控制脚本

vim /etc/init.d/nginx

加入如下配置,

#!/bin/sh
#
# nginx        Startup script for nginx
#
# chkconfig: - 85 15
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx.pid
# description: nginx is an HTTP and reverse proxy server
#
### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop nginx
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

if [ -L $0 ]; then
    initscript=`/bin/readlink -f $0`
else
    initscript=$0
fi

sysconfig=`/bin/basename $initscript`

if [ -f /etc/sysconfig/$sysconfig ]; then
    . /etc/sysconfig/$sysconfig
fi

nginx=${NGINX:-/usr/sbin/nginx}
prog=`/bin/basename $nginx`
conffile=${CONFFILE:-/etc/nginx/nginx.conf}
lockfile=${LOCKFILE:-/var/lock/subsys/nginx}
pidfile=${PIDFILE:-/var/run/nginx.pid}
SLEEPSEC=${SLEEPSEC:-1}
UPGRADEWAITLOOPS=${UPGRADEWAITLOOPS:-5}
CHECKSLEEP=${CHECKSLEEP:-3}
RETVAL=0

start() {
    echo -n $"Starting $prog: "

    daemon --pidfile=${pidfile} ${nginx} -c ${conffile}
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc -p ${pidfile} ${prog}
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}

reload() {
    echo -n $"Reloading $prog: "
    killproc -p ${pidfile} ${prog} -HUP
    RETVAL=$?
    echo
}

upgrade() {
    oldbinpidfile=${pidfile}.oldbin

    configtest -q || return
    echo -n $"Starting new master $prog: "
    killproc -p ${pidfile} ${prog} -USR2
    echo

    for i in `/usr/bin/seq $UPGRADEWAITLOOPS`; do
        /bin/sleep $SLEEPSEC
        if [ -f ${oldbinpidfile} -a -f ${pidfile} ]; then
            echo -n $"Graceful shutdown of old $prog: "
            killproc -p ${oldbinpidfile} ${prog} -QUIT
            RETVAL=$?
            echo
            return
        fi
    done

    echo $"Upgrade failed!"
    RETVAL=1
}

configtest() {
    if [ "$#" -ne 0 ] ; then
        case "$1" in
            -q)
                FLAG=$1
                ;;
            *)
                ;;
        esac
        shift
    fi
    ${nginx} -t -c ${conffile} $FLAG
    RETVAL=$?
    return $RETVAL
}

rh_status() {
    status -p ${pidfile} -b ${nginx} ${nginx}
}

check_reload() {
    templog=`/bin/mktemp --tmpdir nginx-check-reload-XXXXXX.log`
    trap '/bin/rm -f $templog' 0
    /usr/bin/tail --pid=$$ -n 0 --follow=name /var/log/nginx/error.log > $templog &
    /bin/sleep 1
    /bin/echo -n $"Sending reload signal to $prog: "
    killproc -p ${pidfile} ${prog} -HUP
    /bin/echo
    /bin/sleep $CHECKSLEEP
    /bin/grep -E "\[emerg\]|\[alert\]" $templog
}

# See how we were called.
case "$1" in
    start)
        rh_status >/dev/null 2>&1 && exit 0
        start
        ;;
    stop)
        stop
        ;;
    status)
        rh_status
        RETVAL=$?
        ;;
    restart)
        configtest -q || exit $RETVAL
        stop
        start
        ;;
    upgrade)
        rh_status >/dev/null 2>&1 || exit 0
        upgrade
        ;;
    condrestart|try-restart)
        if rh_status >/dev/null 2>&1; then
            stop
            start
        fi
        ;;
    force-reload|reload)
        reload
        ;;
    configtest)
        configtest
        ;;
    check-reload)
        check_reload
        RETVAL=0
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|condrestart|try-restart|force-reload|upgrade|reload|status|help|configtest|check-reload}"
        RETVAL=2
esac

exit $RETVAL

配置完成后,请使用如下命令增加执行权限,

chmod +x /etc/init.d/nginx

2.2.5 增加配置文件

vim /etc/nginx/nginx.conf

加入如下配置,

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    client_max_body_size 500m;

    include /etc/nginx/conf.d/*.conf;
}

根据配置文件创建所需的文件夹,

mkdir /etc/nginx/conf.d

然后,创建正向代理配置,

vim /etc/nginx/conf.d/proxy.cmdschool.org_3128.conf

加入如下配置,

 server {
     listen                         3128;

     # dns resolver used by forward proxying
     resolver                       8.8.8.8;

     # forward proxy for CONNECT request
     proxy_connect;
     proxy_connect_allow            all;
     #proxy_connect_allow            443 563;
     proxy_connect_connect_timeout  10s;
     proxy_connect_read_timeout     10s;
     proxy_connect_send_timeout     10s;

     # forward proxy for non-CONNECT request
     location / {
         proxy_pass http://$host;
         proxy_set_header Host $host;
     }
 }

修改完毕后,启动服务并设置自启动,

/etc/init.d/nginx start
chkconfig on

2.3 配置nginx客户端

2.3.1 设置客户端的代理服务器

export http_proxy="http://user1:passwd1@10.168.0.80:3128"
export https_proxy="http://user1:passwd1@10.168.0.80:3128"

由于配置没有开启认证,请省略用户名和密码,

export http_proxy="http://10.168.0.80:3128"
export https_proxy="http://10.168.0.80:3128"

2.3.2 测试客户端的代理

curl http://www.cmdschool.org
curl https://www.cmdschool.org

注:请不要尝试去ping或者nslookup,因为代理的只是http协议。

参阅文档
===================

官方文档
———–
https://github.com/chobits/ngx_http_proxy_connect_module?spm=a2c4e.10696291.0.0.47bd19a42cXQQz

报错解决
————-
https://blog.csdn.net/fish43237/article/details/40515897
https://blog.csdn.net/u013091013/article/details/53640318?utm_medium=distribute.pc_relevant.none-task-blog-baidujs-4
https://www.cnblogs.com/guoxiaoqian/p/3984967.html

没有评论

发表评论

Nginx
如何设置Nginx HTTP-only Cookie?

1 基础知识 1.1 HTTP cookies 1.1.1 HTTP cookies的概念 &#82 …

Nginx
如何附加Nginx Cookie标签模块?

1 基础知识 “nginx_cookie_flag_module”为上游响应标头中的cookie设置 …