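1 Preface
Today I found that Nginx can also be used as a forward proxy (for proxying outbound web access). After some tinkering the result works reasonably well; my notes follow.
2 Best practice
2.1 Pre-installation preparation
2.1.1 Prepare the operating system environment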
OS = CentOS 6.8 x86_64
ip = 10.168.0.80
hostname = any.cmdschool.org
2.1.2 Prepare the build environment
yum install -y gcc gcc-c++ make expat-devel
Install the patch tool:
yum install -y patch
2.1.3 Download the Nginx source package
cd ~
wget http://nginx.org/download/nginx-1.16.1.tar.gz
2.1.4 Download the module source
cd ~
wget https://github.com/chobits/ngx_http_proxy_connect_module/archive/v0.0.1.tar.gz -O ngx_http_proxy_connect_module-0.0.1.tar.gz
2.1.5 Extract the nginx source package
cd ~
tar -xzvf nginx-1.16.1.tar.gz
2.1.6 Extract the module package
cd ~
tar -xf ngx_http_proxy_connect_module-0.0.1.tar.gz
2.1.7 Create the nginx user and group
groupadd -g 498 nginx
useradd -u 499 -g 498 -d /var/cache/nginx -s /sbin/nologin nginx
2.2 Build and install
2.2.1 Apply the module patch
cd ~/nginx-1.16.1
patch -p1 < ../ngx_http_proxy_connect_module-0.0.1/patch/proxy_connect_rewrite_101504.patch
Note: choose the patch that matches your nginx version:
nginx version | enable REWRITE phase | patch |
---|---|---|
1.4.x ~ 1.12.x | NO | proxy_connect.patch |
1.4.x ~ 1.12.x | YES | proxy_connect_rewrite.patch |
1.13.x ~ 1.14.x | NO | proxy_connect_1014.patch |
1.13.x ~ 1.14.x | YES | proxy_connect_rewrite_1014.patch |
1.15.2 | YES | proxy_connect_rewrite_1015.patch |
1.15.4 ~ 1.16.x | YES | proxy_connect_rewrite_101504.patch |
1.17.x | YES | proxy_connect_rewrite_101504.patch |
2.2.2 Configure the build
cd ~/nginx-1.16.1
./configure --prefix=/etc/nginx \
  --sbin-path=/usr/sbin/nginx \
  --modules-path=/usr/lib64/nginx/modules \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/run/nginx.lock \
  --http-client-body-temp-path=/var/cache/nginx/client_temp \
  --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
  --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
  --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
  --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
  --user=nginx \
  --group=nginx \
  --with-compat \
  --with-threads \
  --with-cpu-opt=generic \
  --with-http_addition_module \
  --with-http_auth_request_module \
  --with-http_dav_module \
  --with-http_flv_module \
  --with-http_gunzip_module \
  --with-http_gzip_static_module \
  --with-http_mp4_module \
  --with-http_random_index_module \
  --with-http_realip_module \
  --with-http_secure_link_module \
  --with-http_slice_module \
  --with-http_ssl_module \
  --with-http_stub_status_module \
  --with-http_sub_module \
  --with-http_v2_module \
  --with-mail \
  --with-mail_ssl_module \
  --with-stream \
  --with-stream_realip_module \
  --with-stream_ssl_module \
  --with-stream_ssl_preread_module \
  --with-openssl=/usr/local/openssl-1.0.2 \
  --add-module=../ngx_http_proxy_connect_module-0.0.1
If you hit the following error:
./configure: error: can not detect int size
edit the file that defines it:
vim auto/types/sizeof
and change the following parameter:
ngx_size=4
Compile the package:
make
If you hit the following error:
make -f objs/Makefile
make[1]: Entering directory `/root/nginx-1.16.1'
cd /usr/local/openssl-1.0.2 \
&& if [ -f Makefile ]; then make clean; fi \
&& ./config --prefix=/usr/local/openssl-1.0.2/.openssl no-shared no-threads \
&& make \
&& make install_sw LIBDIR=lib
/bin/sh: line 2: ./config: No such file or directory
make[1]: *** [/usr/local/openssl-1.0.2/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory `/root/nginx-1.16.1'
make: *** [build] Error 2
back up and edit the OpenSSL build definition:
cp auto/lib/openssl/conf auto/lib/openssl/conf.default
vim auto/lib/openssl/conf
Inside vim, run the following substitution to change the path definitions:
:%s/OPENSSL\/.openssl/OPENSSL/g
Note: run "make clean" to clear the cached build state before recompiling.
If you hit the following error:
cc1: warnings being treated as errors
src/http/ngx_http_core_module.c: In function ‘ngx_http_update_location_config’:
src/http/ngx_http_core_module.c:1235: error: ‘return’ with a value, in function returning void
make[1]: *** [objs/src/http/ngx_http_core_module.o] Error 1
make[1]: Leaving directory `/root/nginx-1.16.1'
make: *** [build] Error 2
edit the generated Makefile:
vim objs/Makefile
and change the following parameter (remove -Werror):
# CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g
CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -g
2.2.3 Install the package
make install
2.2.4 Configure the service control script
vim /etc/init.d/nginx
Add the following content:
#!/bin/sh
#
# nginx Startup script for nginx
#
# chkconfig: - 85 15
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx.pid
# description: nginx is an HTTP and reverse proxy server
#
### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop nginx
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

if [ -L $0 ]; then
    initscript=`/bin/readlink -f $0`
else
    initscript=$0
fi

sysconfig=`/bin/basename $initscript`

if [ -f /etc/sysconfig/$sysconfig ]; then
    . /etc/sysconfig/$sysconfig
fi

nginx=${NGINX:-/usr/sbin/nginx}
prog=`/bin/basename $nginx`
conffile=${CONFFILE:-/etc/nginx/nginx.conf}
lockfile=${LOCKFILE:-/var/lock/subsys/nginx}
pidfile=${PIDFILE:-/var/run/nginx.pid}
SLEEPSEC=${SLEEPSEC:-1}
UPGRADEWAITLOOPS=${UPGRADEWAITLOOPS:-5}
CHECKSLEEP=${CHECKSLEEP:-3}
RETVAL=0

start() {
    echo -n $"Starting $prog: "
    daemon --pidfile=${pidfile} ${nginx} -c ${conffile}
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc -p ${pidfile} ${prog}
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}

reload() {
    echo -n $"Reloading $prog: "
    killproc -p ${pidfile} ${prog} -HUP
    RETVAL=$?
    echo
}

upgrade() {
    oldbinpidfile=${pidfile}.oldbin

    configtest -q || return
    echo -n $"Starting new master $prog: "
    killproc -p ${pidfile} ${prog} -USR2
    echo

    for i in `/usr/bin/seq $UPGRADEWAITLOOPS`; do
        /bin/sleep $SLEEPSEC
        if [ -f ${oldbinpidfile} -a -f ${pidfile} ]; then
            echo -n $"Graceful shutdown of old $prog: "
            killproc -p ${oldbinpidfile} ${prog} -QUIT
            RETVAL=$?
            echo
            return
        fi
    done

    echo $"Upgrade failed!"
    RETVAL=1
}

configtest() {
    if [ "$#" -ne 0 ] ; then
        case "$1" in
            -q)
                FLAG=$1
                ;;
            *)
                ;;
        esac
        shift
    fi
    ${nginx} -t -c ${conffile} $FLAG
    RETVAL=$?
    return $RETVAL
}

rh_status() {
    status -p ${pidfile} -b ${nginx} ${nginx}
}

check_reload() {
    templog=`/bin/mktemp --tmpdir nginx-check-reload-XXXXXX.log`
    trap '/bin/rm -f $templog' 0
    /usr/bin/tail --pid=$$ -n 0 --follow=name /var/log/nginx/error.log > $templog &
    /bin/sleep 1
    /bin/echo -n $"Sending reload signal to $prog: "
    killproc -p ${pidfile} ${prog} -HUP
    /bin/echo
    /bin/sleep $CHECKSLEEP
    /bin/grep -E "\[emerg\]|\[alert\]" $templog
}

# See how we were called.
case "$1" in
    start)
        rh_status >/dev/null 2>&1 && exit 0
        start
        ;;
    stop)
        stop
        ;;
    status)
        rh_status
        RETVAL=$?
        ;;
    restart)
        configtest -q || exit $RETVAL
        stop
        start
        ;;
    upgrade)
        rh_status >/dev/null 2>&1 || exit 0
        upgrade
        ;;
    condrestart|try-restart)
        if rh_status >/dev/null 2>&1; then
            stop
            start
        fi
        ;;
    force-reload|reload)
        reload
        ;;
    configtest)
        configtest
        ;;
    check-reload)
        check_reload
        RETVAL=0
        ;;
    *)
        echo $"Usage: $prog {start|stop|restart|condrestart|try-restart|force-reload|upgrade|reload|status|help|configtest|check-reload}"
        RETVAL=2
esac

exit $RETVAL
After saving the script, make it executable:
chmod +x /etc/init.d/nginx
2.2.5 Add the configuration files
vim /etc/nginx/nginx.conf
Add the following configuration:
user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;
    client_max_body_size 500m;

    include /etc/nginx/conf.d/*.conf;
}
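Create the directory that the configuration file includes:
mkdir /etc/nginx/conf.d
Then create the forward proxy configuration:
vim /etc/nginx/conf.d/proxy.cmdschool.org_3128.conf
Add the following configuration: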
server {
    listen 3128;

    # dns resolver used by forward proxying
    resolver 8.8.8.8;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow all;
    #proxy_connect_allow 443 563;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;

    # forward proxy for non-CONNECT request
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
After saving the changes, start the service and enable it at boot:
/etc/init.d/nginx start
chkconfig nginx on
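With `proxy_connect_allow all` and no authentication, any client that can reach port 3128 can open a tunnel to any port, so the access log is where to check how the proxy is actually being used. The script below is an added example (not part of the original post) that audits lines in the `main` log format above, assuming CONNECT requests are logged in that format; the trusted subnet `10.168.0.0/24`, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions (not from the original page): the trusted client subnet.
# Ports 443 and 563 come from the page's commented-out proxy_connect_allow line.
TRUSTED_NET = ipaddress.ip_network("10.168.0.0/24")
ALLOWED_PORTS = {443, 563}

# Matches the page's `main` log_format up to the end of "$request".
LINE_RE = re.compile(
    r'^(?P<client>\S+) - \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

def audit_line(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    method, target = m["method"], m["target"]
    # Only forward-proxy traffic is of interest: CONNECT or absolute-URI requests.
    if method != "CONNECT" and not target.startswith("http://"):
        return []
    try:
        client = ipaddress.ip_address(m["client"])
    except ValueError:
        return ["unparseable client address"]
    findings = []
    if client not in TRUSTED_NET:
        findings.append(f"proxy use from untrusted client {client}")
    if method == "CONNECT":
        port = target.rpartition(":")[2]
        if not port.isdigit() or int(port) not in ALLOWED_PORTS:
            findings.append(f"CONNECT to non-allowed port: {target}")
    return findings

def audit(lines):
    """Map each flagged line number (1-based) to its findings."""
    results = ((n, audit_line(l)) for n, l in enumerate(lines, 1))
    return {n: f for n, f in results if f}

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '10.168.0.21 - - [01/Jan/2020:10:00:00 +0800] "CONNECT www.cmdschool.org:443 HTTP/1.1" 200 5120 "-" "curl/7.19.7" "-"',
    '10.168.0.21 - - [01/Jan/2020:10:00:05 +0800] "CONNECT 10.168.0.5:22 HTTP/1.1" 200 2048 "-" "-" "-"',
    '203.0.113.9 - - [01/Jan/2020:10:01:00 +0800] "CONNECT mail.example.com:25 HTTP/1.1" 200 900 "-" "-" "-"',
    '203.0.113.9 - - [01/Jan/2020:10:01:30 +0800] "GET http://example.com/ HTTP/1.1" 200 1270 "-" "-" "-"',
    '10.168.0.22 - - [01/Jan/2020:10:02:00 +0800] "GET http://www.cmdschool.org/ HTTP/1.1" 200 830 "-" "curl/7.19.7" "-"',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any finding on a production proxy is a reason to switch to the commented-out `proxy_connect_allow 443 563;` line and to restrict who can reach port 3128.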
2.3 Configure the client
2.3.1 Set the proxy server on the client
export http_proxy="http://user1:passwd1@10.168.0.80:3128"
export https_proxy="http://user1:passwd1@10.168.0.80:3128"
Because this configuration does not enable authentication, omit the user name and password:
export http_proxy="http://10.168.0.80:3128"
export https_proxy="http://10.168.0.80:3128"
2.3.2 Test the proxy from the client
curl http://www.cmdschool.org
curl https://www.cmdschool.org
Note: do not try to test with ping or nslookup, because only the HTTP protocol is proxied.
References
===================
Official documentation
-----------
https://github.com/chobits/ngx_http_proxy_connect_module?spm=a2c4e.10696291.0.0.47bd19a42cXQQz
Error fixes
-------------
https://blog.csdn.net/fish43237/article/details/40515897
https://blog.csdn.net/u013091013/article/details/53640318?utm_medium=distribute.pc_relevant.none-task-blog-baidujs-4
https://www.cnblogs.com/guoxiaoqian/p/3984967.html