Forward Proxy
1 前言
今天发现Nginx也能当正向代理使用(代理上网),一番折腾结果还行,笔记如下。
2 最佳实践
2.1 安装前准备
2.1.1 准备操作系统环境
OS = CentOS 6.8 x86_64
ip = 10.168.0.80
hostname = any.cmdschool.org
2.1.2 准备编译环境
yum install -y gcc gcc-c++ make expat-devel
安装patch工具
yum install -y patch
2.1.3 准备Nginx软件包
cd ~ wget http://nginx.org/download/nginx-1.16.1.tar.gz
2.1.4 准备软件模块
cd ~ wget https://github.com/chobits/ngx_http_proxy_connect_module/archive/v0.0.1.tar.gz -O ngx_http_proxy_connect_module-0.0.1.tar.gz
2.1.5 解压nginx软件包
cd ~ tar -xzvf nginx-1.16.1.tar.gz
2.1.6 解压模块软件包
cd ~ tar -xf ngx_http_proxy_connect_module-0.0.1.tar.gz
2.1.7 解压模块软件包
groupadd -g 498 nginx useradd -u 499 -g 498 -d /var/cache/nginx -s /sbin/nologin nginx
2.2 编译安装
2.2.1 附加模块软件包
cd ~/nginx-1.16.1 patch -p1 < ../ngx_http_proxy_connect_module-0.0.1/patch/proxy_connect_rewrite_101504.patch
注:以上需要根据nginx的合适版本选择不同的补丁,
| nginx version | enable REWRITE phase | patch |
|---|---|---|
| 1.4.x ~ 1.12.x | NO | proxy_connect.patch |
| 1.4.x ~ 1.12.x | YES | proxy_connect_rewrite.patch |
| 1.13.x ~ 1.14.x | NO | proxy_connect_1014.patch |
| 1.13.x ~ 1.14.x | YES | proxy_connect_rewrite_1014.patch |
| 1.15.2 | YES | proxy_connect_rewrite_1015.patch |
| 1.15.4 ~ 1.16.x | YES | proxy_connect_rewrite_101504.patch |
| 1.17.x | YES | proxy_connect_rewrite_101504.patch |
2.2.2 预编译安装包
cd ~/nginx-1.16.1
./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib64/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--user=nginx \
--group=nginx \
--with-compat \
--with-threads \
--with-cpu-opt=generic \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_v2_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-openssl=/usr/local/openssl-1.0.2 \
--add-module=../ngx_http_proxy_connect_module-0.0.1
如果遇到如下错误,
./configure: error: can not detect int size
请使用如下命令修改文件定义,
vim auto/types/sizeof
修改如下参数
ngx_size=4
编译软件包
make
如果遇到如下错误,
make -f objs/Makefile
make[1]: Entering directory `/root/nginx-1.16.1'
cd /usr/local/openssl-1.0.2 \
&& if [ -f Makefile ]; then make clean; fi \
&& ./config --prefix=/usr/local/openssl-1.0.2/.openssl no-shared no-threads \
&& make \
&& make install_sw LIBDIR=lib
/bin/sh: line 2: ./config: No such file or directory
make[1]: *** [/usr/local/openssl-1.0.2/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory `/root/nginx-1.16.1'
make: *** [build] Error 2
请使用如下命令修改文件定义,
cp auto/lib/openssl/conf auto/lib/openssl/conf.default vim auto/lib/openssl/conf
使用如下命令修改参数的定义,
:%s/OPENSSL\/.openssl/OPENSSL/g
注:需要使用“make clean”情况缓存后重新编译
如果遇到如下错误,
cc1: warnings being treated as errors src/http/ngx_http_core_module.c: In function ‘ngx_http_update_location_config’: src/http/ngx_http_core_module.c:1235: error: ‘return’ with a value, in function returning void make[1]: *** [objs/src/http/ngx_http_core_module.o] Error 1 make[1]: Leaving directory `/root/nginx-1.16.1' make: *** [build] Error 2
请使用如下命令修改文件定义,
vim objs/Makefile
修改如下参数
# CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g CFLAGS = -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -g
2.2.3 安装软件包
make install
2.2.4 配置服务控制脚本
vim /etc/init.d/nginx
加入如下配置,
#!/bin/sh
#
# nginx Startup script for nginx
#
# chkconfig: - 85 15
# processname: nginx
# config: /etc/nginx/nginx.conf
# config: /etc/sysconfig/nginx
# pidfile: /var/run/nginx.pid
# description: nginx is an HTTP and reverse proxy server
#
### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop nginx
### END INIT INFO
# Source function library.
. /etc/rc.d/init.d/functions
if [ -L $0 ]; then
initscript=`/bin/readlink -f $0`
else
initscript=$0
fi
sysconfig=`/bin/basename $initscript`
if [ -f /etc/sysconfig/$sysconfig ]; then
. /etc/sysconfig/$sysconfig
fi
nginx=${NGINX:-/usr/sbin/nginx}
prog=`/bin/basename $nginx`
conffile=${CONFFILE:-/etc/nginx/nginx.conf}
lockfile=${LOCKFILE:-/var/lock/subsys/nginx}
pidfile=${PIDFILE:-/var/run/nginx.pid}
SLEEPSEC=${SLEEPSEC:-1}
UPGRADEWAITLOOPS=${UPGRADEWAITLOOPS:-5}
CHECKSLEEP=${CHECKSLEEP:-3}
RETVAL=0
start() {
echo -n $"Starting $prog: "
daemon --pidfile=${pidfile} ${nginx} -c ${conffile}
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch ${lockfile}
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
killproc -p ${pidfile} ${prog}
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
reload() {
echo -n $"Reloading $prog: "
killproc -p ${pidfile} ${prog} -HUP
RETVAL=$?
echo
}
upgrade() {
oldbinpidfile=${pidfile}.oldbin
configtest -q || return
echo -n $"Starting new master $prog: "
killproc -p ${pidfile} ${prog} -USR2
echo
for i in `/usr/bin/seq $UPGRADEWAITLOOPS`; do
/bin/sleep $SLEEPSEC
if [ -f ${oldbinpidfile} -a -f ${pidfile} ]; then
echo -n $"Graceful shutdown of old $prog: "
killproc -p ${oldbinpidfile} ${prog} -QUIT
RETVAL=$?
echo
return
fi
done
echo $"Upgrade failed!"
RETVAL=1
}
configtest() {
if [ "$#" -ne 0 ] ; then
case "$1" in
-q)
FLAG=$1
;;
*)
;;
esac
shift
fi
${nginx} -t -c ${conffile} $FLAG
RETVAL=$?
return $RETVAL
}
rh_status() {
status -p ${pidfile} -b ${nginx} ${nginx}
}
check_reload() {
templog=`/bin/mktemp --tmpdir nginx-check-reload-XXXXXX.log`
trap '/bin/rm -f $templog' 0
/usr/bin/tail --pid=$$ -n 0 --follow=name /var/log/nginx/error.log > $templog &
/bin/sleep 1
/bin/echo -n $"Sending reload signal to $prog: "
killproc -p ${pidfile} ${prog} -HUP
/bin/echo
/bin/sleep $CHECKSLEEP
/bin/grep -E "\[emerg\]|\[alert\]" $templog
}
# See how we were called.
case "$1" in
start)
rh_status >/dev/null 2>&1 && exit 0
start
;;
stop)
stop
;;
status)
rh_status
RETVAL=$?
;;
restart)
configtest -q || exit $RETVAL
stop
start
;;
upgrade)
rh_status >/dev/null 2>&1 || exit 0
upgrade
;;
condrestart|try-restart)
if rh_status >/dev/null 2>&1; then
stop
start
fi
;;
force-reload|reload)
reload
;;
configtest)
configtest
;;
check-reload)
check_reload
RETVAL=0
;;
*)
echo $"Usage: $prog {start|stop|restart|condrestart|try-restart|force-reload|upgrade|reload|status|help|configtest|check-reload}"
RETVAL=2
esac
exit $RETVAL
配置完成后,请使用如下命令增加执行权限,
chmod +x /etc/init.d/nginx
2.2.5 增加配置文件
vim /etc/nginx/nginx.conf
加入如下配置,
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
client_max_body_size 500m;
include /etc/nginx/conf.d/*.conf;
}
根据配置文件创建所需的文件夹,
mkdir /etc/nginx/conf.d
然后,创建正向代理配置,
vim /etc/nginx/conf.d/proxy.cmdschool.org_3128.conf
加入如下配置,
server {
listen 3128;
# dns resolver used by forward proxying
resolver 8.8.8.8;
# forward proxy for CONNECT request
proxy_connect;
proxy_connect_allow all;
#proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
# forward proxy for non-CONNECT request
location / {
proxy_pass http://$host;
proxy_set_header Host $host;
}
}
修改完毕后,启动服务并设置自启动,
/etc/init.d/nginx start chkconfig on
2.3 配置nginx客户端
2.3.1 设置客户端的代理服务器
export http_proxy="http://user1:passwd1@10.168.0.80:3128" export https_proxy="http://user1:passwd1@10.168.0.80:3128"
由于配置没有开启认证,请省略用户名和密码,
export http_proxy="http://10.168.0.80:3128" export https_proxy="http://10.168.0.80:3128"
2.3.2 测试客户端的代理
curl http://www.cmdschool.org curl https://www.cmdschool.org
注:请不要尝试去ping或者nslookup,因为代理的只是http协议。
参阅文档
===================
官方文档
———–
https://github.com/chobits/ngx_http_proxy_connect_module?spm=a2c4e.10696291.0.0.47bd19a42cXQQz
报错解决
————-
https://blog.csdn.net/fish43237/article/details/40515897
https://blog.csdn.net/u013091013/article/details/53640318?utm_medium=distribute.pc_relevant.none-task-blog-baidujs-4
https://www.cnblogs.com/guoxiaoqian/p/3984967.html
没有评论