Implementing an SSL Forward Proxy with the Nginx ngx_http_proxy_connect_module

May 4, 2023

The project needed an HTTPS forward proxy, but the official nginx modules only support plain HTTP forward proxying. The ngx_http_proxy_connect_module adds the CONNECT method, so nginx can act as a tunnelling proxy for SSL requests.
For background on how forward proxies work, see the article below.

Nginx Reverse Proxy and Forward Proxy


    Module address: http://www.github.com/chobits/ngx_http_proxy_connect_module

    Nginx versions supported by the module as of 2023-04-14:

    nginx version      enable REWRITE phase   patch
    1.4.x ~ 1.12.x     NO                     proxy_connect.patch
    1.4.x ~ 1.12.x     YES                    proxy_connect_rewrite.patch
    1.13.x ~ 1.14.x    NO                     proxy_connect_1014.patch
    1.13.x ~ 1.14.x    YES                    proxy_connect_rewrite_1014.patch
    1.15.2             YES                    proxy_connect_rewrite_1015.patch
    1.15.4 ~ 1.16.x    YES                    proxy_connect_rewrite_101504.patch
    1.17.x ~ 1.18.x    YES                    proxy_connect_rewrite_1018.patch
    1.19.x ~ 1.21.0    YES                    proxy_connect_rewrite_1018.patch
    1.21.1 ~ 1.22.x    YES                    proxy_connect_rewrite_102101.patch
    1.23.x ~ 1.24.0    YES                    proxy_connect_rewrite_102101.patch

    Download the module

    proxy_connect_rewrite_102101.patch is the patch file (it matches the nginx 1.22.1 build below)

    wget https://d.frps.cn/file/tools/nginx/model/ngx_http_proxy_connect_module.tar.gz
    [root@web-03 ~]# tar xf ngx_http_proxy_connect_module.tar.gz   # extract

    Install Nginx

    NGINX_VERSION="nginx-1.22.1"

    # fetch the dependencies, then nginx itself
    for i in openssl-1.1.1t pcre-8.45 zlib-1.2.13; do
        wget https://d.frps.cn/file/tools/nginx/${i}.tar.gz
    done
    wget https://d.frps.cn/file/tools/nginx/${NGINX_VERSION}.tar.gz

    # unpack the dependencies where ./configure will look for them
    for i in openssl-1.1.1t pcre-8.45 zlib-1.2.13; do
        tar zxvf ${i}.tar.gz -C /usr/local/src
    done

    # unprivileged user for the worker processes
    useradd nginx -s /sbin/nologin -M

    Install the patch command

    [root@web-03 nginx-1.22.1]# yum install -y patch

    Enter the Nginx source directory, apply the patch, and then adjust the build parameters

    [root@web-03 ~]# tar xf nginx-1.22.1.tar.gz 
    [root@web-03 nginx-1.22.1]# patch -p1 < /root/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_102101.patch 
    patching file src/http/ngx_http_core_module.c
    patching file src/http/ngx_http_parse.c
    patching file src/http/ngx_http_request.c
    patching file src/http/ngx_http_request.h
    patching file src/http/ngx_http_variables.c
    
    # the path after "patch -p1 <" must be an absolute path

    Build

    ./configure --prefix=/opt/nginx-1.22 --with-openssl=/usr/local/src/openssl-1.1.1t  --with-pcre=/usr/local/src/pcre-8.45  --with-zlib=/usr/local/src/zlib-1.2.13  --with-http_ssl_module --with-http_stub_status_module --with-stream --with-http_stub_status_module --with-http_gzip_static_module  --add-module=/root/ngx_http_proxy_connect_module
    
    # build and install
    make && make install

    # --add-module=/root/ngx_http_proxy_connect_module is the module directory (make sure it points at the right directory!)

    Check the installation

    [root@web-03 nginx-1.22.1]# /opt/nginx-1.22/sbin/nginx -V
    nginx version: nginx/1.22.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
    built with OpenSSL 1.1.1t  7 Feb 2023
    TLS SNI support enabled
    configure arguments: --prefix=/opt/nginx-1.22 --with-openssl=/usr/local/src/openssl-1.1.1t --with-pcre=/usr/local/src/pcre-8.45 --with-zlib=/usr/local/src/zlib-1.2.13 --with-http_ssl_module --with-http_stub_status_module --with-stream --with-http_stub_status_module --with-http_gzip_static_module --add-module=/root/ngx_http_proxy_connect_module

    Create the verification file

    Edit the Nginx configuration file

    server {
        resolver 114.114.114.114;
        resolver_timeout 30s;
        listen 80;
        proxy_connect;                          # enable the HTTP CONNECT method
        proxy_connect_allow            443 80;  # list of ports or port ranges the CONNECT method is allowed to connect to
        proxy_connect_connect_timeout  20s;     # timeout for establishing the connection between the client and the proxy server
        proxy_connect_read_timeout     20s;     # timeout for the client reading a response from the proxy server
        proxy_connect_send_timeout     20s;     # timeout for the client transmitting the request to the proxy server

        location / {
            proxy_pass $scheme://$http_host$request_uri;
        }
    }

    Set the local proxy environment variables

    [root@web-03 conf]# export http_proxy=http://127.0.0.1:80/
    [root@web-03 conf]# export https_proxy=https://127.0.0.1:80/
    

    Test the proxy

    [root@web-03 conf]# curl https://www.baidu.com -svo /dev/null
    * About to connect() to proxy 127.0.0.1 port 80 (#0)
    *   Trying 127.0.0.1...
    * Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
    * Establish HTTP proxy tunnel to www.baidu.com:443
    > CONNECT www.baidu.com:443 HTTP/1.1
    > Host: www.baidu.com:443
    > User-Agent: curl/7.29.0
    > Proxy-Connection: Keep-Alive
    > 
    < HTTP/1.1 200 Connection Established
    < Proxy-agent: nginx
    < 
    * Proxy replied OK to CONNECT request
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *       subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
    *       start date: Jul 05 05:16:02 2022 GMT
    *       expire date: Aug 06 05:16:01 2023 GMT
    *       common name: baidu.com
    *       issuer: CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BE
    > GET / HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: www.baidu.com
    > Accept: */*
    > 
    < HTTP/1.1 200 OK
    < Accept-Ranges: bytes
    < Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    < Connection: keep-alive
    < Content-Length: 2443
    < Content-Type: text/html
    < Date: Fri, 14 Apr 2023 05:54:45 GMT
    < Etag: "588603e2-98b"
    < Last-Modified: Mon, 23 Jan 2017 13:23:46 GMT
    < Pragma: no-cache
    < Server: bfe/1.0.8.18
    < Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
    < 
    { [data not shown]
    * Connection #0 to host 127.0.0.1 left intact

    From the details printed by -v above, the client first establishes an HTTP CONNECT tunnel to the proxy at 127.0.0.1; once the proxy replies HTTP/1.1 200 Connection Established, the TLS/SSL handshake and the application traffic run through that tunnel.
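The exchange above, reduced to a self-contained model in Python. This is an added example, not code from the original post or from ngx_http_proxy_connect_module. It runs both halves over a socketpair, so it needs no network: the client half builds and parses the CONNECT messages the way curl did above, and the proxy half is a mock that mirrors the `proxy_connect_allow 443 80;` setting from the config, answering 200 for a listed port and 403 for any other. The 403 is my assumption about how the module refuses a disallowed port; confirm it against your own build's responses. The host names and the port 25 request are constructed sample inputs.

```python
# Added example (not from the original post): a model of the HTTP CONNECT
# exchange shown in the curl -v output. The proxy side is a mock mirroring
# "proxy_connect_allow 443 80;"; it is NOT the nginx module's code, and the 403
# it returns for other ports is an assumption about the module's behaviour.
import socket
import threading

# Ports the mock proxy accepts CONNECT for (mirrors proxy_connect_allow 443 80)
ALLOWED_PORTS = frozenset({443, 80})


def build_connect_request(host, port):
    """Build the CONNECT request a client such as curl sends to the proxy."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: Keep-Alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_target(request):
    """Extract (host, port) from the CONNECT request line; raise on anything else."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ValueError(f"not a CONNECT request line: {request_line!r}")
    host, sep, port = parts[1].rpartition(":")  # rpartition keeps IPv6 literals intact
    if not sep or not host:
        raise ValueError(f"CONNECT target must be host:port, got {parts[1]!r}")
    return host, int(port)


def parse_connect_response(response):
    """Parse the proxy's status line and headers; return (status_code, headers)."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("ascii")
    status_line, *header_lines = head.split("\r\n")
    _version, code, _reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def _read_head(sock):
    """Read until the blank line that ends an HTTP head (bounded at 8 KiB)."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < 8192:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def mock_proxy_side(sock, allowed=ALLOWED_PORTS):
    """Mock of the proxy's CONNECT handling (constructed; not the module's code)."""
    try:
        host, port = parse_connect_target(_read_head(sock))
    except (ValueError, UnicodeDecodeError):
        sock.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        return
    if port not in allowed:
        # Assumed response for a port outside proxy_connect_allow.
        sock.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        return
    # A real proxy would now open a TCP connection to host:port and relay bytes
    # (the TLS handshake then runs end to end through the tunnel); the mock stops here.
    sock.sendall(b"HTTP/1.1 200 Connection Established\r\nProxy-agent: nginx\r\n\r\n")


def client_connect(sock, host, port):
    """Client half of the exchange: send CONNECT, return the proxy's status code."""
    sock.sendall(build_connect_request(host, port))
    code, _headers = parse_connect_response(_read_head(sock))
    return code


def run_exchange(host, port, allowed=ALLOWED_PORTS):
    """Run the client and the mock proxy over a socketpair (no network needed)."""
    client_sock, proxy_sock = socket.socketpair()
    worker = threading.Thread(target=mock_proxy_side, args=(proxy_sock, allowed))
    worker.start()
    try:
        return client_connect(client_sock, host, port)
    finally:
        worker.join()
        client_sock.close()
        proxy_sock.close()


if __name__ == "__main__":
    print("CONNECT www.baidu.com:443 ->", run_exchange("www.baidu.com", 443))  # 200
    print("CONNECT example.test:25   ->", run_exchange("example.test", 25))    # 403
```

The second case is the one worth repeating against a real deployment: a CONNECT to a port that is not listed in proxy_connect_allow must be refused. Note also that the config above listens on port 80 with no client restriction, so any host that can reach it can open tunnels through it; pair proxy_connect_allow with nginx's ordinary allow/deny access rules and keep the listener off public interfaces.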
