序言:
nginx,是个常见的高性能的HTTP和反向代理web服务器,在以往配置中一般认为无法转发https协议的访问,但是由于各种原因,我需要搭建一台代理服务器,在正常搭建之后发现连百度都访问不了,这能忍?
于是查询了一些资料,在github上发现了一个很有用有用有用的项目,可以实现代理https的转发,
链接如下:
[https://github.com/chobits/ngx_http_proxy_connect_module]
该项目部署操作也一并说明了,但是有一些基础设置略过了,导致实际配置不太连贯,这里重新整理补充一下并亲测可用,在这个过程中我会把一些必要且我知道原因操作解释一下,说得不对恳请给予指正
环境:
IP:172.16.1.3
centos7.8(其他版本应该也可以)
[nginx1.19](http://nginx.org/download/nginx-1.9.2.tar.gz)(我使用的是该版本,但实际上该项目1.13部分以及以后的版本,但需对应不同的patch包)
操作目录:/tmp/
操作步骤:
1、安装git命令工具,为了可以拉去github上的代码,然后开始拉代码
yum install -y git
git clone https://github.com/chobits/ngx_http_proxy_connect_module.git
2、安装patch工具和编译工具
yum install -y patch pcre pcre-devel gcc
3、下载nginx,进行patch,编译并安装
3.1下载nginx-1.19,解压并进入目录
wget http://nginx.org/download/nginx-1.19.9.tar.gz
tar -xzf nginx-1.19.9.tar.gz
cd nginx-1.19.9
3.2打上补丁包patch、编译、安装
patch -p1 < /tmp/ngx_http_proxy_connect_module/patch/proxy_connect.patch
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --add-module=/tmp/ngx_http_proxy_connect_module(这里的prefix是实际nginx应用的目录,可更改;)
make && make install
4、更改nginx.conf配置,这里是我的配置,其上搭了一个本地yum源,加上后面的代理监听端口,所以有两个server,如果不需要本地监听80的可以整段去掉。另外、resolver所指定的域名服务器,建议使用本地域的dns服务器,避免使用代理时内网域名无法解析
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name 127.0.0.1;
root /home/scc/;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root /home/scc/yum_source;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
#index index.html index.htm;
}
error_page 404 /404.html;
location =/40x.html{
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
server {
listen 3555;
# dns resolver used by forward proxying
resolver 8.8.8.8;
# for logs
#access_log /home/reistlin/logs/proxy.access.log;
#error_log /home/reistlin/logs/proxy.error.log;
# forward proxy for CONNECT request
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
# forward proxy for non-CONNECT request
location / {
proxy_pass http://$host;
proxy_set_header Host $host;
}
}
}
5、本地防火墙添加规则允许该端口的监听,防火墙没开可以跳过,此处建议开并且限制允许地址
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.1.0/24" port protocol="tcp" port="3555" accept'
firewall-cmd --reload
6、启动nginx(6.1为添加至系统服务操作,可不做)
6.1新建一个/usr/lib/systemd/system/nginx.service文件,并写入nginx系统服务操作配置,如下:
[Unit]
Description=Nginx server
After=network.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true
[Install]
WantedBy=multi-user.target
6.2启动nginx服务
systemctl start nginx
或/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
7检查监听情况
8通过浏览器测试
