I use a forward HTTP/HTTPS proxy for some special access needs. Because a proxy exposed directly on the network is insecure, it needs password authentication. I tried many approaches; this one finally worked, so I am recording it here.
Building nginx
Add the HTTPS support module (ngx_http_proxy_connect_module, which handles CONNECT requests). Since the authentication uses a Lua script, the OpenResty-related libraries also need to be integrated.
1. Install OpenResty
Official installation instructions (Debian)
My system is Debian, so I followed these directly. For other systems, refer to the official documentation.
sudo apt-get -y install --no-install-recommends wget gnupg ca-certificates
# note: apt-key is deprecated on Debian 11 and later, but this is the form the OpenResty instructions used
wget -O - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
# run only ONE of the two blocks below, depending on the CPU architecture
# x86_64 (amd64) systems:
codename=`grep -Po 'VERSION="[0-9]+ \(\K[^)]+' /etc/os-release`
echo "deb http://openresty.org/package/debian $codename openresty" \
    | sudo tee /etc/apt/sources.list.d/openresty.list
# arm64 systems (the package path differs):
codename=`grep -Po 'VERSION="[0-9]+ \(\K[^)]+' /etc/os-release`
echo "deb http://openresty.org/package/arm64/debian $codename openresty" \
    | sudo tee /etc/apt/sources.list.d/openresty.list
sudo apt-get update
sudo apt-get -y install openresty
2. Install LuaJIT
Install it and configure the related environment
# after downloading and extracting the tarball (openresty/luajit2 v2.1-20220411)
cd luajit2-2.1-20220411
# install under /usr/local so the library and header paths match LUAJIT_LIB / LUAJIT_INC below
make install PREFIX=/usr/local
# refresh the dynamic linker cache so nginx can find libluajit-5.1.so at runtime
sudo ldconfig
# configure environment variables: add the following two export lines to ~/.profile
# (the nginx ./configure step reads them to locate LuaJIT)
vim ~/.profile
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.1
source ~/.profile
3. Compile nginx and add the related modules
The following modules need to be installed (skip any that are already present). The nginx version is 1.20.2:
ngx_http_proxy_connect_module (0.0.2): github-proxy-connect
lua-nginx-module (0.10.20): github-lua-nginx-module
ngx_devel_kit (0.3.1): github-ngx_devel_kit
# ngx_http_proxy_connect_module needs a patch applied to the nginx source tree before ./configure;
# its README lists which patch file applies to each nginx version (for 1.20.x it names
# patch/proxy_connect_rewrite_1018.patch). Run inside the nginx-1.20.2 source directory:
patch -p1 < /opt/ngx_http_proxy_connect_module-0.0.2/patch/proxy_connect_rewrite_1018.patch
# compile nginx (ngx_devel_kit is listed before lua-nginx-module, the order the lua-nginx-module README uses)
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio \
    --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module \
    --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module \
    --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module \
    --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module \
    --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module \
    --with-stream_ssl_module --with-stream_ssl_preread_module \
    --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' \
    --add-module=/opt/ngx-fancyindex-0.5.2 \
    --add-module=/opt/ngx_http_proxy_connect_module-0.0.2 \
    --add-module=/opt/ngx_devel_kit-0.3.1 \
    --add-module=/opt/lua-nginx-module-0.10.20
# build only; do not install straight away
make
# try the binary from the build output directory (objs/nginx) first; otherwise nginx may fail to start for various reasons
4. Configure the nginx forward proxy and the password
Mainly modify the following in nginx.conf
http {
    # make OpenResty's Lua libraries available to lua-nginx-module
    lua_package_path "/usr/local/openresty/lualib/?.lua;";

    server {
        # plain listener: the Basic credentials travel unencrypted between client and proxy,
        # so limit who can reach this port (firewall) or put TLS in front of it
        listen 16888;
        resolver 180.76.76.76;

        # CONNECT tunnelling for https:// targets (ngx_http_proxy_connect_module)
        proxy_connect;
        proxy_connect_allow 443 80;
        proxy_connect_connect_timeout 10s;
        proxy_connect_read_timeout 10s;
        proxy_connect_send_timeout 10s;

        # rewrite_by_lua_file runs in the rewrite phase, before auth_basic's access phase,
        # so proxy_auth.lua has already copied Proxy-Authorization into Authorization
        # relative paths are resolved under --prefix (/etc/nginx)
        auth_basic "Authorized";
        auth_basic_user_file passwd;
        rewrite_by_lua_file proxy_auth.lua;

        # plain http:// requests are proxied here
        location / {
            proxy_ssl_server_name on;
            proxy_pass http://$host;
            proxy_set_header Host $host;
            # an empty value stops a request header from being passed to the origin, so the
            # proxy credentials never leave this host (proxy_hide_header would only filter
            # headers in the origin's response, not in the forwarded request)
            proxy_set_header Authorization "";
            proxy_set_header Proxy-Authorization "";
        }
    }
}
Generating passwd
htpasswd -c -d /etc/nginx/passwd username
# enter the password when prompted and the passwd file is generated
# -d selects the old crypt() hash, which silently truncates passwords to 8 characters;
# -B (bcrypt) is stronger and nginx accepts it where libc's crypt() supports bcrypt (Debian 11 and later)
proxy_auth.lua
# created under the nginx prefix (/etc/nginx), which is where rewrite_by_lua_file resolves the relative path
touch proxy_auth.lua
vim proxy_auth.lua
# insert the following content
-- check Proxy-Authorization; see https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407
-- ngx.var.http_proxy_authorization is nginx's $http_proxy_authorization variable
if not ngx.var.http_proxy_authorization then
    -- no proxy credentials: send the 407 challenge a proxy client expects
    ngx.header["Proxy-Authenticate"] = "Basic realm=\"Access to internal site\""
    ngx.exit(407)
end
-- transfer the Proxy-Authorization header to Authorization for the auth_basic module
ngx.req.set_header("Authorization", ngx.var.http_proxy_authorization)
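The pieces above (the proxy_auth.lua rewrite step, auth_basic checking the passwd file, and proxy_pass dropping the credential headers) are easier to reason about when replayed as one pipeline. The following Python model is an added example, not code from this post or from nginx/OpenResty: it runs constructed requests through the three phases so the three possible outcomes (407 challenge, 401 on bad credentials, 200 with the credentials removed before anything reaches the origin) can be checked offline. The passwd line is a constructed entry in the `{SHA}` form that `htpasswd -s` writes, chosen only because it can be verified with the standard library (it is an unsalted SHA-1 and not a recommended scheme); the realm strings are the ones used in the config above.

```python
"""Model of the request pipeline built in the nginx config above:
rewrite phase (proxy_auth.lua) -> access phase (auth_basic) -> proxy_pass.
Added illustration only; the passwd line and requests are constructed sample data."""
import base64
import hashlib
import hmac

# Constructed sample passwd file line, as `htpasswd -s` would write it:
# {SHA} is base64(sha1(password)), one of the schemes nginx auth_basic accepts.
SAMPLE_PASSWD = "username:{SHA}" + base64.b64encode(hashlib.sha1(b"password").digest()).decode()
PROXY_REALM = "Access to internal site"  # realm sent by proxy_auth.lua
AUTH_BASIC_REALM = "Authorized"          # realm from the auth_basic directive


def load_passwd(text):
    """Parse htpasswd lines 'user:hash' into a dict; blank and comment lines are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        users[user] = digest
    return users


def check_sha_password(stored, password):
    """Verify a '{SHA}...' entry (the only scheme this model implements)."""
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} entries are modelled here")
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[5:], expected)


def basic_header(user, password):
    """The value `curl -U user:password` sends in the Proxy-Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(value):
    """Decode 'Basic <base64>' into (user, password); None if the header is malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return user, password


def handle_request(headers, users):
    """Run one request through the modelled phases.

    headers: dict of request headers (names matched case-insensitively).
    Returns (status, response_headers, headers_forwarded_to_origin)."""
    req = {k.lower(): v for k, v in headers.items()}

    # rewrite phase: proxy_auth.lua
    proxy_auth = req.get("proxy-authorization")
    if not proxy_auth:
        return 407, {"Proxy-Authenticate": f'Basic realm="{PROXY_REALM}"'}, None
    req["authorization"] = proxy_auth  # ngx.req.set_header("Authorization", ...)

    # access phase: auth_basic / auth_basic_user_file
    creds = parse_basic(req["authorization"])
    if creds is None or creds[0] not in users or not check_sha_password(users[creds[0]], creds[1]):
        # auth_basic answers 401 + WWW-Authenticate, not 407: this is what a wrong proxy password looks like
        return 401, {"WWW-Authenticate": f'Basic realm="{AUTH_BASIC_REALM}"'}, None

    # content phase: proxy_pass with `proxy_set_header X ""` dropping both credential headers
    forwarded = {k: v for k, v in req.items() if k not in ("authorization", "proxy-authorization")}
    return 200, {}, forwarded
```

The 401 branch is worth keeping in mind when debugging: a missing Proxy-Authorization header gets the 407 challenge from the Lua script, but a wrong password is rejected by auth_basic with 401 and a WWW-Authenticate header, because auth_basic knows nothing about proxy semantics.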
5. Verify after starting
Without -U the proxy should answer 407 with a Proxy-Authenticate header; with the credentials the request should go through:
# -x selects the proxy, -U supplies the proxy credentials (sent as Proxy-Authorization)
curl -x 127.0.0.1:16888 https://www.baidu.com -U username:password
PS: the related modules have been packaged; if downloading them is inconvenient, they can be fetched directly from the csdn download link.