nginx transparent proxy

Installing the proxy module

nginx has no official module for forward proxying (the HTTP CONNECT method); it can only be added by building in a third-party module.

  • Install dependencies
# gcc and make are needed to compile; zlib-devel is needed by the gzip module that nginx builds by default
yum -y install gcc make pcre-devel zlib-devel openssl openssl-devel
  • Download the source tarballs
https://nginx.org/download/nginx-1.22.1.tar.gz
https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v0.0.3.tar.gz
  • Install patch
yum install -y patch
  • Build and install
# Extract nginx and ngx_http_proxy_connect_module under /opt (the GitHub tarball unpacks with a version suffix; rename that directory to the name shown below)
[root@VM-0-17-centos opt]# ls
ngx_http_proxy_connect_module nginx-1.22.1
# Patch the nginx source so that ngx_http_proxy_connect_module can be built in (this patch file is the one for nginx 1.21.1 and later)
cd nginx-1.22.1/
patch -p1 < /opt/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_102101.patch
./configure --prefix=/opt/nginx --add-module=/opt/ngx_http_proxy_connect_module --with-stream --with-stream_ssl_preread_module --with-stream_ssl_module
make && make install
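The build steps above, collected into one script as an added example (this is not code from the original page or from the module's project). It adds two checks a practitioner wants: the patch is dry-run first, so a patch file that does not match the nginx version stops the build rather than producing a binary without CONNECT support, and `verify_build` reads `nginx -V` output and confirms the module and the stream modules are really compiled in. The version numbers, paths and environment variable names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build nginx with ngx_http_proxy_connect_module
# as the steps above describe, then prove the installed binary actually carries the module
# and the stream modules. Versions, paths and the environment variable names are assumptions.
set -eu

NGINX_VER="${NGINX_VER:-1.22.1}"
MODULE_VER="${MODULE_VER:-0.0.3}"
SRC_DIR="${SRC_DIR:-/opt}"
PREFIX="${PREFIX:-/opt/nginx}"
# Patch for nginx 1.21.1 and later; an older nginx needs a different file from the patch/ directory.
PATCH_FILE="${PATCH_FILE:-proxy_connect_rewrite_102101.patch}"

fetch_sources() {
    cd "$SRC_DIR"
    curl -fsSLO "https://nginx.org/download/nginx-${NGINX_VER}.tar.gz"
    curl -fsSL -o "ngx_http_proxy_connect_module-${MODULE_VER}.tar.gz" \
        "https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v${MODULE_VER}.tar.gz"
    tar xzf "nginx-${NGINX_VER}.tar.gz"
    tar xzf "ngx_http_proxy_connect_module-${MODULE_VER}.tar.gz"
    # The GitHub tarball unpacks with a version suffix; use the directory name the page uses.
    rm -rf ngx_http_proxy_connect_module
    mv "ngx_http_proxy_connect_module-${MODULE_VER}" ngx_http_proxy_connect_module
}

build_nginx() {
    cd "$SRC_DIR/nginx-${NGINX_VER}"
    patch_path="$SRC_DIR/ngx_http_proxy_connect_module/patch/$PATCH_FILE"
    # A patch that does not apply cleanly means the wrong patch file was picked for this
    # nginx version; stop here instead of building a binary without CONNECT support.
    patch -p1 --dry-run < "$patch_path"
    patch -p1 < "$patch_path"
    ./configure --prefix="$PREFIX" \
        --add-module="$SRC_DIR/ngx_http_proxy_connect_module" \
        --with-stream --with-stream_ssl_preread_module --with-stream_ssl_module
    make
    make install
}

# verify_build: read the output of `nginx -V 2>&1` on stdin and return 0 only if every
# build option this setup depends on is present. Run it after every rebuild or package
# upgrade: a distribution nginx binary installed over this one lacks the module and
# rejects the proxy_connect directives as unknown.
verify_build() {
    v=$(cat)
    for want in '--add-module=[^ ]*ngx_http_proxy_connect_module' \
                '--with-stream( |$)' \
                '--with-stream_ssl_preread_module( |$)'; do
        printf '%s\n' "$v" | grep -qE -- "$want" || { echo "missing build option: $want" >&2; return 1; }
    done
    # SNI is what the stream server uses to pick the destination (ssl_preread).
    printf '%s\n' "$v" | grep -q 'TLS SNI support enabled' || { echo "no TLS SNI support" >&2; return 1; }
    return 0
}

# Invoke as: sh build-nginx-connect.sh build
if [ "${1:-}" = "build" ]; then
    fetch_sources
    build_nginx
    "$PREFIX/sbin/nginx" -V 2>&1 | verify_build
fi
```

After installation, `/opt/nginx/sbin/nginx -V 2>&1 | sh build-nginx-connect.sh` is not needed; simply pipe `nginx -V 2>&1` into `verify_build` from a shell that has sourced the script, and a non-zero exit tells you the binary is not the one you built.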

Transparent proxy configuration

Edit the configuration file: /opt/nginx/conf/nginx.conf

# http
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    # http
    server {
        listen       80;
        resolver     114.114.114.114;
        proxy_connect;
        proxy_connect_allow            443;
        proxy_connect_connect_timeout  10s;
        proxy_connect_read_timeout     10s;
        proxy_connect_send_timeout     10s;
        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }
}

# https
stream {
    resolver 114.114.114.114;
    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $ssl_preread_server_name:$server_port;
    }
}

Two points to keep in mind with this configuration. First, a proxy_pass target that contains a variable is resolved at request time through the resolver directive (nginx does not consult /etc/hosts for this), so the nginx machine must be able to reach 114.114.114.114, and that server must return the real origin address. Second, both proxy_pass lines forward to whatever name the client supplies (the Host header on port 80, the TLS SNI on port 443), so any host that can reach these two ports gets an open relay to the Internet: restrict who can reach them with firewall rules, and restrict where they may connect with the domain whitelist at the end of this page.

Client configuration

Edit the hosts file so that the domains you need to reach resolve to the machine running nginx (NG):

172.18.0.17 cip.cc

Test

curl -k  https://cip.cc

Because the stream server passes the TLS handshake through to the origin based on SNI, the client receives the origin's own certificate, so -k (skip certificate verification) should not be needed; if the request only succeeds with -k, TLS is being terminated somewhere on the path instead of being passed through. For a one-off test, curl's --resolve option gives the same redirection as the hosts entry without editing the hosts file.

Forwarding chain

Scenario: the outer NG cannot expose ports 80/443 and can only provide ordinary ports, and internal requests must pass through several layers of NG forwarding.

Request path: internal host ==>> internal NG1 (80, 443) ==>> internal NG2 (8080, 8081) ==>> outer NG (8080, 8081)

  • Internal NG1 configuration
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        resolver     114.114.114.114;
        proxy_connect;
        proxy_connect_allow            443;
        proxy_connect_connect_timeout  10s;
        proxy_connect_read_timeout     10s;
        proxy_connect_send_timeout     10s;
        location / {
            proxy_pass http://172.18.1.10:8080;
            proxy_set_header Host $host;
        }
    }
}

stream {
    resolver 114.114.114.114;
    server {
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass 172.18.1.10:8081;
    }
}

  • Internal NG2 configuration
# http: this server block goes inside the http { } block
server {
    listen       8080;
    location / {
        proxy_pass http://172.18.0.17:8080;
        proxy_set_header Host $host;
    }
}

stream {
    resolver 114.114.114.114;
    server {
        listen 8081;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass 172.18.0.17:8081;
    }
}

  • Outer NG configuration
# http: this server block goes inside the http { } block; it forwards plain HTTP to whatever
# the client put in the Host header, and also accepts CONNECT to ports 443 and 80
server {
    listen                           8080;
    server_name                      localhost;
    resolver                         114.114.114.114;
    proxy_connect;
    proxy_connect_allow              443 80;
    proxy_connect_connect_timeout    10s;
    proxy_connect_read_timeout       10s;
    proxy_connect_send_timeout       10s;
    location / {
        proxy_pass $scheme://$http_host$request_uri;
    }
}

stream {
    resolver 114.114.114.114;
    server {
        listen 8081;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $ssl_preread_server_name:443;
    }
}

Domain whitelist

Scenario: restrict the domains the transparent proxy will forward to, so that only the listed domains can reach the Internet.

Edit the stream block of the egress (outer) NG configuration:

stream {
    resolver 114.114.114.114;

    map $ssl_preread_server_name $backend_pool {
        qyapi.weixin.qq.com qyapi.weixin.qq.com:443;
        nlp.tencentcloudapi.com  nlp.tencentcloudapi.com:443;
        open.work.weixin.qq.com open.work.weixin.qq.com:443;
    }

    server {
        listen 8081;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $backend_pool;
    }
}

A name that is not listed leaves $backend_pool empty, so proxy_pass has no valid upstream, nginx logs an error and closes the connection: that is the intended deny-by-default behaviour, so do not add a default line that echoes $ssl_preread_server_name, which would reopen the relay. This map only covers TLS traffic on port 8081; the http server on port 8080 still forwards to any Host header and needs the same restriction, keyed on $host.
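As an added example that is not part of the original page, the following shell script renders the whitelist for both contexts from one allowlist file: the stream map keyed on $ssl_preread_server_name shown above, and the matching http map keyed on $host for the plain-HTTP server on port 8080 in the forwarding chain, so the two lists cannot drift apart. It also refuses entries that are not plain hostnames, since a port, path or empty label in the allowlist would change where proxy_pass connects. The file names and the variable names $egress_http_backend and $egress_tls_backend are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: render the egress allowlist for both the plain-HTTP
# server (keyed on the Host header) and the TLS stream server (keyed on SNI) from one file, so the
# two lists cannot drift apart. File and variable names ($egress_http_backend, $egress_tls_backend)
# are assumptions.
set -eu

# normalize_allowlist: stdin is the raw allowlist (one domain per line, '#' comments and blank
# lines allowed); stdout is the sorted, de-duplicated list.
normalize_allowlist() {
    tr -d '\r' | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | sort -u
}

# render_map http|stream: read the raw allowlist on stdin and print the nginx map block for
# that context. Unlisted names map to "", so the proxy denies by default.
render_map() {
    ctx=${1:-}
    domains=$(normalize_allowlist)
    # Only plain hostnames may become a proxy_pass target: an entry carrying a port, path,
    # wildcard or empty label would change where the proxy connects, so refuse the whole file.
    for d in $domains; do
        case "$d" in
            *[!A-Za-z0-9.-]*|.*|*.|*..*)
                echo "render_map: refusing non-hostname entry '$d'" >&2
                return 1 ;;
        esac
    done
    case "$ctx" in
        http)
            # $host is the Host header lower-cased and without the port, so "cip.cc:8080" still matches
            printf 'map $host $egress_http_backend {\n    default "";\n'
            for d in $domains; do printf '    %s %s;\n' "$d" "$d"; done ;;
        stream)
            printf 'map $ssl_preread_server_name $egress_tls_backend {\n    default "";\n'
            for d in $domains; do printf '    %s %s:443;\n' "$d" "$d"; done ;;
        *)
            echo "usage: render_map http|stream < allowlist" >&2
            return 1 ;;
    esac
    printf '}\n'
}

# Invoke as: sh render-egress-maps.sh http < egress-allowlist.txt > egress-http.map
if [ $# -ge 1 ]; then
    render_map "$1"
fi
```

Render one file per context (`render_map http < egress-allowlist.txt > egress-http.map`, `render_map stream < egress-allowlist.txt > egress-stream.map`) and include each in the matching http or stream block, since a map on $host is only valid in http and a map on $ssl_preread_server_name only in stream. In the http server use `if ($egress_http_backend = "") { return 403; }` followed by `proxy_pass http://$egress_http_backend;`, and in the stream server `proxy_pass $egress_tls_backend;`. An unlisted name then gets a 403 on the HTTP path and a closed connection on the TLS path, and adding a domain means editing one file and reloading, not two maps.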
最后編輯于
?著作權歸作者所有,轉載或內容合作請聯(lián)系作者
【社區(qū)內容提示】社區(qū)部分內容疑似由AI輔助生成,瀏覽時請結合常識與多方信息審慎甄別。
平臺聲明:文章內容(如有圖片或視頻亦包括在內)由作者上傳并發(fā)布,文章內容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務。

相關閱讀更多精彩內容

  • 目錄 1 Nginx概述 2 使用 3 反向代理 4 負載均衡 5 重寫 6 Nginx的其他用法 ...
    小小千千閱讀 664評論 0 0
  • Nginx是一款輕量級的Web服務器/反向代理服務器,具有高性能、高并發(fā)和低內存占用的特點。很多網(wǎng)站都會用ngin...
    dd_123閱讀 815評論 0 1
  • nginx做負載均衡器以及proxy緩存配置 關于nginx的安裝和基本配置請參考nginx,本文在原基礎上完成以...
    meng_philip123閱讀 1,790評論 1 16
  • Redis安裝與簡介 參考:http://www.itdecent.cn/p/c4bba1df95c5[http...
    熊少文閱讀 334評論 0 0
  • 當讓內網(wǎng)用戶通過一個有外網(wǎng)地址的網(wǎng)關訪問互聯(lián)網(wǎng)時,內網(wǎng)主機的網(wǎng)關都指向其中有外網(wǎng)的主機的內網(wǎng)地址,一般在網(wǎng)關處添加...
    SRE1閱讀 1,839評論 1 3

友情鏈接更多精彩內容