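Principle: an ordinary nginx proxy for HTTPS requests needs SSL certificate information configured and works at layer 7, whereas the stream module works at layer 4. Without a third-party certificate, an ordinary nginx proxy cannot meet the requirement.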

Operating system: CentOS 7
nginx version: 1.9.9
nginx official download page for the different versions: http://nginx.org/download/
Module downloads: https://github.com/openresty
Official documentation: http://nginx.org/en/docs/stream/ngx_stream_core_module.html

yum install gcc-c++
yum -y install pcre*
yum -y install openssl* wget curl
wget http://nginx.org/download/nginx-1.9.9.tar.gz
tar -zxvf nginx-1.9.9.tar.gz
cd nginx-1.9.9
./configure --help
--help                             print this message
--prefix=PATH                      set installation prefix
--sbin-path=PATH                   set nginx binary pathname
--modules-path=PATH                set modules path
--conf-path=PATH                   set nginx.conf pathname
--error-log-path=PATH              set error log pathname
--pid-path=PATH                    set nginx.pid pathname
--lock-path=PATH                   set nginx.lock pathname
--user=USER                        set non-privileged user for worker processes
--group=GROUP                      set non-privileged group for worker processes
--build=NAME                       set build name
--builddir=DIR                     set build directory
--with-select_module               enable select module
--without-select_module            disable select module
--with-poll_module                 enable poll module
--without-poll_module              disable poll module
--with-threads                     enable thread pool support
--with-file-aio                    enable file AIO support
--with-http_ssl_module             enable ngx_http_ssl_module
--with-http_v2_module              enable ngx_http_v2_module
--with-http_realip_module          enable ngx_http_realip_module
--with-http_addition_module        enable ngx_http_addition_module
--with-http_xslt_module            enable ngx_http_xslt_module
--with-http_xslt_module=dynamic    enable dynamic ngx_http_xslt_module
--with-http_image_filter_module    enable ngx_http_image_filter_module
--with-http_image_filter_module=dynamic  enable dynamic ngx_http_image_filter_module
--with-http_geoip_module           enable ngx_http_geoip_module
--with-http_geoip_module=dynamic   enable dynamic ngx_http_geoip_module
--with-http_sub_module             enable ngx_http_sub_module
--with-http_dav_module             enable ngx_http_dav_module
--with-http_flv_module             enable ngx_http_flv_module
--with-http_mp4_module             enable ngx_http_mp4_module
--with-http_gunzip_module          enable ngx_http_gunzip_module
--with-http_gzip_static_module     enable ngx_http_gzip_static_module
--with-http_auth_request_module    enable ngx_http_auth_request_module
--with-http_random_index_module    enable ngx_http_random_index_module
--with-http_secure_link_module     enable ngx_http_secure_link_module
--with-http_degradation_module     enable ngx_http_degradation_module
--with-http_slice_module           enable ngx_http_slice_module
--with-http_stub_status_module     enable ngx_http_stub_status_module
--without-http_charset_module      disable ngx_http_charset_module
--without-http_gzip_module         disable ngx_http_gzip_module
--without-http_ssi_module          disable ngx_http_ssi_module
--without-http_userid_module       disable ngx_http_userid_module
--without-http_access_module       disable ngx_http_access_module
--without-http_auth_basic_module   disable ngx_http_auth_basic_module
--without-http_autoindex_module    disable ngx_http_autoindex_module
--without-http_geo_module          disable ngx_http_geo_module
--without-http_map_module          disable ngx_http_map_module
--without-http_split_clients_module  disable ngx_http_split_clients_module
--without-http_referer_module      disable ngx_http_referer_module
--without-http_rewrite_module      disable ngx_http_rewrite_module
--without-http_proxy_module        disable ngx_http_proxy_module
--without-http_fastcgi_module      disable ngx_http_fastcgi_module
--without-http_uwsgi_module        disable ngx_http_uwsgi_module
--without-http_scgi_module         disable ngx_http_scgi_module
--without-http_memcached_module    disable ngx_http_memcached_module
--without-http_limit_conn_module   disable ngx_http_limit_conn_module
--without-http_limit_req_module    disable ngx_http_limit_req_module
--without-http_empty_gif_module    disable ngx_http_empty_gif_module
--without-http_browser_module      disable ngx_http_browser_module
--without-http_upstream_hash_module  disable ngx_http_upstream_hash_module
--without-http_upstream_ip_hash_module  disable ngx_http_upstream_ip_hash_module
--without-http_upstream_least_conn_module  disable ngx_http_upstream_least_conn_module
--without-http_upstream_keepalive_module  disable ngx_http_upstream_keepalive_module
--without-http_upstream_zone_module  disable ngx_http_upstream_zone_module
--with-http_perl_module            enable ngx_http_perl_module
--with-http_perl_module=dynamic    enable dynamic ngx_http_perl_module
--with-perl_modules_path=PATH      set Perl modules path
--with-perl=PATH                   set perl binary pathname
--http-log-path=PATH               set http access log pathname
--http-client-body-temp-path=PATH  set path to store http client request body temporary files
--http-proxy-temp-path=PATH        set path to store http proxy temporary files
--http-fastcgi-temp-path=PATH      set path to store http fastcgi temporary files
--http-uwsgi-temp-path=PATH        set path to store http uwsgi temporary files
--http-scgi-temp-path=PATH         set path to store http scgi temporary files
--without-http                     disable HTTP server
--without-http-cache               disable HTTP cache
--with-mail                        enable POP3/IMAP4/SMTP proxy module
--with-mail=dynamic                enable dynamic POP3/IMAP4/SMTP proxy module
--with-mail_ssl_module             enable ngx_mail_ssl_module
--without-mail_pop3_module         disable ngx_mail_pop3_module
--without-mail_imap_module         disable ngx_mail_imap_module
--without-mail_smtp_module         disable ngx_mail_smtp_module
--with-stream                      enable TCP/UDP proxy module
--with-stream=dynamic              enable dynamic TCP/UDP proxy module
--with-stream_ssl_module           enable ngx_stream_ssl_module
--with-stream_realip_module        enable ngx_stream_realip_module
--with-stream_geoip_module         enable ngx_stream_geoip_module
--with-stream_geoip_module=dynamic enable dynamic ngx_stream_geoip_module
--with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
--without-stream_limit_conn_module disable ngx_stream_limit_conn_module
--without-stream_access_module     disable ngx_stream_access_module
--without-stream_geo_module        disable ngx_stream_geo_module
--without-stream_map_module        disable ngx_stream_map_module
--without-stream_split_clients_module  disable ngx_stream_split_clients_module
--without-stream_return_module     disable ngx_stream_return_module
--without-stream_upstream_hash_module  disable ngx_stream_upstream_hash_module
--without-stream_upstream_least_conn_module  disable ngx_stream_upstream_least_conn_module
--without-stream_upstream_zone_module  disable ngx_stream_upstream_zone_module
--with-google_perftools_module     enable ngx_google_perftools_module
--with-cpp_test_module             enable ngx_cpp_test_module
--add-module=PATH                  enable external module
--add-dynamic-module=PATH          enable dynamic external module
--with-compat                      dynamic modules compatibility
--with-cc=PATH                     set C compiler pathname
--with-cpp=PATH                    set C preprocessor pathname
--with-cc-opt=OPTIONS              set additional C compiler options
--with-ld-opt=OPTIONS              set additional linker options
--with-cpu-opt=CPU                 build for the specified CPU, valid values: pentium, pentiumpro, pentium3, pentium4, athlon, opteron, sparc32, sparc64, ppc64
--without-pcre                     disable PCRE library usage
--with-pcre                        force PCRE library usage
--with-pcre=DIR                    set path to PCRE library sources
--with-pcre-opt=OPTIONS            set additional build options for PCRE
--with-pcre-jit                    build PCRE with JIT compilation support
--with-zlib=DIR                    set path to zlib library sources
--with-zlib-opt=OPTIONS            set additional build options for zlib
--with-zlib-asm=CPU                use zlib assembler sources optimized for the specified CPU, valid values: pentium, pentiumpro
--with-libatomic                   force libatomic_ops library usage
--with-libatomic=DIR               set path to libatomic_ops library sources
--with-openssl=DIR                 set path to OpenSSL library sources
--with-openssl-opt=OPTIONS         set additional build options for OpenSSL
--with-debug                       enable debug logging

NGINX stream (layer-4 solution)

./configure --prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_realip_module \
--with-threads \
--with-stream \
--with-stream_ssl_preread_module \
--with-stream_ssl_module
make && make install

nginx.conf:

worker_processes  1;
events {
    worker_connections 1024;
}
stream {
    #map $ssl_preread_server_name $name {
    #    default                  backend;
    #    backend.example.com      backend2;
    #}
    #upstream backend {
    #    server 192.168.8.99:37004;
    #    server 192.168.0.4:12345;
    #}
    #upstream backend2 {
    #    server 192.168.0.1:12345;
    #    server 192.168.0.2:12345;
    #}
    resolver 114.114.114.114;
    server {
        listen      443;
        #proxy_pass  backend;
        ssl_preread on;
        # forward to the host named in the client's SNI, on the same port
        proxy_pass $ssl_preread_server_name:$server_port;
    }
}

For a layer-4 forward proxy, NGINX essentially passes the upper-layer traffic through untouched and needs no HTTP CONNECT to set up a tunnel. This suits transparent-proxy mode, for example using DNS resolution to direct the domain names being accessed to the proxy server.

Another example:

stream {
    # backend, backend1 and backend2 must be defined as upstream blocks (not shown)
    map $ssl_preread_server_name $name {
        default backend;
        example.com backend1;
        test.com backend2;
    }
    server {
        listen 443;
        proxy_pass $name;
        ssl_preread on;
    }
}

HTTP CONNECT tunnel (layer-7 solution)

# forward proxy
git clone https://github.com/chobits/ngx_http_proxy_connect_module.git
# apply the patch that matches your nginx version, then compile and install; 1.14 is used as the example here
yum install -y patch pcre pcre-devel
patch -p1 < ngx_http_proxy_connect_module/patch/proxy_connect_1014.patch
./configure --prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
--add-module=ngx_http_proxy_connect_module
make && make install
ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/nginx

# configuration example
server {
    listen       8000;      # port the proxy listens on
    server_name  localhost;
    #charset koi8-r;
    #access_log  logs/host.access.log  main;
    resolver  8.8.8.8;   # DNS server used by the proxy

    # forward proxy for CONNECT request
    proxy_connect;                  # proxy parameters follow
    proxy_connect_allow            443 563;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;

    location / {
        proxy_pass http://$host;        # URL the request is proxied to
        proxy_set_header Host $host;    # Host header sent upstream
        root   html;
        index  index.html index.htm;
    }
}

# start nginx
nginx -t
nginx

Layer 7 requires an HTTP CONNECT to set up the tunnel. This is an ordinary proxy mode that the client is aware of: the HTTP(S) proxy server's IP and port must be configured manually on the client.

# test the proxy
curl -I http://www.baidu.com -v -x 127.0.0.1:8000
curl -I https://www.baidu.com -v -x 127.0.0.1:8000

# configure a global proxy
export http_proxy='127.0.0.1:8000'   # http
export https_proxy='127.0.0.1:8000'  # https

# test the global proxy
curl -v https://www.baidu.com
curl -v http://www.baidu.com

nginx version      enable REWRITE phase   patch
1.4.x ~ 1.12.x     NO                     proxy_connect.patch
1.4.x ~ 1.12.x     YES                    proxy_connect_rewrite.patch
1.13.x ~ 1.14.x    NO                     proxy_connect_1014.patch
1.13.x ~ 1.14.x    YES                    proxy_connect_rewrite_1014.patch
1.15.2             YES                    proxy_connect_rewrite_1015.patch
1.15.4 ~ 1.16.x    YES                    proxy_connect_rewrite_101504.patch
1.17.x ~ 1.18.0    YES                    proxy_connect_rewrite_1018.patch
1.19.x ~ 1.21.0    YES                    proxy_connect_rewrite_1018.patch
1.21.1             YES                    proxy_connect_rewrite_102101.patch
