Two ways to proxy HTTP/HTTPS with nginx without a certificate (筑梦之路)
Principle: the usual way of proxying HTTPS with nginx terminates TLS at layer 7, which requires the server certificate and private key to be configured on the proxy. The stream module works at layer 4 instead: it forwards the TCP connection as-is, the TLS session is negotiated between the client and the origin, and the proxy never needs a certificate. When no third-party certificate is available, the ordinary layer-7 proxy therefore cannot meet the need, and one of the two approaches below is used: a stream proxy that reads the SNI from the TLS ClientHello to pick the destination (layer 4), or an HTTP CONNECT tunnel (layer 7, but still without terminating TLS).
Operating system: CentOS 7
nginx version: 1.9.9 (see the note below)
nginx downloads for all versions: http://nginx.org/download/
Module downloads: https://github.com/openresty
Official documentation: http://nginx.org/en/docs/stream/ngx_stream_core_module.html

Note: the stream solution below relies on ngx_stream_ssl_preread_module, which nginx only ships from version 1.11.5, and the `./configure --help` output and the `--with-stream_ssl_preread_module` flag used later belong to a newer release than 1.9.9. Build from a 1.11.5 or later tarball (the CONNECT solution uses 1.14) and substitute the version in the commands.

Install the build dependencies and unpack the source:

```shell
yum -y install gcc-c++ pcre* openssl* wget curl
wget http://nginx.org/download/nginx-1.9.9.tar.gz
tar -zxvf nginx-1.9.9.tar.gz
cd nginx-1.9.9
```
List the available build options:

```shell
./configure --help
```

```text
  --help                             print this message
  --prefix=PATH                      set installation prefix
  --sbin-path=PATH                   set nginx binary pathname
  --modules-path=PATH                set modules path
  --conf-path=PATH                   set nginx.conf pathname
  --error-log-path=PATH              set error log pathname
  --pid-path=PATH                    set nginx.pid pathname
  --lock-path=PATH                   set nginx.lock pathname
  --user=USER                        set non-privileged user for worker processes
  --group=GROUP                      set non-privileged group for worker processes
  --build=NAME                       set build name
  --builddir=DIR                     set build directory
  --with-select_module               enable select module
  --without-select_module            disable select module
  --with-poll_module                 enable poll module
  --without-poll_module              disable poll module
  --with-threads                     enable thread pool support
  --with-file-aio                    enable file AIO support
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-http_v2_module              enable ngx_http_v2_module
  --with-http_realip_module          enable ngx_http_realip_module
  --with-http_addition_module        enable ngx_http_addition_module
  --with-http_xslt_module            enable ngx_http_xslt_module
  --with-http_xslt_module=dynamic    enable dynamic ngx_http_xslt_module
  --with-http_image_filter_module    enable ngx_http_image_filter_module
  --with-http_image_filter_module=dynamic
                                     enable dynamic ngx_http_image_filter_module
  --with-http_geoip_module           enable ngx_http_geoip_module
  --with-http_geoip_module=dynamic   enable dynamic ngx_http_geoip_module
  --with-http_sub_module             enable ngx_http_sub_module
  --with-http_dav_module             enable ngx_http_dav_module
  --with-http_flv_module             enable ngx_http_flv_module
  --with-http_mp4_module             enable ngx_http_mp4_module
  --with-http_gunzip_module          enable ngx_http_gunzip_module
  --with-http_gzip_static_module     enable ngx_http_gzip_static_module
  --with-http_auth_request_module    enable ngx_http_auth_request_module
  --with-http_random_index_module    enable ngx_http_random_index_module
  --with-http_secure_link_module     enable ngx_http_secure_link_module
  --with-http_degradation_module     enable ngx_http_degradation_module
  --with-http_slice_module           enable ngx_http_slice_module
  --with-http_stub_status_module     enable ngx_http_stub_status_module
  --without-http_charset_module      disable ngx_http_charset_module
  --without-http_gzip_module         disable ngx_http_gzip_module
  --without-http_ssi_module          disable ngx_http_ssi_module
  --without-http_userid_module       disable ngx_http_userid_module
  --without-http_access_module       disable ngx_http_access_module
  --without-http_auth_basic_module   disable ngx_http_auth_basic_module
  --without-http_autoindex_module    disable ngx_http_autoindex_module
  --without-http_geo_module          disable ngx_http_geo_module
  --without-http_map_module          disable ngx_http_map_module
  --without-http_split_clients_module
                                     disable ngx_http_split_clients_module
  --without-http_referer_module      disable ngx_http_referer_module
  --without-http_rewrite_module      disable ngx_http_rewrite_module
  --without-http_proxy_module        disable ngx_http_proxy_module
  --without-http_fastcgi_module      disable ngx_http_fastcgi_module
  --without-http_uwsgi_module        disable ngx_http_uwsgi_module
  --without-http_scgi_module         disable ngx_http_scgi_module
  --without-http_memcached_module    disable ngx_http_memcached_module
  --without-http_limit_conn_module   disable ngx_http_limit_conn_module
  --without-http_limit_req_module    disable ngx_http_limit_req_module
  --without-http_empty_gif_module    disable ngx_http_empty_gif_module
  --without-http_browser_module      disable ngx_http_browser_module
  --without-http_upstream_hash_module
                                     disable ngx_http_upstream_hash_module
  --without-http_upstream_ip_hash_module
                                     disable ngx_http_upstream_ip_hash_module
  --without-http_upstream_least_conn_module
                                     disable ngx_http_upstream_least_conn_module
  --without-http_upstream_keepalive_module
                                     disable ngx_http_upstream_keepalive_module
  --without-http_upstream_zone_module
                                     disable ngx_http_upstream_zone_module
  --with-http_perl_module            enable ngx_http_perl_module
  --with-http_perl_module=dynamic    enable dynamic ngx_http_perl_module
  --with-perl_modules_path=PATH      set Perl modules path
  --with-perl=PATH                   set perl binary pathname
  --http-log-path=PATH               set http access log pathname
  --http-client-body-temp-path=PATH  set path to store http client request body temporary files
  --http-proxy-temp-path=PATH        set path to store http proxy temporary files
  --http-fastcgi-temp-path=PATH      set path to store http fastcgi temporary files
  --http-uwsgi-temp-path=PATH        set path to store http uwsgi temporary files
  --http-scgi-temp-path=PATH         set path to store http scgi temporary files
  --without-http                     disable HTTP server
  --without-http-cache               disable HTTP cache
  --with-mail                        enable POP3/IMAP4/SMTP proxy module
  --with-mail=dynamic                enable dynamic POP3/IMAP4/SMTP proxy module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --without-mail_pop3_module         disable ngx_mail_pop3_module
  --without-mail_imap_module         disable ngx_mail_imap_module
  --without-mail_smtp_module         disable ngx_mail_smtp_module
  --with-stream                      enable TCP/UDP proxy module
  --with-stream=dynamic              enable dynamic TCP/UDP proxy module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_realip_module        enable ngx_stream_realip_module
  --with-stream_geoip_module         enable ngx_stream_geoip_module
  --with-stream_geoip_module=dynamic enable dynamic ngx_stream_geoip_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --without-stream_limit_conn_module disable ngx_stream_limit_conn_module
  --without-stream_access_module     disable ngx_stream_access_module
  --without-stream_geo_module        disable ngx_stream_geo_module
  --without-stream_map_module        disable ngx_stream_map_module
  --without-stream_split_clients_module
                                     disable ngx_stream_split_clients_module
  --without-stream_return_module     disable ngx_stream_return_module
  --without-stream_upstream_hash_module
                                     disable ngx_stream_upstream_hash_module
  --without-stream_upstream_least_conn_module
                                     disable ngx_stream_upstream_least_conn_module
  --without-stream_upstream_zone_module
                                     disable ngx_stream_upstream_zone_module
  --with-google_perftools_module     enable ngx_google_perftools_module
  --with-cpp_test_module             enable ngx_cpp_test_module
  --add-module=PATH                  enable external module
  --add-dynamic-module=PATH          enable dynamic external module
  --with-compat                      dynamic modules compatibility
  --with-cc=PATH                     set C compiler pathname
  --with-cpp=PATH                    set C preprocessor pathname
  --with-cc-opt=OPTIONS              set additional C compiler options
  --with-ld-opt=OPTIONS              set additional linker options
  --with-cpu-opt=CPU                 build for the specified CPU, valid values:
                                     pentium, pentiumpro, pentium3, pentium4,
                                     athlon, opteron, sparc32, sparc64, ppc64
  --without-pcre                     disable PCRE library usage
  --with-pcre                        force PCRE library usage
  --with-pcre=DIR                    set path to PCRE library sources
  --with-pcre-opt=OPTIONS            set additional build options for PCRE
  --with-pcre-jit                    build PCRE with JIT compilation support
  --with-zlib=DIR                    set path to zlib library sources
  --with-zlib-opt=OPTIONS            set additional build options for zlib
  --with-zlib-asm=CPU                use zlib assembler sources optimized
                                     for the specified CPU, valid values:
                                     pentium, pentiumpro
  --with-libatomic                   force libatomic_ops library usage
  --with-libatomic=DIR               set path to libatomic_ops library sources
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
  --with-debug                       enable debug logging
```
NGINX stream (layer-4 solution)

Build nginx with the stream module, ssl_preread and stream SSL enabled:

```shell
./configure --prefix=/usr/local/nginx \
    --with-http_stub_status_module \
    --with-http_ssl_module \
    --with-http_realip_module \
    --with-threads \
    --with-stream \
    --with-stream_ssl_preread_module \
    --with-stream_ssl_module
make && make install
```

nginx.conf:

```nginx
worker_processes 1;

events {
    worker_connections 1024;
}

stream {
    #map $ssl_preread_server_name $name {
    #    default             backend;
    #    backend.example.com backend2;
    #}
    #upstream backend {
    #    server 192.168.8.99:37004;
    #    server 192.168.0.4:12345;
    #}
    #upstream backend2 {
    #    server 192.168.0.1:12345;
    #    server 192.168.0.2:12345;
    #}

    # DNS server used to resolve the name taken from the client's SNI.
    # It must return the real origin address: if it hands back the proxy's
    # own address (as the DNS that redirects clients here would), the proxy
    # connects to itself in a loop.
    resolver 114.114.114.114;

    server {
        listen 443;
        #proxy_pass backend;

        # Read the SNI from the TLS ClientHello without terminating TLS.
        ssl_preread on;
        # Forward to whatever host the client named, on the same port.
        # $ssl_preread_server_name is empty when the client sends no SNI;
        # the target is then invalid and nginx drops the connection.
        proxy_pass $ssl_preread_server_name:$server_port;
    }
}
```

In this layer-4 forward-proxy mode NGINX passes the upstream traffic through essentially untouched, and no HTTP CONNECT is needed to set up a tunnel. It suits transparent proxying, for example redirecting the domains to be accessed to the proxy server through DNS. Two caveats follow from the design: the destination comes from the SNI, so plain HTTP on port 80 (which carries no SNI) and TLS clients that omit SNI cannot be routed this way, and a server block like the one above will relay to any host a client names, so restrict who may use it with the stream `allow`/`deny` directives (ngx_stream_access_module) rather than exposing it to the whole network.

Another example, routing by SNI to fixed upstream groups instead of resolving the name (the upstreams backend, backend1 and backend2 must be defined in the same stream block, as in the commented-out upstream blocks above):

```nginx
stream {
    map $ssl_preread_server_name $name {
        default     backend;
        example.com backend1;
        test.com    backend2;
    }
    server {
        listen 443;
        proxy_pass $name;
        ssl_preread on;
    }
}
```
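To make concrete what `ssl_preread on` does before `$ssl_preread_server_name` is set, here is an added example (not nginx code) that parses the SNI out of a TLS ClientHello and applies the same routing as the `map` block above. The ClientHello bytes are constructed in the script rather than captured from a client, and the upstream names in `ROUTES` are placeholders; the two failure cases it handles, a ClientHello without SNI and a plain HTTP request, are exactly the traffic the stream solution cannot route.

```python
"""SNI extraction from a TLS ClientHello, the operation behind
$ssl_preread_server_name. Added example for this article, not nginx code.
The ClientHello bytes are constructed here, not captured from a client, and
the upstream names in ROUTES are placeholders."""
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed input).
    With server_name=None the server_name extension is left out, which is
    what an SNI-less client looks like to the proxy."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host           # NameType host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ExtensionType server_name(0)
    body = (
        b"\x03\x03"                                    # client_version TLS 1.2
        + b"\x11" * 32                                 # random (fixed, example only)
        + b"\x00"                                      # session_id: empty
        + b"\x00\x02\x13\x01"                          # cipher_suites: one suite
        + b"\x01\x00"                                  # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(data):
    """Return the host_name from the ClientHello's server_name extension,
    or None when the bytes are not a ClientHello or carry no SNI."""
    if len(data) < 5 or data[0] != 0x16:                      # not a TLS handshake record
        return None
    record = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(record) < 4 or record[0] != 0x01:                  # not a ClientHello
        return None
    hs = record[4:4 + int.from_bytes(record[1:4], "big")]
    pos = 2 + 32                                              # skip version and random
    if len(hs) <= pos:
        return None
    pos += 1 + hs[pos]                                        # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]        # cipher_suites
    if len(hs) <= pos:
        return None
    pos += 1 + hs[pos]                                        # compression_methods
    if len(hs) < pos + 2:                                     # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if end > len(hs):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        ext = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000 or len(ext) < 2:
            continue
        names = ext[2:2 + struct.unpack("!H", ext[:2])[0]]
        i = 0
        while i + 3 <= len(names):
            name_type = names[i]
            name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
            name = names[i + 3:i + 3 + name_len]
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", "replace")
            i += 3 + name_len
    return None


# Placeholder upstream names, standing in for the article's `map` block.
ROUTES = {"example.com": "backend1", "test.com": "backend2"}


def choose_upstream(data, routes=ROUTES, default="backend"):
    """Mirror `map $ssl_preread_server_name $name { default backend; ... }`:
    an unknown or missing SNI falls through to the default upstream."""
    return routes.get(extract_sni(data), default)


if __name__ == "__main__":
    for sample in (build_client_hello("test.com"), build_client_hello(None),
                   b"GET / HTTP/1.1\r\nHost: test.com\r\n\r\n"):
        print(extract_sni(sample), "->", choose_upstream(sample))
```

The parser only reads the first record of the connection, which is all ssl_preread has at routing time; the `map` lookup shows why a request with no SNI silently lands on the `default` upstream rather than the one the client intended.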
HTTP CONNECT tunnel (layer-7 solution)

Forward proxy built from ngx_http_proxy_connect_module. Clone the module into the nginx source directory, apply the patch that matches the nginx version (see the table below), then build; 1.14 is used here:

```shell
yum install -y patch pcre pcre-devel
git clone https://github.com/chobits/ngx_http_proxy_connect_module.git
# pick the patch for your nginx version from the table below; for 1.13.x ~ 1.14.x:
patch -p1 < ngx_http_proxy_connect_module/patch/proxy_connect_1014.patch
./configure --prefix=/usr/local/nginx \
    --with-http_stub_status_module \
    --with-http_ssl_module \
    --add-module=ngx_http_proxy_connect_module
make && make install
ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/nginx
```

Configuration example (inside the http block of nginx.conf):

```nginx
server {
    listen 8000;                       # port the proxy listens on
    server_name localhost;
    #charset koi8-r;
    #access_log logs/host.access.log main;

    resolver 8.8.8.8;                  # DNS server the proxy uses to resolve target hosts

    # forward proxy for CONNECT requests (HTTPS)
    proxy_connect;
    # proxy parameters
    proxy_connect_allow 443 563;       # only tunnel to these destination ports
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;

    # plain HTTP requests are forwarded to the host named in the request
    location / {
        proxy_pass http://$host;       # proxy target taken from the request
        proxy_set_header Host $host;   # Host header passed to the target
        root html;                     # ignored while proxy_pass is set; left over from the default config
        index index.html index.htm;
    }
}
```

Check the configuration and start nginx:

```shell
nginx -t
nginx
```

The layer-7 approach sets up a tunnel through HTTP CONNECT, so it is an ordinary proxy the client is aware of: the HTTP(S) proxy address and port have to be configured on the client by hand. Because `proxy_pass http://$host` and `proxy_connect` will relay to whatever host the client names, including addresses inside your own network, keep the listener off the public internet and limit the clients allowed to use it with `allow`/`deny` in the server block (ngx_http_access_module).

Test the proxy:

```shell
curl -I http://www.baidu.com -v -x 127.0.0.1:8000
curl -I https://www.baidu.com -v -x 127.0.0.1:8000
```

Configure a global proxy for the shell and test it:

```shell
export http_proxy='http://127.0.0.1:8000'   # http
export https_proxy='http://127.0.0.1:8000'  # https
curl -v https://www.baidu.com
curl -v http://www.baidu.com
```
Which patch to apply depends on the nginx version and on whether the module should also run in the REWRITE phase:

| nginx version | enable REWRITE phase | patch |
|---|---|---|
| 1.4.x ~ 1.12.x | NO | proxy_connect.patch |
| 1.4.x ~ 1.12.x | YES | proxy_connect_rewrite.patch |
| 1.13.x ~ 1.14.x | NO | proxy_connect_1014.patch |
| 1.13.x ~ 1.14.x | YES | proxy_connect_rewrite_1014.patch |
| 1.15.2 | YES | proxy_connect_rewrite_1015.patch |
| 1.15.4 ~ 1.16.x | YES | proxy_connect_rewrite_101504.patch |
| 1.17.x ~ 1.18.0 | YES | proxy_connect_rewrite_1018.patch |
| 1.19.x ~ 1.21.0 | YES | proxy_connect_rewrite_1018.patch |
| 1.21.1 | YES | proxy_connect_rewrite_102101.patch |
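The CONNECT exchange itself, with the decision the proxy has to make before it opens the tunnel, as an added example (not ngx_http_proxy_connect_module code): the client side builds the request that `curl -x` sends for an https:// URL, and the proxy side applies the destination-port check that `proxy_connect_allow 443 563` gives you plus the private-address check that nginx leaves to you. The allowed ports, the private-range deny list and the resolver table `FAKE_DNS` are assumptions made for the example.

```python
"""The HTTP CONNECT exchange from both sides, with the destination-port
check the article's `proxy_connect_allow 443 563` provides and the
destination check nginx leaves to you. Added example for this article,
not ngx_http_proxy_connect_module code. The allowed ports, the private
ranges and the resolver table are assumptions."""
import ipaddress
import re

ALLOWED_PORTS = {443, 563}                        # mirrors `proxy_connect_allow 443 563;`
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]
REQUEST_LINE = re.compile(
    rb"^CONNECT ([^\s:\[\]]+|\[[0-9a-fA-F:.]+\]):(\d{1,5}) HTTP/1\.[01]\r\n")

# Constructed resolver table standing in for `resolver 8.8.8.8;`.
FAKE_DNS = {"www.baidu.com": "203.0.113.10", "intranet.local": "10.0.0.5"}


def build_connect_request(host, port):
    """Client side: the first thing curl -x sends for an https:// URL."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def handle_connect(request, resolve=FAKE_DNS.get, allowed_ports=ALLOWED_PORTS,
                   deny_private=True):
    """Proxy side: return the status line the proxy answers with. Only the
    200 line means a TCP tunnel is opened and raw TLS bytes start flowing;
    nginx never sees inside them, which is why no certificate is needed."""
    m = REQUEST_LINE.match(request)
    if not m:
        return "HTTP/1.1 400 Bad Request"
    host = m.group(1).decode("ascii").strip("[]")
    port = int(m.group(2))
    if port not in allowed_ports:                 # what proxy_connect_allow enforces
        return "HTTP/1.1 403 Forbidden"
    try:
        ip = ipaddress.ip_address(resolve(host))  # resolve() gives None for unknown names
    except ValueError:
        return "HTTP/1.1 502 Bad Gateway"
    if deny_private and any(ip in net for net in PRIVATE_NETS):
        return "HTTP/1.1 403 Forbidden"           # the check nginx does not do for you
    return "HTTP/1.1 200 Connection Established"


if __name__ == "__main__":
    for host, port in (("www.baidu.com", 443), ("www.baidu.com", 22),
                       ("intranet.local", 443), ("nosuch.invalid", 443)):
        req = build_connect_request(host, port)
        print(req.split(b"\r\n")[0].decode(), "->", handle_connect(req))
```

The private-range check is the part worth copying into a real deployment: `proxy_connect_allow` only limits ports, so without a source restriction or a destination filter, any client that can reach port 8000 can use the proxy to open connections to 10.x and 192.168.x hosts on 443.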
References:
Using NGINX as an HTTPS forward proxy server (Alibaba Cloud developer community)