用nginx正向代理https网站

目次

• 1. 缘起
  
• 2. 部署nginx
  
• 3. 测试
  
• 3.1 http测试
  
• 3.2 https测试
  
• 4 给centos设置代理访问外网
  

1. 缘起

最近遇到了一个麻烦事情，就是公司的centos测试服务器放在内网情况，而且不能直接上外网，导致无法通过yum安装软件，非常捉急。
幸好，内网还是有可以可以访问外网的机器，所以就想到应该可以利用nginx搭建一个代理服务器，然后centos通过这个nginx来访问外网。当然，假如只是代理http还是很简单的，而要代理https还是需要稍费周折，因为nginx自己不能部署被代理的网站的证书，不能部署成https终结点来，因此与被代理客户端之间不能用ssl协议通讯，因此需要通过http协议中的CONNECT哀求买通和外网的连接，然后客户端到nginx走明文，nginx到外网走https协议。这里需要用到ngx_http_proxy_connect_module模块来实现CONNECT的代理功能。
2. 部署nginx

• 步调1： 从nginx官网下载nginx源码包。
  
• 步调2： 因为nginx原生是不支持CONNECT哀求的，需要安装一个扩展插件，即ngx_http_proxy_connect_module，从github下载ngx_http_proxy_connect_module，另外还要下载一个nginx内核补丁。
  
• 步调3： 解压nginx源码包，进入nginx源码目次，创建modules目次（mkdir modules)。
  
• 步调4： 将ngx_http_proxy_connect_module源码目次放到modules目次中。
  
• 步调5： 将nginx内核补丁放到nginx源码目次，姑且名字叫p1.patch
  
• 步调6： 在nginx源码目次，执行以下下令给nginx内核打上补丁：
  
  1. patch -p 1 < p1.patch

  复制代码
• 步调7：编译nginx，这里假设nginx安装到/opt/nginx目次中（在编译前确认pcre、zlib、openssl的库是否已经正常安装），编译下令如下：
  ./configure --prefix=/opt/nginx --with-http_ssl_module -add-module=./modules/ngx_http_proxy_connect_module
  make & make install
  
• 步调8：配置nginx
  配置文件如下：
  #user nobody;
  worker_processes 1;
  #error_log logs/error.log;
  #error_log logs/error.log notice;
  #error_log logs/error.log info;
  #pid logs/nginx.pid;
  events {
  worker_connections 1024;
  }
  http {
  include mime.types;
  default_type application/octet-stream;
  
  1. #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  2. #                  '$status $body_bytes_sent "$http_referer" '
  3. #                  '"$http_user_agent" "$http_x_forwarded_for"';
  5. #access_log  logs/access.log  main;
  7. sendfile        on;
  8. keepalive_timeout  65;

  复制代码
  server {
  # 代理端口
  listen 8080;
  server_name localhost;
  
  1.     # 解析被代理网站域名的dns服务器，根据实际情况自行配置
  2.     resolver  114.114.114.114;
  3.    
  4.     # 开启proxy connect功能
  5.     proxy_connect;
  6.    
  7.     # 设置允许代理的目标端口为443,即https的默认端口
  8.     proxy_connect_allow 443 80;
  10.     location / {
  11.    
  12.         # 正向代理配置，根据请求地址自动解析出目标网站地址并进行代理
  13.         proxy_pass $scheme://$host$request_uri;
  14.         
  15.         # 发送到被代理网站的请求需要添加host头
  16.         proxy_set_header Host $http_host;
  17.    
  18.                 proxy_buffers 256 4k;
  19.         proxy_max_temp_file_size 0;
  20.         proxy_connect_timeout 30;
  21.     }
  22. }

  复制代码
  }
  

以上配置完成后，通过nginx的8080端口，既可以代理普通http的哀求，也可以代理https的哀求。

• 步调9：启动nginx
  执行/opt/nginx/sbin/nginx，启动nginx
  

3. 测试

3.1 http测试

1. curl "http://www.baidu.com/" -x 127.0.0.1:8080 -v

复制代码

响应内容：

1. *   Trying 127.0.0.1:8080...
2. * Connected to (nil) (127.0.0.1) port 8080 (#0)
3. > GET http://www.baidu.com/ HTTP/1.1
4. > Host: www.baidu.com
5. > User-Agent: curl/7.81.0
6. > Accept: */*
7. > Proxy-Connection: Keep-Alive
8. >
9. * Mark bundle as not supporting multiuse
10. < HTTP/1.1 200 OK
11. < Server: nginx/1.24.0
12. < Date: Fri, 23 Feb 2024 09:08:01 GMT
13. < Content-Type: text/html
14. < Content-Length: 2381
15. < Connection: keep-alive
16. < Accept-Ranges: bytes
17. < Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
18. < Etag: "588604eb-94d"
19. < Last-Modified: Mon, 23 Jan 2017 13:28:11 GMT
20. < Pragma: no-cache
21. < Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
22. <
23. <!DOCTYPE html>
24. <!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下，你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn"></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=http://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>

复制代码

通过以上的输出可以看到http代理是没有通过CONNECT哀求举行连接的，响应正常。
3.2 https测试

1. curl "https://www.baidu.com/" -x 127.0.0.1:8080 -v
4. *   Trying 127.0.0.1:8080...
5. * Connected to (nil) (127.0.0.1) port 8080 (#0)
6. * allocate connect buffer!
7. * Establish HTTP proxy tunnel to www.baidu.com:443
8. > CONNECT www.baidu.com:443 HTTP/1.1
9. > Host: www.baidu.com:443
10. > User-Agent: curl/7.81.0
11. > Proxy-Connection: Keep-Alive
12. >
13. < HTTP/1.1 200 Connection Established
14. < Proxy-agent: nginx
15. <
16. * Proxy replied 200 to CONNECT request
17. * CONNECT phase completed!
18. * ALPN, offering h2
19. * ALPN, offering http/1.1
20. *  CAfile: /etc/ssl/certs/ca-certificates.crt
21. *  CApath: /etc/ssl/certs
22. * TLSv1.0 (OUT), TLS header, Certificate Status (22):
23. * TLSv1.3 (OUT), TLS handshake, Client hello (1):
24. * TLSv1.2 (IN), TLS header, Certificate Status (22):
25. * TLSv1.3 (IN), TLS handshake, Server hello (2):
26. * TLSv1.2 (IN), TLS header, Certificate Status (22):
27. * TLSv1.2 (IN), TLS handshake, Certificate (11):
28. * TLSv1.2 (IN), TLS header, Certificate Status (22):
29. * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
30. * TLSv1.2 (IN), TLS header, Certificate Status (22):
31. * TLSv1.2 (IN), TLS handshake, Server finished (14):
32. * TLSv1.2 (OUT), TLS header, Certificate Status (22):
33. * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
34. * TLSv1.2 (OUT), TLS header, Finished (20):
35. * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
36. * TLSv1.2 (OUT), TLS header, Certificate Status (22):
37. * TLSv1.2 (OUT), TLS handshake, Finished (20):
38. * TLSv1.2 (IN), TLS header, Finished (20):
39. * TLSv1.2 (IN), TLS header, Certificate Status (22):
40. * TLSv1.2 (IN), TLS handshake, Finished (20):
41. * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
42. * ALPN, server accepted to use http/1.1
43. * Server certificate:
44. *  subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
45. *  start date: Jul  6 01:51:06 2023 GMT
46. *  expire date: Aug  6 01:51:05 2024 GMT
47. *  subjectAltName: host "www.baidu.com" matched cert's "*.baidu.com"
48. *  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
49. *  SSL certificate verify ok.
50. * TLSv1.2 (OUT), TLS header, Supplemental data (23):
51. > GET / HTTP/1.1
52. > Host: www.baidu.com
53. > User-Agent: curl/7.81.0
54. > Accept: */*
55. >
56. * TLSv1.2 (IN), TLS header, Supplemental data (23):
57. * Mark bundle as not supporting multiuse
58. < HTTP/1.1 200 OK
59. < Accept-Ranges: bytes
60. < Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
61. < Connection: keep-alive
62. < Content-Length: 2443
63. < Content-Type: text/html
64. < Date: Fri, 23 Feb 2024 09:11:25 GMT
65. < Etag: "58860410-98b"
66. < Last-Modified: Mon, 23 Jan 2017 13:24:32 GMT
67. < Pragma: no-cache
68. < Server: bfe/1.0.8.18
69. < Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
70. <
71. <!DOCTYPE html>
72. * TLSv1.2 (IN), TLS header, Supplemental data (23):
73. * TLSv1.2 (IN), TLS header, Supplemental data (23):
74. <!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=https://ss1.bdstatic.com/5eN1bjq8AAUYm2zgoY3K/r/www/cache/bdorz/baidu.min.css><title>百度一下，你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <input type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input type=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus=autofocus></span><span class="bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn" autofocus></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trnews class=mnav>新闻</a> <a href=https://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href=http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/bdorz/login.gif?login&amp;tpl=mn&amp;u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write('<a href="http://www.baidu.com/bdorz/login.gif?login&tpl=mn&u='+ encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ '" name="tj_login" class="lb">登录</a>');
75.                 </script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=ftConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>&copy;2017&nbsp;Baidu&nbsp;<a href=http://www.baidu.com/duty/>使用百度前必读</a>&nbsp; <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a>&nbsp;京ICP证030173号&nbsp; <img src=//www.baidu.com/img/gs.gif> </p> </div> </div> </div> </body> </html>

复制代码

通过以上的输出可以看到https代理是通过CONNECT哀求举行连接的，中心有发生ssl的握手过程，也已经正常举行了响应。
4 给centos设置代理访问外网

给centos服务器设置两个http_proxy和https_proxy情况变量，假设nginx服务器的ip为192.168.0.1，那么在下令行执行以下两条下令，即：

1. export http_proxy="http://192.168.0.1:8080"
2. export https_proxy="https://192.168.0.1:8080"

复制代码

然后就可以顺畅地举行yum了。当然，假如可以的话，就将以上两条下令配置到bash.rc中，这样子免得每次登录都需要敲下令。

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。