
Installing and configuring an Nginx forward proxy on Linux

xnh888 2024-09-11 11:05:44 Tech tutorials

A forward proxy is a server that sits between the client and the origin server. To fetch content from the origin server, the client sends a request to the proxy and names the target (the origin server); the proxy then forwards the request to the origin server and returns the content it obtains to the client. The client is thereby able to reach the origin server.

Environment:

# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
# yum -y install pcre pcre-devel zlib zlib-devel openssl-devel openssl
# pwd
/root/software
# wget http://nginx.org/download/nginx-1.19.7.tar.gz
# git clone https://codechina.csdn.net/mirrors/chobits/ngx_http_proxy_connect_module.git
# tar -zxvf nginx-1.19.7.tar.gz
# cd nginx-1.19.7/
# patch -p1 < /root/software/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1018.patch
# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --add-module=/root/software/ngx_http_proxy_connect_module
# make
# make install
Which patch file to apply depends on your nginx version; check the module's git repository for the mapping. I used the domestic (CSDN) mirror here.

Adjust nginx.conf roughly as shown below; tune the parameters to your own needs. In my setup the main log format is enabled by default.

The main config file includes the .conf files under the vhosts directory:

worker_processes  1;
error_log  logs/error.log  info;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    server {
        listen       80;
        server_name  localhost;
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    include vhosts/*.conf;
}

My proxy configuration is as follows:

# pwd
/usr/local/nginx/conf
# mkdir vhosts
# vi vhosts/forward.conf

# cat /usr/local/nginx/conf/vhosts/forward.conf
server {
    listen                         3128;
    access_log /usr/local/nginx/logs/proxy-access.log main;
    error_log /usr/local/nginx/logs/error.log;
    # dns resolver used by forward proxying
    #resolver                       119.29.29.29;
    resolver                       119.29.29.29 valid=60s ipv6=off;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow            443 563;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;

    # forward proxy for non-CONNECT request
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
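As written, this server block accepts CONNECT from any client that can reach port 3128 on any interface, which makes the host an open proxy. The following is an added example, not part of the original post, showing the same server restricted to the internal network: it binds to specific addresses, limits clients with allow/deny, and permits tunnels only to port 443. The 10.211.55.3 bind address and the 10.211.55.0/24 client range are assumptions taken from the test client addresses used on this page.

```nginx
server {
    # Bind only on loopback and the internal interface instead of 0.0.0.0
    # (10.211.55.3 is assumed from the test commands on this page).
    listen  127.0.0.1:3128;
    listen  10.211.55.3:3128;

    access_log  /usr/local/nginx/logs/proxy-access.log main;
    error_log   /usr/local/nginx/logs/error.log;

    # same resolver settings as above; ipv6=off avoids the unreachable
    # AAAA upstreams seen in error.log later in this post
    resolver    119.29.29.29 valid=60s ipv6=off;

    # Only internal clients may use the proxy (ngx_http_access_module);
    # the allowed range is an assumption, adjust it to your network.
    allow 127.0.0.1;
    allow 10.211.55.0/24;
    deny  all;

    # CONNECT tunnels only to HTTPS; 563 (NNTPS) is dropped as unused here
    proxy_connect;
    proxy_connect_allow            443;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;

    # plain HTTP forwarding for non-CONNECT requests
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
```

After `nginx -t` passes, reload with `/usr/local/nginx/sbin/nginx -s reload` and confirm from a host outside the allowed range that `curl -x <proxy>:3128 https://www.baidu.com/` is refused rather than tunnelled.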

Syntax check:

# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Start it:

# /usr/local/nginx/sbin/nginx
# tail -f /usr/local/nginx/logs/error.log
2021/02/28 14:55:44 [notice] 14986#0: using the "epoll" event method
2021/02/28 14:55:44 [notice] 14986#0: nginx/1.19.7
2021/02/28 14:55:44 [notice] 14986#0: built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
2021/02/28 14:55:44 [notice] 14986#0: OS: Linux 3.10.0-862.11.6.el7.x86_64
2021/02/28 14:55:44 [notice] 14986#0: getrlimit(RLIMIT_NOFILE): 204800:204800
2021/02/28 14:55:44 [notice] 14987#0: start worker processes
2021/02/28 14:55:44 [notice] 14987#0: start worker process 14988

Check the listening ports:

# netstat -nltp|grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      14987/nginx: master
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      14987/nginx: master

A quick test:

# curl -I http://localhost
HTTP/1.1 200 OK
Server: nginx/1.19.7
Date: Sun, 28 Feb 2021 06:56:53 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sun, 28 Feb 2021 06:47:57 GMT
Connection: keep-alive
ETag: "603b3c9d-264"
Accept-Ranges: bytes
# curl -I http://localhost:3128
HTTP/1.1 200 OK
Server: nginx/1.19.7
Date: Sun, 28 Feb 2021 06:57:09 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Last-Modified: Sun, 28 Feb 2021 06:47:57 GMT
ETag: "603b3c9d-264"
Accept-Ranges: byte

Test access through the proxy:

curl https://www.baidu.com/ -v -x 127.0.0.1:3128
curl https://www.sohu.com/ -v -x 10.211.55.3:3128
centos7 root@parallels:/usr/local/nginx/conf# curl https://www.baidu.com/ -v -x 127.0.0.1:3128
* About to connect() to proxy 127.0.0.1 port 3128 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
* Establish HTTP proxy tunnel to www.baidu.com:443
> CONNECT www.baidu.com:443 HTTP/1.1
> Host: www.baidu.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
< Proxy-agent: nginx
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*     subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
*     start date: Apr 02 07:04:58 2020 GMT
*     expire date: Jul 26 05:31:02 2021 GMT
*     common name: baidu.com
*     issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 2443
< Content-Type: text/html
< Date: Sun, 28 Feb 2021 06:58:21 GMT
< Etag: "58860402-98b"
< Last-Modified: Mon, 23 Jan 2017 13:24:18 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
<
... <other response headers & response body> ...

* Connection #0 to host 127.0.0.1 left intact

Analysis of the result:

1. curl creates a TCP connection to nginx (with the proxy_connect module).

2. curl sends a CONNECT request to create the tunnel.

3. nginx replies 200 to say the tunnel is established. The client is now being proxied to the remote host; any data sent to nginx is forwarded, unmodified, to the remote host.

4. curl sends the "https://www.baidu.com" request through the tunnel; the proxy_connect module proxies the data to the remote host www.baidu.com.

5. Any data received from the remote host is sent back to the client by the proxy_connect module.

Next, look at the logs:

# tail -f /usr/local/nginx/logs/error.log
2021/02/28 15:30:45 [error] 21220#0: *58 proxy_connect: connection error while connecting to upstream, client: 127.0.0.1, server: , request: "CONNECT www.sohu.com:443 HTTP/1.1", host: "www.sohu.com:443"
2021/02/28 15:30:45 [error] 21220#0: *60 connect() to [240e:95c:3005::20b]:443 failed (101: Network is unreachable) while connecting to upstream, client: 127.0.0.1, server: , request: "CONNECT www.sohu.com:443 HTTP/1.1", host: "www.sohu.com:443"
2021/02/28 15:30:45 [error] 21220#0: *60 proxy_connect: connection error while connecting to upstream, client: 127.0.0.1, server: , request: "CONNECT www.sohu.com:443 HTTP/1.1", host: "www.sohu.com:443"

The failure rate is a bit high, ha. But notice the address in this line, [240e:95c:3005::20b]:443. Could that be IPv6?

Change it as described in the official documentation:

Change in forward.conf:

resolver                       119.29.29.29 valid=60s ipv6=off;

The success rate is clearly much higher now:

# seq 1 50|while read line;do curl https://www.sohu.com/ -v -x 10.211.55.3:3128;done

error.log shows no more errors.
