|
2) nginx.conf文件配置
- server {
- listen 443;
-
- # dns resolver used by forward proxying
- resolver 114.114.114.114;
- # forward proxy for CONNECT request
- proxy_connect;
- proxy_connect_allow 443;
- proxy_connect_connect_timeout 10s;
- proxy_connect_read_timeout 10s;
- proxy_connect_send_timeout 10s;
- # forward proxy for non-CONNECT request
- location / {
- proxy_pass http://$host;
- proxy_set_header Host $host;
- }
- }
使用场景
7层需要通过HTTP CONNECT来建立隧道,属于客户端有感知的普通代理方式,需要在客户端手动配置HTTP(S)代理服务器IP和端口。在客户端用curl 加-x参数访问如下:
- # curl https://www.baidu.com -svo /dev/null -x 39.105.196.164:443
- * About to connect() to proxy 39.105.196.164 port 443 (#0)
- * Trying 39.105.196.164...
- * Connected to 39.105.196.164 (39.105.196.164) port 443 (#0)
- * Establish HTTP proxy tunnel to www.baidu.com:443
- > CONNECT www.baidu.com:443 HTTP/1.1
- > Host: www.baidu.com:443
- > User-Agent: curl/7.29.0
- > Proxy-Connection: Keep-Alive
- >
- < HTTP/1.1 200 Connection Established
- < Proxy-agent: nginx
- <
- * Proxy replied OK to CONNECT request
- * Initializing NSS with certpath: sql:/etc/pki/nssdb
- * CAfile: /etc/pki/tls/certs/ca-bundle.crt
- CApath: none
- * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- * Server certificate:
- * subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
- ...
- > GET / HTTP/1.1
- > User-Agent: curl/7.29.0
- > Host: www.baidu.com
- > Accept: */*
- >
- < HTTP/1.1 200 OK
- ...
- { [data not shown]
从上面-v参数打印出的细节,可以看到客户端先往代理服务器39.105.196.164建立了HTTP CONNECT隧道,代理回复HTTP/1.1 200 Connection Established后就开始交互TLS/SSL握手和流量了。
NGINX stream (4层解决方案)
既然是使用透传上层流量的方法,那可不可做成“4层代理”,对TCP/UDP以上的协议实现彻底的透传呢?答案是可以的。NGINX官方从1.9.0版本开始支持ngx_stream_core_module模块,模块默认不build,需要configure时加上--with-stream选项来开启。
问题
用NGINX stream在TCP层面上代理HTTPS流量肯定会遇到本文一开始提到的那个问题:代理服务器无法获取客户端想要访问的目的域名。因为在TCP的层面获取的信息仅限于IP和端口层面,没有任何机会拿到域名信息。要拿到目的域名,必须要有拆上层报文获取域名信息的能力,所以NGINX stream的方式不是完全严格意义上的4层代理,还是要略微借助些上层能力。
ngx_stream_ssl_preread_module模块
(编辑:91站长网)
【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
|
