使用NatApp均能解决内网IP+端口映射到公网IP+端口的问题,但是无法控制访问来源,如果你的系统比较敏感又需要控制访问源,则可以使用NATAPP+OpenResty+Redis的方案实现内网穿透的自主IP授权。
内网穿透简介
内网穿透简单来说就是将内网外网通过应用级的隧道打通,让内网的数据让外网可以获取。
有如下典型的使用场景
- 本地开发环境内网穿透
- 支付回调
- 单点登录回调
- 数据推送
- 公司内网穿透
- 访问内网的办公软件
- 临时web系统演示
- 内部gitlab私密共享
- 家庭内网穿透
- 远程控制放在家里的树莓派,服务器
NATAPP实现内网穿透
NATAPP使用参加官网文档即可,不是本文介绍重点
NATAPP教程/文档
OpenResty+Redis实现自主IP授权
以Centos 7为例,配置步骤如下
Redis安装
yum install redis -y
OpenResty安装
#安装编译依赖
yum install pcre-devel openssl-devel gcc curl -y
#下载openresty源码包
wget https://openresty.org/download/openresty-1.15.8.2.tar.gz
#解压源码包
tar -xzvf openresty-1.15.8.2.tar.gz
#编译安装
cd openresty-1.15.8.2
./configure
gmake && gmake install
ln -sf /usr/local/openresty/nginx/sbin/nginx /sbin/nginx
#设置配置文件软链接
ln -s /usr/local/openresty/nginx/conf/nginx.conf /etc/nginx.conf
sockproc 安装
lua调用shell命令需要
git clone https://github.com/juce/sockproc
cd sockproc
make
cp sockproc /sbin/sockproc
sockproc /tmp/shell.sock
chmod 0666 /tmp/shell.sock
下载lua-resty-shell组件
lua调用shell的组件
git clone https://github.com/juce/lua-resty-shell
cd lua-resty-shell
cp lib/resty/shell.lua /usr/local/openresty/lualib/resty/
lua脚本编写
lua脚本实现ip白名单添加
编辑addip.lua
cd /usr/local/openresty/lualib
vim addip.lua
addip.lua内容
local REDIS_HOST = "127.0.0.1"
local REDIS_PORT = "6379"
local REDIS_CONN_TIMEOUT = 3
local WHITEIPS_KEY = "ip_white"
local ip = ngx.var.http_x_real_ip
local redis = require "resty.redis";
local red=redis:new();
function addWhitelist(ip)
local exists = red:sismember(WHITEIPS_KEY,ip);
if tonumber(exists) ~= 1 then
red:sadd(WHITEIPS_KEY, ip);
ngx.log(ngx.INFO,"add your ip to whitelist,ip:" .. ip);
ngx.say("add your ip to whitelist,ip:" .. ip)
else
ngx.log(ngx.INFO,"your ip already in whitelist,ip:" .. ip);
ngx.say("your ip already in whitelist,ip:" .. ip)
end
return true;
end
ngx.log(ngx.DEBUG,"remote_addr is ",ip);
red:set_timeout(REDIS_CONN_TIMEOUT);
local ok,err = red:connect(REDIS_HOST,REDIS_PORT);
if not ok then
ngx.log(ngx.INFO,"redis connection error ");
return ngx.exit(ngx.HTTP_BAD_GATEWAY);
end
addWhitelist(ip);
ok, err = red:set_keepalive(1000,100);
if not ok then
red:close();
end
lua脚本实现ip校验
编辑checkip.lua
cd /usr/local/openresty/lualib
vim checkip.lua
checkip.lua内容
local REDIS_HOST = "127.0.0.1"
local REDIS_PORT = "6379"
local REDIS_CONN_TIMEOUT = 3
local WHITEIPS_KEY = "ip_white"
local ip = ngx.var.http_x_real_ip
local redis = require "resty.redis";
local red=redis:new();
function ignoreWhitelist(ip)
local exists = red:sismember(WHITEIPS_KEY,ip);
if tonumber(exists) == 1 then
ngx.log(ngx.INFO," this is white ip ");
return true;
end
return false;
end
ngx.log(ngx.INFO,"remote_addr is ",ip);
red:set_timeout(REDIS_CONN_TIMEOUT);
local ok,err = red:connect(REDIS_HOST,REDIS_PORT);
if not ok then
ngx.log(ngx.INFO,"redis connection error ");
return ngx.exit(ngx.HTTP_BAD_GATEWAY);
end
local flg = ignoreWhitelist(ip);
if flg==false then
return ngx.exit(ngx.HTTP_FORBIDDEN);
end
ok, err = red:set_keepalive(1000,100);
if not ok then
red:close();
end
配置认证文件
安装httpd
yum install httpd-tools -y
添加认证账号
htpasswd -d /usr/local/openresty/nginx/conf/pass_file username
配置OpenResty
OpenResty核心配置文件
server {
listen 80;
server_name onegit.natapp1.cc;
access_log /var/log/access_log.log main;
# 获取NATAPP header中的访问用户ip
set_by_lua_block $http_x_real_ip {
local ip = ngx.req.get_headers()["X-Real-IP"]
return ip and ip or ngx.var.remote_addr
}
location / {
# 校验ip是否在白名单中
access_by_lua_file /usr/local/openresty/lualib/checkip.lua;
# 内网系统地址 ${nat_url}
proxy_pass http://x.x.x.x;
}
# 动态ip白名单添加访问地址
location = /api/addip {
auth_basic "登录认证";
# 认证账号密码存储文件
auth_basic_user_file /usr/local/openresty/nginx/conf/pass_file;
default_type 'text/html';
content_by_lua_file /usr/local/openresty/lualib/addip.lua;
}
}
启动或重启OpenResty
#启动OpenResty
nginx
#重启OpenResty
nginx -s reload
访问步骤
- 添加访问ip到ip白名单中
访问地址${nat_url}/api/addip,并输入htpasswd配置的认证账号密码,自动添加当前访问用户的ip到白名单中。
其中${nat_url}为natapp中分配的隧道公网访问地址 - 访问隧道配置的内网系统
访问${nat_url}即可
2030
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
