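By default, nginx does not support forward proxying of HTTPS traffic. To use nginx as a forward proxy for HTTPS, you need to add a module and recompile nginx.
Environment:
CentOS 7
Required files: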
https://github.com/chobits/ngx_http_proxy_connect_module
http://nginx.org/packages/centos/7/SRPMS/nginx-1.12.2-1.el7_4.ngx.src.rpm
Install the build tools
yum install gcc gcc-c++ make -y
yum install rpm-build rpmdevtools -y
Install the dependencies
yum install pcre-devel pcre -y
yum install zlib-devel zlib -y
yum install openssl-devel openssl -y
yum install redhat-lsb-core -y
Download the nginx source, the module source, and the RPM build package
cd /root
# Module that adds HTTPS proxy support
git clone https://github.com/chobits/ngx_http_proxy_connect_module.git
# RPM build files and nginx source
wget http://nginx.org/packages/centos/7/SRPMS/nginx-1.12.2-1.el7_4.ngx.src.rpm
Modify the nginx source RPM to add the ngx_http_proxy_connect_module module
# Initialize the rpmbuild directory tree
cd /root
rpmdev-setuptree
cp /root/nginx-1.12.2-1.el7_4.ngx.src.rpm /root/rpmbuild/SOURCES/
cd /root/rpmbuild/SOURCES/
rpm2cpio nginx-1.12.2-1.el7_4.ngx.src.rpm |cpio -dvi
rm /root/rpmbuild/SOURCES/nginx-1.12.2-1.el7_4.ngx.src.rpm
tar -xf nginx-1.12.2.tar.gz
cd /root/rpmbuild/SOURCES/nginx-1.12.2
# Different nginx versions need different patch files; see the project's GitHub home page for details
patch -p1 < /root/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite.patch
cd /root/rpmbuild/SOURCES/
tar -czvf nginx-1.12.2.tar.gz nginx-1.12.2
Modify the nginx.spec file to add the module's build option
Add the --add-module=/root/ngx_http_proxy_connect_module option to each configure command in nginx.spec.
The modified commands:
%build
./configure %{BASE_CONFIGURE_ARGS} \
--add-module=/root/ngx_http_proxy_connect_module \
--with-cc-opt="%{WITH_CC_OPT}" \
--with-ld-opt="%{WITH_LD_OPT}" \
--with-debug
make %{?_smp_mflags}
%{__mv} %{bdir}/objs/nginx \
%{bdir}/objs/nginx-debug
./configure %{BASE_CONFIGURE_ARGS} \
--add-module=/root/ngx_http_proxy_connect_module \
--with-cc-opt="%{WITH_CC_OPT}" \
--with-ld-opt="%{WITH_LD_OPT}"
make %{?_smp_mflags}
Build the RPM package
rpmbuild -bb nginx.spec
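The built RPM packages are under /root/rpmbuild/RPMS.
Modify the nginx configuration file
A basic HTTP proxy uses the configuration file /etc/nginx/conf.d/proxy.conf shown below. To support HTTPS, we need to add the configuration directives for the CONNECT method.
Simple HTTP proxy configuration file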
server {
    resolver 114.114.114.114;
    listen 9999;
    access_log /var/log/nginx/http_proxy.access.log main;
    error_log /var/log/nginx/http_proxy.error.log;
    location / {
        proxy_pass $scheme://$http_host$request_uri;
    }
}
HTTPS/HTTP proxy configuration file
server {
    resolver 114.114.114.114;
    listen 9999;
    proxy_connect;
    proxy_connect_allow 443 563;
    proxy_connect_connect_timeout 10s;
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;
    access_log /var/log/nginx/http_proxy.access.log main;
    error_log /var/log/nginx/http_proxy.error.log;
    location / {
        proxy_pass $scheme://$http_host$request_uri;
    }
}
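The server block above accepts CONNECT from any client that can reach port 9999 and limits tunnels only by destination port, so the access log is where proxy usage becomes visible. The following script is an added example, not part of the original article or the module's own code: it reads access-log lines and reports CONNECT requests aimed at ports outside the proxy_connect_allow list. The names audit_connect_ports, sample_log and ALLOWED_PORTS are hypothetical, the log lines are constructed, and the stock "main" log_format is assumed.

```shell
#!/bin/sh
# Added example: audit CONNECT requests in the proxy access log.
# Assumption: the stock "main" log_format (client address first, $request as
# the first quoted string, $status right after it).
ALLOWED_PORTS="443 563"   # keep in sync with proxy_connect_allow

# Constructed sample lines using documentation addresses, not real traffic.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [01/Jan/2024:10:00:00 +0800] "CONNECT example.com:443 HTTP/1.1" 200 5120 "-" "curl/7.29.0" "-"
192.0.2.10 - - [01/Jan/2024:10:00:05 +0800] "GET http://example.com/ HTTP/1.1" 200 612 "-" "curl/7.29.0" "-"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0800] "CONNECT mail.example.net:25 HTTP/1.1" 403 169 "-" "-" "-"
198.51.100.7 - - [01/Jan/2024:10:01:02 +0800] "CONNECT 203.0.113.5:22 HTTP/1.1" 403 169 "-" "-" "-"
192.0.2.11 - - [01/Jan/2024:10:02:00 +0800] "CONNECT news.example.org:563 HTTP/1.1" 200 2048 "-" "-" "-"
EOF
}

# Print "client target status" for each CONNECT to a port outside the allowlist.
audit_connect_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # Split on double quotes: q[2] is $request, q[3] begins with $status.
        if (split($0, q, "\"") < 3) next
        if (split(q[2], req, " ") < 2 || req[1] != "CONNECT") next
        target = req[2]
        port = target
        sub(/^.*:/, "", port)                  # keep what follows the last colon
        if (port == target || port !~ /^[0-9]+$/) port = "none"   # no usable port
        split(q[3], rest, " ")                 # rest[1] is the response status
        if (!(port in ok)) print $1, target, rest[1]
    }'
}

# Demonstration on the constructed sample.
sample_log | audit_connect_ports
```

On a live proxy, feed it the real log: audit_connect_ports < /var/log/nginx/http_proxy.access.log. A status of 200 in the third column would mean a tunnel was opened to a port that is not on the allowlist.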