Nginx reverse proxy for HTTP and HTTPS

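Copyright notice: this is an original article by the blogger and may not be reproduced without the blogger's permission. https://blog.csdn.net/qq_32642039/article/details/78696119

Author's CSDN page: http://blog.csdn.net/qq_32642039/article/details/78489918
Author's personal blog: http://www.51centos.com/
Author's Jianshu page: http://www.jianshu.com/p/60f1957dcb55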

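I. The requirement

Today I got a request: the developers need me to configure nginx to reverse-proxy WeChat (https) links.

II. Process

1. An ordinary reverse proxy can be done directly with proxy_pass, so I won't go into detail.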

server {
   listen 80;
   resolver 8.8.8.8;

   location / {
   proxy_pass https://$host;
   proxy_ignore_headers   Expires Cache-Control;
   proxy_set_header        Host            $host:$server_port;
   proxy_set_header        X-Real-IP       $remote_addr;
   proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header        X-Forwarded-Proto $scheme;
  }
}

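2. Reverse-proxying HTTPS over HTTP

Problems encountered
(1) nginx does not support reverse-proxying an https domain directly over http; there will be a certificate-not-trusted problem. There is also very little material on this, so it took some time, hehe.

Solution:

You need to install the third-party module ngx_http_proxy_connect_module, which only supports older versions of nginx.
The latest module is compatible with the following nginx versions:

1.12.1 (stable version of 1.12.x)
1.10.3 (stable version of 1.10.x)
1.8.1 (stable version of 1.8.x)
1.6.3 (stable version of 1.6.x)
1.4.7 (stable version of 1.4.x)

(2) WeChat links can only be opened in the WeChat client; this will be solved later.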

III. Installation and configuration

1. Installation

(1) Install the module from source:

$ wget http://nginx.org/download/nginx-1.9.2.tar.gz
$ tar -xzvf nginx-1.9.2.tar.gz
$ cd nginx-1.9.2/
$ patch -p1 < /path/to/ngx_http_proxy_connect_module/proxy_connect.patch
$ ./configure --add-module=/path/to/ngx_http_proxy_connect_module
$ make && make install

(2) Configure the virtual host

 server {
     listen                         3128;

     # dns resolver used by forward proxying
     resolver                       8.8.8.8;

     # forward proxy for CONNECT request
     proxy_connect;
     proxy_connect_allow            443 563;
     proxy_connect_connect_timeout  10s;
     proxy_connect_read_timeout     10s;
     proxy_connect_send_timeout     10s;

     # forward proxy for non-CONNECT request
     location / {
         proxy_pass http://$host;
         proxy_set_header Host $host;
     }
 }

(3) Test

a. Test with a WeChat link

curl -v -x 69.69.69.69:80 'https://mp.weixin.qq.com/mp/ad_biz_info?__biz=MzU0MDM0OTg5NQ==&sn=fdd5e5340c2b999acca17a10132cda71&from=moments&tid=1622934775&wx_aid=8827363490&comp_id=18206551&gdt_vid=wx0gar4wdhazsz2200&wx_traceid=wx0gar4wdhazsz2200#wechat_redirect'

Only part of the output is shown; it proves that the proxy works.

[root@Abcdefg vhosts]# * About to connect() to proxy 69.69.69.69 port 80 (#0)
*   Trying 69.69.69.69...
* Connected to 69.69.69.69 (69.69.69.69) port 80 (#0)
* Establish HTTP proxy tunnel to mp.weixin.qq.com:443
> CONNECT mp.weixin.qq.com:443 HTTP/1.1
> Host: mp.weixin.qq.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.0 200 Connection Established
< Proxy-agent: nginx
< 
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=mp.weixin.qq.com,OU=R&D,O=Shenzhen Tencent Computer Systems Company Limited,L=Shenzhen,ST=Guangdong,C=CN
*   start date: Nov 16 00:00:00 2017 GMT
*   expire date: Feb 15 23:59:59 2019 GMT
*   common name: mp.weixin.qq.com
*   issuer: CN=GeoTrust SSL CA - G3,O=GeoTrust Inc.,C=US
> GET /mp/ad_biz_info?__biz=MzU0MDM0OTg5NQ== HTTP/1.1
> User-Agent: curl/7.29.0
> Host: mp.weixin.qq.com
> Accept: */*

b. Test with a Baidu link: success.

curl -v -x 69.69.69.69:80 'https://baike.baidu.com/tashuo/browse/content?id=222bebc5d8b95a24b0bd5e9c'

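IV. Testing with the WeChat client

Connect the iPhone to Wi-Fi, choose to use a proxy server, and enter the reverse proxy server's IP address 69.69.69.69 and the corresponding port 3128. Then test opening the link in the WeChat client: success. (The markdown image is not clear, so I am not including it.)

Reference link: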
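
The server block above contains no client restriction, so any host that can reach the listening port can open CONNECT tunnels through it, and reviewing who actually does is worthwhile. The following is an added example, not part of the original post: a Python audit of nginx access-log lines in the default combined format that flags established CONNECT tunnels from clients outside an expected network, to ports outside the proxy_connect_allow list, or to internal IP literals. The trusted network and the log lines are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed policy (hypothetical values; adapt to the deployment)
ALLOWED_PORTS = {443, 563}                      # same ports as proxy_connect_allow
TRUSTED_CLIENTS = [ip_network("192.0.2.0/24")]  # clients expected to use the proxy
# nginx "combined" format: addr - user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<client>[0-9a-fA-F.:]+) \S+ \S+ \[[^\]]+\] '
    r'"CONNECT (?P<host>[^\s:]+):(?P<port>\d+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def is_internal(host):
    """True if host is an IP literal in a private, loopback or link-local range."""
    try:
        ip = ip_address(host)
    except ValueError:
        return False  # a hostname; resolving it is outside this example
    return ip.is_private or ip.is_loopback or ip.is_link_local

def audit(lines):
    """Return (line_no, client, target, reasons) for each suspicious tunnel."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # not a CONNECT request, or no tunnel was established
        client = ip_address(m["client"])
        reasons = []
        if not any(client in net for net in TRUSTED_CLIENTS):
            reasons.append("untrusted-client")
        if int(m["port"]) not in ALLOWED_PORTS:
            reasons.append("port-not-allowed")
        if is_internal(m["host"]):
            reasons.append("internal-target")
        if reasons:
            findings.append((n, m["client"], f'{m["host"]}:{m["port"]}', reasons))
    return findings

# Constructed sample log lines (not taken from the page)
SAMPLE = [
    '192.0.2.10 - - [05/Dec/2017:10:00:01 +0800] "CONNECT mp.weixin.qq.com:443 HTTP/1.1" 200 5120 "-" "curl/7.29.0"',
    '203.0.113.7 - - [05/Dec/2017:10:00:05 +0800] "CONNECT mp.weixin.qq.com:443 HTTP/1.1" 200 812 "-" "-"',
    '192.0.2.10 - - [05/Dec/2017:10:00:09 +0800] "CONNECT 10.0.0.5:443 HTTP/1.1" 200 90 "-" "-"',
    '203.0.113.7 - - [05/Dec/2017:10:00:12 +0800] "CONNECT 127.0.0.1:8080 HTTP/1.1" 200 64 "-" "-"',
    '192.0.2.12 - - [05/Dec/2017:10:00:15 +0800] "GET http://example.org/ HTTP/1.1" 200 1270 "-" "-"',
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Only CONNECT requests are examined; plain HTTP requests handled by the location / block, and CONNECT targets written as bracketed IPv6 literals, are skipped by the pattern.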
https://github.com/chobits/ngx_http_proxy_connect_module
