nginx转发tls和tcp
使用的版本是1.22.0
转发tcp
获取前 4 字节来判断转发目标。peek 只是查看一眼，不会把流数据消费掉。
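stream {
    upstream serverA {
        server 127.0.0.1:8001;
    }
    upstream serverB {
        server 127.0.0.1:8002;
    }

    # $proxy is assigned from Lua during the preread phase; a stream variable
    # must be declared with lua_add_variable before ngx.var can write it.
    lua_add_variable $proxy;

    server {
        listen 11301;

        # Pick the upstream from the first 4 bytes of the client stream.
        # peek() only inspects the preread buffer and does not consume it,
        # so the chosen upstream still receives the complete stream.
        preread_by_lua_block {
            local sock, err = ngx.req.socket()
            if not sock then
                -- Without a downstream socket there is nothing to route;
                -- terminate the session instead of raising a Lua error.
                ngx.log(ngx.ERR, "failed to get downstream socket: ", err)
                return ngx.exit(ngx.ERROR)
            end

            local data, perr = sock:peek(4)
            if not data then
                -- Timeout or short read: log it rather than routing silently.
                -- The serverB fallback below is kept so existing clients see
                -- the same behaviour as before.
                ngx.log(ngx.ERR, "peek failed: ", perr)
            end

            -- The backend choice is driven by unauthenticated client bytes,
            -- so both upstreams must be acceptable for any client of this port.
            if data == "serA" then
                ngx.var.proxy = "serverA"
            else
                ngx.var.proxy = "serverB"
            end
        }
        proxy_pass $proxy;
    }
}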
转发tls
利用 TLS 的 server name（SNI）进行转发，规则可以写死，也可以用正则。
同理可以转发基于tls的grpc
（nginx 也对 grpc 的转发有单独的支持，这里不展开。）
# Route on the SNI seen by ssl_preread without terminating TLS.
# These directives belong inside the stream {} context (not shown here).
# No `default` entry: an SNI that matches nothing leaves $targetBackend empty
# and proxy_pass cannot connect, so unknown names fail closed rather than
# reaching an arbitrary backend. Add `default ...;` only if a catch-all is wanted.
# Note: SNI is sent in the clear by the client and is not authenticated here;
# it only selects the backend, it proves nothing about the client.
map $ssl_preread_server_name $targetBackend {
    # The (.*) capture is never referenced; `~^org11` alone matches the same names.
    ~^org11(.*) node1;
    ~^org22(.*) node1;
    org1 node1;
    org2 node2;
    org3 node1-grpc;
}
upstream node1 {
    server 127.0.0.1:11301;
}
upstream node2 {
    server 127.0.0.1:11302;
}
# gRPC over TLS is routed the same way: the TLS stream is passed through untouched.
upstream node1-grpc {
    server 127.0.0.1:12301;
}
server {
    listen 18301;
    # Required for $ssl_preread_server_name to be populated.
    ssl_preread on;
    proxy_pass $targetBackend;
    # `proxy` refers to a log_format that must be declared in the stream context
    # (not shown on this page).
    access_log logs/access.log proxy;
}
也可以在lua里动态获取servername
-- Read the SNI the client sent, for routing decisions made in Lua.
-- ngx_ssl is presumably the lua-resty-core "ngx.ssl" module (require "ngx.ssl").
-- server_name() also returns an error as its second value, and the name is
-- nil when the client sent no SNI -- check both before routing on it.
local server_name = ngx_ssl.server_name()
tcp转tls 转发后再转tcp
client --(tcp)--> 客户端nginx --(tls)--> 服务端nginx --(tcp)--> server
服务端nginx配置
# This configuration file sets up the proxy for aby3's party 0.
# Server-side nginx: terminates TLS on 8185, routes on the SNI the client
# sent ($ssl_server_name), then forwards plain TCP to a local backend.
stream {
    # No `default` entry: an SNI not listed here leaves $stream_map empty and
    # the session fails instead of reaching an arbitrary backend (fail closed).
    map $ssl_server_name $stream_map {
        aby3_task_1 upstream_task_1;
        aby3_task_2 upstream_task_2;
    }
    upstream upstream_task_1 {
        server 127.0.0.1:1313;
    }
    upstream upstream_task_2 {
        server 127.0.0.1:1314;
    }
    server {
        listen 8185 ssl;
        ssl_certificate /home/chainmaker/nginx-cfg/cert/server1.crt;
        ssl_certificate_key /home/chainmaker/nginx-cfg/cert/server1.key;
        # NOTE(review): ssl_verify_client is not set, so any peer that can reach
        # 8185 and presents a listed SNI is proxied to the backend. If this port
        # crosses a trust boundary, consider mutual TLS
        # (`ssl_verify_client on;` plus `ssl_client_certificate <CA-path>;`).
        proxy_pass $stream_map;
        # The backend hop is plain TCP.
        proxy_ssl off;
        # TLS is terminated on this listener, so no SNI preread is needed.
        ssl_preread off;
    }
}
客户端nginx
# Client-side nginx: accepts local connections and re-encrypts them to the
# server-side nginx, selecting the remote task via the SNI it sends
# (proxy_ssl_name), which the server-side map routes on.
stream {
    server {
        # NOTE(review): `ssl` here means the local hop is TLS as well, whereas the
        # diagram above shows plain TCP into this nginx; drop `ssl` (and the
        # ssl_certificate lines) if the local client should not speak TLS.
        listen 8184 ssl;
        proxy_pass 192.168.30.110:8185;
        proxy_ssl on;
        # NOTE(review): proxy_ssl_verify is not enabled (nginx default is off), so
        # the upstream nginx's certificate is never checked and the tunnel does not
        # resist impersonation of 192.168.30.110. Add `proxy_ssl_verify on;` and
        # `proxy_ssl_trusted_certificate <CA-bundle-path>;` to pin trust.
        # Certificate of TLS server, this TLS server is nginx, nginx
        # will send certificate to client.
        # (Identical in both server blocks; they may be set once at stream level.)
        ssl_certificate /home/chainmaker/nginx/cert/server1.crt;
        ssl_certificate_key /home/chainmaker/nginx/cert/server1.key;
        # Send SNI on the upstream connection; the value below is what the
        # server-side map matches.
        proxy_ssl_server_name on;
        proxy_ssl_name aby3_task_1;
    }
    server {
        listen 9184 ssl;
        proxy_pass 192.168.30.110:9185;
        proxy_ssl on;
        # Same verification gap as the server block above: no proxy_ssl_verify.
        # Certificate of TLS server, this TLS server is nginx, nginx
        # will send certificate to client.
        ssl_certificate /home/chainmaker/nginx/cert/server1.crt;
        ssl_certificate_key /home/chainmaker/nginx/cert/server1.key;
        proxy_ssl_server_name on;
        proxy_ssl_name aby3_task_2;
    }
}