Preface
The official documentation shows that a single-port reverse proxy is easy to set up; the configuration is split into a portal side and a bridge side:
- the portal side is the one with a public IP;
- the bridge side is the one where the actual application runs;
Portal-side configuration:
{
  "inbounds": [
    {
      "tag": "in_tomcat",
      "port": 10001,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1",
        "port": 8443,
        "network": "tcp"
      }
    },
    {
      "tag": "in_interconn",
      "port": 10000,
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
          }
        ]
      }
    }
  ],
  "reverse": {
    "portals": [
      {
        "tag": "portal",
        "domain": "test.example.org"
      }
    ]
  },
  "routing": {
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "in_tomcat"
        ],
        "outboundTag": "portal"
      },
      {
        "type": "field",
        "inboundTag": [
          "in_interconn"
        ],
        "outboundTag": "portal"
      }
    ]
  }
}
Bridge-side configuration:
{
  "outbounds": [
    {
      "tag": "out_tomcat",
      "protocol": "freedom",
      "settings": {
        "redirect": "127.0.0.1:8443"
      }
    },
    {
      "tag": "out_interconn",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "xxx.xxx.xxx.xxx",
            "port": 10000,
            "users": [
              {
                "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
              }
            ]
          }
        ]
      }
    }
  ],
  "reverse": {
    "bridges": [
      {
        "tag": "bridge",
        "domain": "test.example.org"
      }
    ]
  },
  "routing": {
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "bridge"
        ],
        "domain": [
          "full:test.example.org"
        ],
        "outboundTag": "out_interconn"
      },
      {
        "type": "field",
        "inboundTag": [
          "bridge"
        ],
        "outboundTag": "out_tomcat"
      }
    ]
  }
}
A brief explanation:
The portal side needs two inbounds:
1. one that accepts the connection initiated by the bridge side (it pairs with the bridge side and provides the NAT traversal);
2. one that accepts requests from the outside (the port we actually connect to).
The bridge side needs two outbounds:
1. one that initiates the connection to the portal side (it pairs with the portal's inbound 1);
2. one that forwards the externally initiated requests (the content that the port we connect to ultimately forwards to).
Requirement
My requirement now is that the bridge side has gained a new application, an apache2 server on port 443, which must be reachable through port 10002 on the portal side;
Therefore:
Portal side
A new inbound is needed:
{
  "tag": "in_apache2",
  "port": 10002,
  "protocol": "dokodemo-door",
  "settings": {
    "address": "127.0.0.1",
    "port": 443,
    "network": "tcp"
  }
}
The portal's routing rules also need a new entry; like the two existing rules, its outboundTag is the tag of the reverse portal ("portal"):
{
  "type": "field",
  "inboundTag": [
    "in_apache2"
  ],
  "outboundTag": "portal"
}
Bridge side
Add an outbound:
{
  "tag": "out_apache2",
  "protocol": "freedom",
  "settings": {
    "redirect": "127.0.0.1:443"
  }
}
Everything has gone smoothly so far, but how do we make the single "bridge" inbound distinguish traffic that arrived on the two different ports?
Reading the documentation, I found that the port field can be used to filter and match, so the modified bridge-side routing rules are as follows:
"routing": {
  "rules": [
    {
      "type": "field",
      "inboundTag": [
        "bridge"
      ],
      "domain": [
        "full:test.example.org"
      ],
      "outboundTag": "out_interconn"
    },
    // Added: start
    {
      "type": "field",
      "inboundTag": [
        "bridge"
      ],
      "port": "443",
      "outboundTag": "out_apache2"
    },
    // Added: end
    {
      "type": "field",
      "inboundTag": [
        "bridge"
      ],
      "port": "8443", // Added
      "outboundTag": "out_tomcat"
    }
  ]
}
The port here must match the settings.port field of the corresponding inbound on the portal side;
That's all.
Notes
1. The id used for the connection between portal and bridge must be identical on both sides (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in the example above);
2. The portal's reverse.portals.domain must be identical to the bridge's reverse.bridges.domain (test.example.org in the example above);
3. Regarding the domain in 2, the official site says it does not need to actually exist; in practice I strongly recommend that it must not exist, because it is only used to tell traffic apart, and if it collides with a domain you use day to day it will cause problems;
4. Also, domain must be a domain name; it must not contain '/';
5. tags are only used to identify local routing rules and are not passed across the tunnel, so the portal's reverse.portals tag and the bridge's reverse.bridges tag can differ and the two sides will still pair up (as in 2, only the domain has to match);
6. This article only covers the configuration steps for reverse proxy plus NAT traversal; it makes no comment on any other features.
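The pairing rules above (shared id, identical domain without '/', tags that are only local, and one bridge "port" rule per portal dokodemo-door target port) are easy to get wrong when a config is edited by hand. The script below is an added example, not code from this post or from the V2Ray project: it loads a portal and a bridge config, strips the `//` line comments V2Ray tolerates, and reports every rule that is violated. The two embedded configs are constructed samples mirroring the ones in this post, with the UUID and portal address left as placeholders.

```python
"""Consistency checks for a V2Ray reverse-proxy portal/bridge config pair.

Added example; not code from the original post or from the V2Ray project.
Checks: a shared vmess id, identical reverse domains without '/', every
routing outboundTag resolvable on its own side, and one bridge "port"
rule for each dokodemo-door target port defined on the portal.
"""
import json
import re

# Constructed sample configs, trimmed to the fields the checks read.
# The UUID and the portal address are placeholders, as in the post.
PORTAL_CONFIG = """{
  "inbounds": [
    {"tag": "in_tomcat", "port": 10001, "protocol": "dokodemo-door",
     "settings": {"address": "127.0.0.1", "port": 8443, "network": "tcp"}},
    {"tag": "in_apache2", "port": 10002, "protocol": "dokodemo-door",
     "settings": {"address": "127.0.0.1", "port": 443, "network": "tcp"}},
    {"tag": "in_interconn", "port": 10000, "protocol": "vmess",
     "settings": {"clients": [{"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}]}}],
  "reverse": {"portals": [{"tag": "portal", "domain": "test.example.org"}]},
  "routing": {"rules": [
    {"type": "field", "inboundTag": ["in_tomcat"], "outboundTag": "portal"},
    {"type": "field", "inboundTag": ["in_apache2"], "outboundTag": "portal"},
    {"type": "field", "inboundTag": ["in_interconn"], "outboundTag": "portal"}]}}"""

BRIDGE_CONFIG = """{
  "outbounds": [
    {"tag": "out_tomcat", "protocol": "freedom", "settings": {"redirect": "127.0.0.1:8443"}},
    {"tag": "out_apache2", "protocol": "freedom", "settings": {"redirect": "127.0.0.1:443"}},
    {"tag": "out_interconn", "protocol": "vmess", "settings": {"vnext": [
      {"address": "xxx.xxx.xxx.xxx", "port": 10000,
       "users": [{"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}]}]}}],
  "reverse": {"bridges": [{"tag": "bridge", "domain": "test.example.org"}]},
  "routing": {"rules": [
    {"type": "field", "inboundTag": ["bridge"], "domain": ["full:test.example.org"],
     "outboundTag": "out_interconn"},
    // one "port" rule per dokodemo-door target port on the portal
    {"type": "field", "inboundTag": ["bridge"], "port": "443", "outboundTag": "out_apache2"},
    {"type": "field", "inboundTag": ["bridge"], "port": "8443", "outboundTag": "out_tomcat"}]}}"""

# Matches either a JSON string or a // comment; strings win when they come first,
# so a "//" inside a string value is never treated as a comment.
_STRING_OR_COMMENT = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*')

def strip_comments(text):
    """Drop `//` line comments (V2Ray accepts them) while leaving strings intact."""
    return _STRING_OR_COMMENT.sub(
        lambda m: "" if m.group().startswith("//") else m.group(), text)

def port_rule_matches(spec, port):
    """True if a V2Ray port spec ("443", "80,443", "1000-2000") covers port."""
    for part in str(spec).split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def check_pair(portal_text, bridge_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    portal = json.loads(strip_comments(portal_text))
    bridge = json.loads(strip_comments(bridge_text))
    problems = []
    # Note 1: the interconnection's vmess id must be identical on both sides.
    portal_ids = {c["id"] for ib in portal["inbounds"] if ib["protocol"] == "vmess"
                  for c in ib["settings"]["clients"]}
    bridge_ids = {u["id"] for ob in bridge["outbounds"] if ob["protocol"] == "vmess"
                  for v in ob["settings"]["vnext"] for u in v["users"]}
    if not portal_ids & bridge_ids:
        problems.append("no shared vmess id between portal clients and bridge users")
    # Notes 2 and 4: reverse domains must match and be bare host names.
    p_domains = {p["domain"] for p in portal["reverse"]["portals"]}
    b_domains = {b["domain"] for b in bridge["reverse"]["bridges"]}
    if p_domains != b_domains:
        problems.append(f"reverse domain mismatch: portal {sorted(p_domains)} "
                        f"vs bridge {sorted(b_domains)}")
    for d in p_domains | b_domains:
        if "/" in d:
            problems.append(f"reverse domain {d!r} must be a host name without '/'")
    # Note 5: tags are local, so every routing outboundTag must name an outbound
    # or a reverse portal defined on that same side.
    for side, cfg in (("portal", portal), ("bridge", bridge)):
        known = {o["tag"] for o in cfg.get("outbounds", [])}
        known |= {p["tag"] for p in cfg.get("reverse", {}).get("portals", [])}
        for r in cfg.get("routing", {}).get("rules", []):
            if r["outboundTag"] not in known:
                problems.append(f"{side}: rule outboundTag {r['outboundTag']!r} "
                                "matches no outbound or portal tag")
    # The port a portal dokodemo-door inbound forwards to is what the bridge's
    # "port" rules match on, so each such port needs a matching bridge rule.
    bridge_tags = {b["tag"] for b in bridge["reverse"]["bridges"]}
    port_rules = [r for r in bridge.get("routing", {}).get("rules", [])
                  if "port" in r and bridge_tags & set(r.get("inboundTag", []))]
    for ib in portal["inbounds"]:
        if ib["protocol"] == "dokodemo-door":
            target = int(ib["settings"]["port"])
            if not any(port_rule_matches(r["port"], target) for r in port_rules):
                problems.append(f"portal inbound {ib['tag']!r} forwards to port "
                                f"{target} but no bridge rule matches that port")
    return problems

if __name__ == "__main__":
    for line in check_pair(PORTAL_CONFIG, BRIDGE_CONFIG) or ["configs are consistent"]:
        print(line)
```

To check your own pair, replace the two embedded strings with the contents of the real config files; a rule whose outboundTag names a tag that exists only on the other side (for example a routing rule pointing at a tag the reverse portal does not carry) is reported under the note 5 check, and a new dokodemo-door inbound on the portal without a matching "port" rule on the bridge is reported under the last check.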