
Nginx模块stream和ngx_http_proxy_connect_module使用体验

因项目环境限制,部署环境分为互联网环境(可访问互联网)和政务外网环境(不可访问互联网);但是因业务需要,需要实现政务外网环境访问外网;(原因不究~~~)

01

02

互联网区Server1 nginx搭建

ngx_http_proxy_connect_module: https://github.com/chobits/ngx_http_proxy_connect_module

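# Build nginx 1.18.0 on Server1 (internet zone) with the stream module and
# ngx_http_proxy_connect_module as a dynamic module. Run as root.

# unzip and patch are both used further down, so install them with the toolchain.
yum install gcc gcc-c++ make automake autoconf libtool pcre pcre-devel zlib zlib-devel openssl openssl-devel wget unzip patch

# The patch and --add-dynamic-module paths below are absolute and assume the
# sources are unpacked under /usr/local/src.
cd /usr/local/src

wget https://nginx.org/download/nginx-1.18.0.tar.gz
# NOTE(review): nginx.org publishes a detached PGP signature next to each tarball
# (nginx-1.18.0.tar.gz.asc); verify it with gpg before unpacking.
# NOTE(review): master.zip is whatever the module's master branch holds at
# download time, so the build is not reproducible. Prefer a tagged release or a
# reviewed commit archive and record its checksum.
wget https://github.com/chobits/ngx_http_proxy_connect_module/archive/master.zip
tar xf nginx-1.18.0.tar.gz
unzip master.zip
cd nginx-1.18.0

# The module ships one patch per nginx version range; its README lists
# proxy_connect_rewrite_1018.patch for nginx 1.17.x - 1.18.x, while
# proxy_connect.patch targets much older releases.
patch -p1 < /usr/local/src/ngx_http_proxy_connect_module-master/patch/proxy_connect_rewrite_1018.patch

# nginx newer than 1.9.11 can build the module dynamically with
# --add-dynamic-module=PATH, in which case nginx.conf needs a load_module line
# pointing at the .so. With --add-module=PATH the module is compiled in and no
# load_module line is needed.
./configure --prefix=/usr/local/nginx-1.18.0 --with-stream --add-dynamic-module=/usr/local/src/ngx_http_proxy_connect_module-master/

make
make install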
# nginx.conf for Server1 (internet zone): one HTTP server on port 11001 that
# reverse-proxies /forecast_pic, plus the forward-proxy servers pulled in from
# proxy.conf at the end of the http block.
worker_processes  auto;
error_log logs/error.log info;

load_module /usr/local/nginx-1.18.0/modules/ngx_http_proxy_connect_module.so; # load_module has to stay here, at the top level ahead of the events and http blocks

events {
worker_connections 1024;
}

http {
include mime.types;
default_type application/octet-stream;

# access_log is set at http level, so the servers included from proxy.conf
# inherit it unless they override it; this log is the audit trail of who used
# the forward proxy (client address, request line, status).
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
keepalive_timeout 65;

server {
listen 11001;
server_name localhost;

# Requests under /forecast_pic are handed to the backend; the address and port
# are redacted (x.x.x.x:xx) by the author.
# NOTE(review): root/index look like leftovers from the default config - with
# proxy_pass handling the location they should have no effect; confirm and drop.
location /forecast_pic{
proxy_pass http://x.x.x.x:xx/forecast_pic ;
root html;
index index.html index.htm;
}

error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
include proxy.conf; # the ngx_http_proxy_connect_module forward-proxy servers are kept in this separate file for readability
}
# cat proxy.conf
# Forward-proxy servers for Server1, included from the http block of nginx.conf:
# port 11003 relays plain HTTP, port 11004 additionally accepts CONNECT (HTTPS).
#
# NOTE(review): neither server restricts who may connect (no allow/deny, no
# authentication), and the upstream is taken from the client-supplied Host, so
# anything that can reach 11003/11004 can relay traffic through this host -
# including to addresses that are internal to this network. Unless a firewall
# already limits these ports to Server2, add an access list to each server
# block, for example:
#   allow <SERVER2_SOURCE_IP>;   # placeholder: the address Server2 connects from
#   deny  all;
server {
listen 11003;

# dns resolver used by forward proxying
resolver 100.125.0.14;

location / {
# Upstream host and URI both come straight from the client request.
proxy_pass http://$host$request_uri;
proxy_set_header HOST $http_host;
proxy_buffers 256 4k;
# 0 disables spooling of responses to temporary files on disk.
proxy_max_temp_file_size 0k;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_next_upstream error timeout invalid_header http_502;
}
}

server {
listen 11004;
# dns resolver used by forward proxying
resolver 100.125.0.14; # DNS server used to resolve the proxied host names

# forward proxy for CONNECT request
proxy_connect;
proxy_connect_allow 443; # CONNECT is only accepted for destination port 443 (HTTPS)
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;

# forward proxy for non-CONNECT request
location / {
proxy_pass http://$host;
proxy_set_header Host $host;
}
}

政务外网区 Server2 Nginx搭建

stream: https://nginx.org/en/docs/stream/ngx_stream_core_module.html

nginx从1.9.0开始,新增加了一个stream模块,用来实现四层协议的转发、代理或者负载均衡等。(代理oracle、mysql等也是非常好用的,推荐~)

# Server2 build (government-extranet zone): stock nginx 1.18.0 with only the
# stream module added. Run as root.

# Build dependencies.
yum install \
  gcc gcc-c++ make automake autoconf libtool \
  pcre pcre-devel zlib zlib-devel openssl openssl-devel wget

# Fetch and unpack the source.
# NOTE(review): nginx.org publishes nginx-1.18.0.tar.gz.asc next to the tarball;
# checking that signature before building is worth the extra step.
wget https://nginx.org/download/nginx-1.18.0.tar.gz
tar xf nginx-1.18.0.tar.gz
cd nginx-1.18.0/

# Configure, compile and install; each step runs only if the previous succeeded.
./configure --prefix=/usr/local/nginx-1.18.0/ --with-stream \
  && make \
  && make install
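# nginx.conf for Server2 (government-extranet zone).
#  - stream{}: layer-4 relays that forward ports 11003/11004 unchanged to the
#    forward proxy listening on the same ports on Server1.
#  - http{}:   a reverse proxy on port 11001 for a few application paths.
worker_processes  1;

events {
    worker_connections 1024;
}

stream {
    # Server1's HTTP forward proxy.
    upstream proxy1 {
        server 16.168.135.174:11003 weight=1 max_fails=2 fail_timeout=30s;
    }

    # Server1's CONNECT-capable (HTTPS) forward proxy.
    upstream proxy2 {
        server 16.168.135.174:11004 weight=1 max_fails=2 fail_timeout=30s;
    }

    # NOTE(review): both listeners accept connections from any source, so every
    # host that can reach Server2 on these ports gets internet access through
    # Server1. The stream module supports allow/deny; restrict each server to the
    # clients that are meant to use the proxy, for example:
    #   allow <CLIENT_SUBNET>;   # placeholder: the hosts permitted to use the proxy
    #   deny  all;
    # NOTE(review): proxy_timeout 3s closes a session after 3 seconds without
    # traffic in either direction; raise it if slow or long-lived HTTPS
    # connections get cut off.
    server {
        listen 11003;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass proxy1;
    }

    server {
        listen 11004;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass proxy2;
    }
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 11001;
        server_name localhost;

        location / {
            # Answer CORS preflight requests directly.
            # NOTE(review): a wildcard Access-Control-Allow-Origin combined with
            # Access-Control-Allow-Credentials 'true' is rejected by browsers for
            # credentialed requests and signals an over-broad policy. List the
            # origins that really need access instead of '*'.
            if ($request_method = 'OPTIONS') {
                add_header 'Access-Control-Allow-Origin' *;
                add_header 'Access-Control-Allow-Credentials' 'true';
                add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,token,timestamp';
                add_header 'Access-Control-Max-Age' 1728000;
                # Fixed: the media type and its charset parameter must be
                # separated by ';' (was 'text/plain charset=UTF-8').
                add_header 'Content-Type' 'text/plain; charset=UTF-8';
                add_header 'Content-Length' 0;
                return 204;
            }
        }

        # Application back ends; addresses and ports are redacted by the author.
        # NOTE(review): root/index look like leftovers from the default config -
        # with proxy_pass handling the location they should have no effect.
        location /forecast_pic {
            proxy_pass http://x.x.x.x:xx1/forecast_pic;
            root html;
            index index.html index.htm;
        }

        location /FJAtmoCompr {
            proxy_pass http://x.x.x.x:xx2/FJAtmoCompr;
        }

        location /cdwarn {
            proxy_pass http://x.x.x.x:xx3/cdwarn;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}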

政务外网区 Server3 代理使用测试

03

为了长期使用,我们将代理设置为系统环境变量

# Make the proxy settings permanent on Server3: open /etc/profile in an editor,
# append the three export lines below, then reload the file in the current shell.
# /etc/profile is read by login shells, so the settings apply to every user who
# logs in; NOTE(review): services and cron jobs that do not start from a login
# shell will presumably not see them - confirm per workload.
vim /etc/profile

# Plain HTTP (and FTP) go to the relay on port 11003; HTTPS goes to port 11004,
# which ends at the CONNECT-capable proxy.
# NOTE(review): no no_proxy is set, so requests to internal addresses are also
# sent through the proxy chain; consider exporting no_proxy for local hosts and
# networks.
export http_proxy='16.167.5.198:11003'
export https_proxy='16.167.5.198:11004'
export ftp_proxy='16.167.5.198:11003'

# Apply the new variables to the current shell without logging in again.
source /etc/profile

04