Forwarding specified domains from Linux through an NGINX forward proxy on a DMZ server

For study and reference only

1. Tech stack

Forward proxy: NGINX + ngx_http_proxy_connect_module

NGINX 1.14.2 (download link in section 2) and chobits/ngx_http_proxy_connect_module: A forward proxy module for CONNECT request handling (github.com)

Traffic control (deciding which domains go through the proxy): privoxy (Privoxy - Home Page)

Installation method: from source. Linux distribution: RedHat 7 or SUSE 12

2. Source preparation

If gcc, gcc-c++, zlib, pcre and openssl (with their development headers) are already installed, the whole installation is much simpler.

https://nginx.org/download/nginx-1.14.2.tar.gz
https://www.openssl.org/source/openssl-1.1.1m.tar.gz
http://zlib.net/zlib-1.2.11.tar.gz
https://free.nchc.org.tw/osdn//sfnet/p/pc/pcre/pcre/8.44/pcre-8.44.tar.gz
https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v0.0.2.zip
https://www.privoxy.org/sf-download-mirror/Sources/3.0.33%20%28stable%29/privoxy-3.0.33-stable-src.tar.gz

3. Compile and install NGINX and the required modules

In my environment only PCRE was missing for the NGINX build, so only PCRE and the add-on module are compiled here.

# Download the sources
wget https://nginx.org/download/nginx-1.14.2.tar.gz
tar -zxvf nginx-1.14.2.tar.gz
cd nginx-1.14.2
wget https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v0.0.2.zip
# the GitHub archive is a zip, not a tarball, so unpack it with unzip
unzip v0.0.2.zip
# the archive unpacks into a versioned directory; rename it to the module name used below
mv ngx_* ngx_http_proxy_connect_module
wget https://free.nchc.org.tw/osdn//sfnet/p/pc/pcre/pcre/8.44/pcre-8.44.tar.gz
tar -zxvf pcre-8.44.tar.gz
# Apply the module's patch for this NGINX release (the module README lists which patch matches which NGINX version)
patch -p1 < ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1014.patch
./configure --with-pcre=pcre-8.44 --add-module=ngx_http_proxy_connect_module
make -j2 && make install

4. Configure the NGINX forward proxy

cd /usr/local/nginx/conf/
vim nginx.conf
# Add a server block inside the http {} context
 server {
     listen                         3128;
     # dns resolver used by forward proxying
     resolver                       8.8.8.8;
     # forward proxy for CONNECT request
     proxy_connect;
     proxy_connect_allow            443 563;
     proxy_connect_connect_timeout  10s;
     proxy_connect_read_timeout     10s;
     proxy_connect_send_timeout     10s;
     # forward proxy for non-CONNECT request
     location / {
         proxy_pass http://$host;
         proxy_set_header Host $host;
     }
 }
# Check the configuration, then start; the source build installs the binary under /usr/local/nginx/sbin
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx
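The server block above answers CONNECT for any client that can reach port 3128 and resolves names through a public resolver; on a DMZ host that is an open forward proxy for whoever can reach it. The script below is an added example, not part of the original page or of ngx_http_proxy_connect_module: it renders a restricted version of the same block (a client ACL with allow/deny from ngx_http_access_module, which the configure line in section 3 builds in by default; CONNECT limited to 443; an internal resolver; a dedicated access log) and checks that the allow rule precedes deny all, since the access module stops at the first matching rule. The intranet CIDR 10.0.0.0/8, the resolver 10.0.0.53 and the log path are assumptions. Confirm the ACL with the three-host test from the next step: a client outside the CIDR should be answered with 403.

```shell
#!/bin/sh
# Added example, not from the original page: render a locked-down version of
# the forward-proxy server block. The CIDR and resolver passed in are
# assumptions; replace them with your own values.

render_proxy_conf() {
    # $1 = client network allowed to use the proxy, $2 = internal DNS resolver
    cidr="$1"
    resolver="$2"
    cat <<EOF
server {
    # bind to the internal-facing address instead of 0.0.0.0 if the DMZ host has one
    listen                         3128;
    # only the internal network may use the proxy; everyone else gets 403
    allow                          ${cidr};
    deny                           all;
    # resolve through the internal resolver, not a public one
    resolver                       ${resolver};
    # log every tunnel so abuse can be traced (path is relative to the nginx prefix)
    access_log                     logs/proxy.access.log;
    proxy_connect;
    # HTTPS only; 563 (NNTPS) is dropped unless it is actually needed
    proxy_connect_allow            443;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;
    location / {
        proxy_pass       http://\$host;
        proxy_set_header Host \$host;
    }
}
EOF
}

# Sanity check on the rendered text: the allow line must come before deny all,
# because ngx_http_access_module applies the first rule that matches.
proxy_conf_acl_ok() {
    conf="$1"
    allow_line=$(printf '%s\n' "$conf" | grep -n '^ *allow ' | head -1 | cut -d: -f1)
    deny_line=$(printf '%s\n' "$conf" | grep -n '^ *deny  *all;' | head -1 | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$deny_line" ] && [ "$allow_line" -lt "$deny_line" ]
}

# Usage: write the block to a file included from the http {} context, then test it:
#   render_proxy_conf 10.0.0.0/8 10.0.0.53 > /usr/local/nginx/conf/proxy.conf
#   /usr/local/nginx/sbin/nginx -t
```

The rendered block replaces the one shown above rather than being added beside it; keep `proxy_connect_allow` to the ports the intranet clients really need, because every port listed there is a raw TCP tunnel out of the DMZ.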

The forward proxy is now in effect; verify it:

# -v shows both layers of the connection: the CONNECT to the nginx server, then the TLS session to the target host
curl -v -I --proxy NGINX_HOST:3128 https://TARGET_HOST
# Three-host verification. Host A: initiator. Host B: the proxy (NGINX_HOST). Host C: TARGET_HOST, serving web on port 80, reachable only from host B
## Allow only host B to reach port 80 on host C (the ACCEPT is inserted after the DROP, so it ends up above it)
$HOST_C: iptables -I INPUT -p tcp --dport 80 -j DROP
$HOST_C: iptables -I INPUT -s HOST_B_IP -p tcp --dport 80 -j ACCEPT
## Host A cannot reach port 80 on host C directly
$HOST_A: curl http://HOST_C
### times out
## Global proxy on host A
vim /etc/profile
### Append the following, replacing HOST_B with the proxy's IP
http_proxy=HOST_B:3128
https_proxy=HOST_B:3128
ftp_proxy=HOST_B:3128
export http_proxy
export ftp_proxy
export https_proxy
### Reload the configuration, then repeat the curl from host A: it now succeeds through host B
source /etc/profile
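The /etc/profile lines above send every http, https and ftp request from host A through host B, including requests to localhost and to intranet hosts that host B may have no route to. The script below is an added example, not from the original page: proxy_env prints the same export lines plus a no_proxy list (host names and domain suffixes that bypass the proxy, which curl and wget honour), and probe_via_proxy wraps the curl check so that "proxy unreachable", "timeout", "CONNECT refused by the proxy" and "ok" are told apart from curl's exit status and its %{http_code} and %{http_connect} write-out variables. The proxy address 10.0.0.2:3128, the target hosts and the no_proxy entries are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Helpers for the verification step.

proxy_env() {
    # $1 = proxy host, $2 = proxy port, $3 = comma-separated no_proxy list
    proxy="http://$1:$2"
    printf 'export http_proxy=%s\n' "$proxy"
    printf 'export https_proxy=%s\n' "$proxy"
    printf 'export ftp_proxy=%s\n' "$proxy"
    # traffic to these names never leaves through the DMZ host
    printf 'export no_proxy=%s\n' "$3"
}

classify_probe() {
    # $1 = curl exit status, $2 = final HTTP status, $3 = proxy's reply to CONNECT
    # (both statuses are 000 when no such response was received)
    case "$1" in
        7)  echo proxy-unreachable; return 0 ;;
        28) echo timeout; return 0 ;;
        # curl exits 56 when the proxy refuses CONNECT; ngx_http_proxy_connect_module
        # answers a port outside proxy_connect_allow, or a client denied by allow/deny, with 403
        56) echo "connect-refused-by-proxy($3)"; return 0 ;;
    esac
    case "$3:$2" in
        # plain http URL (no CONNECT) refused by the proxy's allow/deny
        000:403)                     echo rejected-by-proxy ;;
        *:2[0-9][0-9]|*:3[0-9][0-9]) echo ok ;;
        *)                           echo "other(rc=$1,http=$2,connect=$3)" ;;
    esac
}

probe_via_proxy() {
    # $1 = proxy host:port, $2 = URL; prints one word describing the outcome
    out=$(curl -s -o /dev/null --connect-timeout 5 --max-time 15 \
              --proxy "$1" -w '%{http_code} %{http_connect}' "$2" 2>/dev/null)
    rc=$?
    # shellcheck disable=SC2086  # the two write-out fields are split on purpose
    classify_probe "$rc" ${out:-000 000}
}

# Usage on host A:
#   proxy_env 10.0.0.2 3128 'localhost,127.0.0.1,.corp.example' >> /etc/profile
#   probe_via_proxy 10.0.0.2:3128 https://TARGET_HOST
```

Run the probe once from host A with the proxy (expect ok) and once from a host outside the allowed network if you restricted the server block with allow/deny (expect connect-refused-by-proxy(403)); a timeout points at the firewall on host C or at the resolver, not at the proxy module.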

5. Compile and configure Privoxy

Compiling Privoxy turned out to require PCRE to be built first, so it is compiled separately here; after installing it, run ldconfig so the shared library is found.

wget https://www.privoxy.org/sf-download-mirror/Sources/3.0.33%20%28stable%29/privoxy-3.0.33-stable-src.tar.gz
tar xzvf privoxy-3.0.33-stable-src.tar.gz
cd privoxy-3.0.33-stable
# Add the privoxy user and group (system account, no login shell)
groupadd privoxy
useradd privoxy -r -g privoxy -s /usr/sbin/nologin
# Build and install the PCRE library
wget https://free.nchc.org.tw/osdn//sfnet/p/pc/pcre/pcre/8.44/pcre-8.44.tar.gz
tar -zxvf pcre-8.44.tar.gz
cd pcre-8.44
./configure
make -j2 && make install
# refresh the shared-library cache so libpcre is found
ldconfig
# Build privoxy (go back up to the privoxy source directory first)
cd ..
autoheader
autoconf
./configure
make && make -s install USER=privoxy GROUP=privoxy

Configuration: after the source install, privoxy started without a config-file argument reads the file named config in the current directory.

cd /usr/local/etc/privoxy
vim pac.action
---------------------------------------------------
{{alias}}
default = +forward-override{forward .}
pac = +forward-override{forward $NGINX_HOST:3128}
# everything goes direct ( / matches every URL); later sections override this
{default}
/
# these domains are forwarded through the NGINX proxy on the DMZ host.
# $NGINX_HOST is a placeholder: privoxy does not expand shell variables, so write the host's IP or name
{pac}
.sap.com
---------------------------------------------------
vim config
---------------------------------------------------
# Add our custom routing action file
actionsfile pac.action
# The following are the predefined action files; comment them out (privoxy then does no blocking or rewriting, it only routes)
# actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
# actionsfile default.action   # Main actions file
# actionsfile user.action      # User customizations
# The following are the predefined filter files; comment them out
# filterfile default.filter
# filterfile user.filter      # User customizations
---------------------------------------------------
# started from this directory so it finds ./config; add --user privoxy to drop to the account created above
privoxy
## Point clients at privoxy (default listen-address 127.0.0.1:8118) instead of at NGINX directly
vim /etc/profile
http_proxy=127.0.0.1:8118
https_proxy=127.0.0.1:8118
export http_proxy https_proxy
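pac.action above routes a single domain suffix. The script below is an added example, not from the original page or from Privoxy: it renders the same action file for any number of domain patterns (the direct default first, then the {pac} section, in the order privoxy evaluates them), and counts the patterns that end up under {pac} so a mistaken edit is caught before privoxy is restarted. The proxy address 10.0.0.2:3128 and the domains are assumptions; per privoxy's pattern syntax a leading dot matches every host name ending in that suffix.

```shell
#!/bin/sh
# Added example, not from the original page: generate pac.action for privoxy
# from a list of domain patterns. Only the listed domains leave through the
# NGINX forward proxy on the DMZ host; everything else connects directly.

render_pac_action() {
    # $1 = NGINX host:port, remaining args = privoxy URL patterns (e.g. .sap.com)
    proxy="$1"; shift
    printf '{{alias}}\n'
    printf 'default = +forward-override{forward .}\n'
    printf 'pac = +forward-override{forward %s}\n' "$proxy"
    printf '\n# everything goes direct unless a later section overrides it\n'
    printf '{default}\n/\n'
    printf '\n# only these domains are tunnelled through the DMZ proxy\n'
    printf '{pac}\n'
    for d in "$@"; do
        printf '%s\n' "$d"
    done
}

# Count the patterns that fall under the {pac} section of a rendered file
# (comment and blank lines are skipped).
pac_pattern_count() {
    printf '%s\n' "$1" | awk '/^\{pac\}/ {on=1; next} on && /^[^# ]/ {n++} END {print n+0}'
}

# Usage:
#   render_pac_action 10.0.0.2:3128 .sap.com .example.org > /usr/local/etc/privoxy/pac.action
#   privoxy --user privoxy /usr/local/etc/privoxy/config
```

Regenerate the file from the list rather than editing it by hand when domains are added: the {pac} section must stay last, because privoxy applies the sections in order and the later match wins.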