|
对于新安装的环境,参考正常的安装步骤,直接在configure的时候加上--with-stream,--with-stream_ssl_preread_module和--with-stream_ssl_module选项即可。示例如下:
- ./configure
- --user=www
- --group=www
- --prefix=/usr/local/nginx
- --with-http_ssl_module
- --with-http_stub_status_module
- --with-http_realip_module
- --with-threads
- --with-stream
- --with-stream_ssl_preread_module
- --with-stream_ssl_module
对于已经安装编译安装完的环境,需要加入以上3个与stream相关的模块,步骤如下:
- # 停止NGINX服务
- # systemctl stop nginx
- # 备份原执行文件
- # cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
- # 在源代码路径重新编译
- # cd /usr/local/src/nginx-1.16.0
- # ./configure
- --user=www
- --group=www
- --prefix=/usr/local/nginx
- --with-http_ssl_module
- --with-http_stub_status_module
- --with-http_realip_module
- --with-threads
- --with-stream
- --with-stream_ssl_preread_module
- --with-stream_ssl_module
- # make
- # 不要make install
- # 将新生成的可执行文件拷贝覆盖原来的nginx执行文件
- # cp objs/nginx /usr/local/nginx/sbin/nginx
- # nginx -V
- nginx version: nginx/1.16.0
- built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
- built with OpenSSL 1.0.2k-fips 26 Jan 2017
- TLS SNI support enabled
- configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-threads --with-stream --with-stream_ssl_preread_module --with-stream_ssl_module
2) nginx.conf文件配置
NGINX stream与HTTP不同,需要在stream块中进行配置,但是指令参数与HTTP块都是类似的,主要配置部分如下:
- stream {
- resolver 114.114.114.114;
- server {
- listen 443;
- ssl_preread on;
- proxy_connect_timeout 5s;
- proxy_pass $ssl_preread_server_name:$server_port;
- }
- }
使用场景
对于4层正向代理,NGINX对上层流量基本上是透传,也不需要HTTP CONNECT来建立隧道。适合于透明代理的模式,比如将访问的域名利用DNS解定向到代理服务器。我们可以通过在客户端绑定/etc/hosts来模拟。
在客户端:
- cat /etc/hosts
- ...
- # 把域名www.baidu.com绑定到正向代理服务器39.105.196.164
- 39.105.196.164 www.baidu.com
- # 正常利用curl来访问www.baidu.com即可。
- # curl https://www.baidu.com -svo /dev/null
- * About to connect() to www.baidu.com port 443 (#0)
- * Trying 39.105.196.164...
- * Connected to www.baidu.com (39.105.196.164) port 443 (#0)
- * Initializing NSS with certpath: sql:/etc/pki/nssdb
- * CAfile: /etc/pki/tls/certs/ca-bundle.crt
- CApath: none
- * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- * Server certificate:
- * subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
- * start date: 5月 09 01:22:02 2019 GMT
- * expire date: 6月 25 05:31:02 2020 GMT
- * common name: baidu.com
- * issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
- > GET / HTTP/1.1
- > User-Agent: curl/7.29.0
- > Host: www.baidu.com
- > Accept: */*
- >
- < HTTP/1.1 200 OK
- < Accept-Ranges: bytes
- < Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
- < Connection: Keep-Alive
- < Content-Length: 2443
- < Content-Type: text/html
- < Date: Fri, 21 Jun 2019 05:46:07 GMT
- < Etag: "5886041d-98b"
- < Last-Modified: Mon, 23 Jan 2017 13:24:45 GMT
- < Pragma: no-cache
- < Server: bfe/1.0.8.18
- < Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
- <
- { [data not shown]
- * Connection #0 to host www.baidu.com left intact
常见问题
1) 客户端手动设置代理导致访问不成功 (编辑:孝感站长网)
【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
|
