
Using nginx as a forward proxy for HTTPS sites

August 3, 2024 | https
This article describes how to give an intranet server yum access through an nginx proxy.

1. Background

  I recently ran into an annoying problem: the company's CentOS test server sits on the intranet with no direct internet access, so software could not be installed with yum, which was very frustrating.
  Fortunately, the intranet does have machines that can reach the internet, so the idea was to build a proxy server with nginx on one of them and have the CentOS box reach the internet through that nginx. Proxying plain HTTP is simple; proxying HTTPS takes a little more work. nginx cannot hold the certificates of the sites being proxied, so it cannot act as an HTTPS termination point and cannot speak TLS to the proxied client. Instead, the connection to the outside is opened with the HTTP CONNECT method: the client sends the CONNECT request to nginx in plaintext, and nginx then relays the client's TLS session to the external site over HTTPS. The ngx_http_proxy_connect_module module provides this CONNECT proxying.

2. Deploying nginx

  • Step 1: download the nginx source package from the nginx website.
  • Step 2: nginx does not natively support CONNECT requests, so an extension module is needed: download ngx_http_proxy_connect_module from GitHub, along with the nginx core patch that goes with it.
  • Step 3: unpack the nginx source package, enter the nginx source directory and create a modules directory (mkdir modules).
  • Step 4: put the ngx_http_proxy_connect_module source directory into the modules directory.
  • Step 5: put the nginx core patch into the nginx source directory; here it is called p1.patch.
  • Step 6: in the nginx source directory, apply the patch to the nginx core with the following command:
    patch -p1 < p1.patch
  • Step 7: build nginx. Here nginx is assumed to be installed under /opt/nginx (before building, confirm that the pcre, zlib and openssl libraries are installed). The build commands are:
    ./configure --prefix=/opt/nginx --with-http_ssl_module --add-module=./modules/ngx_http_proxy_connect_module
    make && make install
  • Step 8: configure nginx.
       The configuration file is as follows:
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    keepalive_timeout  65;


    server {
        # proxy port
        listen 8080;
        server_name  localhost;

        # DNS server used to resolve the names of the proxied sites; adjust to your environment
        resolver  114.114.114.114;

        # enable the proxy CONNECT feature
        proxy_connect;

        # target ports that CONNECT may tunnel to: 443 (the HTTPS default) and 80
        proxy_connect_allow 443 80;

        location / {

            # forward-proxy configuration: derive the target site from the request and proxy to it
            proxy_pass $scheme://$host$request_uri;

            # the request sent to the proxied site must carry a Host header
            proxy_set_header Host $http_host;

            proxy_buffers 256 4k;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout 30;
        }
    }
}

   With this configuration in place, nginx's port 8080 can proxy both plain HTTP requests and HTTPS requests. Note that as written the listener accepts requests from any client that can reach port 8080, so bind it to the intranet interface and restrict the permitted clients (for example with nginx's allow and deny directives) so that it does not become an open proxy.

  • Step 9: start nginx.
      Run /opt/nginx/sbin/nginx to start nginx.

3. Testing

3.1 HTTP test

curl "http://www.baidu.com/" -x 127.0.0.1:8080 -v

Response:

*   trying 127.0.0.1:8080...
* connected to (nil) (127.0.0.1) port 8080 (#0)
> get http://www.baidu.com/ http/1.1
> host: www.baidu.com
> user-agent: curl/7.81.0
> accept: */*
> proxy-connection: keep-alive
> 
* mark bundle as not supporting multiuse
< http/1.1 200 ok
< server: nginx/1.24.0
< date: fri, 23 feb 2024 09:08:01 gmt
< content-type: text/html
< content-length: 2381
< connection: keep-alive
< accept-ranges: bytes
< cache-control: private, no-cache, no-store, proxy-revalidate, no-transform
< etag: "588604eb-94d"
< last-modified: mon, 23 jan 2017 13:28:11 gmt
< pragma: no-cache
< set-cookie: bdorz=27315; max-age=86400; domain=.baidu.com; path=/
< 
<!doctype html>

   The output above shows that the HTTP request is proxied without a CONNECT request, and the response is normal.

3.2 HTTPS test

curl "https://www.baidu.com/" -x 127.0.0.1:8080 -v
*   trying 127.0.0.1:8080...
* connected to (nil) (127.0.0.1) port 8080 (#0)
* allocate connect buffer!
* establish http proxy tunnel to www.baidu.com:443
> connect www.baidu.com:443 http/1.1
> host: www.baidu.com:443
> user-agent: curl/7.81.0
> proxy-connection: keep-alive
> 
< http/1.1 200 connection established
< proxy-agent: nginx
< 
* proxy replied 200 to connect request
* connect phase completed!
* alpn, offering h2
* alpn, offering http/1.1
*  cafile: /etc/ssl/certs/ca-certificates.crt
*  capath: /etc/ssl/certs
* tlsv1.0 (out), tls header, certificate status (22):
* tlsv1.3 (out), tls handshake, client hello (1):
* tlsv1.2 (in), tls header, certificate status (22):
* tlsv1.3 (in), tls handshake, server hello (2):
* tlsv1.2 (in), tls header, certificate status (22):
* tlsv1.2 (in), tls handshake, certificate (11):
* tlsv1.2 (in), tls header, certificate status (22):
* tlsv1.2 (in), tls handshake, server key exchange (12):
* tlsv1.2 (in), tls header, certificate status (22):
* tlsv1.2 (in), tls handshake, server finished (14):
* tlsv1.2 (out), tls header, certificate status (22):
* tlsv1.2 (out), tls handshake, client key exchange (16):
* tlsv1.2 (out), tls header, finished (20):
* tlsv1.2 (out), tls change cipher, change cipher spec (1):
* tlsv1.2 (out), tls header, certificate status (22):
* tlsv1.2 (out), tls handshake, finished (20):
* tlsv1.2 (in), tls header, finished (20):
* tlsv1.2 (in), tls header, certificate status (22):
* tlsv1.2 (in), tls handshake, finished (20):
* ssl connection using tlsv1.2 / ecdhe-rsa-aes128-gcm-sha256
* alpn, server accepted to use http/1.1
* server certificate:
*  subject: c=cn; st=beijing; l=beijing; o=beijing baidu netcom science technology co., ltd; cn=baidu.com
*  start date: jul  6 01:51:06 2023 gmt
*  expire date: aug  6 01:51:05 2024 gmt
*  subjectaltname: host "www.baidu.com" matched cert's "*.baidu.com"
*  issuer: c=be; o=globalsign nv-sa; cn=globalsign rsa ov ssl ca 2018
*  ssl certificate verify ok.
* tlsv1.2 (out), tls header, supplemental data (23):
> get / http/1.1
> host: www.baidu.com
> user-agent: curl/7.81.0
> accept: */*
> 
* tlsv1.2 (in), tls header, supplemental data (23):
* mark bundle as not supporting multiuse
< http/1.1 200 ok
< accept-ranges: bytes
< cache-control: private, no-cache, no-store, proxy-revalidate, no-transform
< connection: keep-alive
< content-length: 2443
< content-type: text/html
< date: fri, 23 feb 2024 09:11:25 gmt
< etag: "58860410-98b"
< last-modified: mon, 23 jan 2017 13:24:32 gmt
< pragma: no-cache
< server: bfe/1.0.8.18
< set-cookie: bdorz=27315; max-age=86400; domain=.baidu.com; path=/
< 
<!doctype html>
* tlsv1.2 (in), tls header, supplemental data (23):
* tlsv1.2 (in), tls header, supplemental data (23):

  The output above shows that the HTTPS request is proxied through a CONNECT request, the TLS handshake takes place inside the tunnel, and the response is returned normally.
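The CONNECT exchange shown in the trace above, as an added example (not code from the article or from ngx_http_proxy_connect_module): a small Python client that sends the CONNECT request to the nginx proxy in plaintext, checks the proxy's reply, and only then starts TLS inside the tunnel, so certificate verification is performed against the target site rather than against nginx. The proxy address is an assumption taken from the article's example IP and port.

```python
import socket
import ssl

PROXY = ("192.168.0.1", 8080)  # assumed nginx proxy address from the article

def build_connect_request(host, port):
    """CONNECT request the client sends to nginx in plaintext."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n\r\n"
    ).encode("ascii")

def parse_connect_response(raw):
    """Parse the proxy's reply head into (status code, header dict)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/1."):
        raise ValueError(f"not an HTTP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers

def read_head(sock):
    """Read until the blank line that ends the proxy's response head."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
    return buf

def open_tunnel(target_host, target_port=443, proxy=PROXY):
    """Open a CONNECT tunnel through the proxy, then start TLS to the origin;
    nginx only relays bytes, so the handshake and certificate check are end-to-end."""
    sock = socket.create_connection(proxy, timeout=30)
    sock.sendall(build_connect_request(target_host, target_port))
    status, _ = parse_connect_response(read_head(sock))
    if status // 100 != 2:  # non-2xx, e.g. when the port is not in proxy_connect_allow
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    ctx = ssl.create_default_context()  # verifies chain and hostname
    return ctx.wrap_socket(sock, server_hostname=target_host)
```

Calling open_tunnel("www.baidu.com") from the intranet reproduces the curl trace above: the plaintext CONNECT, the "200 Connection established" reply from nginx, then the TLS handshake with the target site's certificate.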

4. Configuring the CentOS server to reach the internet through the proxy

  On the CentOS server set the two environment variables http_proxy and https_proxy. Assuming the nginx server's IP is 192.168.0.1, run the following two commands on the command line:

# both variables point at the same plain-HTTP listener on nginx: the URL scheme
# tells the client how to reach the proxy, not which protocol the proxied traffic uses
export http_proxy="http://192.168.0.1:8080"
export https_proxy="http://192.168.0.1:8080"

  After that, yum works smoothly. If possible, put these two commands into ~/.bashrc so they do not have to be typed at every login.
