Using nginx and frp/ngrok to achieve intranet penetration, the website will be set up in their own home or within the company

Keywords: Nginx network Tomcat Linux

title: Use nginx and frp/ngrok to achieve intranet penetration, and set up the website at home or within the company
date: 2019-04-17 13:27:43
categories: Architecture
author: mrzhou
tags:

  • nginx
  • web
  • frp
  • ngrok

Demand for this has always been fairly strong in China. For small businesses or individuals, hosting a website inside the company or at home is very convenient. In China today, however, a domain name that has not been registered usually cannot be resolved to the corresponding server, although use of HTTPS itself is not affected. For the reasons above, running servers at home or inside your company is not subject to these restrictions.

frp or ngrok?

At present these two tools seem to be the most widely used. ngrok has to be compiled yourself, which is still fairly convenient, but frp offers pre-compiled downloads for both Linux and Windows that can be used straight away. So the example here uses frp directly.

Why nginx?

Intranet penetration still needs a server with a fixed public IP. If you buy or rent a public server, you will not want to use it only as a relay; it should serve other things too. Having frp or ngrok listen directly on ports 80 and 443 feels a bit wasteful. So we let nginx handle the front end and hand each request to the corresponding service port; frp/ngrok sits behind nginx, and so can Tomcat, IIS, Apache and the like.

The focus is still on nginx configuration

In the configuration below I also run Tomcat on the public server on port 8080, but it is not exposed publicly and can only be reached via 127.0.0.1:8080. frps is set up on the same server; its port 7000 is opened to the outside, and this same port 7000 is used for the frpc connection. Requests to port 80 are redirected to port 443, and nginx reverse-proxies requests from port 443 to frps over plain HTTP, which then forwards them to the servers on the intranet. Since nginx is configured with a wildcard certificate, all the subdomains appear as secure websites.

# Tomcat on the public server itself; bound to loopback, never exposed directly
upstream tomcat9 {
	server 127.0.0.1:8080;
}

# frps on the same host; port 7000 carries both the frpc control connections
# and the HTTP virtual-host traffic that nginx forwards here
upstream frps {
	server 127.0.0.1:7000;
}

# www.easex.cn over plain HTTP goes straight to the local Tomcat
server {
	listen 80;
	server_name www.easex.cn;
	location / {
		# let WebSocket upgrades pass through the proxy
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";

		# preserve the real client address and the original Host header
		# ($proxy_add_x_forwarded_for already appends $remote_addr, so one
		# X-Forwarded-For line is enough)
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Host $host;
		proxy_redirect off;

		proxy_pass http://tomcat9/;
	}
}

# every other *.easex.cn name on port 80 is redirected to HTTPS
server {
	listen 80;
	server_name *.easex.cn;
	return 301 https://$http_host$request_uri;
}

# TLS termination for all subdomains with the wildcard certificate, then plain
# HTTP to frps, which picks the frpc tunnel from the forwarded Host header
server {
	listen 443 ssl http2;
	server_name *.easex.cn;

	ssl_certificate     cert/easex.cn/fullchina.cer;
	ssl_certificate_key cert/easex.cn/easex.cn.key;
	ssl_session_timeout 5m;
	# TLSv1 and TLSv1.1 are deprecated; drop them unless old clients must be supported
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
	ssl_prefer_server_ciphers on;

	access_log logs/easex.cn_access.log;
	error_log  logs/easex.cn_error.log;

	location / {
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";

		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Host $host;
		proxy_redirect off;

		proxy_pass http://frps/;
	}
}
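The frps/frpc side that this nginx configuration hands off to, as an added example in the INI format frp used at the time of this post (it is not the author's own configuration). The public server address, the token and the tunnel name "home" are placeholders; the ports match the ones the post uses.

```ini
; ---- frps.ini on the public server (assumed layout) ----
[common]
; frpc must reach this port from the internet, so it stays bound to all interfaces
bind_addr = 0.0.0.0
bind_port = 7000
; HTTP vhost traffic arriving from nginx; frp allows this to share bind_port
vhost_http_port = 7000
; frps routes "Host: <subdomain>.easex.cn" to the tunnel that registered that subdomain
subdomain_host = easex.cn
; placeholder shared secret; without a token any frpc on the internet could
; register tunnels on this frps and publish content under *.easex.cn
token = CHANGE-ME-SHARED-SECRET

; ---- frpc.ini on the machine at home / in the office (assumed layout) ----
[common]
; placeholder for the rented server's fixed public IP
server_addr = PUBLIC_SERVER_IP
server_port = 7000
; must equal the frps token
token = CHANGE-ME-SHARED-SECRET

[home-web]
type = http
local_ip = 127.0.0.1
; the internal web server, e.g. Tomcat, that stays unreachable from outside
local_port = 8080
; published as https://home.easex.cn, terminated by nginx on the public server
subdomain = home
```

Because vhost_http_port shares the publicly reachable port 7000, plain-HTTP requests sent straight to that port bypass the TLS termination in nginx; if that matters, give vhost_http_port its own port, point the nginx upstream at it and restrict that port to loopback with a firewall rule.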

Posted by esmarts on Wed, 08 May 2019 17:30:38 -0700