nginx forward proxy for http/https and mail proxy service

Keywords: Linux Nginx OpenSSL curl network


  • Requirement background:

In the company's intranet environment, hosts cannot connect directly to the external network. Intranet services that need Internet access must go out through a forward proxy.

  • Installation environment preparation:

Nginx has no native support for the HTTP CONNECT method, which https clients use to open a tunnel through a forward proxy, so on its own it cannot forward https requests. To get that behaviour we use the third-party module ngx_http_proxy_connect_module, which is applied as a patch to the nginx source and compiled in as an add-on module. The module used is:

Installation media versions:



  • Setup steps

1. Create the nginx system account (no login shell)

# groupadd -g 9996 nginx
# useradd -u 9996 -g 9996 nginx -s /sbin/nologin


2. Unpack the source archives

# cd /opt
# tar xf pcre-8.38.tar.gz
# tar xf nginx-1.12.2.tar.gz
# unzip

3. Install the build dependencies (if they are not already present)

# yum install -y gcc gcc-c++ openssl openssl-devel

4. Build and install pcre

# cd /opt/pcre-8.38
# ./configure --prefix=/usr/local/pcre
# make && make install

Note that the nginx configure line in step 6 passes --with-pcre=/opt/pcre-8.38, which points at the PCRE source tree, so nginx compiles PCRE into itself from that directory; the copy installed under /usr/local/pcre is not what nginx links against.

5. Apply the ngx_http_proxy_connect_module patch to nginx; run this from inside the unpacked nginx source directory (proxy_connect.patch is the module's patch for the nginx 1.4.x to 1.12.x series, which matches 1.12.2)

# cd /opt/nginx-1.12.2
# patch -p1 < /opt/ngx_http_proxy_connect_module-master/patch/proxy_connect.patch

6. Configure, build and install nginx

# ./configure --prefix=/etc/nginx1.12.2 --with-http_ssl_module --with-pcre=/opt/pcre-8.38 --add-module=/opt/ngx_http_proxy_connect_module-master  --pid-path=/var/run/  --with-mail --with-stream
# make && make install

Note that --pid-path expects a file name, not a directory. As written, nginx will fail at startup when it tries to create /var/run/ as its pid file unless a pid directive in nginx.conf overrides it; use a value such as --pid-path=/var/run/nginx.pid instead.

7. Check the build

# /etc/nginx1.12.2/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) 
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx1.12.2 --with-http_ssl_module --with-pcre=/opt/pcre-8.38 --add-module=/opt/ngx_http_proxy_connect_module-master --pid-path=/var/run/ --with-mail --with-stream

The configure arguments should list the add-on module and the ssl, mail and stream modules as above. Both nginx 1.12.2 and OpenSSL 1.0.1e were already out of support when this was written; for a proxy that sits between the intranet and the Internet, build against a currently supported nginx and OpenSSL release.

  • http/https proxy configuration

This server block goes inside the http block of nginx.conf. It listens on port 10080, handles https by tunnelling the CONNECT method provided by ngx_http_proxy_connect_module, and forwards plain http requests to whichever host the client named. Anyone who can reach port 10080 can use it as an open proxy, so uncomment and fill in the allow/deny rules to restrict it to intranet client ranges, and confirm with curl from an address outside those ranges that a CONNECT request is rejected as well as a plain GET.

server {
    resolver;                  # DNS server used to resolve $http_host
    listen 10080;              # listen port
    resolver_timeout 10s;      # DNS lookup timeout
    proxy_connect;             # enable the http CONNECT method
    proxy_connect_allow            443 563;  # ports a CONNECT tunnel may target
    proxy_connect_connect_timeout  10s;      # timeout for connecting to the tunnel target
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;
    access_log  /weblogs/nginx/proxy.access.log;
    error_log   /weblogs/nginx/proxy.error.log;
    location / {
        proxy_pass $scheme://$http_host$request_uri;   # forward plain http to the requested host
        proxy_set_header Host $http_host;
        proxy_buffers 256 4k;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 30s;
        #allow;          # ip restrictions: client networks allowed to use the proxy
        #deny all;
    }
}
  • Mail proxy configuration

1. Append a stream block at the end of nginx.conf

stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /weblogs/nginx/nginx_proxy.log proxy;
    include vhost/*.stream;
}
Note: stream is a top-level block like http, not something nested inside it, so it goes after the closing brace of the http block at the end of nginx.conf.

2. Add the mail proxy configuration in a vhost/*.stream file

Each server block listens on a mail port and relays the TCP connection to the real mail server. The block below breaks off after the listen line; a working block also needs a proxy_pass directive naming the real mail server and port.

server {
        listen       25;
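
As an added example, not the original post's configuration, here is a complete nginx.conf that combines the http/https forward proxy from the previous section with the stream-based mail relay from this one, with the access controls filled in. The intranet range 10.0.0.0/8, the internal DNS server 10.0.0.53, the mail server name mail.example.com and the extra IMAPS listener on 993 are assumptions; the directives themselves are standard nginx plus ngx_http_proxy_connect_module.

```nginx
# Added example, not from the original post. Assumptions: intranet clients are
# in 10.0.0.0/8, the internal resolver is 10.0.0.53, the real mail server is
# mail.example.com. Adjust all three before use.
user  nginx;
worker_processes  auto;
pid   /var/run/nginx.pid;        # a file, not a directory

events {
    worker_connections 1024;
}

http {
    log_format fwd '$remote_addr [$time_local] "$request" $status '
                   '$body_bytes_sent "$http_user_agent"';

    server {
        listen 10080;
        resolver 10.0.0.53 ipv6=off;   # needed because proxy_pass uses variables
        resolver_timeout 10s;

        # Only intranet clients may use the proxy; everyone else gets 403.
        # Declared at server level so it is inherited by every location.
        allow 10.0.0.0/8;
        deny  all;

        # CONNECT tunnelling for https. The proxy cannot see inside the tunnel,
        # so the only control over tunnel targets is the destination port list.
        proxy_connect;
        proxy_connect_allow            443 563;
        proxy_connect_connect_timeout  10s;
        proxy_connect_read_timeout     10s;
        proxy_connect_send_timeout     10s;

        access_log /weblogs/nginx/proxy.access.log fwd;
        error_log  /weblogs/nginx/proxy.error.log;

        # Plain http requests are forwarded to the host named in the request line.
        location / {
            proxy_pass $scheme://$http_host$request_uri;
            proxy_set_header Host $http_host;
            proxy_buffers 256 4k;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout 30s;   # core proxy directive, unrelated to CONNECT
        }
    }
}

stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /weblogs/nginx/nginx_proxy.log proxy;

    # One TCP relay per mail port. Bytes pass through unchanged, so STARTTLS or
    # implicit TLS is negotiated end to end with mail.example.com, and clients
    # must still address the proxy by that hostname (see the client section).
    server {
        listen 25;
        allow 10.0.0.0/8;
        deny  all;
        proxy_connect_timeout 10s;
        proxy_timeout 10m;
        proxy_pass mail.example.com:25;
    }
    server {
        listen 993;                      # assumption: IMAPS is also relayed
        allow 10.0.0.0/8;
        deny  all;
        proxy_connect_timeout 10s;
        proxy_timeout 10m;
        proxy_pass mail.example.com:993;
    }
}
```

Validate the file with /etc/nginx1.12.2/sbin/nginx -t before reloading, then check from a host outside 10.0.0.0/8 that both a plain GET through port 10080 and a CONNECT to port 443 are refused, and that a connection to port 25 is closed.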
  • Client configuration for http/https

1. Proxy environment variables

Add the following to /etc/profile, setting both variables to the proxy URL (the proxy host on port 10080), then reload it:

export http_proxy=
export https_proxy=
# source /etc/profile

2. Test commands (on the client)

curl -x names the proxy explicitly and -I sends a HEAD request; with -v, lines prefixed by > show what curl sent to the proxy. For the https test the first exchange is the CONNECT request to the proxy, and the proxy's 200 response must appear before the TLS handshake.

Test the http proxy
# curl -I -v -x
> Host:
Test the https proxy
# curl -I -v -x
> Host:
  • Mail proxying on the client

Method 1: add an entry to the client's /etc/hosts that resolves the mail server's hostname to the forward proxy's IP.
Method 2: replace the mail server hostname with the forward proxy's IP in the mail client's configuration.
The stream proxy relays the TCP bytes unchanged, so TLS (STARTTLS or implicit TLS) is still negotiated with the real mail server. Method 1 keeps the hostname the client connects to, so the server certificate still matches; with Method 2 the client checks the certificate against an IP address, which normally fails unless certificate verification is disabled, and it should not be.

Posted by nats on Thu, 21 May 2020 07:53:45 -0700