nginx forward proxy http/https and proxy mail service
Background:
In the company's intranet environment, hosts cannot connect to the external network directly, so intranet services have to reach the Internet through a forward proxy.
Environment preparation:
Nginx itself cannot forward HTTPS requests: it has no support for the HTTP CONNECT method that an HTTPS forward proxy needs. To make nginx work as a forward proxy for both http and https we need the third-party module ngx_http_proxy_connect_module, available at: https://github.com/chobits/ngx_http_proxy_connect_module
Installation media versions:
pcre-8.38.tar.gz
nginx-1.12.2.tar.gz
ngx_http_proxy_connect_module-master.zip
Installation steps
1. Create the nginx account
   # groupadd -g 9996 nginx
   # useradd -u 9996 -g 9996 nginx -s /sbin/nologin
2. Unpack the sources
   # cd /opt
   # tar xf pcre-8.38.tar.gz
   # tar xf nginx-1.12.2.tar.gz
   # unzip ngx_http_proxy_connect_module-master.zip
3. Install the build dependencies (if not already installed)
   # yum install -y gcc gcc-c++ openssl openssl-devel
4. Install pcre
   # cd /opt/pcre-8.38
   # ./configure --prefix=/usr/local/pcre
   # make && make install
5. Apply the ngx_http_proxy_connect_module patch; switch to the unpacked nginx source directory first
   # cd /opt/nginx-1.12.2
   # patch -p1 < /opt/ngx_http_proxy_connect_module-master/patch/proxy_connect.patch
6. Build and install nginx
   # ./configure --prefix=/etc/nginx1.12.2 --with-http_ssl_module --with-pcre=/opt/pcre-8.38 --add-module=/opt/ngx_http_proxy_connect_module-master --pid-path=/var/run/ --with-mail --with-stream
   # make && make install
7. Check the build (the module must appear in the configure arguments)
   # /etc/nginx1.12.2/sbin/nginx -V
   nginx version: nginx/1.12.2
   built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC)
   built with OpenSSL 1.0.1e-fips 11 Feb 2013
   TLS SNI support enabled
   configure arguments: --prefix=/etc/nginx1.12.2 --with-http_ssl_module --with-pcre=/opt/pcre-8.38 --add-module=/opt/ngx_http_proxy_connect_module-master --pid-path=/var/run/ --with-mail --with-stream
http/https proxy configuration
server {
    resolver 114.114.114.114;            # DNS resolver used to look up the requested hosts
    listen 10080;                        # port the forward proxy listens on
    resolver_timeout 10s;                # DNS lookup timeout
    proxy_connect;                       # enable the HTTP CONNECT method (needed for https)
    proxy_connect_allow 443 563;         # destination ports a client may tunnel to
    proxy_connect_connect_timeout 10s;   # timeout for connecting to the destination
    proxy_connect_read_timeout 10s;
    proxy_connect_send_timeout 10s;
    access_log /weblogs/nginx/proxy.access.log;
    error_log /weblogs/nginx/proxy.error.log;

    location / {
        proxy_pass $scheme://$http_host$request_uri;   # plain http: forward to the host the client asked for
        proxy_set_header Host $http_host;
        proxy_buffers 256 4k;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 30s;
        #allow 127.0.0.1;    # restrict which client IPs may use the proxy
        #deny all;
    }
}
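To make the two security-relevant directives above concrete, here is an added example (not code from the page or from ngx_http_proxy_connect_module) that models what `proxy_connect` and `proxy_connect_allow` do: a minimal HTTP CONNECT tunnel that parses the CONNECT request line, refuses destination ports outside an allow-list with 403, and otherwise answers `200 Connection Established` and relays bytes in both directions. The origin server (an upper-casing echo service), the port numbers and the `ping` payload are all constructed here so the script runs offline on loopback; `ALLOWED_PORTS` mirrors the `443 563` from the config. Without the allow-list (and without the `allow`/`deny` client restrictions the config leaves commented out) a forward proxy like this is an open relay to any TCP port.

```python
import socket
import threading

# Mirrors `proxy_connect_allow 443 563;` from the nginx config (constructed default).
ALLOWED_PORTS = {443, 563}


def parse_connect_request(raw: bytes):
    """Parse the request line of a CONNECT request; return (host, port) or None."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)


def _pipe(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(conn, allowed):
    """One proxy connection: validate CONNECT, enforce the port allow-list, relay."""
    with conn:
        target = parse_connect_request(conn.recv(4096))
        if target is None:
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            return
        host, port = target
        if port not in allowed:  # the proxy_connect_allow check
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        try:
            upstream = socket.create_connection((host, port), timeout=5)
        except OSError:
            conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
            return
        conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
        with upstream:
            t = threading.Thread(target=_pipe, args=(upstream, conn), daemon=True)
            t.start()
            _pipe(conn, upstream)
            t.join()


def _serve(handler):
    """Bind a loopback listener on a free port and hand accepted sockets to handler."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(c,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the origin server: echoes its input upper-cased."""
    def echo(c):
        with c:
            while data := c.recv(4096):
                c.sendall(data.upper())
    return _serve(echo)


def start_proxy(allowed=ALLOWED_PORTS):
    """Start the CONNECT proxy on loopback; returns its port."""
    return _serve(lambda c: handle_client(c, allowed))


def connect_through_proxy(proxy_port, host, port, payload=b"ping"):
    """Client side of the handshake: (status line, bytes received through the tunnel)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        status = s.recv(4096).split(b"\r\n", 1)[0].decode()
        if not status.startswith("HTTP/1.1 200"):
            return status, b""
        s.sendall(payload)
        return status, s.recv(4096)


if __name__ == "__main__":
    origin = start_echo_server()
    proxy = start_proxy({origin})  # allow only the constructed origin's port
    print(connect_through_proxy(proxy, "127.0.0.1", origin))  # ('HTTP/1.1 200 Connection Established', b'PING')
    print(connect_through_proxy(proxy, "127.0.0.1", 25))      # ('HTTP/1.1 403 Forbidden', b'')
</test>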
Mail proxy configuration
1. Append a stream block at the end of nginx.conf:

stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /weblogs/nginx/nginx_proxy.log proxy;
    include vhost/*.stream;
}

Note: stream is a top-level block. It must sit at the same level as the http block (not inside it), which is why it is appended at the end of the configuration file.

2. Add the mail proxy configuration in a file matched by the include above (vhost/*.stream):

server {
    listen 25;
    proxy_pass smtp.sseinfo.com:25;
}
Client configuration http/https
1. Proxy settings for http/https: add the following to /etc/profile
   export http_proxy=10.10.11.193:9999
   export https_proxy=10.10.11.193:9999
   # source /etc/profile
2. Test commands (on the client)
   Test http through the proxy:
   # curl -I http://www.baidu.com -v -x 10.10.11.93:10080
   > Host: www.baidu.com
   Test https through the proxy:
   # curl -I https://www.baidu.com -v -x 10.10.11.93:10080
   > Host:
Mail proxy (client side)
Method 1: add an /etc/hosts entry on the client that resolves the mail domain name to the forward proxy IP.
Method 2: replace the mail domain name with the forward proxy IP in the corresponding mail configuration.