nginx forward proxy http/https and proxy mail service

Keywords: Linux Nginx OpenSSL curl network

  • Background:

In the company's intranet environment, hosts cannot connect to the external network directly. Internal services must reach the Internet through a forward proxy.


  • Installation environment preparation:

Nginx itself does not support forwarding HTTPS requests (the HTTP CONNECT method). To make nginx do this we use the third-party module ngx_http_proxy_connect_module. The module's project page is: https://github.com/chobits/ngx_http_proxy_connect_module

Installation media versions:

    pcre-8.38.tar.gz
    nginx-1.12.2.tar.gz
    ngx_http_proxy_connect_module-master.zip


  • Setup steps

1. Create the nginx account

# groupadd -g 9996 nginx
# useradd -u 9996 -g 9996 nginx -s /sbin/nologin

2. Unpack the archives

# cd /opt
# tar xf pcre-8.38.tar.gz
# tar xf nginx-1.12.2.tar.gz
# unzip ngx_http_proxy_connect_module-master.zip

3. Install the build dependencies (skip any that are already present)

# yum install -y gcc gcc-c++ openssl openssl-devel

4. Install pcre

# cd /opt/pcre-8.38
# ./configure --prefix=/usr/local/pcre
# make && make install

5. Apply the ngx_http_proxy_connect_module patch to the nginx source; switch to the unpacked nginx directory first

# cd /opt/nginx-1.12.2
# patch -p1 < /opt/ngx_http_proxy_connect_module-master/patch/proxy_connect.patch

6. Build and install nginx

# ./configure --prefix=/etc/nginx1.12.2 --with-http_ssl_module --with-pcre=/opt/pcre-8.38 --add-module=/opt/ngx_http_proxy_connect_module-master  --pid-path=/var/run/  --with-mail --with-stream
# make && make install

7. Verify the build (the output must list the ssl module and the --add-module path)

# /etc/nginx1.12.2/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) 
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx1.12.2 --with-http_ssl_module --with-pcre=/opt/pcre-8.38 --add-module=/opt/ngx_http_proxy_connect_module-master --pid-path=/var/run/ --with-mail --with-stream


  • http/https proxy configuration


server {

    resolver 114.114.114.114;  # DNS server used to resolve the target hosts
    listen 10080;              # listening port of the proxy
    resolver_timeout 10s;      # DNS timeout
    proxy_connect;             # enable the HTTP CONNECT method
    proxy_connect_allow            443 563;  # ports that CONNECT tunnels may target
    proxy_connect_connect_timeout  10s;      # timeout for connecting to the target
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;
    access_log  /weblogs/nginx/proxy.access.log;
    error_log   /weblogs/nginx/proxy.error.log;

    location / {
        proxy_pass $scheme://$http_host$request_uri;
        proxy_set_header Host $http_host;

        proxy_buffers 256 4k;
        proxy_max_temp_file_size 0;

        proxy_connect_timeout 30s;

        #allow 127.0.0.1;  # IP restrictions: uncomment to limit which clients may use the proxy
        #deny all;
    }
}

  • Mail proxy configuration


1. Add a stream block at the end of nginx.conf

stream {

    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /weblogs/nginx/nginx_proxy.log proxy;

    include vhost/*.stream;
}

Note: the stream block must sit at the same level as the http block (a top-level context in nginx.conf), not inside it.

2. Add the mail proxy configuration (a file matched by the include above, i.e. vhost/*.stream)

server {
    listen       25;
    proxy_pass   smtp.sseinfo.com:25;
}
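As an added example (not part of the original post), the following minimal complete nginx.conf puts the forward-proxy server block and the SMTP stream server from the two sections above together and restricts who may use them, which the original leaves commented out: without allow/deny, any host that can reach port 10080 or port 25 can relay traffic or mail through this machine. The intranet range 10.10.0.0/16, the user/worker settings and the choice to inline the vhost/smtp.stream contents are assumptions; the ports, resolver, log paths and mail server hostname are the page's own values.

```nginx
# Added example, not the original post's configuration.
# Assumptions: intranet range 10.10.0.0/16, nginx user, one worker.

user  nginx;
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    server {
        listen 10080;
        resolver 114.114.114.114;
        resolver_timeout 10s;

        # ngx_http_access_module: only intranet clients may use the proxy;
        # any other source address is answered with 403.
        allow 10.10.0.0/16;
        deny  all;

        # CONNECT (https) tunnels may only target these ports; a CONNECT
        # to any other port is rejected by the module.
        proxy_connect;
        proxy_connect_allow            443 563;
        proxy_connect_connect_timeout  10s;
        proxy_connect_read_timeout     10s;
        proxy_connect_send_timeout     10s;

        access_log /weblogs/nginx/proxy.access.log;
        error_log  /weblogs/nginx/proxy.error.log;

        # Plain http:// requests are forwarded to the host named in the request.
        location / {
            proxy_pass $scheme://$http_host$request_uri;
            proxy_set_header Host $http_host;
            proxy_buffers 256 4k;
            proxy_max_temp_file_size 0;
            proxy_connect_timeout 30s;
        }
    }
}

stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /weblogs/nginx/nginx_proxy.log proxy;

    # Contents of vhost/smtp.stream, shown inline here instead of via include.
    server {
        listen 25;
        # ngx_stream_access_module: same allow/deny semantics as in the http
        # context, so only intranet hosts can relay mail through this port.
        allow 10.10.0.0/16;
        deny  all;
        proxy_pass smtp.sseinfo.com:25;
    }
}
```

Validate the file with `/etc/nginx1.12.2/sbin/nginx -t -c /path/to/nginx.conf` before reloading. A rejected client shows up in proxy.access.log with status 403, and a CONNECT to a port outside proxy_connect_allow is refused, so both log files are worth watching for unexpected source addresses.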

  • Client configuration (http/https)

1. Proxy settings for http/https

Add the following to /etc/profile, then reload it:

export http_proxy=10.10.11.193:9999
export https_proxy=10.10.11.193:9999

# source /etc/profile

2. Test command (on the client)

Test the HTTP proxy:
 
# curl -I http://www.baidu.com -v -x 10.10.11.93:10080
> Host: www.baidu.com
 
Test the HTTPS proxy:
 
# curl -I https://www.baidu.com -v -x 10.10.11.93:10080
> Host:

  • Mail proxy

Method 1: add an entry to the client's /etc/hosts that resolves the mail server's hostname to the forward proxy IP
Method 2: change the mail server domain name to the forward proxy IP in the corresponding mail client configuration

Posted by nats on Thu, 21 May 2020 07:53:45 -0700