两台虚拟机配置nginx反向代理和squid正向代理
爱迪生
由于工作需要搭建一个前端代理服务器(外网)一台,后端web服务器(内网)两台。说话要配个图才能更好的理解:
看第一张图就行了,我的代理是用nginx做反向代理,其实nginx也可以做正向代理,本来打算只用nginx的,但是因为nginx不支持https的正向代理,在网上查了好多资料,虽然有办法解决,但是看nginx官网说作者不打算在后续的版本增加nginx的https正向代理功能,又从网上查了好多都说nginx是为反向代理而生的,正向代理并不是它的特长,看有人推荐用squid做正向代理,并且支持多种连接协议。多提一句,做正向代理squid的效率比nginx要差很多,这个是从网上查的,没有具体实验。所以最终就采用nginx做反向代理,采用squid做正向代理,同时部署在有外网的服务器上监听不同的端口就可以了。下面是具体的配置文件信息:
先看下外网服务器的网卡配置信息:
eth0网卡配置:
eth1网卡配置:
网关配置:
下面是nginx配置文件信息:
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
upstream mysvr {
server 192.168.10.129:8080;
# server 192.168.10.121:3333 backup; #?.?
}
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
proxy_pass http://mysvr; #璇锋?杞..mysvr 瀹.??..?″.?.〃
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}接着是squid配置文件信息:
acl manager proto cache_object acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.10.1/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # # Recommended minimum Access Permission configuration: # # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # Only allow cachemgr access from localhost http_access allow localhost manager http_access deny manager # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost http_access deny all # Squid normally listens to port 3128 http_port 3128 # Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256 # 缓存目录 cache_dir ufs /usr/local/squid/var/spool/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /usr/local/squid/var/cache/squid # # Add any of your own refresh_pattern entries above these. # refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
其中要注意的就是记得把服务器的转发功能打开,具体配置修改上网查
1.修改/etc/sysctl.conf文件,让包转发功能在系统启动时自动生效:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
2.因为我们的数据库和redis都是1网段的,所以当时还遇到个问题,具体参考:
https://www.oschina.net/question/3335049_2240133
3.有正向代理的情况时,在java代码中也要开配置相关的代理请求:
/**
* 代理服务器
*/
public static final String PROXY_HOST = "192.168.10.128";
/**
* 代理服务器端口
*/
public static final Integer PROXY_PORT = 3128;
static{
System.setProperty("proxySet", "true");
System.setProperty("http.proxyHost", Application.PROXY_HOST);
System.setProperty("http.proxyPort", Application.PROXY_PORT+"");
System.setProperty("https.proxyHost", Application.PROXY_HOST);
System.setProperty("https.proxyPort", Application.PROXY_PORT+"");
}
或者
// 依次是目标请求地址,端口号,协议类型
HttpHost proxy = new HttpHost(Application.PROXY_HOST, Application.PROXY_PORT);
requestConfig = RequestConfig.custom().setProxy(proxy).setSocketTimeout(socketTimeout).setConnectTimeout(connectTimeout).build();外网的服务器配好了,下面就看下内网的服务器配置信息,工程照常发布就行,主要就是服务器的网络配置正确就没有问题了:
需要注意的就是测试时可以开启临时的代理:
export http_proxy=http://192.168.10.128:3128
export https_proxy=http://192.168.10.128:3128
这样就可以了。今天就写到这里,如果有什么遗漏的地方请评论指出。
相关推荐
scaleqiao 2020-10-22
SZStudy 2020-07-04
ssihc0 2020-06-14
某些公司会墙特定网站,如果你有一个可访问的域名和服务器,就可以通过nginx反向代理来来解决这些问题。比如现在我们用mirror.example.com镜像www.baidu.com,以下是详细操作。
byourb 2020-06-05
阳光岛主 2020-06-01
岁月如歌 2020-04-15
carolAnn 2020-04-14
Strongding 2020-04-08
ysmh00 2020-03-27
APCDE 2020-02-21
Freshairx 2020-02-19
tinydu 2020-02-12
carolAnn 2020-02-01
liwf 2020-01-13
nginxs 2020-01-05
Caleb0 2019-12-27
Strongding 2019-12-24