The figure above shows several ways a private network reaches the public network; they are explained below.
How a proxy is implemented
The difference between a forward proxy and a reverse proxy
Function: proxies the backend web server
Configuration for proxying the backend web server
Specific configuration
proxy_pass http://192.168.81.210;
Function: rewrites the values of the Location and Refresh header fields in the response returned by the web server
https://blog.csdn.net/weixin_44953658/article/details/105494108
URL redirect configuration
Specific configuration
proxy_redirect http://192.168.1.154:8080/wuman/ http://www.boke.com/wuman/;
Syntax: proxy_set_header field value;
Default: proxy_set_header HOST $proxy_host;
proxy_set_header Connection close;
Context: http, server, location
If the web server has several virtual hosts configured, this directive must be set; without it only the site that sorts first (a-z) in the configuration directory is served
When a user sends a request, HOST carries know.com, i.e. what was typed in the URL, so the request the proxy forwards to the backend also carries know.com
proxy_set_header HOST $http_host;
Puts the value of $remote_addr into the X-Real-IP header; $remote_addr is the client's IP, so the backend can log the client's access IP
proxy_set_header X-Real-IP $remote_addr;
When a client reaches the backend through the proxy, the backend uses this header to record the real client address; without the configuration below, the nginx server logs the proxy server's IP instead of the client's
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Timeout for the Nginx proxy to connect to the backend server
If a TCP connection to the backend cannot be established within the given time, the attempt is dropped
Timeout configuration
proxy_connect_timeout 60s;
Time the Nginx proxy waits for the backend server's response
A TCP connection to the backend is established, but the backend does not return the corresponding page within the given time, so the connection is closed
Response timeout configuration
proxy_read_timeout 60s;
Timeout for the backend server to send data back to the nginx proxy
The TCP connection to the backend is established and the response has begun, but no content arrives within the given time, so the connection is closed
Send-back timeout configuration
proxy_send_timeout 60s;
nginx first puts the content returned by the backend into a buffer and then passes it on to the client, forwarding as it receives rather than waiting for the whole response before sending; a cache, by contrast, receives everything before sending to the client
Proxy buffering configuration
proxy_buffering on;
Sets the size of the buffer the nginx proxy uses to hold the user's header information
That is, the size of the area holding the buffered data
Buffer size configuration
proxy_buffer_size 128k;
Sets the number and size of buffers
Buffer configuration
proxy_buffers 4 128k;
Commonly used proxy settings can be put in a separate file and pulled in with include, which keeps the configuration from looking cluttered, but my personal habit is still to write them out, to build familiarity
vim /etc/nginx/proxy_params
proxy_set_header HOST $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_read_timeout 60;
proxy_send_timeout 60;
proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;
Supreme Court reverse proxy: commonly used configuration
client_max_body_size 200m;
proxy_redirect off;
proxy_set_header Host $host:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_connect_timeout 30;
proxy_send_timeout 30;
proxy_read_timeout 60;
proxy_buffer_size 256k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_next_upstream error timeout invalid_header http_500 http_404;
proxy_max_temp_file_size 128m;
proxy_pass http://;
| Role | Public IP | Private IP | NIC type |
|---|---|---|---|
| proxy | eth0:192.168.81.210 | ens33:172.16.1.100 | vm8, vm1 |
| web | eth0:192.168.81.220 | ens33:172.16.1.200 | vm1 |
| client | 192.168.81.1 | no private IP | vm8 |
The proxy server has two NICs: vm8 (192.168.81.210) is the public address that talks to the client, and vm1 (172.16.1.100) is the private address that talks to the web server
The web server also has two NICs: vm1 (172.16.1.200) connects to the proxy, and vm8 connects to the client, mainly so Xshell can reach it
If Nginx should accept requests only from a particular network segment, put the IP to bind to after listen, similar to IP-based access control; once set, only hosts on that segment can reach the server
Note: be sure to disable the client's vm1 NIC, otherwise every entry in the log shows a 172 address (because vm1 is on the same segment as the web server); make sure the client cannot ping hosts on the 172 segment. If vm1 stays enabled, then even with listen bound to 172.16.1.200 only, the client can still reach 172.16.1.200 directly, because it is on the same segment
With vm1 disabled, the desired effect is achieved
[root@localhost ~]# cat /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx
baseurl=http://nginx.org/packages/centos/7/$basearch
enabled=1
gpgcheck=0
[root@localhost ~]# yum -y install nginx
[root@localhost conf.d]# vim www_know.conf
#www.know.com
server {
listen 172.16.1.200:80;
server_name www.know.com;
access_log /nginx_log/www_know_access.log main;
location / {
root /web/know;
index index.html;
#allow 172.16.1.100;
#deny all;
}
location /download {
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
auth_basic "后端文件系统";
auth_basic_user_file /etc/nginx/.auth_passwd;
}
}
Only the proxy server's 172.16.1. segment can reach this host; with the allow/deny lines uncommented, only 172.16.1.100 can
If you change the listen directive, restart the service, otherwise the change does not take effect
Restart the service:
[root@localhost conf.d]# systemctl restart nginx
[root@localhost conf.d]# vim www_know_proxy.conf
server {
listen 80;
server_name www.know.com;
location / {
proxy_pass http://172.16.1.200:80;
}
}
Reload nginx
[root@localhost conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost conf.d]# systemctl reload nginx
Configure the client's hosts file, using the proxy server's public IP
192.168.81.210 www.know.com
Proxy server
192.168.81.1 - - [14/Apr/2020:18:01:45 +0800] "GET /images/b.jpg HTTP/1.1" 404 555 "http://www.know.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36"
Web server
172.16.1.100 - - [14/Apr/2020:18:01:45 +0800] "GET /images/b.jpg HTTP/1.0" 404 555 "http://www.know.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "-"
Note: first add $http_x_forwarded_for to the log format defined in nginx.conf
server {
listen 80;
server_name www.know.com;
location / {
proxy_pass http://172.16.1.200:80;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Log output
No change on the proxy server
192.168.81.1 - - [14/Apr/2020:18:21:14 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36"
The web server's last column now contains the client's source IP
172.16.1.100 - - [14/Apr/2020:18:23:37 +0800] "GET / HTTP/1.0" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "192.168.81.1"
Web server configuration
[root@localhost conf.d]# vim www_know.conf
server {
listen 172.16.1.200:8080;
server_name www.know.com;
access_log /nginx_log/www_know_access.log main;
location / {
root /web/know;
index index.html;
#allow 172.16.1.100;
#deny all;
}
}
[root@localhost conf.d]# systemctl restart nginx
Proxy server configuration
[root@localhost conf.d]# vim www_know_proxy.conf
server {
listen 80;
server_name www.know.com;
location / {
proxy_pass http://172.16.1.200:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Configure know.com
[root@localhost conf.d]# vim www_know.conf
server {
listen 172.16.1.200:80;
server_name www.know.com;
access_log /nginx_log/www_know_access.log main;
location / {
root /web/know;
index index.html;
#allow 172.16.1.100;
#deny all;
}
}
Configure WordPress
[root@localhost conf.d]# vim wordpress.conf
server {
listen 172.16.1.200:80;
server_name jiang.wordpress.com;
root /web/wordpress;
index index.php index.html;
access_log /nginx_log/jiang_wordpress_access.log main;
location ~ \.php$ {
root /web/wordpress;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
Reload nginx
[root@localhost conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost conf.d]# systemctl reload nginx
Configure the proxy for the know site
[root@localhost conf.d]# vim www_know_proxy.conf
server {
listen 80;
server_name www.know.com;
access_log /nginx_log/www_know_proxy.log main;
location / {
proxy_pass http://172.16.1.200:80;
proxy_set_header HOST $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Configure the proxy for the WordPress site
[root@localhost conf.d]# vim jiang_wordpress_proxt.conf
#jiang.wordpress.com
server {
listen 80;
server_name jiang.wordpress.com;
access_log /nginx_log/jiang_wordpress_proxy.log main;
location / {
proxy_pass http://172.16.1.200:80;
proxy_set_header HOST $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_read_timeout 60;
proxy_send_timeout 60;
proxy_buffering on;
proxy_buffer_size 128k;
proxy_buffers 4 128k;
}
}
Restart the nginx service
[root@localhost conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@localhost conf.d]# systemctl restart nginx
To see the effect, add $http_host to the log format
Proxy side
[root@localhost conf.d]# vim /etc/nginx/nginx.conf
log_format main '$remote_addr - $http_host - $remote_user [$time_local] $http_host $msec "$request" $request_time '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
Log output
www.know.com
192.168.81.1 - www.know.com - admin [14/Apr/2020:22:24:15 +0800] www.know.com 1586874255.239 "GET / HTTP/1.1" 0.002 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "-"
jiang.wordpress.com
192.168.81.1 - jiang.wordpress.com - - [14/Apr/2020:22:25:25 +0800] jiang.wordpress.com 1586874325.404 "GET / HTTP/1.1" 3.007 200 18460 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "-"
Web side
[root@localhost conf.d]# vim /etc/nginx/nginx.conf
log_format main '$remote_addr - $http_host - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
Log output
www.know.com
172.16.1.100 - www.know.com - admin [14/Apr/2020:22:27:08 +0800] "GET / HTTP/1.0" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "192.168.81.1"
jiang.wordpress.com
172.16.1.100 - jiang.wordpress.com - - [14/Apr/2020:22:27:46 +0800] "GET / HTTP/1.0" 200 18447 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36" "192.168.81.1"
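As an added example that is not part of the original post, the following Python ties the X-Forwarded-For explanation above together with the web-side log format shown here: it reproduces what $proxy_add_x_forwarded_for yields, parses lines in that log_format, and recovers the client IP by treating only the proxy's private address 172.16.1.100 from the post's topology as a trusted forwarding hop, because the header itself can be sent by the client and anything left of a trusted proxy's own addition must not be believed. The sample log lines are constructed; the shortened user agents and the extra addresses in the X-Forwarded-For field are my additions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the web-side log_format from this post; user agents
# are shortened and the extra X-Forwarded-For addresses are made up.
SAMPLE_LOG = """\
172.16.1.100 - www.know.com - admin [14/Apr/2020:22:27:08 +0800] "GET / HTTP/1.0" 304 0 "-" "Mozilla/5.0" "192.168.81.1"
172.16.1.100 - www.know.com - - [14/Apr/2020:22:30:01 +0800] "GET /admin HTTP/1.0" 200 512 "-" "curl/7.64" "10.0.0.5, 192.168.81.1"
172.16.1.200 - www.know.com - - [14/Apr/2020:22:31:12 +0800] "GET / HTTP/1.0" 200 12 "-" "curl/7.64" "1.2.3.4"
"""
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<http_host>\S+) - (?P<remote_user>\S+) '
    r'\[(?P<time_local>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<body_bytes_sent>\d+) "(?P<http_referer>[^"]*)" '
    r'"(?P<http_user_agent>[^"]*)" "(?P<http_x_forwarded_for>[^"]*)"$'
)
# The only hop allowed to vouch for a client: the proxy's private NIC from the post.
TRUSTED_PROXIES = [ip_network("172.16.1.100/32")]

def proxy_add_x_forwarded_for(incoming_xff: str, remote_addr: str) -> str:
    """What nginx's $proxy_add_x_forwarded_for yields: the incoming header (if any)
    with $remote_addr appended, so the TCP peer is always the rightmost entry."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def client_ip(remote_addr: str, xff: str) -> str:
    """Walk the chain from the right, skipping trusted proxies; the first other hop is
    the client. Anything left of it is client-supplied and must not be trusted."""
    hops = [] if xff in ("", "-") else [h.strip() for h in xff.split(",")]
    hops.append(remote_addr)  # the TCP peer, which nobody upstream can forge
    for hop in reversed(hops):
        try:
            trusted = any(ip_address(hop) in net for net in TRUSTED_PROXIES)
        except ValueError:
            trusted = False  # malformed hop: report it verbatim, trust nothing beyond it
        if not trusted:
            return hop
    return hops[0]  # every hop was one of our proxies

def parse_log(text: str) -> list:
    """Parse log lines in the post's format and attach the resolved client IP."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines in another format are skipped rather than misread
            row = m.groupdict()
            row["client_ip"] = client_ip(row["remote_addr"], row["http_x_forwarded_for"])
            rows.append(row)
    return rows
```

The third sample line shows why the peer check matters: a request that reaches the web server directly on 172.16.1.200 carries an X-Forwarded-For the web server never vouched for, so the logged peer, not the header, is reported.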
Commonly used proxy parameters are usually put in a dedicated file and pulled in with include where needed
[root@localhost nginx]# vim proxy_params
proxy_set_header HOST $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffering on;
proxy_buffer_size 128k;
proxy_buffers 4 128k;
[root@localhost nginx]# vim conf.d/www_know_proxy.conf
server {
listen 80;
server_name www.know.com;
access_log /nginx_log/www_know_proxy.log main;
location / {
include proxy_params; # make sure proxy_params sits in the directory above conf.d; otherwise use the absolute path: include /etc/nginx/proxy_params
}
}
1. Check whether the web server can serve requests
Check the configuration file
server {
listen 80;
server_name www.know.com;
location / {
root /web/know;
index index.html;
}
}
Determine the error type from the log
Check that the site directory and index file exist, and check the directory owner
Check that the nginx service is running
2. Check the proxy server configuration
Check the configuration file
server {
listen 80;
server_name www.know.com;
location / {
proxy_pass http://172.16.1.200:80;
include /etc/nginx/proxy_params;
}
}
Check DNS resolution
The proxy configuration is correct and the web server configuration is correct, yet proxying still does not work
Workaround: configure the request headers on the web server as well, and remove them once it works
server {
listen 80;
server_name www.know.com;
location / {
root /web/know;
index index.html;
include proxy_params;
}
}
The proxy's port 80 can map to port 80 on several backends
The frontend's port 80 can map to different backend ports