Configuring nginx as a forward proxy with password authentication

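I use an HTTP/HTTPS forward proxy for some special access needs. Exposing it directly is insecure, so password authentication has to be added. I tried many approaches and this one finally worked, so I am recording it here.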

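Building nginx

Add the HTTPS support module. The authentication uses a Lua script, so the OpenResty libraries also need to be integrated.

1. Install OpenResty

Official installation instructions (Debian)

My system currently runs Debian, so I simply followed them. For other systems, refer to the official documentation.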

# 1. install some prerequisites needed by adding GPG public keys (could be removed later):
sudo apt-get -y install --no-install-recommends wget gnupg ca-certificates
# 2. import our GPG key:
wget -O - https://openresty.org/package/pubkey.gpg | sudo apt-key add -
# 3. add our official APT repository (run only the block that matches your CPU architecture).
# x86_64 or amd64 systems
codename=`grep -Po 'VERSION="[0-9]+ \(\K[^)]+' /etc/os-release`

echo "deb http://openresty.org/package/debian $codename openresty" \
    | sudo tee /etc/apt/sources.list.d/openresty.list

# arm64 or aarch64 systems
codename=`grep -Po 'VERSION="[0-9]+ \(\K[^)]+' /etc/os-release`

echo "deb http://openresty.org/package/arm64/debian $codename openresty" \
    | sudo tee /etc/apt/sources.list.d/openresty.list

# 4. update the APT index and install OpenResty:
sudo apt-get update
sudo apt-get -y install openresty

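2. Install LuaJIT

Install it and configure the related environment


# Download the package and extract it, then build and install
cd luajit2-2.1-20220411
make install PREFIX=/usr/local/LuaJIT

# Configure environment variables: add the two export lines below to ~/.profile, then reload it
# (the paths must match the PREFIX used for "make install" above)
vim ~/.profile
export LUAJIT_LIB=/usr/local/LuaJIT/lib
export LUAJIT_INC=/usr/local/LuaJIT/include/luajit-2.1
source ~/.profile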

3. Compile nginx and add the required modules

The following modules are required; any that are already installed can be skipped
nginx version: 1.20.2
ngx_http_proxy_connect_module (0.0.2) github-proxy-connect
lua-nginx-module (0.10.20) github-lua-nginx-module
ngx_devel_kit (0.3.1) github-ngx_devel_kit

# Compile nginx
# Note: ngx_http_proxy_connect_module also requires patching the nginx source before
# running ./configure; see the module's README for the patch that matches your nginx version
./configure \
    --prefix=/etc/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid \
    --lock-path=/var/run/nginx.lock \
    --http-client-body-temp-path=/var/cache/nginx/client_temp \
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
    --user=nginx --group=nginx \
    --with-compat --with-file-aio --with-threads \
    --with-http_addition_module --with-http_auth_request_module \
    --with-http_dav_module --with-http_flv_module \
    --with-http_gunzip_module --with-http_gzip_static_module \
    --with-http_mp4_module --with-http_random_index_module \
    --with-http_realip_module --with-http_secure_link_module \
    --with-http_slice_module --with-http_ssl_module \
    --with-http_stub_status_module --with-http_sub_module \
    --with-http_v2_module \
    --with-mail --with-mail_ssl_module \
    --with-stream --with-stream_realip_module \
    --with-stream_ssl_module --with-stream_ssl_preread_module \
    --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' \
    --add-module=/opt/ngx-fancyindex-0.5.2 \
    --add-module=/opt/ngx_http_proxy_connect_module-0.0.2 \
    --add-module=/opt/lua-nginx-module-0.10.20 \
    --add-module=/opt/ngx_devel_kit-0.3.1
# Build only; do not install directly
make

# Try the new binary from the build output directory (objs/) first; otherwise nginx may fail to start in some situations

4. Configure the nginx forward proxy and password

The changes are mainly in nginx.conf

# Fixes the error: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: module 'resty.core' not found
 http{

 lua_package_path "/usr/local/openresty/lualib/?.lua;";
 }

# nginx forward proxy configuration
 server {
    listen                         16888;
    # dns resolver used by forward proxying
    resolver                       180.76.76.76;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow            443 80;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;
    auth_basic "Authorized";
    auth_basic_user_file passwd; 
    rewrite_by_lua_file proxy_auth.lua;

    # forward proxy for non-CONNECT request
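    location / {
        proxy_ssl_server_name on;
        proxy_pass http://$host;
        proxy_set_header Host $host;
        # proxy_hide_header only filters upstream response headers; clear the
        # request headers instead so the proxy credentials never reach the origin
        proxy_set_header Authorization "";
        proxy_set_header Proxy-Authorization "";
    }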
}

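Generating passwd

htpasswd -c -d /etc/nginx/passwd username
# After entering the password, the passwd file is generated
# Note: -d selects crypt() hashing, which only uses the first 8 characters of the password

proxy_auth.lua

touch proxy_auth.lua
vim proxy_auth.lua
# Insert the following content
-- check Proxy-Authorization for https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407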
if not ngx.var.http_proxy_authorization then
	ngx.header["Proxy-Authenticate"] = "Basic realm=\"Access to internal site\""
	ngx.exit(407)
end

-- transfer Proxy-Authorization header to Authorization for auth basic module
ngx.req.set_header("Authorization", ngx.var.http_proxy_authorization)

5. Verify after starting

curl -x 127.0.0.1:16888 https://www.baidu.com -U username:password
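
A repeatable version of the check above, as an added example that is not part of the original post: it confirms that both the CONNECT path and the plain-HTTP "location /" path refuse requests without valid credentials. The function names and the plain-HTTP test URL are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the plain-HTTP
# test URL are assumptions; host, port and HTTPS URL follow the post.

# probe PROXY URL [USER:PASS] -> prints the status code seen through the proxy.
# https:// URLs make curl send CONNECT, so read %{http_connect};
# http:// URLs go through "location /", so read %{http_code}.
probe() {
    case "$2" in
        https://*) fmt='%{http_connect}' ;;
        *)         fmt='%{http_code}' ;;
    esac
    # curl exits non-zero when CONNECT is refused; the code is still printed.
    if [ -n "${3:-}" ]; then
        curl -s -o /dev/null -m 10 -w "$fmt" -x "$1" -U "$3" "$2" || true
    else
        curl -s -o /dev/null -m 10 -w "$fmt" -x "$1" "$2" || true
    fi
}

# check_proxy_auth PROXY USER:PASS -> returns 0 only if both paths enforce auth.
check_proxy_auth() {
    rc=0
    for url in https://www.baidu.com http://www.baidu.com; do
        anon=$(probe "$1" "$url")
        bad=$(probe "$1" "$url" "${2%%:*}:wrong-$$")
        good=$(probe "$1" "$url" "$2")
        # No credentials: proxy_auth.lua must answer 407.
        [ "$anon" = 407 ] || { echo "FAIL $url anonymous -> $anon"; rc=1; }
        # Wrong password: auth_basic should refuse (401; 407 also counts).
        case "$bad" in
            401|407) ;;
            *) echo "FAIL $url wrong password -> $bad"; rc=1 ;;
        esac
        # Valid credentials: must not be refused or left unanswered (000).
        case "$good" in
            401|407|000|'') echo "FAIL $url valid login -> $good"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: sh check_proxy.sh 127.0.0.1:16888 username:password
if [ "$#" -ge 2 ]; then
    check_proxy_auth "$1" "$2"
fi
```

A non-zero exit status means at least one path answered a request it should have refused, or rejected the valid login.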

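P.S. The related plugins have been packaged; if downloading them individually is inconvenient, you can download the bundle directly
CSDN download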
