Nginx内外网代理配置记录

一、背景

        客户现场内网服务器不提供外网环境,仅在另一台服务器上提供外网访问权限,所以需要通过网络代理的方式,将内网服务器需要访问的外网请求代理到外网服务器去受理。

二、解决

        如此流程需要用到两台服务器,所以对应的也需要两套Nginx配置。

1、内网服务器配置

        内网Nginx,它的作用是拦截需要访问的外网请求,然后转发到外网服务器。为了方便拦截,还需要将目标外网地址的域名解析在本机hosts文件单独配置会本机IP。

        本机hosts文件路径:C:\Windows\System32\drivers\etc

        本机hosts文件配置如下:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

127.0.0.1 ocr.tencentcloudapi.com
127.0.0.1 aip.baidubce.com

        笔者要访问腾讯云和百度云的接口,所以将两个域名进行了回环解析配置,这样在访问这两个域名时,实际请求的地址为本机ip。

        接下来进行内网nginx配置,文件路径:nginx-1.19.7\conf\nginx.conf

worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    #请求体缓存大小 
    client_body_buffer_size 100m;
    #上传文件的大小限制  默认1m
    client_max_body_size 100m;
    # HTTPS server
    server {
        listen  443 ssl;
        server_name  ocr.tencentcloudapi.com aip.baidubce.com;

        ssl_certificate      cert/https.crt;
        ssl_certificate_key  cert/https.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            proxy_pass http://192.168.5.147:8039;
            proxy_redirect off;
            proxy_set_header Host $host;
			proxy_connect_timeout 60;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwared-Proto $scheme; 
        }  
    }
}

        核心配置只有 server 节点中,监听 https 请求 443 端口,识别到访问的是两个域名则转发到下面 location 配置的 ip 中。

2、外网服务器配置

        外网Nginx主要作用就是将收集到的请求进行真实访问即可,配置如下

worker_processes  1;
events {
    worker_connections  1024;
}
http {
    resolver 8.8.8.8;
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    #请求体缓存大小 
    client_body_buffer_size 100m;
    #上传文件的大小限制  默认1m
    client_max_body_size 100m;
    #gzip  on;
    server {
        # 配置防火墙开启的端口号
        listen 8039;
        server_name ocr.tencentcloudapi.com aip.baidubce.com;
        access_log  logs/host.access.log;
        location / {
            proxy_pass https://$host$request_uri;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwared-Proto $scheme; 
        }       
    }
}

        拦截8039收集到的请求,然后识别是目标两个域名则进行域名拼接直接访问

三、总结

        至此,整个内网服务器转发访问外网请求配置结束,实际测试通过访问内网服务器的软件成功实现对应功能即为访问通过。需要额外注意的是关于Nginx中SSL证书的配置,使用Open SSL或者付费网站生成证书即可。

你可能感兴趣的:(Nginx,nginx,运维)