tmtongming 2017-05-08
爱迪生
由于工作需要搭建一个前端代理服务器(外网)一台,后端web服务器(内网)两台。说话要配个图才能更好的理解:
看第一张图就行了,我的代理是用nginx做反向代理,其实nginx也可以做正向代理,本来打算只用nginx的,但是因为nginx不支持https的正向代理,在网上查了好多资料,虽然有办法解决,但是看nginx官网说作者不打算在后续的版本增加nginx的https正向代理功能,又从网上查了好多都说nginx是为反向代理而生的,正向代理并不是它的特长,看有人推荐用squid做正向代理,并且支持多种连接协议。多提一句,做正向代理squid的效率比nginx要差很多,这个是从网上查的,没有具体实验。所以最终就采用nginx做反向代理,采用squid做正向代理,同时部署在有外网的服务器上监听不同的端口就可以了。下面是具体的配置文件信息:
先看下外网服务器的网卡配置信息:
eth0网卡配置:
eth1网卡配置:
网关配置:
下面是nginx配置文件信息:
#user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; upstream mysvr { server 192.168.10.129:8080; # server 192.168.10.121:3333 backup; #?.? } server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root html; index index.html index.htm; proxy_pass http://mysvr; #璇锋?杞..mysvr 瀹.??..?″.?.〃 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } }
接着是squid配置文件信息:
acl manager proto cache_object acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.10.1/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # # Recommended minimum Access Permission configuration: # # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports # Only allow cachemgr access from localhost http_access allow localhost manager http_access deny manager # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed http_access allow localnet http_access allow localhost http_access deny all # Squid normally listens to port 3128 http_port 3128 # Uncomment and adjust the following to add a disk cache directory. #cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256 # 缓存目录 cache_dir ufs /usr/local/squid/var/spool/squid 100 16 256 # Leave coredumps in the first cache dir coredump_dir /usr/local/squid/var/cache/squid # # Add any of your own refresh_pattern entries above these. # refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
其中要注意的就是记得把服务器的转发功能打开,具体配置修改上网查
1.修改/etc/sysctl.conf文件,让包转发功能在系统启动时自动生效:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
2.因为我们的数据库和redis都是1网段的,所以当时还遇到个问题,具体参考:
https://www.oschina.net/question/3335049_2240133
3.有正向代理的情况时,在java代码中也要开配置相关的代理请求:
/** * 代理服务器 */ public static final String PROXY_HOST = "192.168.10.128"; /** * 代理服务器端口 */ public static final Integer PROXY_PORT = 3128; static{ System.setProperty("proxySet", "true"); System.setProperty("http.proxyHost", Application.PROXY_HOST); System.setProperty("http.proxyPort", Application.PROXY_PORT+""); System.setProperty("https.proxyHost", Application.PROXY_HOST); System.setProperty("https.proxyPort", Application.PROXY_PORT+""); } 或者 // 依次是目标请求地址,端口号,协议类型 HttpHost proxy = new HttpHost(Application.PROXY_HOST, Application.PROXY_PORT); requestConfig = RequestConfig.custom().setProxy(proxy).setSocketTimeout(socketTimeout).setConnectTimeout(connectTimeout).build();
外网的服务器配好了,下面就看下内网的服务器配置信息,工程照常发布就行,主要就是服务器的网络配置正确就没有问题了:
需要注意的就是测试时可以开启临时的代理:
export http_proxy=http://192.168.10.128:3128
export https_proxy=http://192.168.10.128:3128
这样就可以了。今天就写到这里,如果有什么遗漏的地方请评论指出。
某些公司会墙特定网站,如果你有一个可访问的域名和服务器,就可以通过nginx反向代理来来解决这些问题。比如现在我们用mirror.example.com镜像www.baidu.com,以下是详细操作。