Nginx配置TCP请求转发
背景
有时候内网的服务器需要把服务提供给外网访问,但是这个内网的服务器没有公网ip,所以可以在一台有公网ip的nginx服务器配置TCP请求转发,把内网服务的端口映射出来到公网
Nginx配置TCP转发
1.编译安装 stream 组件
如果你的nginx为源码编译,需要增加以下编译参数
./configure --with-stream
如果你的nginx为yum直接安装的,需要检查相关编译参数是否含有--with-stream
如下的 --with-stream=dynamic
# /usr/sbin/nginx -V
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.1.1g FIPS 21 Apr 2020 (running with OpenSSL 1.1.1k FIPS 25 Mar 2021)
TLS SNI support enabled
configure arguments:
--prefix=/usr/share/nginx
--sbin-path=/usr/sbin/nginx
--modules-path=/usr/lib64/nginx/modules
--conf-path=/etc/nginx/nginx.conf
...
--with-stream=dynamic
...
2.配置TCP转发
TCP转发主配置文件
添加与http同级配置
如下的 TCP请求转发
include /etc/nginx/tcp.d/*.conf;
# cat /etc/nginx/nginx.conf
# Main nginx configuration. The TCP-forwarding include (tcp.d, below) is placed at
# the main level, next to http{}, because stream{} is a main-context block.
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
# NOTE(review): the `nginx -V` output above shows --with-stream=dynamic, so the
# stream module has to be loaded with a load_module directive before any stream{}
# block is parsed; confirm that one of the module .conf files included here does so,
# otherwise the tcp.d include below fails with an "unknown directive stream" error.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 51024;
}
# TCP request forwarding: every file in tcp.d is expected to contain a stream{}
# block (see /etc/nginx/tcp.d/stream.conf). This include must stay outside http{}.
include /etc/nginx/tcp.d/*.conf;
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#log_format gitlab_access '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio';
#log_format gitlab_mattermost_access '$remote_addr - $remote_user [$time_local] "$request_method $filtered_request_uri $server_protocol" $status $body_bytes_sent "$filtered_http_referer" "$http_user_agent" $gzip_ratio';
access_log /var/log/nginx/access.log main;
# Map used by WebSocket-style proxying: an Upgrade header yields "upgrade",
# an empty one yields "close". Only meaningful where a location references
# $connection_upgrade (not visible in this file).
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
# Hide the nginx version string in the Server header and on error pages.
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/upstreams/*.conf;
# Catch-all server for port 80. "_" is a placeholder name that never matches a
# real Host header; this block only serves as the default for :80 if no server
# in conf.d declares default_server on that port — verify against conf.d.
server {
listen 80;
listen [::]:80;
server_name _;
return 404; # respond 404 for host names that are not served here
#rewrite ^.*$ http://www.baidu.com/ last;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
# The 404 produced by `return 404` above is served from /404.html under root.
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
创建存放配置目录
# mkdir -p /etc/nginx/tcp.d/
TCP转发子配置文件
# cat /etc/nginx/tcp.d/stream.conf
# Author: 麦穗
# TCP (layer-4) forwarding: connections accepted on this host's port 5050 are
# relayed, unmodified, to the internal server in upstream socket_proxy.
stream {
# Upstream that receives the forwarded socket connections.
upstream socket_proxy {
# Client-IP based consistent hashing; with a single server listed below this
# has no visible effect, it only matters once more servers are added.
hash $remote_addr consistent;
# Destination address and port of the forwarded traffic (the internal host).
# max_fails/fail_timeout: after 3 failed attempts the server is considered
# unavailable for 30s.
server 10.40.0.103:5050 weight=5 max_fails=3 fail_timeout=30s;
}
# Forwarding server: anything connecting to port 5050 on this host is proxied to
# the address configured in socket_proxy.
server {
# NOTE(review): `listen 5050` binds on all interfaces of the public host and no
# allow/deny rules are present, so the internal service becomes reachable by any
# client that can reach this host on 5050. Restrict with the stream access module
# (allow/deny) or a host firewall if the service is not meant to be public, and
# remember that nginx forwards the bytes as-is — there is no TLS added here.
listen 5050;
# Time allowed to establish the connection to the upstream server.
proxy_connect_timeout 1s;
# Timeout between two successive read/write operations on either side; the
# connection is closed if no data moves for 3s. NOTE(review): this also cuts
# idle-but-live sessions — confirm 3s suits the protocol served on 5050.
proxy_timeout 3s;
proxy_pass socket_proxy;
}
}