nginx 的四层代理
需要编译四层模块
1 2 3 4 5 6 | [root@python vhast]# cd ~/nginx-1.15.9/[root@python nginx-1.15.9]# ./configure --prefix=/data/web --sbin-path=/usr/bin --user=nginx --group=nginx --with-http_stub_status_module --with-http_auth_request_module --with-http_sub_module --add-module=/root/nginx-http-concat --with-http_addition_module --with-http_secure_link_module --with-http_geoip_module --with-http_ssl_module --add-module=/root/ngx_cache_purge --with-http_slice_module --with-http_v2_module --with-stream[root@python nginx-1.15.9]# make[root@python nginx-1.15.9]# mv /usr/bin/nginx{,.07.19.11.53}[root@python nginx-1.15.9]# cp objs/nginx /usr/bin/[root@python nginx-1.15.9]# cd /data/web/conf/vhast/ |
模块
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | Syntax: stream { ... }Default: —Context: mainSyntax: server { ... }Default: —Context: streamSyntax: listen address:port [ssl] [udp] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];Default: —Context: server |
传输层相关的变量
return模块
1 2 3 | Syntax: return value;Default: —Context: server |
修改配置
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 | [root@python vhast]# cat ../nginx.conf#user nobody;worker_processes 1;#error_log logs/error.log;#error_log logs/error.log notice;#error_log logs/error.log info;#pid logs/nginx.pid;events { worker_connections 1024;} include /data/web/conf/vhast/siceng.con; [root@python vhast]# cat siceng.con stream { error_log logs/stream_error.log debug; server { listen 10002 proxy_protocol; return '10002 server git ip: $remote_addr!\n'; } server { listen 10003 proxy_protocol; return '10003 server git ip: $remote_addr!\n'; } server { listen 10004; #listen 10004 proxy_protocol; return '10004 vars:bytes_received: $bytes_receivedbytes_sent: $bytes_sentproxy_protocol_addr: $proxy_protocol_addrproxy_protocol_port: $proxy_protocol_portremote_addr: $remote_addrremote_port: $remote_portserver_addr: $server_addrserver_port: $server_portsession_time: $session_timestatus : $statusbinary_remote_addr: $binary_remote_addr\n'; }} |
测试
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | [root@python ~]# telnet localhost 10004Trying ::1...telnet: connect to address ::1: Connection refusedTrying 127.0.0.1...Connected to localhost.Escape character is '^]'.10004 vars:bytes_received: 0bytes_sent: 0proxy_protocol_addr: proxy_protocol_port: remote_addr: 127.0.0.1remote_port: 34218server_addr: 127.0.0.1server_port: 10004session_time: 0.000status : 000binary_remote_addr: Connection closed by foreign host. |
proxy_protocol 协议
读取proxy_protocol协议的超时控制
1 2 3 | Syntax: proxy_protocol_timeout timeout;Default: proxy_protocol_timeout 30s; Context: stream, server |
stream 的proxy_protocol 协议处理流程
配置
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | [root@python vhast]# cat siceng.con stream { error_log logs/stream_error.log debug; server { listen 10002 proxy_protocol; return '10002 server git ip: $remote_addr!\n'; } server { listen 10003 proxy_protocol; return '10003 server git ip: $remote_addr!\n'; } server { #listen 10004; listen 10004 proxy_protocol; return '10004 vars:bytes_received: $bytes_receivedbytes_sent: $bytes_sentproxy_protocol_addr: $proxy_protocol_addrproxy_protocol_port: $proxy_protocol_portremote_addr: $remote_addrremote_port: $remote_portserver_addr: $server_addrserver_port: $server_portsession_time: $session_timestatus : $statusbinary_remote_addr: $binary_remote_addr\n'; }} |
测试
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | [root@python vhast]# telnet 127.0.0.1 10004Trying 127.0.0.1...Connected to 127.0.0.1.Escape character is '^]'.PROXY TCP4 202.112.144.236 10.210.10 5678 80\r\nConnection closed by foreign host. #手动输入后敲回车10004 vars:bytes_received: 0bytes_sent: 0proxy_protocol_addr: 202.112.144.236proxy_protocol_port: 5678remote_addr: 127.0.0.1remote_port: 34224server_addr: 127.0.0.1server_port: 10004session_time: 8.258status : 000binary_remote_addr: Connection closed by foreign host. |
配置
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | [root@python vhast]# cat siceng.con stream { error_log logs/stream_error.log debug; server { listen 10002 proxy_protocol; return '10002 server git ip: $remote_addr!\n'; } server { listen 10003 proxy_protocol; return '10003 server git ip: $remote_addr!\n'; } server { #listen 10004; listen 10004 proxy_protocol; set_real_ip_from 127.0.0.1; return '10004 vars:bytes_received: $bytes_receivedbytes_sent: $bytes_sentproxy_protocol_addr: $proxy_protocol_addrproxy_protocol_port: $proxy_protocol_portremote_addr: $remote_addrremote_port: $remote_portserver_addr: $server_addrserver_port: $server_portsession_time: $session_timestatus : $statusbinary_remote_addr: $binary_remote_addr\n'; }} |
测试
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | [root@python vhast]# telnet 127.0.0.1 10004Trying 127.0.0.1...Connected to 127.0.0.1.Escape character is '^]'.PROXY TCP4 202.112.144.236 10.210.10 5678 80\r\nConnection closed by foreign host.10004 vars:bytes_received: 0bytes_sent: 0proxy_protocol_addr: 202.112.144.236proxy_protocol_port: 5678remote_addr: 202.112.144.236remote_port: 5678server_addr: 127.0.0.1server_port: 10004session_time: 5.803status : 000binary_remote_addr: Connection closed by foreign host. |
四层限制客户端IP0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | [root@python vhast]# cat siceng.con stream { log_format bash '$remote_addr [$time_local]' '$protocol $status $bytes_sent $bytes_received' '$session_time'; error_log logs/stream_error.log debug; access_log logs/siceng.log bash; server { listen 10002 proxy_protocol; return '10002 server git ip: $remote_addr!\n'; } server { listen 10003 proxy_protocol; return '10003 server git ip: $remote_addr!\n'; } server { listen 10004; #listen 10004 proxy_protocol; set_real_ip_from 127.0.0.1; allow 192.168.183.4; deny all; return '10004 vars:bytes_received: $bytes_receivedbytes_sent: $bytes_sentproxy_protocol_addr: $proxy_protocol_addrproxy_protocol_port: $proxy_protocol_portremote_addr: $remote_addrremote_port: $remote_portserver_addr: $server_addrserver_port: $server_portsession_time: $session_timestatus : $statusbinary_remote_addr: $binary_remote_addr\n'; }} |
测试
1 2 3 4 5 6 7 8 | [root@python vhast]# telnet 127.0.0.1 10004Trying 127.0.0.1...Connected to 127.0.0.1.Escape character is '^]'.Connection closed by foreign host.[root@python vhast]# tail -f ../../logs/siceng.log 127.0.0.1 [19/Jul/2019:04:02:03 +0800]TCP 403 0 00.000127.0.0.1 [19/Jul/2019:04:02:53 +0800]TCP 403 0 00.000 |
修改配置
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | [root@python vhast]# cat siceng.con stream { log_format bash '$remote_addr [$time_local]' '$protocol $status $bytes_sent $bytes_received' '$session_time'; error_log logs/stream_error.log debug; access_log logs/siceng.log bash; server { listen 10002 proxy_protocol; return '10002 server git ip: $remote_addr!\n'; } server { listen 10003 proxy_protocol; return '10003 server git ip: $remote_addr!\n'; } server { #listen 10004; listen 10004 proxy_protocol; set_real_ip_from 127.0.0.1; allow 192.168.183.4; deny all; return '10004 vars:bytes_received: $bytes_receivedbytes_sent: $bytes_sentproxy_protocol_addr: $proxy_protocol_addrproxy_protocol_port: $proxy_protocol_portremote_addr: $remote_addrremote_port: $remote_portserver_addr: $server_addrserver_port: $server_portsession_time: $session_timestatus : $statusbinary_remote_addr: $binary_remote_addr\n'; }} |
测试
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | [root@python vhast]# telnet 127.0.0.1 10004Trying 127.0.0.1...Connected to 127.0.0.1.Escape character is '^]'.PROXY TCP4 192.168.183.4 10.210.10 5678 80\r\n10004 vars:bytes_received: 0bytes_sent: 0proxy_protocol_addr: 192.168.183.4proxy_protocol_port: 5678remote_addr: 192.168.183.4remote_port: 5678server_addr: 127.0.0.1server_port: 10004session_time: 12.731status : 000binary_remote_addr: (· Connection closed by foreign host |
四层反代里
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | 上游server { error_log logs/ssl-error.log debug; server_name ""; listen 9001 proxy_protocol; 只处理proxy_protocol请求 location /{ return 200 'hjjjuuyuu\n'; } 四层代理 server { listen 4453; proxy_pass 127.0.0.1:9001; proxy_protocol on; 添加proxy_protocol协议头部 } |
测试
1 2 | [root@python vhast]# curl 127.0.0.1:4453/hjjjuuyuu |
配置
1 2 3 4 5 | server { listen 4453; proxy_pass 127.0.0.1:9001; #proxy_protocol on;} |
测试
1 2 | [root@python vhast]# curl 127.0.0.1:4453/curl: (7) Failed connect to 127.0.0.1:4453; 拒绝连接 |
udp反向代理
1 2 3 4 5 6 7 8 9 | server { listen 4436 udp; proxy_pass 127.0.0.1:9999; proxy_requests 1; proxy_responses 2; proxy_timeout 2s; access_log logs/udp.log bash; #proxy_protocol on;} |
透传IP
草都可以从石头缝隙中长出来更可况你呢
分类:
web
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· Linux系列:如何用heaptrack跟踪.NET程序的非托管内存泄露
· 开发者必知的日志记录最佳实践
· SQL Server 2025 AI相关能力初探
· Linux系列:如何用 C#调用 C方法造成内存泄露
· AI与.NET技术实操系列(二):开始使用ML.NET
· 无需6万激活码!GitHub神秘组织3小时极速复刻Manus,手把手教你使用OpenManus搭建本
· C#/.NET/.NET Core优秀项目和框架2025年2月简报
· 葡萄城 AI 搜索升级:DeepSeek 加持,客户体验更智能
· 什么是nginx的强缓存和协商缓存
· 一文读懂知识蒸馏