nginx 的四层代理

需要编译四层模块

[root@python vhast]# cd ~/nginx-1.15.9/
[root@python nginx-1.15.9]# ./configure --prefix=/data/web --sbin-path=/usr/bin --user=nginx --group=nginx --with-http_stub_status_module --with-http_auth_request_module --with-http_sub_module --add-module=/root/nginx-http-concat --with-http_addition_module --with-http_secure_link_module --with-http_geoip_module  --with-http_ssl_module  --add-module=/root/ngx_cache_purge  --with-http_slice_module   --with-http_v2_module  --with-stream
[root@python nginx-1.15.9]# make
[root@python nginx-1.15.9]# mv /usr/bin/nginx{,.07.19.11.53}
[root@python nginx-1.15.9]# cp objs/nginx /usr/bin/
[root@python nginx-1.15.9]# cd /data/web/conf/vhast/  

     模块

Syntax: stream { ... }
Default: —
Context: main


Syntax: server { ... }
Default: —
Context: stream


Syntax: listen address:port [ssl] [udp] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size] 
[bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
Default: —
Context: server

  传输层相关的变量

return模块
Syntax: return value;
Default: —
Context: server

修改配置

[root@python vhast]# cat ../nginx.conf

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


    include  /data/web/conf/vhast/siceng.con;  


[root@python vhast]# cat siceng.con 
stream {	
	error_log logs/stream_error.log debug;
	server {
		listen 10002 proxy_protocol;
		return '10002 server git ip: $remote_addr!\n';
	}
	server {
		listen 10003 proxy_protocol;
		return '10003 server git ip: $remote_addr!\n';
	}
	server {
		listen 10004;
		#listen 10004 proxy_protocol;
		return '10004  vars:
bytes_received: $bytes_received
bytes_sent: $bytes_sent
proxy_protocol_addr: $proxy_protocol_addr
proxy_protocol_port: $proxy_protocol_port
remote_addr: $remote_addr
remote_port: $remote_port
server_addr: $server_addr
server_port: $server_port
session_time: $session_time
status : $status
binary_remote_addr: $binary_remote_addr\n';
	}

}

  测试

[root@python ~]# telnet localhost 10004
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
10004  vars:
bytes_received: 0
bytes_sent: 0
proxy_protocol_addr: 
proxy_protocol_port: 
remote_addr: 127.0.0.1
remote_port: 34218
server_addr: 127.0.0.1
server_port: 10004
session_time: 0.000
status : 000
binary_remote_addr: 
Connection closed by foreign host.

  

proxy_protocol 协议
 

读取proxy_protocol协议的超时控制

 
Syntax: proxy_protocol_timeout timeout;
Default: proxy_protocol_timeout 30s; 
Context: stream, server

stream 的proxy_protocol 协议处理流程

配置

[root@python vhast]# cat siceng.con 
stream {	
	error_log logs/stream_error.log debug;
	server {
		listen 10002 proxy_protocol;
		return '10002 server git ip: $remote_addr!\n';
	}
	server {
		listen 10003 proxy_protocol;
		return '10003 server git ip: $remote_addr!\n';
	}
	server {
		#listen 10004;
		listen 10004 proxy_protocol;
		return '10004  vars:
bytes_received: $bytes_received
bytes_sent: $bytes_sent
proxy_protocol_addr: $proxy_protocol_addr
proxy_protocol_port: $proxy_protocol_port
remote_addr: $remote_addr
remote_port: $remote_port
server_addr: $server_addr
server_port: $server_port
session_time: $session_time
status : $status
binary_remote_addr: $binary_remote_addr\n';
	}

}

  测试

[root@python vhast]# telnet 127.0.0.1 10004
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
PROXY TCP4 202.112.144.236 10.210.10 5678 80\r\nConnection closed by foreign host.  #手动输入后敲回车
10004  vars:
bytes_received: 0
bytes_sent: 0
proxy_protocol_addr: 202.112.144.236
proxy_protocol_port: 5678
remote_addr: 127.0.0.1
remote_port: 34224
server_addr: 127.0.0.1
server_port: 10004
session_time: 8.258
status : 000
binary_remote_addr: 
Connection closed by foreign host.

  配置

[root@python vhast]# cat siceng.con 
stream {	
	error_log logs/stream_error.log debug;
	server {
		listen 10002 proxy_protocol;
		return '10002 server git ip: $remote_addr!\n';
	}
	server {
		listen 10003 proxy_protocol;
		return '10003 server git ip: $remote_addr!\n';
	}
	server {
		#listen 10004;
		listen 10004 proxy_protocol;
		set_real_ip_from 127.0.0.1;
		return '10004  vars:
bytes_received: $bytes_received
bytes_sent: $bytes_sent
proxy_protocol_addr: $proxy_protocol_addr
proxy_protocol_port: $proxy_protocol_port
remote_addr: $remote_addr
remote_port: $remote_port
server_addr: $server_addr
server_port: $server_port
session_time: $session_time
status : $status
binary_remote_addr: $binary_remote_addr\n';
	}

}

  测试

 

[root@python vhast]# telnet 127.0.0.1 10004
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
PROXY TCP4 202.112.144.236 10.210.10 5678 80\r\nConnection closed by foreign host.
10004  vars:
bytes_received: 0
bytes_sent: 0
proxy_protocol_addr: 202.112.144.236
proxy_protocol_port: 5678
remote_addr: 202.112.144.236
remote_port: 5678
server_addr: 127.0.0.1
server_port: 10004
session_time: 5.803
status : 000
binary_remote_addr: 
Connection closed by foreign host.

  四层限制客户端IP0

[root@python vhast]# cat siceng.con 
stream {	
	log_format bash '$remote_addr [$time_local]'
		'$protocol $status $bytes_sent $bytes_received'
		'$session_time';
	error_log logs/stream_error.log debug;
	access_log logs/siceng.log bash;
	
	server {
		listen 10002 proxy_protocol;
		return '10002 server git ip: $remote_addr!\n';
	}
	server {
		listen 10003 proxy_protocol;
		return '10003 server git ip: $remote_addr!\n';
	}
	server {
		listen 10004;
		#listen 10004 proxy_protocol;
		set_real_ip_from 127.0.0.1;
		allow 192.168.183.4;
		deny all;
		return '10004  vars:
bytes_received: $bytes_received
bytes_sent: $bytes_sent
proxy_protocol_addr: $proxy_protocol_addr
proxy_protocol_port: $proxy_protocol_port
remote_addr: $remote_addr
remote_port: $remote_port
server_addr: $server_addr
server_port: $server_port
session_time: $session_time
status : $status
binary_remote_addr: $binary_remote_addr\n';
	}

}

  测试

[root@python vhast]# telnet  127.0.0.1 10004
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
[root@python vhast]# tail -f ../../logs/siceng.log 
127.0.0.1 [19/Jul/2019:04:02:03 +0800]TCP 403 0 00.000
127.0.0.1 [19/Jul/2019:04:02:53 +0800]TCP 403 0 00.000

  修改配置

[root@python vhast]# cat siceng.con 
stream {	
	log_format bash '$remote_addr [$time_local]'
		'$protocol $status $bytes_sent $bytes_received'
		'$session_time';
	error_log logs/stream_error.log debug;
	access_log logs/siceng.log bash;
	
	server {
		listen 10002 proxy_protocol;
		return '10002 server git ip: $remote_addr!\n';
	}
	server {
		listen 10003 proxy_protocol;
		return '10003 server git ip: $remote_addr!\n';
	}
	server {
		#listen 10004;
		listen 10004 proxy_protocol;
		set_real_ip_from 127.0.0.1;
		allow 192.168.183.4;
		deny all;
		return '10004  vars:
bytes_received: $bytes_received
bytes_sent: $bytes_sent
proxy_protocol_addr: $proxy_protocol_addr
proxy_protocol_port: $proxy_protocol_port
remote_addr: $remote_addr
remote_port: $remote_port
server_addr: $server_addr
server_port: $server_port
session_time: $session_time
status : $status
binary_remote_addr: $binary_remote_addr\n';
	}

}

  测试

[root@python vhast]# telnet  127.0.0.1 10004
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
PROXY TCP4 192.168.183.4 10.210.10 5678 80\r\n
10004  vars:
bytes_received: 0
bytes_sent: 0
proxy_protocol_addr: 192.168.183.4
proxy_protocol_port: 5678
remote_addr: 192.168.183.4
remote_port: 5678
server_addr: 127.0.0.1
server_port: 10004
session_time: 12.731
status : 000
binary_remote_addr: (· 
Connection closed by foreign host

  四层反代里

上游
server {
	error_log logs/ssl-error.log debug;
	server_name "";
	listen 9001 proxy_protocol;  只处理proxy_protocol请求
	location /{
		return 200 'hjjjuuyuu\n';
	}
   四层代理
	server {
		listen 4453;
		proxy_pass 127.0.0.1:9001;
		proxy_protocol on;  添加proxy_protocol协议头部
	}

  测试

[root@python vhast]# curl 127.0.0.1:4453/
hjjjuuyuu

  配置

	server {
		listen 4453;
		proxy_pass 127.0.0.1:9001;
		#proxy_protocol on;
	}

  测试

[root@python vhast]# curl 127.0.0.1:4453/
curl: (7) Failed connect to 127.0.0.1:4453; 拒绝连接

  udp反向代理

	server {
		listen 4436 udp;
		proxy_pass 127.0.0.1:9999;
		proxy_requests 1;
		proxy_responses 2;
		proxy_timeout 2s;
		access_log logs/udp.log bash;
		#proxy_protocol on;
	}

  透传IP

 

 

 

 

 

 

  

 

 

 

 

 
posted @ 2019-07-19 18:36  烟雨楼台,行云流水  阅读(3393)  评论(0编辑  收藏  举报