概述:“The ngx_stream_core_module module is available since version 1.9.0. This module is not built by default, it should be enabled with the --with-stream configuration parameter.” 这是官方文档的说明:nginx 从 1.9.0 开始支持 tcp 模式的代理,我们只需要在编译时加上 --with-stream 参数即可,该参数默认是关闭的。下面在 centos7 下演示,实现 tcp 443 端口代理 http 非 80 端口的 ssl 配置。1、首先我们需要安装系统中正则(pcre)和 ssl(openssl)支持所需的开发库,如下:
# pcre-devel supplies the regex library nginx links against; openssl-devel
# is required for --with-http_ssl_module (and for TLS support in general).
#yum install -y openssl-devel pcre-devel
2、例如这样编译安装:
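# Build nginx 1.18.0 from source (run as root). The install prefix below is
# /usr/local/nginx, so the binary ends up at /usr/local/nginx/sbin/nginx.
cd /usr/local/src/
tar -zxvf nginx-1.18.0.tar.gz
# Service account for the worker processes: a system user with no login
# shell, so the account cannot be used interactively (least privilege).
useradd -r -s /sbin/nologin nginx
# ./configure lives in the extracted source tree, not in /usr/local/src.
cd nginx-1.18.0
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-stream --with-http_v2_module --with-http_sub_module --with-http_gunzip_module --with-http_realip_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_ssl_module
make && make install
# Verify the build: "configure arguments" in the output must list
# --with-stream and --with-http_ssl_module, otherwise the stream{} and
# ssl directives below will be rejected at startup.
/usr/local/nginx/sbin/nginx -V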
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-stream --with-http_v2_module --with-http_sub_module --with-http_gunzip_module --with-http_realip_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-http_ssl_module
3、tcp代理的配置与使用,我们需要注意:stream 与 http 都是 nginx.conf 最外层(main 上下文)里的同级配置段,所以二者不能相互包含,只能并列、各自独立存在。
http {
......
}
# stream is a top-level context, a sibling of http (never nested inside it).
# This is a layer-4 (TCP) passthrough: TLS is not terminated here, it ends on
# the 8888 listeners of the backend servers.
stream {
# Backend pool. least_conn hands each new connection to the backend with the
# fewest active connections; the equal weights express no preference.
upstream tcp_proxy0102{
least_conn;
server 172.1.1.245:8888 weight=5;
server 172.1.1.246:8888 weight=5;
}
server {
# NOTE(review): the backends on 8888 are TLS listeners (see the server block
# in step 4), so plaintext accepted on 80 is forwarded to a port that expects
# TLS — confirm that 80 is intended here, and that no http{} server listens on
# the same address:port (a stream and an http listener cannot share one).
# so_keepalive=on enables TCP keepalive probes on the accepted sockets.
listen 80 so_keepalive=on;
listen 443;
# Source-address filter, evaluated in order with first match winning, so
# "deny all" must remain last. Each /8 admits about 16 million addresses —
# review whether ranges that broad are really intended for this service.
allow 47.0.0.0/8;
allow 8.0.0.0/8;
allow 172.16.0.0/16;
allow 1.5.2.28/32;
deny all;
# Time allowed to establish the connection to the chosen backend.
proxy_connect_timeout 5s;
# Idle timeout between two successive reads/writes on either side; at 5s any
# TLS session that goes quiet for five seconds is torn down (default is 10m).
proxy_timeout 5s;
proxy_pass tcp_proxy0102;
}
}
4、http 段中 server 块非 80 端口 ssl 的配置(即上面 stream 段转发到的 8888 端口)
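# TLS endpoint on 8888 that the stream{} passthrough above forwards to; it
# terminates the client's TLS and re-proxies over HTTPS to tech.xinyuer.cn.
server {
    listen 8888 ssl;
    server_name 1.xinyuer.cn;
    error_log /var/log/nginx/1.xinyuer.cn-er.log;
    access_log /var/log/nginx/1.xinyuer.cn-ac.log;
    ssl_certificate /usr/local/nginx/ssl/1.pem;
    ssl_certificate_key /usr/local/nginx/ssl/1.key;
    ssl_prefer_server_ciphers on;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2 is offered.
    # Add TLSv1.3 once nginx is built against OpenSSL 1.1.1 or later (the
    # build in step 2 uses OpenSSL 1.0.2k, which has no TLS 1.3 support).
    ssl_protocols TLSv1.2;
    # The previous list mixed non-existent suite names (e.g. *-SHA128,
    # AES128-GCM-SHA384), which OpenSSL silently drops, with 3DES suites
    # (DES-CBC3-SHA; note "!DES" excludes only single DES, not 3DES) and the
    # catch-all HIGH group. Only forward-secret AEAD ECDHE suites are kept.
    # DHE suites are omitted: nginx (since 1.11.0) does not use them unless
    # ssl_dhparam is configured, so listing them here had no effect.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
    # Restricts key exchange to the P-384 curve; prime256v1 is more widely
    # supported if interoperability problems show up.
    ssl_ecdh_curve secp384r1;
    # Send SNI to the upstream (defaults to $proxy_host, i.e. tech.xinyuer.cn).
    # NOTE(review): the upstream certificate is NOT verified by default; add
    # proxy_ssl_verify on together with proxy_ssl_trusted_certificate pointing
    # at the CA bundle for tech.xinyuer.cn to prevent upstream impersonation.
    proxy_ssl_server_name on;
    location / {
        proxy_pass https://tech.xinyuer.cn;
        # Host is forwarded as the client sent it (1.xinyuer.cn) while SNI is
        # tech.xinyuer.cn — confirm the upstream routes that Host correctly.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to any incoming
        # X-Forwarded-For. The earlier $http_x_forwarded_for only relayed the
        # client-supplied header, so the backend saw no peer address when the
        # header was absent and a client-controlled value when it was present.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}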

