需要编译四层（stream）模块
[root@python vhast]# cd ~/nginx-1.15.9/ [root@python nginx-1.15.9]# ./configure --prefix=/data/web --sbin-path=/usr/bin --user=nginx --group=nginx --with-http_stub_status_module --with-http_auth_request_module --with-http_sub_module --add-module=/root/nginx-http-concat --with-http_addition_module --with-http_secure_link_module --with-http_geoip_module --with-http_ssl_module --add-module=/root/ngx_cache_purge --with-http_slice_module --with-http_v2_module --with-stream [root@python nginx-1.15.9]# make [root@python nginx-1.15.9]# mv /usr/bin/nginx{,.07.19.11.53} [root@python nginx-1.15.9]# cp objs/nginx /usr/bin/ [root@python nginx-1.15.9]# cd /data/web/conf/vhast/
stream 模块指令
Syntax: stream { ... } Default: — Context: main Syntax: server { ... } Default: — Context: stream Syntax: listen address:port [ssl] [udp] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]]; Default: — Context: server
传输层相关的变量
return模块
Syntax: return value; Default: — Context: server
修改配置
[root@python vhast]# cat ../nginx.conf #user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } include /data/web/conf/vhast/siceng.con; [root@python vhast]# cat siceng.con stream { error_log logs/stream_error.log debug; server { listen 10002 proxy_protocol; return '10002 server git ip: $remote_addr!\n'; } server { listen 10003 proxy_protocol; return '10003 server git ip: $remote_addr!\n'; } server { listen 10004; #listen 10004 proxy_protocol; return '10004 vars: bytes_received: $bytes_received bytes_sent: $bytes_sent proxy_protocol_addr: $proxy_protocol_addr proxy_protocol_port: $proxy_protocol_port remote_addr: $remote_addr remote_port: $remote_port server_addr: $server_addr server_port: $server_port session_time: $session_time status : $status binary_remote_addr: $binary_remote_addr\n'; } }
测试
[root@python ~]# telnet localhost 10004 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 10004 vars: bytes_received: 0 bytes_sent: 0 proxy_protocol_addr: proxy_protocol_port: remote_addr: 127.0.0.1 remote_port: 34218 server_addr: 127.0.0.1 server_port: 10004 session_time: 0.000 status : 000 binary_remote_addr: Connection closed by foreign host.
proxy_protocol 协议
读取proxy_protocol协议的超时控制
Syntax: proxy_protocol_timeout timeout; Default: proxy_protocol_timeout 30s; Context: stream, server
stream 的proxy_protocol 协议处理流程
配置
[root@python vhast]# cat siceng.con stream { error_log logs/stream_error.log debug; server { listen 10002 proxy_protocol; return '10002 server git ip: $remote_addr!\n'; } server { listen 10003 proxy_protocol; return '10003 server git ip: $remote_addr!\n'; } server { #listen 10004; listen 10004 proxy_protocol; return '10004 vars: bytes_received: $bytes_received bytes_sent: $bytes_sent proxy_protocol_addr: $proxy_protocol_addr proxy_protocol_port: $proxy_protocol_port remote_addr: $remote_addr remote_port: $remote_port server_addr: $server_addr server_port: $server_port session_time: $session_time status : $status binary_remote_addr: $binary_remote_addr\n'; } }
测试
[root@python vhast]# telnet 127.0.0.1 10004 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. PROXY TCP4 202.112.144.236 10.210.10 5678 80\r\nConnection closed by foreign host. #手动输入后敲回车 10004 vars: bytes_received: 0 bytes_sent: 0 proxy_protocol_addr: 202.112.144.236 proxy_protocol_port: 5678 remote_addr: 127.0.0.1 remote_port: 34224 server_addr: 127.0.0.1 server_port: 10004 session_time: 8.258 status : 000 binary_remote_addr: Connection closed by foreign host.
配置
[root@python vhast]# cat siceng.con stream { error_log logs/stream_error.log debug; server { listen 10002 proxy_protocol; return '10002 server git ip: $remote_addr!\n'; } server { listen 10003 proxy_protocol; return '10003 server git ip: $remote_addr!\n'; } server { #listen 10004; listen 10004 proxy_protocol; set_real_ip_from 127.0.0.1; return '10004 vars: bytes_received: $bytes_received bytes_sent: $bytes_sent proxy_protocol_addr: $proxy_protocol_addr proxy_protocol_port: $proxy_protocol_port remote_addr: $remote_addr remote_port: $remote_port server_addr: $server_addr server_port: $server_port session_time: $session_time status : $status binary_remote_addr: $binary_remote_addr\n'; } }
测试
[root@python vhast]# telnet 127.0.0.1 10004 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. PROXY TCP4 202.112.144.236 10.210.10 5678 80\r\nConnection closed by foreign host. 10004 vars: bytes_received: 0 bytes_sent: 0 proxy_protocol_addr: 202.112.144.236 proxy_protocol_port: 5678 remote_addr: 202.112.144.236 remote_port: 5678 server_addr: 127.0.0.1 server_port: 10004 session_time: 5.803 status : 000 binary_remote_addr: Connection closed by foreign host.
四层限制客户端IP
[root@python vhast]# cat siceng.con stream { log_format bash '$remote_addr [$time_local]' '$protocol $status $bytes_sent $bytes_received' '$session_time'; error_log logs/stream_error.log debug; access_log logs/siceng.log bash; server { listen 10002 proxy_protocol; return '10002 server git ip: $remote_addr!\n'; } server { listen 10003 proxy_protocol; return '10003 server git ip: $remote_addr!\n'; } server { listen 10004; #listen 10004 proxy_protocol; set_real_ip_from 127.0.0.1; allow 192.168.183.4; deny all; return '10004 vars: bytes_received: $bytes_received bytes_sent: $bytes_sent proxy_protocol_addr: $proxy_protocol_addr proxy_protocol_port: $proxy_protocol_port remote_addr: $remote_addr remote_port: $remote_port server_addr: $server_addr server_port: $server_port session_time: $session_time status : $status binary_remote_addr: $binary_remote_addr\n'; } }
测试
[root@python vhast]# telnet 127.0.0.1 10004 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Connection closed by foreign host. [root@python vhast]# tail -f ../../logs/siceng.log 127.0.0.1 [19/Jul/2019:04:02:03 +0800]TCP 403 0 00.000 127.0.0.1 [19/Jul/2019:04:02:53 +0800]TCP 403 0 00.000
修改配置
[root@python vhast]# cat siceng.con stream { log_format bash '$remote_addr [$time_local]' '$protocol $status $bytes_sent $bytes_received' '$session_time'; error_log logs/stream_error.log debug; access_log logs/siceng.log bash; server { listen 10002 proxy_protocol; return '10002 server git ip: $remote_addr!\n'; } server { listen 10003 proxy_protocol; return '10003 server git ip: $remote_addr!\n'; } server { #listen 10004; listen 10004 proxy_protocol; set_real_ip_from 127.0.0.1; allow 192.168.183.4; deny all; return '10004 vars: bytes_received: $bytes_received bytes_sent: $bytes_sent proxy_protocol_addr: $proxy_protocol_addr proxy_protocol_port: $proxy_protocol_port remote_addr: $remote_addr remote_port: $remote_port server_addr: $server_addr server_port: $server_port session_time: $session_time status : $status binary_remote_addr: $binary_remote_addr\n'; } }
测试（注意下面的结果：客户端在 127.0.0.1 上手动输入一行 PROXY 头，remote_addr 就变成了 192.168.183.4 并通过了 allow 检查。原因是 set_real_ip_from 信任了 127.0.0.1，此时 allow/deny 的依据完全来自客户端自己提交的 PROXY 头。生产环境中 set_real_ip_from 只应列出真实的前置代理地址，并且开启 proxy_protocol 的监听端口不能直接暴露给客户端）
[root@python vhast]# telnet 127.0.0.1 10004 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. PROXY TCP4 192.168.183.4 10.210.10 5678 80\r\n 10004 vars: bytes_received: 0 bytes_sent: 0 proxy_protocol_addr: 192.168.183.4 proxy_protocol_port: 5678 remote_addr: 192.168.183.4 remote_port: 5678 server_addr: 127.0.0.1 server_port: 10004 session_time: 12.731 status : 000 binary_remote_addr: (· Connection closed by foreign host
四层反代中使用 proxy_protocol
上游 server { error_log logs/ssl-error.log debug; server_name ""; listen 9001 proxy_protocol; 只处理proxy_protocol请求 location /{ return 200 'hjjjuuyuu\n'; } 四层代理 server { listen 4453; proxy_pass 127.0.0.1:9001; proxy_protocol on; 添加proxy_protocol协议头部 }
测试
[root@python vhast]# curl 127.0.0.1:4453/ hjjjuuyuu
配置
server { listen 4453; proxy_pass 127.0.0.1:9001; #proxy_protocol on; }
测试
[root@python vhast]# curl 127.0.0.1:4453/ curl: (7) Failed connect to 127.0.0.1:4453; 拒绝连接
udp反向代理
server { listen 4436 udp; proxy_pass 127.0.0.1:9999; proxy_requests 1; proxy_responses 2; proxy_timeout 2s; access_log logs/udp.log bash; #proxy_protocol on; }
透传IP