Implementing an SSL Forward Proxy with the Nginx ngx_http_proxy_connect_module


A project of mine needed an HTTPS forward proxy. The official nginx modules only support plain HTTP forward proxying; the third-party ngx_http_proxy_connect_module adds the CONNECT method, which lets nginx act as a tunnelling proxy for SSL/TLS requests.

For background on how forward proxying works, see the following article:

Nginx 反向代理与正向代理 (Nginx reverse proxy vs. forward proxy)

Module repository: http://www.github.com/chobits/ngx_http_proxy_connect_module

Nginx versions supported by the module, as of 2023-04-14 (each nginx range needs the matching patch file from the module's patch/ directory):

nginx version      enable REWRITE phase   patch
1.4.x ~ 1.12.x     NO                     proxy_connect.patch
1.4.x ~ 1.12.x     YES                    proxy_connect_rewrite.patch
1.13.x ~ 1.14.x    NO                     proxy_connect_1014.patch
1.13.x ~ 1.14.x    YES                    proxy_connect_rewrite_1014.patch
1.15.2             YES                    proxy_connect_rewrite_1015.patch
1.15.4 ~ 1.16.x    YES                    proxy_connect_rewrite_101504.patch
1.17.x ~ 1.18.x    YES                    proxy_connect_rewrite_1018.patch
1.19.x ~ 1.21.0    YES                    proxy_connect_rewrite_1018.patch
1.21.1 ~ 1.22.x    YES                    proxy_connect_rewrite_102101.patch
1.23.x ~ 1.24.0    YES                    proxy_connect_rewrite_102101.patch

Download the module

For nginx 1.22.1 the patch file to use is proxy_connect_rewrite_102101.patch.

wget https://d.frps.cn/file/tools/nginx/model/ngx_http_proxy_connect_module.tar.gz
[root@web-03 ~]# tar xf ngx_http_proxy_connect_module.tar.gz   # extract the module

Install Nginx

# Fetch the nginx source and the OpenSSL, PCRE and zlib sources it will be built against
NGINX_VERSION="nginx-1.22.1"

for i in openssl-1.1.1t pcre-8.45 zlib-1.2.13; do
    wget https://d.frps.cn/file/tools/nginx/${i}.tar.gz
done
wget https://d.frps.cn/file/tools/nginx/${NGINX_VERSION}.tar.gz

# Unpack the three dependencies into /usr/local/src (the paths used by ./configure below)
for i in openssl-1.1.1t pcre-8.45 zlib-1.2.13; do
    tar zxvf ${i}.tar.gz -C /usr/local/src
done

# Unprivileged service account for the worker processes
useradd nginx -s /sbin/nologin -M

Install the patch command

[root@web-03 nginx-1.22.1]# yum install -y patch

Enter the Nginx source directory and apply the patch

[root@web-03 ~]# tar xf nginx-1.22.1.tar.gz
[root@web-03 nginx-1.22.1]# patch -p1 < /root/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_102101.patch
patching file src/http/ngx_http_core_module.c
patching file src/http/ngx_http_parse.c
patching file src/http/ngx_http_request.c
patching file src/http/ngx_http_request.h
patching file src/http/ngx_http_variables.c

# The path after "patch -p1 <" must be an absolute path to the patch file.

Configure and build

./configure --prefix=/opt/nginx-1.22 --with-openssl=/usr/local/src/openssl-1.1.1t --with-pcre=/usr/local/src/pcre-8.45 --with-zlib=/usr/local/src/zlib-1.2.13 --with-http_ssl_module --with-http_stub_status_module --with-stream --with-http_gzip_static_module --add-module=/root/ngx_http_proxy_connect_module

# Compile and install
make && make install

# --add-module=/root/ngx_http_proxy_connect_module is the directory of the extracted module (make sure it points at the right directory!)

Check the installation

[root@web-03 nginx-1.22.1]# /opt/nginx-1.22/sbin/nginx -V
nginx version: nginx/1.22.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.1.1t  7 Feb 2023
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx-1.22 --with-openssl=/usr/local/src/openssl-1.1.1t --with-pcre=/usr/local/src/pcre-8.45 --with-zlib=/usr/local/src/zlib-1.2.13 --with-http_ssl_module --with-http_stub_status_module --with-stream --with-http_stub_status_module --with-http_gzip_static_module --add-module=/root/ngx_http_proxy_connect_module

Modify the Nginx configuration file

server {
    resolver 114.114.114.114;               # DNS resolver used to look up the CONNECT target
    resolver_timeout 30s;
    listen 80;
    proxy_connect;                          # enable the HTTP CONNECT method
    proxy_connect_allow            443 80;  # list of ports (or ranges) the CONNECT method may connect to
    proxy_connect_connect_timeout  20s;     # timeout for establishing the connection from the proxy to the target server
    proxy_connect_read_timeout     20s;     # timeout for reading a response from the target server
    proxy_connect_send_timeout     20s;     # timeout for sending the request to the target server

    location / {
        # plain-HTTP forward proxying for non-CONNECT requests
        proxy_pass $scheme://$http_host$request_uri;
    }
}
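The server block above accepts CONNECT from any client that can reach port 80, which makes the host an open relay to any 443/80 endpoint the box can route to. The following is an added example (not from the original post or the module's own documentation) of a hardened variant. The addresses 10.0.0.5, 10.0.0.0/8 and 10.0.0.53 and the port 3128 are placeholders for your own network; the proxy_connect_* directives and the $connect_host/$connect_port/$connect_addr variables are the module's, allow/deny and log_format are stock nginx. It assumes that, with the rewrite patch applied as above, CONNECT requests pass through nginx's access phase so that allow/deny applies to them; that assumption is what the verification step below checks.

```nginx
# Added example: hardened forward-proxy server block (placeholder addresses and port).

# Log which client tunnelled to which host:port and which address it resolved to,
# so the proxy's use can be audited (variables provided by the module).
log_format proxy_connect '$remote_addr [$time_local] "$request" $status '
                         'connect=$connect_host:$connect_port -> $connect_addr';

server {
    # Bind only to the internal interface, never 0.0.0.0, so the proxy is not
    # reachable from outside the network.
    listen 10.0.0.5:3128;

    # Resolve CONNECT targets through an internal resolver (placeholder address)
    # and cache answers briefly instead of the resolver's TTL.
    resolver 10.0.0.53 valid=300s;
    resolver_timeout 5s;

    # Client allow-list (ngx_http_access_module); everything else receives 403.
    allow 10.0.0.0/8;
    deny  all;

    proxy_connect;
    # Tunnel only to TLS on 443. CONNECT to 80 or any other port is refused by the
    # module with 403, so the tunnel cannot be used to reach SSH, SMTP and so on.
    proxy_connect_allow            443;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     60s;
    proxy_connect_send_timeout     60s;

    access_log /opt/nginx-1.22/logs/proxy_connect.log proxy_connect;

    # Plain-HTTP forward proxying for the same clients; allow/deny above is
    # inherited by this location, so the same client restriction applies here.
    location / {
        proxy_pass $scheme://$http_host$request_uri;
        proxy_set_header Host $http_host;
    }
}
```

To verify the access control, run `curl -x http://10.0.0.5:3128 -sv https://www.baidu.com -o /dev/null` from a host outside 10.0.0.0/8 and from one inside it: the outside host should see the CONNECT answered with 403 instead of "200 Connection Established", and an allowed host issuing `curl -x http://10.0.0.5:3128 -sv http://www.baidu.com` still works while a CONNECT to any port other than 443 (for example via `curl -p -x http://10.0.0.5:3128 http://www.baidu.com`) is refused with 403. If the outside host gets a 200, the allow/deny assumption does not hold for your build and the restriction has to be enforced in front of nginx (firewall) instead.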

Point the local shell at the proxy

[root@web-03 conf]# export http_proxy=http://127.0.0.1:80/
[root@web-03 conf]# export https_proxy=https://127.0.0.1:80/

Note: the curl 7.29 used here ignores the scheme in the proxy URL, so https://127.0.0.1:80/ is treated as a plain-HTTP proxy. curl 7.52.0 and later interprets an https:// proxy URL as "speak TLS to the proxy itself", which fails against this plain-HTTP listener; on newer curl set https_proxy=http://127.0.0.1:80/ as well.

Test the proxy

[root@web-03 conf]# curl https://www.baidu.com -svo /dev/null
* About to connect() to proxy 127.0.0.1 port 80 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
* Establish HTTP proxy tunnel to www.baidu.com:443
> CONNECT www.baidu.com:443 HTTP/1.1
> Host: www.baidu.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection Established
< Proxy-agent: nginx
< 
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
*       start date: Jul 05 05:16:02 2022 GMT
*       expire date: Aug 06 05:16:01 2023 GMT
*       common name: baidu.com
*       issuer: CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BE
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 2443
< Content-Type: text/html
< Date: Fri, 14 Apr 2023 05:54:45 GMT
< Etag: "588603e2-98b"
< Last-Modified: Mon, 23 Jan 2017 13:23:46 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
< 
{ [data not shown]
* Connection #0 to host 127.0.0.1 left intact

From the details printed by the -v flag above, you can see that the client first establishes an HTTP CONNECT tunnel to the proxy server at 127.0.0.1; once the proxy replies "HTTP/1.1 200 Connection Established", the TLS/SSL handshake and the encrypted traffic flow through the tunnel end to end, with the client (not the proxy) verifying the server certificate.
