nginx reverse proxy with support for decrypting HTTPS

References:
https://www.v2ex.com/t/341913
https://zimiao.moe/posts/7056/
https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
Version requirement: > 1.11.5

```bash
wget https://nginx.org/download/nginx-1.14.2.tar.gz
apt-get install libpcre3 libpcre3-dev
```
Minimal required configuration

```bash
./configure --prefix=/usr/local/nginx --user=www-data --group=www-data \
    --with-http_ssl_module --with-http_stub_status_module \
    --with-http_gzip_static_module --with-http_v2_module \
    --with-stream --with-stream_ssl_preread_module --with-stream_ssl_module
```
Configuration based on the Debian repository build

```bash
./configure --prefix=/usr/local/nginx --user=www-data --group=www-data \
    --with-compat --with-file-aio --with-threads \
    --with-http_addition_module --with-http_auth_request_module \
    --with-http_dav_module --with-http_flv_module --with-http_gunzip_module \
    --with-http_gzip_static_module --with-http_mp4_module \
    --with-http_random_index_module --with-http_realip_module \
    --with-http_secure_link_module --with-http_slice_module \
    --with-http_ssl_module --with-http_stub_status_module \
    --with-http_sub_module --with-http_v2_module \
    --with-mail --with-mail_ssl_module \
    --with-stream --with-stream_realip_module --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock
make
make install
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
```
/etc/systemd/system/nginx.service

```ini
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target
```
nginx.conf

```nginx
stream {
    # Choose the upstream from the server name read out of the TLS ClientHello.
    # There is no default entry, so unlisted names leave $name empty.
    map $ssl_preread_server_name $name {
        launcher-website-prod07.ol.epicgames.com backend;
        # myip.ipip.net backend2;
    }
    upstream backend {
        server 212.64.116.144:443;
        # server 192.168.0.2:12345;
    }
    # upstream backend2 {
    #     server 192.168.0.3:12345;
    #     server 192.168.0.4:12345;
    # }
    server {
        listen 443;
        proxy_pass $name;
        ssl_preread on;
        resolver 8.8.8.8;
        # proxy_pass $ssl_preread_server_name:$server_port;
    }
}
```
Forwarding with iptables

https://www.cnblogs.com/davidwang456/p/3540837.html

```bash
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
```
Obsolete:

https://blog.csdn.net/zyjcxc/article/details/78149130
http://www.mamicode.com/info-detail-1305140.html
https://blog.csdn.net/qq_32642039/article/details/78696119
https://github.com/chobits/ngx_http_proxy_connect_module

```bash
apt-get install libpcre3 libpcre3-dev openssl libssl-dev
git clone https://github.com/chobits/ngx_http_proxy_connect_module.git
wget http://nginx.org/download/nginx-1.8.1.tar.gz
tar -xzvf nginx-1.8.1.tar.gz
cd nginx-1.8.1/
patch -p1 < /root/ngx_http_proxy_connect_module/patch/proxy_connect.patch
./configure --prefix=/usr/local/nginx --with-http_ssl_module \
    --with-http_stub_status_module --with-http_gzip_static_module \
    --add-module=/root/ngx_http_proxy_connect_module
```