searchusermenu
  • 发布文章
  • 消息中心
点赞
收藏
评论
分享
原创

Nginx之stream模块透明代理实践

2023-08-24 12:16:04
208
0
  • Nginx编译安装

下载最新的nginx源码

nginx官网下载nginx-1.24.0.tar.gz

解压 tar zxvf nginx-1.24.0.tar.gz

下载最新的安装nginx依赖

yum -y install gcc zlib zlib-devel pcre-devel openssl openssl-devel

进入编译安装目录

cd nginx-1.24.0

./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-stream

make && make install

  • Nginx配置

配置内核

# grep "TPROXY" /boot/config-`uname -r`

CONFIG_NETFILTER_XT_TARGET_TPROXY=m

 

临时添加

# sysctl -w net.ipv4.ip_forward=1

# sysctl -w net.ipv4.ip_nonlocal_bind=1

永久添加

vi /etc/sysctl.conf

新增如下两行

net.ipv4.ip_forward=1

net.ipv4.ip_nonlocal_bind=1

 

配置nginx 的策略路由:

iptables -F

iptables -F -t mangle

iptables -t mangle -A PREROUTING -p tcp --sport 10018 -j MARK --set-mark 1

ip rule add fwmark 1 lookup 100

ip route flush table 100

ip route add local 0.0.0.0/0 dev lo table 100

添加到 vi /etc/rc.d/init.d/network 的exit $rc前面 使其永久生效

 

Nginx的配置文件:

#配置work的进程数量,最好把这个值设置成CPU核数

worker_processes  4;

 

#配置Nginx worker进程最大打开文件数,最好与ulimit -n的值保持一致

worker_rlimit_nofile 65536;

 

events {

    #单个进程允许的客户端最大连接数

    worker_connections 65536;

}

 

 

http {

  upstream http-sdwan {

    server 192.168.1.3:8181;

    server 192.168.1.4:8181;

  }

 

  server {

    listen       8181;

    server_name  192.168.1.44;

 

    access_log   /var/log/nginx/access_neimeng_sdwan.log;

    error_log   /var/log/nginx/error_neimeng_sdwan.log;

    proxy_connect_timeout 600;

    proxy_send_timeout 600;

    proxy_read_timeout 600;

 

    location / {

        proxy_set_header X-Forwarded-Host $host;

        proxy_set_header X-Forwarded-Server $host;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://http-sdwan;

        proxy_buffer_size 1024k;

        proxy_buffers 8 1024k;

        proxy_busy_buffers_size 1024k;

        proxy_temp_file_write_size 1024k;

        proxy_max_temp_file_size 0;

        proxy_intercept_errors on;

 

    }

 

  }

}

 

stream {

    upstream callhome {

        server 192.168.1.3:10018 max_fails=3 fail_timeout=30s;

        server 192.168.1.4:10018 max_fails=3 fail_timeout=30s;

    }

    server {

        listen 8008;

        proxy_pass callhome;

        proxy_bind $remote_addr transparent;

        proxy_connect_timeout 2s;

        proxy_timeout 900s;

    }

}

 

keepalived配置

 

! Configuration File for keepalived

 

global_defs {

    router_id 192.168.1.120

}

 

vrrp_script chk_nginx {

  script "/etc/keepalived/check_odl.sh 8008"

  interval 2

  weight 0

}

 

vrrp_instance VI_1 {

    state BACKUP

    interface ens192

    virtual_router_id 201

    priority 100

    advert_int 1

    mcast_src_ip 192.168.1.120

    # 设置为非抢占模式

    nopreempt

    authentication {

        auth_type PASS

        auth_pass 10002000

    }

    track_script {

       chk_nginx

    }

    virtual_ipaddress {

        192.168.1.44

    }

}

 

check_odl.sh

#!/bin/sh

CHK_PORT=$1

if [ -n "$CHK_PORT" ];then

  PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`

  if [ $PORT_PROCESS -eq 0 ];then

    echo "Port $CHK_PORT Is Not Used,End."

    exit 1

  fi

else

  echo "Check Port Cant Be Empty!"

fi

 

后端服务器配置策略路由

添加到 vi /etc/rc.d/init.d/network 的exit $rc前面 使其永久生效

#后端服务器192.168.1.3设置

iptables -t mangle -A OUTPUT -p tcp --src 192.168.1.3 –sport 8008-j MARK --set-xmark 1

ip rule add fwmark 1 lookup 100

ip route add default via 192.168.1.10 table 100

#后端服务器192.168.1.4设置

iptables -t mangle -A OUTPUT -p tcp --src 192.168.1.4 --sport 8008 -j MARK --set-xmark 1

ip rule add fwmark 1 lookup 100

ip route add default via 192.168.1.10 table 100

0条评论
0 / 1000
h****n
2文章数
0粉丝数
h****n
2 文章 | 0 粉丝
h****n
2文章数
0粉丝数
h****n
2 文章 | 0 粉丝
原创

Nginx之stream模块透明代理实践

2023-08-24 12:16:04
208
0
  • Nginx编译安装

下载最新的nginx源码

nginx官网下载nginx-1.24.0.tar.gz

解压 tar zxvf nginx-1.24.0.tar.gz

下载最新的安装nginx依赖

yum -y install gcc zlib zlib-devel pcre-devel openssl openssl-devel

进入编译安装目录

cd nginx-1.24.0

./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-stream

make && make install

  • Nginx配置

配置内核

# grep "TPROXY" /boot/config-`uname -r`

CONFIG_NETFILTER_XT_TARGET_TPROXY=m

 

临时添加

# sysctl -w net.ipv4.ip_forward=1

# sysctl -w net.ipv4.ip_nonlocal_bind=1

永久添加

vi /etc/sysctl.conf

新增如下两行

net.ipv4.ip_forward=1

net.ipv4.ip_nonlocal_bind=1

 

配置nginx 的策略路由:

iptables -F

iptables -F -t mangle

iptables -t mangle -A PREROUTING -p tcp --sport 10018 -j MARK --set-mark 1

ip rule add fwmark 1 lookup 100

ip route flush table 100

ip route add local 0.0.0.0/0 dev lo table 100

添加到 vi /etc/rc.d/init.d/network 的exit $rc前面 使其永久生效

 

Nginx的配置文件:

#配置work的进程数量,最好把这个值设置成CPU核数

worker_processes  4;

 

#配置Nginx worker进程最大打开文件数,最好与ulimit -n的值保持一致

worker_rlimit_nofile 65536;

 

events {

    #单个进程允许的客户端最大连接数

    worker_connections 65536;

}

 

 

http {

  upstream http-sdwan {

    server 192.168.1.3:8181;

    server 192.168.1.4:8181;

  }

 

  server {

    listen       8181;

    server_name  192.168.1.44;

 

    access_log   /var/log/nginx/access_neimeng_sdwan.log;

    error_log   /var/log/nginx/error_neimeng_sdwan.log;

    proxy_connect_timeout 600;

    proxy_send_timeout 600;

    proxy_read_timeout 600;

 

    location / {

        proxy_set_header X-Forwarded-Host $host;

        proxy_set_header X-Forwarded-Server $host;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://http-sdwan;

        proxy_buffer_size 1024k;

        proxy_buffers 8 1024k;

        proxy_busy_buffers_size 1024k;

        proxy_temp_file_write_size 1024k;

        proxy_max_temp_file_size 0;

        proxy_intercept_errors on;

 

    }

 

  }

}

 

stream {

    upstream callhome {

        server 192.168.1.3:10018 max_fails=3 fail_timeout=30s;

        server 192.168.1.4:10018 max_fails=3 fail_timeout=30s;

    }

    server {

        listen 8008;

        proxy_pass callhome;

        proxy_bind $remote_addr transparent;

        proxy_connect_timeout 2s;

        proxy_timeout 900s;

    }

}

 

keepalived配置

 

! Configuration File for keepalived

 

global_defs {

    router_id 192.168.1.120

}

 

vrrp_script chk_nginx {

  script "/etc/keepalived/check_odl.sh 8008"

  interval 2

  weight 0

}

 

vrrp_instance VI_1 {

    state BACKUP

    interface ens192

    virtual_router_id 201

    priority 100

    advert_int 1

    mcast_src_ip 192.168.1.120

    # 设置为非抢占模式

    nopreempt

    authentication {

        auth_type PASS

        auth_pass 10002000

    }

    track_script {

       chk_nginx

    }

    virtual_ipaddress {

        192.168.1.44

    }

}

 

check_odl.sh

#!/bin/sh

CHK_PORT=$1

if [ -n "$CHK_PORT" ];then

  PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`

  if [ $PORT_PROCESS -eq 0 ];then

    echo "Port $CHK_PORT Is Not Used,End."

    exit 1

  fi

else

  echo "Check Port Cant Be Empty!"

fi

 

后端服务器配置策略路由

添加到 vi /etc/rc.d/init.d/network 的exit $rc前面 使其永久生效

#后端服务器192.168.1.3设置

iptables -t mangle -A OUTPUT -p tcp --src 192.168.1.3 –sport 8008-j MARK --set-xmark 1

ip rule add fwmark 1 lookup 100

ip route add default via 192.168.1.10 table 100

#后端服务器192.168.1.4设置

iptables -t mangle -A OUTPUT -p tcp --src 192.168.1.4 --sport 8008 -j MARK --set-xmark 1

ip rule add fwmark 1 lookup 100

ip route add default via 192.168.1.10 table 100

文章来自个人专栏
加密认证
2 文章 | 1 订阅
0条评论
0 / 1000
请输入你的评论
0
0