需要编译四层模块
[root@python vhast]# cd ~/nginx-1.15.9/
[root@python nginx-1.15.9]# ./configure --prefix=/data/web --sbin-path=/usr/bin --user=nginx --group=nginx --with-http_stub_status_module --with-http_auth_request_module --with-http_sub_module --add-module=/root/nginx-http-concat --with-http_addition_module --with-http_secure_link_module --with-http_geoip_module --with-http_ssl_module --add-module=/root/ngx_cache_purge --with-http_slice_module --with-http_v2_module --with-stream
[root@python nginx-1.15.9]# make
[root@python nginx-1.15.9]# mv /usr/bin/nginx{,.07.19.11.53}
[root@python nginx-1.15.9]# cp objs/nginx /usr/bin/
[root@python nginx-1.15.9]# cd /data/web/conf/vhast/
模块
Syntax: stream { ... }
Default: —
Context: main
Syntax: server { ... }
Default: —
Context: stream
Syntax: listen address:port [ssl] [udp] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size]
[bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
Default: —
Context: server
传输层相关的变量
return模块
Syntax: return value; Default: — Context: server
修改配置
[root@python vhast]# cat ../nginx.conf
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
include /data/web/conf/vhast/siceng.con;
[root@python vhast]# cat siceng.con
stream {
error_log logs/stream_error.log debug;
server {
listen 10002 proxy_protocol;
return '10002 server git ip: $remote_addr!
';
}
server {
listen 10003 proxy_protocol;
return '10003 server git ip: $remote_addr!
';
}
server {
listen 10004;
#listen 10004 proxy_protocol;
return '10004 vars:
bytes_received: $bytes_received
bytes_sent: $bytes_sent
proxy_protocol_addr: $proxy_protocol_addr
proxy_protocol_port: $proxy_protocol_port
remote_addr: $remote_addr
remote_port: $remote_port
server_addr: $server_addr
server_port: $server_port
session_time: $session_time
status : $status
binary_remote_addr: $binary_remote_addr
';
}
}
测试
[root@python ~]# telnet localhost 10004 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 10004 vars: bytes_received: 0 bytes_sent: 0 proxy_protocol_addr: proxy_protocol_port: remote_addr: 127.0.0.1 remote_port: 34218 server_addr: 127.0.0.1 server_port: 10004 session_time: 0.000 status : 000 binary_remote_addr: Connection closed by foreign host.
proxy_protocol 协议
读取proxy_protocol协议的超时控制
Syntax: proxy_protocol_timeout timeout; Default: proxy_protocol_timeout 30s; Context: stream, server
stream 的proxy_protocol 协议处理流程
配置
[root@python vhast]# cat siceng.con
stream {
error_log logs/stream_error.log debug;
server {
listen 10002 proxy_protocol;
return '10002 server git ip: $remote_addr!
';
}
server {
listen 10003 proxy_protocol;
return '10003 server git ip: $remote_addr!
';
}
server {
#listen 10004;
listen 10004 proxy_protocol;
return '10004 vars:
bytes_received: $bytes_received
bytes_sent: $bytes_sent
proxy_protocol_addr: $proxy_protocol_addr
proxy_protocol_port: $proxy_protocol_port
remote_addr: $remote_addr
remote_port: $remote_port
server_addr: $server_addr
server_port: $server_port
session_time: $session_time
status : $status
binary_remote_addr: $binary_remote_addr
';
}
}
测试
[root@python vhast]# telnet 127.0.0.1 10004 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. PROXY TCP4 202.112.144.236 10.210.10 5678 80 Connection closed by foreign host. #手动输入后敲回车 10004 vars: bytes_received: 0 bytes_sent: 0 proxy_protocol_addr: 202.112.144.236 proxy_protocol_port: 5678 remote_addr: 127.0.0.1 remote_port: 34224 server_addr: 127.0.0.1 server_port: 10004 session_time: 8.258 status : 000 binary_remote_addr: Connection closed by foreign host.
配置
[root@python vhast]# cat siceng.con
stream {
error_log logs/stream_error.log debug;
server {
listen 10002 proxy_protocol;
return '10002 server git ip: $remote_addr!
';
}
server {
listen 10003 proxy_protocol;
return '10003 server git ip: $remote_addr!
';
}
server {
#listen 10004;
listen 10004 proxy_protocol;
set_real_ip_from 127.0.0.1;
return '10004 vars:
bytes_received: $bytes_received
bytes_sent: $bytes_sent
proxy_protocol_addr: $proxy_protocol_addr
proxy_protocol_port: $proxy_protocol_port
remote_addr: $remote_addr
remote_port: $remote_port
server_addr: $server_addr
server_port: $server_port
session_time: $session_time
status : $status
binary_remote_addr: $binary_remote_addr
';
}
}
测试
[root@python vhast]# telnet 127.0.0.1 10004 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. PROXY TCP4 202.112.144.236 10.210.10 5678 80 Connection closed by foreign host. 10004 vars: bytes_received: 0 bytes_sent: 0 proxy_protocol_addr: 202.112.144.236 proxy_protocol_port: 5678 remote_addr: 202.112.144.236 remote_port: 5678 server_addr: 127.0.0.1 server_port: 10004 session_time: 5.803 status : 000 binary_remote_addr: Connection closed by foreign host.
四层限制客户端IP0
[root@python vhast]# cat siceng.con
stream {
log_format bash '$remote_addr [$time_local]'
'$protocol $status $bytes_sent $bytes_received'
'$session_time';
error_log logs/stream_error.log debug;
access_log logs/siceng.log bash;
server {
listen 10002 proxy_protocol;
return '10002 server git ip: $remote_addr!
';
}
server {
listen 10003 proxy_protocol;
return '10003 server git ip: $remote_addr!
';
}
server {
listen 10004;
#listen 10004 proxy_protocol;
set_real_ip_from 127.0.0.1;
allow 192.168.183.4;
deny all;
return '10004 vars:
bytes_received: $bytes_received
bytes_sent: $bytes_sent
proxy_protocol_addr: $proxy_protocol_addr
proxy_protocol_port: $proxy_protocol_port
remote_addr: $remote_addr
remote_port: $remote_port
server_addr: $server_addr
server_port: $server_port
session_time: $session_time
status : $status
binary_remote_addr: $binary_remote_addr
';
}
}
测试
[root@python vhast]# telnet 127.0.0.1 10004 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Connection closed by foreign host. [root@python vhast]# tail -f ../../logs/siceng.log 127.0.0.1 [19/Jul/2019:04:02:03 +0800]TCP 403 0 00.000 127.0.0.1 [19/Jul/2019:04:02:53 +0800]TCP 403 0 00.000
修改配置
[root@python vhast]# cat siceng.con
stream {
log_format bash '$remote_addr [$time_local]'
'$protocol $status $bytes_sent $bytes_received'
'$session_time';
error_log logs/stream_error.log debug;
access_log logs/siceng.log bash;
server {
listen 10002 proxy_protocol;
return '10002 server git ip: $remote_addr!
';
}
server {
listen 10003 proxy_protocol;
return '10003 server git ip: $remote_addr!
';
}
server {
#listen 10004;
listen 10004 proxy_protocol;
set_real_ip_from 127.0.0.1;
allow 192.168.183.4;
deny all;
return '10004 vars:
bytes_received: $bytes_received
bytes_sent: $bytes_sent
proxy_protocol_addr: $proxy_protocol_addr
proxy_protocol_port: $proxy_protocol_port
remote_addr: $remote_addr
remote_port: $remote_port
server_addr: $server_addr
server_port: $server_port
session_time: $session_time
status : $status
binary_remote_addr: $binary_remote_addr
';
}
}
测试
[root@python vhast]# telnet 127.0.0.1 10004 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. PROXY TCP4 192.168.183.4 10.210.10 5678 80 10004 vars: bytes_received: 0 bytes_sent: 0 proxy_protocol_addr: 192.168.183.4 proxy_protocol_port: 5678 remote_addr: 192.168.183.4 remote_port: 5678 server_addr: 127.0.0.1 server_port: 10004 session_time: 12.731 status : 000 binary_remote_addr: (· Connection closed by foreign host
四层反代里
上游
server {
error_log logs/ssl-error.log debug;
server_name "";
listen 9001 proxy_protocol; 只处理proxy_protocol请求
location /{
return 200 'hjjjuuyuu
';
}
四层代理
server {
listen 4453;
proxy_pass 127.0.0.1:9001;
proxy_protocol on; 添加proxy_protocol协议头部
}
测试
[root@python vhast]# curl 127.0.0.1:4453/ hjjjuuyuu
配置
server {
listen 4453;
proxy_pass 127.0.0.1:9001;
#proxy_protocol on;
}
测试
[root@python vhast]# curl 127.0.0.1:4453/ curl: (7) Failed connect to 127.0.0.1:4453; 拒绝连接
udp反向代理
server {
listen 4436 udp;
proxy_pass 127.0.0.1:9999;
proxy_requests 1;
proxy_responses 2;
proxy_timeout 2s;
access_log logs/udp.log bash;
#proxy_protocol on;
}
透传IP
