反向代理
针对WebSocket
http + WebSocket 反向代理转发
server {
    server_name xxx.com;
    # No `ssl` parameter here: this listener speaks plain HTTP on port 443.
    listen 443;

    # Clients connect to /woshi; the backend path /path is unrelated to it.
    location /woshi {
        proxy_pass http://xxx.com:1443/path;
        proxy_redirect off;

        # The WebSocket handshake needs HTTP/1.1 and the hop-by-hop
        # Upgrade/Connection headers re-sent to the backend.
        proxy_http_version 1.1;
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;

        # Pass the requested host and the client address to the backend.
        # $proxy_add_x_forwarded_for appends $remote_addr to any
        # X-Forwarded-For value the client sent, so the backend should
        # treat only the last entry as set by this proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
https + WebSocket 配置
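server {
    # TLS listener; replaces the plain `listen 443;` of the HTTP variant.
    listen 443 ssl default_server;
    server_name xxx.com;

    ssl_certificate /home/ssl/fullchain.pem;
    ssl_certificate_key /home/ssl/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated and removed here. The TLSv1.3 parameter
    # needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Clients connect to /woshi over TLS; the hop to the backend is plain HTTP.
    location /woshi {
        proxy_redirect off;
        proxy_pass http://xxx.com:1443/path;

        # WebSocket upgrade: HTTP/1.1 plus the Upgrade/Connection headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any client-supplied X-Forwarded-For value;
        # the backend should treat only the last entry as set by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}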
静态资源
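server {
    listen 80;
    server_name xxx.com;

    # Example request: xxx.com/woshi/rdp/index.html
    #
    # The location prefix ends in "/" to match the trailing "/" of the alias.
    # With a bare `location /woshi`, nginx also matches URIs that merely start
    # with "/woshi" and appends the remainder to the alias path, which can
    # resolve to files outside /home/html/. A request for exactly "/woshi"
    # no longer matches this location.
    location /woshi/ {
        # With root, the file served would be /home/html/woshi/rdp/index.html
        # root /home/html/;
        # With alias, the file served is /home/html/rdp/index.html: alias
        # replaces the matched location prefix instead of keeping it.
        alias /home/html/;
    }
}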
针对非80,443端口丢失问题
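server {
    listen 80;
    server_name xxx.com;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        # Key line: include the port in the Host header so that the backend
        # does not lose it when it builds absolute URLs.
        # $server_port is the port this server accepted the request on.
        proxy_set_header Host $host:$server_port;
        proxy_redirect off;
        # Fixed scheme separator: the original `http:/xxx.com` is not a valid
        # URL prefix and nginx rejects it when loading the configuration.
        proxy_pass http://xxx.com:65432/;
    }
}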
一份完整配置
- 首先匹配所有未知请求到镜像站,伪装
- 针对真正连接做反向代理
- 订阅地址
一份完整配置
##############################################
# I am a mirror site #
# author: ghdefe #
##############################################
# 不要跟陌生人说话
server {
    # Catch-all for plain-HTTP requests whose Host matches no other server.
    server_name _;
    listen 80 default_server;

    # Send every such request to the HTTPS site, keeping the original URI.
    return 301 https://www.xxx.com:443$request_uri;
}
# 不要跟陌生人说话
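server {
    # Catch-all TLS server for requests whose Host matches no other server.
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate /home/ssl/fullchain.pem;
    ssl_certificate_key /home/ssl/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated and removed here. The TLSv1.3 parameter
    # needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled together with a trusted CA bundle.
        proxy_pass https://www.sina.com/;
        # Original note: prevents substitution failures caused by gzip.
        # No sub_filter is visible in this block.
        proxy_set_header Accept-Encoding "none";

        proxy_connect_timeout 120;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        send_timeout 600;
        proxy_redirect off;

        # NOTE(review): these two headers hand each visitor's IP address to
        # the third-party upstream; confirm that this is intended.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}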
# 直连通道
server {
    server_name youku.xxx.com *.iqiyi.com *.10010.com *.189.cn *.xiaomi.com *.10155.com *.wo.com.cn;
    listen 80;

    # Anything that does not match /kugou is redirected to the mirror site.
    location / {
        # When served on a non-standard port, add $server_port.
        return 301 https://www.xxx.com:443$request_uri;
    }

    # A matching path is proxied to the local backend.
    location /kugou {
        proxy_pass http://127.0.0.1:1443/path;
        proxy_redirect off;

        # WebSocket upgrade: HTTP/1.1 plus the Upgrade/Connection headers.
        proxy_http_version 1.1;
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;

        # The Host header carries the listening port; the client address is
        # passed in X-Real-IP and appended to X-Forwarded-For.
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
# ssl通道
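server {
    listen 443 ssl;
    # NOTE(review): confirm that the certificate below covers every name
    # listed here; clients that validate it will otherwise fail the handshake.
    server_name youku.xxx.com *.iqiyi.com *.10010.com *.189.cn *.xiaomi.com *.10155.com *.wo.com.cn;

    ssl_certificate /home/ssl/fullchain.pem;
    ssl_certificate_key /home/ssl/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated and removed here. The TLSv1.3 parameter
    # needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # A matching path is proxied to the local backend over plain HTTP.
    location /kugou {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:1443/path;

        # WebSocket upgrade: HTTP/1.1 plus the Upgrade/Connection headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any client-supplied X-Forwarded-For value;
        # the backend should treat only the last entry as set by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is redirected to the mirror site.
    location / {
        return 301 https://www.xxx.com:443$request_uri;
    }
}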
# 订阅
server {
    server_name order.xxx.com;
    listen 80;

    # Upgrade plain HTTP to HTTPS. $server_name is the configured name above,
    # not the client-supplied Host header, so the redirect target is fixed.
    return 301 https://$server_name:443$request_uri;
}
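server {
    listen 443 ssl;
    server_name order.xxx.com;

    ssl_certificate /home/ssl/fullchain.pem;
    ssl_certificate_key /home/ssl/privkey.pem;
    # TLS 1.0 and 1.1 are deprecated and removed here. The TLSv1.3 parameter
    # needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # NOTE(review): everything under /home/html/order/ is served to any client
    # without authentication; if these files hold credentials, restrict access.
    location / {
        alias /home/html/order/;
        index index.html index.htm;
        # Avoid 404s: try the file, then the directory, and finally fall back
        # to "/" (which serves the index page).
        try_files $uri $uri/ /;
    }
}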