Introduction to forward proxies

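nginx can act not only as a reverse proxy but also as a forward proxy, for example to provide Internet access. If you think of the Internet outside the LAN as a huge resource pool, clients inside the LAN have to go through a proxy server to reach it. This kind of proxy service is called a forward proxy (what people usually mean by "going online through a proxy").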

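As shown in the figure below, the intranet machine 10.212.4.35 sits in the office intranet and cannot reach the external Internet; the external machine 10.211.1.6 sits in a different network environment and can reach the Internet. Data between the intranet machine and the external machine is ferried across a network gatekeeper. In the environment shown, the network path has already been opened, so the intranet machine 10.212.4.35 can reach port 8080 on the external machine 10.211.1.6. The only way for the intranet machine to reach the Internet is therefore to proxy through the external machine.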

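Install and deploy nginx

Install nginx on the external machine and configure the proxy there.

  • nginx does not support proxying https by default, so an extra module has to be added first.
  • Module: https://github.com/chobits/ngx_http_proxy_connect_module/
  • The module's patch must match the nginx version; see the description at the module URL for the mapping.
  • The patch is applied with the patch command, which can be installed with yum install patch.
  • This guide uses nginx 1.19.2, for which the patch version is 1018.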

    ✏️ Download the module

    wget https://github.com/chobits/ngx_http_proxy_connect_module/archive/refs/tags/v0.0.2.zip
    

    ✏️ Unpack it

    unzip v0.0.2.zip
    

    ✏️ Download nginx

    wget http://nginx.org/download/nginx-1.19.2.tar.gz
    

    ✏️ Apply the patch

    tar xf nginx-1.19.2.tar.gz
    cd nginx-1.19.2
    patch -p1 < /root/tools/ngx_http_proxy_connect_module-0.0.2/patch/proxy_connect_rewrite_1018.patch
    

    ✏️ Compile and install nginx

    yum install gcc gcc-c++ make cmake unzip ncurses-devel -y
    ./configure --prefix=/usr/local/nginx --add-module=/root/tools/ngx_http_proxy_connect_module-0.0.2
    make && make install
    

Configure the forward proxy

    ✏️ Configure nginx

    cd /usr/local/nginx/conf/
    cp nginx.conf{,.bak}
    vim nginx.conf
    
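        server {
            # must match the port opened in the firewall and used by the clients (8080)
            listen                           8080;
            server_name                      localhost;
            resolver                         114.114.114.114;
            # enable CONNECT tunnelling, restricted to destination ports 443 and 80
            proxy_connect;
            proxy_connect_allow              443 80;
            proxy_connect_connect_timeout    10s;
            proxy_connect_read_timeout       10s;
            proxy_connect_send_timeout       10s;
            # plain HTTP requests are forwarded to the host named in the request
            location / {
                proxy_pass $scheme://$http_host$request_uri;
            }
        }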
    

    ✏️ Write the systemd unit file

    # quote the heredoc delimiter so the shell does not expand $MAINPID while writing the file
    cat > /etc/systemd/system/nginx.service << 'EOF'
    [Unit]
    Description=The NGINX HTTP and reverse proxy server
    After=syslog.target network-online.target remote-fs.target nss-lookup.target
    Wants=network-online.target
    [Service]
    Type=forking
    PIDFile=/usr/local/nginx/logs/nginx.pid
    ExecStartPre=/usr/local/nginx/sbin/nginx -t
    ExecStart=/usr/local/nginx/sbin/nginx
    ExecReload=/usr/local/nginx/sbin/nginx -s reload
    ExecStop=/bin/kill -s QUIT $MAINPID
    PrivateTmp=true
    [Install]
    WantedBy=multi-user.target
    EOF
    

    ✏️ Start nginx

    systemctl daemon-reload
    systemctl start nginx
    

    ✏️ Open the firewall (traffic arrives through the network gatekeeper, so the source IP is rewritten to 172.12.0.179)

    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.12.0.179" port protocol="tcp" port="8080" accept'
    firewall-cmd --reload
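
To confirm that the `proxy_connect_allow 443 80` allowlist and the source-address firewall rule are holding, the proxy's access log can be checked for CONNECT requests outside that policy. The script below is an added example, not part of the original article; it assumes nginx's default combined log format, and the function names and log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the forward proxy's access log for CONNECT requests that
# fall outside the policy configured on this page.
# Assumes nginx's default "combined" log format. All log lines are constructed.

ALLOWED_PORTS="443 80"          # mirrors: proxy_connect_allow 443 80
ALLOWED_CLIENT="172.12.0.179"   # mirrors: source address in the firewall rich rule

# audit_connect_log [FILE...]  (reads stdin when no file is given)
# Prints one finding per line: <reason> <client> <target> <status>
audit_connect_log() {
    awk -v ports="$ALLOWED_PORTS" -v client="$ALLOWED_CLIENT" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    # combined format: $1 client, $6 opening quote plus method, $7 target, $9 status
    $6 == "\"CONNECT" {
        target = $7; status = $9
        port = target; sub(/^.*:/, "", port)      # text after the last colon
        if (target !~ /:[0-9]+$/) {
            print "malformed-target", $1, target, status
        } else if (!(port in ok)) {
            print "port-not-allowed", $1, target, status
        }
        if ($1 != client) {
            print "unexpected-client", $1, target, status
        }
    }' "$@"
}

# Constructed sample: one normal tunnel, one plain HTTP request (ignored),
# one tunnel to a port outside the allowlist, one tunnel from an unknown source.
sample_log() {
    cat <<'EOF'
172.12.0.179 - - [05/Sep/2021:16:18:17 +0800] "CONNECT www.baidu.com:443 HTTP/1.1" 200 5612 "-" "curl/7.61.1"
172.12.0.179 - - [05/Sep/2021:16:26:35 +0800] "HEAD http://www.baidu.com/ HTTP/1.1" 200 0 "-" "curl/7.61.1"
172.12.0.179 - - [05/Sep/2021:16:31:40 +0800] "CONNECT host.example:22 HTTP/1.1" 403 0 "-" "-"
10.0.0.77 - - [05/Sep/2021:16:35:09 +0800] "CONNECT example.com:443 HTTP/1.1" 200 812 "-" "-"
EOF
}

sample_log | audit_connect_log
```

With the install prefix used above, the real log can be passed as a file argument: `audit_connect_log /usr/local/nginx/logs/access.log`.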
    

Test access from the intranet machine and add the proxy to the environment variables

    ✏️ Test http access

    # curl -I --proxy 172.11.0.179:8080  http://www.baidu.com
    HTTP/1.1 200 OK
    Server: nginx/1.19.2
    Date: Sun, 05 Sep 2021 08:17:57 GMT
    Content-Type: text/html
    Content-Length: 277
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    Etag: "575e1f60-115"
    Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
    Pragma: no-cache
    

    ✏️ Test https access

    # curl -I --proxy 172.11.0.179:8080  https://www.baidu.com
    HTTP/1.1 200 Connection Established
    Proxy-agent: nginx
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    Connection: keep-alive
    Content-Length: 277
    Content-Type: text/html
    Date: Sun, 05 Sep 2021 08:18:17 GMT
    Etag: "575e1f60-115"
    Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
    Pragma: no-cache
    Server: bfe/1.0.8.18
    

    ✏️ Add the proxy to the environment variables so it is used directly

    vim /etc/profile
    export http_proxy=172.11.0.179:8080
    export https_proxy=172.11.0.179:8080
    

    ✏️ Once this is added, the machine can access the Internet directly

    # curl -I http://www.baidu.com
    HTTP/1.1 200 OK
    Server: nginx/1.19.2
    Date: Sun, 05 Sep 2021 08:26:35 GMT
    Content-Type: text/html
    Content-Length: 277
    Connection: keep-alive
    Accept-Ranges: bytes
    Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    Etag: "575e1f60-115"
    Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
    Pragma: no-cache
    # curl -I https://www.baidu.com
    HTTP/1.1 200 Connection Established
    Proxy-agent: nginx
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    Connection: keep-alive
    Content-Length: 277
    Content-Type: text/html
    Date: Sun, 05 Sep 2021 08:26:14 GMT
    Etag: "575e1f60-115"
    Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
    Pragma: no-cache
    Server: bfe/1.0.8.18