配置Nginx作为HTTPS PROXY

配置Nginx作为HTTPS PROXY

补充编译需要的Lib

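# Build dependencies. nginx 1.17 links against the C PCRE library (libpcre3-dev);
# the original's libpcre++-dev is only the C++ wrapper and merely happened to pull
# the real dependency in. socat is what acme.sh --standalone (below) listens with.
apt update
apt install libpcre3-dev libssl-dev zlib1g-dev g++ make patch git unzip curl socat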

下载Nginx源码（本文以1.17.9为例；实际部署时请选择当前仍受支持的版本，并核对下载包的PGP签名）

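# Fetch the nginx source over TLS and check its detached PGP signature before
# building: the original pulled it over plain http://, which lets an on-path
# attacker hand you a trojaned tarball that then runs as root.
NGINX_VERSION=1.17.9
wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc"
# Import the release signing key from https://nginx.org/keys/ first and compare
# its fingerprint against an out-of-band source; a signature that does not
# verify aborts the build instead of being ignored.
gpg --verify "nginx-${NGINX_VERSION}.tar.gz.asc" "nginx-${NGINX_VERSION}.tar.gz" \
  || { echo "nginx tarball signature check failed" >&2; exit 1; }
tar xzvf "nginx-${NGINX_VERSION}.tar.gz"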

增加CONNECT模块

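# Vendor the CONNECT module from a pinned revision instead of "master": an
# unversioned raw URL changes under you, so what ended up compiled into a
# daemon that starts as root can neither be audited nor reproduced later.
# Set MODULE_REV to a tag or commit of chobits/ngx_http_proxy_connect_module
# that you have looked at; the patch file name must match the nginx version
# table in that project's README (101504 is the one the original used for 1.17).
MODULE_REPO=https://raw.githubusercontent.com/chobits/ngx_http_proxy_connect_module
MODULE_REV="${MODULE_REV:?set to a reviewed tag or commit of ngx_http_proxy_connect_module}"
mkdir connect
cd connect
wget "${MODULE_REPO}/${MODULE_REV}/patch/proxy_connect_rewrite_101504.patch"
wget "${MODULE_REPO}/${MODULE_REV}/ngx_http_proxy_connect_module.c"
wget "${MODULE_REPO}/${MODULE_REV}/config"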

打补丁

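# The tarball above unpacks to nginx-1.17.9 and the patch was saved under its
# upstream name, so the original "cd ../nginx-1.17.1" and "proxy_connect.patch"
# both fail. Also abort on a rejected hunk rather than silently building a
# binary without CONNECT support.
cd ../nginx-1.17.9 || exit 1
patch -p1 < /root/connect/proxy_connect_rewrite_101504.patch \
  || { echo "proxy_connect patch did not apply cleanly" >&2; exit 1; }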

安装OpenSSL 1.1.1(TLSv1.3)

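# OpenSSL source tree that nginx's --with-openssl compiles in statically. Prefer
# a release tag over the moving branch head so the build is reproducible and the
# exact version is known when the next OpenSSL advisory lands (a static build
# means nginx itself must be rebuilt for every OpenSSL fix). OpenSSL 1.1.1
# reached end of life in September 2023; new deployments should use a series
# that still receives security fixes.
cd /usr/local/src
git clone https://github.com/openssl/openssl.git
cd openssl
# A release tag (see "git tag -l 'OpenSSL_1_1_1*'") is better than the branch
# name; the default keeps the original behaviour. Where the tag is signed,
# "git tag -v" checks it instead of trusting the transport alone.
OPENSSL_REF="${OPENSSL_REF:-OpenSSL_1_1_1-stable}"
git checkout "$OPENSSL_REF"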

配置

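# Configure the build with the same layout and module set as the original, plus
# the compiler/linker hardening (stack protector, FORTIFY_SOURCE, RELRO and
# BIND_NOW) that distribution packages carry and a hand-built binary otherwise
# loses. OpenSSL is linked in statically from /usr/local/src/openssl, so check
# "nginx -V" after the build and rebuild whenever OpenSSL is updated.
./configure \
  --prefix=/usr/share/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --http-log-path=/var/log/nginx/access.log \
  --error-log-path=/var/log/nginx/error.log \
  --lock-path=/var/lock/nginx.lock \
  --pid-path=/run/nginx.pid \
  --modules-path=/usr/lib/nginx/modules \
  --http-client-body-temp-path=/var/lib/nginx/body \
  --http-proxy-temp-path=/var/lib/nginx/proxy \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --without-mail_pop3_module \
  --without-mail_imap_module \
  --without-mail_smtp_module \
  --without-http_memcached_module \
  --without-http_fastcgi_module \
  --without-http_uwsgi_module \
  --without-http_scgi_module \
  --add-module=/root/connect \
  --with-openssl=/usr/local/src/openssl \
  --with-cc-opt='-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2' \
  --with-ld-opt='-Wl,-z,relro -Wl,-z,now'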

安装

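# Parallel build, then install (as root) into the paths given to ./configure.
make -j"$(nproc)" && make install
# Confirm the binary really carries the CONNECT module and the intended OpenSSL
# before pointing traffic at it.
/usr/sbin/nginx -V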

安装acme.sh

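cd ~
# Do not pipe an unread remote script straight into a shell: fetch it, read it
# (and keep the copy if you redeploy), then run it. The installer creates the
# ACME account key and later the blog.xx0o.com private key under ~/.acme.sh,
# so that tree must stay readable by root only.
curl -fsSLo get-acme.sh https://get.acme.sh
"${PAGER:-less}" get-acme.sh
sh get-acme.sh
chmod 700 ~/.acme.sh
cd ~/.acme.sh
# --standalone binds port 80 itself, so nginx must not be listening there yet
# (switch to --webroot or --nginx once it is). ec-384 already implies an ECC
# certificate; --ecc is kept for clarity and for the _ecc directory name the
# nginx config below refers to.
./acme.sh --issue -d blog.xx0o.com -k ec-384 --standalone --ecc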

配置/etc/nginx/nginx.conf

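#user  nobody;
worker_processes  auto;
#pid  logs/nginx.pid;

events {
	worker_connections 512;
	multi_accept on;
	use epoll;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # Hide the nginx version from the Server header and error pages; it only
    # helps fingerprint this custom build.
    server_tokens off;

    # $ssl_client_s_dn records which client certificate (if any) was presented,
    # which is the only identity a proxy user has on this host.
    log_format  main  '$remote_addr <$bytes_sent>- $remote_user [$time_local] "$request" '
                      '$status "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" "$ssl_client_s_dn"';

    # Skip access logging for the LAN. The dots are escaped: unescaped "." in
    # the original's regex matched any character, not just a literal dot.
    map $remote_addr $log_ip {
	"~^192\.168\." 0;
	default 1;
    }

    access_log  /var/log/nginx/access.log  main if=$log_ip;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    # NOTE(review): compressing TLS responses that mix secrets with
    # attacker-influenced input enables BREACH-style attacks; harmless for a
    # static site, reconsider if anything dynamic is ever served here.
    gzip  on;

    send_timeout 600;

    root /usr/local/www;

    include /etc/nginx/sites/*.conf;
}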

配置/etc/nginx/sites/tlsproxy.conf

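server {
	listen       443 ssl;
	server_name  blog.xx0o.com;

	# Server certificate and key issued by acme.sh; they live under /root, so
	# only the master process (which runs as root) can read the key.
	ssl_certificate  /root/.acme.sh/blog.xx0o.com_ecc/fullchain.cer;
	ssl_certificate_key  /root/.acme.sh/blog.xx0o.com_ecc/blog.xx0o.com.key;

	# Client-certificate authentication against the CA that issues the proxy
	# users' certificates (caCert.pem is not produced on this page). "optional"
	# lets a handshake without a certificate succeed and sets
	# $ssl_client_verify to NONE (or FAILED:reason), so every request that can
	# reach the proxy must check that variable below.
	ssl_client_certificate  /root/.acme.sh/caCert.pem;
	ssl_verify_client optional;

	# NOTE(review): with OpenSSL, ssl_ciphers governs TLS 1.2 only. TLS 1.3
	# suites are configured separately (ssl_conf_command Ciphersuites, nginx
	# 1.19.4+) and OpenSSL spells them TLS_AES_256_GCM_SHA384, so the second
	# entry here is silently ignored rather than enforced.
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:TLS-AES-256-GCM-SHA384;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ecdh_curve X25519:secp384r1;
	ssl_session_timeout  10m;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Resolver for the host names in CONNECT and proxy_pass. ipv6=off avoids
	# a failing AAAA attempt first (see the notes at the end of the page);
	# the lookups go to 8.8.8.8 in clear text.
	resolver_timeout 5s;
	resolver 8.8.8.8 valid=300s ipv6=off;

	# CONNECT tunnelling. The target ports are restricted: "all" would let an
	# authenticated client open a TCP tunnel to any port on any host reachable
	# from this machine, including services meant only for its own network.
	proxy_connect;
	proxy_connect_allow 443;
	proxy_connect_connect_timeout  30s;
	proxy_connect_read_timeout 60s;
	proxy_connect_send_timeout 30s;

	proxy_connect_timeout 600;
	proxy_send_timeout 600;
	proxy_read_timeout 600;

	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

	# Default-deny for CONNECT: only a successfully verified client certificate
	# gets a tunnel; NONE, FAILED:... and any unexpected value are refused.
	# (The original answered NONE with 402 and FAILED with 401; one 401 is
	# simpler to reason about.)
	set $connect_ok "$request_method $ssl_client_verify";
	if ($connect_ok = "CONNECT SUCCESS") { set $connect_ok "ok"; }
	if ($connect_ok ~ "^CONNECT ") { return 401; }

	# Plain (non-CONNECT) forward proxying is allowed only for a verified
	# client asking for a Host other than this site. As originally written the
	# branches were inverted and did not parse ("~!=", nested if): the verified
	# client got 404 while the unverified one was proxied, i.e. an open HTTP
	# proxy. $host, unlike $http_host, has the port stripped, so a request for
	# blog.xx0o.com:443 is not proxied back to ourselves.
	set $forward_ok $ssl_client_verify;
	if ($host = "blog.xx0o.com") { set $forward_ok "local"; }

	location / {
		root   /usr/local/www/;
		index  index.html index.htm;
		# NOTE(review): $http_host stays client-controlled and nginx offers no
		# way here to refuse loopback/RFC1918/link-local targets, so restrict
		# the box's outbound traffic (OUTPUT chain) to what a proxy should reach.
		proxy_set_header Host $http_host;
		if ($forward_ok = "SUCCESS") {
			proxy_pass http://$http_host$request_uri;
		}
	}
}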

配置/etc/nginx/sites/default.conf(Let’s Encrypt Nginx Mode)

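    server {
        listen       80;
        server_name  localhost;

        # Let's Encrypt does not publish its validation addresses and checks
        # from several vantage points, so the per-IP allowlist the original
        # carried here was unsupported and bound to break renewals one day.
        # The challenge path carries nothing secret: open only that (it matches
        # acme.sh --webroot /usr/local/www; --nginx mode injects its own
        # location) and keep the rest of port 80 limited to the LAN and the
        # author's home range.
        location ^~ /.well-known/acme-challenge/ {
            root   /usr/local/www;
            default_type text/plain;
        }

        # stub_status exposes live connection counters; reach it from the box
        # itself or the LAN only, never from a public /17 as before.
        location = /status {
            allow 127.0.0.1;
            allow 192.168.100.0/24;
            deny  all;
            stub_status;
        }

        location / {
            allow 192.168.100.0/24;
            allow 58.32.0.0/17;
            deny  all;
            root   /usr/local/www;
            index  index.html index.htm;
        }

        # redirect server error pages to the static page /50x.html
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www;
        }
    }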

配置Iptables,避免80被滥用

采集到的IP有（注意：Let's Encrypt 并不公布也不保证验证来源IP，并且会从多个节点发起验证，以下仅为抓包观测结果，随时可能变化，据此做白名单会导致续期失败）
Webroot模式--Staging
34.213.106.112
66.133.109.36
52.29.173.72
13.58.30.69
Webroot模式--Issue
64.78.149.164
Standalone模式
66.133.109.36
64.78.149.164
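# The ACCEPT rules on their own restrict nothing: with the INPUT chain's usual
# ACCEPT policy every other source still reaches port 80, so the list must end
# with an explicit DROP for the port (or the chain policy must be DROP).
# Let's Encrypt does not publish its validation addresses and validates from
# several vantage points, so this source list will eventually break renewal;
# exposing only /.well-known/acme-challenge/ in nginx is the supported way.
# These rules also do not survive a reboot unless saved (e.g. netfilter-persistent).
for src in 13.58.30.69 34.213.106.112 52.29.173.72 64.78.149.164 66.133.109.36; do
  /sbin/iptables -A INPUT -p tcp --dport 80 -s "$src" -j ACCEPT
done
/sbin/iptables -A INPUT -p tcp --dport 80 -j DROP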

特别需要注意的

proxy_pass http://$host;   #不支持带端口的请求
proxy_pass http://$http_host$request_uri;   #支持带端口的请求（注意：$http_host 完全由客户端控制，若不先校验客户端证书并限制目标地址，这就是一个可以访问本机/内网地址的开放代理）
resolver 1.1.1.1 valid=300s ipv6=off;   #ipv6=off很关键,否则所有ipv6的请求都会先失败
apt remove vim-tiny
apt install vim
vi .vimrc
:color desert
syntax on

/lib/systemd/system/nginx.service

# systemd unit for the hand-built nginx (Debian's stock unit, annotated).
#
# Stop sequence
# =============
# ExecStop sends SIGQUIT (graceful stop: finish in-flight requests, then exit)
# through start-stop-daemon — the stock comment says SIGSTOP, which would only
# pause the process. If, after 5s (--retry QUIT/5), nginx is still running,
# start-stop-daemon gives up and systemd takes over, sending SIGTERM (fast
# shutdown) to the main process. After another 5s (TimeoutStopSec=5), if nginx
# is still alive, systemd sends SIGKILL to every process left in the control
# group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
# network.target only means the network stack is up, not that addresses are
# configured; acceptable here because nginx binds wildcard ports.
After=network.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
# Syntax-check the config first so a broken edit fails the start visibly.
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecStartPost=/bin/sleep 0.3
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
# The leading "-" makes a non-zero exit of the stop command non-fatal.
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
#ExecStopPost=/bin/rm /run/nginx.sock
TimeoutStopSec=5
KillMode=mixed
# NOTE(review): no sandboxing directives (PrivateTmp, ProtectSystem,
# NoNewPrivileges) are set. The master runs as root to read the key under
# /root/.acme.sh, so any option added must keep that path readable — confirm
# with "nginx -t" under the unit before enabling one.

[Install]
WantedBy=multi-user.target

