今天研究了一下 Nginx 反代理,整个实现过程还不算完美,暂且做一下记录。
参考文献:
前面的编译安装工作,可以照搬参考文献 1。
# # 安装 gcc & git # apt-get install build-essential git gcc g++ make # # 下载最新版源码 # nginx 官网: # http://nginx.org/en/download.html # wget "http://nginx.org/download/nginx-1.7.8.tar.gz" # # 下载最新版 pcre # pcre 官网: # http://www.pcre.org/ # wget "ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.36.tar.gz" # # 下载最新版 openssl # opessl 官网: # https://www.openssl.org/ # wget "https://www.openssl.org/source/openssl-1.0.1j.tar.gz" # # 下载最新版 zlib # zlib 官网: # http://www.zlib.net/ # wget "http://zlib.net/zlib-1.2.8.tar.gz" # # 下载本扩展 # git clone https://github.com/cuber/ngx_http_google_filter_module # # 下载 substitutions 扩展 # git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module # # 解压缩 # tar xzvf nginx-1.7.8.tar.gz tar xzvf pcre-8.36.tar.gz tar xzvf openssl-1.0.1j.tar.gz tar xzvf zlib-1.2.8.tar.gz # # 进入 nginx 源码目录 # cd nginx-1.7.8 # # 设置编译选项 # ./configure \ --prefix=/opt/nginx-1.7.8 \ --with-pcre=../pcre-8.36 \ --with-openssl=../openssl-1.0.1j \ --with-zlib=../zlib-1.2.8 \ --with-http_ssl_module \ --add-module=../ngx_http_google_filter_module \ --add-module=../ngx_http_substitutions_filter_module # # 编译, 安装 # make sudo make install # # 启动 Nginx # sudo /opt/nginx-1.7.8/sbin/nginx # 停止 Nginx sudo killall nginx
添加 Nginx 至启动项:创建文件/etc/init.d/nginx:
#! /bin/sh
### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx using start-stop-daemon
### END INIT INFO
PATH=/opt/bin:/opt/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/opt/nginx-1.7.8/sbin/nginx
NAME=nginx
DESC=nginx
test -x $DAEMON || exit 0
# Include nginx defaults if available
if [ -f /etc/default/nginx ] ; then
. /etc/default/nginx
fi
set -e
case "$1" in
start)
echo -n "Starting $DESC: "
start-stop-daemon --start --pidfile /var/run/nginx.pid \
--exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
killall nginx
start-stop-daemon --stop --quiet --pidfile /var/run/nginx.pid \
--exec $DAEMON
echo "$NAME."
;;
restart|force-reload)
echo -n "Restarting $DESC: "
killall nginx
sleep 1
start-stop-daemon --start --quiet --pidfile \
/var/run/nginx.pid --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
reload)
echo -n "Reloading $DESC configuration: "
start-stop-daemon --stop --signal HUP --quiet --pidfile /var/run/nginx.pid \
--exec $DAEMON
echo "$NAME."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|restart|force-reload}" >&2
exit 1
;;
esac
exit 0
添加执行权限并设置为自动启动:
sudo chmod +x /etc/init.d/nginx sudo update-rc.d /etc/init.d/nginx defaults
修改 Nginx 配置:/opt/nginx-1.7.8/conf/nginx.conf:
http {
...
#gzip on;
upstream www.google.com {
server 74.125.224.80:443 max_fails=3;
server 74.125.224.81:443 max_fails=3;
server 74.125.224.82:443 max_fails=3;
server 74.125.224.83:443 max_fails=3;
server 74.125.224.84:443 max_fails=3;
}
server {
listen 80;
listen 443 ssl;
server_name mstar.top;
resolver 8.8.8.8;
#charset koi8-r;
#ssl on;
ssl_certificate /etc/nginx/mstar.top.crt;
ssl_certificate_key /etc/nginx/mstar.top.key;
#rewrite to SSL
if ($scheme = http) {
return 301 https://$server_name$request_uri;
}
#access_log logs/host.access.log main;
location / {
google on;
#root html;
#index index.html index.htm;
}
...
设置 upstream 的目的是避免 Google 提示输入验证码,我想大概是因为不同地区得到的 Google IP 段不一样,如果你一会使用 Nginx 反代,一会儿使用原 Google.com,会导致 Google 猜测你的网络环境异常,强制要求你输入验证码。
为了强制 HTTPS 所以改用了 443 端口,此时需要导入 SSL 证书。如果没有 HTTPS,可以参考文献 1 中的做法。
最后重启 Nginx 即可。