2022年6月5日星期日

Nginx 443端口复用分流

因为我们转发的是TCP流,因此nginx需要安装ngx_stream_core_module模块(以下简称stream模块);我们还需要做一个SSL证书前置,需要ngx_stream_ssl_preread_module 模块。要查看这些模块是否被编译进了Nginx,可以使用Nginx -V命令进行查看。

如果返回的结果中含有 --with-stream和--with-stream_ssl_preread_module,就说明这两个模块已经被编译进了Nginx;否则则需要自己重新编译Nginx。

  1. 修改 Ngnix 默认配置

vi /etc/nginx/nginx.conf
  1. 加入转发模块

在配置文件底部加上如下转发模块(他人的):

# stream模块设置
stream {
   # SNI识别,将一个个域名映射成一个配置名
  map $ssl_preread_server_name $stream_map {
      website.example.com web;
      xtls.example.com beforextls;# 注意这里修改了
  }

   # upstream,也就是流量上游的配置
  upstream beforextls {
      server 127.0.0.1:7999;
  }
  upstream xtls {
      server 127.0.0.1:9000;
  }
  upstream web {
      server 127.0.0.1:443;
  }
   # stream模块监听服务器公网IP443端口,并进行端口复用
  server {
      listen [服务器公网IP]:443 reuseport;
      proxy_pass $stream_map;
      ssl_preread on;
      proxy_protocol on; # 开启Proxy protocol
  }
  server {
      listen 127.0.0.1:7999 proxy_protocol;# 开启Proxy protocol
      proxy_pass xtls; # 以真实的XTLS作为上游,这一层是与XTLS交互的“媒人”
  }
}

自定义:

stream {
  map $ssl_preread_server_name $stream_map {
      bore.vip web;
      www.bore.vip web1;
      p.bore.vip beforextls;
  }

  upstream beforextls {
      server 127.0.0.1:7999;
  }
  upstream xtls {
      server 127.0.0.1:9000;
  }
  upstream web {
      server 127.0.0.1:443;
  }
  upstream web1 {
      server 127.0.0.1:443;
  }
  server {
      listen [服务器公网IP]:443 reuseport;
      proxy_pass $stream_map;
      ssl_preread on;
      proxy_protocol on;
  }
  server {
      listen 127.0.0.1:7999 proxy_protocol;
      proxy_pass xtls;
  }
}
  1. 修改xr端口为9000

  2. 修改web服务器配置:

vi /etc/nginx/conf.d/halo.conf

他人的:

# Web服务器的配置
server {
  listen 80;# 我们只对443端口进行SNI分流,80端口依旧做Web服务;SNI分流也只能在443端口上跑TLS流量才能分流
  listen 127.0.0.1:443 ssl http2 proxy_protocol;# 监听本地443端口,要和上面的stream模块配置中的upstream配置对的上,开启Proxy protocol
  ......
   if ($ssl_protocol = "") {
      return 301 https://$host$request_uri;
  }
  index index.html index.htm index.php;
  try_files $uri $uri/ /index.php?$args;

  set_real_ip_from 127.0.0.1;# 从Proxy protocol获取真实IP
  real_ip_header proxy_protocol;
  ......
}

自定义:


upstream halo {
server 127.0.0.1:8090;
}
server {
listen 80;
listen [::]:80;
listen 127.0.0.1:443 ssl http2 proxy_protocol;
listen [::]:443 ssl http2;
server_name bore.vip www.bore.vip;
 if ($host != 'bore.vip' ) {
    rewrite ^/(.*)$ https://bore.vip/$1 permanent;
}
client_max_body_size 1024m;
ssl_certificate /etc/nginx/cert/bore.vip.pem;
ssl_certificate_key /etc/nginx/cert/bore.vip.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_buffer_size 1400;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
access_log /data/wwwlogs/bore.vip_nginx.log combined;
index index.html index.htm index.php;
root /data/wwwroot/bore.vip;
 if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
 #error_page 404 /404.html;
 #error_page 502 /502.html;
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
  proxy_pass http://halo;
  expires 30d;
  access_log off;
}
location ~ .*\.(js|css)?$ {
  proxy_pass http://halo;
  expires 7d;
  access_log off;
}
location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
  deny all;
}
location / {
  proxy_set_header HOST $host;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_pass http://halo;
}
location ^~ /.well-known/acme-challenge/ {
  default_type "text/plain";
  allow all;
  root /data/wwwroot/bore.vip/;
}
}
  1. 重启nginx、xr

systemctl restart nginx

重启xr省略

参考链接

没有评论:

发表评论