I. Background
The customer's intranet server has no internet access; only one other server on site is allowed out. Any request the intranet server needs to send to the internet therefore has to be relayed through a network proxy on the internet-facing server, which performs the real request on its behalf.
II. Solution
The flow involves two servers, so two Nginx configurations are needed, one on each.
1. Intranet server configuration
The intranet Nginx intercepts the outbound requests and forwards them to the external server. So that it can intercept them, the target domains are pointed at the local machine by mapping them to the local IP in the local hosts file.
Local hosts file: C:\Windows\System32\drivers\etc\hosts
The hosts file is configured as follows:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

127.0.0.1 ocr.tencentcloudapi.com
127.0.0.1 aip.baidubce.com
The author needs to call the Tencent Cloud and Baidu Cloud APIs, so both domains are mapped to the loopback address; a request to either domain now actually goes to the local machine's IP. Note that this only changes name resolution: the client software still expects an HTTPS server on port 443 that presents a certificate valid for those names, which is what the intranet Nginx below provides.
Next, the intranet Nginx configuration, file path: nginx-1.19.7\conf\nginx.conf
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    keepalive_timeout 65;
    # request body buffer size
    client_body_buffer_size 100m;
    # upload size limit, default 1m
    client_max_body_size 100m;

    # HTTPS server
    server {
        listen 443 ssl;
        server_name ocr.tencentcloudapi.com aip.baidubce.com;

        ssl_certificate     cert/https.crt;
        ssl_certificate_key cert/https.key;
        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            # forward to the external server, plain HTTP on its port 8039
            proxy_pass http://192.168.5.147:8039;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_connect_timeout 60;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
The core of the configuration is the server block: it listens for HTTPS on port 443, and when the request is for one of the two domains it forwards it to the IP in the location block. Two things worth noticing: TLS is terminated here with your own certificate (cert/https.crt), so the client software on this machine must trust that certificate; and the hop to 192.168.5.147:8039 is plain HTTP, so the API request, including any credentials in its headers or body, crosses the internal network unencrypted. If that network is not trusted, have the external Nginx listen with ssl as well and use proxy_pass https:// for this hop. (The original header name X-Forwared-Proto was a typo; it is X-Forwarded-Proto above.)
2. External server configuration
The external Nginx simply takes the relayed requests and performs the real access. Its configuration:
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    # required: proxy_pass below uses a variable ($host), so nginx must resolve it at run time
    resolver 8.8.8.8;
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    # request body buffer size
    client_body_buffer_size 100m;
    # upload size limit, default 1m
    client_max_body_size 100m;
    #gzip on;

    server {
        # the port opened in the firewall
        listen 8039;
        server_name ocr.tencentcloudapi.com aip.baidubce.com;
        access_log logs/host.access.log;

        location / {
            # rebuild the real URL from the Host header and the request URI
            proxy_pass https://$host$request_uri;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
It accepts the relayed requests on port 8039 and, when the request is for one of the two target domains, rebuilds the URL from the Host header and request URI and fetches it directly. Be aware of what this block does as written: it is the only server on port 8039, so it is also nginx's default server and will proxy a request with any Host header, not just the two names in server_name, which makes it a general HTTPS relay for anyone who can reach 8039. It also makes the upstream TLS connection without sending SNI and without verifying the cloud API's certificate (proxy_ssl_server_name and proxy_ssl_verify are both off by default). At minimum, restrict the port in the firewall to the intranet server, add allow/deny rules, add a default_server that returns 444 for unexpected hosts, and turn on proxy_ssl_server_name and proxy_ssl_verify with a trusted CA bundle.
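As an added example, not the configuration from the original post, here is a hardened version of the external server's nginx.conf that closes those gaps. It assumes the intranet server lives in 192.168.5.0/24, that the external server is Linux with its CA bundle at /etc/ssl/certs/ca-certificates.crt, and an nginx new enough for the proxy_ssl_* directives (1.7.0 or later); adjust those three points for your site.

```nginx
# Added example (not the page's own config): hardened external-server nginx.conf.
# Assumptions: intranet server in 192.168.5.0/24; Debian/Ubuntu CA bundle path;
# nginx >= 1.7.0.
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;
    keepalive_timeout 65;
    client_body_buffer_size 100m;
    client_max_body_size    100m;

    # $host comes from the client request, so it is resolved at run time;
    # cache answers for 5 minutes instead of querying on every request.
    resolver 8.8.8.8 valid=300s;
    resolver_timeout 5s;

    # 1. Anything with an unexpected Host header is dropped without a response.
    #    Without this block the API server below would be the default server
    #    and would fetch whatever hostname the caller put in Host.
    server {
        listen 8039 default_server;
        server_name _;
        return 444;
    }

    # 2. Only the two API hosts the intranet server is allowed to reach.
    server {
        listen 8039;
        server_name ocr.tencentcloudapi.com aip.baidubce.com;
        access_log logs/host.access.log;

        # 3. Only the intranet server may use this relay, independent of the firewall.
        allow 192.168.5.0/24;   # assumption: the intranet server's subnet
        deny  all;

        location / {
            proxy_pass https://$host$request_uri;
            proxy_http_version 1.1;
            proxy_redirect off;
            proxy_set_header Host $host;

            # 4. Send SNI and verify the cloud API's certificate chain against
            #    the name in Host; nginx does neither by default, so a spoofed
            #    DNS answer for the API domain would otherwise go unnoticed.
            proxy_ssl_server_name on;
            proxy_ssl_name $host;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 3;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumption: Debian/Ubuntu path

            # 5. Do not forward intranet addresses to a third-party API.
            #    An empty value removes a header the intranet Nginx added.
            proxy_set_header X-Real-IP "";
            proxy_set_header X-Forwarded-For "";
            proxy_set_header X-Forwarded-Proto "";
        }
    }
}
```

Check it with nginx -t before reloading. If a target API ever fails with an upstream SSL verification error in error.log, the fix is to point proxy_ssl_trusted_certificate at a bundle containing that API's root CA, not to turn proxy_ssl_verify back off.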
III. Summary
That completes the configuration for relaying the intranet server's outbound requests through the external server. The practical test is to use the software on the intranet server that calls these APIs: if the feature works, the relay is working. One extra point needs attention: the SSL certificate the intranet Nginx serves. It can be generated with OpenSSL or bought from a certificate vendor, but it must cover both domains (ocr.tencentcloudapi.com and aip.baidubce.com, in the certificate's Subject Alternative Name), and the client software on the intranet server must trust its issuer, for a self-signed certificate by importing it into the machine's trusted root store. Otherwise the client will reject the connection, and disabling certificate verification in the client to work around that would throw away the protection HTTPS was providing.