两台虚拟机配置nginx反向代理和squid正向代理

爱迪生

 由于工作需要搭建一个前端代理服务器（外网）一台，后端web服务器（内网）两台。说话要配个图才能更好的理解：

 看第一张图就行了，我的代理是用nginx做反向代理，其实nginx也可以做正向代理，本来打算只用nginx的，但是因为nginx不支持https的正向代理，在网上查了好多资料，虽然有办法解决，但是看nginx官网说作者不打算在后续的版本增加nginx的https正向代理功能，又从网上查了好多都说nginx是为反向代理而生的，正向代理并不是它的特长，看有人推荐用squid做正向代理，并且支持多种连接协议。多提一句，做正向代理squid的效率比nginx要差很多，这个是从网上查的，没有具体实验。所以最终就采用nginx做反向代理，采用squid做正向代理，同时部署在有外网的服务器上监听不同的端口就可以了。下面是具体的配置文件信息：

 

先看下外网服务器的网卡配置信息：

 

eth0网卡配置：

 eth1网卡配置：

 网关配置：

 下面是nginx配置文件信息：

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    upstream mysvr {
      server 192.168.10.129:8080;
     # server 192.168.10.121:3333 backup;  #?.?
    }

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
            proxy_pass  http://mysvr;  #璇锋?杞..mysvr 瀹.??..?″.?.〃
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }


       error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
}
}

 接着是squid配置文件信息：

acl manager proto cache_object
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.10.1/16        # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# 缓存目录
cache_dir ufs /usr/local/squid/var/spool/squid 100 16 256


# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

 其中要注意的就是记得把服务器的转发功能打开，具体配置修改上网查

1.修改/etc/sysctl.conf文件，让包转发功能在系统启动时自动生效:

# Controls IP packet forwarding

net.ipv4.ip_forward = 1

2.因为我们的数据库和redis都是1网段的，所以当时还遇到个问题，具体参考：

https://www.oschina.net/question/3335049_2240133

3.有正向代理的情况时，在java代码中也要开配置相关的代理请求：

	/**
	 * 代理服务器
	 */
	public static final String PROXY_HOST = "192.168.10.128";
	
	/**
	 * 代理服务器端口 
	 */
	public static final Integer PROXY_PORT = 3128;

static{
		System.setProperty("proxySet", "true");
		
		System.setProperty("http.proxyHost", Application.PROXY_HOST);

		System.setProperty("http.proxyPort", Application.PROXY_PORT+"");
		
		System.setProperty("https.proxyHost", Application.PROXY_HOST);
		
		System.setProperty("https.proxyPort", Application.PROXY_PORT+"");
	}

或者
 // 依次是目标请求地址，端口号,协议类型  
	        HttpHost proxy = new HttpHost(Application.PROXY_HOST, Application.PROXY_PORT);  
			requestConfig = RequestConfig.custom().setProxy(proxy).setSocketTimeout(socketTimeout).setConnectTimeout(connectTimeout).build();

 

外网的服务器配好了，下面就看下内网的服务器配置信息，工程照常发布就行，主要就是服务器的网络配置正确就没有问题了：

 

需要注意的就是测试时可以开启临时的代理：

export http_proxy=http://192.168.10.128:3128

export https_proxy=http://192.168.10.128:3128

 

这样就可以了。今天就写到这里，如果有什么遗漏的地方请评论指出。