nginx proxy_pass over https_proxy

标签 nginx http-proxy proxypass

我正在尝试使用此配置设置 nginx。要访问 backend.mygreat.server.com,我必须通过我的公司代理,即 myproxy.server.com:80。

因此,我在/etc/environment 中添加了它

https_proxy=myproxy.server.com:80

然而,nginx无法访问https://backend.mygreat.server.com:443 .我在 nginx 日志中看到 504 作为 HTTP 状态。

我可以使用 wget 或 curl 加载页面(通过公司代理)
  server {
        listen  443;
        server_name  mygreat.server.com;
        ssl  on;
        ssl_protocols  TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!SEED:!DSS:!CAMELLIA;

        ssl_certificate /etc/nginx/ssl/mygreat.server.com.pem;
        ssl_certificate_key /etc/nginx/ssl/mygreat.server.com.key;

        access_log  /var/log/nginx/access.ssl.log;

        location / {
          proxy_set_header X-Real-IP  $remote_addr;
          proxy_set_header Host-Real-IP  $http_host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Real-Pcol http;

          proxy_intercept_errors on;
          error_page 301 302 307 = @handle_redirects;      

          proxy_pass https://backend.mygreat.server.com:443;
        }

        location @handle_redirects {
            set $saved_redirect_location '$upstream_http_location';
            proxy_pass $saved_redirect_location;
        }    
    }

任何帮助是极大的赞赏。

谢谢

更新:

这是来自 nginx 的示例错误日志
2017/10/18 06:55:51 [warn] 34604#34604: *1 upstream server temporarily disabled while connecting to upstream, client: <ip-address>, server: mygreat.server.com, request: "GET / HTTP/1.1", upstream: "https://<ip-of-backend>:443/", host: "mygreat.server.com"

如果我运行 curl -v https://backend.mygreat.server.com/以下是回复
* About to connect() to proxy corp-proxy.server.com port 80 (#0)
*   Trying <some-ip-address>...
* Connected to corp-proxy.server.com (<ip-of-proxy>) port 80 (#0)
* Establish HTTP proxy tunnel to backend.mygreat.server.com:443
> CONNECT backend.mygreat.server.com:443 HTTP/1.1
> Host: backend.mygreat.server.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=backend.mygreat.server.com,OU=Technology Operations,O=MyCompany.,L=San Diego,ST=California,C=US
*   start date: Mar 15 00:00:00 2017 GMT
*   expire date: Mar 15 23:59:59 2020 GMT
*   common name: backend.mygreat.server.com
*   issuer: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: backend.mygreat.server.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: openresty/1.11.2.5
< Date: Wed, 18 Oct 2017 14:03:10 GMT
< Content-Type: text/html;charset=UTF-8
< Content-Length: 5642
< Connection: keep-alive
< X-XSS-Protection: 1; mode=block
< Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
< Expires: 0
< P3P: policyref="http://backend.mygreat.server.com/w3c/p3p.xml" CP="CURa OUR STP UNI INT"
< Content-Language: en
< Set-Cookie: qboeuid=127.0.0.1.1508335390550307; path=/; expires=Thu, 18-Oct-18 14:03:10 GMT; domain=.server.com
< Set-Cookie: JSESSIONID=784529AA39C10C3DB4B0ED0D61CC8F31.c23-pe2ec23uw2apu012031; Path=/; Secure; HttpOnly
< Set-Cookie: something.blah_blah=testme; Domain=.server.com; Path=/; Secure
< Vary: Accept-Encoding
<
<!DOCTYPE html>
<html>
....
</html>

最佳答案

所以首先我不确定 Nginx 是否应该尊重 http_proxyhttps_proxy变量。我没有找到任何相同的文档。所以我认为您的问题与 nginx 根本不使用代理有关

所以现在你可以选择使用实际使用代理的东西。这就是socat来救援。

运行 socat 转发器

如果您有透明代理,则运行

socat TCP4-LISTEN:8443,reuseaddr,fork TCP:<proxysever>:<proxyport>

如果您有 CONNECT 代理,请在下面使用
socat TCP4-LISTEN:8443,reuseaddr,fork PROXY:yourproxy:backendserver:443,proxyport=<yourproxyport>

然后在你的 nginx 配置中使用
    location / {
      proxy_set_header X-Real-IP  $remote_addr;
      proxy_set_header Host-Real-IP  $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Real-Pcol http;

      proxy_intercept_errors on;
      proxy_set_header Host backend.mygreat.server.com;
      proxy_pass https://127.0.0.1:8443;
      proxy_redirect https://backend.mygreat.server.com https://mygreat.server.com;
    }

您可能想使用 Systemd 服务来启动 socat,因此它在启动时运行并作为服务处理

关于nginx proxy_pass over https_proxy,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46803431/

上一篇:neural-network - tensorflow 中 LSTM 的正则化

下一篇:maven - 添加 xuggler 依赖项会出错

相关文章:

python - 创建一个可以在将 http 响应发送到客户端之前修改它的 http 代理

php - 默认 SSL 和 ProxyPass 使用它自己的 SSL 重定向到另一个域(在另一台计算机上)

使用带插值的可变 URL 的 Apache proxypass

Apache2 代理传递包括 URL 上的所有参数

docker - 在 AWS ECS 中使用卷参数运行 docker 容器作为任务定义或服务

django - 使用 supervisord 运行 nginx/postgres - 需要吗?

nginx - 502 Bad Gateway - NGINX 没有定义解析器来解析

command-line - 找不到 NGINX brew install 命令

node.js - express-http-proxy代理来响应js应用,但没有任何内容

http-proxy - AWS api网关-HTTP代理应从来源获取状态代码

©2024 IT工具网  联系我们