Youtube视频


相关链接

Nginx-Stream

Nginx编译安装

Caddy编译安装

查看nginx版本信息

# Print the nginx version together with its configure arguments (the compiled-in modules)
nginx -V

# Make sure the stream module is included; look for these configure flags in the output.
# ssl_preread (used in the stream server below) needs --with-stream_ssl_preread_module.
# --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module

如果stream是动态编译,需要先加载模块

# Add this to nginx.conf when the stream module was built as a dynamic module (see the
# nginx -V output). It goes in the main context, above events{}; fill in the path that
# matches your installation and prefer an absolute path to avoid load errors.
load_module modules/ngx_stream_module.so;

stream配置

基础配置

nginx.conf配置文件增加以下配置,注意stream是独立于http模块的单独配置
stream {
    # One log line per proxied TCP/UDP session: client address, time, protocol,
    # status, bytes in each direction, session length, the upstream that was
    # chosen and its byte counts / connect time.
    log_format proxy '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /var/log/nginx/stream.log proxy;
    # Only files ending in .stream are pulled into the stream context; the
    # http2https.conf below is an http{} server and must not be included here.
    include /etc/nginx/conf.d/*.stream;
}
在/etc/nginx/conf.d/目录增加http2https.conf配置文件,用于将80端口的请求重定向到443。注意这个.conf文件属于http{}上下文,与上面stream{}里include的*.stream文件不同
# http{} context (a conf.d/*.conf file, not a *.stream file): plain-HTTP listener
# on port 80 that answers every request with a permanent redirect to the same
# host and path over HTTPS. $host comes from the client's Host header, so the
# redirect target is whatever name the client asked for.
server {
    listen 80;
    return 301 https://$host$request_uri;
}

分流配置

在/etc/nginx/conf.d/目录,增加default.stream配置文件

带注释

# Map table: $ssl_preread_server_name is the SNI from the TLS ClientHello, i.e. the
# domain the client asks a certificate for. It is mapped to a custom $sni_name that
# selects one of the upstreams below.
# - hk.trip.com or trip.com -> "reality" (reality is used for the demo; this SNI is
#   the target site configured in reality)
# - naive.latata.me -> "naive"
# - blog.latata.me and anything else -> "blog" (the default also catches an empty
#   name, i.e. clients that send no SNI or non-TLS traffic)
# SNI is chosen by the client and is not authenticated, so this table is routing
# only, not an access control: any client can present any of these names.
map $ssl_preread_server_name $sni_name {
    hk.trip.com        reality;
    trip.com           reality;
    naive.latata.me    naive;
    blog.latata.me     blog;
    default            blog;
}

# Upstream for reality: the port the local xray reality inbound listens on.
# Keep this port reachable only from loopback (bind or firewall): the stream server
# sends a PROXY protocol header, and a backend that trusts that header would accept
# a forged client address from anyone who can connect to it directly.
upstream reality {
    server 127.0.0.1:8443;
}

# Upstream for naive: the port the local NaiveProxy service (i.e. caddy) listens on.
# Only the stream proxy on loopback should be able to reach it, since the PROXY
# header it sends is trusted by the backend.
upstream naive {
    server 127.0.0.1:7443;
}

# Upstream for the blog or any other site of your own: the port your current web
# server listens on (the video runs a WordPress instance as the demo). As with the
# other backends, do not expose this port beyond loopback.
upstream blog {
    server 127.0.0.1:1443;
}

server {
    # Shared TLS entry point on 443 (reuseport: a listening socket per worker)
    listen          443 reuseport;
    # Route to the upstream selected by the SNI map above
    proxy_pass      $sni_name;
    # Read the TLS ClientHello to extract the SNI without terminating TLS; the
    # handshake itself is passed through to the chosen backend untouched, so
    # nothing inside the TLS session is visible or filterable here.
    ssl_preread     on;
    # Prepend a PROXY protocol header on the upstream connection so the backend
    # learns the real client address. Every backend (xray, caddy, the blog server)
    # must be configured to accept it; otherwise its TLS handshake fails because
    # the header arrives in front of the ClientHello.
    proxy_protocol  on;
}

# UDP on 443 forwarded to 127.0.0.1:443
# NOTE(review): "listen 443 udp" binds every address, including 127.0.0.1, so this
# looks like it relays datagrams back to this same listener rather than to a UDP
# backend. Unless another service really owns 127.0.0.1:443/udp, point proxy_pass
# at that backend's port or drop this server — confirm what is meant to receive it.
server {
    listen 443 udp;
    proxy_pass 127.0.0.1:443;
}

无注释

# Copy-and-paste version of the annotated default.stream above (same content).
map $ssl_preread_server_name $sni_name {
    hk.trip.com        reality;
    trip.com           reality;
    naive.latata.me    naive;
    blog.latata.me     blog;
    default            blog;
}

upstream reality {
    server 127.0.0.1:8443;
}

upstream naive {
    server 127.0.0.1:7443;
}

upstream blog {
    server 127.0.0.1:1443;
}

server {
    listen          443 reuseport;
    proxy_pass      $sni_name;
    ssl_preread     on;
    proxy_protocol  on;
}

# NOTE(review): "listen 443 udp" binds 127.0.0.1 too, so proxy_pass 127.0.0.1:443
# appears to point back at this listener — confirm the intended UDP backend.
server {
    listen 443 udp;
    proxy_pass 127.0.0.1:443;
}

WordPress配置

只提供参考
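server {
    # proxy_protocol is required: the stream server prepends a PROXY header to
    # every connection. Bind to loopback so that only the stream proxy (upstream
    # "blog" -> 127.0.0.1:1443) can reach this listener; a host that could connect
    # directly would otherwise be able to forge the client address in that header.
    # (On nginx 1.25.1+ a separate "http2 on;" is preferred over the listen flag.)
    listen       127.0.0.1:1443  proxy_protocol ssl http2;
    server_name 你的域名;
    access_log  /var/log/nginx/blog.log;

    # Take the client address from the PROXY header (ngx_http_realip_module), so
    # that $remote_addr in the access log and in the X-Real-IP / X-Forwarded-For
    # headers below is the real client instead of 127.0.0.1 (the stream proxy).
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;

    client_max_body_size 50M;
    client_body_buffer_size 30M;
    ssl_certificate 你的域名证书文件;
    ssl_certificate_key 你的域名证书秘钥文件;
    # Spelling fixed (was "TlSv1.2 TlSv1.3")
    ssl_protocols TLSv1.2 TLSv1.3;
    # NOTE(review): the TLS13-* names are not what current OpenSSL calls its TLS 1.3
    # suites (TLS_AES_256_GCM_SHA384 etc.), so they are probably ignored and only the
    # TLS 1.2 part of this list takes effect — confirm with `openssl ciphers`.
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:AES256+EECDH:AES256+EDH:!aNULL;
    # OCSP stapling; verification needs the issuer chain (ssl_trusted_certificate),
    # otherwise nginx may log a warning and not staple — check the error log.
    ssl_stapling   on;
    ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 30m;
    # HSTS for one year (no includeSubDomains / preload)
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_redirect   off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto https;
        # Change to the address and port of your actual web service
        proxy_pass http://127.0.0.1:8000/;
    }

}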

NaiveProxy(Caddy)

编译安装带有proxy-protocol模块的caddy

请将xcaddy添加到PATH,或者在xcaddy二进制文件目录下执行。小白请参考相关链接看之前的文章或视频
# Build caddy with two plugins: the forwardproxy module replaced by klzgrad's "naive"
# fork (the NaiveProxy server side) and the caddy2-proxyprotocol listener wrapper,
# which parses the PROXY header that the nginx stream server sends.
xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive --with github.com/mastercactapus/caddy2-proxyprotocol

配置文件参考

只提供参考
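{
    # Caddy's own HTTP and HTTPS ports. 7443 is what the nginx stream upstream
    # "naive" connects to; 780 is only used for plain HTTP (ACME HTTP challenge,
    # redirects) and is not reached through the stream proxy.
    http_port 780
    https_port 7443
    # Run the forward_proxy handler before reverse_proxy so proxy requests are
    # handled first and everything else falls through to the site below.
    order forward_proxy before reverse_proxy
    servers {
        # log_credentials writes Authorization/Cookie values into the access log,
        # i.e. the forward_proxy basic_auth password; keep it off unless debugging.
        # log_credentials
        listener_wrappers {
            # Parse the PROXY protocol header that the nginx stream server sends.
            # Trust it from loopback only: with 0.0.0.0/0 anyone who can reach
            # :7443 directly could forge the client address in that header.
            proxy_protocol {
                timeout 5s
                allow 127.0.0.1/32
            }
            # tls must come after proxy_protocol so the header is consumed
            # before the TLS handshake starts.
            tls
        }
    }
}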
# Site served on 7443 for blog.example.com. The tls argument is the ACME account
# contact; the certificate is obtained automatically. Presumably requests with
# valid proxy credentials are handled by forward_proxy and everything else is
# reverse-proxied to the real blog, so the host looks like an ordinary website.
:7443, blog.example.com {
    tls 10086@qq.com
    # "LOG" is a snippet that must be defined elsewhere in the Caddyfile (not shown here)
    import LOG
    forward_proxy {
        # Sample credentials for this reference config; use a long random password
        basic_auth test test
        # Do not reveal the client's address or the proxy in forwarded headers;
        # probe_resistance makes unauthenticated clients see the normal site.
        hide_ip
        hide_via
        probe_resistance
    }
    reverse_proxy https://blog.example.com {
        header_up Host {upstream_hostport}
    }
}

Xray配置

需要增加以下配置:inbounds[0].streamSettings.tcpSettings.acceptProxyProtocol=true,或者inbounds[0].streamSettings.sockopt.acceptProxyProtocol=true,以支持proxy_protocol

如果你使用的是tcp,只需增加tcpSettings.acceptProxyProtocol即可;如果你使用的是h2,则需要增加sockopt.acceptProxyProtocol。

{
  "inbounds": [
    {
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "tcpSettings": {
          "acceptProxyProtocol": true
        },
        "sockopt": {
          "acceptProxyProtocol": true
        }
      }
    }
  ]
}