preface

  • Two machines: 192.168.1.121 and 192.168.1.122
  • Keepalived (VIP 192.168.12.19)
  • Goal:
    • Gateway, Nginx and Keepalived are installed on both hosts
    • 192.168.12.19:8280 is the reverse proxy path from Nginx to the gateway
    • 192.168.12.19:8290 is the Nginx forward proxy exposed to clients

involving

  • dnsmasq
  • keepalived
  • nginx

The basic concept

Forward proxy: if a client on a LAN cannot reach the Internet directly, it goes through a proxy server; that proxy service is called a forward proxy. Nginx on its own only supports HTTP forward proxying; with the ngx_http_proxy_connect_module it supports both HTTP and HTTPS forward proxying.

Reverse proxy: if the LAN provides resources to the Internet and lets clients on the Internet reach intranet resources through a proxy server, that service is called a reverse proxy. Nginx implements reverse proxying through the proxy module.

Forward proxy configuration

Nginx can terminate SSL as a web server, but not as a forward proxy. Stock Nginx does not implement the CONNECT method, so when it receives “CONNECT /:443 HTTP/1.1” it logs “Client sent invalid request while reading client request line”. CONNECT is the method a forward proxy uses to tunnel HTTPS, which is exactly what Nginx lacks.

How do we make the Nginx forward proxy support both HTTP and HTTPS proxy access?

ngx_http_proxy_connect_module needs to be built into Nginx:

```shell
# 1. the nginx source tree lives in /usr/soft/nginx
cd /usr/soft/nginx
# 2. configure nginx with the module path
./configure --add-module=/path/to/ngx_http_proxy_connect_module
# 3. apply the patch that matches the nginx version being built
#    (pick the proxy_connect*.patch file for your version from the module's patch/ directory)
patch -p1 < /path/to/ngx_http_proxy_connect_module/patch/proxy_connect<version>.patch
# 4. build and install
make && make install
```
Configuring the forward proxy:

```nginx
server {
    listen 3128;

    # dns resolver used by forward proxying
    # a resolver is mandatory: proxied targets arrive as domain names
    # that nginx has to resolve itself
    resolver 8.8.8.8;

    # forward proxy for CONNECT request
    proxy_connect;
    # ports a CONNECT request may tunnel to (443 and 563 here; "all" allows any port)
    proxy_connect_allow            443 563;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;

    # forward proxy for non-CONNECT request
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
```

Since the LAN cannot reach external DNS servers, we have to run our own internal DNS server (dnsmasq here) and point the resolver directive at it.

If requests return 504 after the above is configured, Nginx may be attempting IPv6 (AAAA) resolution. Disable it on the resolver directive, for example: resolver <local DNS server IP> ipv6=off;
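Putting the pieces together for the goal stated in the preface, here is an added example configuration for one of the two hosts (not from the original post): the forward proxy on 192.168.12.19:8290 and the reverse proxy to the gateway on 192.168.12.19:8280. The dnsmasq address 127.0.0.1 (assumed to run on each host), the gateway instances on 192.168.1.121:8080 and 192.168.1.122:8080 and the LAN range 192.168.0.0/16 are assumptions; adjust them to your environment. Compared with the block above it restricts who may use the forward proxy, since a CONNECT proxy reachable by anyone is an open proxy.

```nginx
# Forward proxy (HTTP, and HTTPS via CONNECT) on the keepalived VIP.
# Both hosts carry this file; only the MASTER holds the VIP at any time.
# Binding a VIP that is not currently local needs net.ipv4.ip_nonlocal_bind=1
# on the BACKUP host, otherwise nginx fails to start there.
server {
    listen 192.168.12.19:8290;

    # assumed: dnsmasq listens on 127.0.0.1:53 on each host; ipv6=off stops
    # the AAAA lookups that produce 504s when there is no IPv6 path
    resolver         127.0.0.1 ipv6=off;
    resolver_timeout 5s;

    # only LAN clients (assumed 192.168.0.0/16) may use the forward proxy;
    # without this the listener is an open proxy
    allow 192.168.0.0/16;
    deny  all;

    proxy_connect;
    # CONNECT tunnels only to HTTPS; add 563 only if NNTPS is really needed
    proxy_connect_allow            443;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout     10s;
    proxy_connect_send_timeout     10s;

    # plain HTTP forward proxying
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}

# Reverse proxy in front of the gateway on the same VIP.
upstream gateway {
    # assumed gateway instances on the two hosts
    server 192.168.1.121:8080;
    server 192.168.1.122:8080;
}

server {
    listen 192.168.12.19:8280;

    location / {
        proxy_pass http://gateway;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` on both hosts before reloading, then from a LAN client confirm HTTPS tunnelling works through the VIP with `curl -x http://192.168.12.19:8290 https://<an internal host>`; a client outside 192.168.0.0/16 should receive 403 from the forward proxy listener.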

reference

Github.com/chobits/ngx…