nginx正向代理解決統一管理訪問互聯網的出口

事情起因背景

一套Saas系統私有化部署，採用客戶的openshift環境，對應的一些應用需要訪問互聯網，由於客戶屬於銀行那種，對網絡管控比較嚴格，網絡只能開通點點對模式，爲了解決統一開通網絡以及管理網絡，採用了正向代理模式解決讓容器內應用訪問互聯網

大概思路是 容器內部 配置hostnames解析域名，ip指向代理服務器

在代理服務器上統一開通訪問互聯網的端口策略

1、下載nginx

yum install -y wget
wget http://nginx.org/download/nginx-1.21.0.tar.gz

2、安裝nginx需要編譯的工具

yum install gcc gcc-c++ make auotmake autoconf libtool pcre pcre-devel zlib zlib-devel openssl openssl-devel --setopt=protected_multilib=false

3、手動創建用戶和用戶組

$ groupadd nginx
$ useradd nginx -g nginx -s /sbin/nologin -M

4、創建安裝目錄以及解壓壓縮包

mkdir -p /home/nginx
tar -xf nginx-1.21.0.tar.gz -C /home/nginx
cd /home/nginx
mv nginx-1.21.0/ nginx-server
mkdir -p /home/nginx/nginx-server/logs

5、編譯安裝

cd nginx-server

./configure --prefix=/home/nginx/nginx-server --with-http_stub_status_module --with-http_ssl_module --user=nginx --group=nginx --with-stream --with-stream_ssl_preread_module --with-stream_ssl_module

make & make install

6、修改配置文件

user  nginx;
worker_processes 1;

events {
    worker_connections 2048;
}
http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile    on;
    keepalive_timeout  300;
    # 七層代理
    server {

        listen 80;
		# 此處四dns服務器ip
        resolver 10.96.26.28;
        access_log   /home/nginx/nginx-server/logs/http_proxy.log;
        location / {
                proxy_pass $scheme://$http_host$request_uri;

                proxy_set_header Host $host;
                proxy_connect_timeout 60;
       }
    }
    include    /home/nginx/nginx-server/conf.d/*.conf;
}
# 四層代理
stream {
    log_format  basic  '$remote_addr [$time_local] '
                      '$protocol $status $bytes_sent $bytes_received '
                      '$session_time';
    log_format  test  '--$remote_addr [$time_local] '
                      '--$ssl_preread_server_name $server_port --serveraddr:$server_addr --hostname:$hostname'
                      '--$ssl_server_name $ssl_server_name';

    access_log /home/nginx/nginx-server/logs/stream-access.log basic;
    access_log /home/nginx/nginx-server/logs/stream-test.log test;
	# 此處四dns服務器ip
    resolver 10.96.26.28;
    server{
       listen  443;
       ssl_preread on;
       proxy_connect_timeout 60;
       proxy_pass $ssl_preread_server_name:$server_port;
    }
}

7 、創建軟連接

ln -s /home/nginx/nginx-server/sbin/nginx /usr/sbin/

8、測試配置文件

nginx -t

9、啓動nginx

nginx

10、停止nginx

nginx -s stop

11、熱加載配置文件

nginx -s reload

12、配置服務自啓

crontab -e

添加下面兩行內容

# autostart nginx
@reboot /home/nginx/nginx-server/sbin/nginx -t && /home/nginx/nginx-server/sbin/nginx

13、檢查定時任務自啓

crontab -l

14、驗證服務是否啓動

ps -ef |grep nginx