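Proxying HTTPS requests with an Nginx forward/reverse proxy: reaching proxied HTTPS endpoints over HTTP, and serving proxy requests over HTTPS [tested successfully]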

Posted by 艺帆风顺 on 2025-04-03


I. Background and requirements

Nginx needs to proxy HTTPS requests. By default, proxying an HTTPS request directly fails with a 400 error, for both forward and reverse proxying, so nginx has to be recompiled and reconfigured.

There are four endpoint addresses:

    http://vop.baidu.com/server_api
    http://tsn.baidu.com/text2audio
    https://aip.baidubce.com/oauth/2.0/token
    https://aip.baidubce.com/rpc/2.0/feedback/v1/report

The original reverse proxy configuration is as follows:

    server {
        listen 99;
        server_name localhost;

        location /sa {
            proxy_pass http://vop.baidu.com/server_api;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        location /ta {
            proxy_pass http://tsn.baidu.com/text2audio;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        location /tk {
            proxy_pass https://aip.baidubce.com/oauth/2.0/token;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        location /rp {
            proxy_pass https://aip.baidubce.com/rpc/2.0/feedback/v1/report;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }

II. Installing the ngx_http_proxy_connect_module module

1. Download, extract and apply the patch

    wget http://nginx.org/download/nginx-1.18.0.tar.gz
    tar -xzvf nginx-1.18.0.tar.gz
    cd nginx-1.18.0
    # the module source is expected under /root/nginx-1.18.0/ngx_http_proxy_connect_module-master
    patch -p1 < /root/nginx-1.18.0/ngx_http_proxy_connect_module-master/patch/proxy_connect_rewrite_1018.patch

2. Recompile and replace the installed binary

    ./configure --prefix=/usr/local/Yinling/nginx \
        --with-http_stub_status_module \
        --with-http_ssl_module \
        --with-http_realip_module \
        --with-http_sub_module \
        --with-http_flv_module \
        --with-http_mp4_module \
        --with-http_random_index_module \
        --with-http_gzip_static_module \
        --add-module=/usr/local/nginx-upstream-fair-master \
        --add-module=/root/nginx-1.18.0/ngx_http_proxy_connect_module-master
    # build only; the new binary is written to objs/nginx
    make
    cd objs
    cp nginx /usr/local/nginx/sbin

The option that adds the module:

    --add-module=/root/nginx-1.18.0/ngx_http_proxy_connect_module-master

3. Check the version information

    [root@DB-Master objs]# ./nginx -V
    nginx version: nginx/1.18.0
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
    built with OpenSSL 1.0.2k-fips 26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/Yinling/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_random_index_module --with-http_gzip_static_module --add-module=/usr/local/nginx-upstream-fair-master --add-module=/root/nginx-1.18.0/ngx_http_proxy_connect_module-master

III. Forward proxy configuration

    server {
        resolver 114.114.114.114;
        resolver_timeout 30s;
        listen 8888;

        # accept CONNECT requests and tunnel them to ports 443 and 80
        proxy_connect;
        proxy_connect_allow 443 80;
        proxy_connect_connect_timeout 20s;
        proxy_connect_read_timeout 20s;
        proxy_connect_send_timeout 20s;

        location /sa {
            proxy_pass http://vop.baidu.com/server_api;
        }

        location /ta {
            proxy_pass http://tsn.baidu.com/text2audio;
        }

        location /tk {
            proxy_pass https://aip.baidubce.com/oauth/2.0/token;
        }

        location /rp {
            proxy_pass https://aip.baidubce.com/rpc/2.0/feedback/v1/report;
        }
    }

The address that could not be reached before, http://192.168.1.137:8888/tk, is now accessible.

Test results:

Through the forward proxy, all four endpoint addresses above are accessible.

Data from the proxied HTTPS endpoints can be reached over HTTP.
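An access-restricted variant of the forward proxy above, added here as an example and not part of the original post: as written, the listener on port 8888 tunnels CONNECT requests to ports 80 and 443 of any host for every client that can reach it. The 192.168.1.0/24 client range and the log file name are assumptions, and enforcement of `allow`/`deny` on CONNECT requests should be confirmed on your build with a request from an address outside the range.

```nginx
# Added example: forward proxy limited to known clients and to TLS tunnels.
server {
    # bind to the internal address used in the post, not every interface
    listen 192.168.1.137:8888;

    resolver 114.114.114.114;
    resolver_timeout 30s;

    # assumed client range; all other source addresses are refused
    allow 192.168.1.0/24;
    deny all;

    proxy_connect;
    # tunnel to port 443 only; port 80 from the post's list is dropped
    proxy_connect_allow 443;
    proxy_connect_connect_timeout 20s;
    proxy_connect_read_timeout 20s;
    proxy_connect_send_timeout 20s;

    # record who tunnels where; for a CONNECT request, $request in the
    # predefined "combined" format holds "CONNECT host:port HTTP/1.1"
    access_log logs/forward_proxy.log combined;

    # the /sa, /ta, /tk and /rp locations from the post follow here unchanged
}
```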

IV. Reverse proxy configuration

Reverse proxy configuration example:

    server {
        listen 99;
        server_name localhost;

        location /sa {
            proxy_pass http://vop.baidu.com/server_api;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        location /ta {
            proxy_pass http://tsn.baidu.com/text2audio;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        location /tk {
            proxy_pass https://aip.baidubce.com/oauth/2.0/token;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        location /rp {
            proxy_pass https://aip.baidubce.com/rpc/2.0/feedback/v1/report;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }
    }

Test results:

With the reverse proxy, the address https://aip.baidubce.com/oauth/2.0/token cannot be accessed; the other addresses work normally.

A reverse proxy can also provide HTTP access to data from the proxied HTTPS endpoints.
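The /tk location with the upstream's own host name and a verified TLS connection, as an added example that is not part of the original post: `Host $host` forwards the name the client used for the proxy (localhost or its IP address) to aip.baidubce.com, which a name-based upstream can reject, and by default nginx neither sends SNI to the upstream nor verifies its certificate. The CA bundle path is an assumption for a Red Hat style system.

```nginx
# Added example: reverse proxy for the token endpoint only.
server {
    listen 99;
    server_name localhost;

    location /tk {
        proxy_pass https://aip.baidubce.com/oauth/2.0/token;

        # As in the post: forwards the proxy's own name to the upstream.
        # proxy_set_header Host $host;

        # Send the name the upstream actually serves.
        proxy_set_header Host aip.baidubce.com;
        proxy_set_header X-Real-IP $remote_addr;

        # Present the upstream name in the TLS handshake (SNI is off by default).
        proxy_ssl_server_name on;
        proxy_ssl_name aip.baidubce.com;

        # Verify the upstream certificate (off by default), so the token
        # request is not handed to whoever answers for that name.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # Assumed CA bundle location (RHEL/CentOS); adjust for your system.
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
    }
}
```

The hop from the client to port 99 is still plain HTTP, so the token request and response cross that segment unencrypted.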

V. HTTPS mode: proxying HTTP/HTTPS requests

1. Reverse proxying HTTP/HTTPS requests

    server {
        listen 443 ssl;
        ssl_certificate /data/nginx/ssl/zhdj.crt;
        ssl_certificate_key /data/nginx/ssl/zhdj.key;

        location / {
            # proxy_pass with a variable resolves the upstream name at request
            # time, which needs a resolver directive in scope
            set $backend_url "https://aip.baidubce.com/rpc/2.0/feedback/v1/report";
            proxy_pass $backend_url;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

Tested: access works normally.

2. Forward proxying HTTP/HTTPS requests

Example configuration file:

    server {
        resolver 114.114.114.114;
        resolver_timeout 30s;
        listen 443 ssl;
        ssl_certificate /data/nginx/ssl/zhdj.crt;
        ssl_certificate_key /data/nginx/ssl/zhdj.key;

        proxy_connect;
        proxy_connect_allow 443 80;
        proxy_connect_connect_timeout 20s;
        proxy_connect_read_timeout 20s;
        proxy_connect_send_timeout 20s;

        location /sa {
            proxy_pass http://vop.baidu.com/server_api;
        }

        location /ta {
            proxy_pass http://tsn.baidu.com/text2audio;
        }

        location /tk {
            proxy_pass https://aip.baidubce.com/oauth/2.0/token;
        }

        location /rp {
            proxy_pass https://aip.baidubce.com/rpc/2.0/feedback/v1/report;
        }
    }

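VI. Summary

In nginx, proxying HTTPS requests usually requires the ngx_http_proxy_connect_module module. The module is not installed by default, so nginx has to be recompiled, and the module is tied to the nginx version; a mismatch produces errors.

Of forward and reverse proxying, forward proxying usually causes no problems, while with reverse proxying the target site may return a 400 error.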