Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

二级代理下的配置文件

服务器架构

  • 用户端

  • 一级代理服务器 两台

    • 公网ip12.12.12.12 域名为www.fastcats.top
    • 公网ip23.23.23.23

  • 二级代理服务器 一台

    • 公网ip34.34.34.34 域名为www.slowanimal.bottom
    • 内网ip192.168.1.5

  • 服务端 三台

    • 内网ip192.168.1.11:8888
    • 内网ip192.168.1.22:8888
    • 内网ip192.168.1.33:8888

一级代理

12.12.12.12机器为例,需要为www.fastcats.top生成证书

map $http_x_forwarded_for $clientRealIp {  
    "" $remote_addr;
    ~^(?P<firstAddr>[0-9\.]+),?.*$$firstAddr;
}

limit_req_zone $clientRealIp zone=limiter_one:20m rate=20r/s;

server {
    listen       80;
    server_name  www.fastcats.top;
    return 301 https://$server_name$request_uri;
}

server{
    listen 443;
    server_name fastcats.top;
    return 301 https://www.fastcats.top$request_uri;
}

server {
    listen 443 ssl http2;
    server_name  www.fastcats.top;
    root         /opt/www;

    ssl on;
    ssl_certificate "/etc/letsencrypt/live/www.fastcats.top/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/www.fastcats.top/privkey.pem";
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $clientRealIp;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Connection "Keep-Alive";
    proxy_read_timeout 90;
    proxy_http_version 1.1;
    
    location / {
        limit_req zone=limiter_one burst=30;

        proxy_pass https://www.slowanimal.bottom;
    }
}
  • 接受用户访问www.fastcats.top的流量
    • 和用户用fastcats的证书进行https加密传输
  • 然后转发给后面的二级代理www.slowanimal.bottom
    • 二级代理用slowanimal的证书进行https加密传输

二级代理

这台机器与服务器,同在一个内网中,负载均衡直接转发

map $http_x_forwarded_for $clientRealIp {  
    "" $remote_addr;
    ~^(?P<firstAddr>[0-9\.]+),?.*$$firstAddr;
}

limit_req_zone $clientRealIp zone=limiter_one:20m rate=20r/s;

upstream backend_hosts {
    hash $clientRealIp;
    
    server 192.168.1.11:8888 weight=1;
    server 192.168.1.22:8888 weight=2;
    server 192.168.1.33:8888 weight=3;
    
    keepalive 1000;
}

server {
    listen 443 ssl http2;
    server_name  www.slowanimal.bottom;
    root         /opt/www;

    ssl on;
    ssl_certificate "/etc/letsencrypt/live/www.slowanimal.bottom/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/www.slowanimal.bottom/privkey.pem";
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    
    set_real_ip_from 23.23.23.23;
    set_real_ip_from 12.12.12.12;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $clientRealIp;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Connection "Keep-Alive";
    proxy_read_timeout 90;
    proxy_http_version 1.1;

    
    location / {
        limit_req zone=limiter_one burst=30;
        
        if ($http_x_forwarded_for ~ "特定ip来源") {
            proxy_pass http://导向特定服务器:8888;
            break;
        }

        proxy_pass http://backend_hosts;
    }
}