前言:
一次偶发的运营商故障,导致部分区域访问BGP站点不可达,为了避免问题再次发生,准备了一套正向代理环境, 当出现类似问题时,可以通过修改DNS实现流量转移。
其核心原理为代理转发,缺点是正向代理后端接收的源IP为正向代理的IP,对WAF、日志统计等产生干扰,所以不建议长时间使用。
由于是单站点的正向解析,且站点拥有站点的证书文件,可以将HTTP及HTTPS搭建起来。
刚开始实现正向代理时,没有考虑互联网上大量的爬虫,导致服务器被用作在线代理,为了避免爬虫利用正向代理,在DNS解析中,关闭递归解析,实现指定的域名才能解析的效果。
allow-recursion { none; };
工作原理:
1. 客户机通过域名解析,访问正向代理
2. 正向代理接收请求后, 根据请求头部的Host 信息,寻找配置中的DNS私服进行DNS解析IP地址,本文使用IP为 127.0.0.1 的DNS服务器
3. 正向代理向后端代理请求,并在头部带上客户机的头部信息及定制信息
4. 正向代理接收数据后,将数据返回给客户端
实现方式:
nginx + bind 实现。
使用组件如下:
nginx version: nginx/1.8.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC) built with OpenSSL 1.0.2h 3 May 2016TLS SNI support enabledconfigure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx-1.8.1 --with-http_ssl_module --with-openssl=/usr/local/src/openssl-1.0.2h --with-pcre=/usr/local/src/pcre-8.35 --add-module=/usr/local/src/ngx_devel_kit-master/ --add-module=/usr/local/src/lua-nginx-module-master/ --add-module=/usr/local/src/nginx-http-concat-master/ --add-module=/usr/local/src/nginx_upstream_check_module-master/ --add-module=/usr/local/src/nginx_tcp_proxy_module-master/ --with-http_sub_module注:为了统一版本,部分插件未在本文使用
BIND 9.11.0-P5 <id:ad4fb79>
running on Linux x86_64 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014built by make with '--prefix=/usr/local/bind' '--enable-threads' '--enable-largefile' '--disable-ipv6'compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-17)compiled with OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013linked to OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013compiled with zlib version: 1.2.3linked to zlib version: 1.2.3threads support is enabled
nginx 的配置信息:
user nobody nobody;worker_processes 2;events { worker_connections 65535;}http { server_tokens off ; include mime.types; include ./blockip.conf; default_type application/octet-stream; client_body_temp_path /usr/local/nginx/tmpdir/client_body_temp 1 2; proxy_temp_path /usr/local/nginx/tmpdir/proxy_temp 1 2; fastcgi_temp_path /usr/local/nginx/tmpdir/fastcgi_temp 1 2; uwsgi_temp_path /usr/local/nginx/tmpdir/uwsgi_temp 1 2; scgi_temp_path /usr/local/nginx/tmpdir/scgi_temp 1 2; # gzip gzip on; gzip_http_version 1.1; gzip_vary on; gzip_proxied any; gzip_min_length 1024; gzip_comp_level 6; gzip_buffers 16 8k; gzip_proxied expired no-cache no-store private auth no_last_modified no_etag; gzip_types text/plain application/x-javascript text/css application/xml application/json; gzip_disable "MSIE [1-6]\.(?!.*SV1)"; reset_timedout_connection on; keepalive_timeout 10 5; keepalive_requests 100; ignore_invalid_headers off; server_names_hash_max_size 256; server_names_hash_bucket_size 6400; client_header_buffer_size 8k; #large_client_header_buffers 4 32k; connection_pool_size 256; request_pool_size 64k; output_buffers 2 128k; postpone_output 1460; client_header_timeout 1m; client_body_timeout 3m; send_timeout 3m; proxy_intercept_errors on; fastcgi_intercept_errors on; # log log_format main '$remote_addr - $remote_user [$time_iso8601] "$host" "$upstream_addr" "$request" ' '$status $request_time $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" "$http_cookie"'; access_log /home/logs/nginx/access.log main; #log_format compression '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log /home/logs/nginx/awstate.log compression; error_log /home/logs/nginx/error.log notice; log_not_found on; sendfile on; tcp_nodelay on; tcp_nopush off; error_page 500 502 503 504 /errorPage/50x.html; error_page 404 /errorPage/404.html; # proxy configuration proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404; #proxy_redirect off; client_max_body_size 20m; client_body_buffer_size 1024k; proxy_connect_timeout 360; proxy_send_timeout 360; proxy_read_timeout 260; proxy_buffer_size 128k; proxy_buffers 4 64k; proxy_busy_buffers_size 128k; proxy_temp_file_write_size 128k; proxy_headers_hash_max_size 51200;server { listen 80; location / { resolver 127.0.0.1; resolver_timeout 30s; proxy_pass http://$host$request_uri; }}server { listen 443; ssl on ; ssl_session_cache shared:SSL:50m; ssl_session_timeout 5m; ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_certificate /usr/local/nginx/conf/ssl/123321.crt; ssl_certificate_key /usr/local/nginx/conf/ssl/123321.com.key; ssl_trusted_certificate /usr/local/nginx/conf/ssl/gd_bundle-g2-g1.crt; ssl_stapling on; ssl_stapling_verify on; location / { resolver 127.0.0.1; resolver_timeout 30s; proxy_pass https://$host$request_uri; }}}
Bind的配置信息:
key "rndc-key" { algorithm hmac-md5; secret "**********";};controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };};options { listen-on port 53 { any; };// listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; dnssec-enable no; dnssec-validation no; dnssec-lookaside auto; #forward only; #forwarders { 114.114.114.114; }; forwarders { 0.0.0.0; }; allow-recursion { none; }; /* Path to ISC DLV key */ //bindkeys-file "/etc/named.iscdlv.key"; //managed-keys-directory "/var/named/dynamic";};acl general { 0.0.0.0/0; };acl localNetWork { 127.0.0.1;47.89.48.10/32; };view qipeipu.com { #match-clients { localNetWork; }; #allow-query { localNetWork; }; zone "qipeipu.com" IN { type master; file "qipeipu.com.zone.local"; #notify yes; #also-notify { 192.168.0.254; }; #allow-transfer { 192.168.0.254; }; forwarders {}; }; #include "/etc/named.rfc1912.zones"; # include "/etc/named.root.key";}; $TTL 86400@ IN SOA localhost. @ ( 1 ;serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum@ IN NS localhost.www IN A 121.201.16.120