代理服务器配置
概述
Squid、Nginx 代理、正向/反向代理配置技能。
Squid 正向代理
安装与管理
# 安装
apt install squid # Debian/Ubuntu
yum install squid # CentOS/RHEL
# 服务管理
systemctl start squid
systemctl enable squid
systemctl reload squid
# 检查配置
squid -k parse
squid -k check
基础配置
# /etc/squid/squid.conf
# 端口配置
http_port 3128
# ACL 定义
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
# 访问控制
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
# 缓存配置
cache_dir ufs /var/spool/squid 100 16 256
maximum_object_size 100 MB
cache_mem 256 MB
# 日志
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
认证配置
# 基础认证
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
# 创建用户
htpasswd -c /etc/squid/passwd user1
htpasswd /etc/squid/passwd user2
透明代理
# Squid 配置
http_port 3128 transparent
# iptables 重定向
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
访问控制
# 时间控制
acl work_hours time MTWHF 09:00-18:00
http_access allow localnet work_hours
# 域名黑名单
acl blocked_sites dstdomain .facebook.com .youtube.com
http_access deny blocked_sites
# URL 正则
acl blocked_urls url_regex -i porn adult gambling
http_access deny blocked_urls
# 带宽限制
delay_pools 1
delay_class 1 2
delay_parameters 1 1000000/1000000 100000/100000
delay_access 1 allow localnet
Nginx 反向代理
基础反向代理
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://backend:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
HTTPS 反向代理
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
location / {
proxy_pass http://backend:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
WebSocket 代理
location /ws {
proxy_pass http://websocket_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_read_timeout 86400;
}
缓存配置
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g inactive=60m;
server {
location / {
proxy_pass http://backend;
proxy_cache my_cache;
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout updating;
add_header X-Cache-Status $upstream_cache_status;
}
}
Nginx 正向代理
HTTP 正向代理
server {
listen 8080;
resolver 8.8.8.8;
location / {
proxy_pass http://$http_host$request_uri;
proxy_set_header Host $http_host;
proxy_buffers 256 4k;
proxy_max_temp_file_size 0;
proxy_connect_timeout 30;
}
}
HTTPS 正向代理(ngx_http_proxy_connect_module)
server {
listen 8080;
resolver 8.8.8.8;
proxy_connect;
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
location / {
proxy_pass http://$host;
proxy_set_header Host $host;
}
}
HAProxy 代理
TCP 代理
frontend tcp_front
bind *:3306
mode tcp
default_backend mysql_back
backend mysql_back
mode tcp
balance roundrobin
server mysql1 192.168.1.10:3306 check
server mysql2 192.168.1.11:3306 check
HTTP 代理
frontend http_front
bind *:80
mode http
default_backend web_back
backend web_back
mode http
balance roundrobin
option httpchk GET /health
server web1 192.168.1.10:8080 check
server web2 192.168.1.11:8080 check
SOCKS 代理
SSH SOCKS 代理
# 创建 SOCKS5 代理
ssh -D 1080 -f -C -q -N user@remote_server
# 后台运行
ssh -D 1080 -fNq user@remote_server
# 指定绑定地址
ssh -D 0.0.0.0:1080 -fNq user@remote_server
Dante SOCKS 服务器
# 安装
apt install dante-server
# /etc/danted.conf
logoutput: syslog
internal: eth0 port = 1080
external: eth0
socksmethod: username
user.privileged: root
user.unprivileged: nobody
client pass {
from: 192.168.0.0/16 to: 0.0.0.0/0
log: connect disconnect error
}
socks pass {
from: 192.168.0.0/16 to: 0.0.0.0/0
log: connect disconnect error
}
常见场景
场景 1:企业上网代理
# Squid 配置
http_port 3128
acl company_network src 10.0.0.0/8
acl blocked dstdomain "/etc/squid/blocked_sites.txt"
acl work_hours time MTWHF 09:00-18:00
http_access deny blocked
http_access allow company_network work_hours
http_access deny all
# 日志分析
cat /var/log/squid/access.log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
场景 2:API 网关
upstream api_v1 {
server 192.168.1.10:8080;
server 192.168.1.11:8080;
}
upstream api_v2 {
server 192.168.1.20:8080;
server 192.168.1.21:8080;
}
server {
listen 80;
location /api/v1 {
proxy_pass http://api_v1;
proxy_set_header X-API-Version "v1";
}
location /api/v2 {
proxy_pass http://api_v2;
proxy_set_header X-API-Version "v2";
}
}
场景 3:跨域代理
server {
listen 80;
location /api/ {
proxy_pass http://api.external.com/;
# CORS 头
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
if ($request_method = OPTIONS) {
return 204;
}
}
}
场景 4:代理链
# 使用 proxychains
# /etc/proxychains.conf
strict_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 1080
http 192.168.1.100 8080
# 使用
proxychains curl http://example.com
故障排查
| 问题 | 排查方法 |
|---|---|
| 连接超时 | 检查后端服务、超时配置 |
| 502 错误 | 检查后端健康、代理配置 |
| 缓存不生效 | 检查缓存头、缓存配置 |
| 认证失败 | 检查认证配置、用户密码 |
# Squid 调试
squid -k parse
tail -f /var/log/squid/access.log
tail -f /var/log/squid/cache.log
# Nginx 调试
nginx -t
tail -f /var/log/nginx/error.log
# 测试代理
curl -x http://proxy:3128 http://example.com
curl -x socks5://127.0.0.1:1080 http://example.com
# 查看代理连接
ss -tnp | grep squid
netstat -tnp | grep nginx