nginx - 反向代理背后的客户端,如 nginx
问题描述
因为我的 tcpclient 在 nginx 后面。我的想法是拥有后端 tcpclient,对外部服务器进行身份验证。
最后,我有这个配置:
#secured TCP part
stream {
log_format main '$remote_addr - - [$time_local] protocol $status $bytes_sent $bytes_received $session_time "$upstream_addr"';
server {
listen 127.0.0.1:10515 ;
proxy_pass REALIP:REALPORT;
proxy_ssl on;
#server side authentication (client verifying server's certificate)
proxy_ssl_protocols TLSv1.2;
proxy_ssl_certificate /f0/client.crt;
proxy_ssl_certificate_key /f0/client.key;
access_log /var/log/nginx.tcp1.access.log main;
error_log /var/log/nginx.tcp1.error.log debug;
#The trusted CA certificates in the file named by the proxy_ssl_trusted_certificate directive are used to verify the certificate on the ups
tream
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /f0/client_ca.crt;
proxy_ssl_verify_depth 1;
proxy_ssl_session_reuse on;
proxy_ssl_name localhost;
ssl_session_timeout 4h;
ssl_handshake_timeout 30s;
ssl_prefer_server_ciphers on;
#proxy_ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-A
ES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
proxy_ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:EECDH+AESGCM:EDH
+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-R
SA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:D
HE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA";
#ssl_ecdh_curve prime256v1:secp384r1;
#ssl_session_tickets off;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
}
您能否验证上述配置,如果我以正确的方式验证对等方,请告诉我。如果是,我的另一个问题:有没有办法,我们可以给对等证书(公钥)而不是它的 CA 并验证。请澄清
谢谢,
解决方案
这个问题看起来很明显,因为它没有提到任何特定方面(除了 TLS)。
请访问以下内容以获得良好的开始:
https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/ https://www.nginx.com/blog/tcp-load-balancing-udp-load-平衡-nginx-tips-tricks/
引用上述来源的简单示例配置:
stream {
server {
listen 12345;
#TCP traffic will be forwarded to the "stream_backend" upstream group
proxy_pass stream_backend;
}
server {
listen 12346;
#TCP traffic will be forwarded to the specified server
proxy_pass backend.example.com:12346;
}
}
推荐阅读
- javascript - 使用 jQuery .detach() 通过解析从 DOM 中删除和重做 div
- python - 如何使用循环和索引从两个现有向量创建第三个向量?
- pandas - 按年龄组对 Pandas 数据框年龄列进行分组
- javascript - 协助 javascript 算法
- c - Dijkstra 在 C 中的最短路径算法 - 更改参数问题
- javascript - 在 Angular(9) 中使用前 Angular、DOM 操作 Javascript 的正确方法是什么?
- arrays - 如何在数组中设置特定对象的状态
- laravel - Passport 认证成功后 Auth::user() 为空
- c# - 如何使用 roslyn 获得表达式中的预期类型?
- mysql - 如何将元素存储在 Laravel 中数组的变量中?