Using Nginx as a Circumvention Proxy

Configuration

/etc/nginx/nginx.conf configuration. A self-signed certificate can be used; the client just has to skip certificate verification when connecting.

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 10240;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for" '
    '"upstream=$upstream_addr" "scheme=$scheme" "X-Remote-App=$http_x_remote_app" "reqtime=$request_time" "upstream_resptime=$upstream_response_time" "$upstream_cache_status" "host=$host"';
    ssl_certificate /etc/nginx/ssl/52.77.252.184.crt;
    ssl_certificate_key /etc/nginx/ssl/52.77.252.184.key;
    ssl_session_cache shared:SSL:100m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}

/etc/nginx/conf.d/server.conf configuration.

#
# A virtual host using mix of IP-, name-, and port-based configuration
#

server {
    listen 443 ssl;
    server_name _;

    access_log /var/log/nginx/443_access.log main;
    resolver 8.8.8.8;

    set $upstream_endpoint $host;

    location / {
        proxy_pass https://$upstream_endpoint;
    }
}

server {
    listen 80;
    server_name _;

    access_log /var/log/nginx/80_access.log main;
    resolver 8.8.8.8;

    set $upstream_endpoint $host;

    location / {
        proxy_pass http://$upstream_endpoint;
    }
}

Testing

The Host header has to be set explicitly, and curl needs -k so that it does not verify the certificate.

$ curl -k -I -H "Host:play.google.com" "https://52.77.252.184/store/apps/details?hl=en&id=tr.com.fugo.kelimeavi2.en"
HTTP/1.1 200 OK

$ curl -k -I -H "Host:www.baidu.com" http://52.77.252.184
HTTP/1.1 200 OK

The benefit of circumventing this way is that you can run several Nginx servers, and the program itself can control which Nginx it goes through.
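Because server.conf uses server_name _ together with proxy_pass to $upstream_endpoint (taken from $host), each Nginx forwards to whatever Host the client sends, so the access log written in the main log_format above is where you see what the relay is actually being used for. The following is an added example, not code from the original post: a Python parser for that exact log_format plus an allowlist check that flags relayed requests to hosts you did not intend to serve. The sample log lines and the allowlist are constructed.

```python
import ipaddress
import re
from collections import Counter

# Field layout of the `main` log_format from nginx.conf, one named group per variable.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<xff>[^"]*)" '
    r'"upstream=(?P<upstream_addr>[^"]*)" "scheme=(?P<scheme>[^"]*)" '
    r'"X-Remote-App=(?P<remote_app>[^"]*)" "reqtime=(?P<request_time>[^"]*)" '
    r'"upstream_resptime=(?P<upstream_response_time>[^"]*)" '
    r'"(?P<cache_status>[^"]*)" "host=(?P<host>[^"]*)"$'
)

# Constructed sample lines (not real traffic); the third shows the relay forwarding to
# whatever the client put in Host, here a private address.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2017:12:00:01 +0800] "HEAD /store/apps/details?hl=en HTTP/1.1" 200 0 "-" "curl/7.51.0" "-" "upstream=172.217.24.14:443" "scheme=https" "X-Remote-App=-" "reqtime=0.412" "upstream_resptime=0.410" "-" "host=play.google.com"
203.0.113.7 - - [10/Mar/2017:12:00:02 +0800] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.51.0" "-" "upstream=180.97.33.107:80" "scheme=http" "X-Remote-App=-" "reqtime=0.031" "upstream_resptime=0.030" "-" "host=www.baidu.com"
198.51.100.9 - - [10/Mar/2017:12:00:03 +0800] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.13" "-" "upstream=10.0.0.5:80" "scheme=http" "X-Remote-App=-" "reqtime=0.004" "upstream_resptime=0.003" "-" "host=10.0.0.5"
"""

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_ip_literal(host):
    """True when the Host header carried a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_relay_targets(log_text, allowed_hosts):
    """Flag relayed requests whose Host is off the allowlist or is a bare IP.
    Returns (flagged, counts): a list of (remote_addr, host, upstream_addr) tuples
    in log order, and a Counter of requests per Host value."""
    flagged, counts = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # e.g. a line written by a different log_format
        counts[rec['host']] += 1
        if rec['host'] not in allowed_hosts or is_ip_literal(rec['host']):
            flagged.append((rec['remote_addr'], rec['host'], rec['upstream_addr']))
    return flagged, counts
```

Run it against /var/log/nginx/443_access.log and 80_access.log with the set of domains you actually route through the relay; anything flagged is a Host value the relay forwarded that you did not plan for.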

Setting up sniproxy

The sniproxy source code is at https://github.com/dlundquist/sniproxy. What it does:

Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session.


Install:

rpm -ivh http://mirror.zhoufengjie.cn/centos/el6/x86_64/RPMS/tyumenmirror-1.0-1.el6.noarch.rpm

yum -y install sniproxy

If you build from source, make sure udns is compiled in; otherwise, when you configure a rule like .* *:443, sniproxy reports: Only socket address backends are permitted when compiled without libudns


Edit the configuration file /usr/local/sniproxy/etc/sniproxy.conf:

user daemon
pidfile /var/run/sniproxy.pid

error_log {
  syslog daemon
  priority notice
}

listen 443 {
  protocol tls
  table https_hosts

  access_log {
    filename /var/log/sniproxy.log
  }
}

table https_hosts {
  .* *:443
}

listen 80 {
  protocol http
  table http_hosts

  access_log {
    filename /var/log/sniproxy.log
  }
}

table http_hosts {
  .* *:80
}

table {
  .* 127.0.0.1
}

Start:

/usr/local/sniproxy/sbin/sniproxy -c /usr/local/sniproxy/etc/sniproxy.conf


Then edit /etc/hosts to test:

52.221.229.x play.google.com
52.221.229.x www.baidu.com

# curl -I "https://play.google.com/store/apps/details?hl=en&id=tr.com.fugo.kelimeavi2.en"
HTTP/1.1 200 OK

# curl -I http://www.baidu.com
HTTP/1.1 200 OK

Both return OK.


Editing hosts is tedious; you can use dnsmasq to manage your resolution instead, pointing the domains you need at your sniproxy in dnsmasq, combined with dnscrypt to prevent DNS poisoning. For details see:

https://www.logcg.com/archives/981.html

https://gist.github.com/tawateer/fff8798407693d74b80d44e46806cc82