使用 Nginx 做翻墙代理

配置

/etc/nginx/nginx.conf 配置,可以采用自签名证书,客户端连的时候不 verify 证书即可。

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 10240;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for" '
    '"upstream=$upstream_addr" "scheme=$scheme"     "X-Remote-App=$http_x_remote_app" "reqtime=$request_time"     "upstream_resptime=$upstream_response_time"     "$upstream_cache_status" "host=$host"';
    ssl_certificate /etc/nginx/ssl/52.77.252.184.crt;
    ssl_certificate_key /etc/nginx/ssl/52.77.252.184.key;
    ssl_session_cache shared:SSL:100m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SH    A256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AE    S128-SHA:DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the     /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}

/etc/nginx/conf.d/server.conf 配置。

#
# A virtual host using mix of IP-, name-, and port-based configuration
#

server {
    listen 443 ssl;
    server_name _;

    access_log /var/log/nginx/443_access.log main;
    resolver 8.8.8.8;

    set $upstream_endpoint $host;

    location / {
        proxy_pass https://$upstream_endpoint;
    }
}

server {
    listen 80;
    server_name _;

    access_log /var/log/nginx/80_access.log main;
    resolver 8.8.8.8;

    set $upstream_endpoint $host;

    location / {
        proxy_pass http://$upstream_endpoint;
    }
}

测试

要修改 header,而且 curl 要加 -k 不 verify 证书。

$ curl -k -I -H "Host:play.google.com" "https://52.77.252.184/store/apps/details?hl=en&id=tr.com.fugo.kelimeavi2.en"
HTTP/1.1 200 OK

$ curl -k -I -H "Host:www.baidu.com" http://52.77.252.184
HTTP/1.1 200 OK

这样翻墙的好处是可以有多台 Nginx,程序能够控制访问哪台 Nginx。