我有下面显示的 nginx.conf 文件。
我想在端口 443/SSL 上运行 ssh 和 Web 服务器。
也称为 SSL 端口多路复用。
同时,我想将 ssl-passthrough 与 SNI 结合使用。
对于 ssh-multiplexing,我使用 $ssl_preread_protocol。
对于 SSL-SNI-passthrough,我使用 $ssl_preread_server_name
如果我设置了proxy_pass $upstream;
,那么 ssh 可以正常工作,但网页无法正常工作。
如果我设置了proxy_pass $name;
,那么 SSL-SNI-passthrough 可以正常工作,但 ssh 无法访问。
我怎样才能将这两个地图指令结合起来?例如
if $upstream = ssh
then proxy_pass $upstream
else proxy_pass $name;
endif
问题是我需要一种方法来将协议选择与服务器名称选择结合起来。
if(ssh) => forward to port 22
else => forward to port xy depending on server_name
这是我的配置文件:
stream{
upstream ssh
{
server 127.0.0.1:22;
}
upstream https_default_backend
{
server 127.0.0.1:443;
}
upstream daniel_backend
{
server 127.0.0.1:5005;
}
map $ssl_preread_protocol $upstream
{
default ssh;
"TLSv1.3" https_default_backend;
"TLSv1.2" https_default_backend;
"TLSv1.1" https_default_backend;
"TLSv1" https_default_backend;
}
map $ssl_preread_server_name $name
{
localhost daniel_backend;
prodesk daniel_backend;
daniel-steiger.ch daniel_backend;
www.daniel-steiger.ch daniel_backend;
default https_default_backend;
}
# SSH and SSL on the same port
server {
listen 443;
ssl_preread on;
#proxy_protocol on;
# proxy_pass $upstream;
proxy_pass $name;
}
}
答案1
已经找到解决方案了吗?
我也遇到这个问题了,我试了一下,好像没问题。
stream {
upstream ssh {
server 127.0.0.1:22;
}
upstream https_default_backend {
server 127.0.0.1:443;
}
upstream daniel_backend {
server 127.0.0.1:5005;
}
map $ssl_preread_protocol $upstream {
"" ssh;
default $name;
"TLSv1.3" $name;
"TLSv1.2" $name;
"TLSv1.1" $name;
"TLSv1" $name;
}
map $ssl_preread_server_name $name {
localhost daniel_backend;
prodesk daniel_backend;
daniel-steiger.ch daniel_backend;
www.daniel-steiger.ch daniel_backend;
default https_default_backend;
}
server {
listen 443;
ssl_preread on;
proxy_pass $upstream;
}
}
答案2
亡灵法术。
为了他人的利益,我回答了自己的问题。
据我所知,nginx 无法做到这一点。
但是,您可以使用 HAproxy 实现此目标。
配置并不那么简单,因此请参阅下面对我有用的技巧。
请注意,我已使用记事本中的搜索和替换功能更改了所有值(可能有错误)。
此配置假定以下内容:
公网 IP 为 44.33.22.11 的服务器
在端口上运行的本地 http 服务器(与 HAproxy 运行的同一台服务器上的 8000+x,因此为 127.0.0.1)
sshd 在 127.0.0.1:22 上运行(与 HAproxy 在同一台机器的 22 端口)
两个域名,每个都是 http 和 https:
http://firstname-lastname.com/
https://firstname-lastname.com/
http://forename-familyname.com/
https://forename-familyname.com/
所有这些域名的 DNS 解析为 44.33.22.11
如果您想使用代理协议(代理 v2 是最新的),请取消注释,# send-proxy-v2
例如行
server web0 127.0.0.1:8005 # send-proxy-v2
变成
server web0 127.0.0.1:8005 send-proxy-v2
请注意,sni-passthrough 会反转代理顺序。
在 nginx 中,顺序为
-> request -> decrypt -> proxy headering decrypted request -> re-encrypt request -> forward
在 haproxy SNI-passthough 中,顺序变为
-> request -> proxy headering encrypted request -> forward
因此,使用 nginx的 http 服务器(在端口 8000+x 上)中的中间件处理顺序是-> SSL-decrypt -> unheader -> process
,而使用 HAproxy 时,-> unheader -> SSL-decrypt -> process
这是因为在 HAproxy 上使用 sni-passthrough,而在 nginx 中使用 SSL 密钥(无 passthrough)。这个小问题让我很头疼。
另请注意,出于测试目的,我在 hosts 文件中设置了 example.int、foo.int 和 bar.int,解析为本地网络中的 10.0.0.2(安装 HAproxy 的机器的内部网络 IP 地址)。您仍可在此 haproxy.cfg 文件中看到这些条目
# /etc/haproxy/haproxy.cfg
# Validate:
# haproxy -c -V -f /etc/haproxy/haproxy.cfg
# Another way is to
# sudo service haproxy configtest
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_comACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http
bind *:80
mode http
option forwardfor
# option httpchk /check.cfm
# use-server server1 if { hdr(host) -i server1.domain.net }
# use-server server2 if { hdr(host) -i server2.domain.net }
# server server1 localhost:22201 check
# server server2 localhost:22202 check
# default_backend nodes
# redirect scheme https code 301 if !{ ssl_fc }
# http://10.0.0.2/.well-known/acme-challenge/token.txt
# http://44.33.22.11/.well-known/acme-challenge/token.txt
# http://firstname-lastname.com/.well-known/acme-challenge/token.txt
# http://forename-familyname.com/.well-known/acme-challenge/token.txt
# https://www.haproxy.com/documentation/aloha/12-5/traffic-management/lb-layer7/acls/
# For ACLs sharing the same name, the following rules apply:
# It is possible to use the same <aclname> for many ACLs, even if they do not have the same matching criterion
# A logical OR applies between all of them
# acl firstname_lastname_com dst 10.0.0.2
# acl firstname_lastname_com dst 44.33.22.11
acl firstname_lastname_com hdr(host) -i 44.33.22.11
acl firstname_lastname_com hdr(host) -i 10.0.0.2
acl firstname_lastname_com hdr(host) -i firstname-lastname.com
acl firstname_lastname_com hdr(host) -m end .firstname-lastname.com
acl forename_familyname_com hdr(host) -i forename-familyname.com
acl forename_familyname_com hdr(host) -m end .forename-familyname.com
#use_backend http_firstname_lastname_com if { hdr(host) -i firstname-lastname.com }
#use_backend http_firstname_lastname_com if { hdr(host) -m end .firstname-lastname.com }
use_backend http_firstname_lastname_com if firstname_lastname_com
use_backend http_forename_familyname_com if forename_familyname_com
backend http_firstname_lastname_com
mode http
balance roundrobin
server web0 127.0.0.1:8006
backend http_forename_familyname_com
mode http
balance roundrobin
server web0 127.0.0.1:8008
#backend nodes
# mode http
# balance roundrobin
# option forwardfor
# reqirep ^Host: Host:\ node1.myapp.mycompany.com
# server web01 node1.myapp.mycompany.com:80
# sudo systemctl stop nginx
# sudo systemctl disable nginx
# sudo systemctl enable haproxy
# service haproxy start
# sudo haproxy -c -V -f /etc/haproxy/haproxy.cfg
# service haproxy restart
frontend https
bind *:443
mode tcp
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
#tcp-request content accept if { req_ssl_hello_type 1 }
# https://datamakes.com/2018/02/17/high-intensity-port-sharing-with-haproxy/
# systemctl restart sshd
# systemctl disable sshd
# systemctl enable sshd
# sudo apt-get install openssh-server
# sudo systemctl status ssh
# sudo ufw allow ssh
# sudo ufw enable
# sudo ufw status
# ufw allow 443/tcp
# ufw allow 8443/tcp
# /etc/ssh/sshd_config ==> PermitRootLogin yes + PasswordAuthentication no + ChallengeResponseAuthentication no ~/.ssh/id_rsa.pub ==> ~/.ssh/authorized_keys
acl ssh_payload payload(0,7) -m bin 5353482d322e30
# /mnt/sshfs/var/www/.dotnet/corefx/cryptography/crls/
# sudo apt-get install exfat-utils exfat-fuse
# https://10.0.0.2/.well-known/acme-challenge/token.txt
# https://44.33.22.11/.well-known/acme-challenge/token.txt
# http://firstname-lastname.com/.well-known/acme-challenge/token.txt
# http://forename-familyname.com/.well-known/acme-challenge/token.txt
# https://www.haproxy.com/documentation/aloha/12-5/traffic-management/lb-layer7/acls/
# For ACLs sharing the same name, the following rules apply:
# It is possible to use the same <aclname> for many ACLs, even if they do not have the same matching criterion
# A logical OR applies between all of them
# sequence matters !
use_backend openssh if ssh_payload
use_backend openssh if !{ req.ssl_hello_type 1 } { req.len 0 }
# having these two lines here blocks ssh if use_backend openssh comes afterwards ...
# also, this fucks up SNI ...
# acl firstname_lastname_com dst 10.0.0.2
# acl firstname_lastname_com dst 44.33.22.11
acl firstname_lastname_com req_ssl_sni -i firstname-lastname.com
acl firstname_lastname_com req.ssl_sni -m end .firstname-lastname.com
acl forename_familyname_com req_ssl_sni -i forename-familyname.com
acl forename_familyname_com req.ssl_sni -m end .forename-familyname.com
# wildcard
use_backend https_firstname_lastname_com if firstname_lastname_com
use_backend https_forename_familyname_com if forename_familyname_com
# use_backend example_int if { req_ssl_sni -i example.int }
# use_backend example_int if { req_ssl_sni -m end .example.int }
# use_backend example_int if { req_ssl_sni -i example.int }
# use_backend foo_int if { req_ssl_sni -i foo.int }
# use_backend bar_int if { req_ssl_sni -i bar.int }
# sudo haproxy -c -V -f /etc/haproxy/haproxy.cfg
backend https_firstname_lastname_com
mode tcp
balance roundrobin
server web0 127.0.0.1:8005 # send-proxy-v2
backend https_forename_familyname_com
mode tcp
balance roundrobin
server web0 127.0.0.1:8007 # send-proxy-v2
backend foo_int
balance roundrobin
server web1 127.0.0.1:8005 send-proxy
backend bar_int
balance roundrobin
server web2 127.0.0.1:8005 ##send-proxy
backend openssh
mode tcp
# option tcplog
# option tcp-check
# tcp-check expect string SSH-2.0-
timeout server 3h
# server openssh 127.0.0.1:22 check
server openssh 127.0.0.1:22
此配置将所有请求转发给
ssh [email protected] -p 443
到127.0.0.1:22
以及所有请求
http://firstname-lastname.com到 127.0.0.1:800X,其中 X = 2n(偶数)
https://firstname-lastname.com到 127.0.0.1:800X,其中 X = 2n+1(奇数)
(更好的想法是使用 800X 表示 http,使用 900X 表示 https)