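Notes on Reverse-Proxying the Campus Academic Affairs System
Reverse-proxying the campus academic affairs system to reach the intranet from off campus
Background
I'm in my fourth year. Most of my classmates have already left campus for internships, so whenever the school announces registration for backlog make-up exams or an information check, I, being the one still on campus, get pestered relentlessly. But I'm a night owl: I wake up to a pile of messages I didn't answer in time, and looking things up one by one is far too tedious. Then I remembered the Raspberry Pi, quickly ordered a model 2B on Xianyu (闲鱼), installed CentOS on it and set up LNMP.
Compiling nginx with the substitution module
1. Download ngx_http_substitutions_filter_module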
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module
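2. The steps for installing the OS on the Raspberry Pi are omitted
The first thing to do is install nginx. To save effort I use the one-click installer from lnmp.org directly; since I need TLS 1.3, I use the 1.6 beta
The install commands are: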
wget http://soft.vpser.net/lnmp/lnmp1.6beta.tar.gz -cO lnmp1.6beta.tar.gz && tar zxf lnmp1.6beta.tar.gz && cd lnmp1.6
Don't run the installer yet; first add the nginx module that the reverse proxy requires
[root@localhost lnmp1.6]# vi lnmp.conf
The default configuration is:
Download_Mirror='https://soft.vpser.net'
Nginx_Modules_Options=''
PHP_Modules_Options=''
##MySQL/MariaDB database directory##
MySQL_Data_Dir='/usr/local/mysql/var'
MariaDB_Data_Dir='/usr/local/mariadb/var'
##Default website home directory##
Default_Website_Dir='/home/wwwroot/default'
Enable_Nginx_Openssl='y'
Enable_PHP_Fileinfo='n'
Enable_Nginx_Lua='n'
Enable_Swap='y'
Change Nginx_Modules_Options=''
to
Nginx_Modules_Options='--add-module=/root/ngx_http_substitutions_filter_module'
Then press Esc, type :wq and press Enter to save
3. Build
[root@localhost lnmp1.6]# ./install.sh nginx
Then enter the nginx version; I used 1.14.2
Wait for the build to finish
Creating the site configuration file
1. Manually
[root@localhost /]# cd /usr/local/nginx/conf/vhost
[root@localhost /]# vi proxy.example.com.conf
2. Or use the lnmp command
[root@localhost lnmp1.6]# lnmp vhost add
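3. The configuration file in detail
First, add a static-file cache to nginx's nginx.conf, so that the origin server is requested as little as possible and bandwidth pressure is reduced
1. Create the /home/cache/temp directory
mkdir -p /home/cache/temp
2. Add the following to the http block of nginx.conf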
proxy_connect_timeout 5;
proxy_read_timeout 60;
proxy_send_timeout 5;
proxy_buffer_size 16k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_temp_path /home/cache/temp;
# temporary file directory
proxy_cache_path /home/cache/path levels=1:2 keys_zone=cache_one:10m inactive=10d max_size=1g;
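# 10m is the memory used, 1g is the maximum disk usage, and cache_one is the name of the cache zone; if you change it, the configuration below must be changed to match.
Next, add the site; the process is skipped here, as the LNMP documentation on sites covers it
Add the following to the reverse-proxy site's conf
1. Cache static files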
location ~ .*\.(gif|jpg|png|css|js)(.*) {
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://example.com;
proxy_redirect off;
proxy_set_header Host example.com;
proxy_cache cache_one;
proxy_cache_valid 200 302 24h;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_ignore_headers Set-Cookie Cache-Control;
expires 90d;
add_header wall "cache hit ok!.";
}
# cache static files to reduce requests to the origin
2. Reverse proxy
location / {
subs_filter_types text/css text/xml;
subs_filter http://a.example.com http://b.example.com ig;
subs_filter http://a.example.com http://b.example.com ig;
subs_filter http://a.example.com http://b.example.com ig;
#subs_filter a.example.com b.example.com ig;
#subs_filter a.example.com b.example.com ig;
#subs_filter a.example.com b.example.com ig;
# multiple subs_filter lines can be added
# substitution module
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# pass the visitor's IP to the backend
proxy_set_header Referer http://a.example.com/;
# force the Referer; the application's validation checks use it
proxy_set_header Host a.example.com;
# set the Host header
proxy_pass http://a.example.com;
# backend address
proxy_redirect http://a.example.com/ http://b.example.com/;
proxy_redirect http://a.example.com http://b.example.com;
proxy_redirect http://a.example.com http://b.example.com:6666;
proxy_redirect http://a.example.com http://b.example.com:6666;
# rewrite redirects
proxy_set_header Accept-Encoding "";
# clear Accept-Encoding
proxy_cache_use_stale invalid_header error timeout http_502;
# serve stale cache when the backend errors, times out, or returns 502
}
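A check on the static-file location regex used in the cache blocks on this page, added here as an example and not part of the original post: the pattern is unanchored, so `\.js` also matches the `.jsp` page listed in this page's case analysis, and that page then lands in the location that ignores `Set-Cookie` and `Cache-Control`. The anchored pattern, the toy cache model and the `alice`/`bob` sessions are assumptions of this example.

```python
import re

# Location regex copied from this page's cache blocks, and an anchored
# variant (an assumption of this example, not the author's config).
PAGE_RE = re.compile(r".*\.(gif|jpg|png|css|js)(.*)")
ANCHORED_RE = re.compile(r"\.(gif|jpg|png|css|js)$")

# Paths taken from the case analysis on this page, plus two constructed
# static assets for comparison. nginx matches a location regex against
# the URI path only, so query strings are left out.
PATHS = [
    "/login.portal", "/index.portal", "/authserver/login",
    "/login_cas.aspx", "/cas_verify.aspx", "/xs_main.aspx",
    "/ssoserver/login", "/xgxt/stuPage.jsp",
    "/default.aspx", "/Tick.aspx", "/ReaderTable.aspx",
    "/static/app.js",      # constructed
    "/images/logo.png",    # constructed
]


def cached_paths(location_re):
    """Paths routed to the caching location (unanchored search, like `location ~`)."""
    return [p for p in PATHS if location_re.search(p)]


def upstream(path, session):
    """Constructed stand-in for the backend: a per-user page that also sets a cookie."""
    return {"Set-Cookie": f"JSESSIONID={session}",
            "body": f"page {path} for {session}"}


class ToyProxy:
    """Model of the two locations: the caching one and `location /` without proxy_cache."""

    def __init__(self, location_re, proxy_host, scheme="https"):
        self.location_re = location_re
        self.proxy_host = proxy_host
        self.scheme = scheme
        self.cache = {}

    def get(self, path, session):
        if not self.location_re.search(path):
            return upstream(path, session)          # location /: nothing is stored
        # nginx default proxy_cache_key is $scheme$proxy_host$request_uri:
        # no cookie or session is part of the key.
        key = self.scheme + self.proxy_host + path
        if key not in self.cache:
            # proxy_ignore_headers Set-Cookie Cache-Control + proxy_cache_valid 200:
            # the response is stored together with its headers.
            self.cache[key] = upstream(path, session)
        return self.cache[key]


def second_visitor_view(location_re):
    """What a second user receives after a first user has loaded the same page."""
    proxy = ToyProxy(location_re, "192.168.200.45")
    proxy.get("/xgxt/stuPage.jsp", "alice")
    return proxy.get("/xgxt/stuPage.jsp", "bob")


if __name__ == "__main__":
    for name, rx in (("page regex", PAGE_RE), ("anchored", ANCHORED_RE)):
        print(name, cached_paths(rx), second_visitor_view(rx))
```

The model assumes the backend sends no `Expires` or `Vary` header that would keep nginx from storing the response. With the page's regex the stored entry carries the first visitor's `Set-Cookie` header as well as the body; with the anchored regex the `.jsp` page falls through to `location /`, which has no `proxy_cache`.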
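Case analysis
The school's academic platform is 智慧XX ("Smart XX"). The main site runs Jinzhihui (金智慧), while the academic affairs and student management systems run Zhengfang (正方) and the library system runs Jinpan (金盘)
Analysing the login flow gives the following:
Home page URL: http://isportal.xuexiao.edu.cn/login.portal
Clicking "Log in now" redirects to the URL: http://ids.xuexiao.edu.cn/authserver/login?service=http://isportal.xuexiao.edu.cn/index.portal
After entering the student number and password, it redirects back to http://isportal.xuexiao.edu.cn/
but the suffix changes from login.portal to index.portal
The intranet systems are at the following addresses
Zhengfang academic affairs: http://192.168.200.40
Wanman student affairs (完满学工): http://192.168.200.45
Library management system: http://192.168.200.133:8090
In http://isportal.xuexiao.edu.cn/index.portal
the addresses of the three intranet systems above are, respectively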
http://192.168.200.40/
http://192.168.200.45:81/
http://192.168.200.133:8090
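Let's analyse them one by one
Zhengfang academic affairs: http://192.168.200.40/login_cas.aspx
Clicking it silently redirects to http://192.168.200.40/cas_verify.aspx?i=[student number]&k=[MD5] and then enters the academic affairs system at http://192.168.200.40/xs_main.aspx?xh=[student number]
The real links have no []. I'm also not sure what the k in the first link means; my guess is that it is used for verification
Wanman student affairs: http://192.168.200.45:81/ssoserver/login?ywxt=xg&url=stuPage.jsp In fact we know that the Wanman student affairs address has no port 81, so port 81, like ids.xuexiao.edu.cn, is used for cross-platform authentication; it then redirects to http://192.168.200.45/xgxt/stuPage.jsp
Library management system: http://ids.xuexiao.edu.cn/authserver/login?service=http://192.168.200.133:8021/default.aspx
It first redirects to http://192.168.200.133:8021/Tick.aspx for verification
and then redirects to http://192.168.200.133:8090/ReaderTable.aspx
From this we can conclude that we need to reverse-proxy five sites in total, and open 5 ports in total
namely: 80, 81, 443, 8021, 8090
Because the school's China Telecom public IP falls in the residential broadband range, ports 80 and 443 are both blocked, so 80 and 443 have to be replaced with other non-standard ports
Here we assign the five sites the following ports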
Original address | Original port | New address | New port | Host |
---|---|---|---|---|
isportal.xuexiao.edu.cn | 80 | isportal.proxy.com | 80, 443 | Cloudflare |
ids.xuexiao.edu.cn | 80 | ids.proxy.com | 80, 443 | Cloudflare |
192.168.200.40 | 80 | jiaowu.proxy.com | 8661 | Campus China Telecom |
192.168.200.45 | 80, 81 | tuanwei.proxy.com | 8991, 8971 | Campus China Telecom |
192.168.200.133 | 8021, 8090 | tushu.proxy.com | 8751, 8864 | Campus China Telecom |
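Also, all three intranet sites seem to need cross-site authentication traffic with the main site ids.xuexiao.edu.cn, so we need to configure the substitution module in every site and replace every occurrence of xuexiao.edu.cn with our own domains
In addition, the isportal and ids sites are open to the public internet, so we can deploy these two behind Cloudflare and use its CDN to guard against DDoS, and also to hide the three intranet sites
Configuration files
Below are my nginx conf files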
isportal.xuexiao.edu.cn
maps to https://proxy.com
server
{
listen 80;
server_name proxy.com;
# force HTTP to redirect to HTTPS
return 301 https://$host$request_uri;
index index.portal;
root /var/www/proxy.com;
if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
return 403;
}
# block search-engine crawlers
access_log /var/log/proxy.com.log;
}
server {
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name proxy.com;
index index.portal;
root /var/www/proxy.com;
# default index page
if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
return 403;
}
# block search-engine crawlers
ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
location ~ .*\.(gif|jpg|png|css|js)(.*) {
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://isportal.xuexiao.edu.cn;
proxy_redirect off;
proxy_set_header Host isportal.xuexiao.edu.cn;
proxy_cache cache_one;
proxy_cache_valid 200 302 24h;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_ignore_headers Set-Cookie Cache-Control;
expires 90d;
add_header wall "cache hit ok!.";
}
# cache static files to reduce requests to the origin
location / {
subs_filter_types text/css text/xml;
subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
subs_filter http://192.168.200.40 https://jiaowu.proxy.com:8661 ig;
subs_filter http://192.168.200.45:81 https://tuanwei.proxy.com:8971 ig;
subs_filter http://192.168.200.133 https://tushu.proxy.com ig;
subs_filter isportal.xuexiao.edu.cn proxy.com ig;
subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
subs_filter 192.168.200.40 jiaowu.proxy.com:8661 ig;
subs_filter 192.168.200.45 tuanwei.proxy.com ig;
subs_filter 192.168.200.133 tushu.proxy.com ig;
subs_filter service=https://proxy.com/index.portal service=http://isportal.xuexiao.edu.cn/index.portal;
subs_filter service=https://tushu.proxy.com:8751/default.aspx service=http://192.168.200.133:8021/default.aspx;
# substitution module
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
# use any of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
# take the real visitor IP from Cloudflare
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# pass the visitor's IP to the backend
proxy_set_header Referer http://isportal.xuexiao.edu.cn;
# force the Referer; the application's validation checks use it
proxy_set_header Host isportal.xuexiao.edu.cn;
# set the Host header
proxy_pass http://isportal.xuexiao.edu.cn;
# backend address
proxy_set_header Accept-Encoding "";
# clear Accept-Encoding
proxy_cache_use_stale invalid_header error timeout http_502;
# serve stale cache when the backend errors, times out, or returns 502
proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
proxy_redirect http://192.168.200.40/ https://jiaowu.proxy.com:8661/;
proxy_redirect http://192.168.200.45/ https://tuanwei.proxy.com:8991/;
proxy_redirect http://192.168.200.45:81/ https://tuanwei.proxy.com:8971/;
proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
# rewrite 302 redirects
}
access_log /var/log/proxy.com.log;
}
ids.xuexiao.edu.cn
maps to https://ids.proxy.com
server
{
listen 80;
server_name ids.proxy.com;
# force HTTP to redirect to HTTPS
return 301 https://$host$request_uri;
index index.portal;
root /var/www/ids.proxy.com;
if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
return 403;
}
# block search-engine crawlers
#include enable-php.conf;
access_log /var/log/ids.proxy.com.log;
}
server {
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name ids.proxy.com;
index index.html;
root /var/www/ids.proxy.com;
# default index page
if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
return 403;
}
# block search-engine crawlers
ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
location ~ .*\.(gif|jpg|png|css|js)(.*) {
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://ids.xuexiao.edu.cn;
proxy_redirect off;
proxy_set_header Host ids.xuexiao.edu.cn;
proxy_cache cache_one;
proxy_cache_valid 200 302 24h;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_ignore_headers Set-Cookie Cache-Control;
expires 90d;
add_header wall "cache hit ok!.";
}
# cache static files to reduce requests to the origin
location / {
subs_filter_types text/css text/xml;
subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
subs_filter isportal.xuexiao.edu.cn proxy.com ig;
subs_filter service=https://proxy.com/index.portal service=http://isportal.xuexiao.edu.cn/index.portal;
# substitution module
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
# use any of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
# take the real visitor IP from Cloudflare
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# pass the visitor's IP to the backend
proxy_set_header Referer http://ids.xuexiao.edu.cn/;
# force the Referer; the application's validation checks use it
proxy_set_header Host ids.xuexiao.edu.cn;
# set the Host header
proxy_pass http://ids.xuexiao.edu.cn;
# backend address
proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
proxy_redirect http://192.168.200.40/ https://jiaowu.proxy.com:8661/;
proxy_redirect http://192.168.200.45/ https://tuanwei.proxy.com:8991/;
proxy_redirect http://192.168.200.45:81/ https://tuanwei.proxy.com:8971/;
proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
# rewrite 302 redirects
proxy_set_header Accept-Encoding "";
# clear Accept-Encoding
proxy_cache_use_stale invalid_header error timeout http_502;
# serve stale cache when the backend errors, times out, or returns 502
}
access_log /var/log/ids.proxy.com.log;
}
192.168.200.40
maps to https://jiaowu.proxy.com
server {
listen 2052 ssl http2;
server_name jiaowu.proxy.com;
index index.html;
root /home/wwwroot/jiaowu.proxy.com;
# default index page
ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
location ~ .*\.(gif|jpg|png|css|js)(.*) {
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://192.168.200.40;
proxy_redirect off;
proxy_set_header Host 192.168.200.40;
proxy_cache cache_one;
proxy_cache_valid 200 302 24h;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_ignore_headers Set-Cookie Cache-Control;
expires 90d;
add_header wall "cache hit ok!.";
}
# cache static files to reduce requests to the origin
location / {
subs_filter_types text/css text/xml;
subs_filter http://192.168.200.40 https://jiaowu.proxy.com:8661 ig;
subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
#subs_filter 192.168.200.40 jiaowu.proxy.com ig;
#subs_filter isportal.xuexiao.edu.cn proxy.com ig;
#subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
# substitution module
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# pass the visitor's IP to the backend
proxy_set_header Referer http://192.168.200.40/;
# force the Referer; the application's validation checks use it
proxy_set_header Host 192.168.200.40;
# set the Host header
proxy_pass http://192.168.200.40;
# backend address
proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
proxy_redirect http://192.168.200.40/ https://jiaowu.proxy.com:8661/;
proxy_redirect http://192.168.200.45/ https://tuanwei.proxy.com:8991/;
proxy_redirect http://192.168.200.45:81/ https://tuanwei.proxy.com:8971/;
proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
# rewrite 302 redirects
proxy_set_header Accept-Encoding "";
# clear Accept-Encoding
proxy_cache_use_stale invalid_header error timeout http_502;
# serve stale cache when the backend errors, times out, or returns 502
}
access_log /home/wwwlogs/jiaowu.proxy.com.log;
}
192.168.200.45
maps to https://tuanwei.proxy.com
server {
listen 8991 ssl http2;
server_name tuanwei.proxy.com;
index default2.aspx;
root /home/wwwroot/tushu.proxy.com;
# default index page
ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
location ~ .*\.(gif|jpg|png|css|js)(.*) {
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://192.168.200.45;
proxy_redirect off;
proxy_set_header Host 192.168.200.45;
proxy_cache cache_one;
proxy_cache_valid 200 302 24h;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_ignore_headers Set-Cookie Cache-Control;
expires 90d;
add_header wall "cache hit ok!.";
}
# cache static files to reduce requests to the origin
location / {
subs_filter_types text/css text/xml;
subs_filter http://192.168.200.45 https://tuanwei.proxy.com:8971 ig;
subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
#subs_filter 192.168.200.45 tushu.proxy.com ig;
#subs_filter isportal.xuexiao.edu.cn proxy.com ig;
#subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
# substitution module
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# pass the visitor's IP to the backend
proxy_set_header Referer http://192.168.200.45/;
# force the Referer; the application's validation checks use it
proxy_set_header Host 192.168.200.45;
# set the Host header
proxy_pass http://192.168.200.45;
# backend address
proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
proxy_redirect http://192.168.200.40/ https://jiaowu.proxy.com:8661/;
proxy_redirect http://192.168.200.45/ https://tuanwei.proxy.com:8991/;
proxy_redirect http://192.168.200.45:81/ https://tuanwei.proxy.com:8971/;
proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
# rewrite 302 redirects
proxy_set_header Accept-Encoding "";
# clear Accept-Encoding
proxy_cache_use_stale invalid_header error timeout http_502;
# serve stale cache when the backend errors, times out, or returns 502
}
access_log /home/wwwlogs/tushu.proxy.com.log;
}
server {
listen 8971 ssl http2;
server_name tuanwei.proxy.com;
index default2.aspx;
root /home/wwwroot/tushu.proxy.com;
# default index page
ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
location ~ .*\.(gif|jpg|png|css|js)(.*) {
proxy_pass http://192.168.200.45:81;
proxy_redirect off;
proxy_set_header Host 192.168.200.45:81;
proxy_cache cache_one;
proxy_cache_valid 200 302 24h;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_ignore_headers Set-Cookie Cache-Control;
expires 90d;
add_header wall "cache hit ok!.";
}
# cache static files to reduce requests to the origin
location / {
subs_filter_types text/css text/xml;
subs_filter http://192.168.200.45 https://tushu.proxy.com ig;
subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
#subs_filter 192.168.200.45 tushu.proxy.com ig;
#subs_filter isportal.xuexiao.edu.cn proxy.com ig;
#subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
# substitution module
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# pass the visitor's IP to the backend
proxy_set_header Referer http://192.168.200.45:81/;
# force the Referer; the application's validation checks use it
proxy_set_header Host 192.168.200.45:81;
# set the Host header
proxy_pass http://192.168.200.45:81;
# backend address
proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
proxy_redirect http://192.168.200.40/ https://jiaowu.proxy.com:8661/;
proxy_redirect http://192.168.200.45/ https://tuanwei.proxy.com:8991/;
proxy_redirect http://192.168.200.45:81/ https://tuanwei.proxy.com:8971/;
# rewrite 302 redirects
proxy_set_header Accept-Encoding "";
# clear Accept-Encoding
proxy_cache_use_stale invalid_header error timeout http_502;
# serve stale cache when the backend errors, times out, or returns 502
}
access_log /home/wwwlogs/tushu.proxy.com.log;
}
192.168.200.133
maps to https://tushu.proxy.com
server {
listen 8864 ssl http2;
server_name tushu.proxy.com;
index index.html;
root /home/wwwroot/tushu.proxy.com;
# default index page
ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
location ~ .*\.(gif|jpg|png|css|js)(.*) {
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://192.168.200.133:8090;
proxy_redirect off;
proxy_set_header Host 192.168.200.133:8090;
proxy_cache cache_one;
proxy_cache_valid 200 302 24h;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_ignore_headers Set-Cookie Cache-Control;
expires 90d;
add_header wall "cache hit ok!.";
}
# cache static files to reduce requests to the origin
location / {
subs_filter_types text/css text/xml;
subs_filter http://192.168.200.133 https://tushu.proxy.com ig;
subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
#subs_filter 192.168.200.133 tushu.proxy.com ig;
#subs_filter isportal.xuexiao.edu.cn proxy.com ig;
#subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
# substitution module
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# pass the visitor's IP to the backend
proxy_set_header Referer http://192.168.200.133:8090/;
# force the Referer; the application's validation checks use it
proxy_set_header Host 192.168.200.133:8090;
# set the Host header
proxy_pass http://192.168.200.133:8090;
# backend address
proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
# rewrite 302 redirects
proxy_set_header Accept-Encoding "";
# clear Accept-Encoding
proxy_cache_use_stale invalid_header error timeout http_502;
# serve stale cache when the backend errors, times out, or returns 502
}
access_log /home/wwwlogs/tushu.proxy.com.log;
}
server {
listen 8751 ssl http2;
server_name tushu.proxy.com;
index index.html;
root /home/wwwroot/tushu.proxy.com;
# default index page
ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
location ~ .*\.(gif|jpg|png|css|js)(.*) {
proxy_pass http://192.168.200.133:8021;
proxy_redirect off;
proxy_set_header Host 192.168.200.133:8021;
proxy_cache cache_one;
proxy_cache_valid 200 302 24h;
proxy_cache_valid 301 30d;
proxy_cache_valid any 5m;
proxy_ignore_headers Set-Cookie Cache-Control;
expires 90d;
add_header wall "cache hit ok!.";
}
# cache static files to reduce requests to the origin
location / {
subs_filter_types text/css text/xml;
subs_filter http://192.168.200.133:8090 https://tushu.proxy.com:8864 ig;
subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
#subs_filter 192.168.200.133 tushu.proxy.com ig;
#subs_filter isportal.xuexiao.edu.cn proxy.com ig;
#subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
# substitution module
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# pass the visitor's IP to the backend
proxy_set_header Referer http://192.168.200.133:8021/;
# force the Referer; the application's validation checks use it
proxy_set_header Host 192.168.200.133:8021;
# set the Host header
proxy_pass http://192.168.200.133:8021;
# backend address
proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
# rewrite 302 redirects
proxy_set_header Accept-Encoding "";
# clear Accept-Encoding
proxy_cache_use_stale invalid_header error timeout http_502;
# serve stale cache when the backend errors, times out, or returns 502
}
access_log /home/wwwlogs/tushu.proxy.com.log;
}