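Notes on Reverse-Proxying the Campus Academic Affairs System

Reverse-proxying the campus academic affairs system to reach the intranet from off campus

Background

I'm in my senior year. Most of my classmates have already left campus for internships, so whenever the school announces make-up exam registration or an information check, I, the one still on campus, get pestered constantly. I'm a night owl, though, so I wake up to a pile of messages I didn't answer in time, and looking things up one by one is a real hassle. Then I remembered the Raspberry Pi, quickly ordered a 2B on Xianyu, installed CentOS on it, and set up LNMP.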

Compiling nginx with the substitution module

1. Download ngx_http_substitutions_filter_module
git clone https://github.com/yaoweibin/ngx_http_substitutions_filter_module

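2. The steps for installing the OS on the Raspberry Pi are omitted
The first thing to do is install nginx. To save effort I use the one-click installer from lnmp.org; because TLS 1.3 is needed, I use the 1.6 beta.

The install commands are: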
wget http://soft.vpser.net/lnmp/lnmp1.6beta.tar.gz -cO lnmp1.6beta.tar.gz && tar zxf lnmp1.6beta.tar.gz && cd lnmp1.6
Don't run the installer yet; first add the nginx module the reverse proxy needs.
[root@localhost lnmp1.6]# vi lnmp.conf
The default configuration is:

Download_Mirror='https://soft.vpser.net'

Nginx_Modules_Options=''
PHP_Modules_Options=''

##MySQL/MariaDB database directory##
MySQL_Data_Dir='/usr/local/mysql/var'
MariaDB_Data_Dir='/usr/local/mariadb/var'
##Default website home directory##
Default_Website_Dir='/home/wwwroot/default'

Enable_Nginx_Openssl='y'
Enable_PHP_Fileinfo='n'
Enable_Nginx_Lua='n'
Enable_Swap='y'

Change Nginx_Modules_Options='' to

Nginx_Modules_Options='--add-module=/root/ngx_http_substitutions_filter_module'

Then press Esc, type :wq and press Enter to save.

3. Build
[root@localhost lnmp1.6]# ./install.sh nginx
Then enter the nginx version; I used 1.14.2.

Wait for the build to finish.

Creating the site configuration file

1. Manually

[root@localhost /]# cd /usr/local/nginx/conf/vhost
[root@localhost /]# vi proxy.example.com.conf

2. Or use the lnmp command

[root@localhost lnmp1.6]# lnmp vhost add

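3. The configuration file in detail

First, add a static-file cache in nginx's nginx.conf so that as few requests as possible reach the origin server, reducing bandwidth pressure.
1. Create the /home/cache/temp directory
mkdir -p /home/cache/temp
2. Add the following inside the http block of nginx.conf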

        proxy_connect_timeout    5;
        proxy_read_timeout       60;
        proxy_send_timeout       5;
        proxy_buffer_size        16k;
        proxy_buffers            4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;
        proxy_temp_path   /home/cache/temp;
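        # Temporary file directory
        proxy_cache_path  /home/cache/path levels=1:2 keys_zone=cache_one:10m inactive=10d max_size=1g;
        # 10m is the memory used, 1g is the maximum disk usage, and cache_one is the cache zone name; if you change it, update the configuration below to match.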

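Then add the site; the process is omitted here, since the LNMP website explains how.
Add the following to the reverse-proxy site's conf
1. Cache static files

location ~ \.(gif|jpg|png|css|js)$ {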

                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://example.com;
                proxy_redirect off;
                proxy_set_header Host example.com;
                proxy_cache cache_one;
                proxy_cache_valid 200 302 24h;
                proxy_cache_valid 301 30d;
                proxy_cache_valid any 5m;
                proxy_ignore_headers Set-Cookie Cache-Control;
                expires 90d;
                add_header wall  "cache hit ok!.";
        }
        # Cache static files to reduce requests to the origin

2. Reverse proxy

location / {
        subs_filter_types text/css text/xml;
        subs_filter http://a.example.com http://b.example.com ig;
        subs_filter http://a.example.com http://b.example.com ig;
        subs_filter http://a.example.com http://b.example.com ig;
        #subs_filter a.example.com b.example.com ig;
        #subs_filter a.example.com b.example.com ig;
        #subs_filter a.example.com b.example.com ig;
        # Multiple subs_filter lines can be added
        # Substitution module

        proxy_set_header   X-Real-IP  $remote_addr;
        #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the visitor IP to the backend

        proxy_set_header   Referer http://a.example.com/;
        # Force the Referer; the application's validation checks use it

        proxy_set_header   Host a.example.com;
        # Set the Host header

        proxy_pass http://a.example.com;
        # Backend address

        proxy_redirect http://a.example.com/ http://b.example.com/;
        proxy_redirect http://a.example.com http://b.example.com;
        proxy_redirect http://a.example.com http://b.example.com:6666;
        proxy_redirect http://a.example.com http://b.example.com:6666;
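        # Rewrite redirects

        proxy_set_header Accept-Encoding "";
        # Clear Accept-Encoding so the upstream replies uncompressed

        proxy_cache_use_stale invalid_header error timeout http_502;
        # Serve stale cache when the backend errors, times out or returns 502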

      }
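
Which requests the static-cache location captures depends on whether its regex is anchored at the end. The following added example (not part of the original post) reproduces nginx's unanchored, case-sensitive regex search on the request path and compares the pattern `.*\.(gif|jpg|png|css|js)(.*)` with an end-anchored one, using URL paths from the login flow analyzed on this page plus two constructed static paths; the function names are illustrative.

```python
import re

# nginx "location ~ <regex>" runs a case-sensitive, unanchored regex search
# against the request path; the query string is not part of what is matched.
UNANCHORED = re.compile(r".*\.(gif|jpg|png|css|js)(.*)")
ANCHORED = re.compile(r"\.(gif|jpg|png|css|js)$")

STATIC_EXTS = ("gif", "jpg", "png", "css", "js")

# Request URIs from the login flow on this page ("ID" and "HASH" are
# placeholders for the student ID and MD5 value), plus two constructed
# static-asset paths for comparison.
REQUESTS = [
    "/index.portal",
    "/authserver/login?service=http://isportal.xuexiao.edu.cn/index.portal",
    "/cas_verify.aspx?i=ID&k=HASH",
    "/xs_main.aspx?xh=ID",
    "/ssoserver/login?ywxt=xg&url=stuPage.jsp",
    "/xgxt/stuPage.jsp",
    "/ReaderTable.aspx",
    "/static/app.js",      # constructed
    "/images/logo.png",    # constructed
]


def path_of(request_uri):
    """Return the part of the request URI that nginx matches locations on."""
    return request_uri.split("?", 1)[0]


def goes_to_cache(pattern, request_uri):
    """True if the request would be handled by the static-cache location."""
    return pattern.search(path_of(request_uri)) is not None


def misrouted(pattern, requests=REQUESTS):
    """Requests captured by `pattern` whose path is not a static file."""
    hits = []
    for uri in requests:
        ext = path_of(uri).rsplit(".", 1)[-1]
        if goes_to_cache(pattern, uri) and ext not in STATIC_EXTS:
            hits.append(uri)
    return hits


if __name__ == "__main__":
    for uri in REQUESTS:
        print(f"{uri:72} unanchored={goes_to_cache(UNANCHORED, uri)!s:5} "
              f"anchored={goes_to_cache(ANCHORED, uri)}")
    print("dynamic pages sent to the cache location:", misrouted(UNANCHORED))
```

A page that lands in the static-cache location is stored under nginx's default cache key `$scheme$proxy_host$request_uri`, which contains no cookie, and `proxy_ignore_headers Set-Cookie Cache-Control` lets it be stored even when the upstream marks it as per-user. Every visitor then receives the same cached copy for the `proxy_cache_valid` period.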

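Case analysis

The school's academic platform is "Smart XX". The main site runs on Jinzhihui (金智慧), but the academic affairs and student management systems use Zhengfang (正方), and library management uses Jinpan (金盘).
Analyzing the login flow gives the following:

Home page URL: http://isportal.xuexiao.edu.cn/login.portal  
Clicking "Log in now" redirects to: http://ids.xuexiao.edu.cn/authserver/login?service=http://isportal.xuexiao.edu.cn/index.portal  
After the student ID and password are entered, it redirects back to http://isportal.xuexiao.edu.cn/ 
but the path suffix changes from login.portal to index.portal 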

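The intranet system URLs are:  
Zhengfang academic affairs: http://192.168.200.40  
Wanman student affairs (完满学工): http://192.168.200.45  
Library management system: http://192.168.200.133:8090  

In http://isportal.xuexiao.edu.cn/index.portal  
the addresses of the three intranet systems above are, respectively:  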
http://192.168.200.40/  
http://192.168.200.45:81/  
http://192.168.200.133:8090  

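Let's go through them one by one.  
Zhengfang academic affairs: http://192.168.200.40/login_cas.aspx 
Clicking it silently redirects to http://192.168.200.40/cas_verify.aspx?i=[student ID]&k=[MD5]  and then enters the academic system at http://192.168.200.40/xs_main.aspx?xh=[student ID]
The actual links have no [] brackets. It is also unclear what k in the first link means; my guess is that it is used for verification.  

Wanman student affairs: http://192.168.200.45:81/ssoserver/login?ywxt=xg&url=stuPage.jsp In fact, we know that the Wanman student affairs site itself does not use port 81, so port 81, like ids.xuexiao.edu.cn, is used for cross-platform authentication; afterwards it redirects to http://192.168.200.45/xgxt/stuPage.jsp

Library management system: http://ids.xuexiao.edu.cn/authserver/login?service=http://192.168.200.133:8021/default.aspx  
It first redirects to http://192.168.200.133:8021/Tick.aspx for verification
and then redirects to http://192.168.200.133:8090/ReaderTable.aspx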

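From this we can conclude that we need to reverse-proxy five sites in total, with five ports to open in total,
namely 80, 81, 443, 8021 and 8090.
Because the school's China Telecom public IP falls in the residential-broadband range, ports 80 and 443 are both blocked, so 80 and 443 have to be replaced with other, uncommon ports.
Here we assign the five sites the following ports: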

Original address          Original port(s)  New address          New port(s)  Host
isportal.xuexiao.edu.cn   80                isportal.proxy.com   80, 443      Cloudflare
ids.xuexiao.edu.cn        80                ids.proxy.com        80, 443      Cloudflare
192.168.200.40            80                jiaowu.proxy.com     8661         Campus China Telecom line
192.168.200.45            80, 81            tuanwei.proxy.com    8991, 8971   Campus China Telecom line
192.168.200.133           8021, 8090        tushu.proxy.com      8751, 8864   Campus China Telecom line

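Also, the three intranet sites all seem to need cross-site authentication with the main site ids.xuexiao.edu.cn, so the substitution module has to be configured on every site to replace every occurrence of xuexiao.edu.cn with our own domain.

In addition, the isportal and ids sites are open to the public internet, so we can deploy these two behind Cloudflare and use its CDN to avoid being DDoSed, which also serves to hide the three intranet sites.

Configuration files

Below are my nginx conf files.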

isportal.xuexiao.edu.cn

Corresponds to https://proxy.com

server
    {
        listen 80;
        server_name proxy.com;
        # Force HTTP to redirect to HTTPS
        return 301 https://$host$request_uri;
        index index.portal;
        root  /var/www/proxy.com;

        if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
        return 403;
        }
        # Block search-engine crawlers

        access_log  /var/log/proxy.com.log;
    }

server {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name  proxy.com;
        index index.portal;
        root  /var/www/proxy.com;       
        # Default index page

        if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
        return 403;
        }
        # Block search-engine crawlers

        ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        location ~ \.(gif|jpg|png|css|js)$ {

                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://isportal.xuexiao.edu.cn; 
                proxy_redirect off;
                proxy_set_header Host isportal.xuexiao.edu.cn;
                proxy_cache cache_one;
                proxy_cache_valid 200 302 24h;
                proxy_cache_valid 301 30d;
                proxy_cache_valid any 5m;
                proxy_ignore_headers Set-Cookie Cache-Control;
                expires 90d;
                add_header wall  "cache hit ok!.";
        }
        # Cache static files to reduce requests to the origin

        location / {
        subs_filter_types text/css text/xml;
        subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
        subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
        subs_filter http://192.168.200.40 https://jiaowu.proxy.com:8661 ig;
        subs_filter http://192.168.200.45:81 https://tuanwei.proxy.com:8971 ig;
        subs_filter http://192.168.200.133 https://tushu.proxy.com ig;
        subs_filter isportal.xuexiao.edu.cn proxy.com ig;
        subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
        subs_filter 192.168.200.40 jiaowu.proxy.com:8661 ig;
        subs_filter 192.168.200.45 tuanwei.proxy.com ig;
        subs_filter 192.168.200.133 tushu.proxy.com ig;
        subs_filter service=https://proxy.com/index.portal service=http://isportal.xuexiao.edu.cn/index.portal;
        subs_filter service=https://tushu.proxy.com:8751/default.aspx service=http://192.168.200.133:8021/default.aspx;
        # Substitution module

        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 104.16.0.0/12;
        set_real_ip_from 131.0.72.0/22;
        set_real_ip_from 2400:cb00::/32;
        set_real_ip_from 2606:4700::/32;
        set_real_ip_from 2803:f800::/32;
        set_real_ip_from 2405:b500::/32;
        set_real_ip_from 2405:8100::/32;
        set_real_ip_from 2a06:98c0::/29;
        set_real_ip_from 2c0f:f248::/32;
        # use any of the following two
        real_ip_header CF-Connecting-IP;
        #real_ip_header X-Forwarded-For;
        # Pass the visitor IP through from Cloudflare

        proxy_set_header   X-Real-IP  $remote_addr;
        #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the visitor IP to the backend

        proxy_set_header   Referer http://isportal.xuexiao.edu.cn;
        # Force the Referer; the application's validation checks use it

        proxy_set_header   Host isportal.xuexiao.edu.cn;
        # Set the Host header

        proxy_pass http://isportal.xuexiao.edu.cn;
        # Backend address

        proxy_set_header Accept-Encoding "";
        # Clear Accept-Encoding so the upstream replies uncompressed

        proxy_cache_use_stale invalid_header error timeout http_502;
        # Serve stale cache when the backend errors, times out or returns 502

        proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
        proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
        proxy_redirect http://192.168.200.40/ https://jiaowu.proxy.com:8661/;
        proxy_redirect http://192.168.200.45/ https://tuanwei.proxy.com:8991/;
        proxy_redirect http://192.168.200.45:81/ https://tuanwei.proxy.com:8971/;
        proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
        proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
        # Rewrite 302 redirects

      }

        access_log  /var/log/proxy.com.log;
}

ids.xuexiao.edu.cn

Corresponds to https://ids.proxy.com

server
    {
        listen 80;
        server_name ids.proxy.com;
        # Force HTTP to redirect to HTTPS
        return 301 https://$host$request_uri;
        index index.portal;
        root  /var/www/ids.proxy.com;

        if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
        return 403;
        }
        # Block search-engine crawlers

        #include enable-php.conf;

        access_log  /var/log/ids.proxy.com.log;
    }

server {
        listen 443 ssl http2;
        #listen [::]:443 ssl http2;
        server_name  ids.proxy.com;
        index index.html;
        root  /var/www/ids.proxy.com;       
        # Default index page

        if ($http_user_agent ~* (baiduspider|360spider|haosouspider|googlebot|soso|bing|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler)) {
        return 403;
        }
        # Block search-engine crawlers

        ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        location ~ \.(gif|jpg|png|css|js)$ {

                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://ids.xuexiao.edu.cn;
                proxy_redirect off;
                proxy_set_header Host ids.xuexiao.edu.cn;
                proxy_cache cache_one;
                proxy_cache_valid 200 302 24h;
                proxy_cache_valid 301 30d;
                proxy_cache_valid any 5m;
                proxy_ignore_headers Set-Cookie Cache-Control;
                expires 90d;
                add_header wall  "cache hit ok!.";
        }
        # Cache static files to reduce requests to the origin

        location / {
        subs_filter_types text/css text/xml;
        subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
        subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
        subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
        subs_filter isportal.xuexiao.edu.cn proxy.com ig;
        subs_filter service=https://proxy.com/index.portal service=http://isportal.xuexiao.edu.cn/index.portal;
        # Substitution module

        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 104.16.0.0/12;
        set_real_ip_from 131.0.72.0/22;
        set_real_ip_from 2400:cb00::/32;
        set_real_ip_from 2606:4700::/32;
        set_real_ip_from 2803:f800::/32;
        set_real_ip_from 2405:b500::/32;
        set_real_ip_from 2405:8100::/32;
        set_real_ip_from 2a06:98c0::/29;
        set_real_ip_from 2c0f:f248::/32;
        # use any of the following two
        real_ip_header CF-Connecting-IP;
        #real_ip_header X-Forwarded-For;
        # Pass the visitor IP through from Cloudflare

        proxy_set_header   X-Real-IP  $remote_addr;
        #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the visitor IP to the backend

        proxy_set_header   Referer http://ids.xuexiao.edu.cn/;
        # Force the Referer; the application's validation checks use it

        proxy_set_header   Host ids.xuexiao.edu.cn;
        # Set the Host header

        proxy_pass http://ids.xuexiao.edu.cn;
        # Backend address

        proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
        proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
        proxy_redirect http://192.168.200.40/ https://jiaowu.proxy.com:8661/;
        proxy_redirect http://192.168.200.45/ https://tuanwei.proxy.com:8991/;
        proxy_redirect http://192.168.200.45:81/ https://tuanwei.proxy.com:8971/;
        proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
        proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
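        # Rewrite 302 redirects

        proxy_set_header Accept-Encoding "";
        # Clear Accept-Encoding so the upstream replies uncompressed

        proxy_cache_use_stale invalid_header error timeout http_502;
        # Serve stale cache when the backend errors, times out or returns 502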

      }

        access_log  /var/log/ids.proxy.com.log;

}

192.168.200.40

Corresponds to https://jiaowu.proxy.com

server {
        listen 2052 ssl http2;
        server_name  jiaowu.proxy.com;
        index index.html;
        root  /home/wwwroot/jiaowu.proxy.com;       
        # Default index page

        ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        location ~ \.(gif|jpg|png|css|js)$ {

                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://192.168.200.40;
                proxy_redirect off;
                proxy_set_header Host 192.168.200.40;
                proxy_cache cache_one;
                proxy_cache_valid 200 302 24h;
                proxy_cache_valid 301 30d;
                proxy_cache_valid any 5m;
                proxy_ignore_headers Set-Cookie Cache-Control;
                expires 90d;
                add_header wall  "cache hit ok!.";
        }
        # Cache static files to reduce requests to the origin

        location / {
        subs_filter_types text/css text/xml;
        subs_filter http://192.168.200.40 https://jiaowu.proxy.com:8661 ig;
        subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
        subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
        #subs_filter 192.168.200.40 jiaowu.proxy.com ig;
        #subs_filter isportal.xuexiao.edu.cn proxy.com ig;
        #subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
        # Substitution module

        proxy_set_header   X-Real-IP  $remote_addr;
        #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the visitor IP to the backend

        proxy_set_header   Referer http://192.168.200.40/;
        # Force the Referer; the application's validation checks use it

        proxy_set_header   Host 192.168.200.40;
        # Set the Host header

        proxy_pass http://192.168.200.40;
        # Backend address

        proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
        proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
        proxy_redirect http://192.168.200.40/ https://jiaowu.proxy.com:8661/;
        proxy_redirect http://192.168.200.45/ https://tuanwei.proxy.com:8991/;
        proxy_redirect http://192.168.200.45:81/ https://tuanwei.proxy.com:8971/;
        proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
        proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
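        # Rewrite 302 redirects

        proxy_set_header Accept-Encoding "";
        # Clear Accept-Encoding so the upstream replies uncompressed

        proxy_cache_use_stale invalid_header error timeout http_502;
        # Serve stale cache when the backend errors, times out or returns 502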

      }

        access_log  /home/wwwlogs/jiaowu.proxy.com.log;

}

192.168.200.45

Corresponds to https://tuanwei.proxy.com

server {
        listen 8991 ssl http2;
        server_name  tuanwei.proxy.com;
        index default2.aspx;
        root  /home/wwwroot/tushu.proxy.com;
        # Default index page

        ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        location ~ \.(gif|jpg|png|css|js)$ {

                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://192.168.200.45;
                proxy_redirect off;
                proxy_set_header Host 192.168.200.45;
                proxy_cache cache_one;
                proxy_cache_valid 200 302 24h;
                proxy_cache_valid 301 30d;
                proxy_cache_valid any 5m;
                proxy_ignore_headers Set-Cookie Cache-Control;
                expires 90d;
                add_header wall  "cache hit ok!.";
        }
        # Cache static files to reduce requests to the origin

        location / {
        subs_filter_types text/css text/xml;
        subs_filter http://192.168.200.45 https://tuanwei.proxy.com:8971 ig;
        subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
        subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
        #subs_filter 192.168.200.45 tushu.proxy.com ig;
        #subs_filter isportal.xuexiao.edu.cn proxy.com ig;
        #subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
        # Substitution module

        proxy_set_header   X-Real-IP  $remote_addr;
        #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the visitor IP to the backend

        proxy_set_header   Referer http://192.168.200.45/;
        # Force the Referer; the application's validation checks use it

        proxy_set_header   Host 192.168.200.45;
        # Set the Host header

        proxy_pass http://192.168.200.45;
        # Backend address

        proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
        proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
        proxy_redirect http://192.168.200.40/ https://jiaowu.proxy.com:8661/;
        proxy_redirect http://192.168.200.45/ https://tuanwei.proxy.com:8991/;
        proxy_redirect http://192.168.200.45:81/ https://tuanwei.proxy.com:8971/;
        proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
        proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
        # Rewrite 302 redirects

        proxy_set_header Accept-Encoding "";
        # Clear Accept-Encoding so the upstream replies uncompressed

        proxy_cache_use_stale invalid_header error timeout http_502;
        # Serve stale cache when the backend errors, times out or returns 502

      }

        access_log  /home/wwwlogs/tushu.proxy.com.log;

}
server {
        listen       8971 ssl http2;
        server_name  tuanwei.proxy.com;
        index default2.aspx;
        root  /home/wwwroot/tushu.proxy.com;
        # Default index page

        ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        location ~ \.(gif|jpg|png|css|js)$ {

                proxy_pass http://192.168.200.45:81;
                proxy_redirect off;
                proxy_set_header Host 192.168.200.45:81;
                proxy_cache cache_one;
                proxy_cache_valid 200 302 24h;
                proxy_cache_valid 301 30d;
                proxy_cache_valid any 5m;
                proxy_ignore_headers Set-Cookie Cache-Control;
                expires 90d;
                add_header wall  "cache hit ok!.";
        }
        # Cache static files to reduce requests to the origin

        location / {
        subs_filter_types text/css text/xml;
        subs_filter http://192.168.200.45 https://tuanwei.proxy.com ig;
        subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
        subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
        #subs_filter 192.168.200.45 tushu.proxy.com ig;
        #subs_filter isportal.xuexiao.edu.cn proxy.com ig;
        #subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
        # Substitution module

        proxy_set_header   X-Real-IP  $remote_addr;
        #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the visitor IP to the backend

        proxy_set_header   Referer http://192.168.200.45:81/;
        # Force the Referer; the application's validation checks use it

        proxy_set_header   Host 192.168.200.45:81;
        # Set the Host header

        proxy_pass http://192.168.200.45:81;
        # Backend address

        proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
        proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
        proxy_redirect http://192.168.200.40/ https://jiaowu.proxy.com:8661/;
        proxy_redirect http://192.168.200.45/ https://tuanwei.proxy.com:8991/;
        proxy_redirect http://192.168.200.45:81/ https://tuanwei.proxy.com:8971/;
        # Rewrite 302 redirects

        proxy_set_header Accept-Encoding "";
        # Clear Accept-Encoding so the upstream replies uncompressed

        proxy_cache_use_stale invalid_header error timeout http_502;
        # Serve stale cache when the backend errors, times out or returns 502

      }

        access_log  /home/wwwlogs/tushu.proxy.com.log;

}

192.168.200.133

Corresponds to https://tushu.proxy.com

server {
        listen       8864 ssl http2;
        server_name  tushu.proxy.com;
        index index.html;
        root  /home/wwwroot/tushu.proxy.com;        
        # Default index page

        ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        location ~ \.(gif|jpg|png|css|js)$ {

                proxy_set_header X-Real-IP $remote_addr;
                proxy_pass http://192.168.200.133:8090;
                proxy_redirect off;
                proxy_set_header Host 192.168.200.133:8090;
                proxy_cache cache_one;
                proxy_cache_valid 200 302 24h;
                proxy_cache_valid 301 30d;
                proxy_cache_valid any 5m;
                proxy_ignore_headers Set-Cookie Cache-Control;
                expires 90d;
                add_header wall  "cache hit ok!.";
        }
        # Cache static files to reduce requests to the origin

        location / {
        subs_filter_types text/css text/xml;
        subs_filter http://192.168.200.133 https://tushu.proxy.com ig;
        subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
        subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
        #subs_filter 192.168.200.133 tushu.proxy.com ig;
        #subs_filter isportal.xuexiao.edu.cn proxy.com ig;
        #subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
        # Substitution module

        proxy_set_header   X-Real-IP  $remote_addr;
        #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the visitor IP to the backend

        proxy_set_header   Referer http://192.168.200.133:8090/;
        # Force the Referer; the application's validation checks use it

        proxy_set_header   Host 192.168.200.133:8090;
        # Set the Host header

        proxy_pass http://192.168.200.133:8090;
        # Backend address

        proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
        proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
        proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
        proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
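        # Rewrite 302 redirects

        proxy_set_header Accept-Encoding "";
        # Clear Accept-Encoding so the upstream replies uncompressed

        proxy_cache_use_stale invalid_header error timeout http_502;
        # Serve stale cache when the backend errors, times out or returns 502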

      }

        access_log  /home/wwwlogs/tushu.proxy.com.log;

}

server {
        listen       8751 ssl http2;
        server_name  tushu.proxy.com;
        index index.html;
        root  /home/wwwroot/tushu.proxy.com;        
        # Default index page

        ssl_certificate /usr/local/nginx/conf/ssl/proxy.com/fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/proxy.com/*.proxy.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        location ~ \.(gif|jpg|png|css|js)$ {

                proxy_pass http://192.168.200.133:8021;
                proxy_redirect off;
                proxy_set_header Host 192.168.200.133:8021;
                proxy_cache cache_one;
                proxy_cache_valid 200 302 24h;
                proxy_cache_valid 301 30d;
                proxy_cache_valid any 5m;
                proxy_ignore_headers Set-Cookie Cache-Control;
                expires 90d;
                add_header wall  "cache hit ok!.";
        }
        # Cache static files to reduce requests to the origin

        location / {
        subs_filter_types text/css text/xml;
        subs_filter http://192.168.200.133:8090 https://tushu.proxy.com:8864 ig;
        subs_filter http://isportal.xuexiao.edu.cn https://proxy.com ig;
        subs_filter http://ids.xuexiao.edu.cn https://ids.proxy.com ig;
        #subs_filter 192.168.200.133 tushu.proxy.com ig;
        #subs_filter isportal.xuexiao.edu.cn proxy.com ig;
        #subs_filter ids.xuexiao.edu.cn ids.proxy.com ig;
        # Substitution module

        proxy_set_header   X-Real-IP  $remote_addr;
        #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the visitor IP to the backend

        proxy_set_header   Referer http://192.168.200.133:8021/;
        # Force the Referer; the application's validation checks use it

        proxy_set_header   Host 192.168.200.133:8021;
        # Set the Host header

        proxy_pass http://192.168.200.133:8021;
        # Backend address

        proxy_redirect http://isportal.xuexiao.edu.cn/ https://proxy.com/;
        proxy_redirect http://ids.xuexiao.edu.cn/ https://ids.proxy.com/;
        proxy_redirect http://192.168.200.133:8090/ https://tushu.proxy.com:8864/;
        proxy_redirect http://192.168.200.133:8021/ https://tushu.proxy.com:8751/;
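        # Rewrite 302 redirects

        proxy_set_header Accept-Encoding "";
        # Clear Accept-Encoding so the upstream replies uncompressed

        proxy_cache_use_stale invalid_header error timeout http_502;
        # Serve stale cache when the backend errors, times out or returns 502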

      }

        access_log  /home/wwwlogs/tushu.proxy.com.log;

}
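
How the proxy_redirect rule list in these server blocks rewrites upstream Location headers, as an added example that is not part of the original post. It models nginx's behavior (directives tried in order, the first matching prefix replaced, case-sensitive) on redirect targets from the login flow analyzed earlier; `NO_SLASH_RULES`, `audit` and the other names are illustrative, and `ID` is a placeholder for the student ID.

```python
import re

# (upstream prefix, public prefix) pairs, in the order of the proxy_redirect
# directives in the proxy.com server block on this page.
RULES = [
    ("http://isportal.xuexiao.edu.cn/", "https://proxy.com/"),
    ("http://ids.xuexiao.edu.cn/", "https://ids.proxy.com/"),
    ("http://192.168.200.40/", "https://jiaowu.proxy.com:8661/"),
    ("http://192.168.200.45/", "https://tuanwei.proxy.com:8991/"),
    ("http://192.168.200.45:81/", "https://tuanwei.proxy.com:8971/"),
    ("http://192.168.200.133:8090/", "https://tushu.proxy.com:8864/"),
    ("http://192.168.200.133:8021/", "https://tushu.proxy.com:8751/"),
]

# The two 192.168.200.45 rules written without a trailing slash, in the style of
# the generic template ("proxy_redirect http://a.example.com http://b.example.com;").
NO_SLASH_RULES = [
    ("http://192.168.200.45", "https://tuanwei.proxy.com:8991"),
    ("http://192.168.200.45:81", "https://tuanwei.proxy.com:8971"),
]

# Redirect targets taken from the login flow analyzed on this page.
FLOW = [
    "http://ids.xuexiao.edu.cn/authserver/login"
    "?service=http://isportal.xuexiao.edu.cn/index.portal",
    "http://isportal.xuexiao.edu.cn/index.portal",
    "http://192.168.200.40/xs_main.aspx?xh=ID",
    "http://192.168.200.45:81/ssoserver/login?ywxt=xg&url=stuPage.jsp",
    "http://192.168.200.45/xgxt/stuPage.jsp",
    "http://192.168.200.133:8021/Tick.aspx",
    "http://192.168.200.133:8090/ReaderTable.aspx",
]

PUBLIC_ORIGIN = re.compile(r"^https://[a-z0-9.-]+(:\d+)?/")
UPSTREAM = re.compile(r"^http://(192\.168\.200\.\d+|[a-z]+\.xuexiao\.edu\.cn)[:/]")


def rewrite_location(location, rules=RULES):
    """Replace the first matching prefix; later rules are not tried."""
    for prefix, replacement in rules:
        if location.startswith(prefix):
            return replacement + location[len(prefix):]
    return location


def audit(locations, rules=RULES):
    """Map each Location to (status, rewritten value).

    'upstream'  : no rule matched, an internal address reaches the browser
    'malformed' : a rule matched but the result is not a valid public origin
    'ok'        : rewritten to one of the public listeners
    """
    report = {}
    for loc in locations:
        out = rewrite_location(loc, rules)
        if UPSTREAM.match(out):
            status = "upstream"
        elif not PUBLIC_ORIGIN.match(out):
            status = "malformed"
        else:
            status = "ok"
        report[loc] = (status, out)
    return report


if __name__ == "__main__":
    for label, rules in (("full rule list", RULES),
                         ("no trailing slash", NO_SLASH_RULES),
                         ("library rules missing", RULES[:5])):
        print(label)
        for loc, (status, out) in audit(FLOW, rules).items():
            print(f"  {status:9} {loc} -> {out}")
```

Only the leading prefix is replaced, so the `service=` value inside the ids login URL is left pointing at the upstream host. Without the trailing slash, the `http://192.168.200.45` rule also captures `http://192.168.200.45:81/...` and produces a host with two ports.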

