
Setting up communication from a forward proxy to a reverse proxy with tinyproxy

  • December 15, 2017

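I am having trouble connecting a forward proxy and a reverse proxy, both powered by tinyproxy (version 1.8.3). I don't know whether it is a configuration problem.

I am testing these proxies using 4 virtual machines running Debian GNU/Linux 8.9 (jessie). The machines represent the client, the forward proxy, the reverse proxy and the server. I am setting up communication between the forward and reverse proxies.

The server is running an Apache server, which returns the default HTML page saying "It works".

The desired behaviour is for the client to communicate with the server through the forward proxy, which upstreams to the reverse proxy that interacts with the server: client (10.0.2.33) -> forward proxy (10.0.2.35) -> reverse proxy (10.0.2.36) -> server (10.0.2.34)

To test the system, I used this curl command on the client machine: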

curl -v --proxy http://10.0.2.35:8888 http://10.0.2.34:80/

Forward proxy configuration file:

## tinyproxy.conf -- tinyproxy daemon configuration file

User nobody
Group nogroup

Port 8888
Listen 10.0.2.35
BindSame yes
Timeout 600

DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
#Syslog On
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"

#Upstream 10.0.2.36:8888 "10.0.2.0/24"
Upstream 10.0.2.36:8888

MaxClients 100
MinSpareServers 2
MaxSpareServers 5
StartServers 2
MaxRequestsPerChild 0

Allow 127.0.0.1
Allow 10.0.2.0/24

ViaProxyName "tinyproxy1"

ConnectPort 8888
ConnectPort 80

# The following two ports are used by SSL.
ConnectPort 443
ConnectPort 563

Reverse proxy configuration file:

## tinyproxy.conf -- tinyproxy daemon configuration file

User nobody
Group nogroup

Port 8888
Listen 10.0.2.36

BindSame yes
Timeout 600

StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
#Syslog On
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"

no upstream "10.0.2.34:80"
#no upstream "."

MaxClients 5
MinSpareServers 2
MaxSpareServers 5
StartServers 2

MaxRequestsPerChild 0

Allow 127.0.0.1
Allow 10.0.2.0/24
Allow 10.0.2.35

ViaProxyName "tinyproxy2"

ConnectPort 8888
ConnectPort 80

# The following two ports are used by SSL.
ConnectPort 443
ConnectPort 563

ReversePath "/" "http://10.0.2.34:80/"
ReversePath "/wired/" "http://www.wired.com/"

ReverseOnly Yes
ReverseMagic Yes
ReverseBaseURL "http://10.0.2.34:80/"

These are the TCP streams captured by Wireshark:

Stream [client <-> forward proxy]

GET http://10.0.2.34:80/ HTTP/1.1
User-Agent: curl/7.38.0
Host: 10.0.2.34
Accept: */*
Proxy-Connection: Keep-Alive

HTTP/1.0 400 Bad Request
Via: 1.1 tinyproxy1 (tinyproxy/1.8.3)
Server: tinyproxy/1.8.3
Content-Type: text/html

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head><title>400 Bad Request</title></head>
<body>
<h1>Bad Request</h1>
<p>Request has an invalid URL</p>
<hr />
<p><em>Generated by tinyproxy version 1.8.3.</em></p>
</body>
</html>

Stream [forward proxy <-> reverse proxy]

GET http://10.0.2.34:80/ HTTP/1.0
Host: 10.0.2.34
Connection: close
Via: 1.1 tinyproxy1 (tinyproxy/1.8.3)
User-Agent: curl/7.38.0
Accept: */*

HTTP/1.0 400 Bad Request
Server: tinyproxy/1.8.3
Content-Type: text/html
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head><title>400 Bad Request</title></head>
<body>
<h1>Bad Request</h1>
<p>Request has an invalid URL</p>
<hr />
<p><em>Generated by tinyproxy version 1.8.3.</em></p>
</body>
</html>

This is the output of the tinyproxy log files:

Forward proxy

CONNECT   Dec 10 22:05:08 [2788]: Connect (file descriptor 6): 10.0.2.33 [10.0.2.33] at [10.0.2.35]
CONNECT   Dec 10 22:05:08 [2788]: Request (file descriptor 6): GET http://10.0.2.34:80/ HTTP/1.1
INFO      Dec 10 22:05:08 [2788]: Found upstream proxy 10.0.2.36:8888 for 10.0.2.34
CONNECT   Dec 10 22:05:08 [2788]: Established connection to upstream proxy "10.0.2.36" using file descriptor 7.
INFO      Dec 10 22:05:08 [2788]: Closed connection between local client (fd:6) and remote client (fd:7)

Reverse proxy

CONNECT   Dec 10 22:05:08 [4487]: Connect (file descriptor 6): 10.0.2.35 [10.0.2.35] at [10.0.2.36]
CONNECT   Dec 10 22:05:08 [4487]: Request (file descriptor 6): GET http://10.0.2.34:80/ HTTP/1.0
ERROR     Dec 10 22:05:08 [4487]: Bad request
INFO      Dec 10 22:05:08 [4487]: no entity

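Currently, because of my reverse proxy configuration (ReversePath), I can access the server page (http://10.0.2.34:80/) from inside the reverse proxy machine by "curling" http://10.0.2.36:8888/. The following image shows the Wireshark capture on the reverse proxy machine.

[Image: capture of the reverse proxy accessing the server]

With all these configurations, all I get on the client machine is a 400 bad request error message from the reverse proxy.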

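This problem is solved. The way to test this is not to request the page directly from the server, but from the reverse proxy machine. Also, the forward proxy should not upstream traffic to the reverse proxy.

The reverse proxy cannot understand requests addressed to the host/server if the forward proxy upstreams the traffic, because they work differently.

The correct configuration of the forward proxy must exclude the following line: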

upstream 10.0.2.36:8888

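Because the reverse proxy has the following rule:

ReversePath "/" "http://10.0.2.34:80/"

When requesting the server resource (the "It works" page from Apache), once we request "http://10.0.2.36:8888/", the reverse proxy (10.0.2.36) will request the server (10.0.2.34).

We should run curl against the reverse proxy: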

curl -v --proxy http://10.0.2.35:8888 http://10.0.2.36:8888/

Then we can see that the configuration works, with the following output:

root@debian:/home/debian# curl -v --proxy http://10.0.2.35:8888 http://10.0.2.36:8888
* Rebuilt URL to: http://10.0.2.36:8888/
* Hostname was NOT found in DNS cache
*   Trying 10.0.2.35...
* Connected to 10.0.2.35 (10.0.2.35) port 8888 (#0)
> GET http://10.0.2.36:8888/ HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 10.0.2.36:8888
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Via: 1.0 tinyproxy2 (tinyproxy/1.8.3), 1.1 tinyproxy1 (tinyproxy/1.8.3)
< Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
< Date: Tue, 12 Dec 2017 23:01:37 GMT
< Content-Type: text/html
< ETag: "2d-432a5e4a73a80"
< Set-Cookie: yummy_magical_cookie=/; path=/
* Server Apache/2.4.29 (Unix) is not blacklisted
< Server: Apache/2.4.29 (Unix)
< Content-Length: 45
< Accept-Ranges: bytes
< 
<html><body><h1>It works!</h1></body></html>
* Connection #0 to host 10.0.2.35 left intact
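
Added example (not part of the original post and not tinyproxy's code): a simplified Python model of the two hops, showing why the absolute-form request line seen in the capture matches no ReversePath prefix while the origin-form `GET /` does. The function names and the longest-prefix rule are assumptions of this model; addresses and rules are the ones from the page.

```python
# Added illustration: a simplified model, not tinyproxy source code.
# Function names are hypothetical; addresses and rules are taken from the page.
from urllib.parse import urlsplit

# ReversePath rules from the reverse proxy configuration (10.0.2.36).
REVERSE_PATHS = [
    ("/", "http://10.0.2.34:80/"),
    ("/wired/", "http://www.wired.com/"),
]


def forward_request_line(client_url, upstream=None):
    """Return (next_hop, request_line) as emitted by the forward proxy.

    With an upstream proxy the absolute URL is passed on unchanged;
    without one the proxy connects to the URL's own host and sends
    only the path (origin-form).
    """
    parts = urlsplit(client_url)
    if upstream:
        return upstream, f"GET {client_url} HTTP/1.0"
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"{parts.hostname}:{parts.port or 80}", f"GET {path} HTTP/1.0"


def reverse_only_map(request_line, rules=REVERSE_PATHS):
    """Map a request target to a backend URL, or None (answered with 400).

    Assumption of this model: the longest matching path prefix wins.
    """
    _method, target, _version = request_line.split()
    for prefix, backend in sorted(rules, key=lambda r: len(r[0]), reverse=True):
        if target.startswith(prefix):
            return backend + target[len(prefix):]
    return None  # e.g. "http://10.0.2.34:80/" does not start with "/"


def trace(client_url, upstream=None):
    """Follow one client request through both proxies."""
    hop, line = forward_request_line(client_url, upstream)
    backend = reverse_only_map(line) if hop == "10.0.2.36:8888" else None
    return hop, line, backend


if __name__ == "__main__":
    print(trace("http://10.0.2.34:80/", upstream="10.0.2.36:8888"))  # failing setup
    print(trace("http://10.0.2.36:8888/"))                           # working setup
```
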

Quoted from: https://serverfault.com/questions/887453