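Setting up communication from a forward proxy to a reverse proxy using tinyproxy
I am having trouble connecting a forward proxy and a reverse proxy, both powered by tinyproxy (version 1.8.3). I don't know whether it is a configuration problem.
I am testing these proxies using 4 virtual machines running Debian GNU/Linux 8.9 (jessie). The machines represent the client, the forward proxy, the reverse proxy and the server. I am setting up communication between the forward and reverse proxies.
The server is running an Apache server, which returns the default HTML page that says "It works".
The desired behaviour is for the client to communicate with the server through the forward proxy, which upstreams to the reverse proxy, which interacts with the server: client (10.0.2.33) -> forward proxy (10.0.2.35) -> reverse proxy (10.0.2.36) -> server (10.0.2.34)
To test the system, I used this curl command on the client machine:
    curl -v --proxy http://10.0.2.35:8888 http://10.0.2.34:80/
Forward proxy configuration file: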
    ## tinyproxy.conf -- tinyproxy daemon configuration file
    User nobody
    Group nogroup
    Port 8888
    Listen 10.0.2.35
    BindSame yes
    Timeout 600
    DefaultErrorFile "/usr/share/tinyproxy/default.html"
    StatFile "/usr/share/tinyproxy/stats.html"
    Logfile "/var/log/tinyproxy/tinyproxy.log"
    #Syslog On
    LogLevel Info
    PidFile "/var/run/tinyproxy/tinyproxy.pid"
    #Upstream 10.0.2.36:8888 "10.0.2.0/24"
    Upstream 10.0.2.36:8888
    MaxClients 100
    MinSpareServers 2
    MaxSpareServers 5
    StartServers 2
    MaxRequestsPerChild 0
    Allow 127.0.0.1
    Allow 10.0.2.0/24
    ViaProxyName "tinyproxy1"
    ConnectPort 8888
    ConnectPort 80
    # The following two ports are used by SSL.
    ConnectPort 443
    ConnectPort 563
Reverse proxy configuration file:
    ## tinyproxy.conf -- tinyproxy daemon configuration file
    User nobody
    Group nogroup
    Port 8888
    Listen 10.0.2.36
    BindSame yes
    Timeout 600
    StatFile "/usr/share/tinyproxy/stats.html"
    Logfile "/var/log/tinyproxy/tinyproxy.log"
    #Syslog On
    LogLevel Info
    PidFile "/var/run/tinyproxy/tinyproxy.pid"
    no upstream "10.0.2.34:80"
    #no upstream "."
    MaxClients 5
    MinSpareServers 2
    MaxSpareServers 5
    StartServers 2
    MaxRequestsPerChild 0
    Allow 127.0.0.1
    Allow 10.0.2.0/24
    Allow 10.0.2.35
    ViaProxyName "tinyproxy2"
    ConnectPort 8888
    ConnectPort 80
    # The following two ports are used by SSL.
    ConnectPort 443
    ConnectPort 563
    ReversePath "/" "http://10.0.2.34:80/"
    ReversePath "/wired/" "http://www.wired.com/"
    ReverseOnly Yes
    ReverseMagic Yes
    ReverseBaseURL "http://10.0.2.34:80/"
These are the TCP streams captured with Wireshark:
Stream [client <-> forward proxy]
    GET http://10.0.2.34:80/ HTTP/1.1
    User-Agent: curl/7.38.0
    Host: 10.0.2.34
    Accept: */*
    Proxy-Connection: Keep-Alive

    HTTP/1.0 400 Bad Request
    Via: 1.1 tinyproxy1 (tinyproxy/1.8.3)
    Server: tinyproxy/1.8.3
    Content-Type: text/html

    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
    <html>
    <head><title>400 Bad Request</title></head>
    <body>
    <h1>Bad Request</h1>
    <p>Request has an invalid URL</p>
    <hr />
    <p><em>Generated by tinyproxy version 1.8.3.</em></p>
    </body>
    </html>
Stream [forward proxy <-> reverse proxy]
    GET http://10.0.2.34:80/ HTTP/1.0
    Host: 10.0.2.34
    Connection: close
    Via: 1.1 tinyproxy1 (tinyproxy/1.8.3)
    User-Agent: curl/7.38.0
    Accept: */*

    HTTP/1.0 400 Bad Request
    Server: tinyproxy/1.8.3
    Content-Type: text/html
    Connection: close

    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
    <html>
    <head><title>400 Bad Request</title></head>
    <body>
    <h1>Bad Request</h1>
    <p>Request has an invalid URL</p>
    <hr />
    <p><em>Generated by tinyproxy version 1.8.3.</em></p>
    </body>
    </html>
This is the output of the tinyproxy log files:
Forward proxy
    CONNECT Dec 10 22:05:08 [2788]: Connect (file descriptor 6): 10.0.2.33 [10.0.2.33] at [10.0.2.35]
    CONNECT Dec 10 22:05:08 [2788]: Request (file descriptor 6): GET http://10.0.2.34:80/ HTTP/1.1
    INFO Dec 10 22:05:08 [2788]: Found upstream proxy 10.0.2.36:8888 for 10.0.2.34
    CONNECT Dec 10 22:05:08 [2788]: Established connection to upstream proxy "10.0.2.36" using file descriptor 7.
    INFO Dec 10 22:05:08 [2788]: Closed connection between local client (fd:6) and remote client (fd:7)
Reverse proxy
    CONNECT Dec 10 22:05:08 [4487]: Connect (file descriptor 6): 10.0.2.35 [10.0.2.35] at [10.0.2.36]
    CONNECT Dec 10 22:05:08 [4487]: Request (file descriptor 6): GET http://10.0.2.34:80/ HTTP/1.0
    ERROR Dec 10 22:05:08 [4487]: Bad request
    INFO Dec 10 22:05:08 [4487]: no entity
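Currently, thanks to my reverse proxy configuration (ReversePath), I can access the server page from inside the reverse proxy machine by "curling" http://10.0.2.34:80/ and http://10.0.2.36:8888/. The image below shows the Wireshark capture on the reverse proxy machine.
With all of this configuration, all I get on the client machine is a 400 Bad Request error message from the reverse proxy.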
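This problem is solved. The way to test this is not to request the page from the server directly, but to request it from the reverse proxy machine. Also, the forward proxy should not upstream traffic to the reverse proxy.
The reverse proxy cannot understand requests addressed to the host/server if the forward proxy upstreams the traffic, because the two work differently.
The correct configuration of the forward proxy must exclude the following line:
    upstream 10.0.2.36:8888
because the reverse proxy has the following rule:
    ReversePath "/" "http://10.0.2.34:80/"
When requesting the server resource (the "It works" page from Apache), once we request "http://10.0.2.36:8888/", the reverse proxy (10.0.2.36) will request it from the server (10.0.2.34).
We should run curl against the reverse proxy:
    curl -v --proxy http://10.0.2.35:8888 http://10.0.2.36:8888/
Then we can see that the configuration works, with the following output: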
    root@debian:/home/debian# curl -v --proxy http://10.0.2.35:8888 http://10.0.2.36:8888
    * Rebuilt URL to: http://10.0.2.36:8888/
    * Hostname was NOT found in DNS cache
    * Trying 10.0.2.35...
    * Connected to 10.0.2.35 (10.0.2.35) port 8888 (#0)
    > GET http://10.0.2.36:8888/ HTTP/1.1
    > User-Agent: curl/7.38.0
    > Host: 10.0.2.36:8888
    > Accept: */*
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 OK
    < Via: 1.0 tinyproxy2 (tinyproxy/1.8.3), 1.1 tinyproxy1 (tinyproxy/1.8.3)
    < Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
    < Date: Tue, 12 Dec 2017 23:01:37 GMT
    < Content-Type: text/html
    < ETag: "2d-432a5e4a73a80"
    < Set-Cookie: yummy_magical_cookie=/; path=/
    * Server Apache/2.4.29 (Unix) is not blacklisted
    < Server: Apache/2.4.29 (Unix)
    < Content-Length: 45
    < Accept-Ranges: bytes
    <
    <html><body><h1>It works!</h1></body></html>
    * Connection #0 to host 10.0.2.35 left intact
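The difference between the failing and the working request comes down to the form of the request-target that reaches the reverse proxy. The following is an added example, not part of the original answer and not tinyproxy's code: a simplified Python model of a reverse-only proxy using the two ReversePath rules from the question. The function names, the longest-prefix choice and the `GET / HTTP/1.0` line are assumptions made for illustration.

```python
# Simplified model (assumption inferred from the captures, not tinyproxy source).
# ReversePath rules copied from the reverse proxy configuration in the question.
REVERSE_PATHS = [
    ("/", "http://10.0.2.34:80/"),
    ("/wired/", "http://www.wired.com/"),
]

# Request line the reverse proxy logged when the forward proxy used Upstream.
FAILING = "GET http://10.0.2.34:80/ HTTP/1.0"
# Constructed sample: what a direct (non-upstream) connection would send.
WORKING = "GET / HTTP/1.0"


def target_form(request_line):
    """Classify the request-target of a request line (RFC 7230, section 5.3)."""
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts
    if method == "CONNECT":
        return "authority-form"
    if target.startswith("/"):
        return "origin-form"
    if "://" in target:
        return "absolute-form"   # what a client sends to a forward proxy
    return "other"


def reverse_only_route(request_line):
    """Return (outcome, backend_url) for a proxy that only serves ReversePath."""
    if target_form(request_line) != "origin-form":
        # A proxy-style URL matches no ReversePath prefix, so it is refused.
        return ("400 Bad Request", None)
    target = request_line.split()[1]
    # Longest prefix wins in this model.
    for prefix, backend in sorted(REVERSE_PATHS, key=lambda r: -len(r[0])):
        if target.startswith(prefix):
            return ("forwarded", backend + target[len(prefix):])
    return ("400 Bad Request", None)


if __name__ == "__main__":
    for line in (FAILING, WORKING, "GET /wired/security HTTP/1.0"):
        print(line, "->", target_form(line), reverse_only_route(line))
```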