Trojan and Nginx sharing port 443 #11
armingli announced in Programming
By default Trojan listens on the server's port 443 and takes the inbound traffic directly. To share port 443 with Nginx, the design needs a single unified traffic entry point that does a second-stage forward based on the domain name of the requested service, as shown in the figure below:
The SNI carried in the TLS handshake is used to forward the traffic at layer 4. Nginx supports SNI-based layer-4 forwarding: it reads the SNI from the ClientHello and then relays the raw TCP/UDP stream without terminating TLS. This is provided by the `ngx_stream_ssl_preread_module`, which Nginx does not enable by default; it belongs to the `stream` context, not `http`.

```
➜ ~ nginx -V
nginx version: nginx/1.20.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
```

The `--with-stream` and `--with-stream_ssl_preread_module` entries in the configure arguments confirm this build supports it, so we go straight to the configuration.
The Trojan service only needs to be configured to listen on port 10241.

To obtain the real client IP at the backend services, the connection to them uses the Proxy Protocol. Nginx supports it; it only has to be enabled on the forwarding side and on the receiving side. That is why `proxy_protocol` was added to the forwarding layer above. Because Trojan does not support the Proxy Protocol, an extra intermediate layer strips the protocol header on Trojan's behalf, so the other services still get the user's real IP while Trojan traffic is handled normally. Reference:
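An added example of the layout described above (not the original post's own config): a `stream` block that reads the SNI with `ssl_preread`, forwards by hostname with a PROXY header prepended, and a loopback intermediate `stream` server that consumes the PROXY header and hands the untouched TLS bytes to Trojan on 10241. The hostnames, the internal 8443 web listener, the 10242 intermediate port and the certificate paths are assumptions.

```nginx
stream {
    # Read the SNI from the ClientHello without terminating TLS and pick a backend.
    # Hostnames here are assumptions; replace them with your own.
    map $ssl_preread_server_name $backend {
        trojan.example.com  trojan_pp;   # Trojan, via the PROXY-stripping hop
        default             web_tls;     # everything else goes to the http block
    }

    upstream trojan_pp { server 127.0.0.1:10242; }  # assumed intermediate port
    upstream web_tls   { server 127.0.0.1:8443;  }  # assumed internal TLS listener

    # Unified entry point on 443: only this server is reachable from outside.
    server {
        listen 443;
        ssl_preread on;
        proxy_protocol on;      # prepend a PROXY header so backends learn the real client IP
        proxy_pass $backend;
    }

    # Intermediate hop: Trojan cannot parse the PROXY header, so accept it here
    # and relay the raw TLS byte stream to Trojan on 10241.
    server {
        listen 127.0.0.1:10242 proxy_protocol;
        proxy_pass 127.0.0.1:10241;
    }
}

http {
    server {
        listen 127.0.0.1:8443 ssl proxy_protocol;
        server_name www.example.com;                 # assumption
        ssl_certificate     /path/to/fullchain.pem;  # placeholder path
        ssl_certificate_key /path/to/privkey.pem;    # placeholder path

        # Restore the original client address from the PROXY header so logs and
        # access controls see the user, not 127.0.0.1.
        set_real_ip_from 127.0.0.1;
        real_ip_header   proxy_protocol;

        # ... site configuration ...
    }
}
```

Keep the 8443 and 10242 listeners bound to loopback: a listener that accepts `proxy_protocol` from arbitrary peers lets a remote client supply any source address it likes in the header, which defeats the point of recovering the real IP.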