How to parse and proxy all HTTPS traffic with NGINX without SSL termination?

Published 2025-01-31 00:02:23, 1765 characters, 2 views, 0 comments


I am creating a simple DNS server which only resolves A records for whitelisted domain names and uses 8.8.8.8 (Google DNS) to resolve un-whitelisted domains.

Whitelisted domains are resolved into a custom proxy server at x.x.x.x.
There is an nginx server at x.x.x.x that redirects all of the traffic based on the hostname provided in the Client Hello message.

The entire flow:

1- The DNS server receives a query for the A record of example.com

2- example.com is whitelisted, so the DNS server sends x.x.x.x as the answer.

3- The client sends a Client Hello to x.x.x.x, as it believes it is the IP address of example.com

4- The nginx server extracts the hostname from the Client Hello, uses 8.8.8.8 to resolve the domain itself, and then passes the request to the original IP address of example.com

When using this setup and proxying every domain (so every requested domain, no matter whether it's whitelisted or not, resolves to the IP address of the nginx server located at x.x.x.x), some requests face trouble.

Since some connections are facing problems and some are not, there has to be a problem with the TLS handshake (the clients sending DNS queries are not controlled).

How are the clients or the final servers preventing this? Is it related to SSL pinning?

Thanks in advance

Nginx config:

worker_processes  auto;

events {
    worker_connections  1024;
}

error_log /dev/stdout debug;

http {

    server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name _;
            return 301 https://$host$request_uri;
    }
}

stream {
    server {
        resolver 8.8.8.8 ipv6=off;
        listen 443;
        ssl_preread on;
        proxy_pass $ssl_preread_server_name:443;
    }
}

Some logs from error_log at debug level in nginx:

2022/05/21 15:25:36 [error] 6#6: *398 recv() failed (104: Connection reset by peer) while proxying and reading from upstream, client: x, server: 0.0.0.0:443, upstream: "x:443", bytes from/to client:696/6998, bytes from/to upstream:6998/917
2022/05/21 15:25:33 [error] 6#6: *476 connect() failed (111: Connection refused) while connecting to upstream, client: x, server: 0.0.0.0:443, upstream: "x:443", bytes from/to client:0/0, bytes from/to upstream:0/0
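To make concrete what the `ssl_preread on;` / `$ssl_preread_server_name` pair in the config above actually sees, here is an added example (not part of the original question and not nginx's code) that does the same small piece of work in Python: it reads a raw TLS ClientHello record without decrypting anything and pulls out the `server_name` (SNI) extension. It also models what `proxy_pass $ssl_preread_server_name:443` turns into for a client that sends no SNI at all: the upstream address degrades to `:443`, so such connections fail at the proxy before any upstream is contacted, which is one reason a passthrough proxy of this kind cannot be transparent for every client. The ClientHello bytes are constructed inside the script, not captured from the author's setup.

```python
"""Extract the SNI server_name from a raw TLS ClientHello, as nginx ssl_preread does.

Added stand-alone example; reimplements the lookup that populates
$ssl_preread_server_name. Input records are constructed below, not captured.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)
SNI_HOST_NAME = 0x00      # NameType host_name inside the SNI extension


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name, "" if the ClientHello carries no SNI,
    or None if the bytes are not a parseable TLS ClientHello record."""
    # Record header: type(1) version(2) length(2)
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3)
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        return None  # truncated record
    pos = 2 + 32  # skip client_version(2) and random(32)
    if pos >= len(hello):
        return None
    sid_len = hello[pos]
    pos += 1 + sid_len  # session_id
    if pos + 2 > len(hello):
        return None
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len  # cipher_suites
    if pos + 1 > len(hello):
        return None
    cm_len = hello[pos]
    pos += 1 + cm_len  # compression_methods
    if pos + 2 > len(hello):
        return ""  # no extensions block at all, hence no SNI
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(hello):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext_data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: list_len(2), then entries of name_type(1) name_len(2) name
        if len(ext_data) < 2:
            return None
        q = 2
        while q + 3 <= len(ext_data):
            name_type = ext_data[q]
            name_len = struct.unpack("!H", ext_data[q + 1:q + 3])[0]
            q += 3
            name = ext_data[q:q + name_len]
            q += name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii", errors="replace")
        return ""
    return ""


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (constructed test input)."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    hello = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + bytes(32)                            # random (zeros; constructed)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # one compression method: null
    )
    if server_name is not None:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def upstream_for(record: bytes) -> Optional[str]:
    """Mirror what `proxy_pass $ssl_preread_server_name:443` evaluates to.
    An empty SNI yields ':443', which cannot be connected to."""
    name = extract_sni(record)
    return None if name is None else f"{name}:443"


if __name__ == "__main__":
    for sni in ("example.com", None):
        rec = build_client_hello(sni)
        print(repr(sni), "->", repr(extract_sni(rec)), "upstream:", repr(upstream_for(rec)))
```

Because the proxy never terminates TLS, the server's real certificate travels through untouched, so certificate pinning on the client is not what would break this path; what the proxy can act on is limited to the plaintext SNI, and clients that omit it produce an unusable upstream address.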
