1. Schemes for accessing the external network
1. GoProxy scheme
Deployment
- Download the release package directly from goproxy (snail007/goproxy)
- fatedier/frp or a similar intranet-tunnelling tool can be used instead
Startup
Direct proxy
Unencrypted; clients use it as an ordinary forward proxy by pointing their proxy setting (http_proxy / https_proxy) at it.
./proxy http -t tcp -p HOST_IP:PORT --forever --log log/proxy.PORT.log --daemon
Transparent proxy (can be done without iptables, e.g. via hostAliases or CoreDNS; see the client-side options below)
First-level encrypted proxy:
Encrypted (TLS) listener; it cannot be used directly as a forward proxy, only as the upstream of the second-level proxy below. The -z password and the cert/key pair must match what the second-level proxy passes in -Z/-C/-K. Replace "passwd4#me" before deploying: it is a shared secret and is visible in the process list on both hosts.
./proxy http -t tls -p FIRST_LEVEL_IP:PORT -z "passwd4#me" -C cert/proxy.crt -K cert/proxy.key --daemon --forever --log log/proxy.PORT.log
Second-level proxy (transparent proxy for 80 & 443):
Unencrypted towards its clients and usable directly as a forward proxy; everything it receives is forwarded over TLS to the first-level proxy (-T tls -P ... -Z ...).
./proxy http -t tcp -p SECOND_LEVEL_IP:80 -T tls -P FIRST_LEVEL_IP:PORT -Z "passwd4#me" -C cert/proxy.crt -K cert/proxy.key --daemon --forever --log log/proxy.80.log
./proxy http -t tcp -p SECOND_LEVEL_IP:443 -T tls -P FIRST_LEVEL_IP:PORT -Z "passwd4#me" -C cert/proxy.crt -K cert/proxy.key --daemon --forever --log log/proxy.443.log
Configuration on the transparent-proxy client side (intranet servers):
- hostAlias: in Kubernetes, set hostAliases on the pod so that the target domain resolves to the second-level proxy IP (or edit /etc/hosts directly). The exact domain names must be known.
- CoreDNS: in Kubernetes, add cluster-internal DNS records with kubectl. This affects the whole cluster; the upside noted here is wildcard matching of subdomains, but the hosts plugin only takes exact /etc/hosts-style names, so wildcards need the rewrite or template plugin instead. Procedure: kubectl edit cm coredns -n kube-system, then add the records to the hosts block of the .:53 server.
- iptables DNAT: add NAT rules that rewrite public destination IPs to the second-level proxy IP. Suitable when the domain names cannot be known in advance. Details of the iptables approach:
- In a container environment the base image must contain iptables and the container needs the NET_ADMIN capability
- Add outbound NAT rules that replace any non-intranet destination IP with the second-level proxy address
# iptables DNAT on the intranet server.
# Locally generated packets only traverse the nat OUTPUT chain; PREROUTING is
# hit only by packets forwarded from other hosts, so use PREROUTING instead
# when these rules live on a gateway node rather than on the client itself.
# PUBLIC_V4 is the complement of the reserved/private ranges (0/8, 10/8,
# 100.64/10, 127/8, 169.254/16, 172.16/12, 192.0.0/24, 192.0.2/24,
# 192.88.99/24, 192.168/16, 198.18/15, 198.51.100/24, 203.0.113/24, 224/4,
# 240/4). iptables expands a comma-separated -d list into one rule per entry
# (a negated list is not allowed, hence the explicit public ranges).
PUBLIC_V4="1.0.0.0/8,2.0.0.0/7,4.0.0.0/6,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/3,96.0.0.0/6,100.0.0.0/10,100.128.0.0/9,101.0.0.0/8,102.0.0.0/7,104.0.0.0/5,112.0.0.0/5,120.0.0.0/6,124.0.0.0/7,126.0.0.0/8,128.0.0.0/3,160.0.0.0/5,168.0.0.0/8,169.0.0.0/9,169.128.0.0/10,169.192.0.0/11,169.224.0.0/12,169.240.0.0/13,169.248.0.0/14,169.252.0.0/15,169.255.0.0/16,170.0.0.0/7,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.1.0/24,192.0.3.0/24,192.0.4.0/22,192.0.8.0/21,192.0.16.0/20,192.0.32.0/19,192.0.64.0/18,192.0.128.0/17,192.1.0.0/16,192.2.0.0/15,192.4.0.0/14,192.8.0.0/13,192.16.0.0/12,192.32.0.0/11,192.64.0.0/12,192.80.0.0/13,192.88.0.0/18,192.88.64.0/19,192.88.96.0/23,192.88.98.0/24,192.88.100.0/22,192.88.104.0/21,192.88.112.0/20,192.88.128.0/17,192.89.0.0/16,192.90.0.0/15,192.92.0.0/14,192.96.0.0/11,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/7,198.0.0.0/12,198.16.0.0/15,198.20.0.0/14,198.24.0.0/13,198.32.0.0/12,198.48.0.0/15,198.50.0.0/16,198.51.0.0/18,198.51.64.0/19,198.51.96.0/22,198.51.101.0/24,198.51.102.0/23,198.51.104.0/21,198.51.112.0/20,198.51.128.0/17,198.52.0.0/14,198.56.0.0/13,198.64.0.0/10,198.128.0.0/9,199.0.0.0/8,200.0.0.0/7,202.0.0.0/8,203.0.0.0/18,203.0.64.0/19,203.0.96.0/20,203.0.112.0/24,203.0.114.0/23,203.0.116.0/22,203.0.120.0/21,203.0.128.0/17,203.1.0.0/16,203.2.0.0/15,203.4.0.0/14,203.8.0.0/13,203.16.0.0/12,203.32.0.0/11,203.64.0.0/10,203.128.0.0/9,204.0.0.0/6,208.0.0.0/4"
# ipv4: rewrite the destination of outbound HTTP/HTTPS to the second-level proxy
iptables -t nat -A OUTPUT -p tcp -d "$PUBLIC_V4" --dport 80  -j DNAT --to-destination 10.207.219.3:80
iptables -t nat -A OUTPUT -p tcp -d "$PUBLIC_V4" --dport 443 -j DNAT --to-destination 10.207.219.3:443
# udp 80/443 (QUIC / HTTP/3): the second-level proxy above listens on TCP only,
# so these rules send QUIC to a closed port and browsers fall back to TCP
iptables -t nat -A OUTPUT -p udp -d "$PUBLIC_V4" --dport 80  -j DNAT --to-destination 10.207.219.3:80
iptables -t nat -A OUTPUT -p udp -d "$PUBLIC_V4" --dport 443 -j DNAT --to-destination 10.207.219.3:443
# ipv6: needs ip6tables, and DNAT is only valid in PREROUTING/OUTPUT (not
# POSTROUTING); the address must be bracketed when a port is given.
# 2001::/16 is only a part of global unicast space; 2000::/3 covers all of it.
ip6tables -t nat -A OUTPUT -p tcp -d 2001::/16 --dport 443 -j DNAT --to-destination "[IPV6_PROXY_ADDRESS]:443"
# persist the rules (iptables-services on RHEL/CentOS; use iptables-save/ip6tables-save elsewhere)
service iptables save
service ip6tables save
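The comma-separated -d list in the DNAT rules above (the same list is reused in the optional user-firewall rule in section 2) is the complement of the reserved and private IPv4 ranges. The following script is an added example, not part of the original notes or of goproxy: it regenerates that list from the exclusion set so it can be audited and extended (for example with a site-specific range), and emits the corresponding rule. The proxy address 10.207.219.3 and the OUTPUT chain come from the rules above; the function names and the exclusion list are the example's own.

```python
"""Regenerate the public-IPv4 DNAT destination list from its exclusion set."""
import ipaddress
from typing import List

# Reserved / non-routable IPv4 space that must NOT be redirected to the proxy.
# Excluding exactly these blocks reproduces the 116-entry list in the notes.
RESERVED_IPV4 = [
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # CGNAT (RFC 6598); contains 100.100.0.0/16
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, cloud metadata endpoints
    "172.16.0.0/12",    # RFC 1918
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1
    "192.88.99.0/24",   # 6to4 relay anycast (deprecated)
    "192.168.0.0/16",   # RFC 1918
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, includes limited broadcast
]


def public_ipv4_ranges(reserved=RESERVED_IPV4) -> List[ipaddress.IPv4Network]:
    """Return the minimal, sorted CIDR cover of everything not in `reserved`."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for cidr in reserved:
        hole = ipaddress.ip_network(cidr)
        next_remaining = []
        for net in remaining:
            if hole.subnet_of(net):
                # Split the block into the pieces around the hole (CIDR blocks
                # either nest or are disjoint, so this is the only overlap case).
                next_remaining.extend(net.address_exclude(hole))
            elif net.subnet_of(hole):
                continue  # entirely inside an exclusion: drop it
            else:
                next_remaining.append(net)
        remaining = next_remaining
    # collapse_addresses merges sibling blocks, giving the unique minimal cover
    return sorted(ipaddress.collapse_addresses(remaining))


def is_public(ip: str, ranges=None) -> bool:
    """True if `ip` falls inside one of the generated public ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in (ranges or public_ipv4_ranges()))


def dnat_rule(proto: str, port: int, proxy: str, chain: str = "OUTPUT") -> str:
    """Build one nat rule; iptables expands the -d list into one rule per entry."""
    dests = ",".join(str(n) for n in public_ipv4_ranges())
    return (f"iptables -t nat -A {chain} -p {proto} -d {dests} "
            f"--dport {port} -j DNAT --to-destination {proxy}:{port}")


if __name__ == "__main__":
    nets = public_ipv4_ranges()
    print(f"{len(nets)} ranges covering {sum(n.num_addresses for n in nets)} addresses")
    for proto in ("tcp", "udp"):
        for port in (80, 443):
            print(dnat_rule(proto, port, "10.207.219.3"))
```

Adding a range to RESERVED_IPV4 and re-running is all that is needed to keep the rules in step with the exclusion policy; the same list also serves as input for an ipset if the per-entry rule expansion becomes too long.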
SOCKS5 proxy
./proxy socks -t tcp -p HOST_IP:PORT --daemon --forever --log log/proxy.PORT.log
Pros and cons
Pros
- Transparent proxying of HTTPS works directly, with encryption applied at the first-level proxy
- HTTP/SOCKS basic authentication is available (switch to frp for this; in goproxy the feature is part of the paid edition)
- The SOCKS5 protocol is supported
- UDP is supported directly
Cons
- The open-source version has no allow/deny list, so blocking relies entirely on the firewall
- The log format cannot be adjusted
2. Dedicated subnet scheme
Create a dedicated subnet whose virtual-router uplink terminates in the DMZ. The DMZ gateway enables ip_forward and performs iptables SNAT. Workloads in the container cloud reach external IPs through that gateway, either by making it their default gateway or, where the intranet server can reach the DMZ gateway directly, by adding routes to it.
# DMZ gateway: enable forwarding and source-NAT the subnet on the external NIC.
# SNAT in POSTROUTING matches the *outgoing* interface, so -o must be the
# external-facing NIC, not the dedicated-subnet NIC.
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o EXTERNAL_NIC -s SUBNET_CIDR -j SNAT --to-source EXTERNAL_NIC_IP
# Inside the container: routing
# 1. default route via the dedicated-subnet gateway
#    (legacy equivalent: route add default gw DEDICATED_SUBNET_GATEWAY)
ip route add default via DEDICATED_SUBNET_GATEWAY
# 2. add each intranet range individually with the normal intranet gateway as
#    next hop; "route -p add x.x.x.x mask x.x.x.x" is Windows syntax, and on
#    Linux persistence is done in the network configuration, not by a flag
ip route add INTRANET_CIDR via NORMAL_INTRANET_GATEWAY
Pros and cons
Pros
- Does not depend on a forward proxy
Cons
- Directly breaks network isolation
- Control depends entirely on iptables
3. Nginx scheme
Deployment
Depends on ngx_http_proxy_connect_module. The module patches the nginx source tree, so apply the patch inside the nginx source directory before building.
# 1. patch (run inside the nginx source tree)
cd /app/nginx-1.24.0
patch -p1 < \
/app/nginx-1.24.0/ngx_http_proxy_connect_module-0.0.5/patch/proxy_connect_rewrite_102101.patch
# 2. configure
./configure \
--prefix=/app/nginx_forward_proxy \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_auth_request_module \
--with-http_addition_module \
--with-http_realip_module \
--with-http_ssl_module \
--with-http_v2_module \
--add-module=/app/nginx-1.24.0/ngx_http_proxy_connect_module-0.0.5
# 3. make
make && make install
Configuration
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 8080;
#http2 on;
# Use an external DNS server so that intranet names are not resolved.
# This does not stop a public name whose record points at an intranet IP;
# the user firewall in section 2 is the backstop for that case.
resolver 114.114.114.114;
proxy_connect; # ngx_http_proxy_connect_module
# ports that CONNECT is allowed to tunnel to
proxy_connect_allow 443 80;
#proxy_connect_connect_timeout 10s;
#proxy_connect_read_timeout 10s;
#proxy_connect_send_timeout 10s;
location / {
# Refuse to proxy plain-HTTP requests to loopback and intranet literals
# (127.0.0.0/8, localhost, 10.0.0.0/8, 100.100.0.0/16, 172.16.0.0/12,
# 192.168.0.0/16, 169.254.0.0/16). The pattern is anchored and the dots
# are escaped; an unanchored lookahead with bare dots would also catch
# hosts such as 203.0.113.5 or mylocalhost.example.com. CONNECT requests
# are not matched by location blocks, so this guards plain HTTP only;
# CONNECT targets are restricted by port via proxy_connect_allow above.
if ($host ~* "^(127\.|localhost$|10\.|100\.100\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.)") {
return 403;
}
proxy_pass $scheme://$host$request_uri;
}
}
}
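The $host filter is a blocklist regex, and the difference between an anchored, dot-escaped pattern and a loose lookahead-style one is easy to get wrong. The script below is an added example, not part of the original notes or of nginx: it evaluates both styles against constructed hostnames with Python's re module (for these patterns PCRE and re agree), so the filter can be checked offline before a reload. INTRANET_HOST_RE is the anchored form of the check; LOOSE_HOST_RE is the same check written with unanchored lookaheads and unescaped dots, with the 172.16/12 group split into separate alternatives. All names and sample hosts are the example's own.

```python
"""Check a forward-proxy $host blocklist regex against sample Host headers."""
import re

# Anchored, dot-escaped pattern: one alternative per intranet prefix.
INTRANET_HOST_RE = re.compile(
    r"^(127\.|localhost$|10\.|100\.100\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.)",
    re.IGNORECASE,
)

# Loose lookahead style for contrast: '^' binds only to the first alternative,
# '.' matches any character, and the 172 group is split so that '(?=2[0-9])'
# on its own matches any host containing a digit pair 20-29.
LOOSE_HOST_RE = re.compile(
    r"^(?=127.0.0.1)|(?=localhost)|(?=10.\d{1,3}.\d{1,3}.\d{1,3})|(?=100.100.\d{1,3}.\d{1,3})"
    r"|(?=172.(?=1[6789])|(?=2[0-9])|(?=3[01]).\d{1,3}.\d{1,3})"
)

# Constructed sample Host headers (nginx's $host carries no port).
SAMPLE_HOSTS = [
    "10.1.2.3", "172.20.0.9", "192.168.1.1", "169.254.169.254",
    "localhost", "127.0.0.1", "100.100.100.200",          # should be blocked
    "172.40.0.9", "203.0.113.5", "mylocalhost.example.com",
    "example.com",                                        # should pass
]


def is_blocked(host: str, pattern: re.Pattern = INTRANET_HOST_RE) -> bool:
    """True if the proxy would answer 403 for this Host header under `pattern`.

    nginx's '~' operator is a search, not a full match, so re.search is used.
    """
    return pattern.search(host) is not None


def compare(hosts=SAMPLE_HOSTS):
    """Map each host to (blocked by anchored pattern, blocked by loose pattern)."""
    return {h: (is_blocked(h), is_blocked(h, LOOSE_HOST_RE)) for h in hosts}


def loose_mismatches(hosts=SAMPLE_HOSTS):
    """Hosts where the loose pattern disagrees with the anchored one."""
    return sorted(h for h, (strict, loose) in compare(hosts).items() if strict != loose)


if __name__ == "__main__":
    for host, (strict, loose) in compare().items():
        flag = "" if strict == loose else "   <-- loose pattern differs"
        print(f"{host:28} anchored={strict!s:5} loose={loose!s:5}{flag}")
```

The loose form both over-blocks (any public host with a "2x" digit pair, any name containing "localhost") and under-blocks (192.168.0.0/16 is absent), which is why the anchored form is the one to put in the server block. Neither pattern helps against a public name that resolves to an intranet address; that is handled by the resolver choice and the user firewall in section 2.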
Pros and cons
Pros
- Access to intranet addresses can be blocked directly in the configuration (for plain-HTTP requests; CONNECT tunnels are only port-filtered by proxy_connect_allow)
- The log format is adjustable
Cons
- Transparent HTTPS proxying is not possible directly, because the proxy's certificate cannot match the requested domain; a GoProxy second-level proxy on a trusted server is needed for transparent HTTPS
- Basic authentication does not work in forward-proxy mode (nginx's auth_basic answers 401 with WWW-Authenticate, whereas proxy clients expect 407 with Proxy-Authenticate), so a proxy username/password cannot be set
2. User firewall
Run the proxy process as a dedicated user and apply per-user firewall rules (iptables owner match, which only works in the OUTPUT chain) so that this user cannot reach intranet addresses even when the proxy's own filtering is bypassed.
With the user named myproxy, the outbound TCP/UDP rules are as follows.
Notes on the intranet/external IP ranges used:
# IP forwarding is only needed if this host also routes other hosts' traffic
# (the dedicated-subnet gateway); the owner match itself does not need it.
# vim /etc/sysctl.conf
# net.ipv4.ip_forward = 1
# Rules are first-match: allow the proxy user to reach the intranet DNS resolver
# before the DROP rules, otherwise name resolution for the proxy breaks.
iptables -A OUTPUT -d INTRANET_DNS_IP -p udp --dport 53 -m owner --uid-owner myproxy -j ACCEPT
iptables -A OUTPUT -d INTRANET_DNS_IP -p tcp --dport 53 -m owner --uid-owner myproxy -j ACCEPT
# Block intranet IPv4 destinations
iptables -A OUTPUT \
-d 127.0.0.0/8,10.0.0.0/8,192.168.0.0/16,100.100.0.0/16,169.254.0.0/16,172.16.0.0/12 \
-m owner --uid-owner myproxy -j DROP
# Block intranet IPv6 destinations (::1 is loopback, fe80::/10 is the full
# link-local range, 2406:440:400:878A::/96 is this site's own prefix)
ip6tables -A OUTPUT \
-d ::1/128,fe80::/10,2406:440:400:878A::/96 \
-m owner --uid-owner myproxy -j DROP
# (optional) block the proxy user from reaching public IPv4 directly. Only
# meaningful for a proxy that forwards everything to an upstream, e.g. the
# second-level GoProxy that must talk only to the first-level proxy; do not
# apply it on the proxy that has to reach the internet itself.
iptables -A OUTPUT \
-d 1.0.0.0/8,2.0.0.0/7,4.0.0.0/6,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/3,96.0.0.0/6,100.0.0.0/10,100.128.0.0/9,101.0.0.0/8,102.0.0.0/7,104.0.0.0/5,112.0.0.0/5,120.0.0.0/6,124.0.0.0/7,126.0.0.0/8,128.0.0.0/3,160.0.0.0/5,168.0.0.0/8,169.0.0.0/9,169.128.0.0/10,169.192.0.0/11,169.224.0.0/12,169.240.0.0/13,169.248.0.0/14,169.252.0.0/15,169.255.0.0/16,170.0.0.0/7,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.1.0/24,192.0.3.0/24,192.0.4.0/22,192.0.8.0/21,192.0.16.0/20,192.0.32.0/19,192.0.64.0/18,192.0.128.0/17,192.1.0.0/16,192.2.0.0/15,192.4.0.0/14,192.8.0.0/13,192.16.0.0/12,192.32.0.0/11,192.64.0.0/12,192.80.0.0/13,192.88.0.0/18,192.88.64.0/19,192.88.96.0/23,192.88.98.0/24,192.88.100.0/22,192.88.104.0/21,192.88.112.0/20,192.88.128.0/17,192.89.0.0/16,192.90.0.0/15,192.92.0.0/14,192.96.0.0/11,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/7,198.0.0.0/12,198.16.0.0/15,198.20.0.0/14,198.24.0.0/13,198.32.0.0/12,198.48.0.0/15,198.50.0.0/16,198.51.0.0/18,198.51.64.0/19,198.51.96.0/22,198.51.101.0/24,198.51.102.0/23,198.51.104.0/21,198.51.112.0/20,198.51.128.0/17,198.52.0.0/14,198.56.0.0/13,198.64.0.0/10,198.128.0.0/9,199.0.0.0/8,200.0.0.0/7,202.0.0.0/8,203.0.0.0/18,203.0.64.0/19,203.0.96.0/20,203.0.112.0/24,203.0.114.0/23,203.0.116.0/22,203.0.120.0/21,203.0.128.0/17,203.1.0.0/16,203.2.0.0/15,203.4.0.0/14,203.8.0.0/13,203.16.0.0/12,203.32.0.0/11,203.64.0.0/10,203.128.0.0/9,204.0.0.0/6,208.0.0.0/4 \
-m owner --uid-owner myproxy -j DROP
# (optional) the same for public IPv6 (2001::/16 is only part of global
# unicast space; 2000::/3 covers all of it)
ip6tables -A OUTPUT \
-d 2001::/16 \
-m owner --uid-owner myproxy -j DROP
# persist the rules (iptables-services on RHEL/CentOS; use iptables-save/ip6tables-save elsewhere)
service iptables save
service ip6tables save