场景:通过跨境专线实现海外访问国内资源,基本SNI反代实现,支持IPv6
HK VM: 150.1.1.1
GZ VM: 103.1.1.1
基础网络环境配置
香港VM,启用IPv6和转发
[root@hk-reverse sh]# cat /etc/sysctl.conf
# HK VM (hk-reverse): keep IPv6 enabled on every interface, including any
# created later (default) and loopback, so the sit tunnel and the [2a10:...]
# listeners in nginx.conf can bind.
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
# IPv4 routing between interfaces (eth0 <-> the ipip tunnel) is switched on
# host-wide. The nginx SNI proxy itself terminates connections and does not
# need this; presumably other hosts are routed through this VM -- confirm,
# and if not, drop it to keep the public VM from acting as a transit router.
# No net.ipv6.conf.all.forwarding line is present, so IPv6 is not forwarded.
net.ipv4.conf.all.forwarding = 1
[root@hk-reverse sh]# more set-up-tunnel-reverse.sh
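#!/usr/bin/env bash
# HK VM end of the ipip tunnel to the GZ VM.
#   outer: 150.1.1.1 (here) <-> 103.1.1.1 (GZ)
#   inner: 100.64.100.4 (here) <-> 100.64.100.3 (GZ)
# ipip carries packets unencrypted and unauthenticated; the TLS sessions the
# SNI proxy relays stay end-to-end encrypted, but anything else sent through
# the tunnel is visible on the path.
set -euo pipefail

readonly TUN=hk-reverse
readonly LOCAL_IP=150.1.1.1
readonly REMOTE_IP=103.1.1.1
readonly TUN_ADDR=100.64.100.4
readonly TUN_PEER=100.64.100.3

modprobe ipip

# The original script aborted on a second run because "ip tunnel add" fails
# once the interface exists; create it only when missing so the script can
# be re-run (e.g. from a boot hook).
if ! ip link show "$TUN" >/dev/null 2>&1; then
  ip tunnel add "$TUN" mode ipip remote "$REMOTE_IP" local "$LOCAL_IP" ttl 255
fi

# "replace" is idempotent where "add" reports "RTNETLINK answers: File exists".
ip addr replace "$TUN_ADDR" peer "$TUN_PEER" dev "$TUN"
ip link set "$TUN" up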
广州VM
# more set-up-tunnel-reverse.sh
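#!/usr/bin/env bash
# GZ VM end of the ipip tunnel to the HK VM (mirror of the HK script).
#   outer: 103.1.1.1 (here) <-> 150.1.1.1 (HK)
#   inner: 100.64.100.3 (here) <-> 100.64.100.4 (HK)
# ipip provides no encryption or authentication; only the remote/local
# addresses select which encapsulated packets this end decapsulates.
set -euo pipefail

readonly TUN=hk-reverse
readonly LOCAL_IP=103.1.1.1
readonly REMOTE_IP=150.1.1.1
readonly TUN_ADDR=100.64.100.3
readonly TUN_PEER=100.64.100.4

modprobe ipip

# Skip creation when the interface already exists so a re-run does not stop
# at "ip tunnel add" as the original did.
if ! ip link show "$TUN" >/dev/null 2>&1; then
  ip tunnel add "$TUN" mode ipip local "$LOCAL_IP" remote "$REMOTE_IP" ttl 255
fi

# Idempotent address assignment ("add" would fail with "File exists").
ip addr replace "$TUN_ADDR" peer "$TUN_PEER" dev "$TUN"
ip link set "$TUN" up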
防火墙开启NAT
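#!/bin/sh
# GZ VM: source-NAT traffic arriving from the tunnel subnet out of the
# public address, clamp MSS for the tunnel path, and accept the tunnel's
# encapsulated packets in the filter table.
#
# NOTE: "-F" below empties the ENTIRE nat and mangle tables, not only the
# rules this script adds; run it only on a host where that is intended.
set -eu

HK_PEER=150.1.1.1
PUBLIC_IP=103.1.1.1
TUNNEL_NET=100.64.100.0/24
WAN_IF=eth0

# Append a filter rule only if an identical one is not already present, so
# re-running the script does not stack duplicate INPUT/OUTPUT/FORWARD rules.
add_rule() {
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

iptables -t nat -F
iptables -t mangle -F

# Outgoing SYNs get their MSS clamped to the path MTU: the extra ipip header
# lowers the effective MTU, and without clamping large segments can stall.
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o "$WAN_IF" -j TCPMSS --clamp-mss-to-pmtu

# Everything that came in over the tunnel leaves with the public source IP.
iptables -t nat -A POSTROUTING -s "$TUNNEL_NET" -j SNAT --to-source "$PUBLIC_IP"

# The tunnel is "mode ipip", i.e. IPv4-in-IPv4 = IP protocol 4. The original
# matched protocol 47 (GRE), which this host never uses, and appended its
# OUTPUT rule to the non-existent chain "OUTOUT", so none of the three rules
# had any effect. Use the number: in /etc/protocols the name "ipip" is 94,
# not 4. Restricting the rules to the HK peer keeps encapsulated packets
# from any other source out of this ACCEPT.
add_rule INPUT -p 4 -s "$HK_PEER" -j ACCEPT
add_rule OUTPUT -p 4 -d "$HK_PEER" -j ACCEPT
add_rule FORWARD -p 4 -j ACCEPT

# iptables-save only prints the ruleset to stdout; it does not persist it.
# Redirect it to the distribution's rules file (or use iptables-services /
# iptables-persistent) if the rules must survive a reboot.
iptables-save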
香港VM,转发国内路由,走隧道
chnroutes路由表:https://github.com/misakaio/chnroutes2
[root@hk-reverse sh]# wget https://raw.githubusercontent.com/misakaio/chnroutes2/master/chnroutes.txt
[root@hk-reverse sh]# more add-chnroute.sh
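#!/usr/bin/env bash
# HK VM: route every prefix listed in chnroutes.txt (fetched from
# github.com/misakaio/chnroutes2) through the ipip tunnel to the GZ VM.
#
# 103.100.0.0/26 -- presumably the prefix the administrator's session comes
# from (the document's note: "avoid locking yourself out") -- is pinned to
# the eth0 gateway before and after the loop. As a /26 it is more specific
# than any covering list entry, so it wins regardless of insertion order;
# the second install only guards against an exact-match entry in the list.
# The original wrote it once as 103.100.0/26, which iproute2 appears to
# accept as shorthand for the same prefix.
#
# The list is third-party input that decides what leaves via the tunnel, so
# every line is validated before it is handed to "ip route add".
set -uo pipefail

readonly ROUTE_FILE=${1:-chnroutes.txt}
readonly MGMT_PREFIX=103.100.0.0/26
readonly MGMT_GW=150.1.1.254
readonly MGMT_DEV=eth0
readonly TUN_PEER=100.64.100.3
readonly TUN_DEV=hk-reverse

# a.b.c.d/n, 1-3 digits per octet, prefix length 0-32.
readonly CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ -r "$ROUTE_FILE" ]] || die "cannot read $ROUTE_FILE"

# "replace" is idempotent; "add" fails with "File exists" on a re-run.
ip route replace "$MGMT_PREFIX" via "$MGMT_GW" dev "$MGMT_DEV" \
  || die "cannot install management route $MGMT_PREFIX"

# Read line by line (the original word-split the whole file) and keep the
# loop going on individual failures, as the original did.
while IFS= read -r line || [[ -n "$line" ]]; do
  [[ -z "$line" || "$line" == \#* ]] && continue
  if [[ ! "$line" =~ $CIDR_RE ]]; then
    printf 'Skipping malformed entry: %s\n' "$line" >&2
    continue
  fi
  # A default route through the tunnel would hijack all traffic.
  if [[ "$line" == */0 ]]; then
    printf 'Refusing default route entry: %s\n' "$line" >&2
    continue
  fi
  printf 'Adding %s to default\n' "$line"
  /usr/sbin/ip route add "$line" via "$TUN_PEER" dev "$TUN_DEV" \
    || printf 'Failed to add %s\n' "$line" >&2
done < "$ROUTE_FILE"

ip route replace "$MGMT_PREFIX" via "$MGMT_GW" dev "$MGMT_DEV" \
  || die "cannot re-install management route $MGMT_PREFIX"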
避免执行完把自己锁外面
已打通IPv4,下一步打通IPv6到国内
[root@hk-reverse sh]# more set-up-tunnel-ipv6.sh
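#!/usr/bin/env bash
# HK VM: 6in4 (sit) tunnel to the GZ switch (Tunnel0, 103.1.1.1) so IPv6
# destinations in China are reachable from here.
#   outer: 150.1.1.1 (here) <-> 103.1.1.1 (GZ switch)
#   inner: 240E:x:x:x:1::2/80 (here) <-> 240E:x:x:x:1::1/80 (GZ switch)
# The "x" groups are placeholders from the source document; fill them in.
# Like ipip, sit offers no encryption or authentication of the tunnel.
set -euo pipefail

readonly TUN=hk-reverse-v6
readonly LOCAL_IP=150.1.1.1
readonly REMOTE_IP=103.1.1.1
readonly TUN_ADDR=240E:x:x:x:1::2/80
readonly TUN_PEER=240E:x:x:x:1::1/80
readonly GW6=240E:x:x:x:1::1

# Create the interface only when missing so a re-run does not abort on
# "ip tunnel add" as the original script did.
if ! ip link show "$TUN" >/dev/null 2>&1; then
  ip tunnel add "$TUN" mode sit remote "$REMOTE_IP" local "$LOCAL_IP"
fi

# Idempotent address assignment ("add" would fail with "File exists").
ip addr replace "$TUN_ADDR" peer "$TUN_PEER" dev "$TUN"
ip link set "$TUN" up

# Two test destinations (host routes) sent through the tunnel.
for dst in 2001:da8:3000::1 2408:8610:3b10:3002:8000::3; do
  ip -6 route replace "$dst" via "$GW6" dev "$TUN"
done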
加2个测试IPv6地址
广州交换机上配置
[SZ_S6800]dis current-configuration interface Tunnel 0
#
interface Tunnel0 mode ipv6-ipv4
source 103.1.1.1
destination 150.1.1.1
ipv6 address 240E:x:x:x:1::1/80
安装Openresty + SNI Lua实现反代
[root@hk-reverse sh]# yum install -y yum-utils
[root@hk-reverse sh]# yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
[root@hk-reverse sh]# yum install openresty
cp sniproxy.lua /usr/local/openresty/lualib/resty/
参考文档:
https://github.com/fffonion/lua-resty-sniproxy
[root@hk-reverse sh]# more /usr/local/openresty/nginx/conf/nginx.conf
[root@hk-niaoyun-roche-reverse sh]# cat /usr/local/openresty/nginx/conf/nginx.conf
worker_processes auto;
# 102400 connections per worker needs a matching open-file limit
# (worker_rlimit_nofile / ulimit -n); none is set in this file.
events {
worker_connections 102400;
}
# Plain HTTP only redirects to HTTPS; all real traffic is handled by the
# stream block below. The redirect target is built from $host, i.e. the
# Host header supplied by the client, not from a fixed server name.
http {
server {
listen 150.1.1.1:80 default_server;
listen [2a10:x:x:x::3]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
}
# Layer-4 TLS passthrough: the client's TLS session is not terminated here;
# only the SNI in the ClientHello is read to choose an upstream.
stream {
log_format proxy '$remote_addr [$time_local] $sniproxy_upstream '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
init_by_lua_block {
local sni = require("resty.sniproxy")
-- Each rule is: pattern, optional upstream, optional port; evaluated in
-- order, first match wins. The first two rules give no upstream, so (per
-- lua-resty-sniproxy) the SNI name itself is resolved and dialled; the
-- third is the catch-all.
-- NOTE(review): the patterns are neither anchored nor dot-escaped. If the
-- library matches them as unanchored patterns, any server name that merely
-- contains blueduck followed by one character and top would also hit rule
-- one or two and be relayed to whatever host the client named, i.e. an
-- open SNI relay. Confirm the matching semantics and, if so, anchor with
-- ^ and $ and escape the dots.
sni.rules = {
{".+.blueduck.top"},
{"blueduck.top"},
-- Nothing in this file listens on this socket; presumably a separate
-- default vhost provides it -- verify it exists.
{".", "unix:/var/run/nginx-default.sock"}
}
}
# Variable set by the preread handler below; read by proxy_pass and the
# access log format.
lua_add_variable $sniproxy_upstream;
# SNI passthrough listener. No "ssl" flag on purpose: TLS stays end-to-end.
server {
listen 150.1.1.1:443;
# Upstream names taken from the rules are resolved here over plain UDP DNS;
# nginx does no DNSSEC validation, so the proxied destination is only as
# trustworthy as the answer from 114.114.114.114. ipv6=off: A records only.
resolver 114.114.114.114 ipv6=off valid=60s;
resolver_timeout 5s;
# Reads the ClientHello, matches the SNI against sni.rules and sets
# $sniproxy_upstream for proxy_pass.
preread_by_lua_block {
local sni = require("resty.sniproxy")
local sp = sni:new()
sp:preread_by()
}
proxy_pass $sniproxy_upstream;
access_log /export/Logs/nginx/sniproxy_access.log proxy buffer=32k flush=10s;
}
# IPv6 front end: every connection on the v6 address goes to this single
# fixed upstream with no SNI inspection. Whether the upstream is reached
# over the sit tunnel cannot be told from this file -- confirm.
upstream test_server_ipv6 {
server [2404:x:x:x::20]:443 weight=1 max_fails=5 fail_timeout=3s;
}
server {
listen [2a10:x:x:x::3]:443;
proxy_connect_timeout 5s;
# Idle sessions are dropped after 10 minutes without data in either direction.
proxy_timeout 10m;
proxy_pass test_server_ipv6 ;
}
}
启动openresty
[root@hk-reverse sh]# systemctl enable openresty --now



