Proxy_ssl_alpn
1. Function description
When reverse proxying to a backend server, some applications require the TLS ALPN field to be set during the TLS handshake. The proxy_ssl_alpn feature lets this field be set through configuration ahead of time. The feature is supported by both the http and stream modules. For the stream configuration, refer to
2. Directive description
Client-side configuration; this directive takes effect in the stream and http modules. The configured value is carried in the Client Hello that is sent to the upstream.
| Directive | Required | Description |
|---|---|---|
| proxy_ssl_alpn | Yes | |

| Syntax: | proxy_ssl_alpn protocol …; |
|---|---|
| Default: | — |
| Context: | stream, http, server, location |
1. Sets the ALPN protocol list sent by the client. Multiple values are separated by spaces; for example, `proxy_ssl_alpn h1 h2 h3 h4;` sets 4 entries.
2. Usage is identical in http and stream. Combine it with the `ssl_preread on` directive.
3. Use the variable `$ssl_preread_alpn_protocols` to select different `proxy_pass` destinations.
3. Configuration description
njet.conf (data-plane configuration)
```nginx
http {
    dyn_kv_conf conf/iot-work.conf;
    include mime.types;
    default_type application/octet-stream;
    access_log logs/access.log;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 5555;

        location = /test1 {
            proxy_ssl_certificate certs/client.pem;
            proxy_ssl_certificate_key certs/client.key;
            proxy_ssl_alpn test1;
            keepalive_timeout 0;
            proxy_pass https://127.0.0.1:5443/;
        }

        location = /test2 {
            proxy_ssl_certificate certs/client.pem;
            proxy_ssl_certificate_key certs/client.key;
            proxy_ssl_alpn test2;
            keepalive_timeout 0;
            proxy_pass https://127.0.0.1:5443/;
        }

        location = /default {
            proxy_ssl_certificate certs/client.pem;
            proxy_ssl_certificate_key certs/client.key;
            keepalive_timeout 0;
            proxy_pass https://127.0.0.1:5443/;
        }
    }
}

stream {
    map $ssl_preread_alpn_protocols $ssl_server {
        default 127.0.0.1:5902;
        test1   127.0.0.1:5900;
        test2   127.0.0.1:5901;
    }

    server {
        listen 7777;
        proxy_ssl on;
        proxy_ssl_certificate certs/client.pem;
        proxy_ssl_certificate_key certs/client.key;
        proxy_ssl_alpn test1;
        proxy_pass 127.0.0.1:5443;
    }

    server {
        listen 8888;
        proxy_ssl on;
        proxy_ssl_certificate certs/client.pem;
        proxy_ssl_certificate_key certs/client.key;
        proxy_ssl_alpn test2;
        proxy_pass 127.0.0.1:5443;
    }

    server {
        listen 9999;
        proxy_ssl on;
        proxy_ssl_certificate certs/client.pem;
        proxy_ssl_certificate_key certs/client.key;
        proxy_pass 127.0.0.1:5443;
    }

    server {
        listen 5900 ssl;
        ssl_certificate certs/server.pem;
        ssl_certificate_key certs/server.key;
        return "5900 test1 ok";
    }

    server {
        listen 5901 ssl;
        ssl_certificate certs/server.pem;
        ssl_certificate_key certs/server.key;
        return "5901 njet ok";
    }

    server {
        listen 5902 ssl;
        ssl_certificate certs/server.pem;
        ssl_certificate_key certs/server.key;
        return "5902 default ok";
    }

    server {
        listen 5443;
        ssl_preread on;
        proxy_pass $ssl_server;
    }
}
```
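What `ssl_preread` actually reads off the wire, and why the map keys above match, as an added Python illustration that is not part of njet or of this page: it builds the kind of ClientHello an njet server with `proxy_ssl_alpn test1;` sends towards 127.0.0.1:5443 (constructed bytes: zero random, one cipher suite), extracts the ALPN list the way `$ssl_preread_alpn_protocols` exposes it, and applies the same map as the stream block. The extension type numbers are the real TLS codepoints; the upstream addresses are taken from the configuration above.

```python
import struct

ALPN_EXT_TYPE = 16  # application_layer_protocol_negotiation, RFC 7301
UPSTREAM_MAP = {"test1": "127.0.0.1:5900", "test2": "127.0.0.1:5901"}  # the stream map block above
DEFAULT_UPSTREAM = "127.0.0.1:5902"

def build_client_hello(alpn_protocols):
    """Constructed input: a minimal ClientHello record offering the given ALPN names (what proxy_ssl_alpn sends)."""
    names = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
    alpn_ext = struct.pack("!HHH", ALPN_EXT_TYPE, len(names) + 2, len(names)) + names
    exts = struct.pack("!HHHH", 10, 4, 2, 0x001D) + alpn_ext  # a supported_groups ext first, so ALPN is not at offset 0
    body = (b"\x03\x03" + bytes(32)                 # legacy_version + 32-byte random (zeros: constructed)
            + b"\x00"                                # session_id: empty
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def preread_alpn_protocols(record):
    """ALPN names comma-joined in client order, as $ssl_preread_alpn_protocols; "" if absent or not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        return ""                                      # not a TLS handshake record (e.g. plaintext HTTP)
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return ""                                      # handshake message is not client_hello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip legacy_version and random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    if pos + 2 > len(body):
        return ""                                      # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:                          # walk extensions until ALPN is found
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == ALPN_EXT_TYPE:
            names, i = [], 2                           # skip the ProtocolNameList length prefix
            while i < len(data):
                names.append(data[i + 1:i + 1 + data[i]].decode())
                i += 1 + data[i]
            return ",".join(names)
    return ""

def select_upstream(record):  # exact match on the whole string, as the nginx-style map does
    return UPSTREAM_MAP.get(preread_alpn_protocols(record), DEFAULT_UPSTREAM)
```

Because `map` compares the whole comma-joined string, a client offering `h2,http/1.1` falls through to the default, which is why each location sets a single protocol name. Since the ALPN list travels in cleartext and is chosen entirely by the connecting client, it is a routing key, not an authentication of the caller.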
4. Invocation examples
4.1 Accessing URIs under the http module
Access /test1
```console
curl -v --http0.9 http://127.0.0.1:5555/test1
* Trying 127.0.0.1:5555...
* Connected to 127.0.0.1 (127.0.0.1) port 5555 (#0)
> GET /test1 HTTP/1.1
> Host: 127.0.0.1:5555
> User-Agent: curl/8.1.0-DEV
> Accept: */*
>
* Closing connection 0
5900 test1 ok
```
Access /test2
```console
curl -v --http0.9 http://127.0.0.1:5555/test2
* Trying 127.0.0.1:5555...
* Connected to 127.0.0.1 (127.0.0.1) port 5555 (#0)
> GET /test2 HTTP/1.1
> Host: 127.0.0.1:5555
> User-Agent: curl/8.1.0-DEV
> Accept: */*
>
* Closing connection 0
5901 test2 ok
```
Access /default
```console
curl -v --http0.9 http://127.0.0.1:5555/default
* Trying 127.0.0.1:5555...
* Connected to 127.0.0.1 (127.0.0.1) port 5555 (#0)
> GET /default HTTP/1.1
> Host: 127.0.0.1:5555
> User-Agent: curl/8.1.0-DEV
> Accept: */*
>
* Closing connection 0
5902 default ok
```
4.2 Accessing the listeners under the stream module
Access port 7777
```console
curl -v --http0.9 http://127.0.0.1:7777/
* Trying 127.0.0.1:7777...
* Connected to 127.0.0.1 (127.0.0.1) port 7777 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:7777
> User-Agent: curl/8.1.0-DEV
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
5900 test1 ok
```
Access port 8888
```console
curl -v --http0.9 http://127.0.0.1:8888/
* Trying 127.0.0.1:8888...
* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8888
> User-Agent: curl/8.1.0-DEV
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
5901 test2 ok
```
Access port 9999
```console
curl -v --http0.9 http://127.0.0.1:9999/
* Trying 127.0.0.1:9999...
* Connected to 127.0.0.1 (127.0.0.1) port 9999 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:9999
> User-Agent: curl/8.1.0-DEV
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
5902 default ok
```