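Setting up an HTTP/2 over TLS proxy with nghttpx

Background: nghttpx and 3proxy together provide an HTTPS (HTTP/2) proxy; the 3proxy HTTP proxy listens on 127.0.0.1:60011.

In this example, nghttpx listens on port 51001 on all addresses.

On FreeBSD, nghttpx is in the ports tree under www/nghttp2. If you need OCSP, be sure to install python2 as well.

The configuration file is as follows: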

daemon=yes
user=www
frontend=*,51001
backend=127.0.0.1,60011
backend-connections-per-host=200
http2-proxy=yes
no-via=yes
ciphers=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK
dh-param-file=/usr/local/etc/ssl/dh.pem
certificate-file=/usr/local/etc/ssl/fullchain.pem
private-key-file=/usr/local/etc/ssl/privkey.pem
fetch-ocsp-response-file=/usr/local/etc/nghttpx/fetch-ocsp-response

On FreeBSD, the stock /usr/local/share/nghttp2/fetch-ocsp-response cannot invoke python correctly, so make a copy and change its first line to #!/usr/local/bin/python2
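
The copy-and-fix step above can be scripted as follows. This is an added example, not part of the original page or of nghttp2. The function name fix_ocsp_helper is hypothetical, and the destination path is taken from the fetch-ocsp-response-file line in the configuration above.

```sh
#!/bin/sh
# Added example: make a local copy of nghttpx's OCSP helper with a fixed shebang.
# Paths are the ones on this page; the function name is hypothetical.

# fix_ocsp_helper SRC DST INTERP
#   Copy SRC to DST, replacing (or adding) the shebang line with "#!INTERP".
#   Returns 1 if SRC is unreadable, 2 if INTERP is not an executable file.
fix_ocsp_helper() {
    src=$1 dst=$2 interp=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -x "$interp" ] || { echo "no interpreter at $interp" >&2; return 2; }

    # Build the new file next to DST so the final rename is atomic.
    tmp=$(mktemp "${dst}.XXXXXX") || return 1
    {
        printf '#!%s\n' "$interp"
        # Drop the original shebang if there is one; otherwise keep every line.
        if head -n 1 "$src" | grep -q '^#!'; then
            tail -n +2 "$src"
        else
            cat "$src"
        fi
    } > "$tmp" || { rm -f "$tmp"; return 1; }

    # nghttpx executes this file, so only its owner should be able to write it.
    chmod 755 "$tmp" && mv "$tmp" "$dst"
}

# Usage on the FreeBSD host described above (run as root):
#   fix_ocsp_helper /usr/local/share/nghttp2/fetch-ocsp-response \
#       /usr/local/etc/nghttpx/fetch-ocsp-response /usr/local/bin/python2
```

Checking that the interpreter exists before writing anything catches a missing python2 at install time rather than at the first OCSP fetch.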

Attached is the FreeBSD startup script nghttpx_multi

freebsd/network/nghttpx_http2_tls_proxy.txt · Last modified: 2016/05/23 17:15 by Hshh