How to reuse ports in nginx

nginx-1.15.2 version adds the $ssl_preread_protocol variable, through which you can pre-determine whether the connection is an SSL/TLS protocol or a non-SSL/TLS protocol when using the stream reverse proxy, thereby achieving the same Ports to forward different services.

The stream_ssl_preread module checks the initial ClientHello message in an SSL or TLS connection and extracts several values ​​which can be used to manage the connection. The $ssl_preread_protocol variable added in version 1.15.2 captures the latest SSL/TLS version number from the client_version field of the message ClientHello. If the supported_versions extension ClientHello exists in the message, the variable is set to TLSv1.2/TLSv1.3.

Example: Run Nginx on a reverse proxy server and listen to port 443. There are two sets of services on the backend, one is HTTPS (TLS1.2/1.3 enabled) website service, and the other is SSH service. , we need to realize that these two sets of services run on the same port (configured port 443) - the entry request is automatically distinguished by Nginx.

For simplicity, I use the docker environment directly at this time

nginx version

# docker exec -it nginx nginx -V
nginx version: nginx/1.15.10
built by gcc 8.2.0 (Alpine 8.2.0)
built with OpenSSL 1.1.1b  26 Feb 2019
......

Directory file

 # tree ./nginx-with-L4-reuse/./nginx-with-L4-reuse/
├── config│   └── nginx
│       ├── conf.d
│       │   └── default.conf
│       ├── fastcgi.conf
│       ├── fastcgi_params
│       ├── mime.types
│       └── nginx.conf
└── docker-compose.yaml

3 directories, 6 files

docker-compose.yaml

# docker-compose.yaml
version: "2.4"
services:
  nginx:
    container_name: nginx
    image: nginx:alpine
    network_mode: host
    volumes:
      - ./config/nginx:/etc/nginx/:ro
    ports:
      - "443:443"
    restart: always

nginx.conf

user  nginx;
worker_processes  2;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}

stream {
    log_format stream '{"@access_time":"$time_iso8601",'
        '"clientip":"$remote_addr",'
        '"pid":$pid,'
        '"pro":"$protocol",'
        '"ssl_pro": "$ssl_preread_protocol"',
        '"pro":"$protocol",'
        '"stus":$status,'
        '"sent":$bytes_sent,'
        '"recv":$bytes_received,'
        '"sess_time":$session_time,'
        '"up_addr":"$upstream_addr",'
        '"up_sent":$upstream_bytes_sent,'
        '"up_recv":$upstream_bytes_received,'
        '"up_conn_time":$upstream_connect_time,'
        '"up_resp_time":"$upstream_first_byte_time",'
        '"up_sess_time":$upstream_session_time}';

    upstream ssh {
        server 192.168.50.212:22;
    }

    upstream web {
        server 192.168.50.215:443;
    }

    map $ssl_preread_protocol $upstream {
        default ssh;
        "TLSv1.2" web;
        "TLSv1.3" web;
    }

    # SSH and SSL on the same port
    server {
        listen 443;

        proxy_pass $upstream;
        ssl_preread on;
        access_log /var/log/nginx/stream_443.log stream;
    }
}

$ssl_preread_protocol implements different business configurations at the IP layer, which is very meaningful for certain needs - although there are functional limitations. However, Tengine-2.3.0 has implemented IP layer based on domain name forwarding. Perhaps this feature will be introduced to Nginx.

For more Nginx related technical articles, please visit the Nginx usage tutorial column to learn!

The above is the detailed content of How to reuse ports in nginx. For more information, please follow other related articles on the PHP Chinese website!