使用PAC file结合ATS控制访问

Posted zyxnhr



介绍:前面已经介绍了ATS的安装和PAC文件的写法格式,现在把nginx端口转发、PAC file访问控制和ATS代理结合起来,达到分别控制不同机器访问不同URL权限的目的。

一、使用nginx端口转发

在机器192.168.43.85使用yum安装nginx

1.1 配置upstream

[[email protected] ~]# vim /etc/nginx/nginx.conf

# nginx.conf: main context plus the http and stream contexts.
# NOTE(review): the braces that open and close the events, http and stream
# contexts were lost when this listing was extracted; the real file is
# brace-delimited.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events 
    worker_connections 1024;


http 
    log_format  main  $remote_addr - $remote_user [$time_local] "$request" 
                      $status $body_bytes_sent "$http_referer" 
                      "$http_user_agent" "$http_x_forwarded_for";

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    # Every http server, including the PAC file server of section 2, is pulled in by this glob.
    include /etc/nginx/conf.d/ngx_http/http.conf.*;  


# The stream context is a raw TCP relay: it does not parse HTTP, so nothing
# set in the http context (allow/deny on the PAC server, add_header, expires)
# applies to the connections relayed here.
stream 
        # Module ngx_stream_core_module
        preread_buffer_size         128k;       # Keep default value.
        preread_timeout             180s;
        proxy_protocol_timeout      180s;
        tcp_nodelay                 on;         # Enables the use of the TCP_NODELAY option.
        variables_hash_bucket_size  128;        # Keep default value.
        variables_hash_max_size     1024;       # Keep default value.

        # Module ngx_stream_log_module
        # Session-level log: client address, bytes each way and the upstream chosen.
        # This is the only record of who used the relay, so keep it enabled.
        log_format           stream [$time_iso8601] 
                                    $remote_addr 
                                    $protocol 
                                    "Status-Code: $status" 
                                    "Bytes-Sent: $bytes_sent" 
                                    "Bytes-Reveived: $bytes_received" 
                                    "Session-Time: $session_time" 
                                    "Upstream-Addr: $upstream_addr" 
                                    "Upstream-Bytes-Sent: $upstream_bytes_sent" 
                                    "Upstream-Bytes-Received: $upstream_bytes_received" 
                                    "Upstream-Connect-Time: $upstream_connect_time";
        access_log           /var/log/nginx/stream.acc stream;
error_log            /var/log/nginx/stream.err;
        open_log_file_cache  max=10240;

        # Module ngx_stream_proxy_module
        proxy_buffer_size            128k;      # Keep default value.
        proxy_connect_timeout        180s;
        proxy_download_rate          0;         # Keep default value.
        proxy_next_upstream          on;        # Keep default value.
        proxy_next_upstream_timeout  1;         # Keep default value.
        proxy_next_upstream_tries    2;         # Keep default value.
        proxy_protocol               off;       # off: the PROXY protocol header is NOT sent to the proxied server.
        proxy_timeout                180s;
        proxy_upload_rate            0;         # Keep default value.

        # Module ngx_stream_upstream_module

        include  /etc/nginx/include/stream.upstream;        # path of the upstream definition file (section 1.3)
        include  /etc/nginx/conf.d/ngx_stream/Proxy/stream.conf.*;     # per-port stream servers; this is where access to the upstream is meant to be restricted

1.2 配置转发

[[email protected] ~]# vim /etc/nginx/conf.d/ngx_stream/Proxy/stream.conf.proxy10001

# Stream server for port 8000: raw TCP relay to the "proxy10001" upstream.
# NOTE(review): with the include on the next line commented out there is no
# allow/deny on this listener, so any host that can reach TCP/8000 is relayed
# to the upstream proxy. The allow/deny added to the PAC file server in
# section 2.4 only limits who can download the PAC; it does not limit who can
# use this port. If the included file holds only allow/deny lines it is valid
# in the stream context too (ngx_stream_access_module) -- confirm before
# re-enabling it.
server 
#       include  conf.d/ngx_stream/Proxy/include/http.ipallow.10001;

        # Module ngx_stream_core_module
        listen      8000;       # binds port 8000 (the original comment said 80; the netstat output in 1.4 shows 0.0.0.0:8000)

        # Module ngx_stream_log_module
        access_log  /var/log/nginx/stream.proxy.10001.acc stream;
        error_log   /var/log/nginx/stream.proxy.10001.err;

        # Module ngx_stream_proxy_module (proxy_pass inside a stream server; not ngx_http_proxy_module)
        proxy_pass  proxy10001;   # forward to the upstream defined in /etc/nginx/include/stream.upstream

1.3 配置upstream的文件

[[email protected] ~]# vim /etc/nginx/include/stream.upstream 

# Module ngx_stream_upstream_module
# Upstream group referenced by "proxy_pass proxy10001" in stream.conf.proxy10001.
# The relay to this address is plain TCP: nginx adds no authentication or
# encryption of its own, so whatever a client sends to port 8000 reaches
# 45.77.246.61:10001 unchanged.
upstream proxy10001 
        server 45.77.246.61:10001;

1.4 重启nginx

[[email protected] ~]# nginx -s reload

[[email protected] ~]# netstat -ntlp |grep 8000

tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      1279/nginx: master 

关闭防火墙和selinux

1.5 客户端配置查看


查看IP


二 结合pacfile

写一个PAC file,可以使用http下载

2.1 把PAC file 放在nginx的一个访问目录下

[[email protected] html]# pwd

/usr/share/nginx/html

[[email protected] html]# ll

-rw-r--r--. 1 root root 8846 Jun  9 09:14 proxy10001.pac

2.2 配置文件

# HTTP server that serves the PAC file from /usr/share/nginx/html on port 80.
# NOTE(review): this first version has no allow/deny, so anyone who can reach
# port 80 can download the PAC and read the proxy address out of it. Section
# 2.4 adds the access list.
server 
        # Module ngx_http_core_module
        listen      80;
        # Module ngx_http_charset_module
        charset     utf-8;

        # Module ngx_http_log_module
        access_log  /var/log/nginx/ngx_http/http.pacfiles.acc main;
        error_log   /var/log/nginx/ngx_http/http.pacfiles.err;

        location / 
                expires 0;              # asks clients not to keep the PAC; section 2.5 adds Cache-Control as well
                root  /usr/share/nginx/html;
        

2.3 检测脚本

[[email protected] ~]# vim /etc/nginx/nginx.conf


查看


使用nginx的访问控制,控制pac文件可以被哪些IP访问

2.4 从80口控制

[[email protected] ~]# vim /etc/nginx/conf.d/ngx_http/http.conf.pacfiles

# HTTP server that serves the PAC file, now with an IP access list.
# The include sits at server level, so its allow/deny rules apply to every
# location in this server, i.e. to the whole PAC download path.
# NOTE(review): this gates only the download of the PAC file. A client that
# already knows the proxy address can still point its browser at port 8000
# directly; restrict that port in the stream server if that matters.
server 
        # Core functionality
       include     conf.d/ngx_http/include/http.ipallow.10001;   # add this line (contents shown below)
        # Module ngx_http_core_module
        listen      80;
        # Module ngx_http_charset_module
        charset     utf-8;

        # Module ngx_http_log_module
        access_log  /var/log/nginx/ngx_http/http.pacfiles.acc main;
        error_log   /var/log/nginx/ngx_http/http.pacfiles.err;

        location / 
                expires 0;
                root  /usr/share/nginx/html;
        

 

[[email protected] ~]# vim /etc/nginx/conf.d/ngx_http/include/http.ipallow.10001 

# Access list included at server level by http.conf.pacfiles.
# allow/deny rules are checked in order and the first match wins. With the
# allow line commented out, "deny all" matches every client, including
# 192.168.43.0/24, so nobody can fetch the PAC -- which is why the next step
# finds the PAC not taking effect.
#allow 192.168.43.0/24;   # local subnet, commented out => local access is denied as well
deny all;

查看IP

pacfile没有生效

[[email protected] ~]# vim /etc/nginx/conf.d/ngx_http/include/http.ipallow.10001 

# Access list included at server level by http.conf.pacfiles: the local
# subnet may download the PAC, everything else is refused.
# Rules are evaluated in order, so "allow" must come before "deny all".
# NOTE(review): the match is on the client address nginx sees; clients behind
# a NAT or another proxy all present that device's address -- confirm the
# topology before relying on this list.
allow 192.168.43.0/24;   # allow the local subnet
deny all;

 

但是,由于存在缓存,每次禁止访问后,客户端依然可以访问到代理。

2.5 禁止浏览器缓存

配置

[[email protected] ~]# vim /etc/nginx/nginx.conf

# nginx.conf, http context: same as section 1.1 plus two Cache-Control headers
# so that a changed access list takes effect on the next PAC fetch.
# NOTE(review): the braces of the events and http contexts were lost in
# extraction; the real file is brace-delimited.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events 
    worker_connections 1024;


http 
    log_format  main  $remote_addr - $remote_user [$time_local] "$request" 
                      $status $body_bytes_sent "$http_referer" 
                      "$http_user_agent" "$http_x_forwarded_for";

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    # Two add_header lines emit two separate Cache-Control response headers;
    # a single `add_header Cache-Control "no-store, no-cache";` would be the
    # usual form. add_header set here is inherited by a server/location only
    # if that level defines no add_header of its own, so keep the PAC server
    # free of add_header directives (it currently is) or repeat these there.
    # These headers apply to every http server under this context, not only
    # the PAC file server.
    add_header Cache-Control no-store;   # do not cache
    add_header Cache-Control no-cache;    # do not cache
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/ngx_http/http.conf.*;

 

则每次更改权限后,不会有缓存,可立即生效!
