New users of Alibaba Cloud VPC ECS commonly run into this problem: EIPs are bound only to the few ECS instances that serve external traffic, or, for security, you do not want every ECS instance to carry an EIP and be exposed to intrusion from outside. The question then becomes how an internal-only ECS instance can reach the Internet when it needs to, which usually comes up during operations work and software installation. The official site documents several workable approaches; to make them clearer for users, here is a short summary:
1. This need usually arises from wanting to install software from an external yum repository. Alibaba Cloud provides an internal yum mirror for ECS; see:
https://help.aliyun.com/knowledge_detail/5980325.html
The commonly used packages are all there, and the page explains in detail how to update it and how to import external repositories. Using the Alibaba Cloud yum mirror first is strongly recommended.
2. Add a route on the vRouter and reach the Internet through a Linux host that has an EIP
In the classic network an ECS instance cannot do network-layer routing, so this approach is not possible there; in a VPC it becomes possible because the vRouter routing service exists. In short, to give an internal ECS instance Internet access, add a static route on the vRouter and let a Linux server with an EIP forward the traffic. See the following for the exact steps:
https://help.aliyun.com/knowledge_detail/6704687.html
3. Use an ECS instance with an EIP as an application-layer proxy (such as nginx) to forward traffic for specific protocols or ports, typically HTTP and HTTPS.
This is the classic nginx forward-proxy function. The setup that was tested:
CentOS 6.5 64-bit,
nginx-1.8.0, pcre-8.38,
the other packages nginx needs, such as openssl, taken from the Alibaba Cloud system image
nginx build:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-pcre=/tmp/pcre-8.38
After the build and install succeed, the nginx.conf used is as follows:
    #user nobody;
    worker_processes 4;
    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;
    #pid logs/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
        #                '$status $body_bytes_sent "$http_referer" '
        #                '"$http_user_agent" "$http_x_forwarded_for"';
        #access_log logs/access.log main;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        #keepalive_timeout 0;
        keepalive_timeout 65;
        server_names_hash_bucket_size 128;
        client_header_buffer_size 32k;
        large_client_header_buffers 4 32k;
        client_max_body_size 50m;
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
        gzip_vary on;
        gzip_proxied expired no-cache no-store private auth;
        gzip_disable "MSIE [1-6]\.";
        server_tokens off;
        log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" $http_x_forwarded_for';

        server {
            listen 80;
            server_name localhost;
            #charset koi8-r;
            #access_log logs/host.access.log main;
            location / {
                root html;
                index index.html index.htm;
            }
            #error_page 404 /404.html;
            # redirect server error pages to the static page /50x.html
            #
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }
            # proxy the PHP scripts to Apache listening on 127.0.0.1:80
            #
            #location ~ \.php$ {
            #    proxy_pass http://127.0.0.1;
            #}
            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            #location ~ \.php$ {
            #    root html;
            #    fastcgi_pass 127.0.0.1:9000;
            #    fastcgi_index index.php;
            #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
            #    include fastcgi_params;
            #}
            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /\.ht {
            #    deny all;
            #}
        }

        ####################### Reverse proxy to an internal HTTP site #######################
        upstream fit {
            server 127.0.0.1:8888 max_fails=5;
        }
        # another virtual host using mix of IP-, name-, and port-based configuration
        #
        server {
            listen 8000;
            # listen somename:8080;
            server_name www.sina.com.cn;
            location / {
                proxy_pass http://fit;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_buffering off;
                proxy_redirect http://www.sina.com.cn/ /;
                root html;
                index index.html index.htm;
            }
        }

        ####################### Reverse proxy to an internal HTTPS site (not tested this time) #######################
        # HTTPS server
        #
        #server {
        #    listen 443 ssl;
        #    server_name localhost;
        #    ssl_certificate cert.pem;
        #    ssl_certificate_key cert.key;
        #    ssl_session_cache shared:SSL:1m;
        #    ssl_session_timeout 5m;
        #    ssl_ciphers HIGH:!aNULL:!MD5;
        #    ssl_prefer_server_ciphers on;
        #    location / {
        #        root html;
        #        index index.html index.htm;
        #    }
        #}

        ####################### Forward proxy to external HTTP sites #######################
        # Note: server blocks must sit inside the http block; the closing brace of
        # http therefore comes after the forward-proxy servers below.
        server {
            listen 8080;
            resolver 10.143.22.116;
            # listen somename:8080;
            # server_name www.sina.com.cn;
            location / {
                root html;
                index index.html index.htm;
                proxy_pass $scheme://$host$request_uri;
                proxy_set_header HOST $http_host;
                proxy_buffers 256 4k;
                proxy_max_temp_file_size 0k;
                proxy_connect_timeout 30;
                proxy_send_timeout 60;
                proxy_read_timeout 60;
                proxy_next_upstream error timeout invalid_header http_502;
            }
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }
        }

        ####################### Forward proxy to external HTTPS sites #######################
        server {
            resolver 10.143.22.116;
            listen 8443;
            location / {
                root html;
                index index.html index.htm;
                proxy_pass https://$host$request_uri;
                proxy_buffers 256 4k;
                proxy_max_temp_file_size 0k;
                proxy_connect_timeout 30;
                proxy_send_timeout 60;
                proxy_read_timeout 60;
                proxy_next_upstream error timeout invalid_header http_502;
            }
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }
        }
    }
The tests covered reverse proxying to an HTTP service inside the cloud, forward proxying to external HTTP services, and forward proxying to external HTTPS services.
How the forward proxy was tested:
curl --proxy proxy_server:8080 http://www.sina.com.cn/
curl --proxy proxy_server:8443 http://www.taobao.com/
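The two forward-proxy server blocks above answer any client that can reach ports 8080 and 8443, so the access log is where you verify that only VPC hosts are using the proxy and which sites they fetch. The following is an added example, not code from the original post: a Python parser for the access log_format defined in the nginx.conf above, run over constructed sample lines. It assumes an access_log logs/access.log access; directive has been enabled (the config defines the format but leaves access_log commented out) and uses 10.0.0.0/8 as a placeholder for the VPC range.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches the 'access' log_format from the nginx.conf above. Its last field,
# $http_x_forwarded_for, is not quoted in that format, so it is taken as the
# rest of the line (it may be "-" or a comma-separated list of addresses).
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" '
    r'"(?P<agent>[^"]*)" (?P<xff>.*)$'
)
# Assumed VPC address range (placeholder): replace with the real VPC CIDR.
VPC_CIDR = ip_network("10.0.0.0/8")

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Through the forward proxy the request line carries an absolute URI,
    # e.g. "GET http://www.sina.com.cn/ HTTP/1.1"; extract the target host.
    parts = rec["request"].split(" ")
    um = re.match(r"^[a-z]+://([^/:]+)", parts[1]) if len(parts) >= 2 else None
    rec["target_host"] = um.group(1) if um else None
    return rec

def summarize(lines):
    """Return (target hosts per client address, client addresses outside the VPC)."""
    per_client, outside = defaultdict(set), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["target_host"] is None:
            continue  # unparsable, or a plain request to the proxy host itself
        per_client[rec["addr"]].add(rec["target_host"])
        if ip_address(rec["addr"]) not in VPC_CIDR:
            outside.add(rec["addr"])
    return dict(per_client), outside

# Constructed sample log lines in the 'access' format (not real traffic).
SAMPLE = [
    '10.0.1.15 - - [10/Oct/2016:12:00:01 +0800] "GET http://www.sina.com.cn/ HTTP/1.1" 200 512 "-" "curl/7.19.7" -',
    '10.0.1.15 - - [10/Oct/2016:12:00:02 +0800] "GET http://mirrors.example.test/repodata/repomd.xml HTTP/1.1" 200 2048 "-" "urlgrabber/3.9.1 yum/3.2.29" -',
    '10.0.1.22 - - [10/Oct/2016:12:00:03 +0800] "GET http://www.taobao.com/ HTTP/1.1" 200 777 "-" "curl/7.19.7" -',
    '203.0.113.9 - - [10/Oct/2016:12:00:04 +0800] "GET http://www.taobao.com/ HTTP/1.1" 200 777 "-" "python-requests/2.9" 198.51.100.7, 203.0.113.9',
    '10.0.1.15 - - [10/Oct/2016:12:00:05 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.19.7" -',
]
```

Any address reported in the second return value is a client outside the VPC using the forward proxy, which with this config is only prevented by security-group rules on the proxy ECS.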
4. If the vRouter can later be bound to an EIP directly, approach 2 can be simplified further: no extra ECS server will be needed for packet forwarding. Looking forward to it...
Copyright notice: this content was contributed by a real-name registered Alibaba Cloud user, and the copyright belongs to the original author. The Alibaba Cloud Developer Community does not own the copyright and bears no corresponding legal responsibility. For the specific rules, see the Alibaba Cloud Developer Community User Service Agreement and the Alibaba Cloud Developer Community Intellectual Property Protection Guidelines. If you find content in this community suspected of plagiarism, fill in the infringement complaint form to report it; once verified, the community will immediately remove the infringing content.