
Forward Proxy

Last updated: 2017-06-07 13:26:11

Alibaba Cloud GPU physical machines cannot reach the public internet directly; they can only reach it through a forward proxy running on an ECS instance. This document explains how to set up that proxy server.

1. Determine the IP addresses

First confirm the following IP addresses: the ECS public IP (not disclosed here; this document writes it as XXX.XXX.XXX.XXX) and the ECS private IP (10.10.10.10 in this example), and the GPU physical machine's private IP (10.239.23.4 in this example).

2. Log in to the ECS jump host

Log in to the ECS instance with PuTTY (on Windows) or the ssh command (on Linux). Note that you must log in using the ECS public IP.

ssh -l login_name XXX.XXX.XXX.XXX    # ECS public IP

After logging in, use ssh on the ECS jump host to log in to the GPU physical machine:

ssh -l root 10.239.23.4    # GPU physical machine private IP

3. Deploy the proxy server on the ECS jump host

Tengine is used here; it is an open-source web server project initiated by Taobao and based on NGINX. Note that NGINX acting as a forward proxy does not support HTTPS connections, so clients can only reach HTTP services through it. If you need to access HTTPS services from the physical machine, choose a different web server as the proxy.

3.1 Install Tengine

Open a new terminal and log in to the ECS jump host. Download the Tengine source:

wget http://tengine.taobao.org/download/tengine-2.1.1.tar.gz

Extract it:

tar zxvf tengine-2.1.1.tar.gz
cd tengine-2.1.1/

Configure and build:

./configure
make
sudo make install

By default it is installed under /usr/local/nginx/.

3.2 Edit the Tengine configuration file

Open /usr/local/nginx/conf/nginx.conf with root privileges and add the following inside the http{} block (text after # is a comment and may stay in the file):

server {
    resolver 8.8.8.8;            # DNS server IP; change it to suit your environment
    resolver_timeout 5s;         # DNS lookup timeout
    listen 0.0.0.0:8080;         # port that clients connect to; any other port works too
                                 # (binding to the ECS private IP instead of 0.0.0.0 also keeps
                                 #  the proxy off the public interface)
    access_log /root/logs/proxy.access.log;   # access log: records every connection made through the proxy
    error_log  /root/logs/proxy.error.log;    # error log: records every error
                                 # the /root/logs/ directory must exist before Tengine is started,
                                 # otherwise it fails to open the log files

    location / {
        allow 10.239.23.4;       # private IP of the physical machine allowed to use the proxy; adjust as needed
        deny all;                # refuse every host other than the one named above

        # nothing below needs changing; keep the defaults
        proxy_pass $scheme://$host$request_uri;
        proxy_set_header Host $http_host;

        proxy_buffers 256 4k;
        proxy_max_temp_file_size 0;

        proxy_connect_timeout 30;

        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 301 1h;
        proxy_cache_valid any 1m;
    }
}

Save the file.

3.3 Start Tengine

Run the following with root privileges:

sudo /usr/local/nginx/sbin/nginx

If it reports an error, adjust the nginx.conf file from section 3.2 according to the error message.

3.4 Configure the ECS firewall

To save traffic and for security, add firewall rules on the ECS instance so that every request to port 8080 from any host other than the GPU physical machine is blocked. The steps are as follows:

3.4.1 Enable the firewall

CentOS6: service iptables start
CentOS7: systemctl start firewalld

3.4.2 Add firewall rules

First allow the GPU physical machine's IP (10.239.23.4 in this document; change it to match your environment) to access port 8080:

iptables -I INPUT -s 10.239.23.4 -p TCP --dport 8080 -j ACCEPT

Port 8080 must match the port set in the Tengine configuration file in section 3.2. Then drop all other TCP connections to port 8080:

iptables -A INPUT -p TCP --dport 8080 -j DROP

Check that the rules are in effect:

iptables -L -n

You should see the two new rules:

target     prot opt source               destination
ACCEPT     tcp  --  10.239.23.4          0.0.0.0/0           tcp dpt:8080
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
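The two rules only work in this order, because iptables evaluates the INPUT chain top to bottom: the ACCEPT for the GPU host is inserted at the top with -I and the DROP is appended with -A. The following is an added example, not part of the original document, of a POSIX shell check that reads "iptables -S INPUT" output and confirms the ACCEPT rule precedes the DROP rule; the two rule listings inside it are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original document: confirm that the ACCEPT rule
# for the GPU host sits above the DROP rule for the proxy port. In the reverse
# order the DROP matches first and the GPU host is blocked as well.

GPU_IP="10.239.23.4"   # private IP of the GPU physical machine (from the document)
PROXY_PORT="8080"      # must match "listen" in nginx.conf

# check_rule_order: reads "iptables -S INPUT" output on stdin.
# Returns 0 when both rules exist and ACCEPT precedes DROP, 1 otherwise.
check_rule_order() {
    acc=0; drop=0; n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in                    # only rules for the proxy port matter
            *"--dport $PROXY_PORT "*) ;;
            *) continue ;;
        esac
        case "$line" in                    # iptables -S prints hosts as a /32
            *"-s $GPU_IP/32 "*"-j ACCEPT"*) [ "$acc" -eq 0 ] && acc=$n ;;
            *"-j DROP"*)                    [ "$drop" -eq 0 ] && drop=$n ;;
        esac
    done
    if [ "$acc" -gt 0 ] && [ "$drop" -gt 0 ] && [ "$acc" -lt "$drop" ]; then
        return 0
    fi
    return 1
}

# Constructed samples of "iptables -S INPUT" output (not from a real host).
RULES_OK='-P INPUT ACCEPT
-A INPUT -s 10.239.23.4/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP'
RULES_REVERSED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -s 10.239.23.4/32 -p tcp -m tcp --dport 8080 -j ACCEPT'

check_sample_ok()       { printf '%s\n' "$RULES_OK"       | check_rule_order; }
check_sample_reversed() { printf '%s\n' "$RULES_REVERSED" | check_rule_order; }

if check_sample_ok; then
    echo "sample 1: ACCEPT precedes DROP, the GPU host can reach the proxy"
fi
if ! check_sample_reversed; then
    echo "sample 2: DROP precedes ACCEPT, the GPU host would be blocked"
fi
# On the ECS host itself:  iptables -S INPUT | check_rule_order && echo OK
```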

4. Configure the proxy on the GPU physical machine

Return to the GPU physical machine's terminal and configure the proxy. The simplest way is an environment variable. Assuming the ECS private IP is 10.10.10.10 (replace it with your real ECS private IP), run:

export http_proxy=http://10.10.10.10:8080

The proxy port here must correspond to the listening port in nginx.conf on the ECS jump host (listen 0.0.0.0:8080). You can also put the line above in /etc/profile or ~/.bashrc so the proxy is configured automatically whenever you log in to the GPU physical machine.

5. Testing

Test public internet connectivity from the GPU physical machine with different tools. The results are as follows:

5.1 wget and curl test

$ wget http://tengine.taobao.org/download/tengine-2.1.1.tar.gz
--2015-09-21 16:15:50--  http://tengine.taobao.org/download/tengine-2.1.1.tar.gz
Connecting to 10.10.10.10:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 2062650 (2.0M) [application/octet-stream]
Saving to: ‘tengine-2.1.1.tar.gz’

100%[======================================>] 2,062,650   1014KB/s   in 2.0s

2015-09-21 16:15:52 (1014 KB/s) - ‘tengine-2.1.1.tar.gz’ saved [2062650/2062650]

This test confirms that the GPU physical machine can now reach the public internet through the ECS forward proxy.

5.2 yum test

$ sudo yum install openssl
Loaded plugins: fastestmirror, langpacks
base                                                     | 3.6 kB     00:00
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyuncs.com
 * extras: mirrors.aliyuncs.com
 * updates: mirrors.aliyuncs.com
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-42.el7 will be updated
---> Package openssl.x86_64 1:1.0.1e-42.el7.9 will be an update
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.1e-42.el7.9 for package: 1:openssl-1.0.1e-42.el7.9.x86_64
--> Running transaction check
---> Package openssl-libs.x86_64 1:1.0.1e-42.el7 will be updated
---> Package openssl-libs.x86_64 1:1.0.1e-42.el7.9 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch         Version                    Repository     Size
================================================================================
Updating:
 openssl            x86_64       1:1.0.1e-42.el7.9          updates       711 k
Updating for dependencies:
 openssl-libs       x86_64       1:1.0.1e-42.el7.9          updates       949 k

Transaction Summary
================================================================================
Upgrade  1 Package (+1 Dependent package)

Total download size: 1.6 M
Is this ok [y/d/N]:y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/2): openssl-1.0.1e-42.el7.9.x86_64.rpm                  | 711 kB   00:00
(2/2): openssl-libs-1.0.1e-42.el7.9.x86_64.rpm             | 949 kB   00:00
--------------------------------------------------------------------------------
Total                                              5.7 MB/s | 1.6 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : 1:openssl-libs-1.0.1e-42.el7.9.x86_64                        1/4
  Updating   : 1:openssl-1.0.1e-42.el7.9.x86_64                             2/4
  Cleanup    : 1:openssl-1.0.1e-42.el7.x86_64                               3/4
  Cleanup    : 1:openssl-libs-1.0.1e-42.el7.x86_64                          4/4
  Verifying  : 1:openssl-libs-1.0.1e-42.el7.9.x86_64                        1/4
  Verifying  : 1:openssl-1.0.1e-42.el7.9.x86_64                             2/4
  Verifying  : 1:openssl-1.0.1e-42.el7.x86_64                               3/4
  Verifying  : 1:openssl-libs-1.0.1e-42.el7.x86_64                          4/4

Updated:
  openssl.x86_64 1:1.0.1e-42.el7.9

Dependency Updated:
  openssl-libs.x86_64 1:1.0.1e-42.el7.9

Complete!

On the ECS jump host, open the Tengine access log (/root/logs/proxy.access.log) and find the entries belonging to the yum installation above, shown below.

10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/os/x86_64/Packages/libcom_err-devel-1.42.9-7.el7.x86_64.rpm HTTP/1.1" 502 690 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/updates/x86_64/Packages/krb5-libs-1.12.2-15.el7_1.x86_64.rpm HTTP/1.1" 502 691 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/updates/x86_64/Packages/krb5-devel-1.12.2-15.el7_1.x86_64.rpm HTTP/1.1" 502 692 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/os/x86_64/Packages/keyutils-libs-devel-1.5.8-3.el7.x86_64.rpm HTTP/1.1" 502 692 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/os/x86_64/Packages/libselinux-devel-2.2.2-6.el7.x86_64.rpm HTTP/1.1" 200 178532 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/os/x86_64/Packages/libsepol-devel-2.1.9-3.el7.x86_64.rpm HTTP/1.1" 200 72300 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/os/x86_64/Packages/libverto-devel-0.2.5-4.el7.x86_64.rpm HTTP/1.1" 200 11776 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/os/x86_64/Packages/pcre-devel-8.32-14.el7.x86_64.rpm HTTP/1.1" 200 488780 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/os/x86_64/Packages/zlib-devel-1.2.7-13.el7.x86_64.rpm HTTP/1.1" 200 50592 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyun.com/centos/7/os/x86_64/Packages/keyutils-libs-devel-1.5.8-3.el7.x86_64.rpm HTTP/1.1" 200 38232 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyun.com/centos/7/os/x86_64/Packages/libcom_err-devel-1.42.9-7.el7.x86_64.rpm HTTP/1.1" 200 30804 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:12 +0800] "GET http://mirrors.aliyuncs.com/centos/7/updates/x86_64/Packages/openssl-devel-1.0.1e-42.el7.9.x86_64.rpm HTTP/1.1" 200 1235792 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:12 +0800] "GET http://mirrors.aliyun.com/centos/7/updates/x86_64/Packages/krb5-devel-1.12.2-15.el7_1.x86_64.rpm HTTP/1.1" 200 655972 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:12 +0800] "GET http://mirrors.aliyun.com/centos/7/updates/x86_64/Packages/krb5-libs-1.12.2-15.el7_1.x86_64.rpm HTTP/1.1" 200 845708 "-" "urlgrabber/3.10 yum/3.4.3"

The yum repository hosting these packages is on the Alibaba Cloud intranet, so the ECS proxy fetches them over intranet traffic, which saves the user's traffic costs.
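That access log is the only record of which host used the proxy and what it fetched, so it is worth reviewing regularly. The following is an added example, not from the original document, of a POSIX shell audit that reads access log lines in the format shown above and counts requests from any client other than the allowlisted GPU host (a sign that the allow/deny block or the iptables rules are not doing their job) and 5xx responses such as the 502 entries above; the log lines embedded in it are constructed samples modelled on the ones shown, not copied from a real host.

```shell
#!/bin/sh
# Added example, not from the original document: audit the Tengine access log
# written by the configuration in section 3.2. Every line should come from the
# allowlisted GPU host; anything else means the allow/deny block or the
# iptables rules are not working. A 5xx status means the proxy could not
# fetch the requested resource from the origin.

ALLOWED_CLIENT="10.239.23.4"   # the only host permitted in nginx.conf

# audit_proxy_log: reads access log lines (nginx combined format, as in the
# document) on stdin and prints one summary line:
#   requests=N unexpected_clients=N errors_5xx=N
audit_proxy_log() {
    total=0; unexpected=0; errors=0
    set -f   # disable globbing so the unquoted split below is safe
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # split on whitespace: $1 is the client IP, $7 the URL, $9 the HTTP status
        set -- $line
        total=$((total + 1))
        [ "$1" = "$ALLOWED_CLIENT" ] || unexpected=$((unexpected + 1))
        case "$9" in
            5[0-9][0-9]) errors=$((errors + 1)) ;;
        esac
    done
    set +f
    echo "requests=$total unexpected_clients=$unexpected errors_5xx=$errors"
}

# Constructed sample log lines modelled on the ones shown in the document
# (the 10.10.10.99 entry is invented to show a client that should have been denied).
LOG_SAMPLE='10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/os/x86_64/repodata/repomd.xml HTTP/1.1" 200 2883 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:11 +0800] "GET http://mirrors.aliyuncs.com/centos/7/updates/x86_64/Packages/krb5-libs-1.12.2-15.el7_1.x86_64.rpm HTTP/1.1" 502 691 "-" "urlgrabber/3.10 yum/3.4.3"
10.239.23.4 - - [21/Sep/2015:17:26:12 +0800] "GET http://mirrors.aliyun.com/centos/7/updates/x86_64/Packages/krb5-libs-1.12.2-15.el7_1.x86_64.rpm HTTP/1.1" 200 845708 "-" "urlgrabber/3.10 yum/3.4.3"
10.10.10.99 - - [21/Sep/2015:17:30:00 +0800] "GET http://example.com/ HTTP/1.1" 200 1256 "-" "curl/7.29.0"'

audit_sample() { printf '%s\n' "$LOG_SAMPLE" | audit_proxy_log; }

audit_sample   # prints: requests=4 unexpected_clients=1 errors_5xx=1
# On the ECS host itself:  audit_proxy_log < /root/logs/proxy.access.log
```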
