|
案例场景:
某服务器群组位于内网环境,不能访问互联网,因为我们在做Prometheus+grafana+钉钉告警的时候无法将告警消息发送到钉钉群,以便及时发现和处理故障问题。钉钉消息是需要发送消息给钉钉的机器人的接口的,没有互联网的条件使消息无法被接收。因此,针对此需求,我们应该如何解决该问题呢?
解决思路:
在此内网服务器集群外部放置一台既可以访问互联网,又可以和内网环境互通的机器,作为代理服务器,将钉钉机器人接口进行代理,提供给内网服务器群组来实现告警消息发送。
实际操作:
内网服务器:192.168.100.100(内网)
代理服务器:192.168.100.200(内网) 10.10.17.19 (互联网)
钉钉机器人地址:
https://oapi.dingtalk.com/robot/send?access_token=xxxxxx
代理服务器上安装nginx:
# 给代理服务器配置DNS
vim /etc/resolv.conf
nameserver 114.114.114.114
# 编译nginx 需要模块ngx_http_proxy_connect_module
git clone https://gitee.com/web_design_of_web_frontend/ngx_http_proxy_connect_module.git
# 打补丁 需要对应nginx 版本
patch -p1 < /app/pac/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_1018.patch
# 配置
/configure --prefix=/usr/local/nginx --with-http_ssl_module --with-zlib=/app/pac/zlib-1.2.7.1 --with-pcre=/app/pac/pcre-8.36 --add-module=/app/pac/ngx_http_proxy_connect_module
# 编译
make && make install
# 配置
配置nginx/conf/nginx.conf
#正向代理
server{
resolver 114.114.114.114;
resolver_timeout 30s;
listen 80;
proxy_connect; #启用 CONNECT HTTP方法
proxy_connect_allow 443 80; #指定代理CONNECT方法可以连接的端口号或范围的列表
proxy_connect_connect_timeout 20s; #定义客户端与代理服务器建立连接的超时时间
proxy_connect_read_timeout 20s; #定义客户端从代理服务器读取响应的超时时间
proxy_connect_send_timeout 20s; #设置客户端将请求传输到代理服务器的超时时间
location / {
proxy_pass $scheme://$http_host$request_uri;
}
}
# 代理钉钉接口:
location /robot/ {
proxy_pass https://oapi.dingtalk.com/robot/;
}
# 内网服务器上配置的钉钉机器人地址:
http://192.168.100.200/robot/send?access_token=xxxxxx
# 测试命令:
curl '这里替换成你刚刚得到的Webhook地址' \ -H 'Content-Type: application/json' \ -d '{"msgtype": "text","text": {"content":"这里替换成你要发送的消息"}}'
curl 'http://192.168.100.200/robot/send?access_token=xxxxxx' \ -H 'Content-Type: application/json' \ -d '{"msgtype": "text","text": {"content":"测试钉钉告警"}}'
其他形式的:
带link的:
curl '这里替换成你刚刚得到的Webhook地址' \ -H 'Content-Type: application/json' \ -d { "msgtype": "link", "link": { "text": "这里可以写一段对于链接的简介", "title": "链接标题,可自定义", "picUrl": "如果有链接截图或图标请在这里填写图片地址", "messageUrl": "链接地址写在这里" } }
markdown图文:
curl '这里替换成你刚刚得到的Webhook地址' \ -H 'Content-Type: application/json' \ -d { "msgtype": "markdown", "markdown": { "title":"杭州天气", "text": "#### 杭州天气 @150XXXXXXXX \n > 9度,西北风1级,空气良89,相对温度73%\n > \n > ###### 10点20分发布 [天气](https://www.dingtalk.com) \n" }, "at": { "atMobiles": [ "150XXXXXXXX" ], "atUserIds": [ "user123" ], "isAtAll": false } }
卡片:
curl '这里替换成你刚刚得到的Webhook地址' \ -H 'Content-Type: application/json' \ -d { "actionCard": { "title": "乔布斯 20 年前想打造一间苹果咖啡厅,而它正是 Apple Store 的前身", "text": " ### 乔布斯 20 年前想打造的苹果咖啡厅 Apple Store 的设计正从原来满满的科技感走向生活化,而其生活化的走向其实可以追溯到 20 年前苹果一个建立咖啡馆的计划", "btnOrientation": "0", "singleTitle" : "阅读全文", "singleURL" : "https://www.dingtalk.com/" }, "msgtype": "actionCard" }
参考资料:
centos7实现nginx部署支持http和https正向代理功能(安装ngx_http_proxy_connect_module模块)_cuikai314的博客-CSDN博客_centos https代理
https://www.jianshu.com/p/af2e41d9019b?u_atoken=fdd0c466-2c7a-45ea-b270-299dd72e31c5&u_asession=01LnNk3m9xe_8l59WiTJOMsF9JHj72HvnNKpU41CPwt7CRyom9f_XdkZt7Ui2TfRZlX0KNBwm7Lovlpxjd_P_q4JsKWYrT3W_NKPr8w6oU7K9bT-DQGwuQNWmsHblEsYC8MKWrbBzYAhXhkL4v5_cjQmBkFo3NEHBv0PZUm6pbxQU&u_asig=05_iqjE2ctFye6sIp-0lih0QGaQcz3yHVjU2cF3XcdzZ63LcwMfef9ovGLEH18ndUxWVUBoKciiTQCStUns3NAXsAw9kwBWKe-mkkVJi9hkDSWilxS6IxqX0PbWYNCDqcsJLWeqY9kbyfVwRNGSQumFWd3QhOAKz_ZcQV8AkR2GN79JS7q8ZD7Xtz2Ly-b0kmuyAKRFSVJkkdwVUnyHAIJzaBXPgX2jLteKVkJgwRpx_wVmVNYz2wO73GYs3dDKmrPdf9JIAkyKervFWgmMgV8j-3h9VXwMyh6PgyDIVSG1W9rAJHyQkDOKHQfaKbjfTb3LJ0CqtehMVLVIw0n4HVzWnadJ0xfmn5JK-2P3SMZ6ojd1-BTadcTwqbhIda8yFL4mWspDxyAEEo4kbsryBKb9Q&u_aref=y1PCcT3Lgk7eeZaURCYxbbJp46s%3D https://www.jianshu.com/p/af2e41d9019b?u_atoken=fdd0c466-2c7a-45ea-b270-299dd72e31c5&u_asession=01LnNk3m9xe_8l59WiTJOMsF9JHj72HvnNKpU41CPwt7CRyom9f_XdkZt7Ui2TfRZlX0KNBwm7Lovlpxjd_P_q4JsKWYrT3W_NKPr8w6oU7K9bT-DQGwuQNWmsHblEsYC8MKWrbBzYAhXhkL4v5_cjQmBkFo3NEHBv0PZUm6pbxQU&u_asig=05_iqjE2ctFye6sIp-0lih0QGaQcz3yHVjU2cF3XcdzZ63LcwMfef9ovGLEH18ndUxWVUBoKciiTQCStUns3NAXsAw9kwBWKe-mkkVJi9hkDSWilxS6IxqX0PbWYNCDqcsJLWeqY9kbyfVwRNGSQumFWd3QhOAKz_ZcQV8AkR2GN79JS7q8ZD7Xtz2Ly-b0kmuyAKRFSVJkkdwVUnyHAIJzaBXPgX2jLteKVkJgwRpx_wVmVNYz2wO73GYs3dDKmrPdf9JIAkyKervFWgmMgV8j-3h9VXwMyh6PgyDIVSG1W9rAJHyQkDOKHQfaKbjfTb3LJ0CqtehMVLVIw0n4HVzWnadJ0xfmn5JK-2P3SMZ6ojd1-BTadcTwqbhIda8yFL4mWspDxyAEEo4kbsryBKb9Q&u_aref=y1PCcT3Lgk7eeZaURCYxbbJp46s%3D
#安装依赖
yum -y install patch unzip gcc gcc-c++ autoconf automake zlib zlib-devel libtool
cd /data1/softwares
tar -zxf pcre-8.32.tar.gz
tar -zxf openssl-1.0.2h.tar.gz #该版本nginx不支持openssl 1.1.1ntar -zxf nginx-1.21.1.tar.gz
mkdir /usr/lib64/nginx/ngx_http_proxy_connect_module-master -p
unzip ngx_http_proxy_connect_module-master.zip #nginx https正向代理需要该module,安装方式参考:https://github.com/chobits/ngx_http_proxy_connect_module
cp -r /data1/softwares/ngx_http_proxy_connect_module-master /usr/lib64/nginx/ngx_http_proxy_connect_module
cd /data1/softwares/nginx-1.21.1
patch -p1 < /usr/lib64/nginx/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_102101.patch
./configure --add-module=/usr/lib64/nginx/ngx_http_proxy_connect_module --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/usr/local/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-pcre=/data1/softwares/pcre-8.32 --with-openssl=/data1/softwares/openssl-1.0.2h
make && make install
--------------nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /usr/local/nginx/nginx.conf
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)"
[Install]
WantedBy=multi-user.target
--------------nginx.conf
user nginx;
worker_rlimit_nofile 655350;
worker_processes auto;
worker_cpu_affinity auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log warn;
events {
use epoll;
worker_connections 655350;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
'--"$upstream_addr" $upstream_status $upstream_response_time "$upstream_http_content_type" "$ssl_protocol" "$ssl_cipher"';
log_format access '{"@timestamp":"$time_iso8601",'
'"remote_IP":"$remote_addr",'
'"time_local":"[$time_local]",'
'"request":"$request",'
'"status_code":$status,'
'"size":$body_bytes_sent,'
'"referer":"$http_referer",'
'"http_host":"$http_host",'
'"DeviceIdentifier":"$http_DeviceIdentifier",'
'"DeviceType":"$http_DeviceType",'
'"LoanUserID":"$http_LoanUserID",'
'"reqs_body":"$request_body",'
'"ssl_protocol":"$ssl_protocol",'
'"ssl_cipher":"$ssl_cipher",'
'"user_agent":"$http_user_agent",'
'"x_forward_for":"$http_x_forwarded_for",'
'"upstream_addr":"$upstream_addr",'
'"upstream_statcode":"$upstream_status",'
'"request_time":"$request_time",'
'"upstream_resptime":"$upstream_response_time",'
'"upstream_conttype":"$upstream_http_content_type",'
'"http_Content-Type":"$sent_http_content_type",'
'"http_Content-Length":"$sent_http_content_length",'
'"http_Connection":"$sent_http_connection",'
'"http_Cache-Control":"$sent_http_cache_control",'
'"http_Expires":"$sent_http_expires",'
'"http_Last-Modified":"$sent_http_last_modified",'
'"http_Location":"$sent_http_location",'
'"http_X-AspNetMvc-Version":"$sent_http_x_aspnetmvc_version",'
'"http_X-AspNet-Version":"$sent_http_x_aspnet_version",'
'"http_X-Powered-By":"$sent_http_x_powered_by"}';
log_format access_extend '{"@timestamp":"$time_iso8601",'
'"remote_IP":"$remote_addr",'
'"time_local":"[$time_local]",'
'"request":"$request",'
'"status_code":$status,'
'"size":$body_bytes_sent,'
'"referer":"$http_referer",'
'"http_host":"$http_host",'
'"DeviceIdentifier":"$http_DeviceIdentifier",'
'"DeviceType":"$http_DeviceType",'
'"LoanUserID":"$http_LoanUserID",'
'"reqs_body":"$request_body",'
'"ssl_protocol":"$ssl_protocol",'
'"ssl_cipher":"$ssl_cipher",'
'"user_agent":"$http_user_agent",'
'"x_forward_for":"$http_x_forwarded_for",'
'"upstream_addr":"$upstream_addr",'
'"upstream_statcode":"$upstream_status",'
'"upstream_resptime":"$upstream_response_time",'
'"upstream_conttype":"$upstream_http_content_type",'
'"http_Cookie":"$http_cookie",'
'"http_Content-Type":"$sent_http_content_type",'
'"http_Content-Length":"$sent_http_content_length",'
'"http_Connection":"$sent_http_connection",'
'"http_Cache-Control":"$sent_http_cache_control",'
'"http_Expires":"$sent_http_expires",'
'"http_Last-Modified":"$sent_http_last_modified",'
'"http_Location":"$sent_http_location",'
'"http_X-AspNetMvc-Version":"$sent_http_x_aspnetmvc_version",'
'"http_X-AspNet-Version":"$sent_http_x_aspnet_version",'
'"http_X-Powered-By":"$sent_http_x_powered_by"}';
client_body_temp_path /tmp/nginx_client_body_temp;
scgi_temp_path /tmp/nginx_scgi_temp;
uwsgi_temp_path /tmp/nginx_uwsgi_temp;
fastcgi_temp_path /tmp/nginx_fastcgi_temp;
proxy_temp_path /tmp/nginx_proxy_temp;
sendfile on;
tcp_nopush on;
server_tokens off;
keepalive_timeout 120;
tcp_nodelay on;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
client_max_body_size 300m;
large_client_header_buffers 4 32k;
proxy_pass_request_headers on;
proxy_intercept_errors on;
proxy_ignore_client_abort on;
gzip on;
gzip_comp_level 9;
gzip_min_length 1K;
gzip_buffers 16 32K;
gzip_proxied any;
gzip_http_version 1.1;
gzip_types text/plain
text/css
text/javascript
application/x-httpd-php
application/x-javascript
application/javascript
application/xml
image/jpeg
image/gif
image/png;
gzip_vary on;
include http.d/*.conf;
}
stream {
include tcp.d/*.conf;
}
-----------------------------------proxy.conf
server{
listen 8080;
resolver 10.10.100.114 10.10.100.115;
resolver_timeout 30s;
proxy_connect;
proxy_connect_allow 80 443;
proxy_connect_timeout 10;
proxy_send_timeout 600;
proxy_read_timeout 600;
location / {
proxy_pass http://$host;
proxy_set_header Host $host;
}
}
----------------------------------客户端配置代理
vim /etc/profile
http_proxy=http://10.10.20.2:8080/
https_proxy=https://10.10.20.2:8080/
export http_proxy
export https_proxy
source /etc/profile
-------------------------------
参考资料:Nginx配置http https正向代理_11498007的技术博客_51CTO博客
|