Asking for a complete TLCP proxy example
Closed this issue · 3 comments
zhangshdn commented
Thanks.
We need two servers to talk to each other over SM (国密) HTTPS with mutual authentication, but we don't know how g3proxy should be configured or used for this. Is there an example? Many thanks.
zh-jq-b commented
Please describe what each of the two machines actually does, for example:
A: listens on a TCP port and converts to SM TLS towards server B
B: listens on an SM TLS port and converts to TCP towards origin server C
zhangshdn commented
There is a web application on both servers: tomcat_A on server A and tomcat_B on server B.
Normally the httpclient in tomcat_A just sends HTTP requests directly to tomcat_B, but now it is required that the traffic between them go through an SM SSL channel. Having come across the open-source forward proxy g3proxy, the idea is to deploy a forward proxy on A and an SM-capable nginx on B, like this:
tomcat_A -> forward proxy -> SM nginx -> tomcat_B, so that the A-to-B channel is SM SSL.
Could you advise how g3proxy should be packaged and configured to achieve this?
zh-jq-b commented
Build it manually with `--features vendored-tongsuo`; for packaging, use the packaging scripts under `scripts` in the `rel/tlcp-tongsuo` branch.
Reference configs are below. They are untested; start the proxy and fix whatever errors it reports.
A: listen on TCP, forward to TLCP

```yaml
---
server:
  - name: to-tlcp
    type: TcpStream
    upstream: tlcp-server.example.net:443
    tls_client:
      protocol: tlcp
      #tlcp_cert_pair: # for mtls client auth
      #  sign_certificate: /path/to/client-sign.cert
      #  sign_private_key: /path/to/client-sign.key
      #  enc_certificate: /path/to/client-enc.cert
      #  enc_private_key: /path/to/client-enc.key
      #ca-certificate: /path/to/tlcp/ca.cert
    upstream_tls_name: tlcp-server.example.net
  - name: listen-tcp
    type: PlainTcpPort
    listen: "[::]:80"
    server: to-tlcp
resolver:
  - name: default
    type: c-ares
    server:
      - 127.0.0.1
escaper:
  - name: default
    type: direct-fixed
    resolver: default
    no_ipv6: true
```
B: listen on TLCP, forward to TCP

```yaml
---
server:
  - name: to-tcp
    type: TcpStream
    upstream: 127.0.0.1:80
  - name: listen-tlcp
    type: NativeTlsPort
    listen: "[::]:443"
    server: to-tcp
    tls_server:
      tlcp_cert_pairs:
        - enc_certificate: /path/to/tlcp-enc.cert
          enc_private_key: /path/to/tlcp-enc.key
          sign_certificate: /path/to/tlcp-sign.cert
          sign_private_key: /path/to/tlcp-sign.key
      # enable_client_auth: true
      # ca_certificate: /path/to/ca.cert
      # cert_pairs:
      #   - certificate: /path/to/tls.cert
      #     private_key: /path/to/tls.key
resolver:
  - name: default
    type: c-ares
    server:
      - 127.0.0.1
escaper:
  - name: default
    type: direct-fixed
    resolver: default
    no_ipv6: true
    egress_network_filter:
      allow: 127.0.0.1
```
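The question asks for mutual authentication, but in the reference configs above the mTLS keys on both sides are still commented out. The following is an added example (not code from g3proxy or from this thread): a small lint over the TLS-relevant parts of the two configs, mirrored as Python dicts, that reports what is still missing for mutual TLCP authentication. It assumes the key names used in the thread and that g3proxy accepts both `ca-certificate` and `ca_certificate`; all paths are placeholders.

```python
TLCP_PAIR_KEYS = ("sign_certificate", "sign_private_key",
                  "enc_certificate", "enc_private_key")

def _has_ca(section):
    # The thread spells it both ways; assumption: g3proxy accepts either.
    return "ca_certificate" in section or "ca-certificate" in section

def lint_tlcp_mtls(side_a, side_b):
    """Findings list; empty means A presents a sign/enc pair and verifies B, B presents its pair and requires a client cert."""
    out = []
    for srv in side_a.get("server", []):          # A: TcpStream -> TLCP
        tc = srv.get("tls_client")
        if not isinstance(tc, dict):
            continue                               # plain listener, skip
        if tc.get("protocol") != "tlcp":
            out.append(f"{srv['name']}: tls_client.protocol is not tlcp")
        pair = tc.get("tlcp_cert_pair") or {}
        if missing := [k for k in TLCP_PAIR_KEYS if k not in pair]:
            out.append(f"{srv['name']}: tlcp_cert_pair missing {missing}")
        if not _has_ca(tc):
            out.append(f"{srv['name']}: no CA configured, B is not verified")
    for srv in side_b.get("server", []):          # B: TLCP listener
        ts = srv.get("tls_server")
        if not isinstance(ts, dict):
            continue
        pairs = ts.get("tlcp_cert_pairs") or []
        if not pairs or any(k not in p for p in pairs for k in TLCP_PAIR_KEYS):
            out.append(f"{srv['name']}: tlcp_cert_pairs incomplete")
        if ts.get("enable_client_auth") is not True:
            out.append(f"{srv['name']}: enable_client_auth is not true")
        elif not _has_ca(ts):
            out.append(f"{srv['name']}: client auth enabled without a CA")
    return out

# Constructed configs mirroring the TLS-relevant parts of the thread, with the
# mTLS keys still commented out as posted.
THREAD_A = {"server": [{"name": "to-tlcp", "type": "TcpStream",
    "upstream": "tlcp-server.example.net:443", "tls_client": {"protocol": "tlcp"},
    "upstream_tls_name": "tlcp-server.example.net"}]}
THREAD_B = {"server": [{"name": "listen-tlcp", "type": "NativeTlsPort",
    "tls_server": {"tlcp_cert_pairs": [dict.fromkeys(TLCP_PAIR_KEYS, "/path/to/b.pem")]}}]}

def with_mutual_auth():
    """Same configs with the commented-out mTLS keys filled in (placeholder paths)."""
    tc = {**THREAD_A["server"][0]["tls_client"], "ca-certificate": "/path/to/tlcp/ca.cert",
          "tlcp_cert_pair": dict.fromkeys(TLCP_PAIR_KEYS, "/path/to/client.pem")}
    ts = {**THREAD_B["server"][0]["tls_server"], "enable_client_auth": True,
          "ca_certificate": "/path/to/ca.cert"}
    return ({"server": [{**THREAD_A["server"][0], "tls_client": tc}]},
            {"server": [{**THREAD_B["server"][0], "tls_server": ts}]})
```

Running `lint_tlcp_mtls(THREAD_A, THREAD_B)` reports three findings for the configs as posted (no client cert pair, no CA on A, client auth not enabled on B), and `lint_tlcp_mtls(*with_mutual_auth())` returns an empty list.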