03 使用nginx做yum代理
有时候别人分配的机器只有一台可以连接公网,其它的都出不去,又要使用yum,
则可以在能连接到公网的机器上面配置一个http代理,然后其它机器在/etc/yum.conf里面添加:
proxy=http://代理IP:port这句,之后就可以使用代理访问yum仓库。
[root@server-681863e4-dbcf-4230-98fd-15182c846129 conf.d]# cat >/etc/nginx/conf.d/yumproxy.conf <<"EOF"
# Reverse proxy for yum clients: every request received on port 9999 is
# forwarded to mirrors.aliyun.com.
server {
listen 9999;
server_name 10.15.9.220;
# CORS response headers; these are only interpreted by browsers.
# NOTE(review): they look unnecessary for yum traffic - confirm and drop.
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Headers X-Requested-With;
add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
location / {
# The upstream is reached over plain HTTP, so package integrity rests on the
# clients keeping gpgcheck enabled.
proxy_pass http://mirrors.aliyun.com;
# Access control is commented out: as written, any host that can reach
# port 9999 can fetch through this server. Uncomment the two lines below and
# set the subnet of the yum clients to restrict it.
# allow 172.20.5.0/24; # access control
# deny all;
}
# Map upstream/server errors to the static 50x page.
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
EOF
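[root@ecs-ebs-std-centos7 ~]# cat >/etc/yum.conf << "EOF"
#YUM PROXY
# Main yum configuration for a client without direct internet access.
# The proxy= line below is the addition; it points yum at the nginx proxy.
# Keep comments on their own lines and ASCII-only: yum.conf has no inline
# '#' comments, so text after the URL is read as part of the value, and
# non-ASCII bytes there can make yum fail with UnicodeDecodeError.
[main]
proxy=http://10.15.9.220:9999
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
# Keep signature checking on: packages arrive through a plain-HTTP proxy.
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
EOF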
之后就可使用yum了
问题处理:
报错:
Total download size: 15 k
Installed size: 24 k
Downloading packages:
epel-release-7-11.noarch.rpm | 15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Traceback (most recent call last):
File "/usr/bin/yum", line 29, in <module>
yummain.user_main(sys.argv[1:], exit_code=True)
File "/usr/share/yum-cli/yummain.py", line 375, in user_main
errcode = main(args)
File "/usr/share/yum-cli/yummain.py", line 281, in main
return_code = base.doTransaction()
File "/usr/share/yum-cli/cli.py", line 817, in doTransaction
resultobject = self.runTransaction(cb=cb)
File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 1854, in runTransaction
self._store_config_in_history()
File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 6870, in _store_config_in_history
myrepos += repo.dump()
File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 531, in dump
output = output + '%s = %s\n' % (attr, res)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe6 in position 34: ordinal not in range(128)
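处理
报错中的 0xe6 是 UTF-8 多字节字符(如中文)的首字节,说明 yum 读到的某个配置值里带有中文。常见原因是在 /etc/yum.conf 或 .repo 文件的配置行行尾写了中文注释(例如在 proxy=... 后面加"#注释"):yum 不支持行内注释,这段文字会被当成值的一部分。把注释删掉或单独写成一行,通常就不会再报这个错,也不必修改 yum 自带的文件。
如果仍要通过修改代码来处理:vim /usr/lib/python2.7/site-packages/yum/yumRepo.py文件,在最前面添加如下几行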
# Python 2 only: site.py deletes sys.setdefaultencoding at startup, so
# reload(sys) is needed to get the function back before calling it.
import sys
reload(sys)
# Switches the process-wide implicit str<->unicode codec from ascii to utf8;
# this hides the UnicodeDecodeError rather than removing the non-ASCII input.
# NOTE(review): this edits a file installed by the yum package; presumably a
# yum update replaces the file and the change is lost - confirm.
sys.setdefaultencoding('utf8')
例如:
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# Copyright 2005 Duke University
# Copyright 2007 Red Hat
import sys
reload(sys)
sys.setdefaultencoding('utf8')
import os
import re
import time
import types
需要注意的是,nginx的正向代理默认不支持https,可以使用github大佬chobits写的ngx_http_proxy_connect_module模块来支持https。 github地址:https://github.com/chobits/ngx_http_proxy_connect_module
自己定义docker镜像:
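# Create the working directory that will later be copied into the image.
mkdir workdir && cd workdir
# Download the nginx source over HTTPS so the tarball cannot be altered in
# transit. nginx.org also publishes a detached PGP signature next to each
# release (nginx-1.17.4.tar.gz.asc); verify it with gpg before building.
wget https://nginx.org/download/nginx-1.17.4.tar.gz
# Fetch the ngx_http_proxy_connect_module sources from GitHub.
# If the git command is missing, install it first: yum install git -y
# This clones the default branch as it is today; for a repeatable build,
# check out a commit you have reviewed:
#   git -C nginx_proxy checkout <REVIEWED_COMMIT>
git clone https://github.com/chobits/ngx_http_proxy_connect_module.git nginx_proxy
# Go back to the parent directory, where the Dockerfile is created.
cd ..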
cat > Dockerfile <<"EOF"
# Builds nginx 1.17.4 from source with ngx_http_proxy_connect_module compiled in.
# NOTE(review): centos:7 reached end of life on 2024-06-30 and no longer gets
# security updates; prefer a maintained base image for new builds.
FROM centos:7
# Build toolchain and the -devel libraries used by the configure step below.
RUN yum install -y patch gcc glibc-devel make openssl-devel pcre-devel zlib-devel gd-devel geoip-devel perl-devel
# Dedicated nginx account (uid/gid 101, no login shell) matching --user/--group in configure.
RUN groupadd -g 101 nginx \
&& adduser -u 101 -d /var/cache/nginx -s /sbin/nologin -g nginx nginx
# Copies the nginx tarball and the module checkout prepared in ./workdir.
# The rm -rf at the end of the build step only cleans the final filesystem;
# this COPY layer still holds the sources.
COPY ./workdir /workdir
WORKDIR /workdir
# Unpack, apply the module's patch to the nginx core, then configure, build
# and install; --add-module compiles the module into the nginx binary.
# NOTE(review): the module ships one patch per nginx version range - confirm
# against its README that proxy_connect_rewrite_101504.patch matches 1.17.4.
# NOTE(review): the -fdebug-prefix-map path names nginx-1.17.1; it appears to
# be copied from another build's flags - confirm it is intended.
# --with-cc-opt/--with-ld-opt carry hardening flags: stack protector,
# _FORTIFY_SOURCE=2, RELRO, BIND_NOW and PIE.
RUN tar -zxvf nginx-1.17.4.tar.gz && cd nginx-1.17.4 \
&& patch -p1 < /workdir/nginx_proxy/patch/proxy_connect_rewrite_101504.patch \
&& ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.17.1/debian/debuild-base/nginx-1.17.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' --add-module=/workdir/nginx_proxy \
&& make && make install \
&& cd /workdir && rm -rf /workdir/*
# Run nginx in the foreground so the container keeps running.
CMD ["nginx", "-g", "daemon off;"]
EOF
# Build the image.
docker build -t nginx:proxy_1.17.4 .
在有公网的机器上,配置nginx:
[root@secondary conf.d]# cat proxy.conf
# Forward proxy on port 9999: CONNECT tunnels for HTTPS, proxy_pass for plain HTTP.
server {
listen 9999;
server_name _; # do not set a virtual host name or IP here
# NOTE(review): there is no allow/deny in this server block, so any client
# that can reach port 9999 can relay through this host. Restrict it to the
# internal clients at the firewall or with the access module, e.g.:
#   allow <CLIENT_SUBNET_CIDR>;
#   deny all;
# and confirm the restriction is also enforced for CONNECT requests.
# dns resolver used by forward proxying
resolver 114.114.114.114; # required: without this directive nginx cannot handle the domain names it receives
# forward proxy for CONNECT request
proxy_connect;
# Only ports 443 and 563 may be the target of a CONNECT tunnel.
proxy_connect_allow 443 563;
proxy_connect_connect_timeout 10s;
proxy_connect_read_timeout 10s;
proxy_connect_send_timeout 10s;
# forward proxy for non-CONNECT request
location / {
# The destination is the host named in the client's request; nothing here
# limits which destinations can be requested, including addresses that are
# only reachable from this host's own network.
proxy_pass $scheme://$host$request_uri;
proxy_set_header Host $host;
}
}
在没有公网机器上,设置全局的代理:
# Send HTTP, HTTPS and FTP client traffic started from this shell through the
# proxy at 10.15.9.220:9999; export makes the settings visible to child processes.
export http_proxy=10.15.9.220:9999
export https_proxy=10.15.9.220:9999
export ftp_proxy=10.15.9.220:9999
linux上设置代理的方法:http://www.361way.com/linux-proxy/4184.html
阿里云的epel源
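# Fetch the Aliyun EPEL 7 repo definition over HTTPS so it cannot be altered
# in transit. A .repo file decides baseurl and gpgcheck for its repository,
# so review the downloaded file before running yum against it.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo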