方案背景
部分客户会在腾讯云短信配置回执URL(功能描述:短信下发给用户后,腾讯云短信服务可以通过回调业务 URL 的方式,通知业务方短信下发的状态),但是客户不希望直接把内部业务的机器配置成回执接收方,把IP暴露出去。
方案介绍
通过nginx添加一层反向代理实现转发,就可以对外隐藏内网机器的信息。
实施方案
准备:(系统 :centos 7.6)
短信状态回调URL机器:外网不能直接访问,与代理机可以通信。 IP:172.16.0.9 A机
nginx代理机器:外网可以直接访问,与代理机可以通信。IP:159.75.219.99 B机
*资源有限,我用同一台机器的内外网IP分别当作A机和B机。
A机搭建短信回执接收接口
安装python环境(3.0+)
wget https://mirrors.tuna.tsinghua.edu.cn/anaconda/miniconda/Miniconda3-py39_4.9.2-Linux-x86_64.sh
bash Miniconda3-py39_4.9.2-Linux-x86_64.sh
source /root/.bashrc
conda -V
conda deactivate
conda create -n py39 python=3.9.2
conda activate py39
pip install flask
编写回执接收接口
# _*_ coding:utf-8 _*_
from flask import Flask
from flask import requestapp=Flask(name)
@app.route("/proxy_callback",methods=["POST"])
def receiveResponse():
if request.method=="POST":
print(request.json)return "sms callback!"
if name=="main":
app.run(host="172.16.0.9",port=9527,debug=True)
运行脚本
B机搭建nginx代理
编译安装nginx
wget http://nginx.org/download/nginx-1.20.1.tar.gz
tar xzvf nginx-1.20.1.tar.gz
cd nginx-1.20.1/
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-threads --with-stream
make && make install
nginx启动测试
cd /usr/local/nginx/
./sbin/nginx -v
./sbin/nginx
nginx主配置文件(nginx.conf)修改
http {
include mime.types;
#default_type application/octet-stream;
default_type application/json;
include vhosts/*.conf;
#log_format main 'remote_addr - remote_user [time_local] "request" '
# 'status body_bytes_sent "$http_referer" '
# '"http_user_agent" "http_x_forwarded_for"';#access_log logs/access.log main; log_format log_req_resp escape=json '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" $request_time "$request_body"';
access_log logs/access.log log_req_resp;
sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # another virtual host using mix of IP-, name-, and port-based configuration # #server { # listen 8000; # listen somename:8080; # server_name somename alias another.alias; # location / { # root html; # index index.html index.htm; # } #} # HTTPS server # #server { # listen 443 ssl; # server_name localhost; # ssl_certificate cert.pem; # ssl_certificate_key cert.key; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 5m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # location / { # root html; # index index.html index.htm; # } #}
}
*修改部分
nginx虚拟主机文件配置
mkdir /usr/local/nginx/conf/vhosts
vim T159.75.219.99.conf
T159.75.219.99.conf配置内容
server {
listen 80;
server_name 159.75.219.99;location /proxy_callback { proxy_pass http://172.16.0.9:9527; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Host "172.16.0.9:9527";
proxy_set_header Host $host;
proxy_http_version 1.1;
}
}
腾讯云短信控制台配置回调地址
执行短信发送
参考:https://cloud.tencent.com/document/product/382/43196
结果记录
B机nginx日志内容:
A机短信回执接收接口日志
客户拿到这里的信息,就可以再去做自己业务短信下发状态信息的统计和监控等。
结论
通过代理可以让内网的业务机器拿到短信下发状态回执信息,而且不会将内网业务机器信息暴露出去。
这里需要注意的是,增加代理可能会增加一定的延迟并存在单点故障可能,所以用户需要小心使用代理并实时监控代理的健康状况。