方案背景
部分客户会在腾讯云短信配置回执URL(功能描述:短信下发给用户后,腾讯云短信服务可以通过回调业务 URL 的方式,通知业务方短信下发的状态),但是客户不希望直接把内部业务的机器配置成回执接收方,把IP暴露出去。
方案介绍
通过nginx添加一层反向代理实现转发,就可以对外隐藏内网机器的信息。
实施方案
准备:(系统 :centos 7.6)
短信状态回调URL机器:外网不能直接访问,与代理机可以通信。 IP:172.16.0.9 A机
nginx代理机器:外网可以直接访问,与代理机可以通信。IP:159.75.219.99 B机
*资源有限,我用同一台机器的内外网IP分别当作A机和B机。
A机搭建短信回执接收接口
安装python环境(3.0 )
代码语言:javascript复制wget https://mirrors.tuna.tsinghua.edu.cn/anaconda/miniconda/Miniconda3-py39_4.9.2-Linux-x86_64.sh
bash Miniconda3-py39_4.9.2-Linux-x86_64.sh
source /root/.bashrc
conda -V
conda deactivate
conda create -n py39 python=3.9.2
conda activate py39
pip install flask
编写回执接收接口
代码语言:javascript复制# _*_ coding:utf-8 _*_
from flask import Flask
from flask import request
app=Flask(__name__)
@app.route("/proxy_callback",methods=["POST"])
def receiveResponse():
if request.method=="POST":
print(request.json)
return "sms callback!"
if __name__=="__main__":
app.run(host="172.16.0.9",port=9527,debug=True)
运行脚本
B机搭建nginx代理
编译安装nginx
代码语言:javascript复制wget http://nginx.org/download/nginx-1.20.1.tar.gz
tar xzvf nginx-1.20.1.tar.gz
cd nginx-1.20.1/
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-threads --with-stream
make && make install
nginx启动测试
代码语言:javascript复制cd /usr/local/nginx/
./sbin/nginx -v
./sbin/nginx
nginx主配置文件(nginx.conf)修改
代码语言:javascript复制http {
include mime.types;
#default_type application/octet-stream;
default_type application/json;
include vhosts/*.conf;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
log_format log_req_resp escape=json '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $request_time "$request_body"';
access_log logs/access.log log_req_resp;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ .php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ .php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
*修改部分
nginx虚拟主机文件配置
代码语言:javascript复制mkdir /usr/local/nginx/conf/vhosts
vim T159.75.219.99.conf
T159.75.219.99.conf配置内容
代码语言:javascript复制server {
listen 80;
server_name 159.75.219.99;
location /proxy_callback {
proxy_pass http://172.16.0.9:9527;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header Host "172.16.0.9:9527";
proxy_set_header Host $host;
proxy_http_version 1.1;
}
}
腾讯云短信控制台配置回调地址
执行短信发送
参考:https://cloud.tencent.com/document/product/382/43196
结果记录
B机nginx日志内容:
A机短信回执接收接口日志
客户拿到这里的信息,就可以再去做自己业务短信下发状态信息的统计和监控等。
结论
通过代理可以让内网的业务机器拿到短信下发状态回执信息,而且不会将内网业务机器信息暴露出去。
这里需要注意的是,增加代理可能会增加一定的延迟并存在单点故障可能,所以用户需要小心使用代理并实时监控代理的健康状况。