@ChekhWasTaken
Last active March 31, 2025 23:12
nginx forward https proxy for whitelisting websites by domain name
# This is a working example of an HTTPS/SSL forward proxy implemented
# with nginx.
#
# Based on https://www.alibabacloud.com/blog/how-to-use-nginx-as-an-https-forward-proxy-server_595799.
#
# This isn't a proxy in the traditional sense, i.e. you can't use it with curl -x
# or set it as the proxy in your browser.
# Instead, you'll need to forward your traffic to it.
#
# Prerequisites (run as root):
#
# # sysctl net.ipv4.ip_forward=1
#
# See the example iptables configuration below:
# iptables -t nat -N redirect-to-nginx
# iptables -t nat -I PREROUTING -i input_if0 -m addrtype ! --dst-type LOCAL -j redirect-to-nginx
# iptables -t nat -A redirect-to-nginx -p tcp -m tcp --dport 443 -j DNAT --to-destination nginx-host-ip:3128
#
# iptables -t filter -N allow-established
# iptables -t filter -I FORWARD -i input_if0 -j allow-established
# iptables -t filter -A allow-established -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -t filter -A allow-established -j REJECT
#
# You can use the config below with the nginx-unprivileged Docker image:
#
# docker run --name="proxy" \
#   --network="target-network" \
#   -v /path/to/this/file:/etc/nginx/nginx.conf:ro \
#   -v /path/to/whitelist.conf:/etc/nginx/proxy/whitelist.conf:ro \
#   registry.hub.docker.com/nginxinc/nginx-unprivileged:stable
#
# Copyright (C) 2025 Chekhwastaken
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
worker_processes auto;
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

stream {
    log_format stream_main '$remote_addr:$remote_port $ssl_server_name $ssl_preread_server_name '
                           '$protocol $status';
    access_log /var/log/nginx/access.log stream_main;
    error_log /var/log/nginx/error.log notice;

    # proxy_pass below takes a variable, so the upstream name is resolved at runtime.
    resolver 9.9.9.9;

    # Map the SNI read from the ClientHello to yes/no via the whitelist.
    map $ssl_preread_server_name $is_allowed {
        hostnames;
        include proxy/whitelist.conf;
        # example whitelist.conf below
        #
        # .example.com yes;
        # anotherexample.com yes;
        default "no";    # also covers a ClientHello that carries no SNI
    }

    # Allowed names become the upstream; anything else gets an empty host and is not proxied.
    map $is_allowed $domain {
        "yes" $ssl_preread_server_name;
        "no" "";
        default "";
    }

    server {
        listen 3128;
        ssl_preread on;
        proxy_pass $domain:443;
    }
}
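A way to check a whitelist.conf before rolling it out, and to pull the denied connections out of the stream_main access log, as an added Python example that is not part of the gist: it re-implements the hostname matching rules of nginx's `map ... { hostnames; }` as documented (leading dot, `*.` prefix, `.*` suffix, case-insensitive, one trailing dot ignored). The whitelist, the log lines and the "-" shown for $ssl_server_name are constructed assumptions.

```python
import re

# Constructed whitelist in the syntax of the gist's proxy/whitelist.conf.
WHITELIST_CONF = """\
.example.com        yes;   # example.com and every subdomain
anotherexample.com  yes;   # this exact name only
*.cdn.example.net   yes;   # subdomains only, not cdn.example.net itself
"""

def parse_whitelist(text):
    """Return the lower-cased hostname patterns that map to "yes"."""
    patterns = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].rstrip().rstrip(";").split()
        if len(fields) == 2 and fields[1].strip('"') == "yes":
            patterns.append(fields[0].lower())
    return patterns

def is_allowed(sni, patterns):
    """Mimic `map ... { hostnames; }`: case-insensitive, one trailing dot dropped,
    `.d` = d and subdomains, `*.d` = subdomains only, `p.*` = any suffix."""
    name = sni.lower()[:-1] if sni.endswith(".") else sni.lower()
    if not name:
        return "no"                      # empty SNI hits `default "no"`
    for p in patterns:
        if (p.startswith(".") and (name == p[1:] or name.endswith(p))) \
                or (p.startswith("*.") and name.endswith(p[1:])) \
                or (p.endswith(".*") and name.startswith(p[:-1])) \
                or name == p:
            return "yes"
    return "no"

# Constructed lines in the gist's stream_main format: $ssl_server_name is "-"
# (assumed, since this server block does not terminate TLS) and a ClientHello
# without SNI leaves $ssl_preread_server_name empty, hence the double space.
SAMPLE_LOG = """\
10.0.0.5:51234 - www.example.com TCP 200
10.0.0.7:40112 - other.example.org TCP 500
10.0.0.9:33021 -  TCP 500
"""
LOG_RE = re.compile(r"^(\S+):(\d+) (\S*) (\S*) (\S+) (\d+)$")

def denied_in_log(log_text, patterns):
    """Return (remote_addr, sni) for each logged connection the whitelist denies."""
    denied = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_allowed(m.group(4), patterns) == "no":
            denied.append((m.group(1), m.group(4) or "<no SNI>"))
    return denied
```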