参考文档 其他参考nginx官方ngx_stream_module

nginx编译过程

# 安装依赖
yum install -y gcc
yum install -y pcre-devel
yum install -y zlib-devel

# 以下步骤均为相对目录，可以从任意目录开始
wget https://github.com/maxmind/libmaxminddb/releases/download/1.3.2/libmaxminddb-1.3.2.tar.gz
tar -xf libmaxminddb-1.3.2.tar.gz
cd libmaxminddb-1.3.2
./configure && make && make install
echo /usr/local/lib  >> /etc/ld.so.conf.d/local.conf
ldconfig
cd ..
wget http://nginx.org/download/nginx-1.19.4.tar.gz
tar xf nginx-1.19.4.tar.gz
cd nginx-1.19.4
git clone https://github.com/ar414-com/nginx-geoip2
cd nginx-geoip2
tar -xf GeoLite2-City_20200519.tar.gz
mkdir /usr/share/geoip
cp ./GeoLite2-City_20200519/GeoLite2-City.mmdb /usr/share/geoip/
cd ..
./configure --prefix=/opt/nginx --user=www --group=www  --add-module=./nginx-geoip2/ngx_http_geoip2_module --with-stream_realip_module --with-stream
make&& make install

nginx完整配置

• 说明：
  • nginx代理ssh，通过访问nginx的2222端口，间接访问ssh的22端口；
  • nginx使用geoip来获取remote_addr地址所属城市，然后通过变量代理到不同的上游服务，若非成都的ip会返回500，不访问上游服务；
  • 缺点：nginx是单点，容易人为关闭、重启，造成ssh不可用；

worker_processes  1;
events{
    worker_connections  1024;
}
stream{
  log_format  sshlog 'remoteaddr: $realip_remote_addr time:[$time_local] protocol: $protocol status: $status $session_time city: $geoip2_data_city_name\n';
  upstream cd{server 127.0.0.1:22;}
  #upstream default{server 127.0.0.1:80 default;}
  geoip2 /usr/share/geoip/GeoLite2-City.mmdb{
	#$geoip2_data_city_name source=$realip_remote_addr /usr/share/geoip/GeoLite2-City.mmdb;
	$geoip2_data_city_name default=Chengdu source=$remote_addr city names en;
  }
  map $geoip2_data_city_name $mapaddress{
        "Chengdu" cd;
	default   default;
  }
  server{
	listen 2222;#proxy_protocol;
	set_real_ip_from 多层代理信任ip地址;
	proxy_connect_timeout 1m;
	proxy_timeout 3m;
	proxy_pass $mapaddress;
	access_log logs/sshd-access.log sshlog;
	error_log logs/sshd-error.log;
  }
}