CQUPT Reverse Proxy
By Gufeng Shen

Introduction
- This article is a tutorial on how to build your own reverse proxy for the CQUPT network. It is not a public service.
- `endpoint.domain` in this article is a placeholder for your own domain name. Please replace it with your own domain name when you use it.
How to use it?
- If the website you're about to visit has a domain name: replace `cqupt.edu.cn` with `endpoint.domain` in the domain part of any URL.
- If the website you're about to visit only has an IP address: prepend the IP address to `.endpoint.domain`.

e.g.
- If you want to visit `jwzx.cqupt.edu.cn`, just type `jwzx.endpoint.domain`.
- Visit `127.20.0.1.endpoint.domain` for `127.20.0.1`.
Advanced Notices
- Some destination servers require a TLS connection, and `*.secure.endpoint.domain` is meant for that. Otherwise, `*.endpoint.domain` will initiate a plain HTTP request to the destination.
- Since there will be many direct IP forwards, there is no need to acquire a certificate for them. Thus, any domain access like `jwzx.endpoint.domain` is provided with a valid wildcard certificate, while IP accesses are not.
- Destinations with an unusual port (other than 80 and 443) are not supported, and their links will not be overridden.
Under the hood
- Place a small server in your local network. It can be a Raspberry Pi.
- Install NGINX on the server, and configure it as described below.
- Forward the NGINX port to the Internet, and point `*.endpoint.domain` and `*.secure.endpoint.domain` to the server.
Override redirects
Of domains ending with cqupt.edu.cn
proxy_redirect ~^http://cqupt.edu.cn/(.*) https://endpoint.domain/$1;
proxy_redirect ~^http://(.*).cqupt.edu.cn/(.*) https://$1.endpoint.domain/$2;
proxy_redirect ~^https://(.*).cqupt.edu.cn/(.*) https://$1.secure.endpoint.domain/$2;
Of IPs
proxy_redirect ~^http://([0-9.]+)/(.*) http://$1.endpoint.domain/$2;
proxy_redirect ~^https://([0-9.]+)/(.*) http://$1.secure.endpoint.domain/$2;
Override links on pages
`nginx_substitutions_filter` is an enhanced `sub_filter` module that allows multiple regexes to replace concurrently. Check out Substitutions | NGINX to find out more.
subs_filter 'http://cqupt.edu.cn' https://endpoint.domain gir;
subs_filter 'http://(.*).cqupt.edu.cn' https://$1.endpoint.domain gir;
subs_filter 'https://(.*).cqupt.edu.cn' https://$1.secure.endpoint.domain gir;
subs_filter 'http://([0-9.]+)' http://$1.endpoint.domain gir;
subs_filter 'https://([0-9.]+)' http://$1.secure.endpoint.domain gir;
There is no need to match exact IPs since I configured a firewall to prevent malicious requests.
Use the following statement to resolve our internal domains from our internal DNS servers.
resolver [ns1.ip] [ns2.ip] valid=3600s;
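The server blocks that tie the pieces above together, as an added example that is not the post's own configuration: an anchored regex on the requested hostname decides the destination, so only a `cqupt.edu.cn` subdomain or a dotted IP (further restricted by the firewall below) can ever be reached, and unknown hostnames get no proxied request at all. `endpoint.domain`, the resolver addresses and the certificate paths are placeholders.

```nginx
# Added example, not the post's config; endpoint.domain, [ns*.ip] and the
# certificate paths are placeholders to replace.

# Unknown hostnames get no answer at all instead of a proxied request.
server {
    listen 80  default_server;
    listen 443 ssl default_server;
    ssl_certificate     /etc/ssl/endpoint.domain/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/endpoint.domain/privkey.pem;    # placeholder
    return 444;
}

# <sub>.endpoint.domain        -> http://<sub>.cqupt.edu.cn
# <sub>.secure.endpoint.domain -> https://<sub>.cqupt.edu.cn
server {
    listen 443 ssl;
    # Anchored, single-label capture: the Host header can only pick a
    # cqupt.edu.cn subdomain, never an arbitrary destination.
    server_name ~^(?<sub>[a-z0-9-]+)\.(?<tls>secure\.)?endpoint\.domain$;
    ssl_certificate     /etc/ssl/endpoint.domain/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/endpoint.domain/privkey.pem;    # placeholder
    resolver [ns1.ip] [ns2.ip] valid=3600s;   # needed: proxy_pass uses variables

    set $up http;
    if ($tls) { set $up https; }              # $tls is "secure." or empty

    location / {
        proxy_pass $up://$sub.cqupt.edu.cn;
        proxy_set_header Host $sub.cqupt.edu.cn;
        proxy_ssl_server_name on;             # send SNI to TLS destinations
        proxy_ssl_verify on;                  # and verify their certificate
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # The proxy_redirect and subs_filter rules from this post go here.
    }
}

# <ip>.endpoint.domain        -> http://<ip>
# <ip>.secure.endpoint.domain -> https://<ip>
# A multi-label name is outside the *.endpoint.domain wildcard certificate,
# so these are served over plain HTTP, as the post describes.
server {
    listen 80;
    server_name ~^(?<ip>[0-9.]+)\.(?<tls>secure\.)?endpoint\.domain$;
    set $up http;
    if ($tls) { set $up https; }
    location / {
        proxy_pass $up://$ip;                 # reachable IPs limited by the firewall
        proxy_set_header Host $ip;
    }
}
```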
Then configure `iptables` to filter invalid requests.
# Generated by xtables-save v1.8.3 on Thu Dec 19 03:26:35 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies on connections that already exist are always allowed.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# uid 33 is www-data, the NGINX worker user on Debian-based systems:
# it may open TCP connections only into the internal network ...
-A OUTPUT -d [network/mask] -p tcp -m owner --uid-owner 33 -j ACCEPT
...
# ... and send UDP queries only to the two internal DNS servers.
-A OUTPUT -d [ns1.ip] -p udp -m owner --uid-owner 33 -j ACCEPT
-A OUTPUT -d [ns2.ip] -p udp -m owner --uid-owner 33 -j ACCEPT
# Everything else from the worker user is rejected, so a proxied request
# cannot be steered to a destination outside the allowed ranges.
-A OUTPUT -m owner --uid-owner 33 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Dec 19 03:26:35 2019