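Reverse Proxy
Reverse Proxy Basics
1. What is a reverse proxy
A reverse proxy is a type of proxy server: in response to client requests it fetches resources from backend servers and then returns those resources to the client.
Client → Nginx reverse proxy → Backend server
       ←                     ←
2. Advantages of a reverse proxy
- Load balancing: distribute requests across multiple backend servers
- SSL termination: handle SSL encryption and decryption at the proxy layer
- Caching: cache backend responses to improve performance
- Compression: compress response bodies to save bandwidth
- Security: hide backend server information
Basic Reverse Proxy Configuration
1. Simple reverse proxy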
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://192.168.1.100:8080;
    }
}
2. Proxying to different paths
server {
    listen 80;
    server_name api.example.com;
    # Proxy API requests
    location /api/ {
        proxy_pass http://backend-api:3000/;
    }
    # Proxy static files
    location /static/ {
        proxy_pass http://static-server:8080/assets/;
    }
    # Proxy WebSocket connections
    location /ws/ {
        proxy_pass http://websocket-server:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
3. Proxy header settings
location / {
    proxy_pass http://backend;
    # Set the proxy headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
}
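How a backend can safely read the X-Forwarded-For value set above, as an added example that is not part of the original lesson: `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever the client already sent, so only entries counted from the right, past your own proxies, can be relied on. The trusted proxy range, the function names and the sample headers are constructed assumptions.

```python
import ipaddress

# Assumption: the nginx reverse proxies live in this range (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.0/24")]


def is_trusted(addr):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, x_forwarded_for):
    """Return the client address a backend can rely on.

    peer_addr is the TCP peer of the backend connection and x_forwarded_for
    is the raw header value. The chain is walked from the right and stops at
    the first hop that is not a trusted proxy; anything further left was
    supplied by the client and is ignored.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer):
        # The request bypassed the proxy: ignore the header entirely.
        return str(peer)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    candidate = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # A malformed entry can only be client-supplied: stop here.
            break
        candidate = addr
        if not is_trusted(addr):
            break
    return str(candidate)


if __name__ == "__main__":
    # Client sent a forged "1.2.3.4"; nginx appended the real peer address.
    print(client_ip("192.168.1.10", "1.2.3.4, 203.0.113.7"))
```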
Load Balancing Configuration
1. Defining upstream servers
# Define upstream server groups
upstream backend {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080;
    server 192.168.1.102:8080;
}
upstream api_servers {
    server api1.example.com:3000 weight=3;
    server api2.example.com:3000 weight=2;
    server api3.example.com:3000 weight=1;
}
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://backend;
    }
    location /api/ {
        proxy_pass http://api_servers;
    }
}
2. Load-balancing algorithms
Round robin (default)
upstream backend {
    server server1.example.com;
    server server2.example.com;
    server server3.example.com;
}
Weighted round robin
upstream backend {
    server server1.example.com weight=3;
    server server2.example.com weight=2;
    server server3.example.com weight=1;
}
IP hash
upstream backend {
    ip_hash;
    server server1.example.com;
    server server2.example.com;
    server server3.example.com;
}
Least connections
upstream backend {
    least_conn;
    server server1.example.com;
    server server2.example.com;
    server server3.example.com;
}
Consistent hash (requires a third-party module)
upstream backend {
    consistent_hash $request_uri;
    server server1.example.com;
    server server2.example.com;
    server server3.example.com;
}
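3. Server state control
upstream backend {
    server server1.example.com weight=3 max_fails=3 fail_timeout=30s;
    server server2.example.com weight=2 max_fails=2 fail_timeout=20s;
    server server3.example.com backup; # backup server
    server server4.example.com down;   # temporarily taken offline
}
Parameters:
- weight: weight, default 1
- max_fails: maximum number of failures, default 1
- fail_timeout: failure timeout, default 10s
- backup: backup server, used only when all other servers are unavailable
- down: marks the server as permanently unavailable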
Advanced Proxy Configuration
1. Proxy buffer settings
location / {
    proxy_pass http://backend;
    # Proxy buffer settings
    proxy_buffering on;
    proxy_buffer_size 4k;
    proxy_buffers 8 4k;
    proxy_busy_buffers_size 8k;
    proxy_temp_file_write_size 8k;
    # Proxy timeout settings
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;
}
2. Proxy cache configuration
# Define the cache path
proxy_cache_path /var/cache/nginx/proxy
    levels=1:2
    keys_zone=my_cache:10m
    max_size=1g
    inactive=60m;
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://backend;
        # Enable caching
        proxy_cache my_cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        # Cache status header
        add_header X-Cache-Status $upstream_cache_status;
    }
}
3. SSL proxy configuration
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    location / {
        proxy_pass https://backend-ssl;
        # SSL proxy settings
        # off (the nginx default) means the backend's certificate is not verified;
        # verifying it requires proxy_ssl_verify on plus proxy_ssl_trusted_certificate
        proxy_ssl_verify off;
        proxy_ssl_session_reuse on;
        # Set the proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
WebSocket Proxying
1. WebSocket proxy configuration
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
upstream websocket {
    server ws1.example.com:8080;
    server ws2.example.com:8080;
}
server {
    listen 80;
    server_name ws.example.com;
    location / {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket-specific settings
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;
    }
}
Health Checks
1. Passive health checks
upstream backend {
    server server1.example.com max_fails=3 fail_timeout=30s;
    server server2.example.com max_fails=3 fail_timeout=30s;
    server server3.example.com max_fails=3 fail_timeout=30s;
}
2. Active health checks (Nginx Plus)
upstream backend {
    zone backend 64k;
    server server1.example.com;
    server server2.example.com;
    server server3.example.com;
}
server {
    listen 80;
    location / {
        proxy_pass http://backend;
        health_check interval=5s fails=3 passes=2 uri=/health;
    }
}
3. Custom health check script
#!/bin/bash
# health_check.sh
BACKEND_SERVERS=(
    "server1.example.com:8080"
    "server2.example.com:8080"
    "server3.example.com:8080"
)
for server in "${BACKEND_SERVERS[@]}"; do
    # --max-time keeps an unresponsive backend from hanging the loop
    if curl -f -s --max-time 5 "http://$server/health" > /dev/null; then
        echo "$server is healthy"
    else
        echo "$server is unhealthy"
        # Alerting logic can be added here
    fi
done
Failover Configuration
1. Backup servers
upstream backend {
    server primary.example.com:8080;
    server backup1.example.com:8080 backup;
    server backup2.example.com:8080 backup;
}
2. Failover policy
location / {
    proxy_pass http://backend;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    proxy_next_upstream_tries 3;
    proxy_next_upstream_timeout 30s;
}
Monitoring and Logging
1. Proxy status monitoring
# Enable the status module
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    deny all;
}
# Upstream server status (Nginx Plus)
location /upstream_status {
    upstream_conf;
    allow 127.0.0.1;
    deny all;
}
2. Detailed logging
# Custom log format
log_format proxy '$remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent" '
                 'upstream: $upstream_addr '
                 'response_time: $upstream_response_time '
                 'request_time: $request_time';
server {
    listen 80;
    server_name example.com;
    access_log /var/log/nginx/proxy.log proxy;
    location / {
        proxy_pass http://backend;
    }
}
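A parser for the `proxy` log format above, as an added example that is not part of the original lesson: when `proxy_next_upstream` retries a request, nginx logs every server it tried in `$upstream_addr`, so the log shows which backends were abandoned. The function names and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Mirrors the "proxy" log_format defined above.
LINE_RE = re.compile(
    r'(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'upstream: (?P<upstream>.*?) response_time: (?P<utime>.*?) '
    r'request_time: (?P<rtime>[\d.]+)$'
)
# nginx separates per-server values with ", " and redirect groups with " : ".
SEP = re.compile(r"\s*,\s*|\s+:\s+")


def parse(line):
    """Parse one log line; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["upstreams"] = SEP.split(rec["upstream"])
    # "-" is logged when no response time was recorded.
    rec["utimes"] = [None if t == "-" else float(t)
                     for t in SEP.split(rec["utime"])]
    return rec


def failed_attempts(lines):
    """Count, per upstream, the attempts nginx gave up on before moving on."""
    failed = Counter()
    for rec in filter(None, map(parse, lines)):
        # Every address except the last in the list was abandoned.
        failed.update(rec["upstreams"][:-1])
    return failed


# Constructed sample lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 612 '
    '"-" "curl/8.0" upstream: 192.168.1.100:8080 response_time: 0.004 '
    'request_time: 0.005',
    '203.0.113.8 - - [10/Oct/2024:13:55:40 +0000] "GET /api/ HTTP/1.1" 200 85 '
    '"-" "curl/8.0" upstream: 192.168.1.101:8080, 192.168.1.102:8080 '
    'response_time: 30.001, 0.012 request_time: 30.014',
]
```

Calling `failed_attempts(SAMPLE)` reports one abandoned attempt for `192.168.1.101:8080`; a backend that keeps appearing there is worth checking against its `max_fails` and `fail_timeout` settings.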
Performance Optimization
1. Connection pool optimization
upstream backend {
    server server1.example.com:8080;
    server server2.example.com:8080;
    # Connection pool settings
    keepalive 32;
    keepalive_requests 100;
    keepalive_timeout 60s;
}
location / {
    proxy_pass http://backend;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
}
2. Cache optimization
# Proxy cache optimization
proxy_cache_path /var/cache/nginx/proxy
    levels=1:2
    keys_zone=cache_zone:100m
    max_size=10g
    inactive=60m
    use_temp_path=off;
location / {
    proxy_pass http://backend;
    proxy_cache cache_zone;
    proxy_cache_valid 200 302 10m;
    proxy_cache_valid 404 1m;
    proxy_cache_lock on;
    proxy_cache_lock_timeout 5s;
    proxy_cache_use_stale updating;
}
Practical Examples
1. Proxying a microservice architecture
# User service
upstream user_service {
    server user1.internal:3001;
    server user2.internal:3001;
}
# Order service
upstream order_service {
    server order1.internal:3002;
    server order2.internal:3002;
}
# Payment service
upstream payment_service {
    server payment1.internal:3003;
    server payment2.internal:3003;
}
server {
    listen 80;
    server_name api.example.com;
    # User-related API
    location /api/users/ {
        proxy_pass http://user_service/;
        include /etc/nginx/proxy_params;
    }
    # Order-related API
    location /api/orders/ {
        proxy_pass http://order_service/;
        include /etc/nginx/proxy_params;
    }
    # Payment-related API
    location /api/payments/ {
        proxy_pass http://payment_service/;
        include /etc/nginx/proxy_params;
    }
}
2. Blue-green deployment
# Blue environment
upstream blue_env {
    server blue1.example.com:8080;
    server blue2.example.com:8080;
}
# Green environment
upstream green_env {
    server green1.example.com:8080;
    server green2.example.com:8080;
}
# Currently active environment
upstream current_env {
    server blue1.example.com:8080;
    server blue2.example.com:8080;
}
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://current_env;
        include /etc/nginx/proxy_params;
    }
}
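Summary
This lesson covered the configuration and use of the Nginx reverse proxy in detail:
- Basic concepts: how a reverse proxy works and its advantages
- Basic configuration: simple proxying and proxy header settings
- Load balancing: the available algorithms and server state control
- Advanced features: caching, SSL, and WebSocket proxying
- Health checks: passive and active health checks
- Performance optimization: connection pooling and cache optimization
Preview of the next lesson
In the next lesson we will cover SSL/TLS configuration, including:
- HTTPS configuration
- SSL certificate management
- Security hardening settings
- HTTP/2 configuration
💡 Tip: Reverse proxying is one of Nginx's most important features. In production, properly configured load balancing and health checks are critical to system stability.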