Nginx反向代理配置详解

· 阅读约需17分钟

Nginx反向代理配置详解

Nginx作为高性能的Web服务器和反向代理,是现代Web架构中不可或缺的组件。本文详细讲解Nginx反向代理的核心配置和最佳实践。

一、反向代理基础概念

什么是反向代理?

反向代理服务器位于客户端和后端服务器之间,客户端将请求发送给反向代理,由反向代理转发给后端服务器,再将响应返回给客户端。

主要作用:

  • 负载均衡
  • 隐藏后端服务器真实IP
  • SSL/TLS终端
  • 缓存静态内容
  • 统一入口、安全防护

正向代理 vs 反向代理

特性正向代理反向代理
位置客户端侧服务器侧
代表客户端服务器
用途翻墙、访问控制负载均衡、安全
典型VPN、ShadowsocksNginx、HAProxy

二、基础反向代理配置

最简配置示例

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}

核心指令详解

proxy_pass:指定后端服务器地址

# 带URI的转发
proxy_pass http://127.0.0.1:3000/api/;

# 不带URI的转发
proxy_pass http://127.0.0.1:3000;

注意:末尾的斜杠会影响转发路径!

常用代理参数

location / {
    # 后端服务器地址
    proxy_pass http://backend;

    # 设置Host头
    proxy_set_header Host $host;

    # 传递真实客户端IP
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # 传递协议信息
    proxy_set_header X-Forwarded-Proto $scheme;
}

三、高级配置技巧

超时配置

location / {
    proxy_pass http://backend;

    # 连接超时
    proxy_connect_timeout 60s;

    # 发送超时
    proxy_send_timeout 60s;

    # 接收超时
    proxy_read_timeout 60s;
}

Buffer配置

location / {
    proxy_pass http://backend;

    # 启用缓冲
    proxy_buffering on;

    # 缓冲区大小
    proxy_buffer_size 4k;
    proxy_buffers 8 4k;
    proxy_busy_buffers_size 8k;
}

WebSocket支持

location /ws {
    proxy_pass http://backend;

    # WebSocket升级
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # 长连接超时
    proxy_read_timeout 86400;
}

四、负载均衡配置

upstream定义后端集群

upstream myapp {
    # 默认轮询
    server 192.168.1.101:3000;
    server 192.168.1.102:3000;
    server 192.168.1.103:3000;
}

server {
    listen 80;
    location / {
        proxy_pass http://myapp;
    }
}

负载均衡策略

1. 加权轮询

upstream myapp {
    server 192.168.1.101:3000 weight=3;
    server 192.168.1.102:3000 weight=2;
    server 192.168.1.103:3000 weight=1;
}

2. IP哈希(会话保持)

upstream myapp {
    ip_hash;
    server 192.168.1.101:3000;
    server 192.168.1.102:3000;
}

3. 最少连接

upstream myapp {
    least_conn;
    server 192.168.1.101:3000;
    server 192.168.1.102:3000;
}

健康检查

upstream myapp {
    server 192.168.1.101:3000 max_fails=3 fail_timeout=30s;
    server 192.168.1.102:3000 max_fails=3 fail_timeout=30s;
    server 192.168.1.103:3000 backup;  # 备用服务器
}

五、缓存配置

基础缓存设置

# http块中定义缓存路径
proxy_cache_path /var/cache/nginx 
    levels=1:2 
    keys_zone=my_cache:10m 
    max_size=10g 
    inactive=60m 
    use_temp_path=off;

server {
    location / {
        proxy_pass http://backend;

        # 启用缓存
        proxy_cache my_cache;

        # 缓存不同状态码的响应
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;

        # 缓存key
        proxy_cache_key $host$request_uri;
    }
}

缓存控制高级配置

location / {
    proxy_pass http://backend;
    proxy_cache my_cache;

    # 忽略后端缓存控制头
    proxy_ignore_headers Cache-Control Expires;

    # 后台更新缓存
    proxy_cache_background_update on;

    # 锁防止缓存雪崩
    proxy_cache_lock on;
}

六、HTTPS反向代理

SSL终端配置

server {
    listen 443 ssl http2;
    server_name example.com;

    # 证书配置
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # SSL优化
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# HTTP重定向到HTTPS
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

七、生产环境最佳实践

完整配置模板

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # 日志格式
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    keepalive_timeout  65;
    tcp_nopush on;
    tcp_nodelay on;

    # Gzip压缩
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/xml application/json application/javascript;

    # 上游服务器
    upstream backend {
        least_conn;
        server 127.0.0.1:3000 max_fails=3 fail_timeout=30s;
        server 127.0.0.1:3001 max_fails=3 fail_timeout=30s;
    }

    server {
        listen 80;
        server_name example.com;

        client_max_body_size 10M;

        location / {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_connect_timeout 60s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;
        }

        # 静态文件直接由Nginx服务
        location /static {
            alias /var/www/static;
            expires 30d;
        }
    }
}

安全加固建议

  1. 隐藏Nginx版本号

    server_tokens off;
  2. 限制请求方法

    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 405;
    }
  3. 防止DDoS

    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
    limit_req zone=one burst=20;

掌握这些配置,你就能搭建出高性能、高可用的Nginx反向代理服务了。