Nginx反向代理负载均衡配置梳理大全

本文梳理了Nginx在做反向代理时常用的核心配置,所有细节可以参考官网http://nginx.org/,我这里主要起到穿针引线的作用。

本文主要涉及了如下模块: ngx_http_core_module ngx_htpp_access_module ngx_http_geo_module ngx_http_map_module ngx_http_index_module ngx_http_log_module ngx_http_perl_module ngx_http_rewrite_module ngx_http_ssi_module ngx_http_ssl_module ngx_http_upstream_module ngx_http_proxy_module ngx_http_limit_conn_module ngx_http_limit_req_module ngx_stream_core_module ngx_stream_proxy_module ngx_upstream_module 第三方模块如下: redis2-nginx-module redis-nginx-module srcache-nginx-module nginx-upsync-module

一、跳转

利用ngx_http_core_module、ngx_http_rewrite_module模块 主要是301跳转 Return写法:域名http请求跳转到对应的https请求

 server
  {
     listen   80;
    server_name www.test.com;
    index index.html index.htm index.shtml;
    location / {
          return      301 https://$host$request_uri;
   }
    access_log  /data/wwwlogs/access_www.test.com.log  access;
}

Rewrite写法:rewrite写法比较灵活可以调整路径,但没有return高效

server
{
    listen   80;
    server_name www.test.com;
    index index.html index.htm index.shtml;
    location ~* ^/(meinv|huodong|zhuanti)/(.*)$  {
        rewrite  ^/(meinv|huodong|zhuanti)/(.*)$   http://oldwww.test.com/$1/$2 permanent;
    }
    location / {
        proxy_pass http://www_test_com;
    }
    access_log  /data/wwwlogs/access_www.test.com.log  access;
}
upstream www_test_com {
        server 192.168.88.188:80;
        server 192.168.88.189:80;
}
二、重写代理

利用ngx_http_proxy_module、ngx_http_upstream_module模块

server
{
    listen 80;
    server_name www.test.com;
    index index.html index.htm index.shtml;
    location ~* /api/ {
         rewrite /api/(.*)$ /api/$1 break;
         proxy_set_header Host  apiwww.test.com;
         proxy_set_header X-Real-IP  $remote_addr;
         proxy_set_header        X_FORWARDED_FOR $proxy_add_x_forwarded_for;
         proxy_set_header        VIA     111.111.111.111;
         proxy_pass http://www_test_com_api;
     }
    access_log  /data/wwwlogs/access_www.test.com.log  access;
}
upstream www_test_com_api {
        server 192.168.88.188:80;
        server 192.168.88.189:80;
}
三、限速限连接

利用ngx_http_limit_conn_module、ngx_http_limit_req_module模块 首先http区域里面定义好限速限制连接数策略,再在线上具体域名上使用 Http区域配置如下:

map $http_x_forwarded_for  $clientRealIpnormal {
    ""  $remote_addr;
    ~^(?P<firstAddr>[0-9\.]+),?.*$  $firstAddr;
}
map $http_http_cdn_src_ip $clientRealIp{
    ""   $clientRealIpnormal;
    default $http_http_cdn_src_ip;
}
geo  $clientRealIp  $white_ip  {
default 1;
include geo.conf;
}
map $white_ip $limited {
        1  $clientRealIp;
        0  "";
 }

limit_req_status 418;
limit_conn_status 418;

limit_conn_zone $limited zone=addr:200m;
limit_req_zone  $limited zone=zero1:20m rate=1r/s;
limit_req_zone  $limited zone=zero2:20m rate=2r/s;
limit_req_zone  $limited zone=zero:20m rate=3r/s;
limit_req_zone  $limited zone=one:20m rate=10r/s;
limit_req_zone  $limited zone=two:20m rate=20r/s;
limit_req_log_level info;
limit_conn_log_level info;

线上域名开启配置如下:

server
{
    listen   80;
    server_name www.test.com;
    index index.html index.htm index.shtml;
    location / {
          limit_req zone=two burst=5 nodelay;
          limit_conn  addr 20;
          proxy_pass http://www_test_com;
    }
    access_log  /data/wwwlogs/access_www.test.com.log  access;
}
upstream www_test_com {                      
        server 192.168.88.188:80;
        server 192.168.88.189:80;
}
四、屏蔽IP

1、方法一 使用ngx_http_access_module模块allow、deny控制,缺点是通过remote_addr来屏蔽IP的,优点是支持CIDR等格式地址

allow 111.111.111.111;
allow 192.168.88.0/24;
deny all;

2、方法二 用于自定义客户端IP变量$clientRealIp来屏蔽,缺点IP需要写成正则形式的,优点是支持IP穿透,过CDN的域名这种方法才能生效

if ($clientRealIp ~ "(183.60.189.195|182.10.18.135)")
{
        return 403;
}

3、方法三 自定义屏蔽IP,结合Elasticsearch查询异常IP可自动化屏蔽IP

  set $clientipfileurl  "/usr/local/nginx/html/blockip/$host/$clientRealIp";
  if ( -f  $clientipfileurl) {
    return 403 "Your IP address $clientRealIp is too frequent, please try again later or contact the webmaster, thank you!";
  }
五、屏蔽URL

1、方法一 自动屏蔽,结合Elasticsearch查询异常URL,可自动化屏蔽URL

set $fileurl  "/usr/local/nginx/html/blockurl/$host/$uri";
if ( -f  $fileurl) {
    return 403 "This url $host$uri is too frequent, please try again later or contact the webmaster, thank you!";
 }

2、方法二 手动屏蔽,当某个目录或者URL影响到全站访问时可以手动屏蔽

location ~* ^/mbw/xoxo/123456789/ {
    return 403;
}
六、SSI包含

利用ngx_http_ssi_module模块 开启ssi后,include与ushtml代理到ssi服务器

server
{
    listen   80;
    server_name www.test.com;
    index index.html index.htm index.shtml;
        ssi on;
        ssi_silent_errors off;
        ssi_types text/shtml;
    location ~* ^/(include|ushtml)  {
        proxy_pass http://www_test_com_include;
    }
    location / {
        proxy_pass http://www_test_com;
    }
    access_log  /data/wwwlogs/access_www.test.com.log  access;
}
upstream www_test_com {                      
        server 192.168.88.188:80;
        server 192.168.88.189:80;
}
upstream www_test_com_include {
        server 192.168.88.11:80;
        server 192.168.88.12:80;
}
七、Srcache配置

该架构是给论坛做帖子缓存的,注意只能缓存帖子,目录不能缓存是openresty +srcache+reids2-nginx-module组成:入口是openresty,缓存是codis集群,上游服务器是iis源站 其中http区域配置为删除过期key,更新key的作用,由新第维护lua脚本,配置如下:

http {
    server {
        listen       80;
        server_name  www.test.com;
        allow  192.168.88.0/24;
        allow  192.168.188.0/24;
        deny all;
        location ~ /delkey/(.*) {
                internal;
                set $redis_key $1;
                redis2_query del $redis_key;
                redis2_pass redis_server;
        }
    }
    include proxy.conf;
    include vhosts_all/*.conf;
}

具体源站配置,放在vhost下,目前只有www.test.com域名,配置如下:

upstream www_test_com {                      
        server 192.168.88.188:80;
        server 192.168.88.189:80;
}

server {
      listen       80;
      server_name  www.test.com;
      more_clear_headers  "X-AspNet-Version";
      more_clear_headers  "X-Powered-By";
      location / {
        default_type text/html;
        srcache_methods GET;
        srcache_response_cache_control on;
        srcache_store_statuses 200;
        srcache_store_max_size 1024000;
        set $key $host$uri;
        set_escape_uri $escaped_key $key;
        srcache_fetch GET /redis_get $key;
        srcache_default_expire 0;
        srcache_max_expire 1h;
        srcache_store PUT /redis_set 
        key=$escaped_key&exptime=$srcache_expire;
        add_header X-Cached-From $srcache_fetch_status;
        add_header X-Cached-Store $srcache_store_status;
        add_header X-Key $key;
        add_header X-Query_String $query_string;
        add_header X-expire $srcache_expire;
        access_log /data/wwwlogs/access_www.test.com-redis.log srcache_log;
        proxy_pass http://www_test_com;

     }
     location = /redis_get {
             internal;
             set $redis_key $args;
             redis_pass redis_server;
     }
     location = /redis_set {
             internal;
             set_unescape_uri $exptime $arg_exptime;
             set_unescape_uri $key $arg_key;
              redis2_query set $key $echo_request_body;
             redis2_query expire $key $exptime;
             redis2_pass redis_server;
     }
 }
八、Upsync配置

该项目是动态上下负载,架构为nginx+nginx-upsync-module+consul,配置文件只需要对具体域名进行修改,如下:

server
{
    listen 80;
    server_name www.test.com;
    index index.html index.htm index.shtml;
    location / {
        proxy_pass http://www_test_com;
    }
    location = /upstream_show {
        upstream_show;
    }
    access_log  /data/wwwlogs/access_www.test.com.log  access;
}
upstream www_test_com {
    upsync 192.168.88.58:8500/v1/kv/upstreams/www.test.com/ upsync_timeout=6m upsync_interval=500ms upsync_type=consul strong_dependency=off;
    upsync_dump_path /usr/local/nginx/conf/servers/dump_www.test.com.conf;
    include /usr/local/nginx/conf/servers/include_www.test.com.conf;
}
九、Websock配置

Websock协议为ws,如果还需要添加ssl支持,协议为https正常添加证书就行,websock支持长连接。

server
{
    listen 80;
    server_name www.test.com;
    index index.html index.htm index.shtml;
    location / {
            proxy_pass http://olc_yiche_com;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_read_timeout 28800;
            proxy_redirect    off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP        $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
}
map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}

upstream www_test_com {                      
        server 192.168.88.188:80;
        server 192.168.88.189:80;
}
十、其他
1、只允许POST请求
location ~* /hd/api/prizehandler.ashx {
    if ($request_method = GET ) {
        return 403;
        }
        proxy_method POST; 
    proxy_pass http://apiwww_test_com;
}
2、禁止Agent
if ($http_user_agent ~* "(python-requests|Java/1.8.0_40|Java/1.0.0_07|Java/1.7.0_67|Mac OS X 10_7_5|Iceweasel|curl|spider|ChinaCache)") 
{ 
       return 403; 
}
3、设置过期时间
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css)$
{ 
       expires      30d;
       proxy_pass http://image_test_com;
}
4、设置权限
location / {
       auth_basic "Please input Username and Password";
       auth_basic_user_file /usr/local/nginx/conf/.pass_file;
}
5、rewrite忽略大小写
rewrite (?i)^/newsimg_(\d+)x(\d+)/(.*)$ /videoimgnew.php?w=$1&h=$2&dir=$3 break;
6、404冗余

方法一 通过$request_filename判断

if ( !-f $request_filename ){
     proxy_pass http://image_test_com;
     break;
}

方法二 if判断效率比较低,可以使用try_files

location / {
    try_files $uri @backend;
}
location @backend {
     proxy_pass http://image_test_com;
}

方法三 通过error_page功能

location / {
        error_page 404 500 = @fallback;
        proxy_pass http://image_test_com;
    }
location @fallback {
     proxy_pass http://imagebak_test_com;
}
7、url大小写转换

http区域配置如下

   perl_set $url ' 
   sub {
   my $r = shift;
   my $re = lc($r->uri);
   return $re;
   } ';

域名server区域配置如下

    if ($uri ~ [A-Z])
    {
      rewrite ^(.*)$  $url last;
    } 
8、支持跨域

字体支持所有域名跨域调用,某些客户端可能支持的不太友好

location ~* /topics/iconfont/
    {
           add_header Access-Control-Allow-Origin *;
}
9、SSL支持

该域名配置同时支持http与https,配置如下:

server
{
    listen 80;
    listen 443;
    server_name zhongce.m.yiche.com;
    index index.html index.htm index.shtml;
        ssl                         on;
        ssl_certificate             globalsignssl/server.cer;
        ssl_certificate_key      globalsignssl/server.key;
        ssl_prefer_server_ciphers   on;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_protocols               TLSv1.2 TLSv1.1 TLSv1;
        ssl_session_cache           shared:SSL:10m;
        ssl_session_timeout         60m;
    location / {
         proxy_pass http://www_test_com;
     }
}
10、tcp负载

需要开启stream模块,如果要支持ssl,需要开启stream_ssl模块 http区域配置如下:

cat /usr/local/nginx/conf/nginx.conf
user  www www;
worker_processes  auto;
worker_cpu_affinity auto;
error_log  logs/error.log  error;
pid        logs/nginx.pid;
worker_rlimit_nofile 409600;
events
{
  use epoll;
  worker_connections 409600;
}
stream {

log_format basic '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time';

log_format proxy '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

include tcpupstream/*.conf;
}

tcp负载配置如下: cat /usr/local/nginx/conf/tcpupstream/test12306.conf

upstream test_12306 {
        server 192.168.88.21:12306;
        server 192.168.88.22:12306;
 }
server {
        listen 12306;
        proxy_connect_timeout 10s;
        proxy_timeout 30s;
        proxy_pass test_12306;
        access_log /data/wwwlogs/access_test12306.log proxy;
}

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

发表于

我来说两句

0 条评论
登录 后参与评论

相关文章

来自专栏Angular&服务

Nginx配置https协议

使用 https 协议访问你的域名, 如 https://www.yourdomain.com/hello.html 检查是否成功,如果地址栏出现绿色带安全字样...

1771
来自专栏小樱的经验随笔

【经验分享】Hydra(爆破神器)使用方法

这个也是backtrack下面很受欢迎的一个工具 参数详解: -R 根据上一次进度继续破解 -S 使用SSL协议连接 -s 指定端口 -l 指定用户名 -L 指...

6636
来自专栏PHP在线

apache开启openssl支持

一、 加载 Apache SSL 模块 如果已经安装过 apache2.2 ,现在需要额外添加 SSL 支持,那么你需要重新编译安装一次 apache2。 编...

4157
来自专栏Linyb极客之路

JSON Web Token 入门教程

JSON Web Token(缩写 JWT)是目前最流行的跨域认证解决方案,本文介绍它的原理和用法。

1242
来自专栏YouMeek

优化单点登录流程的好东西:JWT 介绍

JWT 概念 官网介绍:https://jwt.io/introduction/ 别人翻译(翻译得很好):https://github.com/smilings...

1.4K8
来自专栏Android开发与分享

【Android】RxJava的使用(四)线程控制 —— Scheduler

36712
来自专栏bboysoul

让网站用上https

个人认为让一个没什么流量的网站支持https是没什么意义的,第一,支持https后访问速度会变慢 而且浪费服务器资源,但是没办法,一切为了装逼,为了装逼的一切...

1813
来自专栏运维

Nginx反向代理负载均衡配置梳理大全

利用ngx_http_core_module、ngx_http_rewrite_module模块 主要是301跳转 Return写法:域名http请求跳转到对应...

1241
来自专栏LeoXu的博客

一种C/S架构下的 RSA + AES 组合加密方案业务流程

一、初步方案: 1、客户端初始化,调用服务端AES加密key获取接口; 2、服务端从配置文件获取AES加密key,用RSA私钥对其进行加密,返回给客户端; ...

1282
来自专栏惨绿少年

全站HTTPS简单实践

第一个里程碑:创建https证书 1 [root@web01 backup]# openssl req -new -x509 -nodes -out ser...

2170

扫码关注云+社区