一、全站 HTTPS 的 WordPress 部署
1. 基础环境准备
bash
# System update and dependency installation.
# Packages: web server, database, PHP runtime + MySQL driver, and the
# Certbot nginx plugin used later for the TLS certificate.
packages=(nginx mysql-server php-fpm php-mysql certbot python3-certbot-nginx)
sudo apt update && sudo apt upgrade -y
sudo apt install -y "${packages[@]}"
2. 数据库配置
sql
-- Database for WordPress; utf8mb4 stores the full Unicode range (emoji included).
CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
-- 'StrongPassword123!' is a sample value shown on the page: replace it with a
-- randomly generated password before running this, and avoid leaving it in
-- shell history.
CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'StrongPassword123!';
-- Privileges are scoped to the wordpress database only, not the whole server.
GRANT ALL PRIVILEGES ON wordpress.* TO 'wpuser'@'localhost';
FLUSH PRIVILEGES;
3. WordPress 安装
bash
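# Download the latest WordPress release and verify it against the checksum
# published next to it before extracting. This catches a corrupted, truncated
# or mirror-tampered tarball; it does not protect against a compromised origin,
# since both files come from the same host.
wget https://wordpress.org/latest.tar.gz
wget -O latest.tar.gz.sha1 https://wordpress.org/latest.tar.gz.sha1
# The .sha1 file holds the bare digest; build the "<hash>  <file>" line that
# sha1sum -c expects. Extraction only runs when the check passes.
printf '%s  latest.tar.gz\n' "$(cat latest.tar.gz.sha1)" | sha1sum -c - \
  && tar -zxvf latest.tar.gz
sudo mv wordpress /var/www/html/
# The web server user owns the tree so WordPress can write uploads and updates.
sudo chown -R www-data:www-data /var/www/html/wordpress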
4. Nginx SSL 配置 (/etc/nginx/sites-available/wordpress)
nginx
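server {
  listen 80;
  server_name example.com;
  return 301 https://$host$request_uri; # force HTTPS redirect
}
server {
  listen 443 ssl http2;
  server_name example.com;
  # Certificate paths (generated by Certbot)
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  # TLS hardening
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  add_header Strict-Transport-Security "max-age=63072000" always; # HSTS
  root /var/www/html/wordpress;
  index index.php;
  location / {
    try_files $uri $uri/ /index.php?$args;
  }
  # Never execute PHP from the uploads directory: a file that gets past
  # WordPress' upload filtering must not become server-side code. Regex
  # locations match in order of appearance, so this must precede the
  # generic PHP location below.
  location ~* /wp-content/uploads/.*\.php$ {
    deny all;
  }
  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
    fastcgi_param HTTPS on; # make sure PHP sees the correct HTTPS state
  }
  # Static asset caching
  location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires 30d;
    add_header Cache-Control "public, no-transform";
    # add_header is not inherited from the server level once a location sets
    # its own, so HSTS has to be repeated here or static responses go out
    # without it.
    add_header Strict-Transport-Security "max-age=63072000" always;
  }
}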
5. 获取 SSL 证书
bash
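# Obtain the certificate; the --nginx plugin also edits the site config in place.
sudo certbot --nginx -d example.com
# Validate the (now modified) config before applying it, and reload rather
# than restart so in-flight connections are not dropped.
sudo nginx -t && sudo systemctl reload nginx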
二、高可用架构:Nginx + Keepalived 双主节点
1. 双机环境准备(Node1: 192.168.1.10, Node2: 192.168.1.20)
bash
# Install Keepalived on both servers (run on Node1 and Node2).
sudo apt install -y keepalived
2. Keepalived 主配置 (Node1: /etc/keepalived/keepalived.conf)
conf
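vrrp_script chk_nginx {
  script "/usr/bin/killall -0 nginx" # succeeds while an nginx process exists
  interval 2
  # The weight must exceed the priority gap between the two nodes (100 vs 90),
  # otherwise a dead nginx never triggers failover: with the original
  # "weight 2" a MASTER whose check fails still holds 100 against the
  # BACKUP's 90+2=92. A negative weight is subtracted while the check fails,
  # so 100-20=80 < 90 hands the VIP over.
  weight -20
}
vrrp_instance VI_1 {
  state MASTER
  interface eth0
  virtual_router_id 51 # must be identical on every node of this group
  priority 100 # node 1 is preferred for this VIP
  virtual_ipaddress {
    192.168.1.100/24 dev eth0
  }
  track_script {
    chk_nginx
  }
}
vrrp_instance VI_2 {
  state BACKUP
  interface eth0
  virtual_router_id 52
  priority 90
  virtual_ipaddress {
    192.168.1.101/24 dev eth0
  }
  track_script {
    chk_nginx
  }
}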
3. 节点2配置调整
conf
# On Node2 change the priority fields (everything else stays as on Node1):
# NOTE(review): it is also customary to swap the state lines on this node
# (VI_1 -> BACKUP, VI_2 -> MASTER) so the initial state agrees with the
# priorities; priority still decides the election either way.
vrrp_instance VI_1 { priority 90 }
vrrp_instance VI_2 { priority 100 }
4. 启动服务
bash
# Enable Keepalived at boot and start it now (run on both nodes).
sudo systemctl enable --now keepalived
架构说明:
使用两个VRRP实例实现双VIP负载
VIP 192.168.1.100 主节点为Node1
VIP 192.168.1.101 主节点为Node2
通过DNS轮询或外部负载均衡分配两个VIP流量
三、灰度发布实现
1. Nginx 上游服务器配置
nginx
# Server groups for the old and new versions
upstream backend {
  server 192.168.1.10:80; # current (old) version
  server 192.168.1.20:80 backup; # new version; only receives traffic when 192.168.1.10 is down
}
upstream canary_backend {
  server 192.168.1.20:80; # new version
}
2. 流量分割配置
nginx
# Percentage split keyed on the client address: the hash is deterministic,
# so one address always lands in the same bucket (and every client behind
# a shared NAT address shares that bucket).
http {
  split_clients "${remote_addr}AAA" $variant {
    5% canary_backend; # 5% of traffic to the new version
    * backend;
  }
  server {
    listen 80;
    location / {
      proxy_pass http://$variant;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      # Version tag header for verification. Note it exposes the internal
      # upstream group name to every client; a neutral label would reveal less.
      add_header X-Canary-Version $variant;
    }
  }
}
3. 高级会话保持方案
nginx
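# Pin a client to the group it first landed in. The cookie carries the labels
# "canary"/"stable"; any other value, including no cookie, falls back to the
# address-based split from split_clients ($variant).
map $cookie_canary $group {
  default $variant;
  "canary" canary_backend;
  "stable" backend;
}
# Translate the chosen upstream back into the cookie label. Writing $group
# itself into the cookie stores "canary_backend"/"backend", which never match
# the keys above, so the pin silently did nothing and every request was
# re-split.
map $group $canary_label {
  canary_backend "canary";
  backend "stable";
}
server {
  location / {
    if ($cookie_canary = "") {
      add_header Set-Cookie "canary=$canary_label;Path=/;Max-Age=86400";
    }
    proxy_pass http://$group;
  }
}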
四、企业级优化措施
1. 安全加固
nginx
# Add inside the http block:
server_tokens off; # hide the nginx version in the Server header and error pages
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
# NOTE(review): add_header set at this level is inherited only by server and
# location blocks that declare no add_header of their own; blocks that do
# (e.g. one adding HSTS or Cache-Control) must repeat these two lines.
client_body_buffer_size 10K;
client_max_body_size 8m; # also caps WordPress media uploads at 8 MB
2. 性能调优
nginx
# Global tuning
worker_processes auto; # one worker per available CPU core
events {
  worker_connections 1024; # per worker process
  multi_accept on;
}
http {
  open_file_cache max=200000 inactive=20s;
  open_file_cache_valid 30s;
  keepalive_timeout 15;
  keepalive_requests 100000;
  reset_timedout_connection on; # free resources held by clients that stop responding
}
3. 日志分析配置
nginx
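# nginx concatenates the quoted pieces exactly as written, so the third piece
# needs a trailing space: without it the canary tag was glued onto the
# preceding value ("..."CanaryGroup: ...), breaking field-based log parsers.
# $group comes from the map in the session-persistence section.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" '
                'CanaryGroup: $group'; # canary group tag
access_log /var/log/nginx/access.log main buffer=32k flush=5m;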
五、验证与监控
1. 服务状态检查
bash
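# Check that the VIP is bound (fixed-string match, so "." is not a wildcard
# and e.g. 192.168.1.1000 or 192x168 cannot produce a false positive)
ip addr show eth0 | grep -F -- '192.168.1.100'
# Follow the Keepalived log
journalctl -u keepalived -f
# Verify the canary split: -s hides the progress meter, -I sends a HEAD
# request; header names are case-insensitive, hence -i
curl -sI http://example.com | grep -i -- 'X-Canary-Version'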
2. 自动化监控建议
yaml
# Prometheus scrape job template for both nodes.
# NOTE(review): assumes an nginx metrics exporter is listening on 9113 on
# each node — confirm which exporter and that the port is reachable only
# from the Prometheus host.
scrape_configs:
  - job_name: 'nginx'
    static_configs:
      - targets: ['192.168.1.10:9113', '192.168.1.20:9113']