Nginx 反向代理完整指南
一、基础概念
反向代理是指服务器代理客户端去访问后端真实服务器,客户端无需知道实际服务器地址。
二、快速安装
Linux(Ubuntu/Debian)
bash
复制代码
sudo apt-get update
sudo apt-get install nginx
sudo systemctl start nginx
sudo systemctl enable nginx
Linux(CentOS/RHEL)
bash
复制代码
sudo yum install nginx
sudo systemctl start nginx
sudo systemctl enable nginx
macOS
bash
复制代码
brew install nginx
brew services start nginx
三、核心配置
文件位置
| 系统 |
配置路径 |
| Ubuntu/Debian |
/etc/nginx/nginx.conf |
| CentOS/RHEL |
/etc/nginx/nginx.conf |
| macOS |
/usr/local/etc/nginx/nginx.conf |
最小化反向代理配置
nginx
复制代码
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
四、常用代理配置详解
1. 单后端服务
nginx
复制代码
server {
listen 80;
server_name api.example.com;
location / {
proxy_pass http://backend-server:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
2. 负载均衡(多后端)
nginx
复制代码
upstream backend {
server 192.168.1.10:8080 weight=5;
server 192.168.1.11:8080 weight=3;
server 192.168.1.12:8080 backup;
}
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
3. 路径路由
nginx
复制代码
server {
listen 80;
server_name example.com;
location /api/ {
proxy_pass http://api-server:3000;
}
location /static/ {
root /var/www/html;
}
location /admin/ {
proxy_pass http://admin-server:8080;
}
}
4. WebSocket 支持
nginx
复制代码
server {
listen 80;
server_name websocket.example.com;
location /ws {
proxy_pass http://ws-server:9000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 3600s;
}
}
5. HTTPS + 重定向
nginx
复制代码
server {
listen 80;
server_name example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
五、常用代理参数
| 参数 |
说明 |
示例 |
proxy_pass |
后端服务地址 |
http://backend:8080 |
proxy_set_header |
设置请求头 |
Host $host |
proxy_redirect |
重定向处理 |
off |
proxy_connect_timeout |
连接超时 |
60s |
proxy_send_timeout |
发送超时 |
60s |
proxy_read_timeout |
读取超时 |
60s |
proxy_buffering |
响应缓冲 |
on/off |
proxy_buffer_size |
缓冲大小 |
4k |
高性能配置示例
nginx
复制代码
location / {
proxy_pass http://backend;
# 超时设置
proxy_connect_timeout 30s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# 缓冲设置
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 8 8k;
proxy_busy_buffers_size 16k;
# 请求头设置
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 其他设置
proxy_http_version 1.1;
proxy_redirect off;
}
六、调试与验证
配置检查
bash
复制代码
# 检查配置语法
nginx -t
# 查看详细配置
nginx -T
重启服务
bash
复制代码
# 重启 Nginx
sudo systemctl restart nginx
# 平滑重启(不中断连接)
sudo nginx -s reload
日志查看
bash
复制代码
# 访问日志
sudo tail -f /var/log/nginx/access.log
# 错误日志
sudo tail -f /var/log/nginx/error.log
测试反向代理
bash
复制代码
curl -i http://example.com
curl -H "Host: example.com" http://127.0.0.1
七、常见问题排查
502 Bad Gateway
nginx
复制代码
# 增加超时时间
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
# 检查后端服务是否运行
连接拒绝
bash
复制代码
# 检查防火墙
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# 检查后端服务监听地址
netstat -tlnp | grep LISTEN
请求头丢失
nginx
复制代码
# 明确传递请求头
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
八、生产环境配置模板
nginx
复制代码
# /etc/nginx/conf.d/production.conf
upstream production_backend {
least_conn;
server backend1.internal:8080 max_fails=3 fail_timeout=30s;
server backend2.internal:8080 max_fails=3 fail_timeout=30s;
server backend3.internal:8080 backup;
}
server {
listen 80;
server_name example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log warn;
location / {
proxy_pass http://production_backend;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 30s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 8 8k;
}
}