1. Nginx 代理基本原理
Nginx 可以通过 Stream 模块(TCP/UDP 代理)和 HTTP 模块(HTTP 代理)来代理各种后端服务。
2. 代理配置示例
2.1 代理 MySQL(TCP 代理)
bash
# nginx.conf 主配置文件
stream {
# MySQL 代理
upstream mysql_backend {
server 192.168.1.100:3306;
# 可以添加多个后端
# server 192.168.1.101:3306;
}
server {
listen 3306; # 代理监听端口
proxy_pass mysql_backend;
proxy_timeout 3s;
proxy_connect_timeout 2s;
# SSL 支持(如果需要)
# ssl_preread on;
# proxy_ssl on;
# proxy_ssl_name $ssl_preread_server_name;
}
}2.2 代理 Redis(TCP 代理)
bash
stream {
# Redis 单节点
upstream redis_single {
server 192.168.1.100:6379;
}
# Redis 集群(简单轮询)
upstream redis_cluster {
server 192.168.1.101:6379;
server 192.168.1.102:6379;
server 192.168.1.103:6379;
}
server {
listen 6379;
proxy_pass redis_single;
proxy_timeout 3s;
proxy_buffer_size 4k;
}
server {
listen 6380;
proxy_pass redis_cluster;
proxy_timeout 3s;
}
}2.3 代理 RabbitMQ(AMQP 和 Web 管理界面)
bash
# TCP 代理 AMQP 协议
stream {
upstream rabbitmq_amqp {
server 192.168.1.100:5672;
}
server {
listen 5672;
proxy_pass rabbitmq_amqp;
proxy_timeout 3s;
}
}
# HTTP 代理 Web 管理界面
http {
upstream rabbitmq_http {
server 192.168.1.100:15672;
}
server {
listen 15672;
server_name rabbitmq.example.com;
location / {
proxy_pass http://rabbitmq_http;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket 支持
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
}2.4 代理 Kafka
bash
stream {
# Kafka brokers
upstream kafka_broker1 {
server 192.168.1.100:9092;
}
upstream kafka_broker2 {
server 192.168.1.101:9092;
}
# 监听不同端口对应不同 broker
server {
listen 19092;
proxy_pass kafka_broker1;
proxy_timeout 10s;
}
server {
listen 29092;
proxy_pass kafka_broker2;
proxy_timeout 10s;
}
}2.5 代理 MongoDB
bash
stream {
upstream mongodb {
server 192.168.1.100:27017;
}
server {
listen 27017;
proxy_pass mongodb;
proxy_timeout 10s;
# MongoDB 可能需要更长的超时时间
proxy_connect_timeout 10s;
}
}3. 高级配置功能
3.1 负载均衡配置
bash
stream {
upstream backend_pool {
# 负载均衡算法
least_conn; # 最少连接
# 权重配置
server 192.168.1.100:3306 weight=3;
server 192.168.1.101:3306 weight=2;
server 192.168.1.102:3306 weight=1;
# 健康检查
# 需要 nginx-plus 或第三方模块
}
}3.2 SSL/TLS 终端
bash
stream {
# Redis with SSL termination
server {
listen 6380 ssl;
proxy_pass redis_backend;
ssl_certificate /etc/nginx/ssl/redis.crt;
ssl_certificate_key /etc/nginx/ssl/redis.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# SSL 会话重用
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
}
}3.3 访问控制和限流
bash
stream {
server {
listen 3306;
proxy_pass mysql_backend;
# 连接限流
limit_conn_zone $binary_remote_addr zone=mysql_zone:10m;
limit_conn mysql_zone 100; # 每个 IP 最多 100 个连接
# 访问控制
allow 192.168.1.0/24;
allow 10.0.0.0/8;
deny all;
}
}这样配置后,Nginx 可以作为统一的入口点代理各种后端服务,提供负载均衡、SSL 终端、访问控制等功能。