我们使用stream模块配置四层负载均衡(TCP/UDP)。注意:四层负载均衡通常用于数据库、SSH、游戏服务器等基于TCP/UDP的服务,而不像七层负载均衡(HTTP)那样处理应用层协议。
在Nginx中配置四层负载均衡,需要在stream块中定义upstream和server。
什么是四层负载均衡
- 工作在OSI模型的传输层(TCP/UDP)
- 基于IP地址和端口进行转发
- 不解析应用层协议(如HTTP)
- 性能更高,延迟更小
与七层负载均衡对比
| 特性 | 四层负载均衡 | 七层负载均衡 |
|---|---|---|
| OSI层 | 传输层(4层) | 应用层(7层) |
| 转发依据 | IP+端口 | URL、Header、Cookie等 |
| 性能 | 更高 | 相对较低 |
| 协议支持 | TCP/UDP | HTTP/HTTPS/FTP等 |
| 配置模块 | stream | http |
核心配置文件结构
bash
# 主配置文件 nginx.conf
events {
worker_connections 1024;
}
# 四层负载均衡配置块
stream {
# 上游服务器组定义
upstream backend_servers {
# 负载均衡算法
# 服务器配置
}
# 服务监听配置
server {
# 监听端口
# 代理设置
}
}最小化配置示例
bash
events {
worker_connections 1024;
}
stream {
# 定义上游服务器组
upstream mysql_servers {
server 192.168.1.101:3306 weight=3;
server 192.168.1.102:3306 weight=2;
server 192.168.1.103:3306 weight=1;
}
# 监听3307端口,转发到MySQL集群
server {
listen 3307;
proxy_pass mysql_servers;
proxy_timeout 3s;
proxy_connect_timeout 2s;
}
}详细配置参数
上游服务器配置
bash
upstream backend {
# 负载均衡算法
hash $remote_addr consistent; # 一致性哈希
# least_conn; # 最少连接
# random; # 随机算法
# round-robin; # 轮询(默认)
# 服务器参数
server backend1.example.com:8080 weight=5;
server backend2.example.com:8080 weight=3;
server backup1.example.com:8080 backup; # 备份服务器
server backup2.example.com:8080 down; # 标记为下线
# 健康检查
health_check interval=10s passes=2 fails=3;
# 连接参数
zone backend_cluster 64k; # 共享内存区域
keepalive 32; # 保持连接数
keepalive_timeout 60s; # 保持连接超时
}服务器监听配置
bash
server {
# 基本监听
listen 1935; # TCP端口
listen 1935 udp; # UDP端口
listen 1935 ssl; # SSL/TLS
listen [::]:1935 ipv6only=on; # IPv6
# 代理设置
proxy_pass backend;
proxy_timeout 10s; # 代理超时
proxy_connect_timeout 5s; # 连接超时
# 缓冲设置
proxy_buffer_size 16k; # 缓冲区大小
proxy_download_rate 1m; # 下载限速
proxy_upload_rate 512k; # 上传限速
# SSL配置
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# 日志
access_log /var/log/nginx/tcp-access.log;
error_log /var/log/nginx/tcp-error.log;
}负载均衡算法详解
轮询算法(默认)
bash
upstream backend {
# 默认即为轮询
server 192.168.1.10:8080;
server 192.168.1.11:8080;
server 192.168.1.12:8080;
}加权轮询
bash
upstream backend {
server 192.168.1.10:8080 weight=5; # 50%流量
server 192.168.1.11:8080 weight=3; # 30%流量
server 192.168.1.12:8080 weight=2; # 20%流量
}最少连接
bash
upstream backend {
least_conn;
server 192.168.1.10:8080;
server 192.168.1.11:8080;
server 192.168.1.12:8080;
}一致性哈希
bash
upstream backend {
hash $remote_addr consistent; # 基于客户端IP
# hash $binary_remote_addr; # 二进制格式IP
server 192.168.1.10:8080;
server 192.168.1.11:8080;
server 192.168.1.12:8080;
}随机算法
bash
upstream backend {
random;
server 192.168.1.10:8080;
server 192.168.1.11:8080;
server 192.168.1.12:8080;
}实际应用场景
MySQL负载均衡
bash
stream {
upstream mysql_master_slave {
# 主库写操作
server 192.168.1.100:3306 weight=5;
# 从库读操作
server 192.168.1.101:3306 weight=3;
server 192.168.1.102:3306 weight=2;
# 备份服务器
server 192.168.1.103:3306 backup;
}
# 读写分离代理
server {
listen 3306;
proxy_pass mysql_master_slave;
proxy_timeout 5s;
proxy_connect_timeout 2s;
# 日志记录
access_log /var/log/nginx/mysql-access.log stream;
# 连接限制
proxy_download_rate 2m;
proxy_upload_rate 1m;
}
}Redis集群代理
bash
stream {
upstream redis_cluster {
hash $remote_addr consistent;
server 192.168.1.10:6379;
server 192.168.1.11:6379;
server 192.168.1.12:6379;
# 健康检查
health_check interval=5s;
}
server {
listen 6379;
proxy_pass redis_cluster;
proxy_timeout 2s;
proxy_buffer_size 4k;
}
}SSH跳板机
bash
stream {
upstream ssh_servers {
least_conn;
server 192.168.1.10:22;
server 192.168.1.11:22;
server 192.168.1.12:22;
}
server {
listen 2222;
proxy_pass ssh_servers;
proxy_timeout 1h;
proxy_connect_timeout 10s;
# 访问控制
allow 10.0.0.0/8;
deny all;
# 连接数限制
proxy_download_rate 512k;
proxy_upload_rate 256k;
}
}DNS负载均衡
bash
stream {
upstream dns_servers {
# DNS over UDP
server 192.168.1.10:53;
server 192.168.1.11:53;
}
server {
listen 53 udp reuseport; # UDP负载均衡
proxy_pass dns_servers;
proxy_timeout 3s;
# 缓冲区设置
proxy_buffer_size 4k;
}
}SSL/TLS终止
bash
stream {
upstream backend_servers {
server 192.168.1.10:443;
server 192.168.1.11:443;
}
server {
listen 443 ssl;
proxy_pass backend_servers;
# SSL配置
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# SSL会话恢复
ssl_session_tickets on;
}
}TCP优化参数
server {
listen 8080;
proxy_pass backend;
# TCP优化
tcp_nodelay on; # 禁用Nagle算法
tcp_nopush on; # 优化发送数据包
so_keepalive on; # 启用TCP keepalive
proxy_socket_keepalive on; # 代理连接保持活跃
# 超时设置
proxy_connect_timeout 5s;
proxy_timeout 300s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
# 缓冲区优化
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 32k;
}连接数限制
bash
stream {
# 定义限制区域
limit_conn_zone $binary_remote_addr zone=per_ip:10m;
limit_conn_zone $server_name zone=per_server:10m;
upstream backend {
server 192.168.1.10:8080;
}
server {
listen 8080;
proxy_pass backend;
# 连接限制
limit_conn per_ip 10; # 每个IP最多10个连接
limit_conn per_server 100; # 本服务最多100个连接
# 连接速率限制
limit_rate_after 1m; # 1MB后开始限速
limit_rate 100k; # 限速100KB/s
}
}日志配置
bash
stream {
# 自定义日志格式
log_format tcp_log '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr"';
upstream backend {
server 192.168.1.10:8080;
}
server {
listen 8080;
proxy_pass backend;
# 访问日志
access_log /var/log/nginx/tcp-access.log tcp_log;
error_log /var/log/nginx/tcp-error.log warn;
# 日志级别
error_log /var/log/nginx/debug.log debug;
}
}DDoS防护
bash
stream {
# 限制连接速率
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
server {
listen 80;
# 连接数限制
limit_conn conn_limit_per_ip 20;
limit_req zone=req_limit_per_ip burst=30 nodelay;
# 超时设置防止慢连接攻击
proxy_connect_timeout 5s;
proxy_timeout 30s;
}
}