一、负载均衡场景
1.1 基础负载均衡配置
nginx
http {
# 定义上游服务器组
upstream backend_servers {
# 权重负载均衡
server 192.168.1.101:8080 weight=3; # 权重3,处理更多请求
server 192.168.1.102:8080 weight=2;
server 192.168.1.103:8080 weight=1;
# 健康检查参数
max_fails=3; # 最大失败次数
fail_timeout=30s; # 失败超时时间
}
upstream api_cluster {
# IP哈希负载均衡(会话保持)
ip_hash;
server 10.0.1.10:8000;
server 10.0.1.11:8000;
server 10.0.1.12:8000 backup; # 备份服务器
}
server {
listen 80;
server_name app.example.com;
location / {
proxy_pass http://backend_servers;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# 负载均衡参数
proxy_next_upstream error timeout http_500 http_502 http_503;
proxy_connect_timeout 5s;
proxy_read_timeout 60s;
}
location /api/ {
proxy_pass http://api_cluster;
}
}
}1.2 高级负载均衡策略
nginx
upstream app_servers {
# 最少连接数算法
least_conn;
server 192.168.1.100:8000;
server 192.168.1.101:8000;
server 192.168.1.102:8000;
# 持久化会话(商业版)
# sticky cookie srv_id expires=1h domain=.example.com path=/;
}
upstream dynamic_backend {
# 通过DNS动态发现后端
server backend-service.internal.com resolve;
# 健康检查增强
health_check interval=5s fails=3 passes=2 uri=/health;
}二、反向代理场景
2.1 基础反向代理
nginx
server {
listen 80;
server_name api.example.com;
# 基础代理设置
location / {
proxy_pass http://localhost:3000; # 转发到本地Node.js应用
# 代理头设置
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 超时设置
proxy_connect_timeout 75s;
proxy_send_timeout 3600s;
proxy_read_timeout 3600s;
# 缓冲区优化
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
proxy_busy_buffers_size 8k;
}
# 代理WebSocket
location /ws/ {
proxy_pass http://websocket_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}2.2 路径重写代理
nginx
server {
listen 80;
server_name gateway.example.com;
# 路径映射:/service1/xxx -> http://service1/xxx
location /service1/ {
proxy_pass http://service1.internal:8080/; # 注意结尾的/
# 保留原始路径
proxy_set_header X-Original-URI $request_uri;
}
# 路径重写:/user-api/xxx -> /xxx
location /user-api/ {
rewrite ^/user-api/(.*)$ /$1 break;
proxy_pass http://user-service.internal:3000;
}
# 条件代理
location /download/ {
# 根据文件类型代理到不同后端
if ($request_uri ~* \.(mp4|avi)$) {
proxy_pass http://video-server:8080;
}
if ($request_uri ~* \.(pdf|doc)$) {
proxy_pass http://doc-server:8081;
}
proxy_pass http://default-server:8082;
}
}三、HTTP重定向(反向跳转)场景
3.1 HTTP到HTTPS重定向
nginx
server {
listen 80;
server_name example.com www.example.com;
# 301永久重定向到HTTPS
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com www.example.com;
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
location / {
# HTTPS站点配置
}
}3.2 域名重定向和路径重写
nginx
# 多个域名统一
server {
listen 80;
server_name old-domain.com www.old-domain.com;
return 301 https://new-domain.com$request_uri;
}
# 路径重定向
server {
listen 80;
server_name example.com;
# 旧路径到新路径
location /old-path/ {
return 301 /new-path/;
}
# 带参数重定向
location /search {
if ($arg_q = "nginx") {
return 301 /docs/nginx-tutorial;
}
}
# 重写规则
location /blog/ {
# 保留查询参数
rewrite ^/blog/(\d+)/(.*)$ /articles/$2?id=$1 permanent;
}
# 临时重定向(302)
location /maintenance {
return 302 /under-construction.html;
}
}四、扩展场景配置
4.1 SSL/TLS终止
nginx
server {
listen 443 ssl http2;
server_name secure.example.com;
# SSL证书
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
# SSL优化
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
location / {
proxy_pass http://backend_servers;
proxy_set_header X-Forwarded-Proto https;
}
}4.2 缓存配置
nginx
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m
max_size=1g inactive=60m use_temp_path=off;
server {
location / {
proxy_pass http://backend;
# 启用缓存
proxy_cache my_cache;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503;
# 缓存控制头
add_header X-Cache-Status $upstream_cache_status;
}
# 静态文件缓存
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 1y;
add_header Cache-Control "public, immutable";
# 代理到CDN或对象存储
proxy_pass http://cdn-backend;
}
}4.3 限流和防护
nginx
# 限流区域
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_req_zone $server_name zone=domain_limit:10m rate=100r/s;
server {
location /api/ {
# 限流配置
limit_req zone=api_limit burst=20 nodelay;
limit_req_status 429;
proxy_pass http://api_backend;
}
# 下载限速
location /download/ {
limit_rate 1m; # 限制1MB/s
proxy_pass http://storage_backend;
}
# 连接数限制
location /ws/ {
limit_conn perip 10; # 每个IP最多10个连接
proxy_pass http://websocket_backend;
}
}4.4 动静分离
nginx
server {
root /var/www/html;
# 动态内容
location ~ \.(php|jsp|do)$ {
proxy_pass http://app_servers;
proxy_set_header Host $host;
}
# 静态文件
location ~* \.(css|js|jpg|jpeg|png|gif|ico|woff|woff2|ttf|svg)$ {
expires 30d;
add_header Cache-Control "public, no-transform";
# 尝试本地文件,不存在则代理
try_files $uri @static_backend;
}
location @static_backend {
proxy_pass http://cdn_servers;
}
# API接口
location /api/ {
proxy_pass http://api_servers;
proxy_set_header X-API-Version v2;
}
}4.5 健康检查和状态监控
nginx
# 启用状态页面
server {
listen 8080;
server_name localhost;
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
location /upstream_status {
upstream_show;
}
}
# 主动健康检查(商业版功能)
upstream backend {
zone backend 64k;
server backend1.example.com:80 resolve;
server backend2.example.com:80 resolve;
health_check interval=5s fails=3 passes=2 uri=/health_check;
}五、完整示例配置
nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# 日志格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
# 基础优化
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# Gzip压缩
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_types text/plain text/css application/json application/javascript text/xml;
# 上游服务器组
upstream app_backend {
least_conn;
server 10.0.1.10:3000 max_fails=3 fail_timeout=30s;
server 10.0.1.11:3000 max_fails=3 fail_timeout=30s;
server 10.0.1.12:3000 backup;
}
# 主服务器配置
server {
listen 80;
server_name www.example.com;
# HTTP重定向到HTTPS
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name www.example.com;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
# 安全头部
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# 根路径
location / {
proxy_pass http://app_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# 静态资源
location /static/ {
alias /var/www/static/;
expires 1y;
add_header Cache-Control "public, immutable";
}
# API限流
location /api/ {
limit_req zone=api_limit burst=20 nodelay;
proxy_pass http://app_backend;
}
# 健康检查端点
location /health {
access_log off;
return 200 "healthy\n";
}
# 错误页面
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
}
}关键配置说明:
-
负载均衡算法选择:
round-robin:默认,轮询least_conn:最少连接ip_hash:会话保持hash:自定义哈希键
-
代理关键指令:
proxy_pass:代理转发proxy_set_header:修改请求头proxy_redirect:重写响应头中的Location
-
性能优化要点:
- 合理设置缓冲区大小
- 启用keepalive连接
- 配置适当的超时时间
- 启用gzip压缩
-
安全建议:
- 始终使用HTTPS
- 配置适当的限流策略
- 设置安全响应头
- 限制访问权限