# 05 Nginx-LB Configuration Explained

This document describes the configuration of the Nginx load balancer in detail. It is the entry point of the whole architecture: the layer that receives client requests.
## Architecture position

```text
        Client
          │
          ▼
┌─────────────────────┐
│   VIP 172.20.1.100  │ ← Keepalived floating IP
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│      Nginx-LB       │ ← load-balancing layer
│  172.20.1.11/12/13  │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│ PHP service cluster │ ← 3 PHP service nodes
│  172.20.2.11/12/13  │
└─────────────────────┘
```
## Configuration components

Nginx-LB uses three configuration files:

- `nginx.conf` - main configuration file, contains the upstream definition
- `conf.d/upstream.conf` - server block configuration
- `ssl.conf` - SSL/TLS configuration
## Full configuration

### nginx.conf

```nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'upstream: $upstream_addr '
                    'upstream_status: $upstream_status '
                    'request_time: $request_time '
                    'upstream_response_time: $upstream_response_time';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 100M;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript
               application/json application/javascript application/xml+rss
               application/rss+xml font/truetype font/opentype
               application/vnd.ms-fontobject image/svg+xml;

    upstream web_backend {
        least_conn;
        server 172.20.2.11:80 max_fails=3 fail_timeout=30s;
        server 172.20.2.12:80 max_fails=3 fail_timeout=30s;
        server 172.20.2.13:80 max_fails=3 fail_timeout=30s;
    }

    include /etc/nginx/conf.d/*.conf;
}
```
### conf.d/upstream.conf

```nginx
server {
    listen 80;
    server_name localhost;

    location / {
        proxy_pass http://web_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
    }

    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }
}
```
### ssl.conf

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
```

Note that the `nginx.conf` shown above does not `include` this file and the server block only listens on port 80, so these TLS settings take effect only once the file is included from a server block that listens with `ssl`.
## Configuration items explained

### 1. worker_processes

```nginx
worker_processes auto;
```

- `auto`: Nginx detects the number of CPU cores and starts that many worker processes
- Recommended value: the number of CPU cores, or `auto`

### 2. worker_connections

```nginx
worker_connections 1024;
```

- Maximum number of concurrent connections each worker process may hold
- 1024 is a conservative value and can be raised as needed

### 3. use epoll

```nginx
use epoll;
```

- Uses the epoll event model (high-performance I/O multiplexing on Linux)
- Suited to high-concurrency scenarios

### 4. multi_accept

```nginx
multi_accept on;
```

- Accepts as many pending connections as possible per accept call
- Improves concurrent processing capacity

### 5. sendfile

```nginx
sendfile on;
tcp_nopush on;
tcp_nodelay on;
```

- `sendfile`: kernel-level file transfer that reduces context switches
- `tcp_nopush`: sends the data packets right after the response headers
- `tcp_nodelay`: disables Nagle's algorithm to reduce latency

### 6. Log format

```nginx
log_format main '...upstream: $upstream_addr...upstream_status: $upstream_status...';
```

- Records the upstream address and status, which makes troubleshooting easier
- Includes key metrics such as request time and upstream response time
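As an added example that is not part of the original document: a small Python parser for exactly the `log_format main` defined above. It splits the comma-separated `$upstream_addr` / `$upstream_status` lists that appear when Nginx retried a request on another backend, and counts failed attempts per PHP node, which is the view needed when chasing the 502 case in the common-problems section. The log lines are constructed samples, not a real capture.

```python
import re
from collections import Counter

# Regex for the `log_format main` in nginx.conf above. The upstream_* fields
# become comma-separated lists when Nginx retried on another backend.
LOG_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)" '
    r'upstream: (?P<upstream_addr>.*?) upstream_status: (?P<upstream_status>.*?) '
    r'request_time: (?P<request_time>\S+) '
    r'upstream_response_time: (?P<upstream_response_time>.*)$'
)

# Constructed sample lines (not a real capture): a normal hit, a request that
# failed on .12 and was retried on .13, and one that failed outright (502).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.6.0" "-" upstream: 172.20.2.11:80 upstream_status: 200 request_time: 0.012 upstream_response_time: 0.011
10.0.0.5 - - [12/Mar/2024:10:15:02 +0000] "GET /api/users HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "203.0.113.9" upstream: 172.20.2.12:80, 172.20.2.13:80 upstream_status: 502, 200 request_time: 0.034 upstream_response_time: 0.003, 0.030
10.0.0.7 - - [12/Mar/2024:10:15:03 +0000] "POST /api/login HTTP/1.1" 502 157 "-" "Mozilla/5.0" "-" upstream: 172.20.2.12:80 upstream_status: 502 request_time: 0.002 upstream_response_time: 0.001
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # Split the per-attempt fields so each backend attempt can be inspected.
    for key in ("upstream_addr", "upstream_status", "upstream_response_time"):
        rec[key] = [v.strip() for v in rec[key].split(",")]
    return rec

def upstream_failures(lines):
    """Per backend, count attempts that ended in a 5xx or no response ("-").
    Returns (failures_by_backend, attempts_by_backend) as Counters."""
    failures, attempts = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for addr, status in zip(rec["upstream_addr"], rec["upstream_status"]):
            if addr == "-":  # request never reached a backend
                continue
            attempts[addr] += 1
            if status == "-" or status.startswith("5"):
                failures[addr] += 1
    return failures, attempts
```

When attributing traffic to clients, use `remote_addr` (the TCP peer) rather than `http_x_forwarded_for`, which is a header the client can set freely.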
### 7. Gzip compression

```nginx
gzip on;
gzip_types text/plain application/json...;
```

- Enables gzip compression to reduce the amount of data transferred
- Applied to text-based content types

### 8. upstream configuration

```nginx
upstream web_backend {
    least_conn;
    server 172.20.2.11:80 max_fails=3 fail_timeout=30s;
    server 172.20.2.12:80 max_fails=3 fail_timeout=30s;
    server 172.20.2.13:80 max_fails=3 fail_timeout=30s;
}
```

Load-balancing algorithm:

- `least_conn`: prefers the server with the fewest active connections
- Other options: `ip_hash`, `hash`, `round_robin` (the default)

Health-check parameters:

- `max_fails=3`: after 3 consecutive failures the server is considered unavailable
- `fail_timeout=30s`: after failing, the server is not tried again for 30 seconds

### 9. Proxy configuration

```nginx
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
```

- Passes the real client IP to the backend PHP services
- Preserves the original request protocol (HTTP/HTTPS) through the `X-Forwarded-Proto` header set in the full configuration
- `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever `X-Forwarded-For` value the client already sent, so the backend should trust only the last address in that header; `X-Real-IP` always carries the address observed by the load balancer

### 10. Health-check endpoint

```nginx
location /health {
    access_log off;
    return 200 "healthy\n";
}
```

- Used by Keepalived to check the Nginx status
- Access logging is disabled to reduce disk I/O
## Service IP allocation

| Node | nginx-lb IP |
|---|---|
| Node1 | 172.20.1.11 |
| Node2 | 172.20.1.12 |
| Node3 | 172.20.1.13 |
## Docker Compose configuration

```yaml
nginx-lb:
  image: nginx:alpine
  container_name: nginx-lb
  networks:
    frontend-net:
      ipv4_address: 172.20.1.11   # Node1
                                  # 172.20.1.12 (Node2)
                                  # 172.20.1.13 (Node3)
    backend-net:
      ipv4_address: 172.20.2.100  # Node1
                                  # 172.20.2.101 (Node2)
                                  # 172.20.2.102 (Node3)
  volumes:
    - ./config/nginx-lb/nginx.conf:/etc/nginx/nginx.conf:ro
    - ./config/nginx-lb/conf.d:/etc/nginx/conf.d:ro
    - ./config/nginx-lb/ssl.conf:/etc/nginx/ssl.conf:ro
  restart: unless-stopped
  healthcheck:
    test: ["CMD-SHELL", "curl -f http://localhost/health > /dev/null 2>&1 || exit 1"]
    interval: 10s
    timeout: 5s
    retries: 3
```
## Common problems

### Q1: upstream returns 502 Bad Gateway

- Check whether the PHP services are running: `docker ps | grep php`
- Check network connectivity: `ping 172.20.2.11`
- Inspect the Nginx error log: `docker logs nginx-lb`

### Q2: All upstreams fail

- Confirm the healthcheck status of the 3 PHP services
- Check the backend network configuration

### Q3: Logs do not record upstream information

- Confirm that `log_format` includes `$upstream_addr` and `$upstream_status`
- Reload the configuration: `docker exec nginx-lb nginx -s reload`
## Next steps

- `06-Keepalived配置详解.md` - learn about VIP high availability
- `07-PHP服务配置详解.md` - learn about the PHP service configuration