Nginx入坑到入土


1. Nginx 简介

Nginx 是一个轻量级的 Web 服务器 / 反向代理服务器及电子邮件代理服务器,以其高性能、高并发和低内存占用而闻名。

2. 安装 Nginx

Ubuntu/Debian

# Refresh the package index first, then install nginx from the distribution repositories
sudo apt update
sudo apt install nginx

CentOS/RHEL

# yum on older CentOS/RHEL releases
sudo yum install nginx
# or, on newer releases, dnf
sudo dnf install nginx

3. 基本命令

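# Start Nginx
sudo systemctl start nginx

# Stop Nginx
sudo systemctl stop nginx

# Restart Nginx (unlike reload, this stops the service first)
sudo systemctl restart nginx

# Reload the configuration without interrupting service.
# (The comment and the command were previously fused onto one line, which
# turned the whole line into a comment and silently skipped the reload.)
sudo systemctl reload nginx

# Show service status
sudo systemctl status nginx

# Start automatically at boot
sudo systemctl enable nginx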

4. 配置文件结构

Nginx 的主要配置文件通常位于(以下为 Debian/Ubuntu 软件包的目录布局):

  • /etc/nginx/nginx.conf(主配置文件)
  • /etc/nginx/sites-available/(可用站点配置)
  • /etc/nginx/sites-enabled/(已启用站点配置)

5. 基本配置示例

创建一个简单的虚拟主机配置:

server {
    listen 80;
    server_name example.com www.example.com;

    # Document root and the index files tried for directory requests
    root /var/www/html;
    index index.html index.htm;

    # Serve the requested file, then the directory, otherwise answer 404
    location / {
        try_files $uri $uri/ =404;
    }

    # Long-lived caching for static assets.
    # NOTE(review): "immutable" with a one-year lifetime assumes asset file
    # names change on every deploy (fingerprinted names); confirm that holds.
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}

6. 检查配置和重启

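# Check the configuration syntax and reload ONLY if the check passes.
# (The original ran the two commands independently, so a broken config was
# still reloaded; "&&" enforces the "if the test passes" condition.)
sudo nginx -t && sudo systemctl reload nginx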

7. 日志文件

  • 访问日志:/var/log/nginx/access.log
  • 错误日志:/var/log/nginx/error.log

8. 简单性能优化

# Add inside the http {} block of nginx.conf
http {
    # Kernel-side file transfer and packet coalescing
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Keep-alive duration and MIME-type hash sizing
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # Response compression for text-like types.
    # NOTE(review): compressing responses that echo request-controlled data
    # over TLS is the precondition for BREACH-style side channels; confirm
    # which of these types carry such content before enabling it site-wide.
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
}

下面深入探讨 Nginx 的反向代理、负载均衡和 SSL 配置。

9. 反向代理配置

基础反向代理

server {
    listen 80;
    server_name example.com;

    location / {
        # Forward every request to the application listening on port 3000
        proxy_pass http://localhost:3000;

        # Buffer upstream responses in memory.
        # NOTE(review): proxy_buffer_size bounds the first part of the
        # response (status line + headers); confirm 4k covers the backend's
        # largest cookie/header set, otherwise nginx answers 502.
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;

        # Upstream timeouts: connect / send / read
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Hand the original host, client address and scheme to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

多路径反向代理

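server {
    listen 80;
    server_name example.com;

    # API requests go to the backend API service
    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Optional: strip the /api prefix before proxying.
        # (Previously fused onto the comment line, which hid that it is
        # a directive; it stays commented out so the prefix is passed through.)
        # rewrite ^/api/(.*) /$1 break;
    }

    # Admin backend on a different port.
    # NOTE(review): nothing in this block restricts who can reach /admin/;
    # confirm an allow/deny list or authentication exists here or on the backend.
    location /admin/ {
        proxy_pass http://localhost:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Same forwarding headers as /api/ (previously only Host/X-Real-IP were passed)
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Static files served straight from disk.
    # Keep the trailing "/" on BOTH the location and the alias; mismatched
    # slashes are a classic path-mapping pitfall with alias.
    location /static/ {
        alias /var/www/static/;
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}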

10. 负载均衡配置

定义上游服务器组

http {
    # Upstream server group
    upstream backend_servers {
        # Load-balancing method: round-robin by default.
        # Alternatives: least_conn (fewest active connections),
        # ip_hash (client-IP affinity), hash (custom key).

        server 192.168.1.10:8080 weight=3;  # weight 3
        server 192.168.1.11:8080 weight=2;  # weight 2
        server 192.168.1.12:8080 weight=1;  # weight 1
        server 192.168.1.13:8080 backup;    # used only when the primary servers are unavailable
    }

    upstream api_cluster {
        least_conn;  # fewest-active-connections method

        # A server is considered unavailable for fail_timeout after max_fails
        # failed attempts within that same window.
        server 192.168.1.20:3000 max_fails=3 fail_timeout=30s;
        server 192.168.1.21:3000 max_fails=3 fail_timeout=30s;
        server 192.168.1.22:3000 max_fails=3 fail_timeout=30s;
    }
}

使用负载均衡

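server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://backend_servers;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Passive failover (not an active health check): on these conditions
        # the request is retried on the next server in the group. Non-idempotent
        # requests such as POST are not retried unless the non_idempotent flag
        # is added. Short timeouts make a dead server fail fast.
        # NOTE(review): with "timeout" in the list, a legitimate response slower
        # than 10s is also retried elsewhere; confirm backends can absorb that.
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_connect_timeout 2s;
        proxy_read_timeout 10s;
    }

    location /api/ {
        proxy_pass http://api_cluster;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Same forwarding headers as location / (previously only Host/X-Real-IP were passed)
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}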

会话保持配置

upstream app_servers {
    # ip_hash: requests from the same client address are sent to the same server.
    # NOTE(review): the key is the client address nginx itself sees; if another
    # proxy or load balancer sits in front, traffic may collapse onto one server.
    # The hash mapping depends on the server order below — do not reorder them
    # (mark a server "down" instead of removing it to preserve the mapping).
    ip_hash;

    server 192.168.1.30:8080;
    server 192.168.1.31:8080;
    server 192.168.1.32:8080;
}

11. SSL/TLS 配置

基础 SSL 配置

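server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Certificate chain and private key
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Protocols: TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Cipher suites for TLS 1.2 (ECDHE + AES-GCM with RSA certificates).
    # TLS 1.3 suites are not governed by this directive.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;

    # Session resumption cache
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers. add_header is NOT inherited by a location that declares
    # its own add_header; repeat these there if such a location is added.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers ignore.
    add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_pass http://backend_servers;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Added for consistency with the other proxy blocks (was missing here)
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;  # tells the backend the client connection is HTTPS
    }
}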

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    # $server_name expands to the FIRST name in server_name (example.com), so a
    # request for www.example.com is redirected to https://example.com/...
    # $host would preserve the requested name, but only use it if this block is
    # not the catch-all default server (otherwise the Host header is attacker-controlled).
    return 301 https://$server_name$request_uri;
}

高级 SSL 安全配置

http {
    # DH parameters for finite-field DHE suites.
    # NOTE(review): the cipher list below is ECDHE-only, so no enabled suite
    # uses this file; harmless, but confirm it is intended.
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Generate dhparam.pem: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

    server {
        listen 443 ssl http2;  # enable HTTP/2 (the listen parameter form; newer nginx also offers a separate "http2 on;" directive)
        server_name example.com;

        ssl_certificate /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;

        # Modern TLS settings: 1.2/1.3, ECDHE AEAD suites, client cipher preference
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # HSTS with preload (two years, all subdomains). Only submit for preload
        # once every subdomain is served over HTTPS; the list is hard to leave.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

        # OCSP stapling.
        # NOTE(review): nginx needs a "resolver" directive to look up the OCSP
        # responder host name; without one stapling does not work (check error.log).
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ssl/ca-certs.pem;

        # Security headers (inherited by location / below because it sets no add_header of its own)
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options DENY;
        # NOTE(review): X-XSS-Protection is a legacy header that current browsers ignore.
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

        location / {
            proxy_pass http://backend_servers;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}

12. 完整综合示例

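http {
    # Upstream groups
    upstream web_servers {
        least_conn;
        server 10.0.1.10:80 weight=2;
        server 10.0.1.11:80 weight=1;
        server 10.0.1.12:80 backup;
    }

    upstream api_servers {
        ip_hash;  # client-IP affinity; the server order affects the mapping
        server 10.0.2.10:3000;
        server 10.0.2.11:3000;
    }

    # Shared cache zone "my_cache": 10m of keys, up to 10g on disk,
    # entries evicted after 60m without access
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m;

    # Plain HTTP only redirects to HTTPS
    server {
        listen 80;
        server_name example.com www.example.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name example.com www.example.com;

        # TLS
        ssl_certificate /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;

        # Security headers. add_header is inherited only by locations that set
        # no add_header of their own, so /static/ below repeats HSTS explicitly.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # Main site
        location / {
            proxy_pass http://web_servers;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Response cache.
            # NOTE(review): the default cache key is $scheme$proxy_host$request_uri,
            # so per-user responses must carry Cache-Control: private/no-store
            # (or Set-Cookie) from the backend or they are served to other
            # clients — confirm the backend does this.
            proxy_cache my_cache;
            proxy_cache_valid 200 302 10m;
            proxy_cache_valid 404 1m;
        }

        # API
        location /api/ {
            proxy_pass http://api_servers;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Same forwarding headers as location / (previously only Host/X-Real-IP were passed)
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # API-specific timeouts
            proxy_connect_timeout 5s;
            proxy_send_timeout 30s;
            proxy_read_timeout 30s;
        }

        # Static files
        location /static/ {
            alias /var/www/static/;
            expires 1y;
            add_header Cache-Control "public, immutable";
            # Re-declared here: this location's own add_header would otherwise
            # drop the server-level HSTS header from /static/ responses.
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # stub_status endpoint, reachable only from localhost and 10.0.0.0/8.
        # It lives in the HTTPS server; http://.../nginx_status gets the 301 above.
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            allow 10.0.0.0/8;
            deny all;
        }
    }
}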

13. 常用命令和调试

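# Test the configuration file
sudo nginx -t

# Reload the configuration
sudo systemctl reload nginx

# Show Nginx status
sudo systemctl status nginx

# Query the stub_status endpoint. In the full example it lives in the HTTPS
# server and the port-80 server only answers 301, so http://localhost/... does
# not reach it. --resolve connects to 127.0.0.1 (which the allow list permits)
# while still sending the example.com host name for SNI and the Host header.
curl --resolve example.com:443:127.0.0.1 https://example.com/nginx_status

# Inspect the TLS configuration. -servername sends SNI so the server can
# select the matching certificate instead of its default one.
openssl s_client -connect example.com:443 -servername example.com

# Load test
ab -n 1000 -c 10 https://example.com/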

版权声明:本站原创文章,由 一诺 于2025-09-19发表,共计6642字。
转载说明:除特殊说明外本站文章皆由CC-4.0协议发布,转载请注明出处。