nginx 反向代理和负载均衡策略配置实战使用案例
2022-04-27 本文已影响0人
运气爆棚lsw
本文主要包含
1.Nginx配置文件详解
2.Nginx实现负载均衡
3.Nginx前端项目部署
4.Nginx配置SSL访问
首先Nginx能做反向代理【关于反向代理和正向代理此处不做说明了,感兴趣的小伙伴自行谷歌】;比方说,我想在本地使用 www.google.com 的域名去访问www.taobao.com。那么这个时候我们就可以通过nginx去实现
再者Nginx能实现负载均衡,就是说应用部署在不同的服务器上,但是通过统一的域名进入,nginx则对请求进行分发,将请求分发到不同的服务器上去处理,这样就可以有效的减轻了单台服务器的压力,解决单点故障,在上面这两种情况下,nginx服务器的作用都只是作为分发服务器,真正的内容,我们可以放在其他的服务器上,这样来,还能起到一层安全隔壁的作用,nginx可以作为隔离层
解决跨域问题
同源:URL由协议、域名、端口和路径组成,如果两个URL的协议、域名和端口相同,则表示他们同源
浏览器的同源策略:浏览器的同源策略,限制了来自不同源的"document"或脚本,对当前"document"读取或设置某些属性。
从一个域上加载的脚本不允许访问另外一个域的文档属性(同源表示:协议、域名和端口相同)
例如:因为nginx和tomcat不能共用同一端口,url一样,端口不同,这样就会有跨域问题
Nginx配置文件
配置文件主要由四部分组成:
main(全区设置)
server(主机配置)
http(控制着nginx http处理的所有核心特性)
location(URL匹配特定位置设置)。
upstream(负载均衡服务器设置)
#Nginx的worker进程运行用户以及用户组
#user nobody;
#Nginx开启的进程数
worker_processes 1;
#定义全局错误日志定义类型,[debug|info|notice|warn|crit]
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#指定进程ID存储文件位置
#pid logs/nginx.pid;
#事件配置
events {
#use [ kqueue | rtsig | epoll | /dev/poll | select | poll ];
#epoll模型是Linux内核中的高性能网络I/O模型,如果在mac上面,就用kqueue模型。
use kqueue;
#每个进程可以处理的最大连接数,理论上每台nginx服务器的最大连接数为worker_processes*worker_connections。理论值:worker_rlimit_nofile/worker_processes
worker_connections 1024;
}
#http参数
http {
#文件扩展名与文件类型映射表
include mime.types;
#默认文件类型
default_type application/octet-stream;
#日志相关定义
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#连接日志的路径,指定的日志格式放在最后。
#access_log logs/access.log main;
#开启高效传输模式
sendfile on;
#防止网络阻塞
#tcp_nopush on;
#客户端连接超时时间,单位是秒
#keepalive_timeout 0;
keepalive_timeout 65;
#开启gzip压缩输出
#gzip on;
#虚拟主机基本设置
server {
#监听的端口号
listen 80;
#访问域名
server_name localhost;
#编码格式,如果网页格式与当前配置的不同的话将会被自动转码
#charset koi8-r;
#虚拟主机访问日志定义
#access_log logs/host.access.log main;
#对URL进行匹配
location / {
#访问路径,可相对也可绝对路径
root html;
#首页文件,匹配顺序按照配置顺序匹配
index index.html index.htm;
}
#错误信息返回页面
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
#访问URL以.php结尾则自动转交给127.0.0.1
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
# location ~ \.php$ {
# proxy_pass http://127.0.0.1;
# }
# php脚本请求全部转发给FastCGI处理
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# 禁止访问.ht页面
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
#第二个虚拟主机配置
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
#HTTPS虚拟主机定义
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
include servers/*;
}
反向代理实例---》假设现在代理 www.baidu.com
server {
# 监听80端口
listen 80;
server_name localhost;
# individual nginx logs for this web vhost
access_log /tmp/access.log;
error_log /tmp/error.log ;
# 配置代理
location / {
proxy_pass http://www.baidu.com;
}
负载均衡实例 (下面主要验证最常用的三种负载策略。虚拟主机配置)
server {
#监听80端口
listen 80;
server_name localhost;
# individual nginx logs for this web vhost
access_log /tmp/access.log;
error_log /tmp/error.log ;
location / {
# 负载均衡策略
# 轮询
# proxy_pass http://polling_strategy;
# weight权重
# proxy_pass http://weight_strategy;
# ip_hash
# proxy_pass http://ip_hash_strategy;
# fair
# proxy_pass http://fair_strategy;
# url_hash
# proxy_pass http://url_hash_strategy;
# 重定向
# rewrite ^ http://localhost:8080;
}
轮询策略
# 1、轮询(默认)
# 每个请求按时间顺序逐一分配到不同的后端服务器,如果后端服务器down掉,能自动剔除。
upstream polling_strategy {
server www.net:8080; # 应用服务器1
server www.net:8081; # 应用服务器2
}
测试结果(通过端口号来区分当前访问):
8081:hello
8080:hello
8081:hello
8080:hello
权重策略
#2、指定权重
# 指定轮询几率,weight和访问比率成正比,用于后端服务器性能不均的情况。
upstream weight_strategy {
server glmapper.net:8080 weight=1; # 应用服务器1
server glmapper.net:8081 weight=9; # 应用服务器2
}
测试结果:总访问次数15次,根据上面的权重配置,两台机器的访问比重:2:13
ip hash策略
iphash 算法: ip是基本的点分十进制,将ip的前三个端作为参数加入hash函数。这样做的目的是保证ip地址前三位相同的用户经过hash计算将分配到相同的后端server。作者的这个考虑是极为可取的,因此ip地址前三位相同通常意味着来着同一个局域网或者相邻区域,使用相同的后端服务让nginx在一定程度上更具有一致性
假设5台机器均在同一个局域网内【192.168.0.X】测试时发现5台机器每次都路由到了同一个服务器上,一开始以为是配置问题,但是排查之后也排除了这个可能性。最后考虑到可能是对于同网段的ip做了特殊处理,验证之后确认了猜测
#3、IP绑定 ip_hash
#每个请求按访问ip的hash结果分配,这样每个访客固定访问一个后端服务器,
#可以解决session的问题;在不考虑引入分布式session的情况下,
#原生HttpSession只对当前servlet容器的上下文环境有效
upstream ip_hash_strategy {
ip_hash;
server glmapper.net:8080; # 应用服务器1
server glmapper.net:8081; # 应用服务器2
}
其他负载均衡策略
#4、fair(第三方)
#按后端服务器的响应时间来分配请求,响应时间短的优先分配。
upstream fair_strategy {
server glmapper.net:8080; # 应用服务器1
server glmapper.net:8081; # 应用服务器2
fair;
}
#5、url_hash(第三方)
#按访问url的hash结果来分配请求,使每个url定向到同一个后端服务器,
#后端服务器为缓存时比较有效。
upstream url_hash_strategy {
server glmapper.net:8080; # 应用服务器1
server glmapper.net:8081; # 应用服务器2
hash $request_uri;
hash_method crc32;
}
重定向rewrite
验证思路:本地使用localhost:80端口进行访问,根据nginx的配置,如果重定向没有生效,则最后会停留在当前localhost:80这个路径,浏览器中的地址栏地址不会发生改变;如果生效了则地址栏地址变为localhost:8080;
通过验证,满足预期!
location / {
#重定向
#rewrite ^ http://localhost:8080;
}
nginx配置Vue前端发布history模式访问
# nginx配置history模式访问:
server {
listen 900;
server_name localhost;
error_page 500 502 503 504 /50x.html;
location / {
root C:/Users/lenovo/Desktop/前端代码/dist;
index /index.html; try_files $uri $uri/ /index.html;
}
}
nginx配置静态资源文件映射
##静态资源文件:
server{
listen 9998;
server_name localhost;
location /file {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
# 文件夹路径
alias C:/Users/lenovo/Desktop/TestRes/;
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
}
}
实际线上Nginx配置文件参考
user root;
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
client_max_body_size 4096m;
server {
listen 1000;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
# 配置前端Vue的dist包发布
location / {
root /usr/local/vue/dist;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}
# 转发后端Nginx请求
location /service/ {
proxy_pass http://localhost:3389/;
}
# 配置文件路径映射
location /files {
alias /usr/local/resource/;
autoindex on;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
#以下属性中,以ssl开头的属性表示与证书配置有关。
server {
listen 6666 ssl;
# listen 443 ssl;
#配置HTTPS的默认访问端口为443。
#如果未在此处配置HTTPS的默认访问端口,可能会造成Nginx无法启动。
#如果您使用Nginx 1.15.0及以上版本,请使用listen 443 ssl代替listen 443和ssl on
server_name www.test.cn; #需要将www.test.cn替换成证书绑定的域名。
root html;
index index.html index.htm;
# cert为当前路径的文件夹
ssl_certificate cert/www.test.cn.pem; #需要将www.test.cn.pem替换成已上传的证书文件的名称。
ssl_certificate_key cert/www.test.cn.key; #需要将www.test.cn.key替换成已上传的证书私钥文件的名称。
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
#表示使用的加密套件的类型。
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #表示使用的TLS协议的类型。
ssl_prefer_server_ciphers on;
location /base {
root html; #站点目录。
index index.html index.htm;
}
location / {
root /usr/local/vue/dist;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}
location /service/ {
proxy_pass http://localhost:3389/;
}
location /files {
alias /usr/local/static/;
autoindex on;
}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
后台服务访问代理配置
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 8988;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
client_max_body_size 100m;
proxy_pass http://127.0.0.1/mobile/;
proxy_redirect off;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
proxy_buffer_size 128k;
proxy_buffers 32 32k;
proxy_busy_buffers_size 128k;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host:$server_port;
}
location /etc {
client_max_body_size 100m;
proxy_pass http://127.0.0.1/api/notice;
proxy_redirect off;
proxy_read_timeout 3600;
proxy_send_timeout 3600;
proxy_buffer_size 128k;
proxy_buffers 32 32k;
proxy_busy_buffers_size 128k;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host:$server_port;
}
location /fileResult {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
alias /root/fileResult ;
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
}
location /fileLocal {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
# 文件路径
alias /root/local;
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
Nginx调优
增加工作线程数和并发连接数
[root@localhost /]# vi /etc/nginx/nginx.conf
worker_processes 4; # 一般CPU 是几核就设置为几 也可以设置成auto
events {
worker_connections 10240; # 每个进程打开的最大连接数,包含了 Nginx 与客户端和 Nginx 与 upstream 之间的连接
multi_accept on; # 可以一次建立多个连接
use epoll; #epoll这种网络模型
}
查看nginx 语法是否正确
[root@localhost /]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
启用长连接
[root@localhost /]# vi /etc/nginx/nginx.conf
配置反向代理
upstream server_pool{
server localhost:8080 weight=1 max_fails=2 fail_timeout=30s;
server localhost:8081 weight=1 max_fails=2 fail_timeout=30s;
keepalive 300; # 300个长连接 提高效率
}
配置反向代理服务
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://server_pool; #所有请求都代理给server_pool
}
配置压缩
gzip on;
gzip_http_version 1.1;
gzip_disable "MSIE [1-6].(?!.*SV1)";
gzip_proxied any;
gzip_types text/plain text/css application/javascript application/x-javascript application/json application/xml application/vnd.ms-fontobject application/x-font-ttf application/svg+xml application/x-icon;
gzip_vary on;
gzip_static on;
操作系统优化
配置文件/etc/sysctl.conf
sysctl -w net.ipv4.tcp_syncookies=1 # 防止一个套接字在有过多试图连接到时引起过载
sysctl -w net.core.somaxconn=1024 # 默认128,操作系统连接队列
sysctl -w net.ipv4.tcp_fin_timeout=10 # timewait 的超时时间
sysctl -w net.ipv4.tcp_tw_reuse=1 # os 直接使用 timewait的连接
sysctl -w net.ipv4.tcp_tw_recycle=0 # 回收禁用
/etc/security/limits.conf
hard nofile 204800
soft nofile 204800
soft core unlimited
soft stack 204800
其它优化
sendfile on; # 减少文件在应用和内核之间拷贝
tcp_nopush on; # 当数据包达到一定大小再发送
tcp_nodelay off; # 有数据随时发送
