Nginx Reverse Proxy Caching and IP Pass-through, Section 10


ngx_http_proxy_module (1)

  1. proxy_set_header field value;
Sets the value of a request header in the request forwarded to the backend host.
Context: http, server, location
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   The standard format of the request header is:
   X-Forwarded-For: client1, proxy1, proxy2
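The two headers above are only meaningful if the backend knows which proxies to believe: X-Forwarded-For is appended to, not replaced, so the leftmost entries can be anything the client sent. The example below is added here and is not part of the original post; it mimics how $proxy_add_x_forwarded_for builds the header and shows a backend resolving the client address by walking the list from the right, skipping trusted proxies (the trusted subnet 192.168.37.0/24 is an assumption based on the lab addresses on this page).

```python
import ipaddress

# Networks whose X-Forwarded-For entries we believe. The lab's nginx proxy sits
# in 192.168.37.0/24 on this page; treating that whole subnet as trusted is an
# assumption made for this example.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.37.0/24")]


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Mimic nginx's $proxy_add_x_forwarded_for: append the connecting peer's
    address to whatever X-Forwarded-For the request already carried."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(text):
    ip = parse_ip(text)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff):
    """Resolve the real client address on the backend.

    remote_addr is the TCP peer (the last proxy, or the client if there is no
    proxy). xff is the X-Forwarded-For value, "client1, proxy1, proxy2".
    Walk the list from the right, skipping every hop that is a trusted proxy;
    the first untrusted hop is the client. Everything further left was put
    there by the client (or an unknown upstream) and is not believed.
    """
    if not is_trusted(remote_addr):
        return remote_addr          # direct connection: the header is untrusted
    hops = [h for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        ip = parse_ip(hop)
        if ip is None:
            return None             # malformed hop at the trust boundary: refuse
        if not is_trusted(hop):
            return str(ip)
    return remote_addr              # only our own proxies were listed
```

The same rule applies to X-Real-IP: the config above overwrites it with $remote_addr at the proxy, so the backend may use it only for requests that arrive from a trusted proxy address.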

Reverse proxy caching

nginx

[root@nginx ~]# vim /etc/nginx/conf.d/test.conf 

server_tokens off;
server {
    listen 80;
    server_name www.a.net;
    root /data/site1/;
#    ssl_certificate /etc/nginx/ssl/a.net.crt;
#    ssl_certificate_key /etc/nginx/ssl/a.net.key;
#    ssl_session_cache shared:sslcache:20m;
#    ssl_session_timeout 10m;
    access_log /var/log/nginx/a_net.access.log access_json;
   location ~* ^.*\.(gif|jpg|bmp|jpeg)$ {
       proxy_pass http://192.168.37.20;
   }
   location /api {
       proxy_set_header X-Real-IP $remote_addr;    <--
       proxy_pass http://192.168.37.30:8000;
   }

}

server {
    listen 80;
    server_name     www.a.org;
    root    /data/site2/;
    ssl_certificate /etc/nginx/ssl/a.org.crt;
    ssl_certificate_key /etc/nginx/ssl/a.org.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    access_log /var/log/nginx/a_org.access.log main;
    valid_referers none block server_names
    *.a.org ~\.google\. ~\.baidu\.;
    if ($invalid_referer) {
        return 403 "Forbidden Access";
    }
}

ngx_http_proxy_module (2)

proxy_cache_path;

  • Defines a cache usable by the proxy module; Context: http
  • proxy_cache_path path [levels=levels] [use_temp_path=on|off] keys_zone=name:size [inactive=time] [max_size=size] [manager_files=number] [manager_sleep=time] [manager_threshold=time] [loader_files=number] [loader_sleep=time] [loader_threshold=time] [purger=on|off] [purger_files=number] [purger_sleep=time] [purger_threshold=time];
  • Example: define the cache in the http block

proxy_cache_path /var/cache/nginx/proxy_cache #cache storage path; proxy_cache creates it automatically

levels=1:2:2 #directory hierarchy under the cache path; 1:2:2 can produce 2^4x2^8x2^8=1048576 directories

keys_zone=proxycache:20m #size of the in-memory zone, which holds the keys and metadata (e.g. usage counts)

inactive=120s #cache entry lifetime: an entry not accessed within this period is removed

max_size=1g; #maximum disk usage, i.e. the upper bound for cached file contents on disk

ngx_http_proxy_module (3)

  1. proxy_cache zone | off; default off

Selects the cache zone to use, or disables caching; Context: http, server, location

  2. proxy_cache_key string;

The string used as the cache "key"

Default: proxy_cache_key $scheme$proxy_host$request_uri;

  3. proxy_cache_valid [code ...] time;
Defines how long responses with particular status codes are cached
Defined in http{...}
Example:
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;

ngx_http_proxy_module (4)

  1. Example: define the cache in the http block
proxy_cache_path /var/cache/nginx/proxy_cache
   levels=1:2:2 keys_zone=proxycache:20m
   inactive=120s max_size=1g;
Note: proxycache:20m is the size of the in-memory zone, which holds the keys and metadata (e.g. usage counts)
      max_size=1g is the upper bound for cached file contents on disk
proxy_cache proxycache;
proxy_cache_key $request_uri;
proxy_cache_valid 200 302 301 1h;
proxy_cache_valid any 1m;

nginx

[root@nginx ~]# vim /etc/nginx/nginx.conf
...
http {                  <--goes under the http block
    proxy_cache_path /var/cache/nginx/proxy_cache levels=1:2:2 keys_zone=proxycache:20m inactive=120s max_size=1g;   <--
...

[root@nginx ~]# cat /etc/nginx/conf.d/test.conf
server_tokens off;
server {
    listen 80;
    server_name www.a.net;
    root /data/site1/;

    proxy_cache proxycache;                  <--enable the cache
    proxy_cache_key $request_uri;            <--
    proxy_cache_valid 200 302 301 1h;        <--
    proxy_cache_valid any 1m;                <--

#    ssl_certificate /etc/nginx/ssl/a.net.crt;
#    ssl_certificate_key /etc/nginx/ssl/a.net.key;
#    ssl_session_cache shared:sslcache:20m;
#    ssl_session_timeout 10m;
    access_log /var/log/nginx/a_net.access.log access_json;
   location ~* ^.*\.(gif|jpg|bmp|jpeg)$ {
       proxy_pass http://192.168.37.20;
   }
   location /api {
       proxy_set_header X-Real-IP $remote_addr;
       proxy_pass http://192.168.37.30:8000;
   }

}

server {
    listen 80;
    server_name     www.a.org;
    root    /data/site2/;
    ssl_certificate /etc/nginx/ssl/a.org.crt;
    ssl_certificate_key /etc/nginx/ssl/a.org.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    access_log /var/log/nginx/a_org.access.log main;
    valid_referers none block server_names
    *.a.org ~\.google\. ~\.baidu\.;
    if ($invalid_referer) {
        return 403 "Forbidden Access";
    }
}

[root@nginx ~]# mkdir /var/cache/nginx
[root@nginx ~]# nginx -s reload
[root@nginx ~]# tree /var/cache/nginx/proxy_cache/
/var/cache/nginx/proxy_cache/

0 directories, 0 files

centos6

[root@centos6 ~]$ ab -c1000 -n 2000 www.a.net/api/m.html

nginx

[root@nginx ~]# tree /var/cache/nginx/proxy_cache/
/var/cache/nginx/proxy_cache/
└── d
    └── 3a
        └── 9d
            └── 8fc652186a4c0471a27257b60cb9d3ad

3 directories, 1 file
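The tree output above is the levels=1:2:2 layout from section (2) applied to one cached entry: the file is named after the MD5 of the cache key, and each level takes its characters from the end of that digest. The example below is added here (it is not from the original post) and reproduces that mapping, counts the directories the layout allows, and reads the KEY line back out of a cache file so a file found on disk can be traced to the URI it serves; the cache file bytes are a constructed sample, not a real nginx header.

```python
import hashlib

# Constructed sample of a cache file: nginx writes a binary header first, then a
# "\nKEY: <cache key>\n" line, then the stored response. The header bytes here
# are padding, not a real ngx_http_file_cache_header_t.
SAMPLE_CACHE_FILE = (b"\x05" + b"\x00" * 47 +
                     b"\nKEY: /api/m.html\n" +
                     b"HTTP/1.1 200 OK\r\nContent-Length: 43\r\n\r\n...")


def cache_key_hash(key):
    """A cache file is named after the MD5 hex digest of its cache key; with
    proxy_cache_key $request_uri the key is the URI alone (no scheme or host,
    so every virtual host sharing this zone shares the entry)."""
    return hashlib.md5(key.encode()).hexdigest()


def cache_path(hexdigest, levels="1:2:2"):
    """Directory path for proxy_cache_path levels=...: each level takes its
    characters from the end of the digest, moving leftwards. For levels=1:2:2
    and ...0cb9d3ad that gives d/3a/9d/<digest>, the layout in the tree output."""
    parts, end = [], len(hexdigest)
    for width in (int(w) for w in levels.split(":")):
        parts.append(hexdigest[end - width:end])
        end -= width
    parts.append(hexdigest)
    return "/".join(parts)


def directory_count(levels="1:2:2"):
    """Leaf directories the layout can hold: 16 per hex character per level."""
    count = 1
    for width in (int(w) for w in levels.split(":")):
        count *= 16 ** width
    return count


def cache_file_key(data):
    """Read the cache key back out of a cache file, so a file found on disk can
    be mapped to the URI it serves (the reverse of cache_key_hash)."""
    marker = b"\nKEY: "
    start = data.find(marker)
    if start < 0:
        return None
    start += len(marker)
    return data[start:data.index(b"\n", start)].decode()
```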

ngx_http_proxy_module (5)

  1. proxy_hide_header field;
  • Hides a specific response header coming from the backend server; by default nginx does not pass the backend's Date, Server, X-Pad, X-Accel and similar headers on in its response
Example:
proxy_hide_header Etag;
  2. proxy_pass_header field;
  • By default nginx does not pass the backend's Date, Server, X-Pad, X-Accel and similar headers on in its response; to pass one through, declare proxy_pass_header field so that the value returned by the backend is forwarded to the client

IP pass-through

Example 5.1:

centos6

[root@centos6 ~]$ curl -I http://www.a.net/api/
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Aug 2022 08:33:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 43
Connection: keep-alive
Last-Modified: Thu, 11 Aug 2022 10:26:15 GMT
ETag: "2b-5e5f49868ed1e"    <--
Accept-Ranges: bytes

nginx

[root@nginx ~]# curl -I 192.168.37.30/api/
HTTP/1.1 200 OK
Date: Fri, 12 Aug 2022 08:27:52 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 11 Aug 2022 10:26:15 GMT
ETag: "2b-5e5f49868ed1e"    <--
Accept-Ranges: bytes
Content-Length: 43
Content-Type: text/html; charset=UTF-8


[root@nginx ~]# vim /etc/nginx/conf.d/test.conf 
server_tokens off;
server {
    listen 80;
    server_name www.a.net;
    root /data/site1/;

    proxy_hide_header Etag;    <--hide a specific response header from the backend server

    proxy_cache proxycache;
    proxy_cache_key $request_uri;
    proxy_cache_valid 200 302 301 1h;
    proxy_cache_valid any 1m;

#    ssl_certificate /etc/nginx/ssl/a.net.crt;
#    ssl_certificate_key /etc/nginx/ssl/a.net.key;
#    ssl_session_cache shared:sslcache:20m;
#    ssl_session_timeout 10m;
    access_log /var/log/nginx/a_net.access.log access_json;
   location ~* ^.*\.(gif|jpg|bmp|jpeg)$ {
       proxy_pass http://192.168.37.20;
   }
   location /api {
       proxy_set_header X-Real-IP $remote_addr;
       proxy_pass http://192.168.37.30:8000;
   }

}

server {
    listen 80;
    server_name     www.a.org;
    root    /data/site2/;
    ssl_certificate /etc/nginx/ssl/a.org.crt;
    ssl_certificate_key /etc/nginx/ssl/a.org.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    access_log /var/log/nginx/a_org.access.log main;
    valid_referers none block server_names
    *.a.org ~\.google\. ~\.baidu\.;
    if ($invalid_referer) {
        return 403 "Forbidden Access";
    }
}

[root@nginx ~]# nginx -s reload

centos6

The ETag header is now hidden:

[root@centos6 ~]$ curl -I http://www.a.net/api/
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Aug 2022 08:36:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 43
Connection: keep-alive
Last-Modified: Thu, 11 Aug 2022 10:26:15 GMT
Accept-Ranges: bytes

Example 5.2:

nginx

[root@nginx ~]# vim /etc/nginx/conf.d/test.conf 
...
    proxy_hide_header Etag;
    proxy_pass_header Server;    <--
...

[root@nginx ~]# nginx -s reload

centos6

[root@centos6 ~]$ curl -I http://www.a.net/api/
HTTP/1.1 200 OK
Date: Fri, 12 Aug 2022 08:48:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 43
Connection: keep-alive
Server: Apache/2.4.6 (CentOS)     <--
Last-Modified: Thu, 11 Aug 2022 10:26:15 GMT
Accept-Ranges: bytes
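Whether a hide or pass rule had the intended effect is easiest to confirm from the client side. The check below is added here and is not part of the original post: it parses curl -I output and reports headers that fingerprint the backend (a Server value carrying a product or version, a passed-through ETag, and similar). The two captures are re-typed from examples 5.1 and 5.2 above, so the before-hide response is flagged for ETag and the proxy_pass_header Server response for Server.

```python
# Re-typed from the page's curl -I output: example 5.1 before proxy_hide_header Etag.
BEFORE_HIDE = """HTTP/1.1 200 OK
Server: nginx
Date: Fri, 12 Aug 2022 08:33:40 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 43
Last-Modified: Thu, 11 Aug 2022 10:26:15 GMT
ETag: "2b-5e5f49868ed1e"
Accept-Ranges: bytes
"""

# Re-typed from example 5.2 after proxy_pass_header Server.
AFTER_PASS_SERVER = """HTTP/1.1 200 OK
Date: Fri, 12 Aug 2022 08:48:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 43
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 11 Aug 2022 10:26:15 GMT
Accept-Ranges: bytes
"""


def parse_headers(raw):
    """Split a curl -I capture into (status line, {lowercase name: value})."""
    lines = [line for line in raw.splitlines() if line.strip()]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def backend_disclosures(raw):
    """Names of response headers that still reveal the backend behind the proxy."""
    _, h = parse_headers(raw)
    findings = []
    server = h.get("server", "")
    # server_tokens off leaves a bare "nginx"; a slash or parenthesis means a
    # version or OS token (Apache/2.4.6 (CentOS)) reached the client.
    if any(c in server for c in "/()"):
        findings.append("server")
    # ETag encodes the backend's file metadata; the page hides it deliberately.
    if "etag" in h:
        findings.append("etag")
    for name in ("x-powered-by", "x-aspnet-version"):
        if name in h:
            findings.append(name)
    return findings
```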

ngx_http_headers_module (1)

  1. The ngx_http_headers_module module
  • Adds custom headers to the response the proxy sends to the client, or modifies the value of a given header
  2. add_header name value [always];
Adds a custom header
add_header X-Via $server_addr;
add_header X-Cache $upstream_cache_status;
add_header X-Accel $server_name;
  3. add_trailer name value [always];
  • Adds a custom trailer to the response; supported since version 1.13.2

nginx

[root@nginx ~]# vim /etc/nginx/conf.d/test.conf 
...
    proxy_hide_header Etag;
    proxy_pass_header Server;
    add_header X-Cache $upstream_cache_status;    <--
...

[root@nginx ~]# nginx -s reload

centos6

[root@centos6 ~]$ curl -I http://www.a.net/api/
HTTP/1.1 200 OK
Date: Fri, 12 Aug 2022 08:55:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 43
Connection: keep-alive
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 11 Aug 2022 10:26:15 GMT
X-Cache: MISS    <--first request: cache miss
Accept-Ranges: bytes

[root@centos6 ~]$ curl -I http://www.a.net/api/
HTTP/1.1 200 OK
Date: Fri, 12 Aug 2022 08:55:38 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 43
Connection: keep-alive
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 11 Aug 2022 10:26:15 GMT
X-Cache: HIT     <--second request: cache hit
Accept-Ranges: bytes

ngx_http_headers_module (2)

  1. proxy_connect_timeout time;
  • Timeout for establishing a connection with the backend server; exceeding it produces a 502 error. Default 60s; values above 75s are generally not recommended
  2. proxy_send_timeout time;
  • Timeout for sending (send) the request to the backend server; default 60s
  3. proxy_read_timeout time;
  • Timeout for reading (read) from the backend server, i.e. for waiting on the backend's response; default 60s
  4. proxy_ignore_client_abort off;
  • Controls whether nginx aborts its request to the backend when the client drops the connection. If set to on, nginx ignores the client abort and keeps waiting for the proxied request to return; if set to off, nginx aborts the client request as soon as the client disconnects and immediately logs a 499. Default off