Nginx 反向代理完全指南:从安装到生产环境全流程


Nginx 反向代理完整指南

一、基础概念

反向代理是指代理服务器接收客户端的请求,并代为转发给后端真实服务器,客户端无需知道后端服务器的实际地址。

二、快速安装

Linux(Ubuntu/Debian)

# Refresh the package index, then install nginx from the distribution repositories.
# Debian/Ubuntu packages normally start the service right after installation, so the
# default site is reachable on port 80 until the configuration is replaced.
sudo apt-get update
sudo apt-get install nginx
# Start the service now and register it to start at boot.
sudo systemctl enable --now nginx

Linux(CentOS/RHEL)

# Install nginx with yum.
# NOTE(review): on older CentOS/RHEL releases the package comes from EPEL or the
# nginx.org repository rather than the base repos; confirm which repository it resolves from.
sudo yum install nginx
# Start the service now and register it to start at boot.
sudo systemctl enable --now nginx

macOS

# Install nginx with Homebrew. The configuration lives under the Homebrew prefix:
# "$(brew --prefix)/etc/nginx/nginx.conf".
brew install nginx
# Run nginx as a background service of the current user (no sudo).
brew services start nginx

三、核心配置

文件位置

系统 | 配置路径
Ubuntu/Debian | /etc/nginx/nginx.conf
CentOS/RHEL | /etc/nginx/nginx.conf
macOS | /usr/local/etc/nginx/nginx.conf

最小化反向代理配置

server {
    # Plain-HTTP virtual host for example.com.
    server_name example.com;
    listen 80;

    location / {
        # Keep the original Host header and tell the backend which scheme the client used.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # $remote_addr is the address of the peer connected to nginx, so the client cannot
        # choose the X-Real-IP value. $proxy_add_x_forwarded_for appends that address to
        # whatever X-Forwarded-For the client sent, so the backend should trust only the
        # last entry, never the first one.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Forward every request to the application listening on the loopback interface.
        proxy_pass http://127.0.0.1:8080;
    }
}

四、常用代理配置详解

1. 单后端服务

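# Choose the Connection header sent upstream from the client's Upgrade header:
# "upgrade" only when the client asked for a protocol switch, "close" otherwise.
# A hard-coded "upgrade" would be sent on every ordinary HTTP request as well.
# map is only valid in the http context, so it sits next to the server block, not inside it.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name api.example.com;

    location / {
        # Single backend; the name is resolved when nginx loads the configuration.
        proxy_pass http://backend-server:3000;

        # HTTP/1.1 is required for the Upgrade handshake.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Without these the backend sees the upstream name as Host and nginx as the client.
        # X-Forwarded-For may start with client-supplied values; only the last entry is
        # written by this proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}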

2. 负载均衡(多后端)

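# Weighted pool: with weights 5 and 3, roughly five of every eight requests go to the
# first server. The third server receives traffic only when the others are unavailable.
upstream backend {
    server 192.168.1.10:8080 weight=5;
    server 192.168.1.11:8080 weight=3;
    server 192.168.1.12:8080 backup;
}

server {
    listen 80;
    server_name example.com;

    location / {
        # Requests are distributed across the "backend" upstream group defined above.
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Added for consistency with the minimal configuration: pass the forwarding chain
        # and the original scheme. X-Forwarded-For may begin with client-supplied values,
        # so backends should rely on the last entry or on X-Real-IP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}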

3. 路径路由

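server {
    listen 80;
    server_name example.com;

    # /api/... is forwarded to the API service with the request path unchanged
    # (proxy_pass has no URI part, so nothing is stripped or rewritten).
    location /api/ {
        proxy_pass http://api-server:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Static files are served by nginx itself; root is prefixed to the full URI,
    # so /static/app.css is read from /var/www/html/static/app.css.
    location /static/ {
        root /var/www/html;
    }

    # The admin backend is reachable by anyone who can reach this server unless access
    # is restricted here. Limit it to trusted networks and/or require authentication,
    # for example (constructed sample range, replace with the real management network):
    #     allow 192.0.2.0/24;
    #     deny all;
    location /admin/ {
        proxy_pass http://admin-server:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}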

4. WebSocket 支持

server {
    server_name websocket.example.com;
    listen 80;

    # Prefix match: every URI that starts with /ws is handled here.
    location /ws {
        # The WebSocket handshake needs HTTP/1.1 and the hop-by-hop Upgrade/Connection
        # headers, which nginx does not forward unless they are set explicitly.
        proxy_http_version 1.1;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Upgrade $http_upgrade;

        # Identify the original host and the connecting peer to the backend.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;

        # Idle connections are kept for up to an hour before nginx closes them; each one
        # holds a connection slot, so size worker_connections accordingly.
        proxy_read_timeout 3600s;

        proxy_pass http://ws-server:9000;
    }
}

5. HTTPS + 重定向

# Port 80 only redirects: every request is answered with a permanent redirect to the
# same URI on HTTPS. $server_name is the configured name, not the client-supplied Host.
server {
    server_name example.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}

server {
    server_name example.com;
    # Newer nginx releases deprecate the "http2" listen parameter in favour of a separate
    # "http2 on;" directive; keep this form only while older versions must be supported.
    listen 443 ssl http2;

    # Only TLS 1.2 and 1.3 are offered. ssl_ciphers governs TLS 1.2 and below.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # The private key should be readable by root only.
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_certificate /etc/nginx/ssl/cert.pem;

    # No Strict-Transport-Security header is sent, so a client's first request may still
    # go over plain HTTP; consider adding HSTS once HTTPS is known to work everywhere.

    location / {
        # TLS ends at nginx; the hop to the backend is plain HTTP over loopback.
        # X-Forwarded-Proto carries "https" so the backend can build correct URLs.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
    }
}

五、常用代理参数

参数 | 说明 | 示例
proxy_pass | 后端服务地址 | http://backend:8080
proxy_set_header | 设置请求头 | Host $host
proxy_redirect | 重定向处理 | off
proxy_connect_timeout | 连接超时 | 60s
proxy_send_timeout | 发送超时 | 60s
proxy_read_timeout | 读取超时 | 60s
proxy_buffering | 响应缓冲 | on/off
proxy_buffer_size | 缓冲大小 | 4k

高性能配置示例

location / {
    # Request headers passed to the backend. X-Forwarded-For may begin with
    # client-supplied values; only the last entry is written by this proxy.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;

    # Timeouts: bounded waits keep slow or stalled backends from tying up workers.
    proxy_read_timeout 60s;
    proxy_send_timeout 60s;
    proxy_connect_timeout 30s;

    # Buffering: nginx reads the backend response into memory buffers and frees the
    # backend connection early, so slow clients do not hold backend workers.
    proxy_buffering on;
    proxy_buffers 8 8k;
    proxy_buffer_size 8k;
    proxy_busy_buffers_size 16k;

    # Miscellaneous. With proxy_redirect off, Location and Refresh headers from the
    # backend are passed through unmodified; confirm the backend never emits its
    # internal address in redirects.
    proxy_redirect off;
    proxy_http_version 1.1;

    proxy_pass http://backend;
}

六、调试与验证

配置检查

# Check the configuration syntax without applying it
# (may need sudo when the configuration references files only root can read)
nginx -t

# Same check, then dump the full effective configuration including all included files
nginx -T

重启服务

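# Full restart: stops and starts the service, dropping active connections.
# Validate first so a broken configuration does not leave nginx stopped.
sudo nginx -t && sudo systemctl restart nginx

# Graceful reload (existing connections are not interrupted).
# Validating first reports configuration errors on the terminal instead of only in the error log.
sudo nginx -t && sudo nginx -s reload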

日志查看

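# Access log. -F keeps following the path after log rotation replaces the file,
# whereas -f would stay attached to the rotated file.
sudo tail -F /var/log/nginx/access.log

# Error log: upstream connection failures and timeouts are reported here.
sudo tail -F /var/log/nginx/error.log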

测试反向代理

# Request through the public name; -i prints the response headers with the body.
curl -i http://example.com
# Request the local nginx directly while presenting the Host header, which selects the
# example.com server block without depending on DNS.
curl -H "Host: example.com" http://127.0.0.1

七、常见问题排查

502 Bad Gateway

# Increase the timeouts.
# Note: an upstream timeout is normally reported as 504. A 502 usually means the
# connection to the backend was refused or reset, or the backend sent an invalid
# response, so raising timeouts alone may not help; read the error log first.
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;

# Check that the backend service is running

连接拒绝

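# Open the HTTP and HTTPS ports in the ufw firewall.
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# List listening TCP sockets with their owning processes. ss replaces netstat, which is
# often not installed; sudo is needed to see processes owned by other users.
# A backend bound to 0.0.0.0 or a public address can be reached directly, bypassing the
# proxy; bind it to 127.0.0.1 or an internal address and do not open its port in ufw.
sudo ss -tlnp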

请求头丢失

# Pass the headers explicitly. proxy_set_header directives are inherited from the outer
# level only when the current level defines none, so a location that sets one header
# must repeat every header it needs.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;

八、生产环境配置模板

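# /etc/nginx/conf.d/production.conf
# Pool of application servers; each new request goes to the server with the fewest
# active connections.
upstream production_backend {
    least_conn;
    # A server is skipped for 30s after 3 failed attempts within 30s.
    server backend1.internal:8080 max_fails=3 fail_timeout=30s;
    server backend2.internal:8080 max_fails=3 fail_timeout=30s;
    # Receives traffic only when the primary servers are unavailable.
    server backend3.internal:8080 backup;
}

# Port 80 only redirects to HTTPS.
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    # The private key should be readable by root only.
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    # Pin protocols and ciphers explicitly, matching the HTTPS example in section 5;
    # without ssl_protocols, older nginx builds still offer TLSv1 and TLSv1.1 by default.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # Session reuse: cached TLS sessions stay valid for one day in a 50 MB cache shared
    # by all workers.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # No Strict-Transport-Security header is sent; consider adding HSTS once HTTPS is
    # known to work for every client of this name.

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    location / {
        # TLS ends at nginx; traffic to the backends is plain HTTP, so the backend ports
        # should be reachable only from this proxy over a trusted internal network.
        proxy_pass http://production_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # May begin with client-supplied values; backends should trust only the last
        # entry or X-Real-IP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Bounded waits so stalled backends do not tie up connections.
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffer backend responses so slow clients do not hold backend connections.
        proxy_buffering on;
        proxy_buffer_size 8k;
        proxy_buffers 8 8k;
    }
}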