美文网首页
记录Nginx反向代理常用配置

记录Nginx反向代理常用配置

作者: liurongming | 来源:发表于2021-08-25 15:50 被阅读0次

    Nginx 代理 websocket 关键配置

    # 代理websocket 
proxy_http_version  1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

    Nginx 代理 https关键配置

    listen  443 ssl;
#SSL-START SSL
ssl_certificate certs/server.crt; 
ssl_certificate_key certs/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
 #SSL-END
# 部分情况,需要添加以下两条配置
 add_header Content-Security-Policy upgrade-insecure-requests; #资源有问题才打开
 proxy_set_header X-Forwarded-Proto https;  # 转发时使用https协议

    子域名泛代理关键配置

    server_name  ~^(?<subdomain>.+).domain.com$;
proxy_set_header   DEFINE-REDIRECT    $subdomain;

    允许跨域关键配置

    # 允许跨域
# proxy_redirect default; # 打开视情况而定
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Headers X-Requested-With;
add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

    综合案例:

    server {
        listen  80;
        listen  443 ssl;
        server_name  jumpserver.domain.com;
        # server_name  ~^(?<subdomain>.+).domain.com$;
        #access_log /var/log/nginx/pro.log;

        #ssl on; # 一般不打开
        #SSL-START SSL
        ssl_certificate certs/certificate.crt;
        ssl_certificate_key certs/certificate.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        #SSL-END

        location  / {
                # add_header Content-Security-Policy upgrade-insecure-requests;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # proxy_set_header X-Forwarded-Proto https;  # 转发时使用https协议
                proxy_set_header   DEFINE-REDIRECT    $subdomain;
                client_max_body_size    10240m;
                proxy_pass http://172.18.5.198:80;

                 # 代理websocket 
                 proxy_http_version  1.1;
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection "upgrade";

                 # 允许跨域
                 #proxy_redirect default;
                 #add_header Access-Control-Allow-Origin *;
                 #add_header Access-Control-Allow-Headers X-Requested-With;
                 #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }

        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root html;
        }
}

    代理websocket时

    http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}   

upstream backend {
  server 192.168.0.1:8080 weight=1 max_fails=2 fail_timeout=30s;
  server 192.168.0.2:8080 weight=1 max_fails=2 fail_timeout=30s;
  keepalive 300;
}   
server {
listen 8080 default_server;
server_name "";
location / {
proxy_pass http://backend;

proxy_connect_timeout 15;       #与upstream server的连接超时时间(没有单位,最大不可以超过75s)
proxy_read_timeout 60s;           #nginx会等待多长时间来获得请求的响应
proxy_send_timeout 12s;           #发送请求给upstream服务器的超时时间   
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
}

    强制跳转https【合并一起】

    server {
        listen  80;
        listen  443 ssl;
        server_name  xxx.domain.com;
        #access_log /var/log/nginx/pro.log;

        #ssl on;
        #SSL-START SSL
        ssl_certificate certs/certificate.crt;
        ssl_certificate_key certs/certificate.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        #SSL-END

        # 强制跳转https
        if ($server_port = 80) {
                return 301 https://$server_name$request_uri;
        }
        if ($scheme = http) {
                return 301 https://$server_name$request_uri;
        }
        error_page 497 https://$server_name$request_uri;

        location  / {
                # add_header Content-Security-Policy upgrade-insecure-requests;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # proxy_set_header   DEFINE-REDIRECT    $subdomain;
                client_max_body_size    10240m;
                proxy_pass http://172.18.5.128:80;
                 # 允许跨域
                 #proxy_redirect default;
                 #add_header Access-Control-Allow-Origin *;
                 #add_header Access-Control-Allow-Headers X-Requested-With;
                 #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }


        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root html;
        }
}

    或者:【独立分开】

    server {  
    listen  80;
    server_name xxx.domain.com;
    rewrite ^(.*)$  https://$host$1 permanent;  
}

server {
    listen 443 ssl;
    server_name xxx.domain.com;
    #access_log /var/log/nginx/pro.log;

    ssl on;
    ssl_certificate certs/certificate.crt;
    ssl_certificate_key  certs/certificate.key;

    location  / {
                # add_header Content-Security-Policy upgrade-insecure-requests;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # proxy_set_header   DEFINE-REDIRECT    $subdomain;
                client_max_body_size    10240m;
                proxy_pass http://172.18.5.128:80;
                 # 允许跨域
                 #proxy_redirect default;
                 #add_header Access-Control-Allow-Origin *;
                 #add_header Access-Control-Allow-Headers X-Requested-With;
                 #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }

        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root html;
        }
}

    或者:【推荐】采用break会直接继续往下执行,而不是重新匹配,效率稍高些。

    server {
        listen  80;
        listen  443 ssl;
        server_name xxx.domain.com;
        #access_log /var/log/nginx/pro.log;

        #ssl on;
        #SSL-START SSL
        ssl_certificate certs/certificate.crt;
        ssl_certificate_key certs/certificate.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        #SSL-END
        location  / {
                # add_header Content-Security-Policy upgrade-insecure-requests;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # proxy_set_header   DEFINE-REDIRECT    $subdomain;
                client_max_body_size    10240m;

                if ($server_port = 80) {
                        rewrite ^(.*)$  https://$host$1 break; # 推荐
                        # return 301 https://$server_name$request_uri;
                }
                if ($scheme = http) {
                        rewrite ^(.*)$  https://$host$1 break; # 推荐
                        # return 301 https://$server_name$request_uri;
                }
                proxy_pass http://172.18.5.128:80;
                 # 允许跨域
                 #proxy_redirect default;
                 #add_header Access-Control-Allow-Origin *;
                 #add_header Access-Control-Allow-Headers X-Requested-With;
                 #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }
        
        error_page 497 https://$server_name$request_uri; # 推荐
        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root html;
        }
}

    Nginx全局调优

    user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;
    ## 全局允许跨域
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Headers X-Requested-With;
    add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

    # 调优
    client_header_buffer_size 16k;
    large_client_header_buffers 4 64k;
    client_max_body_size    10240m;
    client_body_buffer_size 256k;
    proxy_connect_timeout 1200;
    proxy_read_timeout  1200;
    proxy_send_timeout  6000;
    proxy_buffer_size  32k;
    proxy_buffers   4 64k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 10m;

    include /etc/nginx/conf.d/*.conf;
}

    【推荐】Vue.js等前端代理,http自动跳转https,分开编写效率最高。

    server {
        listen  80;
        server_name domain.com;
        rewrite ^(.*)$  https://$host$1 permanent;
}

server {
        listen  443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  domain.com;
        #access_log /var/log/nginx/pro.log;

        #ssl on;
        #SSL-START SSL
        ssl_certificate certs/domain_bundle.crt;
        ssl_certificate_key certs/domain.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        #SSL-END

        location  / {
                # 传递真实的请求头信息
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                # 限制文件大小为1G
                client_max_body_size    10240m;

                # 允许跨域
                add_header Access-Control-Allow-Origin *;
                add_header Access-Control-Allow-Headers X-Requested-With;
                add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

                # 域名重写
                rewrite ^/(.*)$ /omo/$1 last;
        }

        location /api {
                # 传递真实的请求头信息
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                # 允许跨域
                add_header Access-Control-Allow-Origin *;
                add_header Access-Control-Allow-Headers X-Requested-With;
                add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

                rewrite ^.+api/?(.*)$ /$1 break;
                include uwsgi_params;
                proxy_pass http://172.18.5.175:9999;
        }

        location /omo/ {
                # autoindex on;
                # 不缓存html,防止程序更新后缓存继续生效
                if ($request_filename ~* .*\.(?:htm|html)$) {
                        add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
                        access_log on;
                }
                alias /srv/webapps/omo/; # 静态文件nginx处理
                index  index.html index.htm;
        }

        location  /xkw {
                # 传递真实的请求头信息
                # proxy_set_header Host $host;
                # proxy_set_header X-Real-IP $remote_addr;
                # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                # 限制文件大小为1G
                client_max_body_size    10240m;

                # 允许跨域
                #add_header Access-Control-Allow-Origin *;
                #add_header Access-Control-Allow-Headers X-Requested-With;
                #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

                rewrite ^.+xkw/?(.*)$ /$1 break;
                include uwsgi_params;
                # 指定代理服务器
                proxy_pass https://staticzujuan.xkw.com:443;
        }

        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root   /usr/share/nginx/html;
        }
}

    相关文章

      网友评论

          本文标题:记录Nginx反向代理常用配置

          本文链接:https://www.haomeiwen.com/subject/woteiltx.html

          延伸阅读

          深度阅读

          • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

          栏目导航

          热点阅读

          关于我们|服务条款|联系我们|记录Nginx反向代理常用配置|投稿指南|网站地图|RSS订阅|排版工具|手机版

          提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

          Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

          备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

          本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

          所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!