记录Nginx反向代理常用配置

记录Nginx反向代理常用配置

作者: liurongming | 来源:发表于2021-08-25 15:50 被阅读0次

    Nginx 代理 websocket 关键配置

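    # WebSocket proxying.
    # A hard-coded `Connection "upgrade"` marks every proxied request as an upgrade,
    # plain HTTP ones included. Derive the value from the client's Upgrade header
    # instead: the map below belongs in the http {} context, the proxy_* directives
    # in the location {} that proxies the application.
    #
    # http {} context:
    #     map $http_upgrade $connection_upgrade {
    #         default upgrade;
    #         ''      close;
    #     }
    #
    # location {} context (WebSocket needs HTTP/1.1 toward the backend):
    proxy_http_version  1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;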
    

    Nginx 代理 https关键配置

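    listen  443 ssl;
    #SSL-START SSL
    # The private key is read by the master process; keep the file readable by root only.
    ssl_certificate certs/server.crt; 
    ssl_certificate_key certs/server.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 requires nginx 1.13.0+ built
    # against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only; the former "HIGH" catch-all also admitted CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    # A cache shared between workers lets resumed sessions skip the full handshake
    # (1m of cache holds roughly 4000 sessions per the nginx documentation).
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    #SSL-END
    # Only needed in some cases: add the next two directives when pages served over HTTPS
    # still reference http:// sub-resources (mixed content) or the backend builds URLs.
    add_header Content-Security-Policy upgrade-insecure-requests; # enable only when resources fail to load
    # Pass the scheme the client actually used instead of a hard-coded "https", so the same
    # location also behaves correctly when it is reached through a plain-HTTP listener.
    proxy_set_header X-Forwarded-Proto $scheme;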
    

    子域名泛代理关键配置

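    # Wildcard sub-domain proxying: the named capture exposes the sub-domain as $subdomain.
    # The dots must be escaped; an unescaped "." matches any character, so an unrelated
    # host name such as "foo-domain.com" would otherwise match this server too.
    server_name  ~^(?<subdomain>.+)\.domain\.com$;
    # Hand the captured sub-domain to the backend in a custom request header.
    proxy_set_header   DEFINE-REDIRECT    $subdomain;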
    

    允许跨域关键配置

    # Allow cross-origin requests (CORS).
    # proxy_redirect default; # enable only when the situation calls for it
    # A wildcard origin lets any web site read these responses; browsers reject it for
    # credentialed requests (cookies, Authorization), so it cannot be combined with
    # Access-Control-Allow-Credentials. Note also that add_header directives in a
    # location replace, not extend, those inherited from server/http level, and that
    # they are only emitted on 2xx/3xx responses unless the "always" parameter is given.
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Headers X-Requested-With;
    add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
    

    综合案例:

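    server {
            listen  80;
            listen  443 ssl;
            server_name  jumpserver.domain.com;
            # server_name  ~^(?<subdomain>.+)\.domain\.com$;
            #access_log /var/log/nginx/pro.log;
    
            #ssl on; # deprecated since nginx 1.15.0; "listen ... ssl" above already enables TLS
            #SSL-START SSL
            ssl_certificate certs/certificate.crt;
            ssl_certificate_key certs/certificate.key;
            # TLS 1.0/1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+.
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
            ssl_prefer_server_ciphers on;
            ssl_session_timeout 10m;
            #SSL-END
    
            location  / {
                    # add_header Content-Security-Policy upgrade-insecure-requests;
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    # Tell the backend which scheme the client used. $scheme is right on both
                    # listeners; a hard-coded "https" would be wrong for requests on port 80.
                    proxy_set_header X-Forwarded-Proto $scheme;
                    # $subdomain only exists while the regex server_name above is active; with it
                    # commented out nginx refuses to start with 'unknown "subdomain" variable'.
                    # proxy_set_header   DEFINE-REDIRECT    $subdomain;
                    client_max_body_size    10240m; # 10 GiB request body limit
                    proxy_pass http://172.18.5.198:80;
    
                     # WebSocket proxying (HTTP/1.1 is required for the Upgrade handshake).
                     # A fixed "upgrade" is sent on every request; a map from $http_upgrade
                     # in the http {} context is the more precise form.
                     proxy_http_version  1.1;
                     proxy_set_header Upgrade $http_upgrade;
                     proxy_set_header Connection "upgrade";
    
                     # Allow cross-origin requests
                     #proxy_redirect default;
                     #add_header Access-Control-Allow-Origin *;
                     #add_header Access-Control-Allow-Headers X-Requested-With;
                     #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
            }
    
            error_page 500 502 503 504  /50x.html;
            location = /50x.html {
                    root html;
            }
    }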
    

    代理websocket时

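    http {
        # Map the client's Upgrade header to the Connection value sent upstream.
        # An empty value makes proxy_set_header omit the Connection header entirely, so
        # ordinary requests can reuse the idle connections declared by "keepalive" below;
        # the usual "close" mapping would defeat that pool for every non-WebSocket request.
        map $http_upgrade $connection_upgrade {
            default upgrade;
            ''      '';
        }
    
        upstream backend {
            server 192.168.0.1:8080 weight=1 max_fails=2 fail_timeout=30s;
            server 192.168.0.2:8080 weight=1 max_fails=2 fail_timeout=30s;
            keepalive 300; # idle upstream connections kept per worker process
        }
    
        server {
            listen 8080 default_server;
            server_name "";
            location / {
                proxy_pass http://backend;
    
                proxy_connect_timeout 15;       # connect timeout to the upstream server (unitless = seconds; per the docs it cannot usually exceed 75s)
                proxy_read_timeout 60s;         # how long nginx waits for the upstream response
                proxy_send_timeout 12s;         # timeout for sending the request to the upstream server
                # Both upstream keepalive and the WebSocket Upgrade handshake require HTTP/1.1.
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
            }
        }
    }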
    
    

    强制跳转https【合并一起】

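    server {
            listen  80;
            listen  443 ssl;
            server_name  xxx.domain.com;
            #access_log /var/log/nginx/pro.log;
    
            #ssl on; # deprecated since nginx 1.15.0; "listen ... ssl" already enables TLS
            #SSL-START SSL
            ssl_certificate certs/certificate.crt;
            ssl_certificate_key certs/certificate.key;
            # TLS 1.0/1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+.
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
            ssl_prefer_server_ciphers on;
            ssl_session_timeout 10m;
            #SSL-END
    
            # Force HTTPS. One test suffices: $scheme is "http" exactly for requests that
            # arrived on the plain listener, so the extra "$server_port = 80" check tested
            # the same condition twice. $server_name (not $host) keeps a client-supplied
            # Host header out of the Location URL. "return" inside "if" at server level is
            # the form of "if" that nginx documents as safe.
            if ($scheme = http) {
                    return 301 https://$server_name$request_uri;
            }
            # 497: a plain-HTTP request was sent to the SSL port.
            error_page 497 https://$server_name$request_uri;
    
            location  / {
                    # add_header Content-Security-Policy upgrade-insecure-requests;
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    # Every request reaching the backend is HTTPS after the redirect above.
                    proxy_set_header X-Forwarded-Proto $scheme;
                    # proxy_set_header   DEFINE-REDIRECT    $subdomain;
                    client_max_body_size    10240m; # 10 GiB request body limit
                    proxy_pass http://172.18.5.128:80;
                     # Allow cross-origin requests
                     #proxy_redirect default;
                     #add_header Access-Control-Allow-Origin *;
                     #add_header Access-Control-Allow-Headers X-Requested-With;
                     #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
            }
    
    
            error_page 500 502 503 504  /50x.html;
            location = /50x.html {
                    root html;
            }
    }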
    

    或者:【独立分开】

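    server {  
        listen  80;
        server_name xxx.domain.com;
        # "return" is the cheaper, documented way to redirect a whole host (no regex is
        # evaluated), and $server_name keeps a client-supplied Host header out of the
        # Location URL. If this is the only or default server on port 80 it also receives
        # requests for unknown hosts, which the previous $host-based rewrite echoed back.
        return 301 https://$server_name$request_uri;
    }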
    
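    server {
        listen 443 ssl;
        server_name xxx.domain.com;
        #access_log /var/log/nginx/pro.log;
    
        # "ssl on" was dropped: it is deprecated since nginx 1.15.0 and redundant with
        # "listen 443 ssl" above.
        ssl_certificate certs/certificate.crt;
        ssl_certificate_key  certs/certificate.key;
        # Without an explicit list, nginx's default (before 1.23.4) still accepts TLS 1.0/1.1,
        # both deprecated by RFC 8996. TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+.
        ssl_protocols TLSv1.2 TLSv1.3;
    
        location  / {
            # add_header Content-Security-Policy upgrade-insecure-requests;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # This server only listens on 443, so the backend may safely trust this header.
            proxy_set_header X-Forwarded-Proto $scheme;
            # proxy_set_header   DEFINE-REDIRECT    $subdomain;
            client_max_body_size    10240m; # 10 GiB request body limit
            proxy_pass http://172.18.5.128:80;
            # Allow cross-origin requests
            #proxy_redirect default;
            #add_header Access-Control-Allow-Origin *;
            #add_header Access-Control-Allow-Headers X-Requested-With;
            #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }
    
        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
            root html;
        }
    }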
    

    或者:【推荐】采用break会直接继续往下执行,而不是重新匹配,效率稍高些。

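    server {
            listen  80;
            listen  443 ssl;
            server_name xxx.domain.com;
            #access_log /var/log/nginx/pro.log;
    
            #ssl on; # deprecated since nginx 1.15.0; "listen ... ssl" already enables TLS
            #SSL-START SSL
            ssl_certificate certs/certificate.crt;
            ssl_certificate_key certs/certificate.key;
            # TLS 1.0/1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+.
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
            ssl_prefer_server_ciphers on;
            ssl_session_timeout 10m;
            #SSL-END
    
            # Force HTTPS at server level. A rewrite whose replacement starts with "https://"
            # is always answered with a redirect, so the "break" flag changed nothing except
            # that, lacking "permanent", it produced a temporary 302 instead of the intended
            # 301; the two "if" blocks also tested the same condition twice. "return" inside
            # "if" is the form of "if" that nginx documents as safe, and $server_name keeps a
            # client-supplied Host header out of the Location URL.
            if ($scheme = http) {
                    return 301 https://$server_name$request_uri;
            }
    
            location  / {
                    # add_header Content-Security-Policy upgrade-insecure-requests;
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    # Every request reaching the backend is HTTPS after the redirect above.
                    proxy_set_header X-Forwarded-Proto $scheme;
                    # proxy_set_header   DEFINE-REDIRECT    $subdomain;
                    client_max_body_size    10240m; # 10 GiB request body limit
    
                    proxy_pass http://172.18.5.128:80;
                     # Allow cross-origin requests
                     #proxy_redirect default;
                     #add_header Access-Control-Allow-Origin *;
                     #add_header Access-Control-Allow-Headers X-Requested-With;
                     #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
            }
            
            # 497: a plain-HTTP request was sent to the SSL port.
            error_page 497 https://$server_name$request_uri;
            error_page 500 502 503 504  /50x.html;
            location = /50x.html {
                    root html;
            }
    }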
    

    Nginx全局调优

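    user  nginx;
    worker_processes  auto;
    
    error_log  /var/log/nginx/error.log notice;
    pid        /var/run/nginx.pid;
    
    
    events {
        worker_connections  1024;
    }
    
    
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
    
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        # Do not advertise the nginx version in the Server header and on error pages.
        server_tokens off;
    
        sendfile        on;
        #tcp_nopush     on;
    
        keepalive_timeout  65;
    
        gzip  on;
        ## Global CORS. These headers apply to every virtual host included below, and
        ## any server/location that declares its own add_header replaces (does not
        ## extend) them. A wildcard origin lets any web site read responses from every
        ## host served here; prefer declaring it per location on the hosts that need it.
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Headers X-Requested-With;
        add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
    
        # Tuning
        client_header_buffer_size 16k;
        large_client_header_buffers 4 64k;
        client_max_body_size    10240m; # 10 GiB; every virtual host inherits this limit
        client_body_buffer_size 256k;
        # Unitless values are seconds. Per the nginx documentation the connect timeout
        # cannot usually exceed 75 seconds, so the previous 1200 was never honoured.
        proxy_connect_timeout 75s;
        proxy_read_timeout  1200;
        proxy_send_timeout  6000;
        proxy_buffer_size  32k;
        proxy_buffers   4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 10m;
    
        include /etc/nginx/conf.d/*.conf;
    }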
    

    【推荐】Vue.js等前端代理,http自动跳转https,分开编写效率最高。

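    server {
            listen  80;
            server_name domain.com;
            # "return" redirects the whole host without evaluating a regex, and $server_name
            # keeps a client-supplied Host header out of the Location URL (the previous
            # $host-based rewrite echoed whatever Host value reached this server).
            return 301 https://$server_name$request_uri;
    }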
    
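    server {
            listen  443 ssl http2;
            listen       [::]:443 ssl http2;
            server_name  domain.com;
            #access_log /var/log/nginx/pro.log;
    
            #ssl on; # deprecated since nginx 1.15.0; "listen ... ssl" already enables TLS
            #SSL-START SSL
            ssl_certificate certs/domain_bundle.crt;
            ssl_certificate_key certs/domain.key;
            # TLS 1.0/1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+ with OpenSSL 1.1.1+.
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
            ssl_prefer_server_ciphers on;
            ssl_session_timeout 10m;
            #SSL-END
    
            location  / {
                    # Pass the real client request information
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
                    # Request body limit: 10240m is 10 GiB, not 1 GiB
                    client_max_body_size    10240m;
    
                    # Allow cross-origin requests (wildcard: any site may read these responses;
                    # browsers refuse it for credentialed requests)
                    add_header Access-Control-Allow-Origin *;
                    add_header Access-Control-Allow-Headers X-Requested-With;
                    add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
    
                    # Internal rewrite into the static app; "last" re-runs location matching,
                    # so /omo/ below serves the result
                    rewrite ^/(.*)$ /omo/$1 last;
            }
    
            location /api {
                    # Pass the real client request information
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
    
                    # Allow cross-origin requests
                    add_header Access-Control-Allow-Origin *;
                    add_header Access-Control-Allow-Headers X-Requested-With;
                    add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
    
                    # Strip the /api prefix. The former pattern "^.+api/?(.*)$" was greedy and
                    # anchored on the LAST "api" in the path, so /api/v1/capital became /tal;
                    # anchoring on the location prefix keeps the rest of the path intact.
                    rewrite ^/api/?(.*)$ /$1 break;
                    include uwsgi_params; # sets uwsgi_param only; has no effect with proxy_pass
                    proxy_pass http://172.18.5.175:9999;
            }
    
            location /omo/ {
                    # autoindex on;
                    # Do not cache HTML so a deployed update is not masked by stale caches
                    if ($request_filename ~* .*\.(?:htm|html)$) {
                            add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
                            # "access_log on;" was removed: nginx treats any value other than
                            # "off" as a log file path, so it opened a file literally named "on".
                    }
                    alias /srv/webapps/omo/; # static files served by nginx itself
                    index  index.html index.htm;
            }
    
            location  /xkw {
                    # Pass the real client request information
                    # proxy_set_header Host $host;
                    # proxy_set_header X-Real-IP $remote_addr;
                    # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
                    # Request body limit: 10240m is 10 GiB, not 1 GiB
                    client_max_body_size    10240m;
    
                    # Allow cross-origin requests
                    #add_header Access-Control-Allow-Origin *;
                    #add_header Access-Control-Allow-Headers X-Requested-With;
                    #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
    
                    # Strip the /xkw prefix (anchored on the prefix, see /api above)
                    rewrite ^/xkw/?(.*)$ /$1 break;
                    include uwsgi_params; # sets uwsgi_param only; has no effect with proxy_pass
                    # External HTTPS origin. Send SNI so the host presents the right certificate.
                    # nginx does not verify upstream certificates unless proxy_ssl_verify and
                    # proxy_ssl_trusted_certificate are configured; consider adding them.
                    proxy_ssl_server_name on;
                    proxy_pass https://staticzujuan.xkw.com:443;
            }
    
            error_page 500 502 503 504  /50x.html;
            location = /50x.html {
                    root   /usr/share/nginx/html;
            }
    }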
    
