Nginx反向代理教程

Nginx反向代理：从入门到实战配置指南

什么是反向代理？

在互联网架构中，代理服务器扮演着重要角色。正向代理是客户端与目标服务器之间的中介，而反向代理则恰恰相反——它是客户端与后端服务器集群之间的“守门人”。当用户访问网站时，请求首先到达反向代理服务器，由它决定将请求转发到哪台后端服务器，然后将响应返回给用户。

Nginx作为高性能的HTTP和反向代理服务器，以其卓越的并发处理能力和低内存消耗，成为构建现代Web架构的首选工具之一。

为什么选择Nginx作为反向代理？

1. 高性能：采用事件驱动架构，能够处理数万并发连接
2. 低资源消耗：内存占用少，CPU利用率高
3. 配置灵活：简洁的配置文件语法，易于理解和维护
4. 功能丰富：支持负载均衡、缓存、SSL终端、HTTP/2等
5. 稳定性强：被全球众多高流量网站验证，如Netflix、GitHub等

基础反向代理配置

安装Nginx

```bash
Ubuntu/Debian系统
sudo apt update
sudo apt install nginx

CentOS/RHEL系统
sudo yum install epel-release
sudo yum install nginx

验证安装
nginx -v
```

最小化反向代理配置

创建一个简单的反向代理配置，将访问`example.com`的请求转发到本地3000端口运行的应用：

```nginx
/etc/nginx/conf.d/reverse-proxy.conf
server {
listen 80;
server_name example.com;

location / {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```

配置详解

- `proxy_pass`：指定后端服务器地址
- `proxy_set_header`：修改转发给后端服务器的请求头
- `$host`：原始请求的主机头
- `$remote_addr`：客户端真实IP地址
- `$proxy_add_x_forwarded_for`：追加客户端IP到X-Forwarded-For头

高级反向代理功能

1. 负载均衡配置

Nginx支持多种负载均衡算法：

```nginx
upstream backend_servers {
默认轮询算法
server 192.168.1.101:8080;
server 192.168.1.102:8080;
server 192.168.1.103:8080;

权重分配
server 192.168.1.104:8080 weight=3;
server 192.168.1.105:8080 weight=2;

最少连接数算法
least_conn;

IP哈希算法（会话保持）
ip_hash;
}

server {
listen 80;
server_name app.example.com;

location / {
proxy_pass http://backend_servers;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
```

2. 健康检查与故障转移

```nginx
upstream backend {
server backend1.example.com:8080 max_fails=3 fail_timeout=30s;
server backend2.example.com:8080 max_fails=3 fail_timeout=30s;
server backup1.example.com:8080 backup; 备份服务器
server backup2.example.com:8080 backup;
}

server {
listen 80;

location / {
proxy_pass http://backend;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_connect_timeout 5s;
proxy_read_timeout 10s;
proxy_send_timeout 10s;
}
}
```

3. 缓存加速

```nginx
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m
max_size=1g inactive=60m use_temp_path=off;

server {
listen 80;

location / {
proxy_cache my_cache;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;

add_header X-Cache-Status $upstream_cache_status;

proxy_pass http://backend;
}
}
```

4. WebSocket代理

```nginx
server {
listen 80;

location /ws/ {
proxy_pass http://websocket_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
}
```

安全加固配置

SSL终端与HTTP/2支持

```nginx
server {
listen 443 ssl http2;
server_name secure.example.com;

ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;

安全增强配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512;
ssl_prefer_server_ciphers off;

HSTS头
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
}
}

HTTP重定向到HTTPS
server {
listen 80;
server_name secure.example.com;
return 301 https://$server_name$request_uri;
}
```

防止DDoS攻击

```nginx
限制连接频率
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

server {
location /api/ {
limit_req zone=one burst=20 nodelay;
proxy_pass http://api_backend;
}
}

限制并发连接数
limit_conn_zone $binary_remote_addr zone=addr:10m;

location /download/ {
limit_conn addr 5; 每个IP最多5个并发连接
proxy_pass http://download_backend;
}
```

实战场景配置示例

场景1：微服务API网关

```nginx
upstream auth_service {
server 10.0.1.10:3001;
server 10.0.1.11:3001;
}

upstream user_service {
server 10.0.1.20:3002;
server 10.0.1.21:3002;
}

upstream product_service {
server 10.0.1.30:3003;
server 10.0.1.31:3003;
}

server {
listen 80;
server_name api.company.com;

认证服务路由
location /api/auth/ {
proxy_pass http://auth_service;
proxy_set_header X-Service-Name auth;
}

用户服务路由
location /api/users/ {
proxy_pass http://user_service;
proxy_set_header X-Service-Name user;
}

产品服务路由
location /api/products/ {
proxy_pass http://product_service;
proxy_set_header X-Service-Name product;
}

API文档
location /api/docs {
proxy_pass http://docs_service:4000;
}
}
```

场景2：动静分离配置

```nginx
server {
listen 80;
server_name www.example.com;

静态资源 - 直接由Nginx处理
location ~ \\.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf)$ {
root /var/www/static;
expires 365d;
add_header Cache-Control "public, immutable";
access_log off;
}

动态请求 - 转发到应用服务器
location / {
proxy_pass http://app_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;

启用gzip压缩
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
}
}
```

性能优化技巧

1. 连接池优化
```nginx
upstream backend {
server backend1.example.com;
keepalive 32; 保持连接池大小
}

location / {
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_pass http://backend;
}
```

2. 缓冲区优化
```nginx
location / {
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
proxy_busy_buffers_size 8k;
proxy_pass http://backend;
}
```

3. 启用压缩
```nginx
gzip on;
gzip_min_length 1024;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_vary on;
```

监控与调试

状态监控页面

```nginx
server {
listen 8080;
server_name localhost;

location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}

location /server_status {
vhost_traffic_status_display;
vhost_traffic_status_display_format html;
access_log off;
allow 127.0.0.1;
deny all;
}
}
```

日志配置优化

```nginx
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt=$request_time uct="$upstream_connect_time" '
'uht="$upstream_header_time" urt="$upstream_response_time"';

access_log /var/log/nginx/access.log main buffer=32k flush=5s;
error_log /var/log/nginx/error.log warn;
}
```

常见问题排查

1. 502 Bad Gateway错误
- 检查后端服务是否运行
- 验证防火墙设置
- 检查Nginx错误日志：`tail -f /var/log/nginx/error.log`

2. 性能问题
- 使用`nginx -t`测试配置语法
- 启用访问日志分析请求模式
- 调整缓冲区大小和连接池设置

3. 配置重载
```bash
测试配置
sudo nginx -t

重新加载配置（不中断服务）
sudo nginx -s reload

重启Nginx
sudo systemctl restart nginx
```

结语

Nginx反向代理是现代Web架构的核心组件，通过合理配置可以实现负载均衡、高可用性、安全加固和性能优化。掌握Nginx反向代理的配置技巧，能够显著提升Web服务的稳定性、安全性和扩展性。建议在生产环境部署前，充分测试配置，并根据实际流量模式持续优化参数设置。

记住，良好的Nginx配置不是一蹴而就的，而是需要根据实际业务需求不断调整和优化的过程。从基础配置开始，逐步添加高级功能，最终构建出适合自己业务场景的高性能反向代理解决方案。