nginx reverse proxy

1. Implementing LVS in NAT and DR modes

  •  LVS-nat

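 Environment: we use 172.16.1.100 as the VIP, 192.168.1.100 as the DIP, 192.168.1.1 as the RIP of the first RS, and 192.168.1.2 as the RIP of the second RS. The key configuration points are:

    1. The director uses NAT (network address translation), so kernel IP forwarding must be enabled on it.

    2. The RSs communicate with external clients through the director, so the gateway of each RS is the DIP.

    3. LVS works on the INPUT chain, so to keep iptables from interfering we simply flush the iptables rules.

    4. The clocks of all servers must be synchronized.

  The configuration is as follows: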

#RS

yum install httpd -y
echo '<h1>RS1</h1>' > /var/www/html/index.html   # write RS2 on the other RS
systemctl start httpd
route add default gw 192.168.1.100        # the gateway must point to the DIP
iptables -F                               # or just allow inbound port 80 instead
#VS
yum install -y ipvsadm
echo 1 > /proc/sys/net/ipv4/ip_forward          # enable IP forwarding
ipvsadm -A -t 172.16.1.100:80 -s rr  # create a cluster service whose VIP is 172.16.1.100
ipvsadm -a -t 172.16.1.100:80 -r 192.168.1.1:80 -m
ipvsadm -a -t 172.16.1.100:80 -r 192.168.1.2:80 -m  # add the two RSs; -m selects NAT mode
iptables -F

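  •  LVS-DR mode

  The RSs and the VS are on the same network. The DIP is 172.16.1.100, the RIP of RS1 is 172.16.1.101, and the RIP of RS2 is 172.16.1.102. The test client that simulates a user has the IP address 172.16.53.103.

    In DR mode, note that on the VS the VIP and the DIP are on the same interface, while on each RS the RIP is on the physical interface and the VIP is on lo. To prevent the VIP on an RS from announcing its own MAC address or answering ARP requests, we have to change kernel parameters to turn off both behaviours. The RSs are configured almost identically, as follows: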

#RS
yum install httpd -y
echo '<h1>RS1</h1>' > /var/www/html/index.html   # use RS2 on the other RS
systemctl start httpd
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
ifconfig lo:0 172.16.1.100 netmask 255.255.255.255 broadcast 172.16.1.100 up
    # set the VIP address on the lo loopback interface
route add -host 172.16.1.100 dev lo:0    # host route so that packets with the VIP as source address leave via lo:0

#VS
yum install ipvsadm -y
ifconfig eno16777736:0 172.16.1.100 netmask 255.255.255.255 broadcast 172.16.1.100 up
    # add the VIP on the interface that holds the DIP
iptables -F  # remember to flush the firewall rules
ipvsadm -A -t 172.16.1.100:80 -s rr  # create a cluster service; rr selects round-robin scheduling
ipvsadm -a -t 172.16.1.100:80 -r 172.16.1.101 -g    # -g selects LVS-DR mode
ipvsadm -a -t 172.16.1.100:80 -r 172.16.1.102 -g

 

2. nginx reverse proxy and virtual hosts

  nginx reverse proxy modules

    The ngx_http_proxy_module module:

    The ngx_http_proxy_module module allows passing requests to another server.

    proxy_pass   URL;

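  Usage:

  server {
      server_name HOSTNAME;
      location /uri/ {
          proxy_pass http://host[:port];
      }
  }

  Note: when the URL after proxy_pass carries no URI, nginx passes the location's URI to the backend host unchanged;

  when the URL after proxy_pass carries a URI, the location's URI is replaced with the proxy_pass URI;

  For example:

  proxy_pass http://host/new_uri/;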
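The two rules above, modelled in Python as an added example (not code from the original post). It covers prefix locations only, and the routing table and sample request are constructed. The third route shows what happens when the trailing slashes of the location and the proxy_pass URI do not line up: the backend receives a path with a doubled slash, which is the kind of mapping drift worth catching in a config review.

```python
from urllib.parse import urlsplit

def upstream_uri(location, proxy_pass, request_uri):
    """Model of how a prefix location plus proxy_pass maps a request URI."""
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location):
        raise ValueError("request does not match this prefix location")
    replacement = urlsplit(proxy_pass).path   # "" when proxy_pass has no URI part
    if replacement == "":
        return request_uri                     # passed to the backend unchanged
    # The matched location prefix is swapped for the proxy_pass URI.
    return replacement + path[len(location):] + sep + query

def slash_mismatch(location, proxy_pass):
    """True when only one of location / proxy_pass URI ends with '/'."""
    replacement = urlsplit(proxy_pass).path
    return replacement != "" and location.endswith("/") != replacement.endswith("/")

# Constructed routing table: (location, proxy_pass)
ROUTES = [
    ("/uri/", "http://host"),
    ("/uri/", "http://host/new_uri/"),
    ("/uri",  "http://host/new_uri/"),   # trailing slashes do not line up
]

def audit(routes, sample="/uri/a.html?x=1"):
    """Return (location, proxy_pass, upstream URI, mismatch flag) per route."""
    return [(loc, pp, upstream_uri(loc, pp, sample), slash_mismatch(loc, pp))
            for loc, pp in routes]

if __name__ == "__main__":
    for row in audit(ROUTES):
        print(row)
```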

  •   proxy_set_header field value;

  Sets the value of a request header field in the request sent to the backend host; Context: http, server, location

  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
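What the backend receives from these two directives, and how it can pick the client address safely, as an added Python example (not code from the original post). `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever X-Forwarded-For value the client sent, so only the entries added by your own proxies can be trusted. The proxy address and the sample requests are constructed assumptions.

```python
import ipaddress

# Assumption: the only proxy the backend trusts is the nginx host at this address.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.100/32")]

def nginx_headers(remote_addr, client_headers):
    """Headers nginx sends upstream with the two proxy_set_header lines above."""
    incoming = client_headers.get("X-Forwarded-For")
    return {
        "X-Real-IP": remote_addr,   # set by nginx, replaces any client-sent value
        # $proxy_add_x_forwarded_for: client-supplied value with $remote_addr appended
        "X-Forwarded-For": f"{incoming}, {remote_addr}" if incoming else remote_addr,
    }

def _trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, headers):
    """Backend side: choose the client address without trusting client-sent hops."""
    if not _trusted(peer_addr):
        return peer_addr            # request bypassed the proxy: ignore the headers
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):      # walk right to left, skipping our own proxies
        if _trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr        # malformed entry: fall back to the TCP peer
        return hop                  # first hop our proxy did not vouch for
    return peer_addr

if __name__ == "__main__":
    sent = nginx_headers("203.0.113.7", {"X-Forwarded-For": "10.0.0.1"})
    print(sent, client_ip("192.168.1.100", sent))
```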

  

  •   proxy_cache_path

Defines a cache that the proxy feature can use; Context: http

proxy_cache_path path [levels=levels] [use_temp_path=on|off] keys_zone=name:size [inactive=time] [max_size=size] [manager_files=number] [manager_sleep=time] [manager_threshold=time] [loader_files=number] [loader_sleep=time] [loader_threshold=time] [purger=on|off] [purger_files=number] [purger_sleep=time] [purger_threshold=time];

  • proxy_cache zone | off;

Specifies the cache zone to use, or turns caching off; Context: http, server, location

  •  proxy_cache_key string;

The content used as the "key" in the cache;

Default: proxy_cache_key $scheme$proxy_host$request_uri;

  • proxy_cache_valid [code ...] time;

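Defines how long responses with specific response codes are cached;

Defined in http{...}:
proxy_cache_path /var/cache/nginx/proxy_cache levels=1:1:1 keys_zone=pxycache:20m max_size=1g;

Defined in the configuration section that needs the cache, for example server{...}: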
proxy_cache pxycache;
proxy_cache_key $request_uri;
proxy_cache_valid 200 302 301 1h;
proxy_cache_valid any 1m;
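How the cache key turns into a file under the proxy_cache_path directory, as an added Python example (not code from the original post). nginx names each cache file after the MD5 of the key and takes the `levels` directories from the end of the hex digest. With `proxy_cache_key $request_uri;` two virtual hosts that share the pxycache zone map the same URI to the same entry, while the default key keeps them apart. The two proxied hosts are constructed sample values.

```python
import hashlib

def cache_file(path, levels, key):
    """On-disk file for a cache key: MD5 of the key, with the directory
    levels taken from the end of the hex digest."""
    digest = hashlib.md5(key.encode()).hexdigest()
    parts, end = [], len(digest)
    for width in (int(n) for n in levels.split(":")):
        parts.append(digest[end - width:end])
        end -= width
    return "/".join([path.rstrip("/"), *parts, digest])

def key_page(proxy_host, request_uri):
    """proxy_cache_key $request_uri;  (the setting used above)"""
    return request_uri

def key_default(proxy_host, request_uri, scheme="http"):
    """proxy_cache_key $scheme$proxy_host$request_uri;  (the default)"""
    return f"{scheme}{proxy_host}{request_uri}"

# Constructed case: two virtual hosts use the same cache zone but proxy
# to different backends, and both receive a request for /index.html.
REQUESTS = [("192.168.1.1", "/index.html"), ("192.168.1.2", "/index.html")]

def files(key_fn, path="/var/cache/nginx/proxy_cache", levels="1:1:1"):
    """Set of distinct cache files the sample requests end up in."""
    return {cache_file(path, levels, key_fn(host, uri)) for host, uri in REQUESTS}

if __name__ == "__main__":
    print("key $request_uri :", sorted(files(key_page)))
    print("default key      :", sorted(files(key_default)))
```

A single file for both hosts means one backend's response can be served for the other; keeping the host in the key, or using one zone per virtual host, avoids that.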

  • proxy_cache_use_stale


proxy_cache_use_stale error | timeout | invalid_header | updating | http_500 | http_502 | http_503 | http_504 | http_403 | http_404 | off ...;

Determines in which cases a stale cached response can be used when an error occurs during communication with the proxied server.

  • proxy_cache_methods GET | HEAD | POST ...;

If the client request method is listed in this directive then the response will be cached. “GET” and “HEAD” methods are always added to the list, though it is recommended to specify them explicitly.

  • proxy_hide_header field;

By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed.

  • proxy_connect_timeout time;

Defines a timeout for establishing a connection with a proxied server. It should be noted that this timeout cannot usually exceed 75 seconds.

Default is 60s; the maximum is 75s;

  • proxy_read_timeout time;

Defines a timeout for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response.

  • proxy_send_timeout time;

Sets a timeout for transmitting a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed.

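The ngx_http_headers_module module
The ngx_http_headers_module module allows adding the “Expires” and “Cache-Control” header fields, and arbitrary fields, to a response header.

Adds custom header fields to the response that the proxy server sends to the client, or changes the value of a given header field;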

  • add_header name value [always];

Adds a custom header field;

add_header X-Via $server_addr;
add_header X-Accel $server_name;

  • expires [modified] time;

expires epoch | max | off;

Used to define the value of the Expires or Cache-Control header field;



The ngx_http_fastcgi_module module:


The ngx_http_fastcgi_module module allows passing requests to a FastCGI server.

  • fastcgi_pass address;

address is the address of the FastCGI server; Context: location, if in location;

http://www.ilinux.io/admin/index.php --> /admin/index.php (uri)
/data/application/admin/index.php


  • fastcgi_index name;

The default index resource for FastCGI;

  • fastcgi_param parameter value [if_not_empty];

Sets a parameter that should be passed to the FastCGI server. The value can contain text, variables, and their combination.

Example 1:
location ~* \.php$ {
    root /usr/share/nginx/html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html$fastcgi_script_name;
    include fastcgi_params;
}
Example 2:
location ~* ^/(pm_status|ping)$ {
    include fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
}

  • fastcgi_cache_path path [levels=levels] [use_temp_path=on|off] keys_zone=name:size [inactive=time] [max_size=size] [manager_files=number] [manager_sleep=time] [manager_threshold=time] [loader_files=number] [loader_sleep=time] [loader_threshold=time] [purger=on|off] [purger_files=number] [purger_sleep=time] [purger_threshold=time];


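Defines the FastCGI cache; the cache is stored in the file system on disk, at the location given by path;

levels=levels: the number of cache directory levels and the number of directories at each level; levels=ONE:TWO:THREE
    e.g. levels=1:2:2
keys_zone=name:size
    name and size of the in-memory area that holds the key/value mapping
inactive=time
    inactive period
max_size=size
    upper limit on the disk space used for cached data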

  • fastcgi_cache zone | off;

Uses the specified cache zone to cache data; Context: http, server, location

  • fastcgi_cache_key string;

Defines the string used as the key of a cache entry;

  • fastcgi_cache_methods GET | HEAD | POST ...;

The request methods for which the cache is used;

  • fastcgi_cache_min_uses number;

A cache entry must be accessed at least this many times within the inactive period defined by inactive in order to be considered an active entry;

  • fastcgi_cache_valid [code ...] time;

The cache duration for each response code;

Example:
http {
    ...
    fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2:1 keys_zone=fcgi:20m inactive=120s;
    ...
    server {
        ...
        location ~* \.php$ {
            ...
            fastcgi_cache fcgi;
            fastcgi_cache_key $request_uri;
            fastcgi_cache_valid 200 302 10m;
            fastcgi_cache_valid 301 1h;
            fastcgi_cache_valid any 1m;
            ...
        }
        ...
    }
    ...
}

  • fastcgi_keep_conn on | off;

By default, a FastCGI server will close a connection right after sending the response. However, when this directive is set to the value on, nginx will instruct a FastCGI server to keep connections open.

 

 

The ngx_http_upstream_module module

The ngx_http_upstream_module module is used to define groups of servers that can be referenced by the proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass, and memcached_pass directives.

  • upstream name { ... }

Defines a group of backend servers and introduces a new context; Context: http

upstream httpdsrvs {
server ...
server...
...
}

  • server address [parameters];

A server member within the upstream context, together with its parameters; Context: upstream

Formats for address:
unix:/PATH/TO/SOME_SOCK_FILE
IP[:PORT]
HOSTNAME[:PORT]

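parameters:
weight=number
    weight; the default is 1;
max_fails=number
    maximum number of failed attempts; once this number is exceeded, the server is marked as unavailable;
fail_timeout=time
    sets the timeout period for marking the server as unavailable;
max_conns
    maximum number of concurrent connections for this server;
backup
    marks the server as a "backup", i.e. it is used only when all other servers are unavailable;
down
    marks the server as "unavailable";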

  • least_conn;

Least-connections scheduling algorithm; when the servers have different weights it acts as wlc (weighted least connections);

  • ip_hash;

Source-address hash scheduling method;

  • hash key [consistent];

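Schedules requests using a hash table built on the specified key; the key can be plain text, variables, or a combination of the two;

Purpose: classifies requests so that requests of the same class are sent to the same upstream server;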

If the consistent parameter is specified the ketama consistent hashing method will be used instead.

Examples:
hash $request_uri consistent;
hash $remote_addr;

  • keepalive connections;

The number of idle keepalive connections kept open for each worker process;

Other derivative distributions of nginx:
tengine
OpenResty

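The ngx_stream_core_module module

Provides reverse proxying for TCP- or UDP-based service connections, i.e. a reverse proxy or scheduler that works at the transport layer;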

  • stream { ... }

Defines stream-related services; Context: main

stream {
    upstream sshsrvs {
        server 192.168.22.2:22;
        server 192.168.22.3:22;
        least_conn;
    }

    server {
        listen 10.1.0.6:22022;
        proxy_pass sshsrvs;
    }
}

  • listen

listen address:port [ssl] [udp] [proxy_protocol] [backlog=number] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];

posted @ 2018-12-24 10:40  小翼君