nginx1.8.1反向代理、负载均衡功能的实现
nginx1.8.1 proxy 服务器192.168.8.40
web1 centos6.5 httpd2.2.15
web2 centos7.2 httpd2.4.6
1、代理功能的简单实现
nginx代理服务器:192.168.8.40
web服务器:192.168.8.101
8.40添加代理:
location /forum/ {
proxy_pass http://192.168.8.101/bbs/;
}
在被代理的web端
创建目录mkdir /web/htdocs/bbs
vim /web/htdocs/bbs/index.html
加入<h1>192.168.8.101 bbs</h1>
访问 http://192.168.8.40/forum/即可出现8.101的内容
改成正则表达式的方式:
location ~* ^/forum {
proxy_pass http://192.168.8.101;
}
此时http://192.168.8.40/forum/的方式不能访问,需要通过修改192.168.8.101的bbs目录改为forum即可访问
# mv bbs forum
2、代理上显示客户端真实IP(方便统计真实的IP访问情况)
8.101上更改显示日志的方式:
# vim /etc/httpd/conf/httpd.conf
LogFormat "%{X-Real-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
nginx服务器端8.40配置:
location ~* ^/forum {
proxy_pass http://192.168.8.101;
proxy_set_header X-Real-IP $remote_addr;
}
3.实现简单的负载均衡:
nginx proxy server:192.168.8.40
apache web1:192.168.8.39
apache web2:192.168.8.101
nginx proxy server:192.168.8.40配置:
# 定义web服务器集群:
upstream webservers {
server 192.168.8.39 weight=1;
server 192.168.8.101 weight=1;
}
server {
#location / {
# root /web/htdocs;
# index index.php index.html index.htm;
#}
#定义访问集群
location / {
proxy_pass http://webservers/;
proxy_set_header X-Real-IP $remote_addr;
}
}
通过访问http://192.168.8.40可以看到负载的效果
4、对负载均衡的服务器宕机情况进行适配
#添加错误的定义
server {
listen 8080;
server_name localhost;
root /web/errorpages;
index index.html;
}
# 创建错误页面定义
# mkdir /web/errorpages/ -pv
# vim index.html
加入
sorry,website is being repaired please wait
# 添加超时定义及错误页面定义,如果连续访问错误两次则踢掉,检测时间间隔2秒
upstream webservers {
server 192.168.8.39 weight=1 max_fails=2 fail_timeout=2;
server 192.168.8.101 weight=1 max_fails=2 fail_timeout=2;
server 127.0.0.1:8080 weight=1 backup;
}
测试,关闭web1则,只能访问到web2,关闭web2后出现错误提示
5、为反向代理启用缓存功能
proxy_cache_path /nginx/cache/first levels=1:2 keys_zone=first:20m max_size=1g;
server {
listen 80;
server_name localhost;
index index.html index.php;
add_header X-Via $server_addr;
add_header X-Cache "$upstream_cache_status from $server_addr";
location / {
proxy_pass http://webservers/;
proxy_set_header X-Real-IP $remote_addr;
proxy_cache first;
proxy_cache_valid 200 10m;
}
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] mkdir() "/nginx/cache/first" failed (2: No such file or directory)
nginx: configuration file /etc/nginx/nginx.conf test failed
[root@centossz008 ~]# mkdir -pv /nginx/cache/first
mkdir: created directory `/nginx'
mkdir: created directory `/nginx/cache'
mkdir: created directory `/nginx/cache/first'
add_header X-Via $server_addr;
add_header X-Cache "$upstream_cache_status from $server_addr";
提示信息如下:
6、重定向规则
location / {
#root html;
root /web/htdocs;
index index.html index.htm;
rewrite ^/bbs/(.*)$ http://192.168.8.101/forum/$1;
}
访问:http://192.168.8.40/bbs/
7、上传文件的负载均衡
可能碰到这样的业务场景,几台web app设置了主从,一个服务器负责上传,其他只能通过同步来获取
nginx配置:
location / {
proxy_pass http://192.168.8.40/;
if ($request_method = "PUT"){
proxy_pass http://192.168.8.101;
}
}
客户端配置:
# vim /etc/httpd/conf/httpd.conf
在<Directory "/web/htdocs">下面添加Dav on
<Directory "/web/htdocs">
Dav on
# curl -T /etc/fstab http://192.168.8.40
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>201 Created</title>
</head><body>
<h1>Created</h1>
<p>Resource /fstab has been created.</p>
</body></html>
在8.101上可以看到上传的文件
htdocs]# ls
forum fstab index.html
8、通过nginx统计某推广链接重写url
需求:
通过nginx统计某推广链接(如:http://www.baidu.com)的访问次数,即访问tuiguang.chinasoft.com自动跳转到www.baidu.com页面
如该服务器为1.1.1.1,带宽要足够大(要根据实际访问量来定)
步骤
①添加1.1.1.1的dns域名解析 tuiguang.chinasoft.com --> 1.1.1.1
②添加相关的配置
vim /etc/nginx/conf.d/tuiguang.conf
server {
server_name tuiguang.chinasoft.com;
rewrite_log on; # 打开重写的日志
error_log /data/logs/app_h5.log notice;
access_log /data/logs/app_error_h5.log;
location /h5/flow{
alias /data/h5;
index index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
rewrite ^(.*) http://www.baidu.com break;
}
}
9.修改http头Content-Type为application/octet-stream
upstream lvs_server{ server 10.27.13.215:8555; #hd_lvs_voice01 server 10.26.114.166:8555; #hd_lvs_voice02 server 10.27.62.9:8555; #hd_lvs_voice03 server 10.30.196.175:8555; #hd_lvs_voice04 server 10.30.196.157:8555; #hd_lvs_voice05 } server { listen 8555; location / { proxy_pass http://lvs_server; } location /index { proxy_set_header Host $http_host; proxy_set_header X-Real-Ip $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Content-Type application/octet-stream; proxy_pass http://lvs_server; }#end index }
日志中添加响应时间,请求时间的日志格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" "$http_host" "$upstream_response_time" "$request_time"';
nginx获取不到客户端真实IP地址
upstream dxflowservers { ip_hash; server u04flow01.yaya.corp:8091 weight=1 max_fails=2 fail_timeout=3; server u04rec02.yaya.corp:8091 weight=1 max_fails=2 fail_timeout=3; } server { server_name 106.75.19.93; server_name dxacc.chinasoft.cn; location /{ root /data/chinasoft/dx_traffic/liuliang_http/liuliangsdk/; index index.html; try_files $uri $uri/ /index.html; } location /dingxiangsdk/{ proxy_set_header Host $host; proxy_set_header X-Real-Ip $remote_addr; # 经过ulb(lvs)以后无法获取客户端的真实IP地址,去掉下面这行即可 #proxy_set_header X-Forwarded-For $remote_addr; proxy_pass http://dxflowservers/; } location /ngx_status { stub_status on; access_log off; allow 127.0.0.1; #deny all; } }
简单测试反向代理upstream的健康检查功能
nginx --> apache(两台)
nginx : 192.168.3.200 (nginx 1.12.2)
apache01: 192.168.3.12
apache02:192.168.3.13
nginx的配置
upstream lvs_server{ server 192.168.3.12:8555 weight=2 max_fails=5 fail_timeout=6; server 192.168.3.13:8555 weight=2 max_fails=5 fail_timeout=6; } server { listen 8555; server_name 192.168.3.200; access_log /var/log/nginx/voice_lvs.access.log main; error_log /var/log/nginx/voice_lvs.error.log; location / { proxy_pass http://lvs_server/; } location /index { proxy_set_header Host $http_host; proxy_set_header X-Real-Ip $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Content-Type application/octet-stream; proxy_pass http://lvs_server; } location /ngx_status { stub_status on; access_log off; allow 127.0.0.1; } }
[root@centossz008 ~]# cat /var/www/html/index.html
<h1>192.168.3.12</h1>
server01
[root@node5 ~]# cat /var/www/html/index.html
<h1>192.168.3.13</h1>
server02
经过测试,当不配置以下参数,如果关掉其中一台apache,请求会全部到另外一台中,所以upstream默认就会检查后端服务器,如果配置就按照你的配置
不配置就按照默认配置
weight=2 max_fails=5 fail_timeout=6;
[root@localhost /etc/nginx/conf.d]# for i in {1..20}; do curl http://192.168.3.200:8555/index.html;done
重定向示例
# cat /usr/local/nginx/conf/vhost.d/chinasoft.com.conf map $http_origin $corsHost { default "none" ; "~https://chinasoft.com" https://chinasoft.com ; "~https://chinasoft-com.cdn.ampproject.org" https://chinasoft-com.cdn.ampproject.org ; "~https://chinasoft.com.amp.cloudflare.com" https://chinasoft.com.amp.cloudflare.com ; "~https://cdn.ampproject.org" https://cdn.ampproject.org ; "~https://images.chinasoft.com" https://images.chinasoft.com ; "~https://my.chinasoft.com" https://my.chinasoft.com ; "~https://store.chinasoft.com" https://store.chinasoft.com ; "~https://my.chinasoft.jp" https://my.chinasoft.jp ; } server { listen 80; server_name chinasoft.com www.chinasoft.com ori-www.chinasoft.com; access_log /data/www/logs/nginx_log/access/chinasoft.com_access.log main ; error_log /data/www/logs/nginx_log/error/chinasoft.com_error.log ; root /data/www/vhosts/chinasoft.com/httpdocs ; index index.html index.shtml index.php ; include rewrite.d/chinasoft.com.conf ; error_page 404 403 /404.html; rewrite ^/(.*)$ https://www.chinasoft.com/$1 permanent; #跳转到Https location ~ \.php$ { fastcgi_pass unix:/tmp/php-cgi.sock; fastcgi_index index.php; #fastcgi_param SCRIPT_FILENAME ; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; expires -1; } location / { include proxy_params; if (!-d $request_filename){ set $flag 1$flag; } if (!-f $request_filename){ set $flag 2$flag; } if ($flag = "21"){ rewrite ^(.*)$ /index.php last; expires -1; } } } server { listen 443; ssl on; ssl_certificate cert2016/chinasoft_com.crt; ssl_certificate_key cert2016/chinasoft_com.key; ssl_dhparam cert2016/dh_2048.pem; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-E CDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-S HA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:ED H-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"; ssl_prefer_server_ciphers on; # add_header Strict-Transport-Security max-age=15768000; #ssl_stapling on; #ssl_stapling_verify on; server_name chinasoft.com www.chinasoft.com ori-www.chinasoft.com ; access_log /data/www/logs/nginx_log/access/chinasoft.com_access.log main ; error_log /data/www/logs/nginx_log/error/chinasoft.com_error.log ; root /data/www/vhosts/chinasoft.com/httpdocs ; index index.html index.shtml index.php ; include rewrite.d/chinasoft.com.conf ; error_page 404 403 /404.html; #add_header 'Access-Control-Allow-Origin' '*'; add_header Access-Control-Allow-Origin $corsHost; add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS'; add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization'; location ~ \.php$ { try_files $uri =404; fastcgi_pass unix:/tmp/php-cgi.sock; fastcgi_index index.php; #fastcgi_param SCRIPT_FILENAME ; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; expires -1; } location / { include proxy_params; if (!-d $request_filename){ set $flag 1$flag; } if (!-f $request_filename){ set $flag 2$flag; } if ($flag = "21"){ rewrite ^(.*)$ /index.php last ; expires -1; } } } ***************** if ($request_uri ~ ^/snapchat/snapchat-password-cracker.html) { rewrite ^ https://www.centos.net/snapchat/snapchat-password-cracker.html permanent; } if ($request_uri ~ ^/spy/index.html) { rewrite ^ https://www.chinasoft.com/topic/index.html permanent; } if ($request_uri ~ ^/telegram/index.html) { rewrite ^ https://www.chinasoft.com/topic/index.html permanent; } if ($request_uri ~ ^/track/hidden-phone-tracker-for-android-iphone.html) { rewrite ^ https://www.centos.net/track/hidden-phone-tracker-for-android-iphone.html permanent; } if ($request_uri ~ ^/viber/index.html) { rewrite ^ https://www.chinasoft.com/topic/index.html permanent; } [root@EOP_Aimersoft_web01:~]# head -30 /usr/local/nginx/conf/rewrite.d/chinasoft.com.conf if ($host ~* ^chinasoft.com$){ rewrite ^(.*)$ http://www.chinasoft.com$1 permanent;} if ($request_uri ~ ^/(.*)/(index|indice).(html)) { rewrite ^/(.*)/(index|indice).(html) /$1 permanent;} if ($request_uri ~ ^/(index|indice).html) { rewrite ^ / permanent;} #20170824 if ($request_uri ~ ^/install-chinasoft-spy-app-on-android-phones.html) { rewrite ^ /how-to-spy-android-phones.html permanent; }
配置列出文件列表示例
[root@web:/usr/local/nginx/conf]# more admin_vhost.d/rewrite.chinasoft.cn.conf server { listen 80; server_name rewrite.chinasoft.cn ; access_log /data/www/logs/nginx_log/access/rewrite.chinasoft.cn_access.log main ; error_log /data/www/logs/nginx_log/error/rewrite.chinasoft.cn_error.log ; root /usr/local/nginx/conf/rewrite.d ; #index index.html index.shtml index.php ; error_page 404 /404.html; autoindex on; location ~ \.php$ { proxy_pass http://php_pool; include proxy_params; access_log off; } } [root@web:/usr/local/nginx/conf]# more nginx.conf #user nobody; worker_processes 8; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; pid /data/www/logs/nginx.pid; worker_rlimit_nofile 65535; events { use epoll; worker_connections 10240; accept_mutex off; } http { include mime.types; default_type application/octet-stream; #set_real_ip_from 0.0.0.0/0; #real_ip_header X-Forwarded-For; #proxy_set_header Host $host; #proxy_set_header X-Real-IP $remote_addr; #proxy_set_header X-Forwarded-For $http_x_forwarded_for; #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_headers_hash_max_size 51200; proxy_headers_hash_bucket_size 6400; ssl_session_cache shared:SSL:200m; ssl_session_timeout 15m; lua_package_path "/usr/local/nginx/conf/ngx_lua_waf/?.lua"; lua_shared_dict limit 10m; init_by_lua_file /usr/local/nginx/conf/ngx_lua_waf/init.lua; access_by_lua_file /usr/local/nginx/conf/ngx_lua_waf/waf.lua; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; # log_format main '[$time_local] $remote_addr $status $request_time $body_bytes_sent "$request" "$http_referer" $upstream_addr $http_x_real_ip $http_x_forwarded_for $http_user_agent $request_filename'; log_format main '$remote_addr - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_cookie" "$request_body" "$http_user_agent" $request_time '; # log_format test '[$fastcgi_script_name] [$time_local] $remote_addr $status $request_time $body_bytes_sent "$request" "$http_referer" $upstream_addr $http_x_real_ip $http_x_forwarded_for $http_user_agent '; log_format error '$remote_addr - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time '; #access_log logs/access.log main; sendfile on; tcp_nodelay on; keepalive_timeout 90; #----for upload file client_max_body_size 8M; client_body_buffer_size 2M; #--- for resolve 400 error client_header_buffer_size 64k; large_client_header_buffers 4 64k; proxy_connect_timeout 90s; proxy_read_timeout 90s; #60s内后端服务器需要返回成功 proxy_send_timeout 90s; proxy_buffer_size 16k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_ignore_client_abort on; proxy_intercept_errors on; gzip on; gzip_vary off; gzip_min_length 1k; gzip_buffers 4 16k; gzip_http_version 1.0; gzip_comp_level 5; gzip_disable "MSIE [1-6]\."; gzip_types text/plain text/css text/javascript application/javascript application/x-javascript text/xml application/xml application/wasm; ssi on; ssi_silent_errors on; #ssi_types text/shtml; expires 60d; server_names_hash_bucket_size 20480; #if_modified_since before; #limit_req_zone $binary_remote_addr zone=all_zone:10m rate=3r/s; #limit_req zone=all_zone burst=2 nodelay; upstream php_pool{ ip_hash; #server 192.168.254.122:8080 max_fails=0 fail_timeout=30s weight=1; #server 192.168.254.123:8080 max_fails=0 fail_timeout=30s weight=1; #server 192.168.254.124:8080 max_fails=0 fail_timeout=30s weight=3; #server 192.168.254.125:8080 max_fails=0 fail_timeout=30s weight=3; server 192.168.254.11:8080 max_fails=0 fail_timeout=30s weight=3; check interval=3000 rise=2 fall=5 timeout=1000 type=tcp port=8080; check_keepalive_requests 100; # check_http_send "HEAD / HTTP/1.1\r\nConnection: keep-alive\r\n\r\n"; check_http_expect_alive http_2xx http_3xx; } include vhost.d/*.conf; include admin_vhost.d/*.conf; server { listen 80 default_server; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root /data/www/html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } location /ws_status { stub_status on; access_log off; } location /status { check_status html; access_log off; allow 127.0.0.1; deny all; } } }
