使用nginx配置tcp层负载均衡
nginx配置(注意:下面的配置写在 http 块中,属于七层 HTTP 反向代理;四层 TCP 负载均衡需要使用 stream 块)
# Connection-processing settings for the worker processes.
events {
# Upper bound on simultaneous connections per worker process. The count
# includes connections to the upstream servers, not only client connections,
# so a proxied request uses two slots.
worker_connections 1024;
}
# HTTP (layer-7) reverse proxy: accepts HTTP on 80 and TLS on 443, then
# balances requests across the two backends in "upstream lb".
# NOTE(review): this is the http module, not the stream module, so nginx
# parses and rewrites HTTP here rather than forwarding raw TCP.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
charset utf-8;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
# Request bodies up to 1024M are accepted from any client.
# NOTE(review): lower this if no endpoint needs uploads of that size; a
# large limit makes it cheaper for a client to consume disk and bandwidth.
client_max_body_size 1024M;
client_body_buffer_size 4M;
proxy_buffer_size 8k; # https://bugzilla.grandstream.com/bugzilla/show_bug.cgi?id=85177
# "main" is defined but not referenced in this file: the access_log line that
# uses it is commented out and the server block below logs with "access".
# $http_x_forwarded_for is whatever the client sent, so treat that field as
# untrusted when reading logs.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
# Everything matching this glob is loaded into the http context, including
# any additional server blocks those files define.
include /etc/nginx/conf.d/*.conf;
# Log format used by the server block below. Adjacent quoted strings are
# concatenated as written, so the last four fields (AGENT, Veryfied State,
# Client Certificate, Backend) run together with no separator.
# $ssl_client_verify and $ssl_client_cert carry data only when client
# certificate verification is enabled; no ssl_verify_client directive is
# visible in this file, so they are presumably "NONE"/empty here.
# NOTE(review): $ssl_client_cert writes the whole PEM certificate (multi-line)
# into every log entry and is marked deprecated in the nginx documentation in
# favour of $ssl_client_escaped_cert; logging $ssl_client_s_dn or
# $ssl_client_fingerprint is usually enough for auditing.
log_format access
'$time_local[$request_time] - $status - '
'FROM[$remote_addr][$http_x_forwarded_for] TO [$http_host] - '
'$request - '
'REFERER[$http_referer] - '
'AGENT[$http_user_agent]'
'Veryfied State[$ssl_client_verify]'
'Client Certificate[$ssl_client_cert]'
'Backend[$upstream_addr]';
# Backend pool. Both servers have equal weight; a server that fails 3 times
# within 5s is considered unavailable for the next 5s.
upstream lb {
server 192.168.130.213:80 weight=5 max_fails=3 fail_timeout=5s;
server 192.168.220.213:80 weight=5 max_fails=3 fail_timeout=5s;
# Sticky routing keyed on the client address (for IPv4 the first three
# octets), so clients behind the same NAT or /24 land on the same backend.
ip_hash;
}
server {
# The same server block answers on plaintext port 80 and on TLS port 443.
# NOTE(review): no redirect from HTTP to HTTPS is visible here, so all
# content is also reachable unencrypted.
listen 0.0.0.0:80;
listen 0.0.0.0:443 ssl;
#server_name default;
# Overrides the http-level keepalive_timeout of 65 for this server.
keepalive_timeout 80;
# Certificate and private key are read from the same file, so that PEM must
# contain both. Because it holds the private key, keep it readable only by
# the account that starts nginx. The path is relative; nginx resolves it
# against its configuration prefix.
ssl_certificate keys/gdms.pem;
ssl_certificate_key keys/gdms.pem;
# Only TLS 1.2 and 1.3 are offered; older protocol versions are disabled.
ssl_protocols TLSv1.2 TLSv1.3;
# One-hour timeouts toward the backend and toward the client.
# NOTE(review): the nginx documentation states that proxy_connect_timeout
# usually cannot exceed 75 seconds, so 3600 has no practical effect there.
# The hour-long read/send timeouts let idle or very slow connections hold a
# worker_connections slot for a long time; keep them only if the
# application really has requests that long, ideally scoped to the
# locations that need them.
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
send_timeout 3600;
access_log /var/log/nginx/access.log access;
location / {
# Traffic to the backends is plain HTTP, also for clients that connected
# over TLS; TLS ends at this proxy.
proxy_pass http://lb;
# Overwrites any X-Forwarded-For the client supplied with the address of
# the directly connected peer, so the backend never sees a
# client-controlled chain. ($proxy_add_x_forwarded_for would append
# instead and keep the client-supplied part.)
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
# Backends should honour these two headers only on requests that arrive
# from this proxy.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
}
}
需要透传客户端IP时,需要在后端服务器的nginx上增加如下配置:
# Backend-side nginx: replace the connection address with the client address
# taken from the header set by the front proxy. These directives come from
# ngx_http_realip_module, which must be compiled into the backend's nginx.
http {
# The header is honoured only for requests arriving from this single address.
# Keep the list limited to proxies you operate: any host matched here can
# dictate the address that logs, rate limits and allow/deny rules will see.
set_real_ip_from 192.168.130.99/32;
# Header that carries the client address.
real_ip_header X-Forwarded-For;
# With "on", trusted addresses in the header are skipped and the last
# non-trusted address is used as the client address.
real_ip_recursive on;
}
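这组Nginx配置用于获取真实客户端IP。set_real_ip_from指定可信代理IP(192.168.130.99),只有来自该地址的请求才会被替换客户端地址;real_ip_header表示从X-Forwarded-For头取IP;real_ip_recursive on开启递归查找,会排除可信代理自身的IP,最终从该头中提取最右侧非代理的真实客户端IP。需要注意:X-Forwarded-For可以由客户端任意伪造,因此set_real_ip_from只应填写自己控制的代理地址,不要写成过大的网段;同时前端代理应像上文那样用$remote_addr覆盖该头,而不是原样转发客户端传入的值。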
