记录Nginx反向代理常用配置

Nginx 代理 websocket 关键配置

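# Proxy WebSocket upgrades (put these inside the location/server that proxies).
# $connection_upgrade must be defined by a map in the http {} context -- the
# same map is shown further down on this page:
#   map $http_upgrade $connection_upgrade { default upgrade; '' close; }
# With the map, ordinary HTTP requests get "Connection: close" instead of the
# literal "upgrade" that the old form sent on every request, which confuses
# upstream keepalive and is not what non-WebSocket requests mean.
proxy_http_version  1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;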

Nginx 代理 https关键配置

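listen  443 ssl;
#SSL-START SSL
ssl_certificate certs/server.crt;
ssl_certificate_key certs/server.key;
# TLS 1.0/1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx >= 1.13.0 built
# against OpenSSL >= 1.1.1; on an older build leave only TLSv1.2.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
# A shared session cache enables server-side TLS session resumption; the
# timeout below then bounds how long a cached session stays valid.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
#SSL-END
# In some cases the following two directives are also needed.
# Only enable when mixed-content (http:// sub-resources) is actually a problem.
add_header Content-Security-Policy upgrade-insecure-requests;
# Tell the upstream which scheme the client used. $scheme is "https" on this
# listener and stays correct if the same block later also listens on port 80.
proxy_set_header X-Forwarded-Proto $scheme;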

子域名泛代理关键配置

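# Match any subdomain of domain.com and capture it into $subdomain.
# The dots are escaped: an unescaped "." matches any character, so the
# original pattern also accepted hosts such as "foo.domainXcom". The capture
# is greedy, so "a.b.domain.com" yields "a.b".
server_name  ~^(?<subdomain>.+)\.domain\.com$;
# Forward the captured label to the upstream. It is derived from the client's
# Host header, so the upstream must treat it as untrusted input.
proxy_set_header   DEFINE-REDIRECT    $subdomain;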

允许跨域关键配置

# Allow cross-origin requests.
# proxy_redirect default; # enable depending on the situation
# "*" accepts any origin (browsers still refuse credentialed requests against
# a wildcard); narrow it to the real front-end origin where possible.
add_header Access-Control-Allow-Origin *;
# NOTE: add_header is only applied to 2xx/3xx responses unless "always" is
# appended, and a location that sets its own add_header does not inherit these.
add_header Access-Control-Allow-Headers X-Requested-With;
# Preflight OPTIONS requests are still passed to the upstream unless answered here.
add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

综合案例:

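server {
        # Port 80 is served in clear text here (no redirect); see the
        # "force HTTPS" variants further down for redirecting it.
        listen  80;
        listen  443 ssl;
        server_name  jumpserver.domain.com;
        # Wildcard-subdomain alternative. If it is enabled, the DEFINE-REDIRECT
        # header below can be enabled too (it needs the $subdomain capture).
        # server_name  ~^(?<subdomain>.+)\.domain\.com$;
        #access_log /var/log/nginx/pro.log;

        #ssl on; # normally not enabled: "listen 443 ssl" is sufficient
        #SSL-START SSL
        ssl_certificate certs/certificate.crt;
        ssl_certificate_key certs/certificate.key;
        # TLS 1.0/1.1 are deprecated (RFC 8996); drop TLSv1.3 only if the
        # nginx/OpenSSL build does not support it.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        #SSL-END

        location  / {
                # add_header Content-Security-Policy upgrade-insecure-requests;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # $scheme is http or https depending on which listener took the request.
                proxy_set_header X-Forwarded-Proto $scheme;
                # $subdomain exists only when the regex server_name above is active;
                # with the literal server_name nginx refuses to start on the unknown
                # variable, so this stays commented until the regex is enabled.
                # proxy_set_header   DEFINE-REDIRECT    $subdomain;
                client_max_body_size    10240m;
                proxy_pass http://172.18.5.198:80;

                # Proxy WebSocket upgrades. $connection_upgrade must be defined by
                # "map $http_upgrade $connection_upgrade { default upgrade; '' close; }"
                # in the http {} context (shown further down); the map keeps plain
                # requests from carrying a "Connection: upgrade" header.
                proxy_http_version  1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;

                # Allow cross-origin requests (optional; "*" is permissive)
                #proxy_redirect default;
                #add_header Access-Control-Allow-Origin *;
                #add_header Access-Control-Allow-Headers X-Requested-With;
                #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }

        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root html;
        }
}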

代理websocket时

http {
# Map the client's Upgrade header to the Connection value sent upstream:
# WebSocket handshakes get "upgrade", everything else gets "close".
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}   

# NOTE(review): "192.168.0.18080" / "192.168.0.28080" are not valid
# address:port values -- presumably a colon is missing (e.g. host:8080);
# confirm against the real backends before using this block.
upstream backend {
  server 192.168.0.18080 weight=1 max_fails=2 fail_timeout=30s;
  server 192.168.0.28080 weight=1 max_fails=2 fail_timeout=30s;
  # Idle keepalive connections to the upstream; requires proxy_http_version 1.1
  # and a Connection header that is not "close" for non-upgrade requests (the map above).
  keepalive 300;
}   
server {
# Catch-all listener on 8080 (empty server_name = matches any Host).
listen 8080 default_server;
server_name "";
location / {
proxy_pass http://backend;

proxy_connect_timeout 15;       #connect timeout to the upstream server (no unit = seconds; cannot usually exceed 75s)
proxy_read_timeout 60s;           #how long nginx waits for a response (between two successive reads)
proxy_send_timeout 12s;           #timeout for sending the request to the upstream (between two successive writes)   
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
}

强制跳转https【合并一起】

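server {
        listen  80;
        listen  443 ssl;
        server_name  xxx.domain.com;
        #access_log /var/log/nginx/pro.log;

        #ssl on; # deprecated since nginx 1.15.0; "listen 443 ssl" is enough
        #SSL-START SSL
        ssl_certificate certs/certificate.crt;
        ssl_certificate_key certs/certificate.key;
        # TLS 1.0/1.1 are deprecated (RFC 8996); drop TLSv1.3 only if the
        # nginx/OpenSSL build does not support it.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        #SSL-END

        # Force HTTPS. This block only listens on 80 and 443, so "$scheme = http"
        # is true exactly when the request arrived on port 80; the second test
        # "if ($server_port = 80)" that used to follow was redundant.
        # $server_name is the literal name above -- it would be the raw regex
        # text if a regex server_name were used, so use $host in that case.
        if ($scheme = http) {
                return 301 https://$server_name$request_uri;
        }
        # 497 = plain HTTP sent to the HTTPS port; nginx answers with a redirect
        # (302 by default; "error_page 497 =301 ..." makes it permanent).
        error_page 497 https://$server_name$request_uri;
        # Optional once HTTPS is known to work for the whole site (browsers
        # remember it for max-age):
        # add_header Strict-Transport-Security "max-age=31536000" always;

        location  / {
                # add_header Content-Security-Policy upgrade-insecure-requests;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Only HTTPS requests get this far, so the upstream sees the real scheme.
                proxy_set_header X-Forwarded-Proto $scheme;
                # proxy_set_header   DEFINE-REDIRECT    $subdomain; # needs the regex server_name capture
                client_max_body_size    10240m;
                proxy_pass http://172.18.5.128:80;
                # Allow cross-origin requests (optional; "*" is permissive)
                #proxy_redirect default;
                #add_header Access-Control-Allow-Origin *;
                #add_header Access-Control-Allow-Headers X-Requested-With;
                #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }


        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root html;
        }
}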

或者:【独立分开】

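server {
    listen  80;
    server_name xxx.domain.com;
    # Permanent redirect to HTTPS. "return" is cheaper than a regex rewrite and
    # $request_uri already carries the query string. $host echoes the client's
    # Host header; it is pinned by server_name here, but if this block ever
    # becomes the default_server use the literal host name instead so a
    # forged Host header cannot steer the redirect elsewhere.
    return 301 https://$host$request_uri;
}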

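server {
        listen 443 ssl;
        server_name xxx.domain.com;
        #access_log /var/log/nginx/pro.log;

        # "ssl on;" was removed: it is deprecated since nginx 1.15.0 and
        # "listen 443 ssl" above already enables TLS. It was also the only TLS
        # directive in this block, leaving the protocol list at the build
        # default (TLS 1.0/1.1 still enabled on older builds); the explicit
        # settings below match the other server blocks on this page.
        #SSL-START SSL
        ssl_certificate certs/certificate.crt;
        ssl_certificate_key  certs/certificate.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        #SSL-END

        location  / {
                # add_header Content-Security-Policy upgrade-insecure-requests;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # This server only listens with TLS, so $scheme is always "https".
                proxy_set_header X-Forwarded-Proto $scheme;
                # proxy_set_header   DEFINE-REDIRECT    $subdomain; # needs the regex server_name capture
                client_max_body_size    10240m;
                proxy_pass http://172.18.5.128:80;
                # Allow cross-origin requests (optional; "*" is permissive)
                #proxy_redirect default;
                #add_header Access-Control-Allow-Origin *;
                #add_header Access-Control-Allow-Headers X-Requested-With;
                #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }

        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root html;
        }
}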

或者:【推荐】采用break会直接继续往下执行,而不是重新匹配,效率稍高些。

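server {
        listen  80;
        listen  443 ssl;
        server_name xxx.domain.com;
        #access_log /var/log/nginx/pro.log;

        #ssl on; # deprecated since nginx 1.15.0; "listen 443 ssl" is enough
        #SSL-START SSL
        ssl_certificate certs/certificate.crt;
        ssl_certificate_key certs/certificate.key;
        # TLS 1.0/1.1 are deprecated (RFC 8996); drop TLSv1.3 only if the
        # nginx/OpenSSL build does not support it.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        #SSL-END
        location  / {
                # add_header Content-Security-Policy upgrade-insecure-requests;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Only HTTPS requests reach proxy_pass, so the upstream sees "https".
                proxy_set_header X-Forwarded-Proto $scheme;
                # proxy_set_header   DEFINE-REDIRECT    $subdomain; # needs the regex server_name capture
                client_max_body_size    10240m;

                # Force HTTPS. This block only listens on 80 and 443, so a single
                # "$scheme = http" test covers the old "$server_port = 80" test too.
                # The earlier "rewrite ^(.*)$ https://$host$1 break;" is replaced:
                # when a rewrite replacement starts with "https://", nginx stops and
                # sends the client a redirect right away, so "break" never takes
                # effect and the status is 302 (temporary) unless "permanent" is
                # given. "return 301" is the explicit, cheaper way to say the same.
                if ($scheme = http) {
                        return 301 https://$host$request_uri;
                }
                proxy_pass http://172.18.5.128:80;
                # Allow cross-origin requests (optional; "*" is permissive)
                #proxy_redirect default;
                #add_header Access-Control-Allow-Origin *;
                #add_header Access-Control-Allow-Headers X-Requested-With;
                #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        }
        
        # 497 = plain HTTP sent to the HTTPS port; redirect the client to HTTPS.
        error_page 497 https://$server_name$request_uri;
        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root html;
        }
}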

Nginx全局调优

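user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;
    ## Global CORS: applies to every response of every server included below
    ## that does not set add_header itself (a location with its own add_header
    ## drops these). "*" is permissive -- prefer setting it per site.
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Headers X-Requested-With;
    add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

    # Tuning
    client_header_buffer_size 16k;
    large_client_header_buffers 4 64k;
    client_max_body_size    10240m;   # 10 GiB request-body limit
    client_body_buffer_size 256k;
    # Upstream connect timeout (seconds). nginx documents that it cannot usually
    # exceed 75s -- the OS TCP handshake timeout applies first -- so the former
    # value of 1200 bought nothing and contradicted the 75s note earlier on this page.
    proxy_connect_timeout 75;
    proxy_read_timeout  1200;   # 20 min between two successive reads from the upstream
    proxy_send_timeout  6000;   # 100 min between two successive writes to the upstream
    proxy_buffer_size  32k;
    proxy_buffers   4 64k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 10m;

    include /etc/nginx/conf.d/*.conf;
}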

【推荐】Vue.js等前端代理,http自动跳转https,分开编写效率最高。

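server {
        listen  80;
        server_name domain.com;
        # Permanent redirect to HTTPS. "return" is cheaper than a regex rewrite
        # and $request_uri already carries the query string. $host echoes the
        # client's Host header; server_name pins it here, but if this block ever
        # becomes the default_server use the literal host name instead.
        return 301 https://$host$request_uri;
}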

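server {
        listen  443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  domain.com;
        #access_log /var/log/nginx/pro.log;

        #ssl on; # deprecated since nginx 1.15.0; "listen 443 ssl" is enough
        #SSL-START SSL
        ssl_certificate certs/domain_bundle.crt;
        ssl_certificate_key certs/domain.key;
        # TLS 1.0/1.1 are deprecated (RFC 8996); drop TLSv1.3 only if the
        # nginx/OpenSSL build does not support it.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        #SSL-END

        location  / {
                # Upload limit (10240m = 10 GiB, not 1 GiB as the old comment said)
                client_max_body_size    10240m;

                # Everything not matched by a longer prefix below is internally
                # redirected to the static app under /omo/. There is no proxy_pass
                # in this location, so the proxy_set_header lines that used to be
                # here had no effect, and add_header values from this location do
                # not survive the "last" rewrite (the final location's apply).
                rewrite ^/(.*)$ /omo/$1 last;
        }

        location /api {
                # Pass the real client information to the upstream
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;

                # Allow cross-origin requests ("*" is permissive; restrict it to the
                # front-end origin if this API is not meant to be public)
                add_header Access-Control-Allow-Origin *;
                add_header Access-Control-Allow-Headers X-Requested-With;
                add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

                # Strip the /api prefix before proxying.
                rewrite ^.+api/?(.*)$ /$1 break;
                # uwsgi_params only defines uwsgi_param values; it is harmless with
                # proxy_pass but only needed when uwsgi_pass is used.
                include uwsgi_params;
                proxy_pass http://172.18.5.175:9999;
        }

        location /omo/ {
                # autoindex on;
                # Do not cache HTML so a new deployment is picked up immediately.
                if ($request_filename ~* .*\.(?:htm|html)$) {
                        add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
                        # "access_log on;" was removed: access_log takes a path or
                        # "off", so "on" logged to a file literally named "on".
                }
                # Static files served by nginx. Keep the trailing slash on BOTH the
                # location and the alias: if the location lacks it while the alias
                # has it, a request like "/omo../" resolves outside the alias root.
                alias /srv/webapps/omo/;
                index  index.html index.htm;
        }

        location  /xkw {
                # The upstream is a third party; the client's Host / X-Forwarded-*
                # headers are deliberately not passed on.
                # proxy_set_header Host $host;
                # proxy_set_header X-Real-IP $remote_addr;
                # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                # Upload limit (10240m = 10 GiB, not 1 GiB)
                client_max_body_size    10240m;

                # Allow cross-origin requests (disabled)
                #add_header Access-Control-Allow-Origin *;
                #add_header Access-Control-Allow-Headers X-Requested-With;
                #add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

                # Strip the /xkw prefix; note that any path a client sends after
                # /xkw is relayed to the remote host as-is.
                rewrite ^.+xkw/?(.*)$ /$1 break;
                include uwsgi_params;
                # External HTTPS upstream. Send SNI so the remote host can select
                # its certificate. By default nginx does NOT verify the upstream
                # certificate (proxy_ssl_verify is off); enable it together with a
                # proxy_ssl_trusted_certificate bundle if this path carries
                # anything sensitive.
                proxy_ssl_server_name on;
                proxy_pass https://staticzujuan.xkw.com:443;
        }

        error_page 500 502 503 504  /50x.html;
        location = /50x.html {
                root   /usr/share/nginx/html;
        }
}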