nginx的基本使用及配置负载均衡、解决前后端分离跨域问题

1.作用:做请求转发,负载均衡,反向代理;静态文件与项目web的分离,正向代理;

2.请求过程:反向代理过程

客户端——》nginx——》tomcat服务器

tomcat服务器——》nginx——》客户端

3.场景运用:前后端分离项目,需要解决跨域,需要用https请求,需要负载均衡,需要静态文件的正向代理

比如访问 https://XXXX:7443/zlj_jhpt 时,请求会被转发到 XXXX.70:6443 上项目名称为 zlj_jhpt 的项目

1).https请求到外网nginx服务器,外网nginx需要请求到交换平台的接口
2).外网tomcat配置 7443端口,且服务器入站规则开放7443端口,ecs安全组规则加入7443端口
3).交换平台ecs安全组加6443端口,服务器入站规则加6443端口

4.注意点:

1).https请求时Nginx配置ssl证书和tomcat配置ssl证书,其中面向互联网的nginx证书必须是由受信任CA(根证书受浏览器信任的证书颁发机构)签发的证书,即被所有浏览器信任的证书,通常由信息中心分配或者在阿里云申请

2).被代理的tomcat服务器需要开https端口配置ssl证书,这个证书可以用jdk自带的命令生成即可,具体见上次写的:https://www.cnblogs.com/tongcc/p/15543436.html
3).阿里云服务器安全组开端口,服务器本地入站规则开端口

5.重点配置分析:

upstream标签

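upstream zlj_jhpt {
    # Load-balancing method. Stock nginx offers round-robin (the default),
    # per-server weight, ip_hash, least_conn and hash; "fair" and "url_hash"
    # historically come from third-party modules.
    # nginx only recognises '#' comments: the former trailing "// ..." text
    # was parsed as the start of a new directive and breaks the config test.
    ip_hash;
    server XXXX.70:443 weight=1 max_fails=10 fail_timeout=120s;
    server XXXX.70:6443 weight=1 max_fails=10 fail_timeout=120s;
    #server XXXX.72:8080 weight=1 max_fails=10 fail_timeout=120s;
    # Idle connections kept open to the backends per worker. It only takes
    # effect when the proxying location uses HTTP/1.1 and clears the
    # Connection header; presumably done in proxy.conf (not shown), confirm.
    keepalive 64;
}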

server标签

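server {

    listen 7443 ssl;   # TLS listener port
    # server_name is compared with the Host header after the port has been
    # stripped, so only the host name belongs here (was "XXXX:7443").
    server_name XXXX;
    ssl_certificate D:/zlj_ssl/_.XXXX_bundle.crt;            # certificate file (a chain bundle, judging by the name)
    ssl_certificate_key D:/zlj_ssl/.XXXX_RSA.XXXX_RSA.key;   # private key, not a certificate: keep its file ACL limited to the nginx service account

    ssl_session_cache shared:SSL:1m;   # session cache shared by all worker processes
    ssl_session_timeout 5m;

    #ssl_ciphers HIGH:!aNULL:!MD5;
    # Forward-secret AEAD suites only. The previous string
    # "AESGCM:ALL:!DH:..." started from ALL and relied on exclusions, which
    # still admitted CBC/SHA-1 and static-RSA key exchange suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the list.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop that
    # token on older builds, and check that legacy clients still connect.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # NOTE(review): "ISO-88509-1" is not a registered charset name (probably a
    # typo for ISO-8859-1). Left unchanged because correcting it changes how
    # browsers decode the pages; confirm the real encoding (utf-8 for Chinese
    # content?) before fixing.
    charset ISO-88509-1;

    # Front-end page: https://XXXX:7443/zhejiang-social-assistance/zhejiang-social-assistance.html#/five-help/how-help
    # API endpoint:   https://XXXX:7443/zlj_jhpt/api/five-help/help-how-going/count


    # API path mapping.
    # NOTE(review): the target looks like this same listener, so a request
    # would re-enter through "location /zlj_jhpt" and the backend may see
    # nginx's own address as the client on the second hop; confirm.
    location /api/ {
        proxy_pass https://XXXX:7443/zlj_jhpt/api/;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Front-end page mapping.
    # Forward slashes: nginx on Windows expects UNIX-style paths, and a
    # backslash followed by t, n or r is read as an escape sequence.
    location /zhejiang-social-assistance/ {
        root D:/working/yw_szzfdp/web;
        expires 12h;
        # HSTS applies to the host, not to this port: browsers will upgrade
        # plain-http requests to this host name, and includeSubdomains/preload
        # extend that to every subdomain. Confirm no http-only service shares it.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    }

    # Static resources served by nginx itself, e.g. project images kept on
    # the nginx server.
    # Trailing slash on both the location and the alias so the prefix cannot
    # match sibling names such as ".../imagesX" and map outside the directory.
    # NOTE(review): URL says "happyCode", disk path says "happlyCode"; confirm
    # which spelling exists on disk.
    location /stwx/happyCode/images/ {
        alias D:/zly_cache/stwx/happlyCode/images/;
        expires 12h;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    }


    # Tomcat project mapping and CORS handling.
    location /zlj_jhpt {
        # For one fixed backend write ip:port/project here; for load balancing
        # reference an upstream block by name, as done below.
        proxy_pass https://zlj_jhpt;
        include proxy.conf;
        # nginx does not verify the backend certificate unless proxy_ssl_verify
        # is on. With a self-signed Tomcat certificate the hop is encrypted but
        # not authenticated; to pin it, enable proxy_ssl_verify and point
        # proxy_ssl_trusted_certificate at that certificate.

        # CORS. The original sent "Access-Control-Allow-Origin: *" together
        # with "Access-Control-Allow-Credentials: true" (to allow pages opened
        # as local files). Browsers reject that pair for credentialed requests,
        # and a wildcard lets any site read the API responses. Name the one
        # allowed front-end origin instead; pages served from this same
        # host:port are same-origin and need no CORS headers at all.
        # Sent for every method, so OPTIONS preflights are covered and the
        # duplicated per-method "if" blocks are no longer needed.
        add_header 'Access-Control-Allow-Origin' 'https://FRONTEND-ORIGIN-PLACEHOLDER' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
    }

}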

6.其他配置

虚拟处理器查看:

 

 

5.其他配置分析

#user nobody;
# worker_processes: number of worker processes, usually sized to the CPU.
# Author's note: the host is dual-core / 4 threads, so 4 would fit, but a
# Tomcat instance shares this server, hence 3.
worker_processes 3;

# Error log with minimum severity "warn".
# Available levels: debug | info | notice | warn | error | crit
error_log logs/error.log warn;

pid logs/nginx.pid;

#worker_rlimit_nofile 65535;

# Upper bound on simultaneous connections a single worker process may hold.
events {
    worker_connections 8192;
}

http {
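# http-level defaults inherited by every server block below.
include mime.types;

default_type application/octet-stream;

fastcgi_intercept_errors on;

# "main" log format: backend address first, then client address, user,
# timestamp, request line, status, size, referer, user agent and the
# X-Forwarded-For header as received.
log_format main '"$upstream_addr" $remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

# Access logging is switched on (it was "access_log off;"). On an
# internet-facing reverse proxy these records are the main source for
# detection and incident reconstruction; set up rotation for the file.
access_log logs/access.log main;
open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;

server_names_hash_bucket_size 128;

# Request header / body buffers and limits. These are generous values;
# every connection may claim them, so they also bound memory under load.
large_client_header_buffers 4 64k;

client_header_buffer_size 32k;

client_body_buffer_size 5120k;

# Largest request body accepted (uploads); larger requests get 413.
client_max_body_size 100m;

# Do not reveal the nginx version in error pages and the Server header.
server_tokens off;

ignore_invalid_headers on;
recursive_error_pages on;

server_name_in_redirect off;

sendfile on;

tcp_nopush on;

tcp_nodelay on;

keepalive_requests 3000;

keepalive_timeout 120;

# Short client-side timeouts limit how long a slow client can hold a worker slot.
client_body_timeout 12;
client_header_timeout 12;
send_timeout 10;

# Directory listings stay disabled.
autoindex off;

include gzip.conf;

map_hash_bucket_size 64;

# FastCGI tuning (timeouts and buffer sizes), described by the author as
# performance settings. NOTE(review): no fastcgi_pass is visible in this
# file, so these may be unused here; confirm.
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 128k;
fastcgi_buffers 8 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;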
# upstream block: the backend address(es) and port(s) requests are mapped to.
# Balancing methods named by the author: round-robin (default), weight,
# ip_hash, url_hash and fair (the last two come from third-party modules).
upstream stwx {
    ip_hash;
    server XXXX.206:8080 weight=1 max_fails=10 fail_timeout=120s;
    #server XXXX.72:8080 weight=1 max_fails=10 fail_timeout=120s;
    keepalive 64;
}


upstream zlj_jhpt {
    # Client-address affinity; with a single active server it has no
    # balancing effect yet.
    ip_hash;
    # Exchange-platform backend address
    server XXXX.70:443 weight=1 max_fails=10 fail_timeout=120s;
    #server XXXX.70:8088 weight=1 max_fails=10 fail_timeout=120s;
    #server XXXX.72:8080 weight=1 max_fails=10 fail_timeout=120s;
    keepalive 64;
}

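# server block: one listener per block; defines the paths clients may request.
server {
    # Listens on port 7443 with TLS.
    listen 7443 ssl;
    # Host name clients use. server_name is matched against the Host header
    # with the port already stripped, so the port is not part of it
    # (was "XXXX:7443").
    server_name XXXX;
    ssl_certificate D:/zlj_ssl/_.XXXX_bundle.crt;
    # Private key: keep the file ACL limited to the nginx service account.
    ssl_certificate_key D:/zlj_ssl/.XXXX_RSA.XXXX_RSA.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    #ssl_ciphers HIGH:!aNULL:!MD5;
    # Forward-secret AEAD suites only. The previous string
    # "AESGCM:ALL:!DH:..." started from ALL and relied on exclusions, which
    # still admitted CBC/SHA-1 and static-RSA key exchange suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the list.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop that
    # token on older builds, and check that legacy clients still connect.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # NOTE(review): "ISO-88509-1" is not a registered charset name (probably a
    # typo for ISO-8859-1). Left unchanged because correcting it changes how
    # browsers decode the pages; confirm the real encoding first.
    charset ISO-88509-1;

    # Project root path, e.g. https://XXXX:7443/zlj_jhpt reaches the project
    # named zlj_jhpt on XXXX.70:443.
    location /zlj_jhpt {
        proxy_pass https://zlj_jhpt;
        include proxy.conf;
        # nginx does not verify the backend certificate unless proxy_ssl_verify
        # is on; with a self-signed Tomcat certificate the hop is encrypted but
        # not authenticated. To pin it, enable proxy_ssl_verify and point
        # proxy_ssl_trusted_certificate at that certificate.

        # CORS. The original sent "Access-Control-Allow-Origin: *" together
        # with "Access-Control-Allow-Credentials: true" (to allow pages opened
        # as local files). Browsers reject that pair for credentialed requests,
        # and a wildcard lets any site read the API responses. Name the one
        # allowed front-end origin instead. Sent for every method, so OPTIONS
        # preflights are covered without per-method "if" blocks.
        add_header 'Access-Control-Allow-Origin' 'https://FRONTEND-ORIGIN-PLACEHOLDER' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
    }


    # NOTE(review): no "upstream st" block is visible in this file; without
    # one nginx resolves "st" as a host name at start-up. Confirm it exists.
    location /st {
        proxy_pass https://st;
        include proxy.conf;
        # Same CORS policy as /zlj_jhpt: one explicit origin, never "*" with
        # credentials.
        add_header 'Access-Control-Allow-Origin' 'https://FRONTEND-ORIGIN-PLACEHOLDER' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
    }

}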

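# Plain-HTTP listener proxying /stwx to the "stwx" upstream.
server {
    listen 80;
    server_name localhost XXXX;

    # NOTE(review): "ISO-88509-1" is not a registered charset name (probably a
    # typo for ISO-8859-1); confirm the real encoding before correcting it.
    charset ISO-88509-1;

    location /stwx {
        proxy_pass http://stwx;
        include proxy.conf;
    }

    # Connection counters from stub_status. They describe server load and
    # should not be readable by arbitrary clients, so access is limited to
    # the local host; add an "allow" line for the monitoring host if needed.
    location /nginxstatus {
        stub_status on;
        # "access_log on;" does not switch logging on: the argument is a file
        # path, so nginx wrote to a file literally named "on". Log to the
        # regular access log in the "main" format instead.
        access_log logs/access.log main;
        allow 127.0.0.1;
        deny all;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    error_page 404 /404.html;
}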


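# Plain-HTTP listener for shzz.XXXX proxying /switch_stshzz.
server {
    listen 80;
    server_name localhost shzz.XXXX;

    # NOTE(review): "ISO-88509-1" is not a registered charset name (probably a
    # typo for ISO-8859-1); confirm the real encoding before correcting it.
    charset ISO-88509-1;

    # NOTE(review): no "upstream switch_stshzz" block is visible in this file;
    # without one nginx resolves the name as a host at start-up. Confirm.
    location /switch_stshzz {
        proxy_pass http://switch_stshzz;
        include proxy.conf;
    }

    # Connection counters from stub_status. They describe server load and
    # should not be readable by arbitrary clients, so access is limited to
    # the local host; add an "allow" line for the monitoring host if needed.
    location /nginxstatus {
        stub_status on;
        # "access_log on;" does not switch logging on: the argument is a file
        # path, so nginx wrote to a file literally named "on". Log to the
        # regular access log in the "main" format instead.
        access_log logs/access.log main;
        allow 127.0.0.1;
        deny all;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    error_page 404 /404.html;
}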
# Listener on 8800 that answers every request with a permanent redirect.
server {
    listen 8800;
    server_name localhost XXXX.206;

    # NOTE(review): the redirect target is plain http on port 8089, which no
    # server block in this file listens on; confirm the destination.
    return 301 http://XXXX:8089/st;
}
}

 

 
