企业官网建设流程全解析

网站 前端,wordpress 获取当前文章id,重生做网站小说,做的网站上更改内容改怎么办Nginx反向代理与负载均衡实战指南本文详解Nginx反向代理原理、配置技巧和负载均衡策略#xff0c;从入门到生产级实践。前言 Nginx是最流行的Web服务器和反向代理#xff1a; 全球使用率超过30%性能强悍#xff0c;10万并发轻松配置灵活#xff0c;功能丰富 今天来深入讲解…Nginx反向代理与负载均衡实战指南本文详解Nginx反向代理原理、配置技巧和负载均衡策略从入门到生产级实践。前言Nginx是最流行的Web服务器和反向代理全球使用率超过30%性能强悍10万并发轻松配置灵活功能丰富今天来深入讲解Nginx反向代理和负载均衡的实战配置。一、反向代理基础1.1 什么是反向代理正向代理代理客户端 客户端 → 代理服务器 → 目标服务器 例如翻墙工具 反向代理代理服务端 客户端 → Nginx → 后端服务器 例如网站负载均衡1.2 反向代理的作用功能说明负载均衡分发请求到多台后端SSL终结统一处理HTTPS缓存加速缓存静态资源安全隔离隐藏真实服务器统一入口多服务共用80/443端口1.3 安装Nginx# Ubuntu/Debiansudoaptupdatesudoaptinstallnginx -y# CentOSsudoyuminstallepel-release -ysudoyuminstallnginx -y# 启动sudosystemctl start nginxsudosystemctlenablenginx# 验证curlhttp://localhost二、基础反向代理配置2.1 最简配置# /etc/nginx/conf.d/proxy.conf server { listen 80; server_name example.com; location / { proxy_pass http://127.0.0.1:8080; } }2.2 完整配置模板server { listen 80; server_name example.com; # 日志 access_log /var/log/nginx/example_access.log; error_log /var/log/nginx/example_error.log; location / { proxy_pass http://127.0.0.1:8080; # 传递真实IP proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 超时设置 proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; # 缓冲设置 proxy_buffering on; proxy_buffer_size 4k; proxy_buffers 8 4k; } }2.3 多服务代理# 不同路径代理到不同服务 server { listen 80; server_name example.com; # 前端静态文件 location / { root /var/www/html; try_files $uri $uri/ /index.html; } # API服务 location /api/ { proxy_pass http://127.0.0.1:3000/; } # 管理后台 location /admin/ { proxy_pass http://127.0.0.1:8000/; } # WebSocket location /ws/ { proxy_pass http://127.0.0.1:9000/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection upgrade; } }三、负载均衡3.1 负载均衡策略策略说明适用场景轮询默认依次分发服务器配置相同加权轮询按权重分发服务器配置不同IP Hash同IP固定后端需要会话保持Least Conn最少连接优先长连接场景Fair响应时间优先需要第三方模块3.2 轮询配置upstream backend { server 192.168.1.101:8080; server 192.168.1.102:8080; server 192.168.1.103:8080; } server { listen 80; server_name example.com; location / { proxy_pass http://backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } }3.3 加权轮询upstream backend { server 192.168.1.101:8080 weight5; # 处理50%请求 server 192.168.1.102:8080 weight3; # 处理30%请求 server 192.168.1.103:8080 weight2; # 处理20%请求 }3.4 IP Hash会话保持upstream backend { ip_hash; server 192.168.1.101:8080; server 192.168.1.102:8080; server 192.168.1.103:8080; }3.5 最少连接upstream backend { least_conn; server 192.168.1.101:8080; server 192.168.1.102:8080; server 192.168.1.103:8080; }3.6 健康检查upstream backend { server 192.168.1.101:8080 max_fails3 fail_timeout30s; server 192.168.1.102:8080 max_fails3 fail_timeout30s; server 192.168.1.103:8080 backup; # 备用服务器 } # max_fails: 失败次数阈值 # fail_timeout: 标记不可用时长 # backup: 主服务器都挂了才启用四、HTTPS配置4.1 SSL证书配置server { listen 443 ssl http2; server_name example.com; ssl_certificate /etc/nginx/ssl/example.com.crt; ssl_certificate_key /etc/nginx/ssl/example.com.key; # SSL优化 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; location / { proxy_pass http://backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto https; } } # HTTP跳转HTTPS server { listen 80; server_name example.com; return 301 https://$server_name$request_uri; }4.2 Let’s Encrypt自动证书# 安装certbotsudoaptinstallcertbot python3-certbot-nginx -y# 自动配置sudocertbot --nginx -d example.com# 自动续期sudocertbot renew --dry-run五、性能优化5.1 Gzip压缩http { gzip on; gzip_vary on; gzip_min_length 1024; gzip_comp_level 6; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xmlrss text/javascript; }5.2 静态文件缓存location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ { expires 30d; add_header Cache-Control public, no-transform; }5.3 代理缓存http { # 定义缓存区 proxy_cache_path /var/cache/nginx levels1:2 keys_zonemy_cache:10m max_size1g inactive60m use_temp_pathoff; } server { location / { proxy_pass http://backend; # 启用缓存 proxy_cache my_cache; proxy_cache_valid 200 60m; proxy_cache_valid 404 1m; proxy_cache_key $scheme$request_method$host$request_uri; # 缓存状态头 add_header X-Cache-Status $upstream_cache_status; } }5.4 连接优化http { # 长连接 keepalive_timeout 65; keepalive_requests 1000; # upstream长连接 upstream backend { server 127.0.0.1:8080; keepalive 32; } }六、跨网络代理场景6.1 常见场景场景公司有多个机房/分支需要统一入口 ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ 总部机房 │ │ 分部A │ │ 分部B │ │ Nginx │ │ 后端服务 │ │ 后端服务 │ │ 192.168.1.1│ │192.168.2.10│ │192.168.3.10│ └─────────────┘ └─────────────┘ └─────────────┘问题各机房网络不通Nginx无法直接代理到分部服务器。6.2 组网解决方案使用组网软件如星空组网打通网络组网后 ┌─────────────┐ │ Nginx │ │ 10.10.0.1 │←─┐ └─────────────┘ │ │ 组网虚拟局域网 ┌─────────────┐ │ │ 分部A │←─┤ │ 10.10.0.2 │ │ └─────────────┘ │ │ ┌─────────────┐ │ │ 分部B │←─┘ │ 10.10.0.3 │ └─────────────┘Nginx配置upstream all_servers { server 10.10.0.1:8080; # 总部组网IP server 10.10.0.2:8080; # 分部A组网IP server 10.10.0.3:8080; # 分部B组网IP } server { listen 80; server_name example.com; location / { proxy_pass http://all_servers; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } }效果多机房服务统一入口负载均衡跨机房故障自动切换无需公网暴露各分部服务6.3 按地域分流# 根据用户IP分流到最近机房 upstream beijing { server 10.10.0.1:8080; } upstream shanghai { server 10.10.0.2:8080; } upstream guangzhou { server 10.10.0.3:8080; } # 需要GeoIP模块 map $geoip_city $backend { default beijing; Shanghai shanghai; Guangzhou guangzhou; } server { location / { proxy_pass http://$backend; } }七、安全配置7.1 限流http { # 定义限流区 limit_req_zone $binary_remote_addr zoneone:10m rate10r/s; limit_conn_zone $binary_remote_addr zoneaddr:10m; } server { location /api/ { # 每秒10个请求突发20个 limit_req zoneone burst20 nodelay; # 每IP最多100连接 limit_conn addr 100; proxy_pass http://backend; } }7.2 访问控制location /admin/ { # 白名单 allow 192.168.1.0/24; allow 10.10.0.0/24; # 组网IP段 deny all; proxy_pass http://backend; }7.3 隐藏版本信息http { server_tokens off; }7.4 防盗链location ~* \.(gif|jpg|png)$ { valid_referers none blocked example.com *.example.com; if ($invalid_referer) { return 403; } }八、监控与日志8.1 自定义日志格式http { log_format main $remote_addr - $remote_user [$time_local] $request $status $body_bytes_sent $http_referer $http_user_agent $http_x_forwarded_for $upstream_addr $upstream_response_time $request_time; access_log /var/log/nginx/access.log main; }8.2 状态监控server { listen 8080; location /nginx_status { stub_status on; allow 127.0.0.1; allow 10.10.0.0/24; # 组网IP deny all; } }# 查看状态curlhttp://localhost:8080/nginx_status Active connections:42server accepts handled requests7368736812345Reading:0Writing:5Waiting:378.3 日志分析# 统计请求数awk{print$1}access.log|sort|uniq-c|sort-rn|head-20# 统计状态码awk{print$9}access.log|sort|uniq-c|sort-rn# 慢请求分析awk$NF 1 {print$0}access.log九、常见问题9.1 502 Bad Gateway# 后端服务未启动或无法连接# 检查后端服务curlhttp://127.0.0.1:8080# 检查Nginx错误日志tail-f /var/log/nginx/error.log9.2 504 Gateway Timeout# 增加超时时间 location / { proxy_pass http://backend; proxy_connect_timeout 300s; proxy_send_timeout 300s; proxy_read_timeout 300s; }9.3 配置检查# 检查配置语法nginx -t# 重载配置nginx -s reload十、总结Nginx反向代理配置要点基础代理proxy_pass 必要的header负载均衡根据场景选择策略健康检查设置失败阈值和备用服务器HTTPSLet’s Encrypt免费证书性能优化Gzip、缓存、长连接跨网络代理组网打通多机房安全加固限流、访问控制生产环境建议配置健康检查启用访问日志配置合理的超时使用HTTPS参考资料Nginx官方文档https://nginx.org/en/docs/Nginx负载均衡https://docs.nginx.com/nginx/admin-guide/load-balancer/建议先在测试环境验证配置再应用到生产。改配置前记得备份。