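Nginx in Practice: Case Studies
This chapter walks through practical cases that show how Nginx is used in different scenarios, to help you apply Nginx configuration in real projects.
Case 1: Static Website Hosting
Scenario
Host a static website consisting of HTML, CSS, JS and image resources.
Complete configuration

server {
    listen 80;
    server_name example.com www.example.com;

    # Site root directory
    root /var/www/html;
    index index.html index.htm;

    # Static asset optimization
    location ~* \.(css|js)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        gzip on;
        gzip_types text/css application/javascript;
    }

    location ~* \.(jpg|jpeg|png|gif|ico|svg|webp)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    location ~* \.(woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    # Block access to sensitive files
    # (return runs in the rewrite phase, so clients receive 404 rather than the 403 from deny)
    location ~* \.(htaccess|htpasswd|ini|log|sh|sql|conf)$ {
        deny all;
        return 404;
    }

    # Routing support for SPA applications
    location / {
        try_files $uri $uri/ /index.html;
    }
}
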
Case 2: Reverse Proxy for a Node.js Application
Scenario
Use Nginx as a reverse proxy in front of a backend Node.js application.
Complete configuration

# Backend application server group
upstream nodejs_backend {
    least_conn;
    server localhost:3000 weight=3 max_fails=2 fail_timeout=10s;
    server localhost:3001 weight=2 max_fails=2 fail_timeout=10s;
    server localhost:3002 weight=1 max_fails=2 fail_timeout=10s;
    # Backup server
    server localhost:3003 backup;
}

server {
    listen 80;
    server_name api.example.com;

    # Enable gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types
        application/json
        application/javascript
        application/xml
        text/xml
        text/css
        text/plain;

    # Proxy configuration
    location / {
        proxy_pass http://nodejs_backend;

        # Pass client information to the backend
        # ($proxy_add_x_forwarded_for appends to any client-supplied value;
        # the backend should trust only the entry added by this proxy)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffering
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;
    }

    # Static assets are served directly by Nginx
    location /static/ {
        alias /var/www/nodejs-app/static/;
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    # Health check
    location /health {
        access_log off;
        # default_type sets the Content-Type of the returned body;
        # add_header would emit a second Content-Type header instead
        default_type text/plain;
        return 200 "healthy\n";
    }
}

Case 3: Load Balancing Docker Containers
Scenario
Deploy multiple application instances with Docker and load-balance them through Nginx.
Docker Compose configuration

version: '3.8'
services:
  nginx:
    image: nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./ssl:/etc/nginx/ssl
    depends_on:
      - app1
      - app2
      - app3
    networks:
      - app-network
  app1:
    build: .
    environment:
      - PORT=3000
    networks:
      - app-network
  app2:
    build: .
    environment:
      - PORT=3001
    networks:
      - app-network
  app3:
    build: .
    environment:
      - PORT=3002
    networks:
      - app-network
networks:
  app-network:
    driver: bridge

Nginx configuration

upstream docker_app {
    # Use IP hash to keep each client on the same instance (session consistency)
    ip_hash;
    server app1:3000 max_fails=2 fail_timeout=10s;
    server app2:3001 max_fails=2 fail_timeout=10s;
    server app3:3002 max_fails=2 fail_timeout=10s;
}

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://docker_app;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 30s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
    }
}

Case 4: API Gateway
Scenario
Use Nginx as an API gateway that routes requests to different backend services.
Complete configuration

# User service
upstream user_service {
    server user-svc:8080 max_fails=2 fail_timeout=10s;
}

# Order service
upstream order_service {
    server order-svc:8080 max_fails=2 fail_timeout=10s;
}

# Product service
upstream product_service {
    server product-svc:8080 max_fails=2 fail_timeout=10s;
}

# API rate limiting
# (limit_req_zone is only valid in the http context, so it is declared outside the server block)
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

server {
    listen 80;
    server_name api.example.com;

    # Limit request body size
    client_max_body_size 10M;

    # User service route
    location /api/users {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://user_service;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Order service route
    location /api/orders {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://order_service;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Product service route
    location /api/products {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://product_service;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Health check
    location /health {
        access_log off;
        # default_type sets the Content-Type of the returned body;
        # add_header would emit a second Content-Type header instead
        default_type application/json;
        return 200 "{\"status\":\"healthy\",\"timestamp\":\"$time_iso8601\"}";
    }
}

Case 5: SSL/TLS Termination Proxy
Scenario
Configure the SSL certificate on Nginx so that HTTPS requests are decrypted there and forwarded to backend HTTP servers.
Complete configuration

upstream backend_https {
    least_conn;
    server backend1.example.com:8080 max_fails=2 fail_timeout=30s;
    server backend2.example.com:8080 max_fails=2 fail_timeout=30s;
    server backend3.example.com:8080 max_fails=2 fail_timeout=30s;
}

server {
    # Redirect HTTP to HTTPS
    listen 80;
    server_name secure.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name secure.example.com;

    # SSL certificate
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # SSL security settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers off;

    # Enable OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/javascript
        application/xml+rss
        application/json;

    location / {
        proxy_pass http://backend_https;

        # Tell the backend that the original request was HTTPS
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;

        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffering
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;
    }

    # Static asset caching
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg)$ {
        proxy_pass http://backend_https;
        # proxy_cache_valid only takes effect once a proxy_cache zone is enabled for this location
        proxy_cache_valid 200 1y;
        add_header X-Cache-Status $upstream_cache_status;
        expires 1y;
        add_header Cache-Control "public, immutable";
        # A location that declares its own add_header no longer inherits the
        # server-level ones, so the security headers are repeated here
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }
}

Case 6: High-Concurrency Tuning
Scenario
Handle a high volume of concurrent requests, which requires tuning Nginx for performance.
Tuned configuration

# Global tuning
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;

events {
    worker_connections 4096;
    use epoll;
    multi_accept on;
    accept_mutex off;
}

http {
    # Basic tuning
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    keepalive_requests 1000;

    # Client timeouts and buffers
    client_header_timeout 60s;
    client_body_timeout 60s;
    client_max_body_size 10m;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;

    # Compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/javascript
        application/xml+rss
        application/json;

    # Cache configuration
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=10g
                     inactive=60m use_temp_path=off;

    # Request rate and connection limits
    # (zone definitions are only valid in the http context, not inside server)
    limit_req_zone $binary_remote_addr zone=general:10m rate=50r/s;
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

    upstream high_perf_backend {
        least_conn;
        server backend1.example.com:8080 weight=5 max_fails=3 fail_timeout=30s max_conns=1000;
        server backend2.example.com:8080 weight=3 max_fails=3 fail_timeout=30s max_conns=1000;
        server backend3.example.com:8080 weight=2 max_fails=3 fail_timeout=30s max_conns=1000;
        # Keep upstream connections alive
        keepalive 32;
        keepalive_requests 1000;
        keepalive_timeout 60s;
    }

    server {
        listen 80;
        server_name highperf.example.com;

        location / {
            limit_req zone=general burst=100 nodelay;
            limit_conn conn_limit_per_ip 20;

            proxy_pass http://high_perf_backend;
            # Upstream keepalive needs HTTP/1.1 and a cleared Connection header
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_connect_timeout 5s;
            proxy_send_timeout 10s;
            proxy_read_timeout 10s;

            # Buffering
            proxy_buffer_size 128k;
            proxy_buffers 4 256k;
            proxy_busy_buffers_size 256k;
        }

        # Static asset optimization
        location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            access_log off;
        }
    }
}

Case 7: Microservices Gateway
Scenario
Use Nginx as the entry gateway in a microservices architecture.
Complete configuration

# Service discovery - individual microservices
upstream user_microservice {
    server user-svc:8080 max_fails=2 fail_timeout=10s;
}

upstream product_microservice {
    server product-svc:8080 max_fails=2 fail_timeout=10s;
}

upstream order_microservice {
    server order-svc:8080 max_fails=2 fail_timeout=10s;
}

upstream auth_microservice {
    server auth-svc:8080 max_fails=2 fail_timeout=10s;
}

upstream notification_microservice {
    server notification-svc:8080 max_fails=2 fail_timeout=10s;
}

server {
    listen 80;
    server_name gateway.example.com;

    # Global security settings
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Auth service - handles login, registration, etc.
    location /auth/ {
        proxy_pass http://auth_microservice;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # User service - requires authentication
    location /api/users/ {
        # An authentication check can be added here
        proxy_pass http://user_microservice;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Product service
    location /api/products/ {
        proxy_pass http://product_microservice;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Order service
    location /api/orders/ {
        proxy_pass http://order_microservice;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Notification service
    location /api/notifications/ {
        proxy_pass http://notification_microservice;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Global health check
    location /health {
        access_log off;
        # default_type sets the Content-Type without adding an add_header here,
        # so the server-level security headers are still inherited
        default_type application/json;
        return 200 "{\"status\":\"healthy\",\"services\":3}";
    }

    # Metrics
    location /metrics {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow 10.0.0.0/8;
        deny all;
    }
}
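
One way to implement the authentication check mentioned for the user service, using ngx_http_auth_request_module. This is an added example, not part of the original page: the /auth/verify endpoint, the internal /_auth_check location and the X-Auth-User header are assumptions about how the auth service behaves.

```nginx
# Added example: these two locations go inside the gateway server block and
# replace its /api/users/ location. They reuse the auth_microservice and
# user_microservice upstreams defined in the configuration.
# Assumptions (hypothetical): the auth service exposes /auth/verify, answers
# 2xx for a valid session or token and 401/403 otherwise, and returns the
# caller's identity in an X-Auth-User response header.

# Internal subrequest target: clients cannot request it directly
location = /_auth_check {
    internal;
    proxy_pass http://auth_microservice/auth/verify;

    # The verifier only needs the request headers (Cookie, Authorization),
    # so the request body is not forwarded
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Original-Method $request_method;
}

# User service - requires authentication
location /api/users/ {
    # 2xx from the subrequest lets the request through, 401 and 403 are
    # returned to the client, any other status is treated as an error
    auth_request /_auth_check;

    # Take the identity from the auth response, never from the client:
    # setting the header here overwrites any X-Auth-User the client sent
    auth_request_set $auth_user $upstream_http_x_auth_user;
    proxy_set_header X-Auth-User $auth_user;

    proxy_pass http://user_microservice;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

The same auth_request line can be added to the order and notification locations; the user service should still accept traffic only from the gateway, since it trusts the X-Auth-User header.
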
These case studies show how Nginx is applied in different scenarios; adjust and tune them to fit your own requirements.