Nginx

負載平衡的反向代理的最佳設置是什麼?

  • February 19, 2021

我正在使用反向代理和負載平衡。在我的場景中,我有三台伺服器。第一台伺服器是代理。第二個和第三個是使用 swarm 的 docker 伺服器。埠 2020 用於 Apache 服務的兩個副本。2021 埠用於 Nginx 服務的兩個副本。平衡是根據副本完成的。由於我是 Nginx 的新手,我想知道以下設置是否足夠。是否有可能改進此配置?安全嗎?

proxy_config.conf:

##########
# Apache #
##########

 upstream apache {
       # Send each new request to the replica with the fewest active
       # connections instead of the default round-robin.
       least_conn;

       #Container replicas (Apache service, port 2020). Reached over plain
       # HTTP on the LAN; nothing here authenticates the proxy to the backend,
       # and no max_fails/fail_timeout is given, so nginx's passive
       # health-check defaults apply.
       server 192.168.0.4:2020;
       server 192.168.0.5:2020;
 }
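 server {
       # Plain-HTTP front end for the Apache replicas. Everything on this
       # vhost, client side included, is unencrypted; a 443 listener with a
       # certificate is needed before it is exposed beyond the LAN.
       listen 80;
       server_name host.apache.domain.com;

       location / {
               # Give the backend the original client address and the host
               # the client asked for (nginx would otherwise send
               # "Host: apache", its default $proxy_host).
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header Host $host;
               # $proxy_add_x_forwarded_for appends $remote_addr to whatever
               # X-Forwarded-For the client sent, so the backend must treat
               # only the last entry as trustworthy.
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               # Added: tells the backend which scheme the client used, so
               # redirects and absolute URLs it builds are correct once a TLS
               # listener is added in front of it.
               proxy_set_header X-Forwarded-Proto $scheme;
               proxy_pass http://apache;
       }
 }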

#########
# Nginx #
#########

 upstream nginx {
       # Send each new request to the replica with the fewest active
       # connections instead of the default round-robin.
       least_conn;

       #Container replicas (Nginx service, port 2021). Reached over plain
       # HTTP on the LAN; nothing here authenticates the proxy to the backend,
       # and no max_fails/fail_timeout is given, so nginx's passive
       # health-check defaults apply.
       server 192.168.0.4:2021;
       server 192.168.0.5:2021;
 }

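 server {
       # Plain-HTTP front end for the Nginx replicas. Everything on this
       # vhost, client side included, is unencrypted; a 443 listener with a
       # certificate is needed before it is exposed beyond the LAN.
       listen 80;
       server_name host.nginx.domain.com;

       location / {
               # Give the backend the original client address and the host
               # the client asked for (nginx would otherwise send
               # "Host: nginx", its default $proxy_host).
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header Host $host;
               # $proxy_add_x_forwarded_for appends $remote_addr to whatever
               # X-Forwarded-For the client sent, so the backend must treat
               # only the last entry as trustworthy.
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               # Added: tells the backend which scheme the client used, so
               # redirects and absolute URLs it builds are correct once a TLS
               # listener is added in front of it.
               proxy_set_header X-Forwarded-Proto $scheme;
               proxy_pass http://nginx;
       }
 }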

在這種特定情況下,我使用了以下內容:

   location / {
           # Without these headers the backend sees "Host: nginx" (nginx's
           # default $proxy_host) and the proxy's own address as the client.
           # With them it receives the requested host and the client IP.
           # X-Forwarded-For is client-appendable: only its last entry is
           # written by this proxy, earlier entries are whatever the client sent.
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header Host $host;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_pass http://nginx;
   }

如果我只使用下面的配置,難道還不夠嗎?

   location / {
           # Works, but nginx then sends "Host: nginx" (its default
           # $proxy_host) and no client-address headers, so the backend's
           # logs, name-based virtual hosts and any per-IP limits only ever
           # see the proxy itself.
           proxy_pass http://nginx;
   }

我閱讀了 Nginx 文件,但我需要更多範例。

Digital Ocean 提供了一個免費的 NGINX 配置工具,附有程式碼註解和範例供您學習。絕對值得動手試試。我真希望當初學習 NGINX 時就有這個工具。

訪問 nginxconfig.io

下面這個帶有安全標頭程式碼的 SSL 反向代理伺服器設定就是用它生成的。您在學習過程中完全可以自行調整它。

# Generated by nginxconfig.io
# https://www.digitalocean.com/community/tools/nginx?domains.0.php.php=false&domains.0.reverseProxy.reverseProxy=true&domains.0.routing.index=index.html&domains.0.routing.fallbackHtml=true&global.https.ocspCloudflare=false&global.https.ocspOpenDns=false&global.tools.modularizedStructure=false

# Worker processes run as this unprivileged account; the master process,
# which binds 80/443, keeps the privileges it was started with.
user                 www-data;
pid                  /run/nginx.pid;
# One worker per available CPU core.
worker_processes     auto;
# Per-worker open-file limit; keep it at or above worker_connections.
worker_rlimit_nofile 65535;

events {
   # Accept every pending connection at once rather than one per wakeup.
   multi_accept       on;
   # Maximum simultaneous connections per worker (clients and upstreams
   # both count against it).
   worker_connections 65535;
}

http {
   charset                utf-8;
   sendfile               on;
   tcp_nopush             on;
   tcp_nodelay            on;
   # Drop the nginx version from the Server header and error pages.
   server_tokens          off;
   # Missing-file 404s are no longer written to error.log (access.log still
   # records them), so probing for absent paths is quieter in the error log.
   log_not_found          off;
   types_hash_max_size    2048;
   types_hash_bucket_size 64;
   # Upper bound on request bodies; larger uploads are rejected with 413.
   client_max_body_size   16M;

   # MIME
   include                mime.types;
   default_type           application/octet-stream;

   # Logging
   access_log             /var/log/nginx/access.log;
   error_log              /var/log/nginx/error.log warn;

   # SSL
   # Resumption through a shared server-side cache only; session tickets are
   # off so a long-lived ticket key cannot undo forward secrecy.
   ssl_session_timeout    1d;
   ssl_session_cache      shared:SSL:10m;
   ssl_session_tickets    off;

   # Diffie-Hellman parameter for DHE ciphersuites (the file must exist or
   # nginx refuses to start)
   ssl_dhparam            /etc/nginx/dhparam.pem;

   # Mozilla Intermediate configuration: TLS 1.2/1.3 only, AEAD and
   # forward-secret (ECDHE/DHE) suites only.
   ssl_protocols          TLSv1.2 TLSv1.3;
   ssl_ciphers            ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

   # OCSP Stapling
   # ssl_stapling_verify needs the issuer chain (ssl_trusted_certificate in
   # each server block). OCSP responder lookups go to Google's public
   # resolvers over plain DNS; a local resolver keeps that traffic on-host.
   ssl_stapling           on;
   ssl_stapling_verify    on;
   resolver               8.8.8.8 8.8.4.4 valid=60s;
   resolver_timeout       2s;

   # Connection header for WebSocket reverse proxy: "upgrade" when the
   # client sent an Upgrade header, "close" otherwise.
   map $http_upgrade $connection_upgrade {
       default upgrade;
       ""      close;
   }

   # Load configs (anything dropped into conf.d is trusted as much as this file)
   include /etc/nginx/conf.d/*.conf;

   # example.com
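   server {
       listen                               443 ssl http2;
       listen                               [::]:443 ssl http2;
       server_name                          example.com;
       root                                 /var/www/example.com/public;

       # SSL (chain.pem is what ssl_stapling_verify checks OCSP responses against)
       ssl_certificate                      /etc/letsencrypt/live/example.com/fullchain.pem;
       ssl_certificate_key                  /etc/letsencrypt/live/example.com/privkey.pem;
       ssl_trusted_certificate              /etc/letsencrypt/live/example.com/chain.pem;

       # security headers
       # NOTE: add_header is inherited only by locations that declare no
       # add_header of their own, so any location below that sets a header
       # must repeat this whole list (see the svg/fonts location).
       add_header X-Frame-Options           "SAMEORIGIN" always;
       # "0" disables the legacy browser XSS auditor. The filter behind
       # "1; mode=block" has been removed from current browsers and the
       # remaining implementations are safer switched off; rely on the CSP.
       add_header X-XSS-Protection          "0" always;
       add_header X-Content-Type-Options    "nosniff" always;
       # Sends the full URL to same-scheme origins; "strict-origin-when-cross-origin"
       # leaks less to third parties if the application does not need it.
       add_header Referrer-Policy           "no-referrer-when-downgrade" always;
       # Generator default. It still permits any http:/https: origin plus
       # inline scripts and styles, so it blocks very little; tighten per app.
       add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
       add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

       # . files: deny dotfiles (.git, .env, ...) except /.well-known
       location ~ /\.(?!well-known) {
           deny all;
       }

       # index.php fallback
       # Looks like generator residue: no PHP handler is configured, so the
       # /index.php fallback appears to land in "location /" and be proxied —
       # TODO confirm the backend expects that, or drop this block.
       location ~ ^/api/ {
           try_files $uri $uri/ /index.php?$query_string;
       }

       # reverse proxy
       location / {
           # Backend on loopback, cleartext; X-Forwarded-Proto tells it the
           # client actually arrived over TLS.
           proxy_pass                         http://127.0.0.1:3000;
           proxy_http_version                 1.1;
           proxy_cache_bypass                 $http_upgrade;

           # Proxy headers (Upgrade/Connection enable WebSocket passthrough)
           proxy_set_header Upgrade           $http_upgrade;
           proxy_set_header Connection        $connection_upgrade;
           proxy_set_header Host              $host;
           proxy_set_header X-Real-IP         $remote_addr;
           # Appends $remote_addr to whatever X-Forwarded-For the client sent;
           # the backend must treat only the last entry as trustworthy.
           proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
           proxy_set_header X-Forwarded-Host  $host;
           proxy_set_header X-Forwarded-Port  $server_port;

           # Proxy timeouts
           proxy_connect_timeout              60s;
           proxy_send_timeout                 60s;
           proxy_read_timeout                 60s;
       }

       # favicon.ico
       location = /favicon.ico {
           log_not_found off;
           access_log    off;
       }

       # robots.txt
       location = /robots.txt {
           log_not_found off;
           access_log    off;
       }

       # assets, media (served from root, 7-day cache, not logged)
       location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
           expires    7d;
           access_log off;
       }

       # svg, fonts
       location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
           add_header Access-Control-Allow-Origin "*";
           # Fix: declaring add_header here suppressed every server-level
           # add_header, so these responses shipped without the security
           # headers (HSTS included). Repeated here; keep in sync with above.
           add_header X-Frame-Options           "SAMEORIGIN" always;
           add_header X-XSS-Protection          "0" always;
           add_header X-Content-Type-Options    "nosniff" always;
           add_header Referrer-Policy           "no-referrer-when-downgrade" always;
           add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
           add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
           expires    7d;
           access_log off;
       }

       # gzip
       # Compressing TLS responses that mix secrets with request-controlled
       # input exposes them to compression side channels (BREACH); consider
       # leaving application/json out of gzip_types if API responses carry tokens.
       gzip            on;
       gzip_vary       on;
       gzip_proxied    any;
       gzip_comp_level 6;
       gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
   }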

   # subdomains redirect
   server {
       listen                  443 ssl http2;
       listen                  [::]:443 ssl http2;
       # Every subdomain over TLS is redirected to the apex.
       server_name             *.example.com;

       # SSL
       # NOTE(review): this reuses the example.com certificate; browsers only
       # accept the redirect if it also covers *.example.com — confirm the
       # certificate's SANs.
       ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
       ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
       ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
       return                  301 https://example.com$request_uri;
   }

   # HTTP redirect
   server {
       listen      80;
       listen      [::]:80;
       # Leading dot matches example.com and all of its subdomains.
       server_name .example.com;

       # ACME-challenge: the only content served over plain HTTP, from a
       # directory separate from the site root so the proxy is not involved.
       location ^~ /.well-known/acme-challenge/ {
           root /var/www/_letsencrypt;
       }

       # Everything else goes to HTTPS on the apex (permanent redirect).
       location / {
           return 301 https://example.com$request_uri;
       }
   }
}

引用自:https://serverfault.com/questions/1054065