Nginx 反向代理与负载均衡实战:从入门到高可用配置 原创
温馨提示:
本文最后更新于 2026-06-15,已超过 0 天没有更新。
若文章内的图片失效(无法正常加载),请留言反馈或直接 联系我。
一、引言
Nginx 是当今最流行的 Web 服务器和反向代理软件,全球超过 30% 的网站使用 Nginx。无论是单站点部署还是大规模微服务架构,Nginx 的反向代理和负载均衡功能都是基础设施的核心。
本文从零开始,逐步搭建一个完整的 Nginx 反向代理与负载均衡体系。
二、Nginx 安装与基础配置
2.1 安装 Nginx
# Ubuntu/Debian
sudo apt update
sudo apt install nginx -y
# CentOS/RHEL
sudo yum install epel-release -y
sudo yum install nginx -y
# 验证安装
nginx -v
# nginx version: nginx/1.26.x
# 启动并设置开机自启
sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl status nginx2.2 基础配置结构
# /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
use epoll;
}
http {
# 基础设置
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# MIME 类型
include /etc/nginx/mime.types;
default_type application/octet-stream;
# SSL 配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Gzip 压缩
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/javascript text/xml;
# 日志格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log warn;
# 引入站点配置
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}三、反向代理配置
3.1 基本反向代理
# /etc/nginx/sites-available/api-proxy
server {
listen 80;
server_name api.example.com;
location / {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}3.2 高级反向代理配置
server {
listen 443 ssl http2;
server_name app.example.com;
ssl_certificate /etc/ssl/certs/example.com.pem;
ssl_certificate_key /etc/ssl/private/example.com.key;
# 安全头部
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
location / {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# 超时配置
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# 缓冲配置
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
proxy_busy_buffers_size 8k;
# 缓存静态资源
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 30d;
add_header Cache-Control "public, immutable";
}
}
}四、负载均衡配置
4.1 upstream 模块
Nginx 的 upstream 模块是实现负载均衡的核心:
upstream backend {
# 负载均衡算法
# 默认: 轮询 (round-robin)
# least_conn: 最少连接
# ip_hash: IP 哈希(会话保持)
# random: 随机
least_conn;
# 后端服务器列表
server 10.0.1.10:3000 weight=3 max_fails=3 fail_timeout=30s;
server 10.0.1.11:3000 weight=2 max_fails=3 fail_timeout=30s;
server 10.0.1.12:3000 weight=1 backup; # 备用服务器
# 健康检查(需要 nginx-plus 或商业版)
# health_check interval=5s fails=3 passes=2;
}
server {
listen 80;
server_name app.example.com;
location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}4.2 负载均衡算法详解
| 算法 | 指令 | 适用场景 |
|---|---|---|
| 轮询 | 默认 | 服务器配置相同,请求处理时间相近 |
| 最少连接 | least_conn | 请求处理时间差异大 |
| IP 哈希 | ip_hash | 需要会话保持的应用 |
| 权重 | weight=N | 服务器性能不同 |
| 随机 | random | 测试和分流场景 |
五、高可用架构
5.1 Keepalived + Nginx 主备
# /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state MASTER # BACKUP 为备用节点
interface eth0
virtual_router_id 51
priority 100 # 备用节点设为 50
advert_int 1
authentication {
auth_type PASS
auth_pass 1234
}
virtual_ipaddress {
192.168.1.100/24 # 虚拟 IP
}
track_script {
chk_nginx
}
}
# 健康检查脚本
vrrp_script chk_nginx {
script "/usr/local/bin/check_nginx.sh"
interval 2
weight -20
}#!/bin/bash
# /usr/local/bin/check_nginx.sh
if systemctl is-active --quiet nginx; then
exit 0
else
systemctl restart nginx
sleep 2
if systemctl is-active --quiet nginx; then
exit 0
else
exit 1
fi
fi六、性能优化
6.1 工作进程优化
# 根据 CPU 核心数设置
worker_processes auto;
worker_rlimit_nofile 65535;
events {
worker_connections 65535;
use epoll;
multi_accept on;
}6.2 静态资源缓存
# 代理缓存配置
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m
max_size=1g inactive=60m use_temp_path=off;
server {
location /api/ {
proxy_cache my_cache;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503;
# 缓存绕过
proxy_cache_bypass $http_cache_control;
add_header X-Cache-Status $upstream_cache_status;
proxy_pass http://backend;
}
}6.3 限流配置
# 限流区域定义
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=addr_limit:10m;
server {
location /api/ {
# 请求限流:每秒最多 10 个请求,突发 20 个
limit_req zone=api_limit burst=20 nodelay;
# 连接限流:每个 IP 最多 10 个并发连接
limit_conn addr_limit 10;
# 限流响应
limit_req_status 429;
limit_conn_status 503;
proxy_pass http://backend;
}
}七、安全加固
7.1 隐藏版本信息
http {
server_tokens off; # 隐藏 Nginx 版本号
}7.2 防止 DDoS
# 限制请求体大小
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1m;
large_client_header_buffers 2 1k;
# 超时限制
client_body_timeout 10s;
client_header_timeout 10s;
send_timeout 10s;7.3 HTTPS 最佳实践
server {
listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# 使用 Let's Encrypt 自动续期
# certbot --nginx -d example.com -d www.example.com
# 现代 SSL 配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;
}八、监控与日志
8.1 访问日志分析
# 使用 GoAccess 实时分析
sudo apt install goaccess
goaccess /var/log/nginx/access.log -o /var/www/html/report.html --log-format=COMBINED
# 日志切割(logrotate)
# /etc/logrotate.d/nginx
/var/log/nginx/*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 0640 www-data adm
sharedscripts
postrotate
if [ -f /var/run/nginx.pid ]; then
kill -USR1 `cat /var/run/nginx.pid`
fi
endscript
}8.2 状态监控
# 启用 Nginx 状态页
server {
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
}
# 输出示例:
# Active connections: 291
# server accepts handled requests
# 16630948 16630948 31070465
# Reading: 6 Writing: 179 Waiting: 106九、总结
本文从安装配置到高可用架构,完整覆盖了 Nginx 反向代理与负载均衡的核心知识点:
- 基础反向代理配置和 HTTP 头部传递
- 多种负载均衡算法及其适用场景
- Keepalived 实现的高可用主备方案
- 性能优化(工作进程、缓存、限流)
- 安全加固(HTTPS、DDoS 防护、版本隐藏)
- 监控与日志分析
掌握这些配置后,你可以轻松应对从单站点部署到大规模微服务架构的各种场景。
