Nginx Reverse Proxy Tutorial

Learn how to configure an Nginx reverse proxy and where to apply it, improving website security and performance

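Reverse proxy overview

What is a reverse proxy?

A reverse proxy is a server configuration that receives client requests, forwards them to a backend server, and finally returns the backend server's response to the client. Unlike a forward proxy, a reverse proxy is transparent to the client: the client does not know that its request was forwarded to a backend server.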

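How a reverse proxy works

  1. The client sends a request to the reverse proxy server
  2. The reverse proxy server receives the request and forwards it to a backend server according to its configuration
  3. The backend server processes the request and generates a response
  4. The reverse proxy server receives the backend server's response
  5. The reverse proxy server returns the response to the client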

Advantages of a reverse proxy

Basic reverse proxy configuration

Nginx's proxy_pass directive is used to configure a reverse proxy.

A simple reverse proxy configuration

server {
    listen 80;
    server_name example.com;
    
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Common proxy directives

proxy_pass

Specifies the address of the backend server, which can be an IP address, a domain name, or a Unix socket

proxy_pass http://localhost:8080;

proxy_set_header

Sets the HTTP headers passed to the backend server

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_buffers

Sets the size of the proxy buffers

proxy_buffers 8 16k;
proxy_buffer_size 32k;

proxy_connect_timeout

Sets the timeout for establishing a connection with the backend server

proxy_connect_timeout 60s;

proxy_read_timeout

Sets the timeout for reading a response from the backend server

proxy_read_timeout 60s;

Reverse proxy application scenarios

1. Application server proxy

Proxy client requests to a backend application server, such as Tomcat, Node.js, or Django.

server {
    listen 80;
    server_name app.example.com;
    
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

2. API gateway

Acting as an API gateway, Nginx routes requests to different backend API services.

server {
    listen 80;
    server_name api.example.com;
    
    location /user/ {
        proxy_pass http://localhost:8080/user/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    
    location /product/ {
        proxy_pass http://localhost:8081/product/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    
    location /order/ {
        proxy_pass http://localhost:8082/order/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
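
A simplified model of how the gateway above maps a request URI to an upstream URL, as an added example that is not part of the original tutorial. It covers prefix locations only and does not model URI normalization, regex locations, rewrite, or unix: upstreams; the function name and the sample request paths are constructed.

```javascript
// The three locations from the API gateway configuration above.
const ROUTES = [
  { location: '/user/',    proxyPass: 'http://localhost:8080/user/' },
  { location: '/product/', proxyPass: 'http://localhost:8081/product/' },
  { location: '/order/',   proxyPass: 'http://localhost:8082/order/' },
];

// Returns the URL Nginx would request upstream, or null when none of the
// given locations proxies the request.
function upstreamUrl(requestUri, routes = ROUTES) {
  // Location matching uses the path only; the query string is carried along.
  const q = requestUri.indexOf('?');
  const path = q === -1 ? requestUri : requestUri.slice(0, q);
  const query = q === -1 ? '' : requestUri.slice(q);

  // Among prefix locations, the longest matching prefix wins.
  const route = routes
    .filter((r) => path.startsWith(r.location))
    .sort((a, b) => b.location.length - a.location.length)[0];
  if (!route) return null;

  const m = /^(https?:\/\/[^\/]+)(\/.*)?$/.exec(route.proxyPass);
  if (!m) throw new Error(`unsupported proxy_pass: ${route.proxyPass}`);
  const [, origin, uriPart] = m;

  // proxy_pass without a URI part: the request URI is passed unchanged.
  if (uriPart === undefined) return origin + path + query;
  // proxy_pass with a URI part: the matched location prefix is replaced by it.
  return origin + uriPart + path.slice(route.location.length) + query;
}

// Constructed requests against the page's routes and two variants of proxy_pass.
console.log(upstreamUrl('/user/42?full=1'));
console.log(upstreamUrl('/user/42', [{ location: '/user/', proxyPass: 'http://localhost:8080/' }]));
console.log(upstreamUrl('/user/42', [{ location: '/user/', proxyPass: 'http://localhost:8080' }]));
```

The second and third calls show why the trailing part of proxy_pass matters: a bare "/" strips the location prefix before the request reaches the backend, while omitting the URI part forwards the path as received.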

3. Separating static files and dynamic content

Use Nginx to serve static files and proxy dynamic requests to the backend server.

server {
    listen 80;
    server_name example.com;
    
    root /var/www/example.com;
    index index.html;
    
    # Serve static files
    location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg)$ {
        expires 30d;
        add_header Cache-Control "public, max-age=2592000";
    }
    
    # Proxy dynamic requests
    location /api/ {
        proxy_pass http://localhost:8080/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    
    # Proxy other dynamic content
    location /app/ {
        proxy_pass http://localhost:8080/app/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

4. SSL termination

Nginx handles SSL/TLS encryption and decryption, and the backend server uses HTTP.

server {
    listen 443 ssl http2;
    server_name example.com;
    
    # SSL configuration
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

Practical case: configuring a reverse proxy for a Node.js application

Suppose we have a Node.js application running on port 3000 and need to make it reachable on port 80 through an Nginx reverse proxy:

server {
    listen 80;
    server_name nodeapp.example.com;
    
    # Access log and error log
    access_log /var/log/nginx/nodeapp.access.log main;
    error_log /var/log/nginx/nodeapp.error.log warn;
    
    # Reverse proxy configuration
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # Proxy buffer settings
        proxy_buffers 16 16k;
        proxy_buffer_size 32k;
        
        # Timeout settings
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
    }
    
    # Handle static files (if the Node.js application also serves static files)
    location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg)$ {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        expires 30d;
        add_header Cache-Control "public, max-age=2592000";
    }
}

This configuration proxies all requests for nodeapp.example.com to the Node.js application running locally on port 3000, and sets appropriate HTTP headers, buffers, and timeout parameters.
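
How the Node.js application behind this configuration can resolve the client address from the X-Forwarded-For value that $proxy_add_x_forwarded_for builds, as an added example that is not part of the original tutorial. The trusted proxy list, the function names, and the sample addresses are constructed assumptions.

```javascript
// Assumption: addresses of the proxies you operate (here, Nginx on the same host).
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d.
function normalize(addr) {
  const a = String(addr || '').trim();
  return a.startsWith('::ffff:') ? a.slice(7) : a;
}

// peerAddr: the socket peer (req.socket.remoteAddress).
// xff: the raw X-Forwarded-For header value received by the application.
function clientIp(peerAddr, xff, trusted = TRUSTED_PROXIES) {
  const peer = normalize(peerAddr);
  // A connection that did not come through our proxy can carry any header
  // value, so the header is ignored and the socket peer is used.
  if (!trusted.has(peer)) return peer;
  const hops = String(xff || '').split(',').map(normalize).filter(Boolean);
  // Nginx appended $remote_addr on the right. Walk right to left and stop at
  // the first hop that is not one of our own proxies.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return peer; // header empty, or it listed only our proxies
}

// What $proxy_add_x_forwarded_for evaluates to: the incoming header value
// followed by $remote_addr, or just $remote_addr when the header is absent.
function proxyAddXff(incomingXff, remoteAddr) {
  return incomingXff ? `${incomingXff}, ${remoteAddr}` : remoteAddr;
}

// Constructed sample: the client at 203.0.113.7 sends its own
// "X-Forwarded-For: 10.0.0.1" header, which Nginx keeps and appends to.
const forged = proxyAddXff('10.0.0.1', '203.0.113.7');
const naive = forged.split(',')[0].trim();             // leftmost entry: client-supplied
const resolved = clientIp('::ffff:127.0.0.1', forged); // entry added by Nginx
console.log({ forged, naive, resolved });
```

Because the header is appended to rather than overwritten, only the rightmost entry added by a proxy you control is reliable for logging, rate limiting, or access decisions; X-Real-IP in this configuration carries the same $remote_addr value.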

Advanced reverse proxy configuration

URL rewriting and redirection

When reverse proxying, the rewrite directive can be used to modify the URL.

server {
    listen 80;
    server_name example.com;
    
    location /old-path/ {
        rewrite ^/old-path/(.*)$ /new-path/$1 break;
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
    }
}

Proxying to a Unix socket

Requests can be proxied to a Unix socket, which is usually more efficient than a TCP connection.

server {
    listen 80;
    server_name example.com;
    
    location / {
        proxy_pass http://unix:/var/run/app.sock;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Health checks

Health checks can be configured to ensure that requests are sent only to healthy backend servers.

upstream backend {
    server localhost:8080 max_fails=3 fail_timeout=30s;
    server localhost:8081 max_fails=3 fail_timeout=30s;
}

server {
    listen 80;
    server_name example.com;
    
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    
    # Health check endpoint
    location /health {
        proxy_pass http://backend/health;
        proxy_set_header Host $host;
    }
}

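Interactive exercises

1. What are the main advantages of a reverse proxy? (multiple answers)

A. Improved security
B. Load balancing
C. Caching static content
D. SSL termination
E. Unified authentication

2. Which of the following directives is used to configure the backend server address of a reverse proxy?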

A. proxy_pass
B. proxy_set_header
C. proxy_buffers
D. proxy_connect_timeout

3. Hands-on exercise: configure a reverse proxy

Configure an Nginx reverse proxy that proxies requests for api.example.com to the backend API service running on localhost:8080. Requirements:

  • Set appropriate HTTP headers (Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto)
  • Configure an access log and an error log
  • Set reasonable timeout parameters
  • Set caching for static files (if the API service also serves static files)

Summary and outlook

In this tutorial, you have learned how to configure an Nginx reverse proxy and where to apply it. Reverse proxying is an important Nginx feature; it can:

In later tutorials, we will take a closer look at Nginx load balancing, static file serving, security configuration, performance optimization, and other advanced features, helping you fully master Nginx.