• nginx1.8.1反向代理、负载均衡功能的实现


    nginx1.8.1 proxy 服务器192.168.8.40

    web1 centos6.5 httpd2.2.15

    web2 centos7.2 httpd2.4.6

    1、代理功能的简单实现

    nginx代理服务器:192.168.8.40
    web服务器:192.168.8.101

    8.40添加代理:
    location /forum/ {
        proxy_pass http://192.168.8.101/bbs/;
    }


    在被代理的web端
    创建目录mkdir /web/htdocs/bbs
    vim /web/htdocs/bbs/index.html
    加入<h1>192.168.8.101 bbs</h1>
    访问 http://192.168.8.40/forum/即可出现8.101的内容


    改成正则表达式的方式:
    location ~* ^/forum {
        proxy_pass http://192.168.8.101;
    }


    此时 proxy_pass 不能带 URI 部分(正则 location 中不允许),请求的原始 URI /forum/ 会原样转发给后端,因此 http://192.168.8.40/forum/ 无法访问;需要把 192.168.8.101 上的 bbs 目录改名为 forum 才能访问
    # mv bbs forum


    2、代理上显示客户端真实IP(方便统计真实的IP访问情况)

    8.101上更改显示日志的方式:
    # vim /etc/httpd/conf/httpd.conf


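    # Log the address the proxy forwards in X-Real-IP instead of the TCP peer,
    # which for proxied requests is the nginx host. The inner double quotes
    # must be backslash-escaped or the directive does not parse.
    # The header is trustworthy only if this server accepts requests solely
    # from the proxy; a client connecting directly can set it to any value.
    LogFormat "%{X-Real-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined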



    nginx服务器端8.40配置:
    location ~* ^/forum {
        proxy_pass http://192.168.8.101;
        proxy_set_header X-Real-IP $remote_addr;
    }

    3.实现简单的负载均衡:

    nginx proxy server:192.168.8.40
    apache web1:192.168.8.39
    apache web2:192.168.8.101


    nginx proxy server:192.168.8.40配置:


    # 定义web服务器集群:
    upstream webservers {
            server 192.168.8.39 weight=1;
            server 192.168.8.101 weight=1;
        }


    server {


    #location / {
    #    root   /web/htdocs;
    #    index  index.php index.html index.htm;
    #}

    #定义访问集群
    location / {
       proxy_pass http://webservers/;
       proxy_set_header X-Real-IP $remote_addr;
    }
    }

    通过访问http://192.168.8.40可以看到负载的效果


    4、对负载均衡的服务器宕机情况进行适配

    #添加错误的定义
    server {
    listen 8080;
    server_name localhost;
    root /web/errorpages;
    index index.html;
    }
    # 创建错误页面定义
    # mkdir /web/errorpages/ -pv
    # vim index.html
    加入
    sorry,website is being repaired please wait


    # Failure handling for the pool. These are passive checks based on real
    # requests, not active probes: with max_fails=2 fail_timeout=2, two failed
    # attempts within 2 seconds mark a server unavailable for the next 2 seconds.
    # The "backup" server (the local error-page vhost on port 8080) receives
    # traffic only while the primary servers are unavailable.
    upstream webservers {
            server 192.168.8.39 weight=1 max_fails=2 fail_timeout=2;
            server 192.168.8.101 weight=1 max_fails=2 fail_timeout=2;
            server 127.0.0.1:8080 weight=1 backup;
        }


    测试,关闭web1则,只能访问到web2,关闭web2后出现错误提示

    5、为反向代理启用缓存功能



    proxy_cache_path /nginx/cache/first levels=1:2 keys_zone=first:20m max_size=1g;


        server {
            listen       80;
            server_name  localhost;
            index index.html index.php;


            add_header X-Via $server_addr;
            add_header X-Cache "$upstream_cache_status from $server_addr";


            location / {
                proxy_pass http://webservers/;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_cache first;
                proxy_cache_valid 200 10m;
            }


    # nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: [emerg] mkdir() "/nginx/cache/first" failed (2: No such file or directory)
    nginx: configuration file /etc/nginx/nginx.conf test failed
    [root@centossz008 ~]# mkdir -pv /nginx/cache/first
    mkdir: created directory `/nginx'
    mkdir: created directory `/nginx/cache'
    mkdir: created directory `/nginx/cache/first'


    add_header X-Via $server_addr;
    add_header X-Cache "$upstream_cache_status from $server_addr";
    提示信息如下:

    6、重定向规则

    location / {
                #root   html;
                root   /web/htdocs;
                index  index.html index.htm;
                rewrite ^/bbs/(.*)$ http://192.168.8.101/forum/$1;
            }


    访问:http://192.168.8.40/bbs/



    7、上传文件的负载均衡

    可能碰到这样的业务场景,几台web app设置了主从,一个服务器负责上传,其他只能通过同步来获取

    nginx配置:
    # Send uploads (PUT) to the one backend that accepts writes; every other
    # method uses the default proxy_pass below.
    # NOTE(review): the page lists 192.168.8.40 as the nginx proxy itself; if
    # this block runs on that host, non-PUT requests are proxied back to it.
    # Confirm the intended read target.
    # NOTE(review): PUT is forwarded for any client; limit who may upload
    # (source address or authentication) before exposing this.
    location / {           
                proxy_pass http://192.168.8.40/;
                if ($request_method = "PUT"){
                    proxy_pass http://192.168.8.101;
                }
            }


    客户端配置:
    # vim /etc/httpd/conf/httpd.conf 
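    在<Directory "/web/htdocs">下面添加Dav on。注意:只写 Dav on 而不加认证或来源限制时,任何能访问到代理的客户端都可以向网站根目录 PUT 文件;生产环境应在该 Directory 中配合认证(如 Require valid-user)或按来源地址限制写方法。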
    <Directory "/web/htdocs">
    Dav on


    # curl -T /etc/fstab http://192.168.8.40
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>201 Created</title>
    </head><body>
    <h1>Created</h1>
    <p>Resource /fstab has been created.</p>
    </body></html>


    在8.101上可以看到上传的文件
    htdocs]# ls
    forum  fstab  index.html

    8、通过nginx统计某推广链接重写url

    需求:
    通过nginx统计某推广链接(如:http://www.baidu.com)的访问次数,即访问tuiguang.chinasoft.com自动跳转到www.baidu.com页面

    如该服务器为1.1.1.1,带宽要足够大(要根据实际访问量来定)


    步骤
    ①添加1.1.1.1的dns域名解析 tuiguang.chinasoft.com --> 1.1.1.1


    ②添加相关的配置
    vim /etc/nginx/conf.d/tuiguang.conf


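    server {
        server_name   tuiguang.chinasoft.com;
        rewrite_log on; # log rewrite processing to error_log at notice level
        # NOTE(review): the file names look swapped (error_log -> app_h5.log,
        # access_log -> app_error_h5.log); kept as published, confirm intent.
        error_log  /data/logs/app_h5.log notice;
        access_log /data/logs/app_error_h5.log;

        location /h5/flow {
            alias  /data/h5;
            index  index.html;
            # proxy_set_header only affects requests sent by a proxy_pass in
            # this location; there is none, so these three lines are inert.
            proxy_set_header Host $host;
            proxy_set_header X-Real-Ip $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            # A replacement that starts with "http://" makes nginx answer with
            # a redirect; presumably the visits are then counted from the
            # access log entries of this vhost.
            rewrite ^(.*) http://www.baidu.com break;
        }
    }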

    9.修改转发给后端的请求头Content-Type为application/octet-stream(proxy_set_header 改的是发往后端的请求头,不是返回给客户端的响应头)

    upstream  lvs_server{
            server 10.27.13.215:8555;   #hd_lvs_voice01
            server 10.26.114.166:8555;  #hd_lvs_voice02
            server 10.27.62.9:8555;     #hd_lvs_voice03
            server 10.30.196.175:8555;  #hd_lvs_voice04
            server 10.30.196.157:8555;  #hd_lvs_voice05
        }
    
    
    server {
        listen       8555;    
    
        location / {
         proxy_pass http://lvs_server;
        }
    
        location /index {
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr; 
                proxy_set_header Content-Type application/octet-stream;
                proxy_pass http://lvs_server;
        
        }#end index
    
    }

     日志中添加响应时间,请求时间的日志格式

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                 '$status $body_bytes_sent "$http_referer" '
                 '"$http_user_agent" "$http_x_forwarded_for" "$http_host" "$upstream_response_time" "$request_time"';

     nginx获取不到客户端真实IP地址

    upstream dxflowservers {
        ip_hash;
        server u04flow01.yaya.corp:8091 weight=1 max_fails=2 fail_timeout=3;
        server u04rec02.yaya.corp:8091 weight=1 max_fails=2 fail_timeout=3;
    }
    server { 
        server_name 106.75.19.93;
        server_name dxacc.chinasoft.cn;
        location /{
            root /data/chinasoft/dx_traffic/liuliang_http/liuliangsdk/;
            index index.html;
            try_files $uri $uri/ /index.html;
        }
    
        location /dingxiangsdk/{
            proxy_set_header Host $host;
            # NOTE(review): behind the load balancer $remote_addr is presumably
            # the balancer's address, so X-Real-Ip may not be the client — verify.
            proxy_set_header X-Real-Ip $remote_addr;
            # Author's note: behind the ULB (LVS) the real client address could
            # not be obtained; removing the line below fixed it. With the line
            # disabled, the incoming X-Forwarded-For is passed through as-is.
            # NOTE(review): the backend should trust that header only if the
            # balancer overwrites or sanitises client-supplied values.
            #proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://dxflowservers/;
        }    
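        location /ngx_status {
            # Connection counters for monitoring, reachable from localhost only.
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            # "allow" on its own restricts nothing: without a deny rule every
            # other address is still permitted, so the deny must be active.
            deny all;
        }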
    }

     简单测试反向代理upstream的健康检查功能

    nginx --> apache(两台)

    nginx : 192.168.3.200 (nginx 1.12.2)

    apache01: 192.168.3.12

    apache02:192.168.3.13

    nginx的配置

    upstream  lvs_server{
            server 192.168.3.12:8555 weight=2 max_fails=5 fail_timeout=6;
            server 192.168.3.13:8555 weight=2 max_fails=5 fail_timeout=6;
    }
    
    
    server {
        listen       8555;
        server_name 192.168.3.200;
        access_log  /var/log/nginx/voice_lvs.access.log main;
        error_log  /var/log/nginx/voice_lvs.error.log;
        
    
        location / {
         proxy_pass http://lvs_server/;
        }
    
        location /index {
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr; 
                proxy_set_header Content-Type application/octet-stream;
                proxy_pass http://lvs_server;
        
        }
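        location /ngx_status {
            # Connection counters for monitoring, reachable from localhost only.
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            # Without a deny rule the allow line has no effect and the status
            # page is served to every client that can reach port 8555.
            deny all;
        }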
    
    }

    [root@centossz008 ~]# cat /var/www/html/index.html
    <h1>192.168.3.12</h1>
    server01

    [root@node5 ~]# cat /var/www/html/index.html
    <h1>192.168.3.13</h1>
    server02

    经过测试,即使不配置以下参数,关掉其中一台apache后请求也会全部转到另外一台。这是因为upstream默认就带有被动健康检查(根据真实请求的失败情况判断,默认 max_fails=1、fail_timeout=10s),并不会主动探测后端;如果配置了参数就按照你的配置,
    不配置就按照默认配置

     weight=2 max_fails=5 fail_timeout=6;

    [root@localhost /etc/nginx/conf.d]# for i in {1..20}; do curl http://192.168.3.200:8555/index.html;done

    重定向示例

    # cat /usr/local/nginx/conf/vhost.d/chinasoft.com.conf 
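    # Map the request's Origin header to the value returned in
    # Access-Control-Allow-Origin. Regex entries are tried in order of
    # appearance, so every pattern is anchored and its dots escaped: the
    # unanchored "~https://chinasoft.com" also matched
    # "https://chinasoft-com.cdn.ampproject.org",
    # "https://chinasoft.com.amp.cloudflare.com" and any look-alike origin,
    # which made the later entries unreachable.
    map $http_origin $corsHost {
        # Unlisted origins get the literal "none", which matches no real origin.
        default "none";
        "~^https://chinasoft\.com$" https://chinasoft.com;
        "~^https://chinasoft-com\.cdn\.ampproject\.org$" https://chinasoft-com.cdn.ampproject.org;
        "~^https://chinasoft\.com\.amp\.cloudflare\.com$" https://chinasoft.com.amp.cloudflare.com;
        "~^https://cdn\.ampproject\.org$" https://cdn.ampproject.org;
        "~^https://images\.chinasoft\.com$" https://images.chinasoft.com;
        "~^https://my\.chinasoft\.com$" https://my.chinasoft.com;
        "~^https://store\.chinasoft\.com$" https://store.chinasoft.com;
        "~^https://my\.chinasoft\.jp$" https://my.chinasoft.jp;
    }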
    
    server {
            listen 80;
            server_name     chinasoft.com  www.chinasoft.com ori-www.chinasoft.com;
            access_log      /data/www/logs/nginx_log/access/chinasoft.com_access.log main ;
            error_log       /data/www/logs/nginx_log/error/chinasoft.com_error.log ;
            root            /data/www/vhosts/chinasoft.com/httpdocs ;
            index           index.html index.shtml index.php ;
        include        rewrite.d/chinasoft.com.conf ;
        error_page  404 403             /404.html;    
            rewrite ^/(.*)$ https://www.chinasoft.com/$1 permanent;    #跳转到Https
    
            location ~ .php$ {
                    fastcgi_pass unix:/tmp/php-cgi.sock;
                    fastcgi_index index.php;
                    #fastcgi_param SCRIPT_FILENAME ;
                    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                    include fastcgi_params;
                    expires -1;
            }
    
            location / {
                include proxy_params;
            if (!-d $request_filename){
                set $flag 1$flag;
            }
            if (!-f $request_filename){
                set $flag 2$flag;
            }
            if ($flag = "21"){
                        rewrite ^(.*)$ /index.php last;
                expires -1;    
            }
            
            }
    
    }
    
    server {
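            # "listen ... ssl" replaces the deprecated "ssl on;" directive.
            listen 443 ssl;

            ssl_certificate         cert2016/chinasoft_com.crt;
            ssl_certificate_key     cert2016/chinasoft_com.key;
            ssl_dhparam     cert2016/dh_2048.pem;

            ssl_session_timeout     5m;
            # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
            # Add TLSv1.3 where the nginx/OpenSSL build supports it.
            ssl_protocols   TLSv1.2;

            # Cipher list as published, rejoined onto one line (the page had
            # wrapped it mid-name). "!3DES" is appended so the 64-bit-block
            # DES-CBC3 suites named in the list can never be negotiated.
            ssl_ciphers     "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES";


            ssl_prefer_server_ciphers       on;
            # HSTS is left disabled as published; enable it once every host
            # name served by this block is reachable over HTTPS only.
    #       add_header Strict-Transport-Security max-age=15768000;

            #ssl_stapling        on;
            #ssl_stapling_verify        on;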
    
    
            server_name     chinasoft.com www.chinasoft.com ori-www.chinasoft.com ;
            access_log      /data/www/logs/nginx_log/access/chinasoft.com_access.log main ;
            error_log       /data/www/logs/nginx_log/error/chinasoft.com_error.log ;
    
            root            /data/www/vhosts/chinasoft.com/httpdocs ;
            index           index.html index.shtml index.php ;
            include         rewrite.d/chinasoft.com.conf ;
            
        error_page  404 403             /404.html;
    
            #add_header 'Access-Control-Allow-Origin' '*';
    
        add_header Access-Control-Allow-Origin $corsHost;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
    
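            # Hand PHP scripts to the FastCGI backend on the local socket. The
            # dot is escaped so that only URIs ending in ".php" match; the
            # unescaped "." matched any character before "php".
            location ~ \.php$ {
                    # Answer 404 when the script file does not exist instead of
                    # passing an arbitrary path to the PHP interpreter.
                    try_files $uri =404;
                    fastcgi_pass unix:/tmp/php-cgi.sock;
                    fastcgi_index index.php;
                    #fastcgi_param SCRIPT_FILENAME ;
                    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                    include fastcgi_params;
                    # Never let clients cache PHP output.
                    expires -1;
            }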
    
            location / {
                    include proxy_params;
                    if (!-d $request_filename){
                            set $flag 1$flag;
                    }
                    if (!-f $request_filename){
                            set $flag 2$flag;
                    }
                    if ($flag = "21"){
                            rewrite ^(.*)$ /index.php last ;
                            expires -1;
                    }
            }
    
    }
    
    *****************
    
    if ($request_uri ~ ^/snapchat/snapchat-password-cracker.html) { rewrite ^ https://www.centos.net/snapchat/snapchat-password-cracker.html permanent; }
    if ($request_uri ~ ^/spy/index.html) { rewrite ^ https://www.chinasoft.com/topic/index.html permanent; }
    if ($request_uri ~ ^/telegram/index.html) { rewrite ^ https://www.chinasoft.com/topic/index.html permanent; }
    if ($request_uri ~ ^/track/hidden-phone-tracker-for-android-iphone.html) { rewrite ^ https://www.centos.net/track/hidden-phone-tracker-for-android-iphone.html permanent; }
    if ($request_uri ~ ^/viber/index.html) { rewrite ^ https://www.chinasoft.com/topic/index.html permanent; }
    [root@EOP_Aimersoft_web01:~]# head -30 /usr/local/nginx/conf/rewrite.d/chinasoft.com.conf 
    if ($host ~* ^chinasoft.com$){ rewrite ^(.*)$ http://www.chinasoft.com$1 permanent;}
    if ($request_uri ~ ^/(.*)/(index|indice).(html)) { rewrite ^/(.*)/(index|indice).(html) /$1   permanent;}
    if ($request_uri ~ ^/(index|indice).html) { rewrite    ^       / permanent;}
    #20170824
    if ($request_uri ~ ^/install-chinasoft-spy-app-on-android-phones.html) { rewrite ^ /how-to-spy-android-phones.html permanent; }

     配置列出文件列表示例

    [root@web:/usr/local/nginx/conf]# more admin_vhost.d/rewrite.chinasoft.cn.conf 
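    server {
            listen 80;
            server_name     rewrite.chinasoft.cn ;
            access_log      /data/www/logs/nginx_log/access/rewrite.chinasoft.cn_access.log main ;
            error_log       /data/www/logs/nginx_log/error/rewrite.chinasoft.cn_error.log ;
            # NOTE(review): the document root is nginx's own rewrite.d
            # configuration directory and autoindex lists it, so every rule
            # file is readable by anyone who can reach this vhost. No
            # allow/deny or auth is visible here; restrict access to the
            # admin network or require authentication.
            root            /usr/local/nginx/conf/rewrite.d ;
            #index           index.html index.shtml index.php ;

            error_page  404              /404.html;
            autoindex on;
            # Dot escaped so that only URIs ending in ".php" are proxied.
            location ~ \.php$ {
                            proxy_pass http://php_pool;
                            include proxy_params;
                            access_log off;
            }

    }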
    
    
    [root@web:/usr/local/nginx/conf]# more nginx.conf
    #user  nobody;
    worker_processes  8;
    
    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;
    
    #pid        logs/nginx.pid;
    pid        /data/www/logs/nginx.pid;
    
    worker_rlimit_nofile  65535;
    
    events {
            use epoll;    
            worker_connections  10240;
            accept_mutex    off;
    }
    
    
    http {
        include       mime.types;
        default_type  application/octet-stream;
        #set_real_ip_from   0.0.0.0/0;
        #real_ip_header     X-Forwarded-For;
    
        #proxy_set_header   Host    $host;  
        #proxy_set_header   X-Real-IP       $remote_addr;  
        #proxy_set_header   X-Forwarded-For $http_x_forwarded_for;  
        #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for; 
    
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size      6400;
    
        ssl_session_cache    shared:SSL:200m;
        ssl_session_timeout  15m;
    
        lua_package_path "/usr/local/nginx/conf/ngx_lua_waf/?.lua";
        lua_shared_dict limit 10m;
        init_by_lua_file  /usr/local/nginx/conf/ngx_lua_waf/init.lua; 
        access_by_lua_file /usr/local/nginx/conf/ngx_lua_waf/waf.lua; 
    
        #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        #                  '$status $body_bytes_sent "$http_referer" '
        #                  '"$http_user_agent" "$http_x_forwarded_for"';
        #    log_format main '[$time_local] $remote_addr $status $request_time $body_bytes_sent "$request" "$http_referer" $upstream_addr $http_x_real_ip $http_x_forwarded_for $http_user_agent  $request_filename';
        # NOTE(review): this format writes $http_cookie and $request_body to
        # the access log, so session cookies and submitted form fields
        # (passwords included) are stored on disk in clear text. Drop or mask
        # these fields, or tightly restrict who can read the log files.
        log_format main  '$remote_addr - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_cookie" "$request_body" "$http_user_agent" $request_time '; 
        #   log_format test '[$fastcgi_script_name] [$time_local] $remote_addr $status $request_time $body_bytes_sent "$request" "$http_referer" $upstream_addr $http_x_real_ip $http_x_forwarded_for $http_user_agent ';
        log_format error  '$remote_addr - - [$time_local] - - "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time '; 
        #access_log  logs/access.log  main;
    
        sendfile        on;
        tcp_nodelay    on;
    
        keepalive_timeout  90;
        #----for upload file
        client_max_body_size    8M;
        client_body_buffer_size 2M;
        #--- for resolve 400 error
        client_header_buffer_size 64k;
        large_client_header_buffers 4 64k;
        proxy_connect_timeout 90s;
        proxy_read_timeout 90s;
        #60s内后端服务器需要返回成功
        proxy_send_timeout 90s; 
        proxy_buffer_size 16k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_ignore_client_abort on;    
        proxy_intercept_errors on;
        gzip  on;
        gzip_vary off;
        gzip_min_length  1k;
        gzip_buffers     4 16k;
        gzip_http_version 1.0;
        gzip_comp_level  5;
        gzip_disable     "MSIE [1-6].";
        gzip_types text/plain text/css text/javascript application/javascript application/x-javascript text/xml application/xml application/wasm;
    
        ssi on;
        ssi_silent_errors on;
        #ssi_types text/shtml;
        expires 60d;
        server_names_hash_bucket_size 20480;
        #if_modified_since before;
        #limit_req_zone $binary_remote_addr zone=all_zone:10m rate=3r/s;
        #limit_req zone=all_zone burst=2 nodelay;
    
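        upstream php_pool{
            # Keep each client on the same backend, chosen by client address.
            ip_hash;
            #server 192.168.254.122:8080 max_fails=0 fail_timeout=30s weight=1;
            #server 192.168.254.123:8080 max_fails=0 fail_timeout=30s weight=1;
            #server 192.168.254.124:8080 max_fails=0 fail_timeout=30s weight=3;
            #server 192.168.254.125:8080 max_fails=0 fail_timeout=30s weight=3;
            # max_fails=0 turns off nginx's passive failure accounting; backend
            # health is left to the active "check" directives below.
            server 192.168.254.11:8080 max_fails=0 fail_timeout=30s weight=3;

            # Active health check (third-party upstream check module): a TCP
            # connect to port 8080 every 3000 ms with a 1000 ms timeout; 2
            # successes mark the server up, 5 failures mark it down.
            check interval=3000 rise=2 fall=5 timeout=1000 type=tcp port=8080;
            check_keepalive_requests 100;
            # Disabled HTTP probe, restored to a single commented line: on the
            # page its \r\n escapes had become real line breaks, leaving the
            # continuation lines outside the comment and breaking the file.
            # check_http_send "HEAD / HTTP/1.1\r\nConnection: keep-alive\r\n\r\n";
            # NOTE(review): presumably only consulted for type=http checks.
            check_http_expect_alive http_2xx http_3xx;
        }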
    
    
            include vhost.d/*.conf;
        include admin_vhost.d/*.conf;
    
    
            server {
            listen       80  default_server;
            server_name  localhost;
    
            #charset koi8-r;
    
            #access_log  logs/host.access.log  main;
    
            location / {
                root   /data/www/html;
                index  index.html index.htm;
            }
    
            #error_page  404              /404.html;
    
            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
    
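            location /ws_status {
                    # Connection counters for monitoring. Restricted to
                    # localhost like the /status location in this server;
                    # without allow/deny it was served to every client of the
                    # default vhost.
                    stub_status on;
                    access_log off;
                    allow 127.0.0.1;
                    deny all;
            }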
    
            location /status {
                check_status html;
               
                access_log   off;
            allow 127.0.0.1;
                deny all;
            }    
    
        }
    }

  • 原文地址:https://www.cnblogs.com/reblue520/p/6239822.html