2026年Ubuntu服务器Nginx反向代理完全指南:从基础到负载均衡(2026)

一、什么是Nginx反向代理

反向代理(Reverse Proxy)是位于客户端和后端服务器之间的中间层。客户端不直接访问后端服务器,而是请求Nginx,由Nginx转发给后端处理。

反向代理的核心价值

功能 说明 应用场景
负载均衡 分发请求到多台后端服务器 高并发Web应用
SSL卸载 在代理层处理HTTPS加密 统一证书管理
安全防护 隐藏后端真实IP,过滤恶意请求 防DDoS、WAF
缓存加速 缓存后端响应,减少重复计算 静态化API、CMS
统一入口 多个服务共享同一域名和端口 微服务架构
访问控制 基于IP、Header等条件限制访问 内部API保护

二、安装Nginx

# Install Nginx from the Ubuntu package repositories
sudo apt update
sudo apt install -y nginx
# Register the unit for boot and start it right away in one step
sudo systemctl enable --now nginx

# Verify: print the installed version and check the service is active
nginx -v
sudo systemctl status nginx

三、基础反向代理配置

3.1 代理HTTP服务

# /etc/nginx/sites-available/proxy
# Plain-HTTP virtual host that forwards every request to a local app on port 3000.
server {
    listen 80;
    server_name api.yourdomain.com;

    location / {
        # No URI part on proxy_pass: the client's request URI is forwarded unchanged
        proxy_pass http://127.0.0.1:3000;

        # Pass the real client details to the backend. Without these the backend
        # sees Host as the upstream address and 127.0.0.1 as the peer.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client already sent; the
        # backend should only trust the last (rightmost) entry, the rest is client-supplied
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

3.2 代理HTTPS服务

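# TLS-terminating virtual host ("SSL offload"): clients speak HTTPS to Nginx,
# Nginx speaks plain HTTP to the app on 127.0.0.1:8080.
server {
    listen 443 ssl http2;
    server_name app.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/app.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.yourdomain.com/privkey.pem;
    # Modern protocol versions only; same setting as the complete example in section 10
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8080;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Hard-coded instead of $scheme: this server only listens on TLS, so the
        # backend can rely on the value when building https:// links and redirects
        proxy_set_header X-Forwarded-Proto https;
    }
}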

3.3 代理WebSocket

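# WebSocket proxy. The Connection header must only say "upgrade" when the client
# actually requested an upgrade; this map yields "close" for ordinary requests on
# the same location instead of mislabelling them. map belongs to the http
# context (top level of a sites-available file is fine).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name ws.yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:9000;

        # WebSocket needs HTTP/1.1 plus the hop-by-hop Upgrade/Connection headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket timeouts: an idle socket is closed after proxy_read_timeout
        # (default 60s), so long-lived connections need a large value here or
        # application-level pings
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}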

四、多路径代理(多服务共用一个域名)

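# One domain, several backends selected by URI prefix. The longest matching
# prefix location wins, so /api/, /ws/ and /static/ take precedence over /.
server {
    listen 80;
    server_name yourdomain.com;

    # Frontend application (React/Vue)
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Backend API. The trailing "/" on proxy_pass strips the matched /api/
    # prefix: /api/users is forwarded to the backend as /users.
    location /api/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # WebSocket service (same prefix stripping as /api/)
    location /ws/ {
        proxy_pass http://127.0.0.1:9090/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # Hard-coded: every request on this path is sent with Connection: upgrade.
        # A map on $http_upgrade that yields "close" for non-upgrade requests is
        # the more precise form.
        proxy_set_header Connection "upgrade";
        # Same client identity headers as the other locations, so the WebSocket
        # backend can apply origin/host checks and see the client address
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 86400s;
    }

    # Static files served by Nginx directly
    location /static/ {
        # alias replaces the matched prefix. Keep the trailing "/" on both the
        # location and the alias: a "location /static" (no slash) with this alias
        # would map /static../ onto the parent of /var/www/static/.
        alias /var/www/static/;
        expires 30d;
        access_log off;
    }
}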

五、负载均衡配置

5.1 轮询策略(默认)

# Default round-robin: requests are spread evenly across the listed servers
upstream backend_cluster {
    server 192.168.1.101:8080;
    server 192.168.1.102:8080;
    server 192.168.1.103:8080;
}

server {
    listen 80;
    server_name yourdomain.com;

    location / {
        # proxy_pass to the upstream group name instead of a host:port
        proxy_pass http://backend_cluster;
        # With an upstream group the default Host would be the group name
        # ("backend_cluster"), so it has to be set explicitly
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

5.2 加权轮询

# Weighted round-robin: each server's share is weight / sum of weights (5+3+2 = 10)
upstream backend_cluster {
    server 192.168.1.101:8080 weight=5;   # 50% of traffic
    server 192.168.1.102:8080 weight=3;   # 30% of traffic
    server 192.168.1.103:8080 weight=2;   # 20% of traffic
}

5.3 最少连接

# least_conn: each new request goes to the server with the fewest active
# connections (server weights are still taken into account), which suits
# backends whose requests vary a lot in duration
upstream backend_cluster {
    least_conn;
    server 192.168.1.101:8080;
    server 192.168.1.102:8080;
    server 192.168.1.103:8080;
}

5.4 IP哈希(会话保持)

# ip_hash: session affinity by client address (for IPv4 the first three octets
# decide, so a whole /24 lands on one backend). If Nginx itself sits behind a
# load balancer or CDN, the address seen is that hop's and every request hashes
# to the same server unless the real client IP is restored first.
upstream backend_cluster {
    ip_hash;
    server 192.168.1.101:8080;
    server 192.168.1.102:8080;
}

5.5 健康检查与故障转移

# Passive health checking: a server is marked unavailable after max_fails
# failed attempts within fail_timeout, and is retried once fail_timeout elapses
upstream backend_cluster {
    server 192.168.1.101:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.102:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.103:8080 backup;  # standby: used only when all primaries are down

    # Idle keep-alive connections to the backends cached per worker process.
    # This only takes effect if the proxying location also sets
    # proxy_http_version 1.1; and proxy_set_header Connection ""; - without
    # them each request still opens a new backend connection.
    keepalive 32;
}
参数 说明
max_fails 连续失败次数达到此值后标记节点不可用
fail_timeout 节点被标记不可用后的暂停时间
backup 仅当所有主节点不可用时才使用
keepalive 保持与上游的长连接数

六、代理缓存配置

# Define the cache zone in the http context (outside any server block).
# levels=1:2 nests cache files two directory levels deep; keys_zone names the
# shared-memory index (1m holds roughly 8k keys); max_size caps disk usage;
# inactive evicts entries not requested for 60m even if still valid.
proxy_cache_path /var/cache/nginx/proxy levels=1:2
    keys_zone=proxy_cache:10m
    max_size=5g
    inactive=60m
    use_temp_path=off;

server {
    listen 80;
    server_name api.yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_cache proxy_cache;

        # Cache lifetime per status code. "any 1m" also stores 5xx error pages
        # for a minute, so a recovered backend keeps showing errors that long.
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 301 1h;
        proxy_cache_valid 404 1m;
        proxy_cache_valid any 1m;

        # Cache key (this is also the built-in default). Requests differing only
        # in headers such as Cookie or Accept-Language share one cached entry.
        proxy_cache_key $scheme$proxy_host$request_uri;

        # Bypass: any client-sent Cache-Control header or ?nocache=... skips the
        # cache lookup (bypass) and the response is not stored (no_cache). Since
        # both are under client control, the cache does not shield the backend
        # from a client that sets them.
        proxy_cache_bypass $http_cache_control $arg_nocache;
        proxy_no_cache $http_cache_control $arg_nocache;

        # Cache lock: only one request populates a missing entry; others wait up
        # to 5s, then go to the backend without caching the result
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;

        # Expose HIT/MISS/BYPASS/EXPIRED/... for debugging
        add_header X-Cache-Status $upstream_cache_status;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

七、访问控制与安全

7.1 IP白名单

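# IP allow-list for the admin area. allow/deny evaluate $remote_addr, so if
# Nginx sits behind another proxy or load balancer the address checked is that
# hop's, not the client's - restore the real client IP first
# (set_real_ip_from / real_ip_header) or the list is meaningless.
#
# A prefix location is case-sensitive and does not match /admin without the
# trailing slash; such a request would fall through to whatever other location
# matches (typically /) and reach the backend unprotected. Redirecting the bare
# path into the protected prefix closes that gap.
location = /admin {
    return 301 /admin/;
}

location /admin/ {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;

    proxy_pass http://127.0.0.1:8080;
}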

7.2 基础认证

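# Install the htpasswd tool
sudo apt install -y apache2-utils

# Create the user file. -B stores a bcrypt hash instead of the weaker apr1-MD5
# default (verify with a test login after reload: Nginx checks it via the
# system crypt(), which supports bcrypt on current Ubuntu). -c creates the file
# and OVERWRITES an existing one - omit -c when adding further users.
sudo htpasswd -c -B /etc/nginx/.htpasswd admin

# Only the worker user (www-data on Ubuntu's nginx package) needs to read the
# hashes; keep them away from other local accounts
sudo chown root:www-data /etc/nginx/.htpasswd
sudo chmod 640 /etc/nginx/.htpasswd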
# HTTP Basic auth. Credentials travel base64-encoded (i.e. in the clear) in
# every request, so this location must live under a TLS server block such as
# the one in section 3.2, not a plain :80 one. As with any prefix location,
# /internal without the trailing slash is not covered by this block.
location /internal/ {
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;

    proxy_pass http://127.0.0.1:8080;
}

7.3 限流配置

# Define the limit zones in the http context. Both are keyed on
# $binary_remote_addr, so behind another proxy/LB all requests share one key
# unless the real client IP is restored first (set_real_ip_from / real_ip_header).
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

server {
    location /api/ {
        # Request rate limit: 10 r/s sustained; a burst of up to 20 extra
        # requests is forwarded immediately (nodelay), anything beyond is rejected
        limit_req zone=api_limit burst=20 nodelay;
        # At most 100 concurrent connections per client address
        limit_conn conn_limit 100;

        # Rate-limited requests get 429 instead of the default 503
        # (limit_conn rejections still return 503 unless limit_conn_status is set)
        limit_req_status 429;

        proxy_pass http://127.0.0.1:8080;
    }
}

7.4 请求头过滤

server {
    # Block common bot User-Agents. The header is chosen by the client, so this
    # only stops unsophisticated scrapers - and "bot" also matches legitimate
    # crawlers such as Googlebot. An "if" at server level whose body is a plain
    # return is one of the safe uses of if.
    if ($http_user_agent ~* (bot|crawl|spider|scraper)) {
        return 403;
    }

    # Block image hotlinking by Referer. "none" admits requests without a
    # Referer and "blocked" those stripped by proxies/firewalls, and the header
    # is client-supplied, so this is a deterrent rather than access control.
    # Note: a regex location like this one wins over any prefix location
    # (e.g. /static/) for matching image URIs.
    location ~* \.(jpg|jpeg|png|gif|svg)$ {
        valid_referers none blocked yourdomain.com *.yourdomain.com;
        if ($invalid_referer) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
    }
}

八、超时与缓冲优化

server {
    listen 80;
    server_name yourdomain.com;

    location / {
        proxy_pass http://backend_cluster;

        # Time allowed to establish the TCP connection to the backend
        proxy_connect_timeout 5s;

        # Maximum gap between two successive reads from the backend
        # (not a limit on the total response time)
        proxy_read_timeout 60s;

        # Maximum gap between two successive writes of the request to the backend
        proxy_send_timeout 60s;

        # Buffering: Nginx reads the backend response into these buffers and
        # releases the backend connection as soon as the response is in, so a
        # slow client does not tie up a backend worker
        proxy_buffering on;
        proxy_buffer_size 16k;        # buffer for the first part (headers) of the response
        proxy_buffers 4 32k;          # buffers per connection for the body
        proxy_busy_buffers_size 64k;  # how much may be busy being sent to the client

        # Large downloads: 0 disables spooling the response to a temp file on disk.
        # Buffering stays ON; once the in-memory buffers are full Nginx reads
        # from the backend only as fast as the client drains them. For true
        # streaming with no buffering use proxy_buffering off instead.
        proxy_max_temp_file_size 0;
    }

    # Paths that receive large uploads
    location /upload/ {
        proxy_pass http://backend_cluster;

        # Default client_max_body_size is 1m; larger bodies are rejected with 413
        client_max_body_size 100M;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }
}

九、日志配置

# Custom access-log format; log_format is only valid in the http context.
# $upstream_addr / $upstream_response_time record which backend answered and
# how long it took, $upstream_cache_status whether the cache served it.
log_format proxy_log '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent" '
                      'upstream=$upstream_addr '
                      'response_time=$upstream_response_time '
                      'cache=$upstream_cache_status';

server {
    access_log /var/log/nginx/proxy_access.log proxy_log;
    # warn and more severe only
    error_log /var/log/nginx/proxy_error.log warn;

    # Keep health-check probes out of the access log. This is a prefix match,
    # so it also covers /healthz and /health/...; use "location = /health"
    # for an exact match.
    location /health {
        access_log off;
        return 200 "OK";
    }
}

十、完整配置示例

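# /etc/nginx/sites-available/complete-proxy
# This file is included from the http context by nginx.conf, so upstream,
# limit_req_zone and proxy_cache_path may appear at its top level. They are
# NOT allowed inside server {} - nginx -t rejects them there.

# Upstream clusters
upstream app_backend {
    least_conn;
    server 192.168.1.101:8080 weight=5 max_fails=3 fail_timeout=30s;
    server 192.168.1.102:8080 weight=5 max_fails=3 fail_timeout=30s;
    # Idle connections kept per worker; only used if the proxying location sets
    # proxy_http_version 1.1 and an empty Connection header (see location / below)
    keepalive 32;
}

upstream api_backend {
    server 127.0.0.1:3000 max_fails=3 fail_timeout=10s;
}

# Rate-limit zone (http context), keyed on the client address
limit_req_zone $binary_remote_addr zone=limit:10m rate=20r/s;

# Cache zone referenced by location / below. The zone has to be defined, or
# nginx -t fails with an unknown-zone error.
proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=proxycache:10m
    max_size=5g inactive=60m use_temp_path=off;

# HTTP -> HTTPS redirect
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}

# Main HTTPS server
server {
    listen 443 ssl http2;
    server_name yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Gzip compression. Compressing responses that reflect client input next to
    # secrets over TLS is the BREACH pattern; if the API does that, consider
    # dropping application/json from this list.
    gzip on;
    gzip_types text/plain text/css application/json application/javascript;

    # Security headers. add_header is inherited by a location only if that
    # location has NO add_header of its own, so every response header is set
    # here at server level and none inside locations - otherwise HSTS and
    # X-Frame-Options would silently vanish from those locations' responses.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000" always;
    # Cache status for debugging; omitted automatically when the value is empty
    # (static responses), so it is safe at server level
    add_header X-Cache $upstream_cache_status;

    # Rate limiting: 20 r/s per client, bursts of up to 50 forwarded immediately
    limit_req zone=limit burst=50 nodelay;

    # Static assets
    location /static/ {
        alias /var/www/static/;
        expires 30d;
        access_log off;
    }

    # Frontend application
    location / {
        proxy_pass http://app_backend;
        # Required for the upstream keepalive pool to be used at all
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # No proxy_cache_valid here: only responses the backend marks cacheable
        # (Cache-Control / Expires) are stored
        proxy_cache proxycache;
    }

    # API - never cached
    location /api/ {
        proxy_pass http://api_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache off;
    }
}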

十一、常用运维命令

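# Validate the configuration (always run this before a reload)
sudo nginx -t

# Reload without dropping connections
sudo systemctl reload nginx

# Socket summary for the current connection counts
ss -s

# List Nginx processes (pgrep instead of ps | grep, which also lists itself)
pgrep -a nginx

# Follow the access log live
sudo tail -f /var/log/nginx/proxy_access.log

# Show the cache-status response header (HIT/MISS/...). This does not report
# upstream server health. Use the https:// URL when port 80 only redirects.
curl -sI http://yourdomain.com | grep -i "x-cache"

# Regenerate DH parameters. The file is only used if a server block references
# it with ssl_dhparam /etc/nginx/dhparam.pem; - none of the examples above do.
sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048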

总结

Nginx反向代理是现代Web架构的核心组件,掌握其配置对于构建高性能、高可用的服务至关重要。

场景 关键配置
单服务代理 proxy_pass + proxy_set_header
负载均衡 upstream + least_conn/weight
WebSocket Upgrade + Connection头
缓存加速 proxy_cache + proxy_cache_valid
安全防护 IP白名单 + 限流 + 基础认证
SSL卸载 ssl_certificate + ssl_protocols

注:本文基于Nginx 1.24+、Ubuntu 22.04/24.04编写。
