# 05-Nginx-LB Configuration Explained

This document explains the Nginx load balancer (Nginx-LB) configuration in detail. Nginx-LB is the entry point of the whole architecture: it is where client requests arrive.
## Position in the Architecture

```
Client
  │
  ▼
┌─────────────────────┐
│  VIP 172.20.1.100   │ ← Keepalived floating IP
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│      Nginx-LB       │ ← Load-balancing layer
│  172.20.1.11/12/13  │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│ PHP service cluster │ ← 3 PHP service nodes
│  172.20.2.11/12/13  │
└─────────────────────┘
```
## Configuration Components

Nginx-LB uses three configuration files:

- `nginx.conf` - main configuration file, contains the `upstream` definition
- `conf.d/upstream.conf` - server block configuration
- `ssl.conf` - SSL/TLS configuration
## Full Configuration

### nginx.conf
```nginx
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'upstream: $upstream_addr '
                    'upstream_status: $upstream_status '
                    'request_time: $request_time '
                    'upstream_response_time: $upstream_response_time';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 100M;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json
               application/javascript application/xml+rss application/rss+xml
               font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;

    upstream web_backend {
        least_conn;
        server 172.20.2.11:80 max_fails=3 fail_timeout=30s;
        server 172.20.2.12:80 max_fails=3 fail_timeout=30s;
        server 172.20.2.13:80 max_fails=3 fail_timeout=30s;
    }

    include /etc/nginx/conf.d/*.conf;
}
```

### conf.d/upstream.conf
```nginx
server {
    listen 80;
    server_name localhost;

    location / {
        proxy_pass http://web_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
    }

    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }
}
```

### ssl.conf
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
```

Note that `ssl.conf` is mounted into the container as `/etc/nginx/ssl.conf` (see the Docker Compose section), but neither `nginx.conf` nor the `listen 80` server block in `upstream.conf` includes it, so these TLS settings only take effect once a server block with `listen 443 ssl` and the certificate directives includes this file.
## Directive Details
### 1. worker_processes

```nginx
worker_processes auto;
```

- `auto`: Nginx detects the number of CPU cores and starts that many worker processes
- Recommended value: the number of CPU cores, or `auto`
### 2. worker_connections

```nginx
worker_connections 1024;
```

- Maximum number of concurrent connections each worker process may handle
- 1024 is a conservative value and can be raised as needed
### 3. use epoll

```nginx
use epoll;
```

- Uses the epoll event model (high-performance I/O multiplexing on Linux)
- Suited to high-concurrency scenarios
### 4. multi_accept

```nginx
multi_accept on;
```

- Accepts as many pending connections as possible per accept call
- Improves concurrent handling capacity
### 5. sendfile

```nginx
sendfile on;
tcp_nopush on;
tcp_nodelay on;
```

- `sendfile`: kernel-level file transfer, reducing context switches
- `tcp_nopush`: sends the data packets immediately after the response headers
- `tcp_nodelay`: disables Nagle's algorithm to lower latency
### 6. Log format

```nginx
log_format main '...upstream: $upstream_addr...upstream_status: $upstream_status...';
```

- Records the upstream address and status, which makes troubleshooting easier
- Includes key metrics such as request time and upstream response time
### 7. Gzip compression

```nginx
gzip on;
gzip_types text/plain application/json...;
```

- Enables gzip compression to reduce the transferred volume
- Compresses text-type content only
### 8. upstream configuration

```nginx
upstream web_backend {
    least_conn;
    server 172.20.2.11:80 max_fails=3 fail_timeout=30s;
    server 172.20.2.12:80 max_fails=3 fail_timeout=30s;
    server 172.20.2.13:80 max_fails=3 fail_timeout=30s;
}
```

Load-balancing algorithm:

- `least_conn`: prefers the server with the fewest active connections
- Other options: `ip_hash`, `hash`, `round_robin` (the default)

Health-check parameters:

- `max_fails=3`: after 3 consecutive failures the server is considered unavailable
- `fail_timeout=30s`: the server is not tried again for 30 seconds after being marked unavailable

These are passive checks: a server is only marked down when real client requests to it fail, so the first requests after a backend dies are still sent to it.
### 9. Proxy configuration

```nginx
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
```

- Passes the real client IP to the backend PHP services
- Preserves the original request protocol (HTTP/HTTPS) through `X-Forwarded-Proto` in the full `upstream.conf`

Note that `$proxy_add_x_forwarded_for` appends the connecting address to whatever `X-Forwarded-For` value the client already sent, so the backend should take the client address from `X-Real-IP`, which this load balancer always overwrites, rather than from the first `X-Forwarded-For` entry.
### 10. Health-check endpoint

```nginx
location /health {
    access_log off;
    return 200 "healthy\n";
}
```

- Used by Keepalived (and by the Docker Compose `healthcheck` below) to check whether Nginx is up
- Access logging is disabled to reduce disk I/O
## Service IP Allocation
| Node | nginx-lb IP |
|---|---|
| Node1 | 172.20.1.11 |
| Node2 | 172.20.1.12 |
| Node3 | 172.20.1.13 |
## Docker Compose Configuration

```yaml
nginx-lb:
  image: nginx:alpine
  container_name: nginx-lb
  networks:
    frontend-net:
      ipv4_address: 172.20.1.11   # Node1
      # 172.20.1.12 (Node2)
      # 172.20.1.13 (Node3)
    backend-net:
      ipv4_address: 172.20.2.100  # Node1
      # 172.20.2.101 (Node2)
      # 172.20.2.102 (Node3)
  volumes:
    - ./config/nginx-lb/nginx.conf:/etc/nginx/nginx.conf:ro
    - ./config/nginx-lb/conf.d:/etc/nginx/conf.d:ro
    - ./config/nginx-lb/ssl.conf:/etc/nginx/ssl.conf:ro
  restart: unless-stopped
  healthcheck:
    test: ["CMD-SHELL", "curl -f http://localhost/health > /dev/null 2>&1 || exit 1"]
    interval: 10s
    timeout: 5s
    retries: 3
```
## FAQ

### Q1: upstream returns 502 Bad Gateway

Check whether the PHP services are running:

```bash
docker ps | grep php
```

Check network connectivity to a backend:

```bash
ping 172.20.2.11
```

Check the Nginx error log:

```bash
docker logs nginx-lb
```

### Q2: All upstreams fail

- Confirm the healthcheck status of the three PHP services
- Check the backend network configuration

### Q3: upstream information is missing from the log

Make sure `log_format` includes `$upstream_addr` and `$upstream_status`, then reload the configuration:

```bash
docker exec nginx-lb nginx -s reload
```
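The `main` log_format in `nginx.conf` records an upstream address and status per attempt, which is what the 502 troubleshooting in Q1 and Q3 relies on. The following Python script is an added example, not part of the original document: it parses lines in exactly that format, handles the comma-separated values nginx writes when a request is retried on the next backend, and reports backends whose 5xx responses reach a threshold. The sample log lines are constructed.

```python
import re
from collections import defaultdict

# Regex for the `main` log_format defined in nginx.conf above.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" '
    r'"(?P<user_agent>[^"]*)" "(?P<xff>[^"]*)" '
    r'upstream: (?P<upstream_addr>.+?) upstream_status: (?P<upstream_status>.+?) '
    r'request_time: (?P<request_time>\S+) upstream_response_time: (?P<upstream_rt>.*)$'
)

def _split(field):
    # A retried request logs one value per attempt joined by ", "; "-" means no upstream was used.
    return [p.strip() for p in field.split(',')]

def parse_line(line):
    # Return the fields of one access-log line as a dict, or None if it does not match.
    m = LOG_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    rec = m.groupdict()
    for key in ('upstream_addr', 'upstream_status', 'upstream_rt'):
        rec[key] = _split(rec[key])
    return rec

def upstream_errors(lines, threshold=2):
    # Count 5xx responses per backend, one per attempt, and return backends at/above threshold.
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['upstream_addr'] == ['-']:
            continue
        for addr, status in zip(rec['upstream_addr'], rec['upstream_status']):
            if status.startswith('5'):
                counts[addr] += 1
    return {addr: n for addr, n in counts.items() if n >= threshold}

# Constructed sample lines in the `main` format (not real traffic).
SAMPLE_LINES = [
    '172.20.1.50 - - [10/Jan/2025:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0" "-" '
    'upstream: 172.20.2.11:80 upstream_status: 200 request_time: 0.012 upstream_response_time: 0.010',
    # Retried request: 172.20.2.12 failed, 172.20.2.13 answered.
    '172.20.1.50 - - [10/Jan/2025:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0" "-" '
    'upstream: 172.20.2.12:80, 172.20.2.13:80 upstream_status: 502, 200 request_time: 0.031 upstream_response_time: 0.004, 0.020',
    '172.20.1.51 - - [10/Jan/2025:12:00:03 +0000] "POST /api.php HTTP/1.1" 502 157 "-" "curl/8.0" "-" '
    'upstream: 172.20.2.12:80 upstream_status: 502 request_time: 0.003 upstream_response_time: 0.002',
    # Rejected by client_max_body_size before reaching any upstream, so the upstream fields are "-".
    '172.20.1.52 - - [10/Jan/2025:12:00:04 +0000] "POST /upload.php HTTP/1.1" 413 0 "-" "curl/8.0" "-" '
    'upstream: - upstream_status: - request_time: 0.001 upstream_response_time: -',
]
```

Run it against `/var/log/nginx/access.log` from the `nginx-lb` container to see which backend is producing the 502s before reaching for `docker logs`.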
## Next Steps

- `06-Keepalived配置详解.md` - VIP high availability
- `07-PHP服务配置详解.md` - PHP service configuration