# Nginx Advanced Configuration: Load Balancing, Rate Limiting, Caching, SSL

Load balancing, rate limiting, caching, and SSL optimization.
## Load Balancing

### Basic configuration
```nginx
upstream backend {
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
    server 192.168.1.12:8080;
}

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

### Load balancing strategies
```nginx
# Alternative definitions of the same upstream: use only one
# load balancing method per upstream block.

# Round robin (default)
upstream backend {
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
}

# Weighted
upstream backend {
    server 192.168.1.10:8080 weight=3;
    server 192.168.1.11:8080 weight=1;
}

# IP hash (the same client IP always goes to the same server)
upstream backend {
    ip_hash;
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
}

# Least connections
upstream backend {
    least_conn;
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
}
```

### Health checks
```nginx
upstream backend {
    server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;
}
```

| Parameter | Meaning |
|---|---|
| max_fails | Number of failed attempts before the server is marked unavailable |
| fail_timeout | How long the server stays unavailable before it is tried again |

Note that these are passive checks: a server is only marked down after real proxied requests to it fail. Active health probing is not part of open-source Nginx.
## Rate Limiting

### Basic rate limiting
```nginx
http {
    # Define the rate limiting zone
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

    server {
        listen 80;
        server_name example.com;

        location / {
            limit_req zone=mylimit burst=20 nodelay;
            proxy_pass http://backend;
        }
    }
}
```

Parameter description:
| Parameter | Meaning |
|---|---|
| zone=mylimit:10m | Zone name and size (10 MB holds about 160,000 IP addresses) |
| rate=10r/s | 10 requests per second |
| burst=20 | Allow a burst of 20 extra requests |
| nodelay | Do not queue burst requests: serve them immediately, and reject anything beyond the burst outright |
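To make rate, burst and nodelay concrete, here is an added example (not part of the original post) that simulates Nginx's leaky bucket for the `rate=10r/s burst=20` zone above. The algorithm is a simplified reading of how limit_req accounts for excess requests, assumed rather than taken from Nginx's source, and the traffic is constructed.

```python
# Simplified model of nginx limit_req's leaky bucket (assumed reading of the
# algorithm, not nginx's own code). "excess" counts thousandths of a request
# above the steady rate; it drains at `rate` requests per second and each
# arrival adds one request. Rejected requests get 503 and leave state untouched.
def simulate_limit_req(arrivals_ms, rate, burst, nodelay=False):
    """Return one (decision, delay_ms) tuple per arrival (times in ms, sorted).

    decision is "accepted" (served now), "delayed" (held delay_ms before
    being passed upstream) or "rejected" (excess beyond burst, HTTP 503).
    """
    excess, last, results = 0, None, []
    for t in arrivals_ms:
        if last is not None:
            # drain rate*elapsed thousandths since the previous accepted request
            excess = max(0, excess - rate * (t - last) + 1000)
        if excess > burst * 1000:
            results.append(("rejected", 0))
            continue                      # no state update on rejection
        delay = 0 if nodelay else excess // rate   # ms: (excess/1000) / rate
        results.append(("delayed" if delay else "accepted", delay))
        last = t
    return results


def tally(results):
    """Count decisions in a simulate_limit_req() result list."""
    counts = {"accepted": 0, "delayed": 0, "rejected": 0}
    for decision, _ in results:
        counts[decision] += 1
    return counts


if __name__ == "__main__":
    # Constructed traffic against the page's zone: rate=10r/s burst=20.
    flood = [0] * 25                       # 25 requests in the same millisecond
    steady = [i * 100 for i in range(25)]  # exactly 10 r/s
    print("flood, nodelay   :", tally(simulate_limit_req(flood, 10, 20, nodelay=True)))
    print("flood, no nodelay:", tally(simulate_limit_req(flood, 10, 20)))
    print("max queue delay ms:", max(d for _, d in simulate_limit_req(flood, 10, 20)))
    print("steady 10 r/s    :", tally(simulate_limit_req(steady, 10, 20)))
```

With nodelay the whole burst is passed upstream at once and only the overflow gets 503; without it the same 20 burst requests are spread over two seconds, which is what keeps the backend at 10 r/s.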
### Rate limiting by path
```nginx
location /api/ {
    limit_req zone=mylimit burst=10;
    proxy_pass http://backend;
}

location /static/ {
    # No rate limiting for static assets
    proxy_pass http://backend;
}
```

### Limiting connections
```nginx
http {
    limit_conn_zone $binary_remote_addr zone=connlimit:10m;

    server {
        location / {
            limit_conn connlimit 10;
            proxy_pass http://backend;
        }
    }
}
```

### Limiting bandwidth
```nginx
location /download/ {
    limit_rate 1m;   # 1 MB per second
    proxy_pass http://backend;
}
```

## Caching
### Proxy cache
```nginx
http {
    # Define the cache path
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mycache:10m
                     max_size=1g inactive=60m;

    server {
        location / {
            proxy_cache mycache;
            proxy_cache_valid 200 302 10m;
            proxy_cache_valid 404 1m;
            proxy_cache_key "$scheme$request_method$host$request_uri";
            proxy_pass http://backend;
        }
    }
}
```

Parameter description:
| Parameter | Meaning |
|---|---|
| levels=1:2 | Cache directory hierarchy |
| keys_zone=mycache:10m | Cache zone name and size |
| max_size=1g | Maximum cache size |
| inactive=60m | Entries not accessed for 60 minutes are removed |
| proxy_cache_valid | Cache time per response status code |
### Static asset caching
```nginx
location ~* \.(jpg|jpeg|png|gif|css|js|svg|woff2)$ {
    expires 30d;
    add_header Cache-Control "public, immutable";
}
```

### Disabling caching
```nginx
location /api/ {
    add_header Cache-Control "no-cache, no-store, must-revalidate";
    proxy_pass http://backend;
}
```

## SSL Optimization
### Basic configuration
```nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://backend;
    }
}
```

### SSL session cache
```nginx
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
```

### OCSP Stapling
```nginx
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
```

### Redirect HTTP to HTTPS
```nginx
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

## Other Advanced Configuration
### Compression
```nginx
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
```

### Timeouts
```nginx
proxy_connect_timeout 10s;
proxy_send_timeout 60s;
proxy_read_timeout 300s;
```

### Log format
```nginx
log_format detailed '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    'rt=$request_time upstream=$upstream_response_time';

access_log /var/log/nginx/access.log detailed;
```

### Hide the version number
```nginx
server_tokens off;
```

## Common Problems
### Uneven load balancing
```bash
# Check the status of the backend services
curl http://192.168.1.10:8080/health
curl http://192.168.1.11:8080/health

# Check the Nginx log
tail -f /var/log/nginx/access.log
```

### Rate limiting not taking effect
```bash
# Check the rate limiting status
curl http://localhost/api/status

# Rejected requests get a 503 by default (limit_req_status) and are
# logged in error.log with "limiting requests" (limit_req_log_level)
tail -f /var/log/nginx/error.log
```

### Cache not taking effect
```bash
# Check the cache directory
ls -la /var/cache/nginx/

# Check the cache log (hit/miss status only appears in the access log
# if $upstream_cache_status is included in the log_format)
tail -f /var/log/nginx/cache.log
```

### SSL certificate expired
```bash
# Check the certificate expiry dates
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -dates

# Renew automatically
certbot renew
```

## Summary
| Feature | Configuration |
|---|---|
| Load balancing | upstream + proxy_pass |
| Rate limiting | limit_req_zone + limit_req |
| Caching | proxy_cache_path + proxy_cache |
| SSL | ssl_certificate + ssl_protocols |
| Compression | gzip on |
| Timeouts | proxy_*_timeout |
Remember: after changing the configuration, run `nginx -t` to check the syntax and `systemctl reload nginx` to reload.