具有负载平衡的反向代理的最佳设置是什么?

具有负载平衡的反向代理的最佳设置是什么?

我正在使用反向代理和负载平衡。在我的场景中,我有三台服务器。第一台服务器是代理。第二台和第三台是使用 Swarm 的 Docker 服务器。端口 2020 用于 Apache 服务的两个副本。端口 2021 用于 Nginx 服务的两个副本。平衡是根据副本完成的。由于我是 Nginx 的新手,我想知道以下设置是否足够。是否可以改进此配置?它安全吗?

代理配置.conf:

##########
# Apache #
##########

  upstream apache {
        least_conn;

        #Container replicas
        server 192.168.0.4:2020;
        server 192.168.0.5:2020;
  }
  server {
        listen 80;
        server_name host.apache.domain.com;

        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://apache;
        }
   }

#########
# Nginx #
#########

  upstream nginx {
        least_conn;

        #Container replicas
        server 192.168.0.4:2021;
        server 192.168.0.5:2021;
  }

  server {
        listen 80;
        server_name host.nginx.domain.com;

        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://nginx;
        }
   }

在这个特定的例子中,我使用了以下内容:

    location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://nginx;
    }

如果我仅使用以下配置,还不够吗?

    location / {
            proxy_pass http://nginx;
    }

我阅读了 Nginx 文档,但我需要更多示例。

答案1

Digital Ocean 提供了一个免费的 NGINX 配置工具,其中包含代码注释和示例供您学习。一定要试试这个。我希望在我学习 NGINX 的时候它就存在。

访问nginx配置工具

下面的带安全标头的 SSL 反向代理服务器代码就是用它生成的。你可以在学习过程中对其进行自定义

# Generated by nginxconfig.io
# https://www.digitalocean.com/community/tools/nginx?domains.0.php.php=false&domains.0.reverseProxy.reverseProxy=true&domains.0.routing.index=index.html&domains.0.routing.fallbackHtml=true&global.https.ocspCloudflare=false&global.https.ocspOpenDns=false&global.tools.modularizedStructure=false

user                 www-data;
pid                  /run/nginx.pid;
worker_processes     auto;
worker_rlimit_nofile 65535;

events {
    multi_accept       on;
    worker_connections 65535;
}

http {
    charset                utf-8;
    sendfile               on;
    tcp_nopush             on;
    tcp_nodelay            on;
    server_tokens          off;
    log_not_found          off;
    types_hash_max_size    2048;
    types_hash_bucket_size 64;
    client_max_body_size   16M;

    # MIME
    include                mime.types;
    default_type           application/octet-stream;

    # Logging
    access_log             /var/log/nginx/access.log;
    error_log              /var/log/nginx/error.log warn;

    # SSL
    ssl_session_timeout    1d;
    ssl_session_cache      shared:SSL:10m;
    ssl_session_tickets    off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam            /etc/nginx/dhparam.pem;

    # Mozilla Intermediate configuration
    ssl_protocols          TLSv1.2 TLSv1.3;
    ssl_ciphers            ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # OCSP Stapling
    ssl_stapling           on;
    ssl_stapling_verify    on;
    resolver               8.8.8.8 8.8.4.4 valid=60s;
    resolver_timeout       2s;

    # Connection header for WebSocket reverse proxy
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ""      close;
    }

    # Load configs
    include /etc/nginx/conf.d/*.conf;

    # example.com
    server {
        listen                               443 ssl http2;
        listen                               [::]:443 ssl http2;
        server_name                          example.com;
        root                                 /var/www/example.com/public;

        # SSL
        ssl_certificate                      /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key                  /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_trusted_certificate              /etc/letsencrypt/live/example.com/chain.pem;

        # security headers
        add_header X-Frame-Options           "SAMEORIGIN" always;
        add_header X-XSS-Protection          "1; mode=block" always;
        add_header X-Content-Type-Options    "nosniff" always;
        add_header Referrer-Policy           "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # . files
        location ~ /\.(?!well-known) {
            deny all;
        }

        # index.php fallback
        location ~ ^/api/ {
            try_files $uri $uri/ /index.php?$query_string;
        }

        # reverse proxy
        location / {
            proxy_pass                         http://127.0.0.1:3000;
            proxy_http_version                 1.1;
            proxy_cache_bypass                 $http_upgrade;

            # Proxy headers
            proxy_set_header Upgrade           $http_upgrade;
            proxy_set_header Connection        $connection_upgrade;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host  $host;
            proxy_set_header X-Forwarded-Port  $server_port;

            # Proxy timeouts
            proxy_connect_timeout              60s;
            proxy_send_timeout                 60s;
            proxy_read_timeout                 60s;
        }

        # favicon.ico
        location = /favicon.ico {
            log_not_found off;
            access_log    off;
        }

        # robots.txt
        location = /robots.txt {
            log_not_found off;
            access_log    off;
        }

        # assets, media
        location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
            expires    7d;
            access_log off;
        }

        # svg, fonts
        location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
            add_header Access-Control-Allow-Origin "*";
            expires    7d;
            access_log off;
        }

        # gzip
        gzip            on;
        gzip_vary       on;
        gzip_proxied    any;
        gzip_comp_level 6;
        gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
    }

    # subdomains redirect
    server {
        listen                  443 ssl http2;
        listen                  [::]:443 ssl http2;
        server_name             *.example.com;

        # SSL
        ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
        return                  301 https://example.com$request_uri;
    }

    # HTTP redirect
    server {
        listen      80;
        listen      [::]:80;
        server_name .example.com;

        # ACME-challenge
        location ^~ /.well-known/acme-challenge/ {
            root /var/www/_letsencrypt;
        }

        location / {
            return 301 https://example.com$request_uri;
        }
    }
}

相关内容