Nginx Reverse Proxy

Nginx configuration file location

The Nginx configuration file is located at /usr/local/nginx/conf/nginx.conf by default. Open it and you will see:

http {
    ......
    ##
    # Virtual Host Configs
    ##

    include /usr/local/nginx/conf/conf.d/*.conf;
    include /usr/local/nginx/conf/sites-enabled/*;
}

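This shows that by default nginx automatically includes /usr/local/nginx/conf/conf.d/*.conf and /usr/local/nginx/conf/sites-enabled/*.

By default there is one site under /usr/local/nginx/conf/sites-enabled/; it is the default site that exists right after nginx is installed: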

$ cd /usr/local/nginx/conf/sites-enabled/sites-enabled
$ ls -l
total 0
lrwxrwxrwx 1 root root 34 Oct 6 02:19 default -> /usr/local/nginx/conf/sites-enabled/sites-available/default

Open /usr/local/nginx/conf/sites-enabled/default and you will see the following:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}

As this document recommends:

In most cases, administrators will remove this file from sites-enabled/ and leave it as reference inside of sites-available where it will continue to be updated by the nginx packaging team.

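It is best to create the site configuration files under /usr/local/nginx/conf/sites-enabled/sites-available/; these are the so-called "available sites". Then link them into /usr/local/nginx/conf/sites-enabled/sites-enabled to turn them on; the linked sites are the so-called "enabled sites".

Which available sites are enabled is controlled by creating links.

Virtual hosts

Reverse proxy

In practice, each web server runs in its own process and therefore has to listen on its own port, which means some web applications must use a port other than 80. The port number then has to appear in the address bar, which badly hurts the user experience.

A better approach is to use different domain names or subdomains and let nginx, acting as a reverse proxy, forward each request to the server that actually handles it.

Creating the virtual host frp.zhouyuqian.com

Goal: http://frp.zhouyuqian.com should point to the frps service running on port 7500 of this machine.

Create a file named frp.zhouyuqian.com under /usr/local/nginx/conf/sites-enabled/sites-available/ with the following content: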

http

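server {
    listen 80;

    server_name frp.zhouyuqian.com;

    location /
    {
        proxy_pass http://127.0.0.1:7500; # forwarding rule
        # Rewrite the forwarded request headers so the backend application receives the real request.
        # Note: $proxy_host is the proxy_pass target (127.0.0.1:7500); $host is the name the client requested.
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_header Server;
        proxy_connect_timeout 3s;
        proxy_read_timeout 10s;
    }
}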

https

server {
    listen 443 ssl;

    server_name frp.zhouyuqian.com;

    ssl_certificate /usr/local/nginx/conf/cert/1_frp.zhouyuqian.com_bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/cert/2_frp.zhouyuqian.com.key;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 is the only current version in this list.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    location / {
        proxy_pass http://127.0.0.1:7500/; # forwarding rule
        # Rewrite the forwarded request headers so the backend application receives the real request.
        # Note: $proxy_host is the proxy_pass target (127.0.0.1:7500); $host is the name the client requested.
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_header Server;
        proxy_connect_timeout 3s;
        proxy_read_timeout 10s;
        index index.html index.htm;
    }
}

server {
    listen *:80;
    listen [::]:80;
    server_name frp.zhouyuqian.com;
    return 301 https://frp.zhouyuqian.com$request_uri;
}

Link the frp.zhouyuqian.com site file into the /usr/local/nginx/conf/sites-enabled/sites-enabled/ directory:

sudo ln -s /usr/local/nginx/conf/sites-enabled/sites-available/frp.zhouyuqian.com /usr/local/nginx/conf/sites-enabled/sites-enabled/frp.zhouyuqian.com

After the changes, check the configuration and reload it with:

sudo nginx -t
sudo nginx -s reload
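
An added example (not part of the original article): a small Python check that flags legacy protocol versions and weak cipher tokens in the ssl_protocols and ssl_ciphers directives, run on an abridged copy of the https server block above and on a constructed hardened variant. The names audit_tls, PAGE_STYLE and HARDENED are illustrative assumptions.

```python
import re

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996; SSLv2/v3 earlier.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names/keywords that should not be enabled.
WEAK_CIPHER_MARKERS = ("DES-CBC3", "3DES", "RC4", "MD5", "NULL", "EXPORT")


def directive_args(conf: str, name: str):
    """Yield the argument list of each `name ...;` directive in conf."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments first
    pattern = r"(?m)^\s*" + re.escape(name) + r"\s+([^;]+);"
    for match in re.finditer(pattern, text):
        yield match.group(1).replace("'", " ").replace('"', " ").split()


def audit_tls(conf: str):
    """Return (directive, value) pairs for legacy protocols and weak ciphers."""
    findings = []
    for args in directive_args(conf, "ssl_protocols"):
        findings += [("ssl_protocols", p) for p in args if p in LEGACY_PROTOCOLS]
    for args in directive_args(conf, "ssl_ciphers"):
        for token in ":".join(args).split(":"):
            if token.startswith(("!", "-")):
                continue  # explicitly excluded or removed from the list
            if any(marker in token.upper() for marker in WEAK_CIPHER_MARKERS):
                findings.append(("ssl_ciphers", token))
    return findings


# Abridged from the https server block above (cipher list shortened).
PAGE_STYLE = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!EDH-RSA-DES-CBC3-SHA';
}
"""

# Constructed hardened variant: TLS 1.2/1.3 with AEAD, forward-secret suites.
HARDENED = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
}
"""

if __name__ == "__main__":
    for conf in (PAGE_STYLE, HARDENED):
        print(audit_tls(conf))
```

The check is token-based: it does not expand OpenSSL group keywords such as AES or CAMELLIA into the suites they select.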

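With / versus without /

When configuring proxy_pass forwarding, if the URL ends with /, it is treated as an absolute root path (the part of the request URI that matches the location is replaced by it); without the /, it is treated as a relative path (the request URI is passed to the upstream unchanged).

For example:

  1. With /

server_name shaochenfeng.com;
location /data/ {
    proxy_pass http://127.0.0.1/;
}

A request for http://shaochenfeng.com/data/index.html is forwarded to http://127.0.0.1/index.html

  2. Without /

server_name shaochenfeng.com;
location /data/ {
    proxy_pass http://127.0.0.1;
}

A request for http://shaochenfeng.com/data/index.html is forwarded to http://127.0.0.1/data/index.html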
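
An added example (not part of the original article): a Python model of the rewrite rule for a plain prefix location, covering the two cases above and, going beyond them, two constructed slash mismatches that produce paths worth catching in a configuration review. The function name upstream_url and the CASES table are illustrative assumptions.

```python
from urllib.parse import urlsplit


def upstream_url(location_prefix: str, proxy_pass: str, request_uri: str) -> str:
    """Model how nginx builds the upstream URL for a plain prefix location.

    Simplified model: no regex locations, no variables in proxy_pass, and
    no URI normalisation (nginx normalises before replacing the prefix).
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location_prefix):
        raise ValueError("request does not match this location")
    target = urlsplit(proxy_pass)
    origin = f"{target.scheme}://{target.netloc}"
    if target.path:
        # proxy_pass carries a URI part (even a bare "/"): the matched
        # location prefix is replaced by that URI part.
        path = target.path + path[len(location_prefix):]
    # Otherwise the request URI is forwarded exactly as received.
    return origin + path + sep + query


# (location, proxy_pass) pairs; the first two are the article's cases, the
# last two are constructed mismatches between the two trailing slashes.
CASES = [
    ("/data/", "http://127.0.0.1/"),
    ("/data/", "http://127.0.0.1"),
    ("/data/", "http://127.0.0.1/app"),
    ("/data", "http://127.0.0.1/"),
]


def demo(request_uri: str = "/data/index.html"):
    """Return the upstream URL for each case in CASES."""
    return [upstream_url(loc, pp, request_uri) for loc, pp in CASES]


if __name__ == "__main__":
    for (loc, pp), url in zip(CASES, demo()):
        print(f"location {loc:<7} proxy_pass {pp:<22} -> {url}")
```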

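WSS

The Node-RED service uses WSS. If the nginx proxy does not have WSS enabled, the message “Lost connection to server, reconnecting...” keeps appearing.

WSS means WebSocket + HTTPS; put simply, it is secure WebSocket.

Core directives for supporting WSS requests (add them inside server - location):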

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Remote_addr $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
