五:Nginx http 反向代理
Nginx 反向代理功能涉及的模块:
- ngx_http_proxy_module: 将客⼾端的请求以http协议转发⾄指定服务器进⾏处理。
- ngx_stream_proxy_module:将客⼾端的请求以tcp协议转发⾄指定服务器处理。
- ngx_http_fastcgi_module:将客⼾端对php的请求以fastcgi协议转发⾄指定服务器助理。
- ngx_http_uwsgi_module:将客⼾端对Python的请求以uwsgi协议转发⾄指定服务器处理。
5.1:准备后端 Web 服务器
后端 Web 服务采用 httpd;
- 安装 httpd:
~]# yum install httpd -y
- 启动 httpd 并设置为开机启动
~]# systemctl start httpd
~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
- 准备测试页面:
[root@node107 ~]# echo "node107 httpd page" > /var/www/html/index.html
[root@node108 ~]# echo "node108 httpd page" > /var/www/html/index.html
- 访问测试:
[root@node105 ~]# curl http://192.168.1.107
node107 httpd page
[root@node105 ~]# curl http://192.168.1.108
node108 httpd page
5.2:proxy_pass
5.2.1:代理单台 Web 服务器
将 www.yqc.com 和 www.yqc.com/images 代理至后端 web 服务器 node107;
注意 proxy_pass 后指定的 URL,末尾代
/
和不代/
的区别:
- 代
/
,表示无论 location 指定的是哪个 URI,都直接跳转至后端服务器的根/
(即指向 httpd 服务器的 /var/www/html,在此目录下要有指定的资源);- 不代
/
,表示访问 location 指定 URI 在后端服务器中对应的相同路径(后端 web 服务器要存在相应的资源目录);
- 编辑 nginx 配置文件:
location / {
proxy_pass http://192.168.1.107:80;
}
location /images {
proxy_pass http://192.168.1.107:80;
}
- 后端 web 服务器准备相应资源目录:
[root@node107 ~]# mkdir /var/www/html/images
[root@node107 ~]# scp 192.168.1.106:/data/nginx/yqc/www/images/ironman.jpg /var/www/html/images/
-
删除 nginx 服务器的对应资源:
测试确实是从httpd返回的访问资源;
[root@node106 ~]# mv /data/nginx/yqc/www/images/ironman.jpg /root
- 重置nginx后访问测试:
[root@node105 ~]# curl www.yqc.com
node107 httpd page
http://www.yqc.com/images/ironman.jpg
- 日志:
{"@timestamp":"2020-12-04T16:54:52+08:00","host":"192.168.1.106","clientip":"192.168.1.105","size":19,"responsetime":0.002,"upstreamtime":"0.002","upstreamhost":"192.168.1.107:80","http_host":"www.yqc.com","uri":"/","domain":"www.yqc.com","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"curl/7.29.0","status":"200"}
{"@timestamp":"2020-12-04T17:09:16+08:00","host":"192.168.1.106","clientip":"192.168.1.9","size":249054,"responsetime":0.029,"upstreamtime":"0.021","upstreamhost":"192.168.1.107:80","http_host":"www.yqc.com","uri":"/images/ironman.jpg","domain":"www.yqc.com","xff":"-","referer":"-","tcp_xff":"-","http_user_agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36","status":"200"}
- 测试 proxy_pass 指定的 URL 代
/
的效果:
location /images {
proxy_pass http://192.168.1.107:80/;
}
[root@node106 ~]# nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@node106 ~]# !sys
systemctl reload nginx
[root@node105 ~]# curl www.yqc.com/images/ironman.jpg
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /ironman.jpg was not found on this server.</p>
</body></html>
You have new mail in /var/spool/mail/root
[root@node105 ~]# curl www.yqc.com/images
node107 httpd page
访问 www.yqc.com/images/ironman.jpg,被代理至后端 web 服务器后,实际的URL为 http://192.168.1.107/ironman.jpg,这个资源路径是不存在的;
访问 www.yqc.com/images,实际URL 为后端 web 服务器的根路径 http://192.168.1.107;所以一般建议不要代
/
去指定后端服务器,这样可以保证前后端资源路径的一致性;
5.3:proxy_cache* 代理缓存
5.3.1:非缓存场景下的压测
- node107 准备测试页面:
[root@node107 ~]# ll -h /var/log/messages
-rw-------. 1 root root 305K Dec 4 17:30 /var/log/messages
You have new mail in /var/spool/mail/root
[root@node107 ~]# cp /var/log/messages /var/www/html/messages.html
- 安装 httpd-tools:
[root@node105 ~]# yum provides */bin/ab
httpd-tools-2.4.6-95.el7.centos.x86_64 : Tools for use with the Apache HTTP Server
Repo : base
Matched from:
Filename : /usr/bin/ab
[root@node105 ~]# yum install httpd-tools -y
-
进行压测:
以对比后续配置代理缓存后的压测结果;
[root@node105 ~]# ab -c 500 -n 5000 http://www.yqc.com/messages.html
Concurrency Level: 500
Time taken for tests: 14.377 seconds
Complete requests: 5000
Failed requests: 0
Write errors: 0
Total transferred: 1560810000 bytes
HTML transferred: 1559405000 bytes
Requests per second: 347.79 [#/sec] (mean)
Time per request: 1437.663 [ms] (mean)
Time per request: 2.875 [ms] (mean, across all concurrent requests)
Transfer rate: 106021.26 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 3 8.2 0 53
Processing: 69 1363 237.0 1422 1538
Waiting: 5 1355 238.2 1415 1495
Total: 76 1366 229.1 1423 1539
5.3.2:代理缓存配置
定义缓存路径及参数
-
在 http 配置段定义代理缓存:
配置:
- 定义缓存路径为 /data/nginx/proxycache;
- 缓存目录结构为 1:1:1,即三层目录结构,每层目录名均由一位十六进制数字表示,即每层可以有2^4个目录,总共可以有 16×16×16=4096 个缓存目录;
- 指定缓存名称为 proxycache,大小为 20m;
- 缓存有效时间为 120s,120s 内未被命中的缓存将被删除;
- 缓存占用的最大磁盘空间为 1g;
[root@node106 ~]# vim /apps/nginx/conf/nginx.conf
http {
……
proxy_cache_path /data/nginx/proxycache levels=1:1:1 keys_zone=proxycache:20m inactive=120s max_size=1g;
}
调用缓存
-
在 location / 中调用缓存,并设置相关参数:
配置:
- 调用缓存 proxycache;
- 向后端 web 服务器转发请求时,在报文头部添加 client,值为 $remote_addr,将客户端 ip 传送给后端服务器;
- 指定要缓存的内容为 $request_uri(即缓存用户请求的完整 URI);
- 定义状态码为 301 时,缓存时长为 1h(因为 301 永久重定向一般不会修改);
- 定义状态码为 200、302 时,缓存时长为 10m(因为 200 和 302 表示成功的访问,短时间不会产生大的变动);
- 定义其它状态码的缓存时长为 1m(这其中可能包括错误的访问缓存,故障一般会尽快处理,所以缓存不能过长,以让用户及时访问到恢复了的页面);
location / {
proxy_pass http://192.168.1.107:80;
proxy_cache proxycache;
proxy_set_header clientip $remote_addr;
proxy_cache_key $request_uri;
proxy_cache_valid 301 1h;
proxy_cache_valid 200 302 10m;
proxy_cache_valid any 1m;
}
- 检查配置文件并重载 nginx:
[root@node106 ~]# nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@node106 ~]# !sys
systemctl reload nginx
验证缓存效果
-
重新进行压测,对比未配置缓存时的数据(需要先访问一次压测资源,以生成缓存):
配置缓存前,每秒处理的请求数量为:347.79 个
配置缓存后,每秒处理的请求数量为:720.92 个
[root@node105 ~]# curl http://www.yqc.com/messages.html
[root@node105 ~]# ab -c 500 -n 5000 http://www.yqc.com/messages.html
Concurrency Level: 500
Time taken for tests: 6.936 seconds
Complete requests: 5000
Failed requests: 0
Write errors: 0
Total transferred: 1560810000 bytes
HTML transferred: 1559405000 bytes
Requests per second: 720.92 [#/sec] (mean)
Time per request: 693.557 [ms] (mean)
Time per request: 1.387 [ms] (mean, across all concurrent requests)
Transfer rate: 219769.85 [Kbytes/sec] received
- 查看缓存目录及文件:
[root@node106 ~]# tree /data/nginx/proxycache/
/data/nginx/proxycache/
└── 9
└── 5
└── 3
└── 478ab3190259513b48f079a5b5d8f359
3 directories, 1 file
[root@node106 ~]# ll -h /data/nginx/proxycache/9/5/3/478ab3190259513b48f079a5b5d8f359
-rw------- 1 nginx nginx 306K Dec 4 18:24 /data/nginx/proxycache/9/5/3/478ab3190259513b48f079a5b5d8f359
[root@node107 ~]# ll -h /var/www/html/messages.html
-rwxrwxrwx 1 root root 305K Dec 4 17:39 /var/www/html/messages.html
- 缓存文件头部会添加访问的响应码(用于确定此缓存文件的缓存时长):
[root@node106 ~]# head -n10 /data/nginx/proxycache/9/5/3/478ab3190259513b48f079a5b5d8f359
KEY: /messages.html
HTTP/1.1 200 OK
Date: Fri, 04 Dec 2020 10:31:13 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Fri, 04 Dec 2020 09:39:50 GMT
ETag: "4c249-5b5a04207e0f1"
Accept-Ranges: bytes
Content-Length: 311881
Connection: close
5.4:add_header 添加报文头部信息
- 编辑配置文件,添加头部信息:
location / {
proxy_pass http://192.168.1.107:80;
proxy_set_header clientip $remote_addr;
proxy_cache proxycache;
proxy_cache_key $request_uri;
proxy_cache_valid 301 1h;
proxy_cache_valid 200 302 10m;
proxy_cache_valid any 1m;
add_header X-Via $server_addr;
add_header X-Cache $upstream_cache_status;
add_header X-Accel $server_name;
}
-
重载 nginx 并测试访问,查看响应头部:
第一次访问的缓存状态为 MISS,未命中缓存,因为还未生成缓存;
第二次访问的缓存状态为 HIT,表示命中缓存;
[root@node105 ~]# curl -I http://www.yqc.com/messages.html
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 04 Dec 2020 10:54:04 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 311881
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Fri, 04 Dec 2020 09:39:50 GMT
ETag: "4c249-5b5a04207e0f1"
X-Via: 192.168.1.106
X-Cache: MISS
X-Accel: www.yqc.com
Accept-Ranges: bytes
[root@node105 ~]# curl -I http://www.yqc.com/messages.html
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Fri, 04 Dec 2020 10:54:07 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 311881
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Fri, 04 Dec 2020 09:39:50 GMT
ETag: "4c249-5b5a04207e0f1"
X-Via: 192.168.1.106
X-Cache: HIT
X-Accel: www.yqc.com
Accept-Ranges: bytes
5.5:upstream 添加后端服务器组
5.5.1:实现七层负载均衡
-
定义后端服务器组(upstream 应用于 http 配置段,与 server 配置段平级):
定义一个 upstream 后端服务器组,添加两台后端 web 服务器;
upstream webserver {
server 192.168.1.107:80 weight=1 fail_timeout=5s max_fails=3;
server 192.168.1.108:80 weight=1 fail_timeout=5s max_fails=3;
}
-
www.yqc.com 的 location / 调用 webserver 服务器组:
并向后端服务器透传客户端 IP 地址;
注释代理缓存配置,以验证负载均衡效果;
location / {
proxy_pass http://webserver/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_cache proxycache;
#proxy_cache_key $request_uri;
#proxy_cache_valid 301 1h;
#proxy_cache_valid 200 302 10m;
#proxy_cache_valid any 1m;
add_header X-Via $server_addr;
add_header X-Cache $upstream_cache_status;
add_header X-Accel $server_name;
}
- 重载 nginx 并访问测试:
[root@node105 ~]# curl http://www.yqc.com
node107 httpd page
[root@node105 ~]# curl http://www.yqc.com
node108 httpd page
[root@node105 ~]# curl http://www.yqc.com
node107 httpd page
[root@node105 ~]# curl http://www.yqc.com
node108 httpd page
5.5.2:查看客户端 IP 透传日志
-
更改后端httpd 的日志格式:
combined 日志格式中添加 X-Forwarded-For;
[root@node107 ~]# vim /etc/httpd/conf/httpd.conf
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
[root@node107 ~]# systemctl restart httpd
- 访问并查看后端httpd日志,验证客户端 IP 透传效果:
[root@node107 ~]# tail -f /var/log/httpd/access_log
# 从 192.168.1.105 用curl访问的日志:
192.168.1.105 192.168.1.106 - - [05/Dec/2020:11:03:54 +0800] "GET / HTTP/1.0" 200 19 "-" "curl/7.29.0"
# 从 192.168.1.9 用chrome访问的日志:
192.168.1.9 192.168.1.106 - - [05/Dec/2020:11:20:24 +0800] "GET / HTTP/1.0" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
- 如果后端 web 服务是 nginx,则main配置格式默认就有 $http_x_forwarded_for,其中同样记录了请求中的X-Forwarded-For信息:
log_format main '$remote_addr - $remote_user [$time_local] "$request"'
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
- 将 node108 的web服务改为 nginx:
[root@node108 ~]# yum install epel-release -y
[root@node108 ~]# yum install nginx -y
[root@node108 ~]# systemctl stop httpd
[root@node108 ~]# systemctl start nginx
[root@node108 ~]# cp /var/www/html/index.html /usr/share/nginx/html/index.html
- 访问并查看nginx日志,验证客户端 IP 透传效果:
[root@node108 ~]# tail -f /var/log/nginx/access.log
# 从 192.168.1.105 用curl访问的日志:
192.168.1.106 - - [05/Dec/2020:11:50:32 +0800] "GET / HTTP/1.0" 200 19 "-" "curl/7.29.0" "192.168.1.105"
# 从 192.168.1.9 用chrome访问的日志:
192.168.1.106 - - [05/Dec/2020:11:50:46 +0800] "GET / HTTP/1.0" 200 19 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36" "192.168.1.9"