前提:
系统:centos7
nginx版本:nginx/1.16.1
涉及内容:nginx ip过滤、nginx http模块配置、nginx stream模块配置、websocket配置、http负载均衡
1、http配置
http块配置了http请求的代理和websocket代理(websocket第一次请求为http,请求成功后发起升级请求,升级为websocket;这部分配置也可以写到stream里面,因为不管是http还是websocket都基于tcp协议,但缺点是stream模块不能配置http请求头,代理过后后端看到的ip为配置的固定ip,而非请求方ip)。以下是http模块配置
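http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile      on;
    tcp_nodelay   on;
    tcp_nopush    off;
    server_tokens off;             # hide the nginx version in the Server header and error pages

    ssl_session_timeout    5m;     # no ssl listener below; only takes effect once TLS is enabled

    # Client and upstream timeouts
    client_header_timeout  300s;
    client_body_timeout    300s;
    proxy_connect_timeout  300s;
    proxy_read_timeout     300s;
    proxy_send_timeout     300s;

    # Buffers and request-size limits
    client_header_buffer_size 16k;
    client_body_buffer_size   256k;
    client_max_body_size      256m;   # default limit; "location /" below raises it to 5120m
    proxy_busy_buffers_size   16k;
    proxy_buffer_size         16k;
    ssl_buffer_size           16k;
    # "max_size=10g;" removed: it is a parameter of proxy_cache_path, not a directive on its
    # own, and nginx refuses to start with unknown directive "max_size=10g".

    # Logging
    access_log off;
    error_log  logs/http_error.log error;

    # Backend pool (optional load balancing)
    upstream myapp1 {
        server 192.168.1.98:8080 weight=3;   # default weight is 1; .98 receives 3x the share of .99
        server 192.168.1.99:8080;
        server 192.168.1.100:8080 down;      # marked unavailable
        server 192.168.1.101:8080 backup;    # only used when the other servers are down
    }

    # Connection header to send upstream: "upgrade" for a WebSocket handshake, keep-alive otherwise
    map $http_upgrade $connection_upgrade {
        default     keep-alive;
        'websocket' upgrade;
    }

    server {
        # ipv6only is documented for [::] listeners; on a 0.0.0.0 address it is presumably
        # ignored — confirm with "nginx -t"
        listen 0.0.0.0:8080 reuseport backlog=2048 so_keepalive=on ipv6only=off;

        # WebSocket path
        location /websocket {
            proxy_pass http://127.0.0.1:8080;   # replace with the service ip:port, or http://myapp1 for the pool
            proxy_read_timeout 20s;             # idle timeout between frames (default 60s)
            proxy_http_version 1.1;             # Upgrade is an HTTP/1.1 mechanism
            proxy_set_header Host $host;        # forward the client's Host header
            # Forward the client's Upgrade header; Connection comes from the map above.
            # (The original had this comment broken across two lines, which nginx would
            # reject as an unknown directive.)
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        # Everything else
        location / {
            # NOTE: a header name containing "_" is dropped by a backend nginx unless
            # underscores_in_headers is on; the conventional name is X-Real-IP.
            proxy_set_header real_ip $remote_addr;
            proxy_pass http://127.0.0.1:8080;   # replace with ip:port, or http://myapp1 for the pool
            proxy_set_header Host $host:$server_port;
            # Appends $remote_addr to whatever X-Forwarded-For the client sent; the backend
            # should only trust the last entry (added here) — earlier entries are client-controlled.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;       # scheme the client used
            proxy_set_header X-Forwarded-Port $server_port;   # port nginx listens on
            proxy_pass_header Set-Cookie;   # Set-Cookie is passed by default; kept as-is, redundant but harmless
            client_max_body_size 5120m;     # per-location override of the 256m http-level limit
        }
    }
}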
2、stream配置
stream {
    # Socket and timing
    tcp_nodelay            on;
    ssl_handshake_timeout  300s;
    proxy_connect_timeout  300s;
    proxy_timeout          10m;    # idle timeout between the two halves of a proxied session

    # Buffers
    proxy_buffer_size      256k;
    preread_timeout        300s;
    preread_buffer_size    256k;

    # One access-log line per session. The error log is at debug level: very verbose and,
    # per the nginx docs, only effective in a --with-debug build — meant for troubleshooting.
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log logs/tcp_access.log proxy;
    error_log  logs/tcp_error.log debug;

    server {
        include IP.conf;   # allow/deny list, evaluated against the TCP peer address
        listen 0.0.0.0:7788 reuseport backlog=2048 so_keepalive=on ipv6only=off;
        proxy_pass 127.0.0.1:7788;
    }
}
stream简单很多,IP.conf设置如下
allow 1.1.1.1;   # rules are checked top to bottom, first match wins: only this peer gets through
deny  all;       # every other peer is refused
也可以这样设置
deny 1.1.1.1;    # refuse this one peer; with no trailing "deny all", every other peer is allowed