实验目的
通过nginx实现反向代理的功能,类似apache反向代理和haproxy反向代理
工作中用nginx做反向代理和负载均衡的也越来越多了
有些公司从web服务器到反向代理,都使用nginx。nginx在1.9版本加入了tcp的反向代理功能
甚至安全策略:nginx+lua 完全可以搞定。
打开nginx官网
nginx做反向代理,安装命令如下,使用www用户运行nginx
useradd -s /sbin/noglogin -M www
wget http://nginx.org/download/nginx-1.9.12.tar.gz
tar zxf nginx-1.9.12.tar.gz
cd nginx-1.9.12
./configure --prefix=/usr/local/nginx-1.9.12 \
--user=www --group=www --with-http_ssl_module \
--with-http_stub_status_module --with-file-aio
make && make install
ln -s /usr/local/nginx-1.9.12/ /usr/local/nginx
检查语法
[root@linux-node2 nginx-1.9.12]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx-1.9.12/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx-1.9.12/conf/nginx.conf test is successful
[root@linux-node2 nginx-1.9.12]#
检查服务器有无其它服务占用80端口,可以关闭了。
[root@linux-node1 ~]# /usr/local/httpd/bin/apachectl -k stop
配置nginx反向代理,修改主配置文件
gzip是默认关闭的
长连接默认打开的
sendfile 默认打开的
[root@linux-node1 conf]# cat nginx.conf #user nobody;
worker_processes 1; #error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info; #pid logs/nginx.pid; events {
worker_connections 10240;
} http {
include mime.types;
default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on;
#tcp_nopush on; #keepalive_timeout 0;
keepalive_timeout 65; #gzip on; upstream backend {
server 10.0.1.105:8080 weight=1 max_fails=3 fail_timeout=30s;
server 10.0.1.106:8080 weight=2 max_fails=3 fail_timeout=30s;
} server {
listen 80;
server_name www.nginx-nmap.com; #charset koi8-r; #access_log logs/host.access.log main; location / {
root html;
index index.html index.htm;
proxy_pass http://backend;
} #error_page 404 /404.html; # redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
} # proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#} # deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
} # another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias; # location / {
# root html;
# index index.html index.htm;
# }
#} # HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost; # ssl_certificate cert.pem;
# ssl_certificate_key cert.key; # ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m; # ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on; # location / {
# root html;
# index index.html index.htm;
# }
#} }
[root@linux-node1 conf]#
上面设置虚拟主机名www.nginx-nmap.com,以及后端集群组backend,设置了location把任何请求都发给后端backend
上面配置文件里也设置了后端web集群
负载均衡配置时的2个参数:fail_timeout和max_fails
这2个参数一起配合,来控制nginx怎样认为upstream中的某个server是失效的当在fail_timeout的时间内,某个server连接失败了max_fails次,则nginx会认为该server不工作了。
同时,在接下来的 fail_timeout时间内,nginx不再将请求分发给失效的server。
比如失败3次,那么接下来10秒不会之内不会把请求发个这个认为失败的机器。然后过了30秒后,这个机器继续收到探测请求.一般生产中设置为30秒
upstream backend {
server 10.0.1.105:8080 weight=1 max_fails=3 fail_timeout=30s;
server 10.0.1.106:8080 weight=2 max_fails=3 fail_timeout=30s;
}
关于nginx反向代理功能由下面模块提供
可以参照下官方个的配置例子
官方文档做的挺好
检测语法,启动或者reload。查看监听状态
[root@linux-node1 conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx-1.9.12/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx-1.9.12/conf/nginx.conf test is successful
[root@linux-node1 conf]# /usr/local/nginx/sbin/nginx -s reload
[root@linux-node1 conf]# netstat -lntp | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 27141/nginx: master
tcp6 0 0 :::8080 :::* LISTEN 20130/httpd
[root@linux-node1 conf]#
客户端windows的hosts文件里配置如下
10.0.1.105 www.nginx-nmap.com
浏览器测试
停止node2的httpd。nginx会自动把请求发送给node1,前端无感知
[root@linux-node2 nginx-1.9.12]# systemctl stop httpd
[root@linux-node2 nginx-1.9.12]# systemctl start httpd
[root@linux-node2 nginx-1.9.12]#
启动node2的httpd之后,刷30秒,node2才出现,也就是我们设置的fail_timeout=30的缘故
关于会话保持
会话保持,有基于ip的有ip_hash
直接添加这一行即可
重启
[root@linux-node1 conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx-1.9.12/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx-1.9.12/conf/nginx.conf test is successful
[root@linux-node1 conf]# /usr/local/nginx/sbin/nginx -s reload
[root@linux-node1 conf]#
再次访问就只有node2了
关于nginx的负载均衡算法有很多,自行百度