
Nginx Reverse Proxy Configuration Explained: Optimizing Website Performance

proxy, Nginx, optimization, server | 2025-04-17

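Nginx Reverse Proxy Configuration and Performance Optimization Guide

I. Basic Nginx Reverse Proxy Configuration

1. Basic reverse proxy configuration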

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://backend_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

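2. Key configuration parameters

  • proxy_pass: the address of the backend server
  • proxy_set_header: sets an HTTP header on the request forwarded to the backend server
  • $host: the host name of the original request
  • $remote_addr: the client's real IP (the address of the peer connected to Nginx)
  • $proxy_add_x_forwarded_for: the X-Forwarded-For header containing the client IP (the X-Forwarded-For value received from the client with $remote_addr appended, so entries to the left of the last one are client-supplied)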
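
How a backend can safely read the X-Forwarded-For value that $proxy_add_x_forwarded_for builds, as an added example that is not part of the original article. The trusted proxy network 10.0.0.0/24, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: the only proxies the backend trusts live on this network
# (chosen to match the 10.0.0.x addressing used on this page).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def nginx_append_xff(incoming_xff, remote_addr):
    """Model of $proxy_add_x_forwarded_for: the client-sent header value
    with $remote_addr appended, or just $remote_addr if none was sent."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed entries are never trusted
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Resolve the client address as seen by the backend.

    peer_addr is the TCP peer of the backend, xff_header the received
    X-Forwarded-For value. Walk the chain right to left and return the
    first hop that is not one of our own proxies; everything to the left
    of that hop was supplied by the client and is ignored.
    """
    if not is_trusted(peer_addr):
        return peer_addr  # request did not come through the proxy
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer_addr  # malformed hop: fall back to the peer
    return peer_addr


# Constructed sample: a client at 203.0.113.7 sends a forged header value.
header = nginx_append_xff("127.0.0.1", "203.0.113.7")
resolved = client_ip("10.0.0.5", header)  # forged left-most entry is ignored
```
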

II. Performance Optimization Configuration

1. Connection pool optimization

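upstream backend {
    server 10.0.0.1:8080;
    server 10.0.0.2:8080;

    # Upstream keepalive only takes effect when the proxying location also sets
    # proxy_http_version 1.1 and clears the Connection header
    # (proxy_set_header Connection "").
    keepalive 32;          # max idle connections kept open per worker process
    keepalive_timeout 60s; # idle connection lifetime (upstream context: nginx 1.15.3+)
}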

2. Buffer optimization

location / {
    proxy_buffering on;
    proxy_buffer_size 4k;
    proxy_buffers 8 16k;
    proxy_busy_buffers_size 24k;
    proxy_max_temp_file_size 0;
}

3. Timeout optimization

location / {
    proxy_connect_timeout 5s;  # timeout for connecting to the backend
    proxy_send_timeout 10s;    # timeout for sending the request
    proxy_read_timeout 30s;    # timeout for reading the response
}

4. Cache optimization

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m use_temp_path=off;

server {
    location / {
        proxy_cache my_cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    }
}

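III. Advanced Optimization Techniques

1. TCP optimization

# worker_connections and multi_accept are only valid in the events context
events {
    # Tune these values to the server's capacity
    worker_connections 10240;
    multi_accept on;
}

http {
    tcp_nopush on;
    tcp_nodelay on;
    sendfile on;
}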

2. Gzip compression

gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
    application/javascript
    application/json
    application/xml
    text/css
    text/plain
    text/xml;

3. SSL optimization

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256...';

4. Load balancing strategy

upstream backend {
    least_conn;    # least-connections strategy
    server 10.0.0.1:8080 weight=3;
    server 10.0.0.2:8080;
    server 10.0.0.3:8080 backup; # backup server
}

IV. Monitoring and Tuning

  1. Enable the status module:
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    deny all;
}
  2. Log optimization:
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" '
                '$request_time $upstream_response_time';

access_log /var/log/nginx/access.log main buffer=32k flush=5m;
  3. Performance metrics to monitor:
    • Number of active connections
    • Request processing rate
    • Upstream server response time
    • Cache hit rate

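V. Security Configuration

# Hide the Nginx version number
server_tokens off;

# Restrict HTTP methods (the if block is valid in server or location context)
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

# Note: add_header applies only to 2xx/3xx responses unless the "always"
# parameter is given, and a location that declares its own add_header
# does not inherit the headers set at this level.

# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN";

# XSS protection (legacy header that current major browsers no longer act on;
# the Content-Security-Policy below is the effective control)
add_header X-XSS-Protection "1; mode=block";

# Content security policy
add_header Content-Security-Policy "default-src 'self'";

The configuration and optimizations above can significantly improve the performance and security of an Nginx reverse proxy. In practice, adjust them to your specific business requirements and server resources, and keep observing performance with monitoring tools.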