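WebSocket is a protocol for full-duplex communication over a single TCP connection, commonly used for real-time applications such as chat, games and live data updates. This tutorial explains in detail how to configure Nginx as a reverse proxy for a WebSocket service.

The basic Nginx configuration for a WebSocket reverse proxy is as follows: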

    server {
        listen 80;
        server_name yourdomain.com;

        location /ws/ {
            proxy_pass http://backend_server;

            # Headers required for WebSocket
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            # Optional: pass the client IP to the backend
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;

            # Optional: set timeouts
            proxy_read_timeout 86400s;
            proxy_send_timeout 86400s;
        }
    }

proxy_http_version 1.1
: WebSocket requires HTTP/1.1.

proxy_set_header Upgrade $http_upgrade
: Tells the backend server that the client wants to upgrade the protocol.

proxy_set_header Connection "upgrade"
: Confirms the protocol upgrade.

    # HTTPS (wss://) variant: TLS terminates at Nginx
    server {
        listen 443 ssl;
        server_name yourdomain.com;

        ssl_certificate /path/to/cert.pem;
        ssl_certificate_key /path/to/key.pem;

        location /ws/ {
            proxy_pass http://backend_server;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
        }
    }

    # Load balancing across several WebSocket backends
    upstream websocket_servers {
        server backend1.example.com;
        server backend2.example.com;
        server backend3.example.com;

        # Optional: choose a load-balancing method
        # least_conn;  # least connections
        # ip_hash;     # hash on the client IP
    }

    server {
        location /ws/ {
            proxy_pass http://websocket_servers;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

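If WebSocket connections drop frequently, adjust the timeout settings:

    # Nginx documents that the connect timeout cannot usually exceed 75 seconds
    proxy_connect_timeout 7d;
    proxy_send_timeout 7d;
    proxy_read_timeout 7d;
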
If cross-origin support is needed:

    location /ws/ {
        # ...other configuration...
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
    }

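
Browsers do not apply CORS to WebSocket handshakes, so the response headers above do not limit which sites can open a socket; the `Origin` request header has to be checked on the server side. The following is an added example, not part of the original tutorial, that enforces an origin allow-list at the proxy; the listed origins, the `$ws_origin_allowed` and `$connection_upgrade` variable names, and the `backend_server` upstream are assumptions.

```nginx
# Added example. Both map blocks belong in the http context.

# Send "Connection: upgrade" upstream only when the client asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Allow-list for the Origin header of the WebSocket handshake.
# Origins below are placeholders (assumption); list your own front ends.
map $http_origin $ws_origin_allowed {
    default                       0;
    "https://yourdomain.com"      1;
    "https://app.yourdomain.com"  1;   # hypothetical second front end
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location /ws/ {
        # Reject handshakes whose Origin is not on the list.
        # A request without an Origin header also maps to 0 and is refused;
        # add an entry for '' if non-browser clients must connect.
        if ($ws_origin_allowed = 0) {
            return 403;
        }

        # backend_server is assumed to be defined as an upstream elsewhere.
        proxy_pass http://backend_server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The `Origin` header is only trustworthy for browser clients, so this check complements authentication of the WebSocket session in the backend and does not replace it.
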
If the WebSocket path needs to be rewritten:

    location /custom-path/ {
        proxy_pass http://backend_server/actual-ws-path/;
        # ...other WebSocket configuration...
    }

    # Complete configuration: upstream pool, HTTP-to-HTTPS redirect, TLS,
    # WebSocket proxying and static files
    upstream websocket_backend {
        server 127.0.0.1:8080;
        server 127.0.0.1:8081;
        keepalive 64;
    }

    server {
        listen 80;
        server_name ws.example.com;

        # Redirect HTTP to HTTPS
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name ws.example.com;

        ssl_certificate /etc/letsencrypt/live/ws.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ws.example.com/privkey.pem;

        # SSL tuning
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256...';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # WebSocket configuration
        location /ws/ {
            proxy_pass http://websocket_backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Timeout settings
            proxy_connect_timeout 7d;
            proxy_send_timeout 7d;
            proxy_read_timeout 7d;
        }

        # Static file serving
        location / {
            root /var/www/html;
            index index.html;
        }
    }

Check the Nginx configuration syntax:

    sudo nginx -t

Reload the Nginx configuration:

    sudo systemctl reload nginx

Test the WebSocket connection with a tool such as wscat:

    wscat -c wss://yourdomain.com/ws/

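Adjust buffer sizes:

    proxy_buffers 8 32k;
    proxy_buffer_size 64k;

Enable TCP keepalive:

    # This sets the HTTP Connection header sent upstream; TCP keepalive
    # on the upstream socket itself is controlled by proxy_socket_keepalive.
    proxy_set_header Connection "Keep-Alive, Upgrade";
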
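Limit the number of connections (to prevent abuse):

    # limit_conn_zone belongs in the http context; the key is the client IP
    limit_conn_zone $binary_remote_addr zone=wslimit:10m;

    location /ws/ {
        # At most 100 concurrent connections per client IP
        limit_conn wslimit 100;
        # ...other configuration...
    }
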
With the configuration above, Nginx can serve efficiently as a reverse proxy for WebSocket and provide secure, stable real-time communication.