
16.4 nginx:ngx_http_proxy_module & ngx_http_realip_module

 

The ngx_http_proxy_module module allows passing requests to another server.
=======================================================================

proxy_pass:

Syntax: 	proxy_pass URL;
Default: 	—
Context: 	location, if in location, limit_except

Example:

server {
  listen 80;
  server_name 192.168.199.188 192.168.206.88;
  root /data;
  index index.html index.htm;
  
  location / {
    proxy_pass http://192.168.206.66;
  }
  
  location /admin/ {
    proxy_pass http://192.168.206.99/;
  }
  
  location ~* .*\.(jpg|png) {
    proxy_pass http://192.168.206.99;
  }
}

Notes on the location definitions:

1> When the path after 'proxy_pass' carries no URI (that is, it does not end in '/'), the request URI matched by the 'location' is passed to the backend host unchanged;
for example:

location /admin/ {
  proxy_pass http://192.168.206.99;
}

2> When the path after 'proxy_pass' is a URI (that is, it ends in '/'), the part of the request URI matched by the 'location' is replaced by the 'proxy_pass' URI;
see the second 'location' in the example above;

3> If the 'location' is a regular-expression match, 'proxy_pass' must not carry a URI;
the URI sent by the client is appended unchanged to the path defined in 'proxy_pass'; see the third 'location' in the example above;

4> When 'proxy_pass' is used inside an 'if' block or inside 'limit_except', it likewise must not carry a URI;
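To make rules 1 to 3 concrete, here is an added Python model (written for this page, not nginx's own code) of the three location blocks from the example above; it selects the location the way nginx would for a plain prefix/regex mix and returns the URL the backend receives. The location table and request URIs are constructed for illustration.

```python
import re

# Constructed model of the three location blocks in the example above:
# (kind, pattern, proxy_pass). kind is "prefix" or "regex" (the ~* form).
LOCATIONS = [
    ("prefix", "/", "http://192.168.206.66"),
    ("prefix", "/admin/", "http://192.168.206.99/"),
    ("regex", r".*\.(jpg|png)", "http://192.168.206.99"),
]

def split_proxy_pass(proxy_pass):
    """Split 'scheme://host[:port][/uri]' into (origin, uri); uri is None
    when proxy_pass carries no URI part (nothing after the host)."""
    m = re.match(r"^(https?://[^/]+)(/.*)?$", proxy_pass)
    if not m:
        raise ValueError("unsupported proxy_pass value: " + proxy_pass)
    return m.group(1), m.group(2)

def rewrite(kind, pattern, proxy_pass, request_uri):
    """Return the URL sent upstream for one location/proxy_pass pair."""
    origin, uri = split_proxy_pass(proxy_pass)
    if kind == "regex":
        # rule 3: no URI allowed; the client's URI is appended unchanged
        if uri is not None:
            raise ValueError("proxy_pass must not carry a URI in a regex location")
        return origin + request_uri
    if uri is None:
        # rule 1: nothing after the host, so the request URI is passed as-is
        return origin + request_uri
    # rule 2: the part matched by the location prefix is replaced by the proxy_pass URI
    return origin + uri + request_uri[len(pattern):]

def select_location(request_uri, locations=LOCATIONS):
    """Simplified nginx selection: a matching regex location wins over prefix
    locations (none here use '=' or '^~'); otherwise the longest prefix wins."""
    for loc in locations:
        if loc[0] == "regex" and re.search(loc[1], request_uri, re.IGNORECASE):
            return loc
    prefixes = [l for l in locations if l[0] == "prefix" and request_uri.startswith(l[1])]
    return max(prefixes, key=lambda l: len(l[1]))

def upstream_url(request_uri, locations=LOCATIONS):
    """Full path: pick the location, then apply the proxy_pass rewrite rules."""
    kind, pattern, proxy_pass = select_location(request_uri, locations)
    return rewrite(kind, pattern, proxy_pass, request_uri)
```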

*************************************************************************

proxy_set_header:

Syntax: 	proxy_set_header field value;
Default: 	proxy_set_header Host $proxy_host;
                proxy_set_header Connection close;
Context: 	http, server, location

Sets the value of a request header field in the request sent to the backend host;

proxy_set_header   Host              $host;
proxy_set_header   X-Real-IP         $remote_addr;
proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

Explanation of the key headers:

Host: the host name requested by the client;
X-Real-IP: the client IP;
X-Forwarded-For: a multi-level IP list, starting with the client IP and followed by the IP of each proxy the request passed through, separated by commas;

proxy_redirect:

Syntax: 	proxy_redirect default;
                proxy_redirect off;
                proxy_redirect redirect replacement;
Default: 	proxy_redirect default;
Context: 	http, server, location

Rewrites the Location and Refresh header fields in the response returned by the backend real server;
these headers are sent on to the client, so they can be restricted on the proxy server;

proxy_headers_hash_max_size:

Syntax: 	proxy_headers_hash_max_size size;
Default: 	proxy_headers_hash_max_size 512;
Context: 	http, server, location

Sets the maximum size of the hash tables on the proxy server;

proxy_headers_hash_bucket_size:

Syntax: 	proxy_headers_hash_bucket_size size;
Default: 	proxy_headers_hash_bucket_size 64;
Context: 	http, server, location

Sets the bucket size for hash tables;

**********************

When the frontend nginx is a reverse proxy and the backend is an httpd service, to record the original client IP address in httpd's log file:
1> In the main httpd configuration file, change

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

to:

LogFormat "%{X-Real-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

2> On the nginx reverse proxy server itself, configure:

proxy_set_header X-Real-IP $remote_addr;

 

When the frontend nginx is a reverse proxy and the backend is an nginx service, to record the original client IP address in the backend's log file:
1> On the backend nginx (web) server, configure:

location / {
  .....
  set_real_ip_from  192.168.206.88;
  real_ip_header    X-Real-IP;
  real_ip_recursive on;
  ......
}

2> On the nginx reverse proxy server, configure:
Define a location in the main host or a virtual host, or add the following to the existing location for '/':

location /admin/ {
  proxy_pass http://192.168.206.99/;
  proxy_set_header X-Real-IP $remote_addr;
  # set X-Forwarded-For once: $proxy_add_x_forwarded_for already appends $remote_addr
  # to any chain the client sent, so a second $remote_addr-only line is redundant
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header Host $host;
  proxy_redirect off;
}

Add the following inside the http block of the main nginx.conf:

proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 640;

**********************

proxy_cache_path:

Syntax: 	proxy_cache_path path [levels=levels] [use_temp_path=on|off] keys_zone=name:size [inactive=time] [max_size=size] [manager_files=number] [manager_sleep=time] [manager_threshold=time] [loader_files=number] [loader_sleep=time] [loader_threshold=time] [purger=on|off] [purger_files=number] [purger_sleep=time] [purger_threshold=time];
Default: 	—
Context: 	http

Defines a cache that the 'proxy' functionality can use;

proxy_cache:

Syntax: 	proxy_cache zone | off;
Default: 	proxy_cache off;
Context: 	http, server, location

Names the cache to use, or turns the cache mechanism off;

proxy_cache_key:

Syntax: 	proxy_cache_key string;
Default: 	proxy_cache_key $scheme$proxy_host$request_uri;
Context: 	http, server, location

Official description: Defines a key for caching; by default, the directive's value is close to the string;
Specifies the fields that make up the cache key;

Example: proxy_cache_key "$host$request_uri $cookie_user";

proxy_cache_methods:

Syntax: 	proxy_cache_methods GET | HEAD | POST ...;
Default: 	proxy_cache_methods GET HEAD;
Context: 	http, server, location

This directive appeared in version 0.7.59. 

Official description: If the client request method is listed in this directive then the response will be cached;

proxy_cache_min_uses:

Syntax: 	proxy_cache_min_uses number;
Default: 	proxy_cache_min_uses 1;
Context: 	http, server, location

Official description: Sets the number of requests after which the response will be cached;

proxy_cache_valid:

Syntax: 	proxy_cache_valid [code ...] time;
Default: 	—
Context: 	http, server, location

Official description: Sets caching time for different response codes;

Example:
proxy_cache_valid 200 302 10m;
proxy_cache_valid 301      1h;
proxy_cache_valid any      1m;

proxy_cache_use_stale:

Syntax: 	proxy_cache_use_stale error | timeout | invalid_header | updating | http_500 | http_502 | http_503 | http_504 | http_403 | http_404 | http_429 | off ...;
Default: 	proxy_cache_use_stale off;
Context: 	http, server, location

Official description: Determines in which cases a stale cached response can be used during communication with the proxied server;

Specifies in which backend server states the proxy server's local cache is used instead; "off" means the request is not passed to the backend server and the cache is not used to answer the client;

 

Before looking at the meaning of the three timeouts listed below, first understand how data flows between client, nginx_proxy and upstream_server:
1> client and nginx_proxy complete the three-way handshake to establish a connection, then client sends the request;
2> after nginx_proxy receives the client's request, it rebuilds the request header and first completes a three-way handshake with the backend upstream_server to establish a connection;
3> once the connection between nginx_proxy and upstream_server is established, nginx_proxy sends the request;
4> upstream_server receives the request from nginx_proxy, looks up and assembles the resource, then sends the response to nginx_proxy;
5> nginx_proxy receives the response from upstream_server;
6> nginx_proxy sends the response to client;

proxy_connect_timeout:

Syntax: 	proxy_connect_timeout time;
Default: 	proxy_connect_timeout 60s;
Context: 	http, server, location

Official description: Defines a timeout for establishing a connection with a proxied server.
It should be noted that this timeout cannot usually exceed 75 seconds. 

The timeout for the three-way handshake between nginx_proxy and upstream_server; the default is 60 seconds and it can be set to at most 75 seconds;

proxy_send_timeout:

Syntax: 	proxy_send_timeout time;
Default: 	proxy_send_timeout 60s;
Context: 	http, server, location

Official description: Sets a timeout for transmitting a request to the proxied server.
The timeout is set only between two successive write operations, not for the transmission of the whole request. 
If the proxied server does not receive anything within this time, the connection is closed. 

The timeout for nginx_proxy to receive the response from upstream_server;
that is, nginx_proxy and upstream_server have established a connection and upstream_server has received the request from nginx_proxy,
but upstream_server keeps failing to send a response back to nginx_proxy; <the official explanation is somewhat confusing; this is my understanding>

proxy_read_timeout:

Syntax: 	proxy_read_timeout time;
Default: 	proxy_read_timeout 60s;
Context: 	http, server, location

Official description: Defines a timeout for reading a response from the proxied server.
The timeout is set only between two successive read operations, not for the transmission of the whole response. 
If the proxied server does not transmit anything within this time, the connection is closed. 

After nginx_proxy and upstream_server have completed the three-way handshake, upstream_server for some reason keeps failing to receive the request sent by nginx_proxy;
<the official explanation is somewhat confusing; this is my understanding>

 

ngx_http_realip_module (used on the backend real server)
========================================================

set_real_ip_from:

Syntax: 	set_real_ip_from address | CIDR | unix:;
Default: 	—
Context: 	http, server, location

Official description: Defines trusted addresses that are known to send correct replacement addresses.
The IP address or address range of the proxy one hop above the real server (proxy server, CDN, etc.); multiple lines may be given

real_ip_header:

Syntax: 	real_ip_header field | X-Real-IP | X-Forwarded-For | proxy_protocol;
Default: 	real_ip_header X-Real-IP;
Context: 	http, server, location

Official description: Defines the request header field whose value will be used to replace the client address.
Sets which request header field is used to determine the replacement IP address;

real_ip_recursive:

Syntax: 	real_ip_recursive on | off;
Default: 	real_ip_recursive off;
Context: 	http, server, location

This directive appeared in versions 1.3.0 and 1.2.1. 

Official description: If recursive search is disabled, the original client address that matches one of the trusted addresses is replaced by the last address sent in the request header field defined by the real_ip_header directive. If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field.

Recursively excludes IP addresses: the address list is scanned from right to left, skipping the IPs listed in 'set_real_ip_from'; the first IP not listed there is taken as the real IP of the client;
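Added example for this section and for the X-Forwarded-For handling in the proxy_set_header section above (a Python model written for this page, not nginx's code): proxy_add_x_forwarded_for mirrors what the proxy's $proxy_add_x_forwarded_for variable produces, and real_client_ip applies the set_real_ip_from / real_ip_recursive rules quoted above to a header value, including the case where a client sent its own X-Forwarded-For and the trusted proxy appended the real peer address. All addresses and the trusted list are constructed.

```python
import ipaddress

def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Model of nginx's $proxy_add_x_forwarded_for: the incoming header with
    the peer address appended, or just the peer address if there was none."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def real_client_ip(remote_addr, xff, trusted_cidrs, recursive):
    """Model of the realip module with real_ip_header X-Forwarded-For.

    remote_addr    address of the peer that connected to this server
    xff            value of the X-Forwarded-For header it sent (may be "")
    trusted_cidrs  the set_real_ip_from entries (addresses or CIDRs)
    recursive      the real_ip_recursive setting
    """
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    # A peer that is not listed in set_real_ip_from cannot override the
    # client address at all: its header is ignored and remote_addr stays.
    if not is_trusted(ipaddress.ip_address(remote_addr)):
        return remote_addr

    entries = [e.strip() for e in xff.split(",") if e.strip()]
    chosen = None
    # The list is walked from the right. Non-recursive: take the last entry.
    # Recursive: keep walking left while the entry is itself a trusted proxy;
    # if every entry is trusted, the leftmost one is what remains.
    for entry in reversed(entries):
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            break            # unparsable entry: keep whatever was found so far
        chosen = entry
        if not recursive or not is_trusted(ip):
            break
    return chosen if chosen is not None else remote_addr
```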

 

Configuring the nginx proxy server:
===================================

Defined in the http block:

proxy_cache_path /data/nginx/cache levels=1:1:1 keys_zone=pcache:10m max_size=1g; 

proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 640;

Used in the server block or a location block:

proxy_set_header X-Real-IP $remote_addr;
# set X-Forwarded-For once: $proxy_add_x_forwarded_for already appends $remote_addr
# to any chain the client sent, so a second $remote_addr-only line is redundant
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;

proxy_cache pcache;
proxy_cache_key $request_uri;
proxy_cache_methods GET HEAD;
proxy_cache_min_uses 1;

proxy_cache_valid 200 302 10m;
proxy_cache_valid 301      1h;
proxy_cache_use_stale http_502;
add_header    Cache-Control "max-age=3600";

 
