nginx負載均衡配置實戰
一、配置基于域名虛拟主機的web節點
web02和web01做同樣的操作,nginx配置檔案如下:
[[email protected] conf]# cat nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
access_log logs/access.log main;
}
}
接下來建立站點目錄及對應測試檔案并把域名加入到hosts解析并進行測試
二、nginx負載均衡反向代理實踐
LB01 nginx配置檔案如下:
[[email protected] conf]# cat nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream www_server_pools {
server 192.168.100.107:80 weight=1;
server 192.168.100.108:80 weight=1;
}
server {
listen 80;
server_name www.dmtest.com;
location / {
proxy_pass http://www_server_pools;
}
}
}
之後配置hosts解析到代理的IP或VIP上,重新加載服務即可
[[email protected] conf]# tail -1 /etc/hosts
192.168.100.105 www.dmtest.com
[[email protected] conf]# systemctl restart nginx
[[email protected] conf]# curl www.dmtest.com
192.168.100.107
[[email protected] conf]# curl www.dmtest.com
192.168.100.108
反向代理虛拟主機節點伺服器案例
在代理向後端伺服器發送的http請求頭中加入host字段資訊後,若後端伺服器配置有多個虛拟主機,他就可以識别代理的是哪個虛拟主機。這是節點伺服器多虛拟主機時的關鍵配置,整個nginx代理配置為:
[[email protected] conf]# cat nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream www_server_pools {
server 192.168.100.107:80 weight=1;
server 192.168.100.108:80 weight=1;
}
server {
listen 80;
server_name www.dmtest.com;
location / {
proxy_pass http://www_server_pools;
proxy_set_header Host $host; #在代理向後端伺服器發送的http請求頭中加入host字段資訊後,若後端伺服器配置有多個虛拟主機,他就可以識别代理的是哪個虛拟主機。這是節點伺服器多虛拟主機時的關鍵配置.
}
}
}
經過反向代理後的節點伺服器記錄使用者IP案例
在反向代理中節點伺服器對站點的通路日志的第一個字段記錄的并不是用戶端的IP,而是反向代理伺服器的IP,最後一個字段也是"-",日志如下:
[[email protected] conf]# tail -2 ../logs/access.log
192.168.100.105 - - [14/Sep/2018:13:41:02 +0800] "GET / HTTP/1.0" 200 16 "-" "curl/7.29.0" "-"
192.168.100.105 - - [16/Sep/2018:13:57:45 +0800] "GET / HTTP/1.0" 200 16 "-" "curl/7.29.0" "-"
在反向代理請求後端伺服器節點的請求頭中增加擷取的用戶端IP的字段資訊,然後節點後端可以通過程式或相關的配置接受X-Forwarded-For傳過來的使用者真實IP資訊。
在LB01上配置如下:
[[email protected] conf]# cat nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream www_server_pools {
server 192.168.100.107:80 weight=1;
server 192.168.100.108:80 weight=1;
}
server {
listen 80;
server_name www.dmtest.com;
location / {
proxy_pass http://www_server_pools;
proxy_set_header X-Forwarded-For $remote_addr; #在代理向後端伺服器發送的http請求頭中加入X-Forwarded-For字段資訊,用于後端伺服器程式、日志等接收記錄真實使用者的IP,而不是代理伺服器上的IP;
}
}
}
注意,節點伺服器上需要的讓問日志,如果要記錄使用者的真實IP,還必須進行日志格式配置,這樣才能把代理傳過來的X-Forwarded_For頭資訊記錄下來,具體配置為:
在web01 上操作
[[email protected] conf]# cat nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#"$http_x_forwarded_for",如果希望在第一行顯示,可以替換掉第一行的'$remote_addr變量
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
access_log logs/access.log main;
}
}
再次檢視站點日志效果如下:
[[email protected] conf]# tail -5 ../logs/access.log
192.168.100.105 - - [16/Sep/2018:14:24:28 +0800] "GET / HTTP/1.0" 200 16 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "192.168.100.1"
192.168.100.105 - - [16/Sep/2018:14:24:30 +0800] "GET / HTTP/1.0" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "192.168.100.1"
192.168.100.105 - - [16/Sep/2018:14:24:30 +0800] "GET / HTTP/1.0" 200 16 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "192.168.100.1"
192.168.100.105 - - [16/Sep/2018:14:24:31 +0800] "GET / HTTP/1.0" 200 16 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "192.168.100.1"
192.168.100.105 - - [16/Sep/2018:14:24:32 +0800] "GET / HTTP/1.0" 200 16 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36" "192.168.100.1"
nginx反向代理相關重要基礎參數如下:
proxy_pass http://blog_server_pools; 用于指定反向代理的伺服器池。
proxy_set_header Host $host; 當後端Web伺服器上也配置有多個虛拟主機時,需要用該 Header來區分反向代理哪個主機名。
proxy_ set_ header X-Forwarded-For $remote_addr; 如果後端Web伺服器上的程式需要擷取使用者P,從該Heard頭擷取。
也可以把這些代理參數單獨儲存在一個檔案中,通過include proxy.conf引入進來。
vim proxy.conf
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k;
在nginx主配置檔案中引入
vim nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream web_pools {
server 10.0.0.7:80 weight=5 max_fails=10 fail_timeout=10s;
server 10.0.0.8:80 weight=5;
#server 10.0.0.10:80 weight=5 backup;
}
server {
listen 80;
server_name www.dmtest.com;
location / {
root html;
index index.html index.htm;
proxy_pass http://web_pools;
}
include proxy.conf;
}
}
三、根據URL中的目錄位址實作代理轉發
說明:通過nginx實作動靜分離,即通過nginx反向代理配置規則實作讓動态資源和靜态資源及其他業務分别由不同的伺服器解析,以解決網站性能、安全、使用者體驗等重要問題。
需求:
當使用者請求www.dmtets.com/upload/xx 位址時,實作由upload上傳伺服器池處理請求。
當使用者請求www.dmtest.com/static/xx位址時,實作由靜态伺服器池處理請求。
除此以外,對于其他通路請求,全部由預設的動态伺服器池處理請求。
了解需求後,就可以進行upstream子產品伺服器池的配置了。static_pools為靜态伺服器池,有一個伺服器,位址為192.168.100.107,端口為80
upstream static_pools {
server 192.168.100.107:80 weight=1;
}
upload_pools為上傳伺服器池,有一個伺服器,位址為192.168.10.108,端口為80
upstream upload_pools {
server 192.168.100.108:80 weight=1;
}
default_pools 為預設的伺服器池,即動态伺服器池,有一個伺服器,位址為192.168.100.109,端口為80
upstream default_pools {
server 192.168.100.109:80 weight=1;
}
下面利用location或if語句把不同的URI(路徑)請求,分給不同的伺服器池處理,具體配置如下:
方案1:以location方案實作
将符合static的請求交給靜态伺服器池static_pools,配置如下:
location /static/ {
proxy_pass http://static_pools;
include proxy.conf
}
将符合upload的請求交給上傳伺服器池upload_pools,配置如下:
location /upload/ {
proxy_pass http://upload_pools;
include proxy.conf
}
不符合上述規則的請求,預設全部交給動态伺服器池default_pools,配置如下:
location / {
proxy_pass http://default_pools;
include proxy.conf
}
方案2:以if語句實作
if ($request_uri ~* "^/static/(.*)$")
{
proxy_pass http://static_pools/$1;
}
if ($request_uri ~* "^/upload/(.*)$")
{
proxy_pass http://upload_pools/$1;
}
location / {
proxy_pass http://default_polls;
include proxy.conf;
}
方案1,nginx反向代理完整配置如下:
[[email protected] conf]# cat nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream static_pools {
server 192.168.100.107:80 weight=1;
}
upstream upload_pools {
server 192.168.100.108:80 weight=1;
}
upstream default_pools {
server 192.168.100.109:80 weight=1;
}
server {
listen 80;
server_name www.dmtest.com;
location / {
proxy_pass http://default_pools;
include proxy_pass;
}
location /static/ {
proxy_pass http://static_pools;
include proxy_pass;
}
location /upload/ {
proxy_pass http://upload_pools;
include proxy_pass;
}
}
}
方案二完整配置如下:
[[email protected] conf]# cat nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream static_pools {
server 192.168.100.107:80 weight=1;
}
upstream upload_pools {
server 192.168.100.108:80 weight=1;
}
upstream default_pools {
server 192.168.100.109:80 weight=1;
}
server {
listen 80;
server_name www.dmtest.com;
if ($request_uri ~* "^/static/(.*)$")
{
proxy_pass http://static_pools/$1;
include proxy.conf;
}
if ($request_uri ~* "^/upload/(.*)$")
{
proxy_pass http://upload_pools/$1;
include proxy.conf;
}
location / {
proxy_pass http://default_polls;
include proxy.conf;
}
}
}
proxy.conf配置如下:
vim proxy.conf
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k;
在3台web伺服器上做測試配置
web01 為static靜态服務,位址端口為:192.168.100.107:80,配置如下:
cd /application/nginx/html/
mkdir static
echo static_pools >sttic/index.html
curl http://www.dmtest.com/static/index.html
web02 為upload上傳服務,位址端口為:192.168.100.108:80,配置如下:
cd /application/nginx/html/
mkdir upload
echo upload_pools >sttic/index.html
curl http://www.dmtest.com/upload/index.html
web03 為動态伺服器節點,位址端口為:192.168.100.109:80,配置如下:
cd /application/nginx/html/
mkdir default
echo default_pools >sttic/index.html
curl http://www.dmtest.com/deault/index.html
四、根據用戶端的裝置(user_agent)轉發實踐
根據用戶端的裝置(user_agent)轉發實踐需求
根據計算機用戶端浏覽器的不同設定對應的比對規則如下:
location / {
if ($http_user_agent ~* "MSIE")
#如果請求的浏覽器為IE(MSIE),則讓請求有static_pools池處理;
{
proxy_pass http://static_pools;
}
if ($http_user_agent ~* "Chrome")
#如果請求的為谷歌浏覽器(Chrome),則讓請求有upload_pools池處理;
{
proxy_pass http://upload_pools;
}
proxy_pass http://default_pools;
#其他用戶端,有default_pools處理;
include proxy.conf;
}
完整的配置檔案如下:
[[email protected] conf]# cat nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream static_pools {
server 192.168.100.107:80 weight=1;
}
upstream upload_pools {
server 192.168.100.108:80 weight=1;
}
upstream default_pools {
server 192.168.100.109:80 weight=1;
}
server {
listen 80;
server_name www.dmtest.com;
location / {
if ($http_user_agent ~* "MSIE")
#如果請求的浏覽器為IE(MSIE),則讓請求有static_pools池處理;
{
proxy_pass http://static_pools;
}
if ($http_user_agent ~* "Chrome")
#如果請求的為谷歌浏覽器(Chrome),則讓請求有upload_pools池處理;
{
proxy_pass http://upload_pools;
}
proxy_pass http://default_pools;
#其他用戶端,有default_pools處理;
include proxy.conf;
}
access_log off;
}
}
除了針對浏覽器外,上述"$http_user_agent"變量也可以針對移動端,比如安卓、蘋果、Ipad裝置進行比對,去請求指定的伺服器,具體配置如下:
location / {
if ($http_user_agent ~* "android")
{
proxy_pass http://android_pools; #這個是Android伺服器池,需要提前定義upstream
}
if ($http_user_agent ~* "iphone") #這個是IPhone伺服器池,需要提前定義upstream
{
proxy_pass http://iphone_pools;
}
proxy_pass http://pc_pools;
include extra/proxy.conf;
}
五、根據檔案擴充名實作代理轉發
除了根據URI路徑及user_agent轉發外,還可以實作根據檔案擴充名進行轉發
相關server配置
location方法的比對規則如下:
location ~ .*.(gif|jpg|jpeg|png|bmp|swf|css|js)$ {
prooxy_pass http://static_pools;
include proxy.conf;
}
下面是if語句方法的比對規則:
if ($request_uri ~* ".*\.(php|php5)$")
{
proxy_pass http://php_server_pools;
}
if ($request_uri ~* ".*\.(jsp|jsp*|do|do*)$")
{
proxy_pass http://java_server_pools;
}
根據擴充名轉發的應用場景
可以根據擴充名實作資源動靜分離通路,如圖檔、視訊等請求靜态伺服器池,PHP、JSP等請求動态伺服器池,示例如下:
location ~ .*.(gif|jpg|jpeg|png|bmp|swf|css|js)$ {
prooxy_pass http://static_pools;
include proxy.conf;
}
location ~ .*.(php|php3|php5)$ {
proxy_pass http://dynameic_pools;
include proxy.conf;
}
六、nginx負載均衡檢測檢點狀态
淘寶技術團隊開發了一個 Tengine( Nginx的分支)子產品 nginx_upstream_check_module,用于提供主動式後端伺服器健康檢査。通過它可以檢測後端 realserver的健康狀态,如果後端 realserver不可用,則所有的請求就不會轉發到該節點上。
Tengine原生支援這個子產品,而 Nginx則需要通過打更新檔的方式将該子產品添加到Nginx中。更新檔下載下傳位址:https:/github.com/yaoweibin/nginx_upstream_check_module下面介紹如何使用這個子產品。
upstream_check_module介紹:
該子產品可以為Tengine提供主動式後端伺服器健康檢查的功能。
該子產品在Tengine-1.4.0版本以前沒有預設開啟,它可以在配置編譯選項的時候開啟:./configure--with-http_upstream_check_module
upstream_check_module官方文檔
http://tengine.taobao.org/document_cn/http_upstream_check_cn.html
upstream_check_module下載下傳位址
https://github.com/yaoweibin/nginx_upstream_check_module 給nginx打上更新檔的安裝
[[email protected] ~]# cd /home/dm/tools/
wget https://github.com/yaoweibin/nginx_upstream_check_module/archive/master.zip
[[email protected] tools]# unzip master.zip
[[email protected] tools]# cd nginx-1.8.1/
[[email protected] nginx-1.8.1]# yum install -y patch
[[email protected] nginx-1.8.1]# patch -p1 < ../nginx_upstream_check_module-master/check_1.7.2+.patch
patching file src/http/modules/ngx_http_upstream_ip_hash_module.c
patching file src/http/modules/ngx_http_upstream_least_conn_module.c
patching file src/http/ngx_http_upstream_round_robin.c
Hunk #1 succeeded at 9 with fuzz 2.
Hunk #2 FAILED at 88.
Hunk #3 FAILED at 142.
Hunk #4 FAILED at 199.
Hunk #5 FAILED at 305.
Hunk #6 FAILED at 345.
Hunk #7 succeeded at 418 (offset 16 lines).
Hunk #8 succeeded at 516 (offset 9 lines).
5 out of 8 hunks FAILED -- saving rejects to file src/http/ngx_http_upstream_round_robin.c.rej
patching file src/http/ngx_http_upstream_round_robin.h
Hunk #1 succeeded at 31 (offset 1 line).
[[email protected] nginx-1.8.1]# ./configure --user=www --group=www --prefix=/application/nginx-1.8.1 --with-http_stub_status_module --with-http_ssl_module --with-http_stub_status_module --add-module=../nginx_upstream_check_module-master/
[[email protected] nginx-1.8.1]# make
[[email protected] nginx-1.8.1]# mv /application/nginx/sbin/nginx{,.ori}
[[email protected] nginx-1.8.1]# cp ./objs/nginx /application/nginx/sbin/
[[email protected] nginx-1.8.1]# /application/nginx/sbin/nginx -t
nginx: the configuration file /application/nginx-1.8.1/conf/nginx.conf syntax is ok
nginx: configuration file /application/nginx-1.8.1/conf/nginx.conf test is successful
[[email protected] nginx-1.8.1]# /application/nginx/sbin/nginx -V
nginx version: nginx/1.8.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/application/nginx-1.8.1 --with-http_stub_status_module --with-http_ssl_module --with-http_stub_status_module --add-module=../nginx_upstream_check_module-master/
patch參數說明:
-p0 選項要從目前目錄查找目的檔案(夾)
-p1 選項要忽略掉第一層目錄,從目前目錄開始查找。
在這裡以執行個體說明:
old/modules/pcitable
如果使用參數-p0,那就表示從目前目錄找一個叫做old的檔案夾,在它下面尋找modules下的pcitable檔案來執行patch操作。
如果使用參數-p1,那就表示忽略第一層目錄(即不管old),從目前目錄尋找modules的檔案夾,在它下面找pcitable。這樣的前提是目前目錄必須為modules所在的目錄。
upstream_check_module文法
Syntax: checkinterval=milliseconds [fall=count] [rise=count] [timeout=milliseconds][default_down=true|false] [type=tcp|http|ssl_hello|mysql|ajp] [port=check_port]
Default: 如果沒有配置參數,預設值是:interval=30000 fall=5rise=2 timeout=1000 default_down=true type=tcp
Context: upstream
指令後面的參數意義是:
interval:向後端發送的健康檢查包的間隔。機關是毫秒。
fall(fall_count): 如果連續失敗次數達到fall_count,伺服器就被認為是down。
rise(rise_count): 如果連續成功次數達到rise_count,伺服器就被認為是up。
timeout: 後端健康請求的逾時時間。機關是毫秒。
default_down: 設定初始時伺服器的狀态,如果是true,就說明預設是down的,如果是false,就是up的。預設值是true,也就是一開始伺服器認為是不可用,要等健康檢查包達到一定成功次數以後才會被認為是健康的。
type:健康檢查包的類型,現在支援以下多種類型
tcp:簡單的tcp連接配接,如果連接配接成功,就說明後端正常。
ssl_hello:發送一個初始的SSL hello包并接受伺服器的SSL hello包。
http:發送HTTP請求,通過後端的回複包的狀态來判斷後端是否存活。
mysql: 向mysql伺服器連接配接,通過接收伺服器的greeting包來判斷後端是否存活。
ajp:向後端發送AJP協定的Cping包,通過接收Cpong包來判斷後端是否存活。
port: 指定後端伺服器的檢查端口。你可以指定不同于真實服務的後端伺服器的端口,比如後端提供的是443端口的應用,你可以去檢查80端口的狀态來判斷後端健康狀況。預設是0,表示跟後端server提供真實服務的端口一樣。該選項出現于Tengine-1.4.0。
配置nginx健康檢查如下:
[[email protected] conf]# cat nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
upstream www_server_pools {
server 192.168.100.107:80 weight=1;
server 192.168.100.108:80 weight=1;
check interval=3000 rise=2 fall=5 timeout=1000 type=http;
check_http_send "HEAD /HTTP/1.0\r\n\r\n";
check_http_expect_alive http_2xxhttp_3xx;
}
server {
listen 80;
server_name www.dmtest.com;
location / {
proxy_pass http://www_server_pools;
proxy_set_header X-Forwarded-For $remote_addr;
}
location /status {
check_status;
access_log off;
allow SOME.IP.ADD.RESS;
deny all;
}
}
}
上面的配置意思是對www_server_pools這個負載均衡條目中的所有節點,每隔3秒監測一次請求2次正常則标記realserver狀态為up,如果檢測5次都失敗,則标記realserver的狀态為down,逾時時間為1秒,檢查的協定是HTTP。
結果如下圖:
七、proxy_next_upstream參數補充
當nginx接收後端伺服器proxy_next_upstream參數定義的狀态碼時,會将這個請求轉發給正常工作的後端伺服器,例如500、502、503、504,此參數可以提升使用者的通路體驗,具體配置如下:
server {
listen 80;
server_name www.dmtest.com
location / {
proxy_pass http://www_server_pools;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
include proxy.conf;
}
}
轉載于:https://www.cnblogs.com/Mr-Ding/p/9656104.html