通常情况下我们在一个 .conf 文件中承载很多服务代理的配置,使得 .conf 文件过大、过长,以至于难以管理;有时只修改某个小配置,也会因为重启或重载配置文件而使服务受影响。因此使用多配置文件组合的方式进行管理很有必要。

注意:本文中配置的文件和映射的目录文件,因为我用的是 docker 镜像挂载,所以要注意目录是宿主机的还是容器内的。

举例:如在一个conf 下的样例


#############################################################
#
#           fengsh998 
#           nginx 反向代理设置,统一集管处,机器不够的话开集群。
#         包括:
#             SSL,限流,跨域,集群,黑名单,白名单,负载均衡
#
#         $PWD = /opt/nginx
#         docker run -p 443:443 -p 80:80 -p 18883:1883 -p 33060:3306 -p 38066:8066 --name nginx
#         -v $PWD/www:/www
#         -v $PWD/conf/nginx.conf:/etc/nginx/nginx.conf
#         -v $PWD/conf/modules:/usr/share/nginx
#         -v $PWD/logs:/wwwlogs
#         -v $PWD/cert:/opt/nginx/cert
#         -d nginx
#############################################################

user nginx;

# Number of worker processes (auto: nginx picks the value itself).
worker_processes auto;

# Error log
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load external configuration files dynamically (include <path>/*.conf).
# NOTE(review): every *.conf found here is loaded as top-level nginx configuration.
# Per the docker run line in the header, /usr/share/nginx is a host bind mount, so
# write access to that host directory is equivalent to control of this proxy -
# confirm the host-side permissions.
include /usr/share/nginx/modules/*.conf;

# Maximum number of connections per worker process
events {
    worker_connections 1024;
}

http {
    # Access-log line layout: client address, user, time, request line, status,
    # bytes sent, referer, user agent and the client-supplied X-Forwarded-For.
    # NOTE(review): $http_x_forwarded_for is whatever the client sent; treat it as
    # untrusted when reading these logs and rely on $remote_addr for attribution.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;
    # Access log is written under /wwwlogs (bind-mounted per the docker run line in the header).
    access_log  /wwwlogs/httpproxy.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    # Load configuration
    include /etc/nginx/conf.d/*.conf;

    #################################################
    #
    #   Upstream groups (the original banner is titled "wiki service").
    #   Several "server" lines can be listed in one group for load balancing.
    #   ip_hash binds by client IP: each request is assigned by a hash of the
    #   client address, so a visitor keeps reaching the same backend, which
    #   helps with session handling.
    #
    #################################################
    upstream jira_server {
       server 172.xx.206.109:8080;
    }

    upstream wiki_server {
       server 172.xx.206.109:8090;
    }

    upstream git_server {
       server 172.xx.206.109:8999;
    }

    upstream kibana_server {
       server 172.xx.188.21:5601;
    }

    # NOTE(review): nexus_admin and nexus_registry point at the same address and are
    # not referenced by any server block shown in this file - confirm they are needed.
    upstream nexus_admin { server 47.xxx.xx.126:18888 ; }
    upstream nexus_registry { server 47.xxx.xx.126:18888 ; }

    #########################以下是服务配置以上是负载均衡############################
    
    #############################################################################
    #
    #                   使用重定向方式,来把http转为ssl
    #
    #    .company.com is equivalent to: company.com www.company.com *.company.com
    #
    #############################################################################

    # advert.company.com: reverse proxy to an external host over plain HTTP.
    # NOTE(review): both hops are unencrypted (listen 80 in front, http:// to port 8000
    # behind), and no Host / X-Forwarded-* headers are set, so the backend sees nginx's
    # defaults - confirm this is intended for traffic that leaves the local network.
    server {
       listen 80;
       server_name advert.company.com;
       location / {
          proxy_pass http://advert.igaicloud.cn:8000;
       }
    }

        #dashboard
   server {
       listen      80;
       server_name dashboard.company.com;

       # Static dashboard site served from the /www/dashboard directory.
       location / {
           root  /www/dashboard;
           index index.html index.htm;
       }

       # One shared error page for all of the listed status codes.
       error_page 404 403 500 502 503 504 /404.html;
       location = /404.html {
           root /www;
       }
   }


#    server { 
#    	listen 80;
#    	server_name .company.com;       #使用通配的方式
#	rewrite ^(.*)$ https://$http_host$request_uri? permanent;
#    }

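    server {
        listen       443 ssl;
        listen       [::]:443 ssl;

        # Host names served: company.com and every subdomain of it.
        server_name  .company.com;

        # TLS certificate and private key.
        ssl_certificate "/opt/nginx/cert/company.com.pem";
        ssl_certificate_key "/opt/nginx/cert/company.com.key";

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Start with "no backend selected" so that a host name none of the rules
        # below recognise is rejected in "location /" instead of reaching
        # proxy_pass with an unset variable.
        set $domain_pix "";
        set $goserver "";

        # Wildcard-subdomain routing for names of the form sub.domain.tld:
        # capture the prefix, e.g. wiki.company.com sets $domain_pix to "wiki".
        if ( $host ~* (.*)\.(.*)\.(.*) ) {
            set $domain_pix $1;
        }

        # jira
        if ($domain_pix = jira) {
            set $goserver jira_server;
        }

        if ($domain_pix = wiki2) {
            set $goserver wiki_server;
        }

        # gitlab mapping
        if ($domain_pix = gitlab) {
            set $goserver git_server;
        }

        # Proxy to the upstream group chosen above.
        location / {
            # Unknown subdomain: nothing was selected, so answer 404 rather than
            # letting proxy_pass fail on an empty upstream name.
            if ($goserver = "") {
                return 404;
            }

            # Let error_page below handle error responses coming from the backend.
            proxy_intercept_errors on;

            proxy_pass  http://$goserver;

            # Pass the original host and the client address to the backend.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # X-Forwarded-Proto is the header name backends conventionally read to
            # learn the original scheme; the misspelled X-Forward-Proto is kept
            # only in case something already depends on it.
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forward-Proto https;

            proxy_buffering off;
            proxy_request_buffering off;

            # NOTE(review): 1G bodies, unbuffered requests and 3000-second
            # (50-minute) timeouts apply to every proxied host; consider tighter
            # limits on hosts that do not need large uploads.
            client_max_body_size 1G;
            proxy_connect_timeout 3000;
            proxy_send_timeout 3000;
            proxy_read_timeout 3000;

            tcp_nodelay        on;
        }

        location /localwebsite {
            root  /www/mobile;
        }

        # NOTE(review): this location has no authentication, so Kibana is
        # reachable by anyone who can reach this server; consider auth_basic or
        # another access control in front of it.
        location ^~ /kibana {
            proxy_pass  http://kibana_server;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forward-Proto https;
        }

        # Keep the wiki's browsepeople.action from being opened directly:
        # redirect it to the wiki home instead.
        location /browsepeople.action {
            rewrite ^(.*)$ https://wiki.company.com permanent;
        }

        # The error_page target and the location name must match; the original
        # paired /404.html with "location = /40x.html", so the error page was
        # looked up through "location /". /www is the root the dashboard server
        # in this file uses for the same page.
        error_page 404 /404.html;
        location = /404.html {
            root /www;
        }

        # NOTE(review): no root is set for /50x.html - confirm where the file lives.
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }   ###end server ssl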
 
    #dashboard
#   server {
#           listen       443 ssl;
#           listen       [::]:443 ssl;
           #正式环境的站点
#           server_name  dashboard.company.com;

           #ssl 证书配置
#           ssl_certificate "/opt/nginx/cert/company.com.pem";
#           ssl_certificate_key "/opt/nginx/cert/company.com.key";

#           ssl_session_cache shared:SSL:1m;
#           ssl_session_timeout  10m;
#           ssl_ciphers HIGH:!aNULL:!MD5;
#           ssl_prefer_server_ciphers on;
#           ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

#           location / {
#                root      /www/dashboard;
#                index   index.html  index.htm;
#           }

#           error_page  404 403 500 502 503 504 /404.html;
#           location = /404.html {
#                root  /www;
#           }

#    }
    

 
}

# TCP (layer-4) proxying.
stream {
    log_format proxy '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /wwwlogs/tcp-access.log proxy;
    open_log_file_cache off;

    # MySQL backends; with no balancing method given, nginx uses its default.
    upstream mysql_server {
        server 172.xx.218.228:33060;
        server 172.xx.218.229:33060;
    }
 
    # NOTE(review): this listener forwards raw TCP to the database with no source
    # restriction, and the docker run line in the header publishes it on host port
    # 33060. Anyone who can reach that port reaches MySQL's own login. Consider
    # limiting clients, for example:
    #     allow <TRUSTED_CIDR>;   # placeholder - replace with the client network
    #     deny  all;
    server {
        listen     3306;
        proxy_connect_timeout 10s;
        # 525600 minutes = 365 days: idle sessions are effectively never timed out here.
        proxy_timeout 525600m;
        proxy_pass mysql_server;  
    }
}

进行多文件管理,做多文件管理之前做好目录结构管理,以便于自己管理起来方便。都放一起也行,看个人。

 

分别来看单个配置文件的内容:

总配置文件 

nginx.conf


#############################################################
#
#           fengsh998 
#           nginx 反向代理设置,统一集管处,机器不够的话开集群。
#         包括:
#             SSL,限流,跨域,集群,黑名单,白名单,负载均衡
#
#         $PWD = /opt/nginx
#         docker run -p 443:443 -p 80:80 -p 18883:1883 -p 33060:3306 -p 38066:8066 --name nginx
#         -v $PWD/www:/www
#         -v $PWD/conf/nginx.conf:/etc/nginx/nginx.conf
#         -v $PWD/conf/modules:/usr/share/nginx
#         -v $PWD/logs:/wwwlogs
#         -v $PWD/cert:/opt/nginx/cert
#         -d nginx
#############################################################

user nginx;

# Number of worker processes (auto: nginx picks the value itself).
worker_processes auto;

# Error log
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load external configuration files dynamically (include <path>/*.conf).
# NOTE(review): every *.conf found here is loaded as top-level nginx configuration.
# Per the docker run line in the header, /usr/share/nginx is a host bind mount, so
# write access to that host directory is equivalent to control of this proxy -
# confirm the host-side permissions.
include /usr/share/nginx/modules/*.conf;

# Maximum number of connections per worker process
events {
    worker_connections 1024;
}

# HTTP context: shared settings only; upstreams and servers live in included files.
http {
    # NOTE(review): $http_x_forwarded_for is client-supplied; treat it as untrusted
    # when reading these logs and rely on $remote_addr for attribution.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;
    access_log  /wwwlogs/httpproxy.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    # Load configuration
    include /etc/nginx/conf.d/*.conf;
    # Load the upstream definitions
    include /usr/share/nginx/ups_modules_http.conf;
    # Load the http server blocks; each *.conf in this directory becomes live
    # configuration, so keep the directory writable only by administrators.
    include /usr/share/nginx/http_servers/*.conf;    
 
}

# TCP (layer-4) context: logging only; the stream servers live in included files.
stream {
    log_format proxy '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /wwwlogs/tcp-access.log proxy;
    open_log_file_cache off;

    # Host side of this path is the mounted directory /opt/nginx/conf/modules
    # (see the docker run line in the header).
    include /usr/share/nginx/stream_servers/*.conf;
}

ups_modules_http.conf

    ################################################ 
    #   Several "server" lines can be listed in one group for load balancing.
    #   ip_hash binds by client IP: each request is assigned by a hash of the
    #   client address, so a visitor keeps reaching the same backend, which
    #   helps with session handling.
    #
    ################################################# 
    upstream jira_server {
       server 172.xx.206.109:8080;
    }

    upstream wiki_server {
       server 172.xx.206.109:8090;
    }

    upstream git_server {
       server 172.xx.206.109:8999;
    }

    upstream hostapi_arm2_server {
       server 172.xx.206.111:32000;
    }

    upstream kibana_server {
       #server 172.xx.188.21:5601;
       #server 172.xx.206.112:5601;
       server 172.xx.218.227:5601;
    }

    # For testing
    upstream eureka_server {
       #server 172.xx.188.23:8761;
       server 172.xx.188.28:8001;
    }

    # NOTE(review): nexus_admin and nexus_registry point at the same address and are
    # not referenced by any server block shown on this page - confirm they are needed.
    upstream nexus_admin { server 47.xxx.xx.126:18888 ; }
    upstream nexus_registry { server 47.xxx.xx.126:18888 ; }

mysql.conf


    # MySQL backends for the TCP proxy below (presumably this file is loaded inside
    # the stream context via the stream_servers include - confirm its location).
    upstream mysql_server {
        server 172.xx.xxx.228:33060;
        server 172.xx.xxx.229:33060;
    }
 
    # NOTE(review): this listener forwards raw TCP to the database with no source
    # restriction; anyone who can reach the published port reaches MySQL's own
    # login. Consider limiting clients, for example:
    #     allow <TRUSTED_CIDR>;   # placeholder - replace with the client network
    #     deny  all;
    server {
        listen     3306;
        proxy_connect_timeout 10s;
        # 525600 minutes = 365 days: idle sessions are effectively never timed out here.
        proxy_timeout 525600m;
        proxy_pass mysql_server;  
    }

match.conf:当使用一个顶级通配域名时,可以通过规则进行匹配处理。


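    # Redirect every plain-HTTP request for the domain to HTTPS.
    server {
        listen 80;
        server_name .company.com;   # leading dot: company.com and all of its subdomains

        # Build the target from $host, which nginx normalises (lower-cased, port
        # removed), rather than echoing the raw client-supplied Host header
        # ($http_host) into the Location header. "return" also avoids running a
        # regex on every request.
        return 301 https://$host$request_uri;
    }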

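    server {
        listen       443 ssl;
        listen       [::]:443 ssl;

        # Host names served: company.com and every subdomain of it.
        server_name  .company.com;

        # TLS certificate and private key.
        ssl_certificate "/opt/nginx/cert/company.com.pem";
        ssl_certificate_key "/opt/nginx/cert/company.com.key";

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Start with empty values so that the comparisons below never read an
        # uninitialised variable and an unrecognised host name is rejected in
        # "location /" instead of reaching proxy_pass with no upstream.
        set $domain_pix "";
        set $subdomain_pix "";
        set $goserver "";

        # Wildcard-subdomain routing for names of the form sub.domain.tld:
        # capture the prefix, e.g. wiki.company.com sets $domain_pix to "wiki".
        if ( $host ~* (.*)\.(.*)\.(.*) ) {
            set $domain_pix $1;
        }

        # Four-label names (a.b.domain.tld): capture the left-most part.
        if ( $host ~* (.*)\.(.*)\.(.*)\.(.*) ) {
            set $subdomain_pix $1;
        }

        if ($subdomain_pix = eureka) {
            set $goserver eureka_server;
        }

        # jira
        if ($domain_pix = jira) {
            set $goserver jira_server;
            # set $goserver kibana_server;
        }

        if ($domain_pix = wiki2) {
            set $goserver wiki_server;
        }

        if ($domain_pix = arm2api) {
            set $goserver hostapi_arm2_server;
        }

        # gitlab mapping
        if ($domain_pix = gitlab) {
            set $goserver git_server;
        }

        # kibana
        #if ($domain_pix = kibana) {
        #   set $goserver kibana_server;
        #}

        # Proxy to the upstream group chosen above.
        location / {
            # Unknown subdomain: nothing was selected, so answer 404 rather than
            # letting proxy_pass fail on an empty upstream name.
            if ($goserver = "") {
                return 404;
            }

            # Let error_page below handle error responses coming from the backend.
            proxy_intercept_errors on;

            proxy_pass  http://$goserver;

            # Pass the original host and the client address to the backend.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # X-Forwarded-Proto is the header name backends conventionally read to
            # learn the original scheme; the misspelled X-Forward-Proto is kept
            # only in case something already depends on it.
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forward-Proto https;

            proxy_buffering off;
            proxy_request_buffering off;

            # NOTE(review): 1G bodies, unbuffered requests and 3000-second
            # (50-minute) timeouts apply to every proxied host; consider tighter
            # limits on hosts that do not need large uploads.
            client_max_body_size 1G;
            proxy_connect_timeout 3000;
            proxy_send_timeout 3000;
            proxy_read_timeout 3000;

            tcp_nodelay        on;
        }

        location /localwebsite {
            root  /www/mobile;
        }

        # Kibana behind HTTP basic authentication.
        location /kibana/ {
            auth_basic "请输入用户密码";   # realm text shown in the browser's login prompt
            # NOTE(review): the password file sits under the certificate directory;
            # keep it readable only by the nginx user and out of any web root.
            auth_basic_user_file /opt/nginx/cert/passwd/fkibana;

            # The trailing "/" makes nginx replace the matched /kibana/ prefix with
            # "/", so the backend sees /app/... rather than /kibana/app/...
            # The original also carried "rewrite ^/kibabna/(.*)$ /$1 break;", whose
            # misspelled pattern could never match; it is dropped because the
            # prefix is already stripped here.
            proxy_pass http://kibana_server/;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
        }

        # Keep the wiki's browsepeople.action from being opened directly:
        # redirect it to the wiki home instead.
        location /browsepeople.action {
            rewrite ^(.*)$ https://wiki.company.com permanent;
        }

        # The error_page target and the location name must match; the original
        # paired /404.html with "location = /40x.html", so the error page was
        # looked up through "location /". /www is the root the dashboard server
        # on this page uses for the same file.
        error_page 404 /404.html;
        location = /404.html {
            root /www;
        }

        # NOTE(review): no root is set for /50x.html - confirm where the file lives.
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }   ###end server ssl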

dashbroad.conf


    # Static dashboard site on plain HTTP.
    # NOTE(review): an exact server_name takes precedence over the wildcard
    # .company.com redirect server, so this host is presumably never redirected
    # to HTTPS - confirm that is intended.
    server {

           listen 80;
          
           server_name  dashboard.company.com;

           location / {
                root      /www/dashboard;
                index   index.html  index.htm;
           }

           # NOTE(review): try_files treats its final argument as the fallback, so
           # "last" (a rewrite flag) is taken as the fallback URI here and
           # /index.html is only checked as a file under root. The intended
           # fallback needs confirming before this is changed.
           location ^~ /visitor/ {
                root /www/;
                try_files $uri $uri/ /index.html last;
                index   index.html  index.htm;
           }

           # Disabled alternative: proxy the site instead of serving static files.
#           location / {
#               proxy_set_header Host $host;
#               proxy_set_header  X-Real-IP        $remote_addr;
#               proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
#               proxy_set_header X-NginX-Proxy true;
#               proxy_pass http://172.xx.xxx.112:18900;
#           }

           # One shared error page for all of the listed status codes.
           error_page  404 403 500 502 503 504 /404.html;
           location = /404.html {
                root  /www;
           }

    }
