1. nginx
1.1 Installing nginx
Step 1: query the versions currently available
apt-cache madison nginx-full
Step 2: install nginx
apt install -y nginx-full
1.2 Configuring nginx
Steps:
- Edit the main nginx configuration file, /etc/nginx/nginx.conf
- Change worker_connections to 4096
- Add the real_ip settings to the http block
- Remove the leading # that comments out the server_names_hash_bucket_size, server_tokens, gzip_buffers and gzip_types lines
- Add the log_format configuration.
An example nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 4096;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    # real_ip_header proxy_protocol only takes effect on listen sockets that
    # carry the proxy_protocol parameter; set_real_ip_from lists the proxies
    # whose reported client address is trusted
    real_ip_header proxy_protocol;
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 127.0.0.0/8;
    set_real_ip_from 172.16.0.0/12;
    set_real_ip_from 169.254.0.0/16;
    set_real_ip_from 192.168.0.0/16;
    set_real_ip_from 224.0.0.0/4;
    set_real_ip_from 240.0.0.0/4;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    # TLSv1 and TLSv1.1 are deprecated; keep them only if legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    log_format main '$http_host $remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
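The log_format main defined in nginx.conf above is a custom format, so stock log tooling will not parse it. The following parser is an added example, not part of the original page: it turns lines of that format into records and counts 401/403 responses per client address, which is the first thing a responder wants from the access log. The sample lines are constructed for the example and do not come from a real server.

```python
import re
from collections import Counter

# Matches one line written by the "main" log_format from nginx.conf above:
#   '$http_host $remote_addr - $remote_user [$time_local] "$request" '
#   '$status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<remote_addr>\S+) - (?P<remote_user>\S+) '
    r'\[(?P<time_local>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<body_bytes_sent>\d+) "(?P<referer>[^"]*)" '
    r'"(?P<user_agent>[^"]*)" "(?P<xff>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None when the
    line is not in the "main" format (truncated, rotated-in, or foreign)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    # "$request" is "METHOD PATH PROTOCOL"; a garbage request line (for example
    # a TLS ClientHello sent to port 80) may have fewer parts, so split defensively.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def auth_failures_by_client(lines, threshold):
    """Count 401/403 responses per $remote_addr and return the clients that
    reached `threshold`. Once the real_ip settings are in effect, $remote_addr
    is the recovered client address, so the count is per client rather than
    per upstream proxy. $http_x_forwarded_for is kept separately as rec["xff"]
    because it is client-supplied and is not trusted on its own."""
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (401, 403):
            failures[rec["remote_addr"]] += 1
    return {addr: n for addr, n in failures.items() if n >= threshold}


# Constructed sample lines in the "main" format (not real traffic).
SAMPLE_LOG = [
    'demo.xxx.cn 203.0.113.7 - - [10/Oct/2023:13:55:36 +0800] "POST /sso/login HTTP/1.1" 401 52 "-" "curl/8.0.1" "-"',
    'demo.xxx.cn 203.0.113.7 - - [10/Oct/2023:13:55:37 +0800] "POST /sso/login HTTP/1.1" 401 52 "-" "curl/8.0.1" "-"',
    'demo.xxx.cn 198.51.100.20 - - [10/Oct/2023:13:55:38 +0800] "GET /project-pc/ HTTP/2.0" 200 4096 "https://demo.xxx.cn/" "Mozilla/5.0" "-"',
    'demo.xxx.cn 203.0.113.7 - - [10/Oct/2023:13:55:39 +0800] "POST /sso/login HTTP/1.1" 403 52 "-" "curl/8.0.1" "-"',
    'demo.xxx.cn 198.51.100.20 - - [10/Oct/2023:13:55:40 +0800] "GET /missing HTTP/2.0" 404 153 "-" "Mozilla/5.0" "-"',
    'this line is not in the main format',
]

if __name__ == "__main__":
    for addr, n in auth_failures_by_client(SAMPLE_LOG, 3).items():
        print(f"{addr}: {n} authentication failures")
```

To run it against the real file, replace SAMPLE_LOG with `open("/var/log/nginx/access.log")`; lines that do not match (for example from before the format change) are skipped rather than aborting the run.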
1.3 Verify and reload
Save the configuration file and exit the editor, test that the configuration is correct, and, once it is confirmed to be fine, reload the nginx service:
① Test the nginx configuration file:
nginx -t
② If the previous step reports successful, reload the nginx service:
systemctl reload nginx.service
1.4 Configuring the default route
Steps:
- Enter the /etc/nginx/sites-enabled/ directory
- Delete the default file
- Create a new file named default404
The contents of default404:
server {
    listen 80 default_server;
    server_name _;
    return 404;
}

server {
    listen 443 ssl default_server;
    server_name _;
    return 404;
    ssl_certificate /var/http-ssl/xxx.crt;
    ssl_certificate_key /var/http-ssl/xxx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
Test the configuration:
nginx -t
1.5 Configuring the status listener
In the /etc/nginx/sites-enabled/ directory, create a file named status with the following contents:
server {
    listen 127.0.0.1:18080 default_server;
    access_log off;
    location / { return 404; }
    location /nginx_status {
        stub_status on;
    }
}
Test the configuration:
nginx -t
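The stub_status page served on 127.0.0.1:18080 is plain text, four lines long. The script below is an added example, not part of the original page: it parses that output and checks the two numbers worth alerting on, accepted-but-not-handled connections (nginx reports these when a resource limit such as the worker_connections set in nginx.conf is hit) and active connections approaching that limit. The URL assumes the status file above; the sample text is constructed, and the capacity check assumes you pass the worker_processes count your host actually runs.

```python
import re
import urllib.request

# Loopback-only status server from the "status" file above (assumed unchanged).
STATUS_URL = "http://127.0.0.1:18080/nginx_status"

# stub_status output:
#   Active connections: N
#   server accepts handled requests
#    A H R
#   Reading: x Writing: y Waiting: z
STUB_RE = re.compile(
    r"Active connections:\s*(?P<active>\d+)\s*\n"
    r"server accepts handled requests\s*\n"
    r"\s*(?P<accepts>\d+)\s+(?P<handled>\d+)\s+(?P<requests>\d+)\s*\n"
    r"Reading:\s*(?P<reading>\d+)\s+Writing:\s*(?P<writing>\d+)\s+Waiting:\s*(?P<waiting>\d+)"
)


def parse_stub_status(text):
    """Turn the stub_status text into a dict of integers; raise on anything else."""
    m = STUB_RE.search(text)
    if not m:
        raise ValueError("not stub_status output")
    return {k: int(v) for k, v in m.groupdict().items()}


def check_status(stats, worker_connections=4096, worker_processes=1, warn_ratio=0.8):
    """Return warning strings for the conditions an operator cares about.
    `worker_connections` matches the events block in nginx.conf above;
    `worker_processes` is 'auto' there, so pass the real count of the host."""
    warnings = []
    # accepts and handled diverge only when nginx could not take a connection
    # it had accepted, which is what a worker_connections exhaustion looks like.
    dropped = stats["accepts"] - stats["handled"]
    if dropped > 0:
        warnings.append(f"{dropped} accepted connections were not handled (resource limit reached)")
    capacity = worker_connections * worker_processes
    if stats["active"] >= warn_ratio * capacity:
        warnings.append(f"{stats['active']} active connections, at or above "
                        f"{int(warn_ratio * 100)}% of capacity {capacity}")
    return warnings


def fetch_stub_status(url=STATUS_URL, timeout=2):
    """Fetch and parse the live page; needs nginx running with the status file."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_stub_status(resp.read().decode("ascii"))


# Constructed sample outputs (not captured from a real server).
SAMPLE_OK = (
    "Active connections: 291 \n"
    "server accepts handled requests\n"
    " 16630948 16630948 31070465 \n"
    "Reading: 6 Writing: 179 Waiting: 106 \n"
)
SAMPLE_DROPS = (
    "Active connections: 3900 \n"
    "server accepts handled requests\n"
    " 16630948 16630900 31070465 \n"
    "Reading: 6 Writing: 179 Waiting: 106 \n"
)

if __name__ == "__main__":
    try:
        stats = fetch_stub_status()
    except OSError:
        stats = parse_stub_status(SAMPLE_DROPS)  # fall back to the sample offline
    for w in check_status(stats):
        print("WARNING:", w)
```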
1.6 Configuring the domain, certificate and application routes
In the /etc/nginx/sites-enabled/ directory, create a file named demo.xxx.cn with the following contents:
server {
    listen 80;
    server_name demo.xxx.cn;
    location ^~ / {
        # $uri carries no query string; $request_uri would preserve it
        return 301 https://demo.xxx.cn$uri;
    }
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name demo.xxx.cn;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    client_max_body_size 100M;

    ssl_certificate /var/http-ssl/1_demo.xxx.cn_bundle.crt;
    ssl_certificate_key /var/http-ssl/2_demo.xxx.cn.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        return 301 /project-pc/;
        #default_type text/plain;
        #return 403;
    }

    # Static verification files
    location /MP_verify_fxxx.txt {
        return 200 "fxxx";
    }
    location /MP_verify_lxxx.txt {
        return 200 "lxxx";
    }
    location /WW_verify_Axxx.txt {
        default_type text/plain;
        return 200 "Axxx";
    }

    location /rbac/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:39401;
    }

    location /idm/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:39402;
    }

    location /sso/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:39974;
    }

    # Plain static content, proxied to the upstream root path
    location /idm-web/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:39403/;
    }

    location /rbac-web/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:39404/;
    }

    # API forwarding; X-Forwarded-For is set from $remote_addr here, so the
    # client-supplied header is not passed through
    location ~ ^/api-[a-z\-]*/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:40001;
    }

    # web-basic
    location /basic/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_pass http://127.0.0.1:40017/;
    }
}
2. haproxy installation and configuration
2.1 Installing haproxy
Query the versions currently available:
apt-cache madison haproxy
Install haproxy:
apt install -y haproxy
2.2 Configuring haproxy
Edit the haproxy configuration file /etc/haproxy/haproxy.cfg; an example:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats socket 127.0.0.1:14567
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    option dontlognull
    timeout connect 5s
    timeout client 120s
    timeout server 120s

# Stats page: bound on all interfaces with no stats auth, so restrict it with
# a firewall or add authentication before exposing the host
listen stats
    bind 0.0.0.0:8181
    mode http
    stats enable
    stats hide-version
    stats uri /

listen swarm-dashboard
    bind 127.0.0.1:8080
    mode tcp
    option tcp-check
    balance roundrobin
    server swarm-dashboard_b_1 172.16.3.8:8080 check inter 2000 rise 2 fall 3
    server swarm-dashboard_b_2 172.16.3.9:8080 check inter 2000 rise 2 fall 3
    server swarm-dashboard_b_3 172.16.3.10:8080 check inter 2000 rise 2 fall 3

listen nacos
    bind 127.0.0.1:8848
    mode tcp
    option tcp-check
    balance roundrobin
    server nacos_b_1 172.16.3.8:8848 check inter 2000 rise 2 fall 3
    server nacos_b_2 172.16.3.9:8848 check inter 2000 rise 2 fall 3
    server nacos_b_3 172.16.3.10:8848 check inter 2000 rise 2 fall 3

listen idm
    bind 127.0.0.1:39402
    mode tcp
    option tcp-check
    balance roundrobin
    server idm_1 172.16.3.8:39402 check inter 2000 rise 2 fall 3
    server idm_2 172.16.3.9:39402 check inter 2000 rise 2 fall 3
    server idm_3 172.16.3.10:39402 check inter 2000 rise 2 fall 3

listen iam-web
    bind 127.0.0.1:39403
    mode tcp
    option tcp-check
    balance roundrobin
    server iam-web_1 172.16.3.8:39403 check inter 2000 rise 2 fall 3
    server iam-web_2 172.16.3.9:39403 check inter 2000 rise 2 fall 3
    server iam-web_3 172.16.3.10:39403 check inter 2000 rise 2 fall 3

listen rbac
    bind 127.0.0.1:39401
    mode tcp
    option tcp-check
    balance roundrobin
    server rbac_1 172.16.3.8:39401 check inter 2000 rise 2 fall 3
    server rbac_2 172.16.3.9:39401 check inter 2000 rise 2 fall 3
    server rbac_3 172.16.3.10:39401 check inter 2000 rise 2 fall 3

listen rbac-web
    bind 127.0.0.1:39404
    mode tcp
    option tcp-check
    balance roundrobin
    server rbac-web_1 172.16.3.8:39404 check inter 2000 rise 2 fall 3
    server rbac-web_2 172.16.3.9:39404 check inter 2000 rise 2 fall 3
    server rbac-web_3 172.16.3.10:39404 check inter 2000 rise 2 fall 3

listen sso
    bind 127.0.0.1:39974
    mode tcp
    option tcp-check
    balance roundrobin
    server sso_b_1 172.16.3.8:39974 check inter 2000 rise 2 fall 3
    server sso_b_2 172.16.3.9:39974 check inter 2000 rise 2 fall 3
    server sso_b_3 172.16.3.10:39974 check inter 2000 rise 2 fall 3
2.3 Verifying haproxy
Save the configuration file and exit the editor, test that the configuration is correct, and, once it is confirmed to be fine, restart the service:
Test whether the configuration file has problems:
haproxy -c -f /etc/haproxy/haproxy.cfg
If the previous step prints Configuration file is valid, restart the service:
systemctl restart haproxy.service