系列文章索引：

第一篇：《Nginx入门与安装详解：从零开始搭建高性能Web服务器》
第二篇：《Nginx基础配置详解：nginx.conf核心配置与虚拟主机实战》
第三篇：《Nginx代理配置详解：正向代理与反向代理完全指南》
第四篇：《Nginx性能优化与安全配置：打造高性能Web服务器》
第五篇：《Nginx负载均衡配置详解：多种负载均衡策略实战》
第六篇：《Nginx高可用方案实战：Keepalived+双机热备部署》

前言

在现代网络架构中，代理服务器扮演着至关重要的角色。Nginx作为一款高性能的Web服务器，其代理功能被广泛应用于各种场景，从企业内网访问控制到大型网站负载均衡。本文将深入探讨Nginx的正向代理和反向代理配置，通过实际案例帮助你掌握代理配置的核心技能。

代理服务器本质上是一个中间人，负责在客户端和服务器之间传递请求和响应。根据代理的方向不同，可以分为正向代理和反向代理，它们在应用场景和工作原理上有着本质的区别。

一、代理服务器基础概念

1.1 什么是代理服务器

代理服务器（Proxy Server）是位于客户端和目标服务器之间的中间服务器，它接收客户端的请求，然后转发给目标服务器，并将服务器的响应返回给客户端。

代理服务器的基本功能：

请求转发：将客户端请求转发到目标服务器
响应缓存：缓存服务器响应，提高访问速度
访问控制：控制客户端对特定资源的访问
内容过滤：过滤不合适的内容
安全防护：隐藏真实IP地址，提供安全屏障

1.2 正向代理 vs 反向代理

正向代理（Forward Proxy）

工作原理：

客户端明确知道代理服务器的存在
客户端配置代理服务器地址
代理服务器代表客户端访问外部网络
服务器不知道真实客户端的IP地址

应用场景：

企业内网访问外网
突破网络访问限制
访问控制与审计
缓存加速

工作流程：

客户端 → 代理服务器 → 目标服务器

反向代理（Reverse Proxy）

工作原理：

客户端不知道代理服务器的存在
客户端直接访问代理服务器
代理服务器代表服务器接收客户端请求
客户端不知道真实服务器的IP地址

应用场景：

负载均衡
安全防护
SSL卸载
缓存加速

工作流程：

客户端 ← 代理服务器 ← 目标服务器

对比总结

特性	正向代理	反向代理
服务对象	客户端	服务器
配置位置	客户端	服务器端
隐藏对象	客户端IP	服务器IP
典型应用	翻墙、访问控制	负载均衡、安全防护
配置复杂度	简单	复杂
性能要求	一般	高

1.3 Nginx代理模块介绍

Nginx提供了多个代理相关的模块：

核心代理模块：

ngx_http_proxy_module：HTTP反向代理模块
ngx_http_upstream_module：上游服务器定义模块
ngx_stream_proxy_module：TCP/UDP代理模块

功能增强模块：

ngx_http_proxy_connect_module：HTTPS正向代理支持
ngx_http_headers_module：HTTP头部处理模块
ngx_http_cache_module：缓存模块
ngx_http_ssl_module：SSL支持模块

二、正向代理配置详解

2.1 HTTP正向代理配置

基础HTTP正向代理

配置文件：/usr/local/nginx/conf/conf.d/forward-proxy.conf

# =============================================
# HTTP正向代理配置
# 监听端口：3128
# =============================================server {# 监听代理端口listen 3128;# 服务器名称（可选）server_name proxy.example.com;# 解析器配置（DNS服务器）resolver 8.8.8.8 8.8.4.4 114.114.114.114;# 解析器超时时间resolver_timeout 30s;# 访问日志access_log /var/log/nginx/proxy.access.log main;# 错误日志error_log /var/log/nginx/proxy.error.log warn;# =============================================# 正向代理配置# =============================================location / {# 代理目标地址# $http_host: 请求的主机名# $request_uri: 请求的URIproxy_pass http://$http_host$request_uri;# 设置代理头信息proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 代理超时设置proxy_connect_timeout 30s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 代理缓冲区设置proxy_buffering on;proxy_buffer_size 4k;proxy_buffers 8 4k;proxy_busy_buffers_size 8k;# 代理临时文件路径proxy_temp_path /usr/local/nginx/proxy_temp;# 代理缓存路径proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=proxy_cache:10m inactive=60m use_temp_path=off;# 启用代理缓存proxy_cache proxy_cache;# 缓存有效期proxy_cache_valid 200 302 10m;proxy_cache_valid 404 1m;# 缓存键proxy_cache_key $scheme$proxy_host$request_uri;# 缓存状态头add_header X-Proxy-Cache $upstream_cache_status;}# =============================================# 访问控制配置# =============================================# 限制访问IP（可选）allow 192.168.1.0/24;allow 10.0.0.0/8;deny all;# =============================================# 错误处理# =============================================# 代理连接错误处理error_page 502 503 504 /proxy_error.html;location = /proxy_error.html {root /usr/local/nginx/html;internal;}
}

带认证的HTTP正向代理

# =============================================
# 带认证的HTTP正向代理配置
# =============================================server {listen 3128;server_name proxy.example.com;resolver 8.8.8.8 8.8.4.4;access_log /var/log/nginx/proxy.auth.access.log main;error_log /var/local/nginx/proxy.auth.error.log warn;# =============================================# 基本认证配置# =============================================# 启用HTTP基本认证auth_basic "Proxy Authentication";auth_basic_user_file /usr/local/nginx/conf/htpasswd.proxy;# =============================================# 代理配置# =============================================location / {# 检查认证状态if ($remote_user = "") {return 401;}# 代理目标地址proxy_pass http://$http_host$request_uri;# 设置代理头信息proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 添加用户信息到代理头proxy_set_header X-Proxy-User $remote_user;# 代理超时设置proxy_connect_timeout 30s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 代理缓冲区设置proxy_buffering on;proxy_buffer_size 4k;proxy_buffers 8 4k;proxy_busy_buffers_size 8k;# 代理缓存配置proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=proxy_cache:10m inactive=60m;proxy_cache proxy_cache;proxy_cache_valid 200 302 10m;proxy_cache_valid 404 1m;proxy_cache_key $scheme$proxy_host$request_uri;# 缓存状态头add_header X-Proxy-Cache $upstream_cache_status;# 访问日志记录用户access_log /var/log/nginx/proxy.auth.access.log main proxy=$upstream_addr user=$remote_user;}# =============================================# 访问控制# =============================================# 允许特定网段访问allow 192.168.1.0/24;allow 10.0.0.0/8;deny all;
}

2.2 HTTPS正向代理配置

基础HTTPS正向代理

配置文件：/usr/local/nginx/conf/conf.d/forward-proxy-https.conf

# =============================================
# HTTPS正向代理配置
# 监听端口：3129
# 注意：需要ngx_http_proxy_connect_module模块支持
# =============================================server {# 监听HTTPS代理端口listen 3129;# 服务器名称server_name proxy.example.com;# DNS解析器resolver 8.8.8.8 8.8.4.4 114.114.114.114;resolver_timeout 30s;# 访问日志access_log /var/log/nginx/proxy.https.access.log main;# 错误日志error_log /var/log/nginx/proxy.https.error.log warn;# =============================================# HTTPS代理配置# =============================================location / {# HTTPS代理需要特殊处理proxy_pass https://$http_host$request_uri;# SSL相关配置proxy_ssl_server_name on;proxy_ssl_protocols TLSv1.2 TLSv1.3;proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;proxy_ssl_session_reuse on;proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;# 设置代理头信息proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 代理超时设置proxy_connect_timeout 30s;proxy_send_timeout 60s;proxy_read_timeout 60s;# SSL连接超时proxy_ssl_timeout 60s;# 代理缓冲区设置proxy_buffering on;proxy_buffer_size 4k;proxy_buffers 8 4k;proxy_busy_buffers_size 8k;# 代理临时文件路径proxy_temp_path /usr/local/nginx/proxy_temp;# 禁用缓存（HTTPS通常不缓存）proxy_cache off;# 添加SSL信息到日志add_header X-Proxy-SSL $proxy_ssl_server_name;}# =============================================# CONNECT方法处理（HTTPS握手）# =============================================# 处理CONNECT方法（用于HTTPS握手）location /connect {# 启用CONNECT方法支持proxy_connect_address $http_host:443;proxy_connect_connect_timeout 30s;proxy_connect_read_timeout 60s;proxy_connect_send_timeout 60s;# SSL配置proxy_ssl_server_name on;proxy_ssl_protocols TLSv1.2 TLSv1.3;proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;# 代理头信息proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# 超时设置proxy_connect_timeout 30s;proxy_send_timeout 60s;proxy_read_timeout 60s;}# =============================================# 访问控制# =============================================# 限制访问IPallow 192.168.1.0/24;allow 10.0.0.0/8;deny all;# =============================================# 错误处理# =============================================# SSL连接错误处理error_page 497 495 496 /proxy_ssl_error.html;location = /proxy_ssl_error.html {root /usr/local/nginx/html;internal;}# 代理连接错误处理error_page 502 503 504 /proxy_error.html;location = /proxy_error.html {root /usr/local/nginx/html;internal;}
}

带缓存的HTTPS正向代理

# =============================================
# 带缓存的HTTPS正向代理配置
# =============================================server {listen 3129;server_name proxy.example.com;resolver 8.8.8.8 8.8.4.4;resolver_timeout 30s;access_log /var/log/nginx/proxy.https.cache.access.log main;error_log /var/log/nginx/proxy.https.cache.error.log warn;# =============================================# 缓存配置# =============================================# HTTPS代理缓存路径proxy_cache_path /usr/local/nginx/proxy_https_cache levels=1:2 keys_zone=proxy_https_cache:20m inactive=120m use_temp_path=off;# =============================================# 代理配置# =============================================location / {# HTTPS代理proxy_pass https://$http_host$request_uri;# SSL配置proxy_ssl_server_name on;proxy_ssl_protocols TLSv1.2 TLSv1.3;proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;proxy_ssl_session_reuse on;proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;# 代理头信息proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 超时设置proxy_connect_timeout 30s;proxy_send_timeout 60s;proxy_read_timeout 60s;proxy_ssl_timeout 60s;# 缓冲区设置proxy_buffering on;proxy_buffer_size 8k;proxy_buffers 8 8k;proxy_busy_buffers_size 16k;# 启用缓存proxy_cache proxy_https_cache;# 缓存条件：只缓存成功的响应proxy_cache_valid 200 302 30m;proxy_cache_valid 301 1h;proxy_cache_valid 404 1m;proxy_cache_valid 500 502 503 504 0s;# 缓存键proxy_cache_key $scheme$proxy_host$request_uri;# 缓存控制proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;proxy_cache_lock on;proxy_cache_lock_timeout 5s;# 缓存状态头add_header X-Proxy-Cache $upstream_cache_status;# 绕过缓存的条件proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;proxy_no_cache $cookie_nocache $arg_nocache $arg_comment;}# =============================================# 特殊资源缓存配置# =============================================# 静态资源缓存location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|eot)$ {proxy_pass https://$http_host$request_uri;# SSL配置proxy_ssl_server_name on;proxy_ssl_protocols TLSv1.2 TLSv1.3;# 代理头信息proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# 静态资源缓存时间更长proxy_cache proxy_https_cache;proxy_cache_valid 200 302 24h;proxy_cache_valid 404 1m;proxy_cache_key $scheme$proxy_host$request_uri;# 缓存状态头add_header X-Proxy-Cache $upstream_cache_status;# 浏览器缓存控制add_header Cache-Control "public, max-age=86400";# 关闭访问日志access_log off;}# =============================================# 访问控制# =============================================allow 192.168.1.0/24;allow 10.0.0.0/8;deny all;
}

2.3 正向代理客户端配置

Windows客户端配置

Internet Explorer/Edge：

打开IE设置 → Internet选项
选择"连接"选项卡
点击"局域网设置"
勾选"为LAN使用代理服务器"
输入代理服务器地址和端口
点击"确定"保存

Chrome浏览器：

打开设置 → 高级 → 系统
点击"打开您计算机的代理设置"
配置代理服务器地址和端口

Firefox浏览器：

打开设置 → 常规 → 网络设置
选择"手动代理配置"
输入HTTP代理和HTTPS代理
勾选"同时用于HTTPS"

Linux客户端配置

环境变量方式：

# 设置HTTP代理
export http_proxy="http://proxy.example.com:3128"
export https_proxy="http://proxy.example.com:3129"# 设置FTP代理
export ftp_proxy="http://proxy.example.com:3128"# 设置不使用代理的地址
export no_proxy="localhost,127.0.0.1,*.local"# 永久生效（添加到~/.bashrc或/etc/profile）
echo 'export http_proxy="http://proxy.example.com:3128"' >> ~/.bashrc
echo 'export https_proxy="http://proxy.example.com:3129"' >> ~/.bashrc
source ~/.bashrc

APT/YUM包管理器配置：

# APT代理配置（Ubuntu/Debian）
cat > /etc/apt/apt.conf.d/01proxy << EOF
Acquire::http::Proxy "http://proxy.example.com:3128";
Acquire::https::Proxy "http://proxy.example.com:3129";
EOF# YUM代理配置（CentOS/RHEL）
cat > /etc/yum.conf << EOF
[main]
proxy=http://proxy.example.com:3128
EOF

macOS客户端配置

系统代理设置：

打开系统偏好设置 → 网络
选择当前网络连接 → 高级
选择"代理"选项卡
配置HTTP和HTTPS代理
点击"确定"保存

命令行配置：

# 设置网络代理
networksetup -setwebproxy Wi-Fi proxy.example.com 3128
networksetup -setsecurewebproxy Wi-Fi proxy.example.com 3129# 设置代理认证
networksetup -setwebproxy Wi-Fi proxy.example.com 3128 on username password
networksetup -setsecurewebproxy Wi-Fi proxy.example.com 3129 on username password

三、反向代理配置详解

3.1 基础反向代理配置

单后端服务器反向代理

配置文件：/usr/local/nginx/conf/conf.d/reverse-proxy-basic.conf

# =============================================
# 基础反向代理配置
# 监听端口：80
# 后端服务器：127.0.0.1:8080
# =============================================server {# 监听端口listen 80;# 服务器名称server_name web.example.com;# 网站根目录（可选）root /usr/local/nginx/html/web.example.com;# 默认首页文件index index.html index.htm;# 字符集设置charset utf-8;# 访问日志access_log /var/log/nginx/web.example.com.access.log main;# 错误日志error_log /var/log/nginx/web.example.com.error.log warn;# =============================================# 反向代理配置# =============================================location / {# 后端服务器地址proxy_pass http://127.0.0.1:8080;# 设置代理头信息proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_set_header X-Forwarded-Host $host;proxy_set_header X-Forwarded-Port $server_port;# 连接超时设置proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 代理缓冲区设置proxy_buffering on;proxy_buffer_size 4k;proxy_buffers 8 4k;proxy_busy_buffers_size 8k;# 代理临时文件路径proxy_temp_path /usr/local/nginx/proxy_temp;# 代理重定向设置proxy_redirect off;# Cookie设置proxy_cookie_domain off;proxy_cookie_path off;# HTTP版本设置proxy_http_version 1.1;proxy_set_header Connection "";# 客户端请求体大小client_max_body_size 50m;client_body_buffer_size 128k;}# =============================================# 静态文件处理# =============================================# 静态文件直接由Nginx处理location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|eot|svg)$ {# 尝试访问本地文件try_files $uri =404;# 设置缓存头expires 7d;add_header Cache-Control "public, no-transform";# 关闭访问日志access_log off;}# =============================================# 健康检查# =============================================# 健康检查端点location /health {access_log off;return 200 "healthy\n";add_header Content-Type text/plain;}# =============================================# 错误处理# =============================================# 错误页面error_page 404 /404.html;error_page 500 502 503 504 /50x.html;location = /50x.html {root /usr/local/nginx/html;}
}

多后端服务器反向代理

配置文件：/usr/local/nginx/conf/conf.d/reverse-proxy-multiple.conf

# =============================================
# 多后端服务器反向代理配置
# 监听端口：80
# 后端服务器组：backend_servers
# =============================================# 定义后端服务器组
upstream backend_servers {# 后端服务器列表server 192.168.1.10:8080 weight=5 max_fails=3 fail_timeout=30s;server 192.168.1.11:8080 weight=3 max_fails=3 fail_timeout=30s;server 192.168.1.12:8080 weight=2 max_fails=3 fail_timeout=30s backup;# 负载均衡方法# least_conn;  # 最少连接# ip_hash;     # IP哈希# 保持连接设置keepalive 32;keepalive_timeout 30s;keepalive_requests 1000;
}server {listen 80;server_name api.example.com;access_log /var/log/nginx/api.example.com.access.log main;error_log /var/log/nginx/api.example.com.error.log warn;# =============================================# 反向代理配置# =============================================location / {# 代理到后端服务器组proxy_pass http://backend_servers;# 代理头信息proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_set_header X-Forwarded-Host $host;proxy_set_header X-Forwarded-Port $server_port;# 连接设置proxy_http_version 1.1;proxy_set_header Connection "";# 超时设置proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 缓冲区设置proxy_buffering on;proxy_buffer_size 4k;proxy_buffers 8 4k;proxy_busy_buffers_size 8k;# 重定向设置proxy_redirect off;# Cookie设置proxy_cookie_domain off;proxy_cookie_path off;# 请求体大小client_max_body_size 100m;client_body_buffer_size 128k;# 代理缓存配置proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=api_cache:10m inactive=60m;proxy_cache api_cache;proxy_cache_valid 200 302 5m;proxy_cache_valid 404 1m;proxy_cache_key $scheme$request_method$host$request_uri;# 缓存控制proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;proxy_cache_lock on;proxy_cache_lock_timeout 5s;# 缓存状态头add_header X-Proxy-Cache $upstream_cache_status;# 绕过缓存proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;proxy_no_cache $cookie_nocache $arg_nocache $arg_comment;}# =============================================# API路径配置# =============================================# API v1路径location /api/v1/ {proxy_pass http://backend_servers;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# API特定设置proxy_connect_timeout 30s;proxy_send_timeout 30s;proxy_read_timeout 30s;# API缓存proxy_cache api_cache;proxy_cache_valid 200 302 1m;proxy_cache_key $scheme$request_method$host$request_uri;# CORS设置add_header 'Access-Control-Allow-Origin' '*' always;add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;# 处理OPTIONS请求if ($request_method = 'OPTIONS') {add_header 'Access-Control-Allow-Origin' '*';add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';add_header 'Access-Control-Max-Age' 1728000;add_header 'Content-Type' 'text/plain; charset=utf-8';add_header 'Content-Length' 0;return 204;}}# =============================================# 静态资源# =============================================location ~* \.(css|js|jpg|jpeg|png|gif|ico|woff|woff2|ttf|eot|svg)$ {# 尝试本地文件try_files $uri =404;# 缓存设置expires 30d;add_header Cache-Control "public, no-transform";# 关闭日志access_log off;}# =============================================# 健康检查# =============================================location /health {access_log off;proxy_pass http://backend_servers/health;proxy_connect_timeout 5s;proxy_read_timeout 5s;}
}

3.2 带负载均衡的反向代理

轮询负载均衡

# =============================================
# 轮询负载均衡配置
# =============================================# 定义后端服务器组（轮询方式）
upstream backend_round_robin {# 轮询方式（默认）server 192.168.1.10:8080;server 192.168.1.11:8080;server 192.168.1.12:8080;# 连接保持设置keepalive 32;keepalive_timeout 30s;keepalive_requests 1000;
}server {listen 80;server_name lb.example.com;access_log /var/log/nginx/lb.example.com.access.log main;error_log /var/log/nginx/lb.example.com.error.log warn;location / {proxy_pass http://backend_round_robin;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_http_version 1.1;proxy_set_header Connection "";proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;proxy_buffering on;proxy_buffer_size 4k;proxy_buffers 8 4k;proxy_busy_buffers_size 8k;}
}

加权轮询负载均衡

# =============================================
# 加权轮询负载均衡配置
# =============================================# 定义后端服务器组（加权轮询）
upstream backend_weighted {# 权重分配，数值越大分配到的请求越多server 192.168.1.10:8080 weight=5;    # 50%的请求server 192.168.1.11:8080 weight=3;    # 30%的请求server 192.168.1.12:8080 weight=2;    # 20%的请求# 健康检查设置server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;server 192.168.1.12:8080 max_fails=3 fail_timeout=30s;# 连接保持keepalive 32;keepalive_timeout 30s;keepalive_requests 1000;
}server {listen 80;server_name weighted.example.com;access_log /var/log/nginx/weighted.example.com.access.log main;error_log /var/log/nginx/weighted.example.com.error.log warn;location / {proxy_pass http://backend_weighted;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_http_version 1.1;proxy_set_header Connection "";proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 添加负载均衡信息到日志add_header X-Upstream-Addr $upstream_addr;add_header X-Upstream-Response-Time $upstream_response_time;}
}

IP哈希负载均衡

# =============================================
# IP哈希负载均衡配置
# =============================================# 定义后端服务器组（IP哈希）
upstream backend_ip_hash {# IP哈希方式，确保同一客户端请求始终转发到同一服务器ip_hash;server 192.168.1.10:8080;server 192.168.1.11:8080;server 192.168.1.12:8080;# 健康检查server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;server 192.168.1.12:8080 max_fails=3 fail_timeout=30s;# 连接保持keepalive 32;keepalive_timeout 30s;keepalive_requests 1000;
}server {listen 80;server_name iphash.example.com;access_log /var/log/nginx/iphash.example.com.access.log main;error_log /var/log/nginx/iphash.example.com.error.log warn;location / {proxy_pass http://backend_ip_hash;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_http_version 1.1;proxy_set_header Connection "";proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 添加客户端哈希信息add_header X-Client-Hash $remote_addr;add_header X-Upstream-Addr $upstream_addr;}
}

最少连接负载均衡

# =============================================
# 最少连接负载均衡配置
# =============================================# 定义后端服务器组（最少连接）
upstream backend_least_conn {# 最少连接方式，将请求转发到连接数最少的服务器least_conn;server 192.168.1.10:8080;server 192.168.1.11:8080;server 192.168.1.12:8080;# 健康检查server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;server 192.168.1.12:8080 max_fails=3 fail_timeout=30s;# 连接保持keepalive 32;keepalive_timeout 30s;keepalive_requests 1000;
}server {listen 80;server_name leastconn.example.com;access_log /var/log/nginx/leastconn.example.com.access.log main;error_log /var/log/nginx/leastconn.example.com.error.log warn;location / {proxy_pass http://backend_least_conn;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_http_version 1.1;proxy_set_header Connection "";proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 添加连接数信息add_header X-Upstream-Addr $upstream_addr;add_header X-Upstream-Connections $upstream_connections;}
}

3.3 带缓存的反向代理

基础缓存配置

# =============================================
# 带缓存的反向代理配置
# =============================================# 定义缓存路径和参数
proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=cache_zone:10m inactive=60m use_temp_path=off;
proxy_cache_path /usr/local/nginx/proxy_cache_api levels=1:2 keys_zone=api_cache:20m inactive=120m use_temp_path=off;server {listen 80;server_name cache.example.com;access_log /var/log/nginx/cache.example.com.access.log main;error_log /var/log/nginx/cache.example.com.error.log warn;# =============================================# 基础缓存配置# =============================================location / {# 后端服务器proxy_pass http://127.0.0.1:8080;# 代理头信息proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 缓存设置proxy_cache cache_zone;proxy_cache_valid 200 302 10m;proxy_cache_valid 301 1h;proxy_cache_valid 404 1m;proxy_cache_valid 500 502 503 504 0s;# 缓存键proxy_cache_key $scheme$request_method$host$request_uri;# 缓存控制proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;proxy_cache_lock on;proxy_cache_lock_timeout 5s;# 缓存状态头add_header X-Proxy-Cache $upstream_cache_status;# 绕过缓存proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;proxy_no_cache $cookie_nocache $arg_nocache $arg_comment;}# =============================================# API缓存配置# =============================================location /api/ {proxy_pass http://127.0.0.1:8080;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# API专用缓存proxy_cache api_cache;proxy_cache_valid 200 302 5m;proxy_cache_valid 404 1m;proxy_cache_key $scheme$request_method$host$request_uri;# API缓存控制proxy_cache_use_stale error timeout updating;proxy_cache_lock on;proxy_cache_lock_timeout 3s;# CORS设置add_header 'Access-Control-Allow-Origin' '*' always;add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;# 缓存状态头add_header X-Proxy-Cache $upstream_cache_status;}# =============================================# 静态资源缓存# =============================================location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|eot|svg)$ {proxy_pass http://127.0.0.1:8080;proxy_set_header Host $host;# 静态资源缓存proxy_cache cache_zone;proxy_cache_valid 200 302 24h;proxy_cache_valid 404 1m;proxy_cache_key $scheme$request_method$host$request_uri;# 浏览器缓存控制expires 30d;add_header Cache-Control "public, no-transform";# 缓存状态头add_header X-Proxy-Cache $upstream_cache_status;# 关闭访问日志access_log off;}# =============================================# 缓存清理接口# =============================================location /purge/ {# 限制访问IPallow 127.0.0.1;allow 192.168.1.0/24;deny all;# 缓存清理proxy_cache_purge cache_zone $scheme$request_method$host$request_uri;proxy_cache_purge api_cache $scheme$request_method$host$request_uri;# 返回清理结果add_header Content-Type "text/plain";return 200 "Cache purged\n";}
}

高级缓存配置

# =============================================
# 高级缓存配置
# =============================================# 定义多个缓存区域
proxy_cache_path /usr/local/nginx/proxy_cache_static levels=1:2 keys_zone=static_cache:50m inactive=24h use_temp_path=off;
proxy_cache_path /usr/local/nginx/proxy_cache_api levels=1:2 keys_zone=api_cache:100m inactive=2h use_temp_path=off;
proxy_cache_path /usr/local/nginx/proxy_cache_dynamic levels=1:2 keys_zone=dynamic_cache:200m inactive=1h use_temp_path=off;server {listen 80;server_name advanced-cache.example.com;access_log /var/log/nginx/advanced-cache.example.com.access.log main;error_log /var/log/nginx/advanced-cache.example.com.error.log warn;# =============================================# 缓存条件变量# =============================================# 定义缓存条件变量map $request_method $no_cache_method {POST 1;PUT 1;DELETE 1;PATCH 1;default 0;}map $cookie_user_token $no_cache_auth {default 0;"~*" 1;}map $arg_nocache $no_cache_arg {default 0;"1" 1;"true" 1;}# =============================================# 静态资源缓存# =============================================location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|eot|svg)$ {proxy_pass http://127.0.0.1:8080;proxy_set_header Host $host;# 静态资源缓存proxy_cache static_cache;proxy_cache_valid 200 302 7d;proxy_cache_valid 404 1h;proxy_cache_key $scheme$request_method$host$request_uri;# 缓存控制proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;proxy_cache_lock on;proxy_cache_lock_timeout 5s;# 浏览器缓存expires 30d;add_header Cache-Control "public, no-transform";# 缓存状态add_header X-Proxy-Cache $upstream_cache_status;# 关闭日志access_log off;}# =============================================# API缓存# =============================================location /api/ {proxy_pass http://127.0.0.1:8080;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# API缓存proxy_cache api_cache;proxy_cache_valid 200 302 10m;proxy_cache_valid 404 1m;proxy_cache_key $scheme$request_method$host$request_uri;# 缓存控制proxy_cache_use_stale error timeout updating;proxy_cache_lock on;proxy_cache_lock_timeout 3s;# 条件缓存proxy_no_cache $no_cache_method $no_cache_auth $no_cache_arg;proxy_cache_bypass $no_cache_method $no_cache_auth $no_cache_arg;# CORSadd_header 'Access-Control-Allow-Origin' '*' always;add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;# 缓存状态add_header X-Proxy-Cache $upstream_cache_status;add_header X-Cache-Condition "method=$no_cache_method,auth=$no_cache_auth,arg=$no_cache_arg";}# =============================================# 动态内容缓存# =============================================location /dynamic/ {proxy_pass http://127.0.0.1:8080;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;# 动态内容缓存proxy_cache dynamic_cache;proxy_cache_valid 200 302 1m;proxy_cache_valid 404 30s;proxy_cache_key $scheme$request_method$host$request_uri;# 缓存控制proxy_cache_use_stale error timeout updating;proxy_cache_lock on;proxy_cache_lock_timeout 2s;# 条件缓存（更严格）proxy_no_cache $no_cache_method $no_cache_auth $no_cache_arg;proxy_cache_bypass $no_cache_method $no_cache_auth $no_cache_arg;# 缓存状态add_header X-Proxy-Cache $upstream_cache_status;}# =============================================# 缓存统计接口# =============================================location /cache_status/ {# 限制访问allow 127.0.0.1;allow 192.168.1.0/24;deny all;# 返回缓存统计信息add_header Content-Type "application/json";return 200 '{"static_cache": {"size": "50MB","inactive": "24h"},"api_cache": {"size": "100MB","inactive": "2h"},"dynamic_cache": {"size": "200MB","inactive": "1h"}}';}# =============================================# 缓存清理接口# =============================================location /purge/ {# 限制访问allow 127.0.0.1;allow 192.168.1.0/24;deny all;# 根据URL清理缓存location ~ ^/purge/static/(.*)$ {proxy_cache_purge static_cache $scheme$request_method$host/$1;}location ~ ^/purge/api/(.*)$ {proxy_cache_purge api_cache $scheme$request_method$host/$1;}location ~ ^/purge/dynamic/(.*)$ {proxy_cache_purge dynamic_cache $scheme$request_method$host/$1;}# 返回清理结果add_header Content-Type "text/plain";return 200 "Cache purged\n";}
}

四、代理配置高级应用

4.1 SSL/TLS终止

HTTPS反向代理配置

# =============================================
# HTTPS反向代理配置（SSL终止）
# =============================================server {# 监听443端口（HTTPS）listen 443 ssl http2;listen [::]:443 ssl http2;# 服务器名称server_name secure.example.com;# SSL证书配置ssl_certificate /usr/local/nginx/conf/ssl/secure.example.com.crt;ssl_certificate_key /usr/local/nginx/conf/ssl/secure.example.com.key;# SSL协议和加密套件ssl_protocols TLSv1.2 TLSv1.3;ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;ssl_prefer_server_ciphers on;# SSL会话配置ssl_session_cache shared:SSL:10m;ssl_session_timeout 10m;ssl_session_tickets on;# OCSP装订ssl_stapling on;ssl_stapling_verify on;ssl_trusted_certificate /usr/local/nginx/conf/ssl/chain.pem;# HSTSadd_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;access_log /var/log/nginx/secure.example.com.access.log main;error_log /var/log/nginx/secure.example.com.error.log warn;# =============================================# 反向代理配置# =============================================location / {# 后端服务器（HTTP）proxy_pass http://127.0.0.1:8080;# 代理头信息proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_set_header X-Forwarded-SSL $ssl_protocol;proxy_set_header X-Forwarded-SSL-Cipher $ssl_cipher;# 连接设置proxy_http_version 1.1;proxy_set_header Connection "";# 超时设置proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 缓冲区设置proxy_buffering on;proxy_buffer_size 4k;proxy_buffers 8 4k;proxy_busy_buffers_size 8k;# 设置HTTPS参数proxy_set_header HTTPS on;proxy_set_header HTTP_SCHEME https;}# =============================================# WebSocket代理# =============================================location /ws/ {proxy_pass http://127.0.0.1:8080;proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "Upgrade";proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# WebSocket超时设置proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;}
}# =============================================
# HTTP重定向到HTTPS
# =============================================server {listen 80;listen [::]:80;server_name secure.example.com;# 重定向到HTTPSreturn 301 https://$server_name$request_uri;
}

4.2 WebSocket代理

# =============================================
# WebSocket代理配置
# =============================================server {listen 80;server_name ws.example.com;access_log /var/log/nginx/ws.example.com.access.log main;error_log /var/log/nginx/ws.example.com.error.log warn;# =============================================# WebSocket代理配置# =============================================location /ws/ {# WebSocket后端服务器proxy_pass http://127.0.0.1:8080;# WebSocket必要头信息proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "Upgrade";proxy_set_header Host $host;# 其他代理头信息proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# WebSocket超时设置proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 缓冲区设置（WebSocket通常不缓冲）proxy_buffering off;# 心跳设置proxy_set_header Connection "";}# =============================================# 带认证的WebSocket# =============================================location /ws-auth/ {# 基本认证auth_basic "WebSocket Authentication";auth_basic_user_file /usr/local/nginx/conf/htpasswd.ws;# WebSocket代理proxy_pass http://127.0.0.1:8080;proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "Upgrade";proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 添加认证信息proxy_set_header X-WS-User $remote_user;# 超时设置proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;proxy_buffering off;}# =============================================# WebSocket负载均衡# =============================================location /ws-lb/ {# 定义WebSocket后端服务器组proxy_pass http://websocket_backend;proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "Upgrade";proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;# 负载均衡设置proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;proxy_buffering off;}
}# =============================================
# WebSocket后端服务器组
# =============================================upstream websocket_backend {# IP哈希确保同一客户端连接到同一服务器ip_hash;server 192.168.1.10:8080;server 192.168.1.11:8080;server 192.168.1.12:8080;# 健康检查server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;server 192.168.1.12:8080 max_fails=3 fail_timeout=30s;# 连接保持keepalive 32;keepalive_timeout 30s;keepalive_requests 1000;
}

4.3 代理健康检查

被动健康检查

# =============================================
# 被动健康检查配置
# =============================================upstream backend_health_check {# 后端服务器配置server 192.168.1.10:8080 weight=5 max_fails=3 fail_timeout=30s;server 192.168.1.11:8080 weight=3 max_fails=3 fail_timeout=30s;server 192.168.1.12:8080 weight=2 max_fails=3 fail_timeout=30s backup;# 负载均衡方法least_conn;# 连接保持keepalive 32;keepalive_timeout 30s;keepalive_requests 1000;
}server {listen 80;server_name health.example.com;access_log /var/log/nginx/health.example.com.access.log main;error_log /var/log/nginx/health.example.com.error.log warn;location / {proxy_pass http://backend_health_check;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_http_version 1.1;proxy_set_header Connection "";proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 添加健康检查信息add_header X-Upstream-Status $upstream_status;add_header X-Upstream-Response-Time $upstream_response_time;add_header X-Upstream-Addr $upstream_addr;}# =============================================# 健康检查端点# =============================================location /health {# 限制访问allow 127.0.0.1;allow 192.168.1.0/24;deny all;# 返回健康状态add_header Content-Type "application/json";return 200 '{"status": "healthy","upstream": "backend_health_check","servers": [{"addr": "192.168.1.10:8080", "status": "up"},{"addr": "192.168.1.11:8080", "status": "up"},{"addr": "192.168.1.12:8080", "status": "backup"}]}';}
}

主动健康检查（需要nginx_plus或第三方模块）

# =============================================
# 主动健康检查配置（需要nginx_plus）
# =============================================upstream backend_active_health {zone backend_active_health 64k;server 192.168.1.10:8080 slow_start=30s;server 192.168.1.11:8080 slow_start=30s;server 192.168.1.12:8080 slow_start=30s backup;# 主动健康检查health_check interval=10s fails=3 passes=2 uri=/health port=8080;# 负载均衡least_conn;# 连接保持keepalive 32;keepalive_timeout 30s;keepalive_requests 1000;
}server {listen 80;server_name active-health.example.com;access_log /var/log/nginx/active-health.example.com.access.log main;error_log /var/log/nginx/active-health.example.com.error.log warn;location / {proxy_pass http://backend_active_health;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;proxy_http_version 1.1;proxy_set_header Connection "";proxy_connect_timeout 60s;proxy_send_timeout 60s;proxy_read_timeout 60s;# 添加健康状态信息add_header X-Upstream-Status $upstream_status;add_header X-Upstream-Response-Time $upstream_response_time;add_header X-Upstream-Addr $upstream_addr;}# =============================================# 健康状态监控# =============================================location /upstream_status {# 限制访问allow 127.0.0.1;allow 192.168.1.0/24;deny all;# 显示上游服务器状态upstream_status;add_header Content-Type "text/plain";}
}

五、代理配置常见问题与解决方案

5.1 代理连接超时

问题现象：

2024/01/15 10:30:15 [error] 12345#0: *12345 upstream timed out (110: Connection timed out) while connecting to upstream

解决方案：

# 调整代理超时设置
location / {proxy_pass http://backend;proxy_set_header Host $host;# 增加连接超时时间proxy_connect_timeout 120s;proxy_send_timeout 120s;proxy_read_timeout 120s;# 启用代理缓冲proxy_buffering on;proxy_buffer_size 8k;proxy_buffers 8 8k;proxy_busy_buffers_size 16k;
}

5.2 代理缓存问题

问题现象：

缓存不生效
缓存内容过期
缓存清理失败

解决方案：

# 检查缓存配置
proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=cache_zone:10m inactive=60m;location / {proxy_pass http://backend;proxy_set_header Host $host;# 确保缓存启用proxy_cache cache_zone;proxy_cache_valid 200 302 10m;proxy_cache_key $scheme$request_method$host$request_uri;# 添加缓存状态头add_header X-Proxy-Cache $upstream_cache_status;# 检查缓存条件proxy_cache_bypass $cookie_nocache $arg_nocache;proxy_no_cache $cookie_nocache $arg_nocache;
}

5.3 SSL代理问题

问题现象：

2024/01/15 10:30:15 [error] 12345#0: *12345 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure)

解决方案：

# 调整SSL配置
location / {proxy_pass https://backend;proxy_set_header Host $host;# SSL配置proxy_ssl_server_name on;proxy_ssl_protocols TLSv1.2 TLSv1.3;proxy_ssl_ciphers HIGH:!aNULL:!MD5;proxy_ssl_session_reuse on;proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;# SSL超时设置proxy_ssl_timeout 60s;
}

5.4 WebSocket代理问题

问题现象：

WebSocket连接失败
连接频繁断开

解决方案：

# WebSocket代理配置
location /ws/ {proxy_pass http://backend;proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "Upgrade";proxy_set_header Host $host;# 禁用缓冲proxy_buffering off;# 调整超时时间proxy_connect_timeout 120s;proxy_send_timeout 120s;proxy_read_timeout 120s;# 心跳设置proxy_set_header Connection "";
}

性能优化建议：