1.作用:做請求轉發,負載均衡,反向代理;靜態文件與項目web的分離,正向代理;
2.請求過程:反向代理過程
客戶端——》nginx——》tomcat服務器
tomcat服務器——》nginx——》客戶端
3.場景運用:前后端分離項目,需要解決跨域,需要用https請求,需要負載均衡,需要靜態文件的正向代理
比如我想訪問:https://XXXX:7443/zlj_jhpt ,實際訪問到的是 XXXX.70:6443 上項目名稱為 zlj_jhpt 的項目
1).https請求到外網nginx服務器,外網nginx需要請求到交換平台的接口
2).外網tomcat配置 7443端口,且服務器入棧開7443端口,ecs安全組規則加入7443端口
3).交換平台ecs安全組加6443端口,服務器入棧加6443端口
4.注意點:
1).https請求時Nginx和tomcat都要配置ssl證書,其中面向互聯網的nginx證書必須是由公共受信任CA簽發的證書(即被所有瀏覽器信任的證書,通常由信息中心分配或者在阿里雲申請)
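2).被代理的tomcat服務器需要開https端口並配置ssl證書,這個證書用jdk自帶的命令生成即可,具體見上次寫的:https://www.cnblogs.com/tongcc/p/15543436.html 。注意:nginx默認不校驗上游證書(proxy_ssl_verify默認為off),此時自簽名證書只提供加密、不驗證tomcat的身份;如需驗證,可用proxy_ssl_trusted_certificate指定該證書並開啟proxy_ssl_verify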
3).阿里雲服務器安全組開端口,服務器本地入棧開端口
5.重點配置分析:
upstream標簽
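# Backend pool for the zlj_jhpt application; referenced as
# "proxy_pass https://zlj_jhpt" from the server block.
upstream zlj_jhpt {
    # Load-balancing method. nginx comments start with '#'; the original
    # note used '//', which nginx would try to parse as a directive.
    # Built-in choices include round-robin (default), weight and ip_hash.
    # The original note also lists "ip_url" and "fails" - presumably URL
    # hashing and the third-party "fair" module; confirm before relying on them.
    ip_hash;

    # max_fails / fail_timeout: after 10 failed attempts within 120s the
    # server is treated as unavailable for the next 120s.
    server XXXX.70:443 weight=1 max_fails=10 fail_timeout=120s;
    server XXXX.70:6443 weight=1 max_fails=10 fail_timeout=120s;
    #server XXXX.72:8080 weight=1 max_fails=10 fail_timeout=120s;

    # Idle upstream connections cached per worker. This only takes effect
    # when the proxied location uses HTTP/1.1 with an empty Connection
    # header - presumably set in proxy.conf; verify.
    keepalive 64;
}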
server標簽
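# Public HTTPS entry point: terminates TLS on 7443, serves the static
# front end, and reverse-proxies /zlj_jhpt to the upstream pool.
server {
    listen 7443 ssl;                    # port this server listens on
    # server_name is matched against the host part of the Host header only,
    # so the ":7443" suffix used originally could never match.
    server_name XXXX;

    ssl_certificate D:/zlj_ssl/_.XXXX_bundle.crt;               # certificate chain (leaf + intermediates)
    # Private key, not a certificate: keep it readable only by the account
    # that runs nginx and never ship it alongside the .crt file.
    ssl_certificate_key D:/zlj_ssl/.XXXX_RSA.XXXX_RSA.key;
    ssl_session_cache shared:SSL:1m;    # session cache shared by all worker processes
    ssl_session_timeout 5m;

    #ssl_ciphers HIGH:!aNULL:!MD5;
    # NOTE(review): "ALL" followed by a list of exclusions is hard to audit;
    # the commented-out line above is nginx's default and is easier to reason about.
    ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
    # TLSv1 and TLSv1.1 are deprecated and no longer offered. Remove TLSv1.3
    # if this nginx/OpenSSL build predates it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # NOTE(review): "ISO-88509-1" is not a registered charset name (probably a
    # typo for ISO-8859-1). Left unchanged because a valid Latin-1 label would
    # change how browsers decode the pages; UTF-8 is presumably what is wanted - confirm.
    charset ISO-88509-1;

    # Front-end page: https://XXXX:7443/zhejiang-social-assistance/zhejiang-social-assistance.html#/five-help/how-help
    # API endpoint:   https://XXXX:7443/zlj_jhpt/api/five-help/help-how-going/count

    # API path mapping.
    # NOTE(review): this proxies back to this server's own public address, so
    # each API call passes through nginx twice and is then handled by the
    # /zlj_jhpt location below.
    location /api/ {
        proxy_pass https://XXXX:7443/zlj_jhpt/api/;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Front-end page mapping (static files served directly by nginx).
    # Forward slashes are used in Windows paths because the nginx config
    # parser treats a backslash as an escape character (\t, \n, \r ...).
    location /zhejiang-social-assistance/ {
        root D:/working/yw_szzfdp/web;
        expires 12h;
        # NOTE(review): HSTS is only sent from the two static locations, and
        # "includeSubdomains; preload" commits every subdomain to HTTPS.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    }

    # Static resources served from the nginx host, e.g. project images.
    # NOTE(review): the URL says "happyCode" but the directory is
    # "happlyCode" - confirm the directory name on disk.
    location /stwx/happyCode/images {
        alias D:/zly_cache/stwx/happlyCode/images;
        expires 12h;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    }

    # Tomcat application mapping plus CORS headers.
    location /zlj_jhpt {
        # For a single backend write ip:port/project here instead; for load
        # balancing use the upstream block name as done below.
        proxy_pass https://zlj_jhpt;
        # nginx does not verify the upstream certificate unless
        # "proxy_ssl_verify on" and "proxy_ssl_trusted_certificate <path>" are
        # configured - presumably not done in proxy.conf; verify.
        include proxy.conf;

        # Lets pages opened straight from the file system (or from any other
        # origin) call the API. The original sent "Allow-Origin: *" together
        # with "Allow-Credentials: true"; browsers reject that pair for
        # credentialed requests, so the credentials header is dropped. If
        # cookies or Authorization headers must cross origins, answer with one
        # allow-listed origin (for example via a map on $http_origin in the
        # http block) and add "Vary: Origin" instead of using "*".
        # GET and POST carried identical headers, so one condition covers both.
        if ($request_method ~ "^(GET|POST)$") {
            add_header 'Access-Control-Allow-Origin' *;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        }
    }
}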
6.其他配置
虛擬處理器查看:

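5.其他配置分析
#user nobody;
# worker_processes: normally the number of CPU cores (2 cores / 4 threads
# could use 4; this host also runs a Tomcat, so 3 is used).
worker_processes 3;
# Log level: debug | info | notice | warn | error | crit
error_log logs/error.log warn;
pid logs/nginx.pid;
#worker_rlimit_nofile 65535;

# Maximum number of simultaneous connections one worker process may hold.
events {
    worker_connections 8192;
}

http {
    include mime.types;
    default_type application/octet-stream;
    fastcgi_intercept_errors on;

    log_format main '"$upstream_addr" $remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    # NOTE(review): with access logging off there is no request trail for
    # incident investigation; consider re-enabling the line above on an
    # internet-facing proxy.
    access_log off;
    open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;

    server_names_hash_bucket_size 128;
    large_client_header_buffers 4 64k;
    client_header_buffer_size 32k;
    client_body_buffer_size 5120k;
    client_max_body_size 100m;
    server_tokens off;                  # do not advertise the nginx version
    ignore_invalid_headers on;
    recursive_error_pages on;
    server_name_in_redirect off;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_requests 3000;
    keepalive_timeout 120;
    client_body_timeout 12;
    client_header_timeout 12;
    send_timeout 10;
    autoindex off;                      # no directory listings
    include gzip.conf;
    map_hash_bucket_size 64;

    # FastCGI tuning (timeouts and buffer sizes). These only affect
    # fastcgi_pass locations; none appear in the configuration shown here.
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    # upstream blocks: backend addresses and ports plus the balancing method.
    # The original note lists five strategies: round-robin (default), weight,
    # ip_hash, and "ip_url" / "fairs" - presumably URL hashing and the
    # third-party fair module; confirm before relying on them.
    upstream stwx {
        ip_hash;
        server XXXX.206:8080 weight=1 max_fails=10 fail_timeout=120s;
        #server XXXX.72:8080 weight=1 max_fails=10 fail_timeout=120s;
        keepalive 64;
    }

    upstream zlj_jhpt {
        ip_hash;
        # exchange-platform address
        server XXXX.70:443 weight=1 max_fails=10 fail_timeout=120s;
        #server XXXX.70:8088 weight=1 max_fails=10 fail_timeout=120s;
        #server XXXX.72:8080 weight=1 max_fails=10 fail_timeout=120s;
        keepalive 64;
    }

    # server blocks: one per listening port; they define the paths clients use.
    server {
        # TLS listener on port 7443
        listen 7443 ssl;
        # Host name clients use. server_name is matched against the host part
        # of the Host header only, so the ":7443" suffix used originally could
        # never match.
        server_name XXXX;

        ssl_certificate D:/zlj_ssl/_.XXXX_bundle.crt;
        # Private key: keep it readable only by the account that runs nginx.
        ssl_certificate_key D:/zlj_ssl/.XXXX_RSA.XXXX_RSA.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        #ssl_ciphers HIGH:!aNULL:!MD5;
        # NOTE(review): "ALL" followed by exclusions is hard to audit; the
        # commented-out line above is nginx's default.
        ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
        # TLSv1 and TLSv1.1 are deprecated and no longer offered. Remove
        # TLSv1.3 if this nginx/OpenSSL build predates it.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        # NOTE(review): "ISO-88509-1" is not a registered charset name
        # (probably a typo for ISO-8859-1). Left unchanged because a valid
        # Latin-1 label would change how browsers decode the pages; UTF-8 is
        # presumably what is wanted - confirm.
        charset ISO-88509-1;

        # Application root, e.g. https://XXXX:7443/zlj_jhpt reaches the
        # project named zlj_jhpt on XXXX.70:443.
        location /zlj_jhpt {
            proxy_pass https://zlj_jhpt;
            # nginx does not verify the upstream certificate unless
            # "proxy_ssl_verify on" and "proxy_ssl_trusted_certificate <path>"
            # are configured - presumably not done in proxy.conf; verify.
            include proxy.conf;

            # CORS for pages opened from the file system or other origins.
            # The original sent "Allow-Origin: *" together with
            # "Allow-Credentials: true"; browsers reject that pair for
            # credentialed requests, so the credentials header is dropped. If
            # cookies or Authorization headers must cross origins, answer with
            # one allow-listed origin (for example via a map on $http_origin)
            # and add "Vary: Origin" instead of using "*".
            # GET and POST carried identical headers, so one condition covers both.
            if ($request_method ~ "^(GET|POST)$") {
                add_header 'Access-Control-Allow-Origin' *;
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            }
        }

        location /st {
            # NOTE(review): no "upstream st" block is visible in this file, so
            # "st" would have to resolve as a host name when nginx starts -
            # confirm it is defined elsewhere.
            proxy_pass https://st;
            include proxy.conf;

            # Same CORS policy as /zlj_jhpt: wildcard origin without the
            # credentials header, one condition for GET and POST.
            if ($request_method ~ "^(GET|POST)$") {
                add_header 'Access-Control-Allow-Origin' *;
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            }
        }
    }

    server {
        listen 80;
        server_name localhost XXXX;
        charset ISO-88509-1;            # NOTE(review): same unregistered charset name as above

        location /stwx {
            proxy_pass http://stwx;
            include proxy.conf;
        }

        # Connection counters. Restricted to the local host so the endpoint
        # does not disclose load data to the internet; add an "allow" line
        # for the monitoring host if one polls it remotely.
        location /nginxstatus {
            stub_status on;
            # "access_log on" is not a switch: nginx would write to a file
            # literally named "on". Name the log file and format explicitly.
            access_log logs/access.log main;
            allow 127.0.0.1;
            deny all;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        error_page 404 /404.html;
    }

    server {
        listen 80;
        # NOTE(review): "localhost" is also claimed by the previous port-80
        # server; nginx keeps the first and ignores this duplicate with a warning.
        server_name localhost shzz.XXXX;
        charset ISO-88509-1;            # NOTE(review): same unregistered charset name as above

        location /switch_stshzz {
            # NOTE(review): no "upstream switch_stshzz" block is visible in
            # this file - confirm it is defined elsewhere.
            proxy_pass http://switch_stshzz;
            include proxy.conf;
        }

        # Same restriction and logging fix as the status endpoint above.
        location /nginxstatus {
            stub_status on;
            access_log logs/access.log main;
            allow 127.0.0.1;
            deny all;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        error_page 404 /404.html;
    }

    # Permanent redirect from the port 8800 entry point to the /st application.
    server {
        listen 8800;
        server_name localhost XXXX.206;
        return 301 http://XXXX:8089/st;
    }
}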
