- 处理proxy_pass指令
- cache命中则发生响应头部 , 没有命中则根据指令生成发往上游http头部和包体
- 指令proxy_request_buffering如果是on的话, 则读取请求完整包体, 如果为off则根据负载均衡选择上游服务器
- 发送请求(边读包体边发)
- 上游接收处理响应头部
- 如果proxy_buffering是on的话 ,则接受完整的响应包体再发送,如果为off的话 , 则先发送响应头部,响应包体则边读边发
- 如果开启cache则包体加入缓存
proxy模块
对上游使用http/https协议进行反向代理
1 2 3
| Syntax: proxy_pass URL; Default: — Context: location, if in location, limit_except
|
其中url的参数规则为:
- URL必须以http://或者https://开头
- 当URL中携带URI时 , 则将location匹配上的一段替换成该URI, 如果不携带URI,则直接转发给上游
##根据指令生成请求头部和包体
生成发往上游的请求行
1 2 3 4 5 6 7
| Syntax: proxy_method method; Default: — Context: http, server, location
Syntax: proxy_http_version 1.0 | 1.1; Default: proxy_http_version 1.0; Context: http, server, location
|
生成发往上游的请求头部
1 2 3 4 5 6 7 8 9
| Syntax: proxy_set_header field value; Default: proxy_set_header Host $proxy_host; proxy_set_header Connection close; Context: http, server, location
Syntax: proxy_pass_request_headers on | off; Default: proxy_pass_request_headers on; Context: http, server, location
|
若value的值为空 ,则整个haeder都不会向上游发送
生成发往上游的包体
1 2 3 4 5 6
| Syntax: proxy_pass_request_body on | off; Default: proxy_pass_request_body on; Context: http, server, location Syntax: proxy_set_body value; Default: — Context: http, server, location
|
接收客户端请求的包体
1 2 3
| Syntax: proxy_request_buffering on | off; Default: proxy_request_buffering on; Context: http, server, location
|
客户端接收的包体
1 2 3 4 5 6
| Syntax: client_body_buffer_size size; Default: client_body_buffer_size 8k|16k; Context: http, server, location Syntax: client_body_in_single_buffer on | off; Default: client_body_in_single_buffer off; Context: http, server, location
|
接收包体所分配的内存
最大包体长度限制
1 2 3
| Syntax: client_max_body_size size; Default: client_max_body_size 1m; Context: http, server, location
|
仅对请求头部中含有Content-Length有效 , 超出最大长度后, 返回413
临时文件路径
1 2 3 4 5 6
| Syntax: client_body_temp_path path [level1 [level2 [level3]]]; Default: client_body_temp_path client_body_temp; Context: http, server, location Syntax: client_body_in_file_only on | clean | off; Default: client_body_in_file_only off; Context: http, server, location
|
读取包体超时
1 2 3
| Syntax: client_body_timeout time; Default: client_body_timeout 60s; Context: http, server, location
|
读取包体超时, 返回408
向上游服务建立连接
1 2 3
| Syntax: proxy_connect_timeout time; Default: proxy_connect_timeout 60s; Context: http, server, location
|
响应超时则返回502
如果超时则再选择一个上游服务器
1 2 3
| Syntax: proxy_next_upstream http_502 | ..; Default: proxy_next_upstream error timeout; Context: http, server, location
|
上游连接启用tcp keepalive
1 2 3
| Syntax: proxy_socket_keepalive on | off; Default: proxy_socket_keepalive off; Context: http, server, location
|
上游启用http keepalive
1 2 3 4 5 6 7
| Syntax: keepalive connections; Default: — Context: upstream
Syntax: keepalive_requests number; Default: keepalive_requests 100; Context: upstream
|
接收上游响应
向上游发送http响应
1 2 3
| Syntax: proxy_send_timeout time; Default: proxy_send_timeout 60s; Context: http, server, location
|
接收上游响应头部
1 2 3
| Syntax: proxy_buffer_size size; Default: proxy_buffer_size 4k|8k; Context: http, server, location
|
接收上游响应包体
1 2 3
| Syntax: proxy_buffers number size; Default: proxy_buffers 8 4k|8k; Context: http, server, location
|
1 2 3 4 5 6 7 8 9 10 11 12
| Syntax: proxy_buffering on | off; Default: proxy_buffering on; Context: http, server, location Syntax: proxy_max_temp_file_size size; Default: proxy_max_temp_file_size 1024m; Context: http, server, location Syntax: proxy_temp_file_write_size size; Default: proxy_temp_file_write_size 8k|16k; Context: http, server, location Syntax: proxy_temp_path path [level1 [level2 [level3]]]; Default: proxy_temp_path proxy_temp; Context: http, server, location
|
及时转发包体
1 2 3
| Syntax: proxy_busy_buffers_size size; Default: proxy_busy_buffers_size 8k|16k; Context: http, server, location
|
接收上游时网络速度
1 2 3 4 5 6
| Syntax: proxy_read_timeout time; Default: proxy_read_timeout 60s; Context: http, server, location Syntax: proxy_limit_rate rate; Default: proxy_limit_rate 0; Context: http, server, location
|
上游包体持久化
1 2 3 4 5 6
| Syntax: proxy_store_access users:permissions ...; Default: proxy_store_access user:rw; Context: http, server, location Syntax: proxy_store on | off | string; Default: proxy_store off; Context: http, server, location
|
禁用上游响应头部
1 2 3
| Syntax: proxy_ignore_headers field ...; Default: — Context: http, server, location
|
可以禁用的的头部功能:
- X-Accel-Redirect: 上游指定在nginx内部重定向
- X-Accel-Limit-Rate: 上游设置发往客户端的速度限制 , 等同limit_rate指令
- X-Accel-Buffering : 由上游控制是否控制缓存上游响应
- X-Accel-Charset 由上游控制Content-Type中的charset
- X-Accel-Expires , Expires,Cache-Control 控制nginx缓存时间 , 优先级由高到低
- Set-Cookie 出现Set-Cookie则不缓存, 通过proxy_ignore_headers禁止生效
- Vary
转发上游响应
对于某些上游响应的头部, 设置不向客户端转发
1 2 3
| Syntax: proxy_hide_header field; Default: — Context: http, server, location
|
proxy_hide_header默认不转发的有:Date,server,X-Pad , X-Accel-
对于已经被proxy_hide_header的头部, 设置向上游转发 , 则用
1 2 3
| Syntax: proxy_pass_header field; Default: — Context: http, server, location
|
修改返回的set-cookie头部
1 2 3 4 5 6 7 8 9 10 11
| Syntax: proxy_cookie_domain off; proxy_cookie_domain domain replacement; Default: proxy_cookie_domain off; Context: http, server, location
Syntax: proxy_cookie_path off; proxy_cookie_path path replacement; Default: proxy_cookie_path off; Context: http, server, location
|
修改返回的location头部
1 2 3 4 5 6
| Syntax: proxy_redirect default; proxy_redirect off; proxy_redirect redirect replacement; Default: proxy_redirect default; Context: http, server, location
|
上游返回失败时的处理方法
1 2 3 4 5
| Syntax: proxy_next_upstream error | timeout | invalid_header | http_500 | http_502 | http_503 | http_504 | http_403 | http_404 | http_429 | non_idempotent | off ...; Default: proxy_next_upstream error timeout; Context: http, server, location
|
限制proxy_next_upstream的次数和时间
1 2 3 4 5 6 7
| Syntax: proxy_next_upstream_timeout time; Default: proxy_next_upstream_timeout 0; Context: http, server, location
Syntax: proxy_next_upstream_tries number; Default: proxy_next_upstream_tries 0; Context: http, server, location
|
用error_page拦截上游失败响应
当上游响应的响应码大于300的时候, 应将响应返回客户端还是按error_page指令处理
1 2 3
| Syntax: proxy_intercept_errors on | off; Default: proxy_intercept_errors off; Context: http, server, location
|
ssl证书认证
作为上游自己使用的证书
1 2 3 4 5 6 7
| Syntax: ssl_certificate file; Default: — Context: http, server
Syntax: ssl_certificate_key file; Default: — Context: http, server
|
做完上游验证下游证书
1 2 3 4 5 6
| Syntax: ssl_verify_client on | off | optional | optional_no_ca; Default: ssl_verify_client off; Context: http, server Syntax: ssl_client_certificate file; Default: — Context: http, server
|
作为代理自身使用的证书
1 2 3 4 5 6 7
| Syntax: proxy_ssl_certificate file; Default: — Context: http, server, location Syntax: proxy_ssl_certificate_key file; Default: — Context: http, server, location
|
作为代理验证上游的证书
1 2 3 4 5 6 7
| Syntax: proxy_ssl_trusted_certificate file; Default: — Context: http, server, location
Syntax: proxy_ssl_verify on | off; Default: proxy_ssl_verify off; Context: http, server, location
|
创建证书示例:
1 2 3 4 5 6 7 8 9 10 11
| openssl genrsa -out ca.key 2048 #创建根证书CA私钥 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt 创建根证书CA公钥
签发证书: openssl genrsa -out a.pem 1024 openssl rsa -in a.pem -out a.key
openssl req -new -key a.pem -out a.csr #生成签发请求 openssl x509 -req -sha256 -in a.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out a.crt #用CA证书进行签发
openssl verify -CAfile ca.crt a.crt #验证签发是否正确
|