📦 Nginx Study Notes (5): Configuring Backend Server Groups in Nginx
⚙️ 1. Anatomy of the upstream module
Core mechanism:
Nginx's upstream module defines a virtual pool of servers and distributes incoming requests across the backends with a load-balancing algorithm. This architecture provides three core capabilities:
- Failover: failed nodes are detected and bypassed automatically
- Horizontal scaling: capacity grows by adding backend servers
- Session persistence: requests from a given client are routed to the same backend
📌 2. Basic configuration syntax
```nginx
http {
    upstream backend {
        # Server list. max_fails and fail_timeout are per-server parameters,
        # not standalone directives, so they go on the server lines
        server 192.168.1.101:8080 weight=5 max_fails=3 fail_timeout=30s;
        server 192.168.1.102:8080 max_fails=3 fail_timeout=30s;
        server backup.example.com:8080 backup;   # used only when every primary is down
        # Load-balancing algorithm
        least_conn;
    }
    server {
        location / {
            proxy_pass http://backend;
        }
    }
}
```
⚖ 3. Load-balancing strategies in depth
Round robin
The default strategy: requests are handed to the servers in the order they appear in the configuration.
```nginx
upstream backend {
    server 192.168.1.101;
    server 192.168.1.102;
}
```
Weighted round robin
Weights are assigned according to each server's processing capacity.
```nginx
upstream backend {
    server 192.168.1.101 weight=3;   # handles 60% of requests
    server 192.168.1.102 weight=2;   # handles 40% of requests
}
```
IP hash
Session persistence keyed on the client IP address.
```nginx
upstream backend {
    ip_hash;
    server 192.168.1.101;
    server 192.168.1.102;
}
```
Least connections
Dynamically selects the server with the fewest active connections.
```nginx
upstream backend {
    least_conn;
    server 192.168.1.101;
    server 192.168.1.102;
}
```
Random
Picks a backend at random; server weights are honoured.
```nginx
upstream backend {
    random;
    server 192.168.1.101 weight=2;
    server 192.168.1.102 weight=1;
}
```
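To make the 60/40 split and the stickiness of ip_hash concrete, here is an added Python model of two of the schedulers above. It is not code from the notes or from Nginx; the assumption is that the arithmetic follows the open-source Nginx sources (smooth weighted round robin in ngx_http_upstream_round_robin.c, the 89/113/6271 hash over the first three IPv4 octets in ngx_http_upstream_ip_hash_module.c). Server names, weights and client addresses are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    weight: int = 1
    down: bool = False
    current_weight: int = 0      # scheduling state used by smooth WRR


class SmoothWeightedRoundRobin:
    """Model of Nginx's smooth weighted round robin (assumption: follows
    ngx_http_upstream_round_robin.c). With weights 3 and 2 it yields the
    interleaved sequence A B A B A rather than A A A B B."""

    def __init__(self, peers):
        self.peers = list(peers)

    def pick(self):
        total = 0
        best = None
        for p in self.peers:
            if p.down:
                continue                       # skipped like a failed server
            p.current_weight += p.weight
            total += p.weight
            if best is None or p.current_weight > best.current_weight:
                best = p
        if best is None:
            raise RuntimeError("no live upstream")
        best.current_weight -= total
        return best.name


def ip_hash_select(client_ip, peers, max_tries=20):
    """Model of Nginx ip_hash for IPv4 (assumption: follows
    ngx_http_upstream_ip_hash_module.c): only the first three octets are
    hashed, so a whole /24 sticks to one backend; weights are honoured and a
    down peer causes a re-hash, up to max_tries times."""
    octets = [int(o) for o in client_ip.split(".")][:3]
    total_weight = sum(p.weight for p in peers)
    h = 89
    for _ in range(max_tries):
        for o in octets:
            h = (h * 113 + o) % 6271
        w = h % total_weight
        chosen = peers[-1]
        for p in peers:                        # walk the weight ranges
            if w < p.weight:
                chosen = p
                break
            w -= p.weight
        if not chosen.down:
            return chosen.name
    # Nginx falls back to plain round robin after 20 tries; simplified here
    live = [p for p in peers if not p.down]
    if not live:
        raise RuntimeError("no live upstream")
    return live[0].name


def distribution(scheduler, n):
    """Count how many of n consecutive picks each backend receives."""
    return Counter(scheduler.pick() for _ in range(n))


if __name__ == "__main__":
    # constructed server list matching the weighted example above
    peers = [Peer("192.168.1.101", weight=3), Peer("192.168.1.102", weight=2)]
    wrr = SmoothWeightedRoundRobin(peers)
    print([wrr.pick() for _ in range(5)])      # interleaved A B A B A
    print(distribution(SmoothWeightedRoundRobin(peers), 100))
    print(ip_hash_select("203.0.113.7", peers), ip_hash_select("203.0.113.200", peers))
```

The down flag stands in for a server that has exhausted max_fails: weighted round robin simply leaves it out of the cycle, while ip_hash re-hashes, which is why a client's backend can change when its usual server is marked unavailable.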
🩺 4. Health checks and fault tolerance
```nginx
upstream backend {
    # Passive health checks (open-source Nginx): a server that fails
    # max_fails times within fail_timeout is skipped for fail_timeout
    server 192.168.1.101 max_fails=3 fail_timeout=30s;
    server 192.168.1.102 max_fails=2 fail_timeout=60s;
    # Backup servers: receive traffic only when every primary is unavailable
    server backup1.example.com:8080 backup;
    server backup2.example.com:8080 backup;
    zone backend 10m;   # shared memory zone, required for active health checks
}
server {
    location / {
        proxy_pass http://backend;
        # Active health checks (NGINX Plus only): health_check is a location
        # directive, not an upstream directive; there is no health_check_timeout
        health_check interval=5s fails=3 passes=2;
    }
}
```
Health-check parameters explained:
Parameter | Default | Description |
---|---|---|
max_fails | 1 | Failed attempts within fail_timeout after which the server is considered unavailable (0 disables the counting) |
fail_timeout | 10s | Window in which failures are counted, and how long the server is then considered unavailable |
slow_start | 0 | Time over which a recovered server's weight is ramped back up from zero (NGINX Plus only) |
backup | - | Marks the server as a backup, used only while the primary servers are unavailable |
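The interaction of max_fails and fail_timeout is easier to see when stepped through, so here is an added Python model of the passive check; it is not code from the notes or from Nginx. The assumption is that it mirrors the fails/accessed/checked bookkeeping of ngx_http_upstream_round_robin.c: after max_fails failures the server is skipped until fail_timeout has passed since its last failure, the next request then acts as a probe, and a successful probe clears the counter while a failed one disables the server again. The timeline of outcomes is constructed.

```python
from dataclasses import dataclass


@dataclass
class ServerHealth:
    """Per-server state kept for passive health checks (assumption: mirrors
    the fails/accessed/checked fields of ngx_http_upstream_round_robin.c)."""
    name: str
    max_fails: int = 1          # Nginx default
    fail_timeout: float = 10.0  # Nginx default, in seconds
    fails: int = 0              # failures not yet cleared by a successful probe
    accessed: float = 0.0       # time of the last failure
    checked: float = 0.0        # time the server was last tried after a quiet period

    def try_select(self, now):
        """Would Nginx send a request to this server at time `now`?
        A server with max_fails failures is skipped until fail_timeout has
        passed since its last failure; max_fails=0 disables the check."""
        if (self.max_fails and self.fails >= self.max_fails
                and now - self.checked <= self.fail_timeout):
            return False
        if now - self.checked > self.fail_timeout:
            self.checked = now      # this request is a probe of the server
        return True

    def report(self, now, success):
        """Record the outcome of a request that was sent to this server."""
        if not success:
            self.fails += 1
            self.accessed = now
            self.checked = now
        elif self.accessed < self.checked:
            self.fails = 0          # a probe after fail_timeout succeeded


def simulate(server, events):
    """events: (time_seconds, 'ok' | 'fail') pairs describing what the backend
    would answer if asked. Returns (time, outcome) pairs, with 'skipped' where
    Nginx would not have sent the request at all."""
    log = []
    for t, outcome in events:
        if not server.try_select(t):
            log.append((t, "skipped"))
            continue
        server.report(t, outcome == "ok")
        log.append((t, outcome))
    return log


if __name__ == "__main__":
    # constructed timeline: three quick failures, then the backend recovers
    srv = ServerHealth("192.168.1.101", max_fails=3, fail_timeout=30)
    for entry in simulate(srv, [(0, "fail"), (1, "fail"), (2, "fail"),
                                (10, "ok"), (20, "ok"), (33, "ok"), (34, "ok")]):
        print(entry)
```

Note that the requests at t=10 and t=20 are never sent even though the backend would have answered them: once disabled, a server gets no traffic for the full fail_timeout, and a single failed probe at t=33 would have disabled it for another 30 seconds.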
🔗 5. Connection tuning parameters
```nginx
upstream backend {
    server 192.168.1.101;
    # Connection pool (keepalive_requests/keepalive_timeout in upstream need Nginx 1.15.3+)
    keepalive 32;                 # idle keepalive connections cached per worker process
    keepalive_requests 1000;      # max requests served over one keepalive connection
    keepalive_timeout 60s;        # idle connection timeout
}
server {
    location / {
        proxy_pass http://backend;
        # Required for keepalive to the backend: HTTP/1.1 and no "Connection: close"
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Timeouts are http/server/location directives, not upstream directives
        proxy_connect_timeout 3s;     # timeout for establishing the backend connection
        proxy_read_timeout 30s;       # timeout between two reads of the response
        proxy_send_timeout 30s;       # timeout between two writes of the request
    }
}
```
🧩 6. Configuration examples for common scenarios
Multiple protocols
```nginx
# TCP and UDP load balancing live in the stream context (one stream block per configuration)
stream {
    # TCP: MySQL
    upstream tcp_backend {
        server 192.168.1.101:3306;
        server 192.168.1.102:3306;
    }
    server {
        listen 3306;
        proxy_pass tcp_backend;
    }
    # UDP: DNS
    upstream dns_servers {
        server 192.168.1.201:53;
        server 192.168.1.202:53;
    }
    server {
        listen 53 udp;
        proxy_pass dns_servers;
    }
}
```
Multi-region deployment
```nginx
upstream global_backend {
    # North America
    server us-east1.example.com;
    server us-west1.example.com;
    # Europe
    server eu-central1.example.com;
    # Failover
    server backup.example.com backup;
}
```
Canary release
```nginx
upstream backend {
    # Stable version (90% of traffic)
    server 192.168.1.101 weight=90;
    # Canary version (10% of traffic)
    server 192.168.1.102 weight=10;
}
```
Session persistence
```nginx
# Cookie-based persistence (sticky is NGINX Plus only)
upstream backend {
    sticky cookie srv_id expires=1h domain=.example.com path=/;
    server 192.168.1.101;
    server 192.168.1.102;
}
# Route-based persistence with a consistent hash (open-source Nginx).
# The second group needs its own name: two upstreams cannot both be called "backend"
map $request_uri $persist_key {
    ~/user/([^/]+) $1;
    default $remote_addr;
}
upstream backend_hash {
    hash $persist_key consistent;
    server 192.168.1.101;
    server 192.168.1.102;
}
```
🛡 7. Security hardening configuration
```nginx
# Access control and TLS settings are http/server/location directives;
# they are not valid inside an upstream block
upstream backend {
    # With proxy_pass https:// every member must speak TLS
    server 192.168.1.101:443;
    server 192.168.1.102:443;
    zone backend 10m;              # shared memory zone, also required by queue
    # Queue requests when all servers have hit max_conns (NGINX Plus only)
    queue 100 timeout=60s;
}
server {
    location / {
        # Access control: rules are checked in order, first match wins
        deny 192.168.1.50;         # block a specific IP
        allow 10.0.0.0/8;          # allow the internal network
        deny all;                  # refuse everyone else
        # End-to-end TLS: encrypt the hop to the backend and verify its certificate
        proxy_pass https://backend;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/backend-ca.crt;   # placeholder path
        proxy_ssl_server_name on;
        proxy_ssl_name backend.internal;                                # placeholder: name on the backend certificate
        # Client certificate presented to the backend (mutual TLS)
        proxy_ssl_certificate /etc/nginx/ssl/server.crt;
        proxy_ssl_certificate_key /etc/nginx/ssl/server.key;
    }
}
```
📊 8. Monitoring and logging
```nginx
http {
    # Custom log format (log_format is an http-context directive)
    log_format upstream_log '$remote_addr - $upstream_addr '
                            '$upstream_status $upstream_response_time '
                            '"$request" $status $body_bytes_sent';
    # Shared dictionary for the /metrics endpoint (OpenResty / lua-nginx-module only)
    lua_shared_dict metrics 1m;
    server {
        access_log /var/log/nginx/upstream.log upstream_log;   # placeholder path
        # Status page: stub_status reports worker-level counters, not per-upstream state
        location /upstream_status {
            stub_status;
            allow 127.0.0.1;
            deny all;
            access_log off;
        }
        # Prometheus-style endpoint (requires OpenResty / lua-nginx-module)
        location /metrics {
            content_by_lua_block {
                local metric_connections = ngx.shared.metrics:get("connections") or 0
                ngx.say("nginx_upstream_connections ", metric_connections)
            }
        }
    }
}
```
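The upstream_log format above is only useful once something reads it, so here is an added Python parser with a per-backend summary (request count, 5xx rate, p95 response time) and a simple unhealthy-backend check. It is not code from the notes. It deliberately handles the case the format makes awkward: when proxy_next_upstream retries a request, $upstream_addr, $upstream_status and $upstream_response_time each become a comma-separated list of equal length, and a request that never reached an upstream logs "-". The log lines are constructed samples.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in the upstream_log format from the configuration above.
# Line 3 shows a retry (502 on .102, then 200 on .101); line 5 never hit an upstream.
SAMPLE_LOG = """\
203.0.113.10 - 192.168.1.101:8080 200 0.045 "GET /api/users HTTP/1.1" 200 512
203.0.113.11 - 192.168.1.102:8080 502 0.001 "GET /api/orders HTTP/1.1" 502 157
203.0.113.12 - 192.168.1.102:8080, 192.168.1.101:8080 502, 200 0.002, 0.210 "POST /api/orders HTTP/1.1" 200 88
203.0.113.13 - 192.168.1.101:8080 200 0.051 "GET /api/users HTTP/1.1" 200 512
203.0.113.14 - - - - "GET /static/app.js HTTP/1.1" 304 0
"""

# remote_addr, then the three upstream fields, then the quoted request, status, bytes
LINE_RE = re.compile(r'^(\S+) - (.*) "([^"]*)" (\d{3}) (\d+)$')


def _split_lists(text):
    """'a, b 502, 200 0.1, 0.2' -> [['a', 'b'], ['502', '200'], ['0.1', '0.2']]
    A trailing comma means the next token belongs to the same list."""
    lists, current = [], []
    for tok in text.split(" "):
        if tok.endswith(","):
            current.append(tok[:-1])
        else:
            current.append(tok)
            lists.append(current)
            current = []
    return lists


def parse_line(line):
    """Return a dict with one entry per upstream attempt, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    remote, upstream_part, request, status, body_bytes = m.groups()
    lists = _split_lists(upstream_part)
    if len(lists) != 3 or len({len(lst) for lst in lists}) != 1:
        return None
    addrs, ustatus, utimes = lists
    attempts = [
        {"addr": a, "status": s, "time": float(t) if t != "-" else None}
        for a, s, t in zip(addrs, ustatus, utimes) if a != "-"
    ]
    return {"remote": remote, "request": request, "status": int(status),
            "bytes": int(body_bytes), "attempts": attempts}


def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(log_text):
    """Per-backend statistics; every attempt counts, so a retried request
    contributes to both the failing and the succeeding backend."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "times": []})
    retried = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["attempts"]:
            continue
        if len(rec["attempts"]) > 1:
            retried += 1
        for att in rec["attempts"]:
            st = stats[att["addr"]]
            st["requests"] += 1
            if att["status"].startswith("5"):
                st["errors"] += 1
            if att["time"] is not None:
                st["times"].append(att["time"])
    summary = {}
    for addr, st in stats.items():
        summary[addr] = {
            "requests": st["requests"],
            "errors": st["errors"],
            "error_rate": st["errors"] / st["requests"],
            "p95": percentile(st["times"], 95) if st["times"] else None,
        }
    return summary, retried


def unhealthy(summary, max_error_rate=0.5):
    """Backends whose 5xx share reaches the threshold, sorted by address."""
    return sorted(a for a, s in summary.items() if s["error_rate"] >= max_error_rate)


if __name__ == "__main__":
    summary, retried = summarize(SAMPLE_LOG)
    for addr, s in sorted(summary.items()):
        print(addr, s)
    print("retried requests:", retried, "unhealthy:", unhealthy(summary))
```

Counting attempts rather than requests is deliberate: a retried request that ends in 200 hides the failing backend in the client-facing $status, and only the per-attempt $upstream_status reveals it.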
⚠ 9. Common pitfalls and solutions
502 Bad Gateway errors
```nginx
# Fix: tune the timeouts and retry behaviour (http/server/location context)
proxy_connect_timeout 5s;
proxy_read_timeout 60s;
proxy_next_upstream_timeout 0;   # 0 = no overall time limit on retries
proxy_next_upstream_tries 3;     # try at most three servers per request
```
Backend overload
```nginx
# Fix: add rate limiting (limit_req_zone in http context). The zone name must not
# collide with the upstream zone "backend" from section 7, so it is named req_per_ip here
limit_req_zone $binary_remote_addr zone=req_per_ip:10m rate=10r/s;
location / {
    limit_req zone=req_per_ip burst=20;   # queue up to 20 excess requests, reject beyond that
    proxy_pass http://backend;
}
```
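What rate=10r/s with burst=20 actually does to a burst of requests is not obvious from the two directives, so here is an added Python model of the leaky-bucket check behind limit_req; it is not code from the notes or from Nginx. The assumption is that the arithmetic mirrors the open-source ngx_http_limit_req_module (the bucket level, "excess", is tracked in thousandths of a request, a request is rejected when it would push the level above burst, and without nodelay an accepted request is delayed in proportion to the level). The request timeline is constructed.

```python
class LimitReq:
    """Leaky-bucket model of one limit_req key (assumption: mirrors
    ngx_http_limit_req_module, with rate and burst scaled by 1000)."""

    def __init__(self, rate_per_sec, burst=0, nodelay=False):
        self.rate = rate_per_sec * 1000      # requests per second, x1000
        self.burst = burst * 1000            # allowed excess, x1000
        self.nodelay = nodelay
        self.excess = 0                      # current bucket level, x1000
        self.last_ms = None                  # time of the last accounted request

    def check(self, now_ms):
        """Return ('accept', delay_ms) or ('reject', None) for a request at now_ms."""
        if self.last_ms is None:             # first request for this key: no excess yet
            self.last_ms = now_ms
            return ("accept", 0)
        elapsed = now_ms - self.last_ms
        # drain the bucket for the time elapsed, then add this request
        excess = self.excess - self.rate * elapsed // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst:
            return ("reject", None)          # 503 by default (limit_req_status); level unchanged
        self.excess = excess
        if elapsed:
            self.last_ms = now_ms
        # without nodelay the request waits until the bucket has drained enough
        delay = 0 if self.nodelay or excess == 0 else excess * 1000 // self.rate
        return ("accept", delay)


def simulate(limiter, times_ms):
    """Feed a list of request timestamps (ms) through the limiter.
    Returns (accepted, rejected, per-request results)."""
    results = [limiter.check(t) for t in times_ms]
    accepted = sum(1 for r in results if r[0] == "accept")
    return accepted, len(results) - accepted, results


if __name__ == "__main__":
    # constructed burst: 30 requests from one client in the same millisecond
    accepted, rejected, results = simulate(LimitReq(10, burst=20), [0] * 30)
    print("accepted", accepted, "rejected", rejected)
    print("delay of the last accepted request (ms):", results[accepted - 1][1])
```

With rate=10r/s and burst=20 an instantaneous burst gets 21 requests through (the first plus the 20 of burst) and the rest are rejected; the 21st is delayed by 2 seconds, which is what burst without nodelay means. With burst=0 the second request of an instantaneous pair is already rejected.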
Session inconsistency
```nginx
# Fix: enable session persistence. sticky route is NGINX Plus only and needs a
# route= name on each server; the variable must resolve to one of those names
map $request_uri $route_uri {
    ~route=(?<route>\w+) $route;   # e.g. /cart?route=a
}
upstream backend {
    sticky route $route_uri;
    server 192.168.1.101 route=a;
    server 192.168.1.102 route=b;
}
# Open-source Nginx alternative: replace sticky with "ip_hash;" or "hash $request_uri consistent;"
```
🧪 10. Load-testing approach
```bash
# Load test with wrk (post.lua is a wrk script supplying the POST body; not shown here)
wrk -t12 -c400 -d30s -s post.lua http://backend.example.com/api
# Watch the status page from section 8 while the test runs
# ("show pools" over a stats socket is HAProxy syntax and does not apply to Nginx)
watch -n 1 "curl -s http://127.0.0.1/upstream_status"
```
Performance tuning parameters:
```nginx
events {
    worker_connections 10240;   # max simultaneous connections per worker process
}
http {
    # Socket options
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Connection reuse to upstreams (pairs with keepalive in the upstream block)
    proxy_http_version 1.1;
    proxy_set_header Connection "";
}
```
🔍 Configuration validation and debugging
```nginx
http {
    # Log which backend answered and how long it took (log_format is an http-context directive)
    log_format debug_log '$upstream_addr $upstream_response_time $upstream_status';
    server {
        # Pass the client address through to the backend
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Debug endpoint: expose the chosen backend in response headers.
        # Keep it restricted (allow/deny as on the status page): it reveals internal addresses
        location /backend_debug {
            proxy_pass http://backend;
            add_header X-Backend-Addr $upstream_addr;
            add_header X-Backend-Response-Time $upstream_response_time;
            access_log /var/log/nginx/backend_debug.log debug_log;
        }
    }
}
```