Nginx 反向代理
- 2025-08-22 18:13:00
- 丁国栋
- 原创 175
这是一个非常典型和通用的 Nginx 代理配置:
# Reverse-proxy everything under / to the backend listening on 127.0.0.1:8080.
location / {
    proxy_pass http://127.0.0.1:8080;

    # Forward the client's request headers to the backend (nginx default,
    # stated explicitly here).
    proxy_pass_request_headers on;

    # Leave Location/Refresh headers in backend responses untouched.
    proxy_redirect off;

    # Host as requested by the client, so the backend can select the
    # right virtual host or service.
    proxy_set_header Host              $host;

    # Scheme (http/https) of the connection that reached this nginx.
    proxy_set_header X-Forwarded-Proto $scheme;

    # Address of the peer that connected to this nginx; replaces any
    # X-Real-IP value sent by the client.
    proxy_set_header X-Real-IP         $remote_addr;

    # The client-supplied X-Forwarded-For with $remote_addr appended.
    # Only the last element is written by this proxy; earlier elements
    # come from the request and must not be used for access decisions.
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
}
其中:
- Host 主机头是为了让后端服务能正确处理该请求,根据 Host 来判断应该路由给哪一个虚拟主机或者服务。
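- X-Real-IP 和 X-Forwarded-For 的目的是一样的,都是为了让后端服务获取真实的 IP 地址。需要注意:$proxy_add_x_forwarded_for 是在客户端请求自带的 X-Forwarded-For 之后追加 $remote_addr,因此该头中只有最后一个(由本级 Nginx 追加的)地址是可信的,前面的内容可以由客户端任意填写;后端做访问控制、限流或审计时,应使用 X-Real-IP,或只信任由受信代理追加的那一部分。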
- X-Forwarded-Proto 则是为了让后端服务识别到用户使用的协议,是 HTTPS 还是 HTTP。值得注意的是,目前市面上还有不少服务会根据这些请求头判断请求是否合法,例如 HTTP Referer 与 X-Forwarded-Proto 的协议以及 Host 如果不一致,就会中断请求或者拒绝服务,这在一定程度上可以抵御部分 CSRF 攻击(Cross-Site Request Forgery,“跨站请求伪造”)。
完整示例:
# Named backend group "jumpserver": a single server on the loopback
# interface, port 8080. Referenced by proxy_pass http://jumpserver.
upstream jumpserver {
    server 127.0.0.1:8080;
}
# Plain-HTTP listener: serves no content, only redirects to HTTPS.
server {
    server_name jms.thedf.cc;
    listen 80;

    # Permanent redirect that keeps the original path and query string.
    # The target host is a literal, not $host, so the request's Host
    # header has no influence on where the client is sent.
    return 301 https://jms.thedf.cc$request_uri;
}
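# HTTPS virtual host for jms.thedf.cc; terminates TLS and proxies every
# request to the "jumpserver" upstream group.
server {
    listen 443 ssl;
    server_name jms.thedf.cc;

    # Certificate chain and private key, read directly from acme.sh's
    # working directory under /root.
    # NOTE(review): acme.sh documents the ~/.acme.sh tree as internal and
    # recommends copying certificates out with --install-cert; consider a
    # dedicated path with restrictive permissions on the key file.
    ssl_certificate /root/.acme.sh/thedf.cc_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/thedf.cc_ecc/thedf.cc.key;

    charset utf-8;

    # Per-site logs, kept separate from the global access/error logs.
    access_log /var/log/nginx/access-jms.thedf.cc.log;
    error_log /var/log/nginx/error-jms.thedf.cc.log;

    location / {
        proxy_pass http://jumpserver;
        proxy_redirect off;

        # Identity of the original request, passed on to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Client-supplied X-Forwarded-For plus $remote_addr appended; only
        # the last element is written by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket pass-through. The Upgrade handshake is an HTTP/1.1
        # mechanism, so the upstream protocol version is set explicitly
        # instead of relying on the nginx default.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # 0 disables the request-body size check entirely.
        # NOTE(review): this leaves upload size unbounded at the proxy;
        # set the largest size the application really needs if possible.
        client_max_body_size 0;
        client_body_buffer_size 128k;

        # Connect/send/read timeouts towards the upstream, in seconds.
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;

        # Buffers for the upstream response.
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
    }
}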
Nginx + php-fpm 典型配置
## cat conf.d/php8.1-fpm.conf
# Upstream group for the PHP 8.1 FPM FastCGI server.
# It can be reached over a unix domain socket (active) or over TCP
# (commented-out alternative).
upstream php81-fpm {
    # Local unix socket.
    server unix:/run/php/php8.1-fpm.sock;

    # TCP alternative on the loopback interface.
    #server 127.0.0.1:9001;
}
## default.d/php8.1.conf
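# Pass PHP scripts to the FastCGI server.
#
# See conf.d/php8.1-fpm.conf for the socket configuration.
#
index index.php index.html index.htm;

# Matches URIs that name a .php/.phar file, optionally followed by extra
# path information (/script.php/extra/path).
location ~ \.(php|phar)(/.*)?$ {
    # Split the URI into the script name and the trailing path info.
    fastcgi_split_path_info ^(.+\.(?:php|phar))(/.*)$;

    # try_files resets $fastcgi_path_info, so keep a copy for PATH_INFO.
    set $path_info $fastcgi_path_info;

    # Only hand the request to PHP-FPM when the script nginx resolved is an
    # existing file under the document root; otherwise answer 404 here.
    # Depending on PHP's cgi.fix_pathinfo and php-fpm's
    # security.limit_extensions, PHP could otherwise fall back to a
    # different file than the one named in SCRIPT_FILENAME.
    try_files $fastcgi_script_name =404;

    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;

    # Do not let a client-sent "Proxy" request header reach PHP as the
    # HTTP_PROXY variable.
    fastcgi_param HTTP_PROXY "";

    # Restrict PHP file access to the listed directories.
    # NOTE(review): besides $document_root the list allows all of
    # /var/www/html/, /tmp/ and /proc/; drop the entries the application
    # does not need so sites under /var/www/html/ stay separated.
    fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/var/www/html/:/tmp/:/proc/";

    fastcgi_pass php81-fpm;

    # Let nginx handle FastCGI responses with status >= 300 via error_page.
    fastcgi_intercept_errors on;
    # Close the FastCGI connection when the client aborts.
    fastcgi_ignore_client_abort off;

    # Timeouts towards PHP-FPM, in seconds.
    fastcgi_connect_timeout 60;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;

    # Buffers for the FastCGI response.
    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 256k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
}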
## cat sites-enabled/myapp.thedf.cc.conf
# HTTPS virtual host for myapp.thedf.cc, served from /var/www/html/myapp/www
# with PHP handled by the php81-fpm upstream.
server {
    server_name myapp.thedf.cc;
    listen 443 ssl;

    # TLS certificate chain and private key.
    ssl_certificate_key /etc/certs/thedf.cc/privkey.pem;
    ssl_certificate /etc/certs/thedf.cc/fullchain.pem;

    # Document root and default index file.
    root /var/www/html/myapp/www;
    index index.php;

    # Front-controller fallback: serve the file or directory if it exists,
    # otherwise route the request to index.php with the original query.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Keep favicon requests out of the access and error logs.
    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    # Exact-match handler for /api.php; exact matches win over the regex
    # locations below.
    # NOTE(review): unlike the shared PHP location in default.d/php8.1.conf,
    # this block sets no open_basedir through PHP_ADMIN_VALUE - confirm that
    # api.php is meant to run without that restriction.
    location = /api.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index api.php;
        fastcgi_pass php81-fpm;
    }

    # Refuse access to .ht* files (.htaccess, .htpasswd). This regex location
    # is declared before the included PHP regex location, so it is tested
    # first.
    # NOTE(review): only names starting with ".ht" are covered; other hidden
    # files or directories under the root are not denied by this rule.
    location ~ /\.ht {
        deny all;
    }

    # Shared PHP handling (index directive and the .php/.phar location).
    include default.d/php8.1.conf;
}