Nginx Reverse Proxy
1. Install Nginx
For Ubuntu/Debian systems:
sudo apt update
sudo apt install nginx
For CentOS systems:
sudo yum install epel-release
sudo yum install nginx
2. Configure the Nginx reverse proxy
Edit the Nginx configuration file.
sudo nano /etc/nginx/nginx.conf
3. Configuration
1. Configure HTTP
...
http { # add the following server block inside the http block
server {
listen 80;
server_name your_server_ip_or_domain; # a domain name must resolve (DNS) before it can be used
location / {
proxy_pass http://backend_ip_or_domain:port; # the port can be omitted if it is 80; a domain name must resolve before it can be used
}
}
...
}
2. Configure HTTPS
1. Request a certificate
# On Ubuntu
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx
sudo certbot --nginx -d your_domain
# On CentOS
yum update -y
yum install nginx -y
# Request the certificate
sudo yum install -y epel-release
sudo yum install -y certbot certbot-nginx python3-certbot-nginx
sudo certbot --nginx -d xiaoyusay.com -d www.xiaoyusay.com # enter your e-mail address when prompted
2. Configure nginx
sudo nano /etc/nginx/nginx.conf
...
http { # add the following server block inside the http block
server {
listen 443 ssl;
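server_name your_domain; # a domain that already resolves and has a certificate installed; separate multiple domains with spaces
ssl_certificate /etc/nginx/cert/cert.pem; # path to the certificate file
ssl_certificate_key /etc/nginx/cert/private.key; # path to the private key file
ssl_session_timeout 5m; # how long cached sessions stay valid
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # cipher suites
ssl_protocols TLSv1.2 TLSv1.3; # TLS versions allowed for secure connections (TLSv1 and TLSv1.1 are deprecated and left out)
ssl_prefer_server_ciphers on; # prefer the server's cipher order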
location / {
root html;
index index.html index.htm;
proxy_pass https://xiaoyusay.com; # URL of the site to proxy; replace https://xiaoyusay.com with the site you want to proxy
}
}
...
}
4. Check the configuration
Check that the configuration file is correct:
sudo nginx -t
If the configuration file has no errors, you will see the following message:
nginx: configuration file /etc/nginx/nginx.conf test is successful
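
`nginx -t` checks syntax and that referenced files can be opened; it does not judge the TLS settings themselves. The Python script below is an added example (not part of the original page or of Nginx) that flags, for each TLS server block, deprecated versions in ssl_protocols, an https:// proxy_pass without proxy_ssl_verify on (Nginx does not verify the upstream certificate unless it is enabled), and a missing Strict-Transport-Security header. The sample configuration and the example.test names are constructed.

```python
import re
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def server_blocks(text):
    """Yield the body of each 'server { ... }' block, found by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def directives(body, name):
    """Argument strings of every 'name ...;' directive in body."""
    pattern = r"(?:^|[;{}\s])" + re.escape(name) + r"\s+([^;]*);"
    return [arg.strip() for arg in re.findall(pattern, body)]

def audit(conf_text):
    """Return findings for TLS server blocks; assumes no '#' inside quoted values."""
    text = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    findings = []
    for body in server_blocks(text):
        if not any("ssl" in arg.split() for arg in directives(body, "listen")):
            continue  # plain-HTTP block, nothing TLS-related to check
        name = " ".join(directives(body, "server_name")) or "(unnamed)"
        enabled = {p for arg in directives(body, "ssl_protocols") for p in arg.split()}
        weak = sorted(enabled & DEPRECATED)
        if weak:
            findings.append(f"{name}: deprecated protocols {' '.join(weak)}")
        to_https = any(a.startswith("https://") for a in directives(body, "proxy_pass"))
        if to_https and "on" not in directives(body, "proxy_ssl_verify"):
            findings.append(f"{name}: HTTPS upstream without proxy_ssl_verify on")
        if not any("Strict-Transport-Security" in a for a in directives(body, "add_header")):
            findings.append(f"{name}: no Strict-Transport-Security header")
    return findings

# Constructed sample config (example.test names are placeholders, not from the page).
SAMPLE = """
server { listen 80; server_name weak.example.test; return 301 https://$host$request_uri; }
server {
    listen 443 ssl;
    server_name weak.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy versions still enabled
    location / { proxy_pass https://backend.example.test; }
}
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A block with no ssl_protocols line is not flagged, because the protocols Nginx enables by default depend on its version.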
5. Reload Nginx
sudo systemctl reload nginx
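6. Verify the configuration
Open a browser and visit the domain or IP configured for this server; you should see this site's page.
7. Complete general-purpose configuration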
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
server_name xiaoyusay.com; # replace with your domain
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name xiaoyusay.com; # replace with your domain
ssl_certificate /etc/letsencrypt/live/xiaoyusay.com/fullchain.pem; # certificate chain (public)
ssl_certificate_key /etc/letsencrypt/live/xiaoyusay.com/privkey.pem; # private key
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
proxy_pass http://127.0.0.1:8080; # replace http://127.0.0.1:8080 with your backend's domain or IP and port
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}