Two important advantages of Nginx: reverse proxying and load balancing

Preface:

The following directory layout is used for Nginx in this guide:

  • Nginx configuration file

    Place the Nginx configuration file for your service in the directory /etc/nginx/sites-available/

    Then enable it by creating a soft link to it in /etc/nginx/sites-enabled/

  • SSL certificate

    Certificates issued by Let's Encrypt are stored under /etc/letsencrypt/

    The ssl_dhparam file is also kept under /etc/letsencrypt/

    You can create a folder under /etc to store certificates issued by other CAs

  • Static file deployment

    /mnt/var/www/<your-name>/<your-project-name>/

  • Project deployment

    /var/www/<your-name>/<your-project-name>

  • Nginx log

    /mnt/log/nginx/<your-project-name>/<env>/

1. Basic knowledge

In reverse proxy mode, a proxy server accepts connection requests from the Internet, forwards them to a server on the intranet, and returns the result obtained from that server to the Internet client. The proxy then acts as a reverse proxy server.

For example, if a user visits www.example.com/readme and there is no readme page on www.example.com, the page is transparently retrieved from another server and returned to the user as if it were the site's own content. The user is unaware of the process; to them it looks as if the readme page came directly from www.example.com. The server behind the domain name www.example.com simply has the reverse proxy function configured.

To the client, a reverse proxy server looks like the original server and requires no special setup on the client side. The client sends a normal request for content in the reverse proxy's namespace; the reverse proxy decides where to forward the request (the original server) and returns the content it obtains to the client as if it were its own. As shown below:

2. Practice

If you have several servers (numbered 1, 2, 3 and 4 below), you can expose only server 1 to the Internet: set it up as a reverse proxy that maps to servers 2, 3 and 4, and at the same time configure the firewall on servers 2, 3 and 4 so that they accept access only from server 1.

3. Configuration

The main nginx.conf file on the server:


#user nobody;
worker_processes  2;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile        on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout  65;
    #gzip on;

    include /etc/nginx/sites-enabled/*;
}

Nginx configuration template for the reverse proxy server:

  upstream monitor_server {
      server <server1-host>:<port>;
      server <server2-host>:<port>;   # requests are load balanced across these servers (round robin by default)
      # idle keepalive connections to the upstream servers kept open per worker;
      # only used when the location sets proxy_http_version 1.1 and clears the Connection header
      keepalive 2000;
  }

  server {
      listen 80;
      server_name hostname;

      # redirect all http to https
      return 301 https://$host$request_uri;
  }

  server {
      listen 443 ssl;
      server_name hostname;

      ssl_certificate /etc/letsencrypt/live/hostname/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/hostname/privkey.pem;
      # SSLv2/SSLv3 are not offered; TLSv1 and TLSv1.1 are deprecated as well (RFC 8996),
      # so drop them (and add TLSv1.3 on OpenSSL 1.1.1+) once your clients allow it
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

      # ciphers' order matters
      ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL";

      # the elliptic curve used for the ECDHE key exchange
      ssl_ecdh_curve secp384r1;

      # generate the Diffie-Hellman ephemeral parameters once on the command line:
      #   openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
      # let the server choose the cipher
      ssl_prefer_server_ciphers on;

      # turn on OCSP stapling and verify the stapled response;
      # nginx needs a resolver directive to reach the OCSP responder, and the CA chain
      # in ssl_trusted_certificate for the verification to succeed
      ssl_stapling on;
      ssl_stapling_verify on;

      # http compression is not safe over https:
      # it opens you up to vulnerabilities like BREACH and CRIME
      gzip off;

      # serve ACME http-01 challenges from disk instead of proxying them
      location ^~ /.well-known/acme-challenge/ {
          default_type "text/plain";
          root /mnt/var/www/<your-name>/hostname;
      }

      location / {
          proxy_redirect off;
          # HTTP/1.1 with an empty Connection header is required for upstream keepalive
          proxy_http_version 1.1;
          proxy_set_header Connection "";
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          # appends the client address to any X-Forwarded-For the client sent;
          # backends must therefore trust this header only when it arrives from this proxy
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_pass http://monitor_server;
      }

      access_log /mnt/log/nginx/hostname/access.log;
      error_log /mnt/log/nginx/hostname/error.log;
  }

Original server (backend) configuration template:

  server {
      listen <port>;
      server_name hostname;

      location / {
          root /var/www/<your-name>/<project name>;
          index index.html;
      }

      access_log /var/log/nginx/hostname/access.log;
      error_log /var/log/nginx/hostname/error.log;
  }
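Section 2 says servers 2, 3 and 4 should accept connections only from server 1, and the reverse proxy template forwards the client address in X-Real-IP and X-Forwarded-For. The backend site file below is an added example, not part of the original article: it enforces the first point inside Nginx as well (the host firewall stays in place), and it makes the backend recover the real client address without letting clients spoof it. The addresses 10.0.0.1 (the proxy, server 1) and 10.0.0.2 (this backend) are constructed placeholders on the internal network; the set_real_ip_from/real_ip_header directives need ngx_http_realip_module, which common distribution builds of nginx include, and $realip_remote_addr needs nginx 1.9.7 or later.

```nginx
# Backend site file for server 2/3/4, e.g. /etc/nginx/sites-available/<your-project-name>
# Added example. 10.0.0.1 = the reverse proxy (server 1), 10.0.0.2 = this backend
# (constructed placeholder addresses on the internal network).
server {
    # bind only the internal address the proxy reaches, not every interface
    listen 10.0.0.2:<port>;
    server_name hostname;

    # Application-layer allow-list in addition to the host firewall on this server.
    # Pitfall: allow/deny check $remote_addr, and the realip directives below rewrite
    # $remote_addr to the client address, so the check must use $realip_remote_addr,
    # the peer address actually seen on the TCP connection.
    if ($realip_remote_addr != 10.0.0.1) {
        return 403;
    }

    # Recover the real client address from X-Forwarded-For, trusting the header only on
    # connections from the proxy. The proxy appends $remote_addr via proxy_add_x_forwarded_for,
    # so with recursive lookup nginx skips trusted hops from the right and stops at the last
    # untrusted address: the real client, even if the client sent a forged X-Forwarded-For.
    set_real_ip_from 10.0.0.1;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    location / {
        root /var/www/<your-name>/<project name>;
        index index.html;
    }

    # the default log format uses $remote_addr, so it now records the client, not the proxy
    access_log /var/log/nginx/hostname/access.log;
    error_log /var/log/nginx/hostname/error.log;
}
```

The realip step matters for more than logging: any IP-based rate limiting or access control on the backend would otherwise see every request as coming from 10.0.0.1. Using X-Real-IP instead of X-Forwarded-For as real_ip_header also works here, since the proxy overwrites it on every request.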