返回 Skill 列表
extension
分类: 开发与工程无需 API Key

nginx-proxy

配置Nginx和Nginx代理管理器以实现反向代理、负载均衡、SSL/TLS终止、缓存及网页服务。在设置Web服务器、反向代理、SSL证书或负载均衡器时使用。包括Nginx代理管理器GUI、Traefik替代模式以及安全强化。(项目)

person作者: jakexiaohubgithub

Nginx Proxy Manager

Expert guidance for Nginx web server and reverse proxy configuration.

When to Use This Skill

  • Setting up reverse proxy for web services
  • Configuring SSL/TLS certificates (Let's Encrypt)
  • Load balancing across multiple backends
  • Web server configuration
  • Caching and performance optimization
  • Security hardening
  • Nginx Proxy Manager (NPM) GUI setup

Nginx Installation

# Debian/Ubuntu
sudo apt update && sudo apt install nginx

# CentOS/RHEL
sudo yum install nginx

# Docker
docker run -d -p 80:80 -p 443:443 \
  -v /etc/nginx:/etc/nginx:ro \
  -v /var/log/nginx:/var/log/nginx \
  nginx:alpine

Basic Configuration

Main Config Structure

# /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
    multi_accept on;
}

http {
    # Basic settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # MIME types
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Gzip compression
    gzip on;
    gzip_types text/plain text/css application/json application/javascript;

    # Include virtual hosts
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

Simple Web Server

# /etc/nginx/sites-available/mysite.conf
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    root /var/www/mysite;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}

Reverse Proxy Configuration

Basic Reverse Proxy

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

WebSocket Support

server {
    listen 80;
    server_name ws.example.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 86400;
    }
}

Multiple Backends (Path-Based)

server {
    listen 80;
    server_name api.example.com;

    location /api/v1 {
        proxy_pass http://localhost:3001;
        proxy_set_header Host $host;
    }

    location /api/v2 {
        proxy_pass http://localhost:3002;
        proxy_set_header Host $host;
    }

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
    }
}

SSL/TLS Configuration

Let's Encrypt with Certbot

# Install Certbot
sudo apt install certbot python3-certbot-nginx

# Obtain certificate
sudo certbot --nginx -d example.com -d www.example.com

# Auto-renewal (usually set up automatically)
sudo certbot renew --dry-run

SSL Configuration

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    # SSL certificates
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# HTTP to HTTPS redirect
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

Load Balancing

upstream backend {
    # Round-robin (default)
    server 192.168.1.10:3000;
    server 192.168.1.11:3000;
    server 192.168.1.12:3000;

    # Weighted
    server 192.168.1.10:3000 weight=3;
    server 192.168.1.11:3000 weight=2;
    server 192.168.1.12:3000 weight=1;

    # Least connections
    least_conn;

    # IP hash (session persistence)
    ip_hash;

    # Health checks
    server 192.168.1.10:3000 max_fails=3 fail_timeout=30s;

    # Backup server
    server 192.168.1.99:3000 backup;
}

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
    }
}

Caching

# Define cache zone
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m
                 max_size=1g inactive=60m use_temp_path=off;

server {
    listen 80;
    server_name example.com;

    location / {
        proxy_cache my_cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_revalidate on;
        proxy_cache_lock on;

        # Cache key
        proxy_cache_key $scheme$proxy_host$uri$is_args$args;

        # Add cache status header
        add_header X-Cache-Status $upstream_cache_status;

        proxy_pass http://localhost:3000;
    }

    # Skip cache for certain paths
    location /api {
        proxy_cache off;
        proxy_pass http://localhost:3000;
    }
}

Nginx Proxy Manager (Docker)

# docker-compose.yml
services:
  npm:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '443:443'
      - '81:81'  # Admin UI
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    environment:
      DISABLE_IPV6: 'true'
# Start NPM
docker-compose up -d

# Access admin UI: http://localhost:81
# Default login: admin@example.com / changeme

NPM Features

  • GUI-based proxy host management
  • Automatic Let's Encrypt certificates
  • Access lists and authentication
  • Custom Nginx configurations
  • Redirection rules
  • 404 hosts
  • Streams (TCP/UDP proxying)

Security Hardening

# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self';" always;

# Hide Nginx version
server_tokens off;

# Limit request size
client_max_body_size 10m;

# Rate limiting
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

server {
    location /api {
        limit_req zone=one burst=20 nodelay;
        proxy_pass http://localhost:3000;
    }
}

# Block bad bots
map $http_user_agent $bad_bot {
    default 0;
    ~*malicious 1;
    ~*scanner 1;
}

server {
    if ($bad_bot) {
        return 403;
    }
}

# IP whitelist/blacklist
allow 192.168.1.0/24;
deny all;

Common Configurations

PHP-FPM

server {
    listen 80;
    server_name php.example.com;
    root /var/www/html;
    index index.php index.html;

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Static File Serving with Cache

location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 30d;
    add_header Cache-Control "public, immutable";
}

Basic Authentication

# Create password file
sudo apt install apache2-utils
htpasswd -c /etc/nginx/.htpasswd user1
location /admin {
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://localhost:3000;
}

Troubleshooting

# Test configuration
sudo nginx -t

# Reload configuration
sudo nginx -s reload
sudo systemctl reload nginx

# View logs
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log

# Debug upstream
curl -I -H "Host: example.com" http://localhost

# Check listening ports
ss -tlnp | grep nginx

# Real-time monitoring
ngxtop

Performance Tuning

# Worker processes (set to CPU cores)
worker_processes auto;

# Worker connections
events {
    worker_connections 4096;
    use epoll;  # Linux
    multi_accept on;
}

# Buffer sizes
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;

# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;

# Keepalive to upstream
upstream backend {
    server localhost:3000;
    keepalive 32;
}