本文详细介绍如何使用 Nginx 配置 HTTPS 反向代理,支持 WebSocket 长连接,并提供生产环境的最佳实践配置。
推荐使用 Let's Encrypt 免费证书,通过 Certbot 自动化管理:
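# Install Certbot and its nginx plugin
sudo apt update && sudo apt install certbot python3-certbot-nginx
# Obtain a certificate (the nginx plugin edits the server block for the domain and reloads nginx)
sudo certbot --nginx -d yourdomain.com
# Rehearse renewal end-to-end before relying on it; no certificate is issued by --dry-run
sudo certbot renew --dry-run
# Automatic renewal. The Debian/Ubuntu certbot package ships a systemd timer (certbot.timer);
# if it is active, skip the cron entry below so renewals do not run twice.
systemctl list-timers certbot.timer
sudo crontab -e
# Add: 0 12 * * * /usr/bin/certbot renew --quiet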
server {
# Plain-HTTP listener: it only redirects to HTTPS and never serves content
listen 80;
server_name yourdomain.com;
# $server_name (the configured name) is used instead of $host (the client-supplied
# Host header): if this block ever acts as the default server, $host would let a
# client pick the redirect target.
return 301 https://$server_name$request_uri;
}
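server {
    # `listen 443 ssl http2;` is kept for compatibility with nginx < 1.25.1;
    # newer releases prefer `listen 443 ssl;` plus `http2 on;`.
    listen 443 ssl http2;
    server_name yourdomain.com;

    # Certificate and key managed by Certbot (see the Certbot section above)
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # TLS settings
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites only; TLS 1.3 suites are not governed by ssl_ciphers.
    # Both RSA and ECDSA variants are listed because recent Certbot releases
    # (2.0+) issue ECDSA certificates by default: with an ECDSA certificate an
    # RSA-only list leaves TLS 1.2 clients with no usable suite.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets are protected by a key nginx generates at start-up and does
    # not rotate by default, which weakens forward secrecy for the lifetime of the
    # process; the shared session cache above still provides resumption.
    ssl_session_tickets off;

    # Security headers. NOTE: add_header is not inherited into a location that
    # declares its own add_header (e.g. a Cache-Control header for static files);
    # such locations must repeat these three lines.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    # Reverse proxy to the backend application
    location / {
        proxy_pass http://127.0.0.1:8080;
        # Forward the original host and client address. The backend should trust
        # X-Forwarded-* only because this proxy overwrites them here.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}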
WebSocket 需要特殊的代理配置来支持协议升级:
# WebSocket proxy configuration (placed inside the HTTPS server block)
location /ws {
# NOTE: nothing here checks the Origin header; nginx forwards it unchanged, so the
# backend must validate it to prevent cross-site WebSocket hijacking.
proxy_pass http://127.0.0.1:8080;
# The Upgrade mechanism requires HTTP/1.1; nginx talks HTTP/1.0 to upstreams by default
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# A hard-coded "upgrade" is fine while /ws carries only WebSocket traffic; if plain
# HTTP requests also land here, the usual approach is a `map $http_upgrade
# $connection_upgrade` in the http context so non-upgrade requests send "close".
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Long-lived connection timeouts: the send/read timeouts apply between two
# successive operations, so nginx drops a tunnel idle for 3600s; the application
# should send ping/pong frames within that window.
proxy_connect_timeout 60s;
proxy_send_timeout 3600s;
proxy_read_timeout 3600s;
# No buffering or caching: frames must be forwarded as they arrive
proxy_buffering off;
proxy_cache off;
}
多实例部署时的负载均衡配置:
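upstream backend {
    # Sticky sessions by client IP (recommended for WebSocket so a reconnecting
    # client reaches the same instance). The hash-to-server mapping depends on
    # the order of the server lines, so append new servers at the end.
    # NOTE: behind a CDN or another proxy the hashed address is the proxy's, and
    # every client lands on the same backend unless the realip module
    # (set_real_ip_from / real_ip_header) restores the client address first.
    ip_hash;
    server 127.0.0.1:8080 max_fails=3 fail_timeout=30s;
    server 127.0.0.1:8081 max_fails=3 fail_timeout=30s;
    # `backup` cannot be combined with ip_hash (nginx -t rejects the parameter),
    # so the third instance is a regular member of the pool.
    server 127.0.0.1:8082 max_fails=3 fail_timeout=30s;
}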
server {
# ... TLS settings (same as the HTTPS server block above) ...
location / {
# Proxy to the named upstream instead of a single address
proxy_pass http://backend;
# ... other proxy settings (the proxy_set_header lines) ...
}
location /ws {
proxy_pass http://backend;
# ... WebSocket settings (proxy_http_version, Upgrade/Connection headers, timeouts) ...
}
}
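# nginx.conf global settings. Each directive must sit in its own context,
# otherwise `nginx -t` rejects the file.

# main context
worker_processes auto;

# events context: worker_connections is not allowed at the main level
events {
    worker_connections 1024;
}

http {
    # Enable gzip compression.
    # NOTE: compressing a response that mixes a secret with attacker-controlled
    # input over TLS exposes the secret to compression-oracle attacks (BREACH);
    # keep gzip off for such responses (e.g. authenticated JSON that echoes input).
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/xml text/javascript
               application/javascript application/xml+rss
               application/json;

    # Request body limits
    client_max_body_size 10M;
    client_body_buffer_size 128k;

    # Rate-limit zones (http context); the limit_req directives that use them
    # belong in server/location blocks.
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

    server {
        # ... listen / server_name / TLS / proxy_set_header settings ...

        # Static-asset caching. A regex location takes precedence over the
        # `location /` prefix, so it must proxy to the backend as well; without
        # proxy_pass these requests are served from nginx's own root and 404.
        location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
            proxy_pass http://127.0.0.1:8080;
            expires 1y;
            add_header Cache-Control "public, immutable";
            # add_header here hides the server-level security headers (nginx does
            # not merge add_header across levels), so they are repeated.
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            add_header X-Frame-Options DENY always;
            add_header X-Content-Type-Options nosniff always;
        }
    }
}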
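server {
    # ... listen / server_name / TLS settings ...
    # NOTE: proxy_set_header is inherited by a location only when that location
    # sets none of its own; the Host / X-Forwarded-* lines must be present at
    # server level (or repeated below) for the backend to see the real host and
    # client address.

    # API rate limit: 10 r/s sustained, bursts of up to 20 served without delay
    location /api/ {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://backend;
    }
    # Stricter limit for logins (brute force / credential stuffing). This is a
    # prefix match, so /api/login/... and /api/loginXYZ are covered as well.
    # NOTE: both zones key on $binary_remote_addr; behind a CDN or load balancer
    # all clients share one address and are throttled together unless the realip
    # module restores the client IP.
    location /api/login {
        limit_req zone=login burst=3 nodelay;
        proxy_pass http://backend;
    }
    # Hide the nginx version in the Server header and on error pages
    server_tokens off;
    # Deny dot-files and dot-directories (.git, .env, .htpasswd, ...) but keep
    # /.well-known/ reachable: ACME HTTP-01 renewals and other RFC 8615 resources
    # live there, and the original `/\.` pattern blocked them too.
    location ~ /\.(?!well-known/) {
        deny all;
    }
}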
# Custom log format (http context). $http_x_forwarded_for is whatever the client
# sent and is logged for tracing only, never as the trusted client address.
# $request includes the query string, so secrets passed as URL parameters end up
# in the access log.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt=$request_time uct="$upstream_connect_time" '
'uht="$upstream_header_time" urt="$upstream_response_time"';
server {
# Per-site logs using the `main` format above; `warn` drops notice/info noise
access_log /var/log/nginx/yourdomain.access.log main;
error_log /var/log/nginx/yourdomain.error.log warn;
}
nginx -t 检查配置,openssl 验证证书:
# 检查配置语法
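# Validate the configuration syntax before reloading
sudo nginx -t
# Reload the configuration
sudo nginx -s reload
# Check that the site answers over HTTPS (this only proves the handshake succeeds)
curl -I https://yourdomain.com
# Inspect the certificate actually served: subject, issuer and validity dates
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
# Test the WebSocket connection
wscat -c wss://yourdomain.com/ws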
以上配置适用于大多数生产环境,可根据具体需求调整参数和安全策略。