
How to configure Http, Https, WS, WSS in Nginx?

冰河

Write in front

Nginx is one of the most widely used proxy servers on the Internet today, and many large companies put it in front of their business systems as a reverse proxy. It is therefore worth understanding how Nginx is configured for Http, Https, WS and WSS. Come along and learn Nginx with Glacier: let's advance together, and go bald together~~

Nginx configuration Http

First, how Nginx proxies plain Http, which is the most common use of Nginx. Add the following to nginx.conf.

upstream message {
  # Backend pool; after 3 failed attempts within fail_timeout (default 10s) the server is marked unavailable
  server localhost:8080 max_fails=3;
}

server {
    listen       80;
    server_name  localhost;

    location / {
        root   html;
        index  index.html index.htm;
        # Allow CORS from any origin. '*' lets every website read these responses from a browser;
        # acceptable for public static assets only, never for authenticated endpoints.
        add_header 'Access-Control-Allow-Origin' '*';
        #proxy_redirect default;
        # Timeout for establishing a connection to the proxied server. Note that this timeout
        # usually cannot exceed 75 seconds. When a backend is down, the request is passed on to
        # the next server after 10 seconds. It only takes effect in a location that uses
        # proxy_pass, so in this static location it does nothing.
        proxy_connect_timeout 10;
    }
    
     location /message {
       proxy_pass                  http://message;
       proxy_set_header Host $host:$server_port;
    }
}

Now a request to http://localhost/message is forwarded to http://localhost:8080/message .
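The wildcard Access-Control-Allow-Origin above is the weak setting. The following is an added example, not from the original article, of the same Http server with the header restricted to an allowlist of origins; the origins https://app.example.com and https://admin.example.com are placeholders, as are the backend address and port.

```nginx
# Added example: replace 'Access-Control-Allow-Origin: *' with an allowlist.
# $http_origin is the browser-supplied Origin header; the map yields the origin
# back only when it is on the list, and an empty string otherwise.
map $http_origin $cors_origin {
    default                      "";
    "https://app.example.com"    $http_origin;   # placeholder origins
    "https://admin.example.com"  $http_origin;
}

upstream message {
  server localhost:8080 max_fails=3;
}

server {
    listen       80;
    server_name  localhost;

    location / {
        root   html;
        index  index.html index.htm;
        # add_header omits the header entirely when the value is empty,
        # so an unknown origin gets no Access-Control-Allow-Origin at all.
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        # Tell caches the response varies by Origin, so a response allowed
        # for one origin is not served from cache to another.
        add_header 'Vary' 'Origin' always;
    }

    location /message {
        proxy_pass       http://message;
        proxy_set_header Host $host:$server_port;
        # Let the backend see the real client. The incoming X-Forwarded-For is
        # client-supplied and spoofable; only the address Nginx appends (the
        # last one) and X-Real-IP can be trusted.
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Keep in mind that add_header is not merged across levels: a location that has its own add_header directives does not inherit those of the enclosing server block, so put every header you need into each location that sets any.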

Nginx configuration Https

If the business has stricter security requirements for the website, Https is configured in Nginx. The following configuration shows how.

upstream message {
  server localhost:8080 max_fails=3;
}

server {
    listen       443 ssl;
    server_name localhost;
    # Server certificate (with chain) and private key; the key file should be readable by root only
    ssl_certificate    /usr/local/nginx-1.17.8/conf/keys/binghe.pem;
    ssl_certificate_key /usr/local/nginx-1.17.8/conf/keys/binghe.key;
    ssl_session_timeout 20m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments should allow only TLSv1.2 and TLSv1.3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # No client certificate is requested (this is also the default)
    ssl_verify_client off;
    location / {
        root   html;
        index  index.html index.htm;
        # Allow CORS from any origin; '*' lets every website read these responses from a browser
        add_header 'Access-Control-Allow-Origin' '*';
        # Timeout for establishing a connection to the proxied server; usually cannot exceed 75 seconds.
        # When a backend is down, the request is passed on to the next server after 10 seconds.
        proxy_connect_timeout 10;
    }
    
     location /message {
       proxy_pass                  http://message;
       proxy_set_header Host $host:$server_port;
    }
}

Now a request to https://localhost/message is forwarded to http://localhost:8080/message . TLS terminates at Nginx; the hop to the backend is plain Http.
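The Https block above still accepts TLS 1.0 and 1.1 and has no redirect from port 80. The following is an added example, not from the original article, showing the same server hardened; the certificate paths, server name, resolver address and backend are placeholders.

```nginx
# Added example: hardened variant of the Https server above.
upstream message {
  server localhost:8080 max_fails=3;
}

# Plain-Http listener that does nothing but redirect to Https
server {
    listen      80;
    server_name localhost;
    return 301 https://$host$request_uri;
}

server {
    listen       443 ssl http2;
    server_name  localhost;

    ssl_certificate     /usr/local/nginx-1.17.8/conf/keys/binghe.pem;   # leaf + intermediates
    ssl_certificate_key /usr/local/nginx-1.17.8/conf/keys/binghe.key;

    # Weak:     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Hardened: TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ECDHE only (forward secrecy), AEAD only (no CBC), no RSA key exchange.
    # TLS 1.3 suites are not selected through ssl_ciphers and are all AEAD anyway.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    # With an AEAD-only list, let the client pick (e.g. ChaCha20 on phones without AES hardware)
    ssl_prefer_server_ciphers off;

    # Session resumption: one cache shared by all workers; tickets off, because a
    # long-lived ticket key would let a later key compromise decrypt recorded sessions
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling, so clients need not contact the CA; stapling needs a resolver
    ssl_stapling        on;
    ssl_stapling_verify on;
    resolver 127.0.0.53 valid=300s;   # placeholder: your local resolver

    # HSTS: browsers refuse plain Http for this host for two years.
    # 'always' adds the header on 4xx/5xx responses as well.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        root   html;
        index  index.html index.htm;
    }

    location /message {
        proxy_pass       http://message;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tell the backend the original scheme so it generates https:// links and
        # Secure cookies even though the hop from Nginx to it is plain Http
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

ssl_stapling_verify needs the issuer chain, either in the ssl_certificate file or via ssl_trusted_certificate. After reloading, confirm with openssl s_client or testssl.sh that a TLS 1.0 or 1.1 handshake is refused and that the HSTS header is present on both 200 and 404 responses.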

Nginx configuration WS

WS is short for WebSocket. Configuring WebSocket proxying in Nginx is relatively simple: it needs only a few lines in nginx.conf. Simple as it is, it is very effective, and it lets you scale WebSocket servers horizontally behind a single endpoint.

To make it easier to follow, I will go through the WS configuration in detail.

Here is the complete configuration first (you can copy it as-is and just change the ip and port):

# Derive the Connection header sent to the backend from the client's Upgrade header
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
upstream wsbackend{
    server ip1:port1;
    server ip2:port2;
    # Idle connections to the upstream kept open per worker process
    keepalive 1000;
}

server {
    listen 20038;
    location /{
        proxy_http_version 1.1;      # the Upgrade mechanism requires HTTP/1.1 towards the backend
        proxy_pass http://wsbackend;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 3600s;    # default is 60s, after which an idle WebSocket is cut
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

Next, let's go through what each part of the configuration means.

First:

map $http_upgrade $connection_upgrade { 
    default upgrade; 
    '' close; 
} 

It means:

  • If $http_upgrade is not '' (empty), then $connection_upgrade is upgrade.
  • If $http_upgrade is '' (empty), then $connection_upgrade is close.

Next:

upstream wsbackend{ 
    server ip1:port1; 
    server ip2:port2; 
    keepalive 1000; 
} 

This defines Nginx load balancing:

  • Two backend servers, (ip1:port1) and (ip2:port2); by default requests are distributed round-robin.
  • keepalive 1000 is the number of idle connections to the upstream kept open in each Nginx worker process. When more idle connections than that accumulate, the least recently used ones are closed. It is not a limit on the total number of connections; think of it as the size of the idle connection pool. The value must be one the upstream servers can tolerate. Note that an upgraded WebSocket connection is dedicated to one client and never returns to this pool, and that non-upgrade requests through this location are sent with Connection: close (from the map above), so the pool only pays off if you also proxy ordinary Http/1.1 traffic with an empty Connection header.

Finally:

server { 
    listen 20038; 
    location /{ 
        proxy_http_version 1.1; 
        proxy_pass http://wsbackend; 
        proxy_redirect off;
        proxy_set_header Host $host; 
        proxy_set_header X-Real-IP $remote_addr; 
        proxy_read_timeout 3600s; 
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_set_header Upgrade $http_upgrade; 
        proxy_set_header Connection $connection_upgrade; 
    } 
} 

This is the configuration of the listening server:

  • listen 20038 is the port Nginx listens on
  • location / is the path to match (/ matches every path, a catch-all equivalent to the default)
  • proxy_http_version 1.1 means the reverse proxy speaks HTTP/1.1 to the backend; HTTP/1.1 supports persistent connections, and the Upgrade mechanism requires it
  • proxy_pass http://wsbackend; is the reverse proxy target; an upstream group name can be used here to get load balancing
  • proxy_redirect off; disables rewriting of the Location and Refresh headers in backend responses. With location / and a bare proxy_pass the default rewrite would be a no-op anyway, so it makes no difference here
  • proxy_set_header Host $host; passes the Host header through unchanged. $host is a built-in Nginx variable holding the Host header of the current request (falling back to the server name), and proxy_set_header sets a request header sent to the backend
  • proxy_set_header X-Real-IP $remote_addr; tells the backend the IP address of the client that connected to Nginx
  • proxy_read_timeout 3600s; the connection is closed if nothing is read from the backend for 3600s. The default is 60s, which is the usual culprit when idle WebSocket connections drop after a minute
  • proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; appends the client IP to any X-Forwarded-For already present in the request. The incoming part is client-supplied and spoofable; the backend should trust only the last address (the one Nginx appended) or X-Real-IP
  • proxy_set_header Upgrade $http_upgrade; forwards the client's Upgrade header unchanged
  • proxy_set_header Connection $connection_upgrade; if the client sent Upgrade, the request is upgraded (WebSocket); if not, the backend connection is closed after the response. Nginx does not pass the client's Connection header on its own, so without this line the upgrade would never reach the backend

Now a client connecting to ws://localhost:20038 is proxied to ip1:port1 or ip2:port2, load-balanced between the two.
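The WS server above accepts a handshake from any website and may send a reconnecting client to a different backend each time. The following is an added example, not from the original article, that hardens it in two ways a practitioner usually needs: it rejects handshakes whose Origin header is not on an allowlist, which stops cross-site WebSocket hijacking from other sites a logged-in browser visits, and it pins each client to one backend, since WebSocket sessions are stateful. The origin https://app.example.com and the ip/port placeholders are assumptions. The same location block drops unchanged into a WSS server that terminates TLS.

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# Browsers always send Origin on a WebSocket handshake; only the listed
# origin is accepted. A request with no Origin (non-browser client) is
# rejected as well; change 'default 0' if such clients are expected.
map $http_origin $ws_origin_ok {
    default                   0;
    "https://app.example.com" 1;   # placeholder origin
}

upstream wsbackend {
    # Consistent hashing on the client address keeps a client on the same
    # backend across reconnects; drop it if the backends share session state.
    hash $remote_addr consistent;
    server ip1:port1;
    server ip2:port2;
}

server {
    listen 20038;

    location / {
        # Refuse the handshake before it reaches the backend. 'if' with a
        # bare 'return' is one of the safe uses of if inside a location.
        if ($ws_origin_ok = 0) {
            return 403;
        }

        proxy_http_version 1.1;
        proxy_pass http://wsbackend;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Idle cut-off in both directions; 3600s covers a client that stays
        # connected but silent for an hour. Have the application send pings
        # if sessions must survive longer idle periods.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
```

The Origin check is a browser defence only: a non-browser attacker can set any Origin, so the backend still has to authenticate the WebSocket session itself.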

Nginx configure WSS

WSS is WebSocket over Https, that is, WebSocket protected by TLS. Let's look at how to configure WSS. Since every directive was explained in detail in the WS section, I will not repeat the explanations here.

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
upstream wsbackend{
    server ip1:port1;
    server ip2:port2;
    keepalive 1000;
}
server{
    # TLS is terminated here; the backends still speak plain ws
    listen 20038 ssl;
    server_name localhost;
    ssl_certificate    /usr/local/nginx-1.17.8/conf/keys/binghe.com.pem;
    ssl_certificate_key /usr/local/nginx-1.17.8/conf/keys/binghe.com.key;
    ssl_session_timeout 20m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments should allow only TLSv1.2 and TLSv1.3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_verify_client off;
    location /{
      proxy_http_version 1.1;
      proxy_pass http://wsbackend;
      proxy_redirect off;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_read_timeout 3600s;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
    }
}

Now a client connecting to wss://localhost:20038 is proxied to ip1:port1 or ip2:port2 over plain ws, load-balanced between the two; TLS terminates at Nginx.

Did you learn something? Feel free to leave a comment at the end of the article.

That's all for today. I'm Glacier. If you have any questions, leave a message below or add me on WeChat: sun_shine_lyz, and I will pull you into the group, where we share technology, advance together, and become awesome together~~
