Docker Nginx 部署
概述
Nginx 是一个高性能的 HTTP 和反向代理服务器,也是 IMAP/POP3/SMTP 代理服务器。使用 Docker 部署 Nginx 可以简化配置管理、提高部署效率,并确保环境一致性。
基础部署
1. 使用官方镜像
# Pull the latest nginx image. `latest` is a moving tag; pin a version tag
# or an image digest when the deployment has to be reproducible.
docker pull nginx:latest

# Start a basic container. `-p 80:80` publishes the port on every host
# interface; `-p 127.0.0.1:80:80` keeps it reachable only from the host
# while testing.
run_opts=(
  -d
  --name nginx-server
  -p 80:80
  -p 443:443
)
docker run "${run_opts[@]}" nginx:latest
2. 自定义配置文件部署
创建自定义的 Nginx 配置文件:
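# nginx.conf
# Main configuration. It is mounted read-only over /etc/nginx/nginx.conf
# and pulls the per-site files in from conf.d/.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;          # Linux-only event method; fine inside the official image
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the nginx version in the Server header or on the
    # built-in error pages (the Server header itself is still sent).
    server_tokens off;

    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # Basic settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # Gzip compression. Compressing responses that embed per-user secrets
    # (session tokens, CSRF values) over TLS enables the BREACH side channel;
    # keep gzip to static types or disable it for such responses.
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/xml text/javascript
               application/javascript application/xml+rss
               application/json application/xml;

    # Per-site configuration. Everything in conf.d/*.conf is included here,
    # i.e. those files live in the http context.
    include /etc/nginx/conf.d/*.conf;
}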
创建站点配置文件:
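# default.conf
# Default virtual host; included from nginx.conf into the http context.
server {
    listen 80;
    server_name localhost;

    root /usr/share/nginx/html;
    index index.html index.htm;

    # Security headers.
    # NOTE: add_header is not additive across levels. A location that declares
    # any add_header of its own drops every add_header inherited from this
    # server block, so locations below that add headers repeat this set.
    # `always` attaches the headers to error responses as well.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header; current browsers ignore it, kept for older clients.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # This policy still allows any http:/https: origin and inline scripts,
    # so it blocks very little; tighten it per site once the asset origins
    # are known.
    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

    # Static file caching
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        # Repeated here because the add_header above replaces the inherited set.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    }

    # Main page
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Health check. default_type sets the Content-Type of the generated
    # response; `add_header Content-Type` would emit a second Content-Type
    # header next to the application/octet-stream one from nginx.conf.
    # No add_header here, so the server-level security headers still apply.
    location /health {
        access_log off;
        default_type text/plain;
        return 200 "healthy\n";
    }
}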
使用自定义配置运行容器:
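# Create the config directories. Run these commands from the directory
# that will hold the nginx/ tree; the docker run below mounts paths
# relative to it.
mkdir -p nginx/conf.d nginx/html
# Copy the configuration files
cp nginx.conf nginx/
cp default.conf nginx/conf.d/
# Create a test page
printf '%s\n' "<h1>Hello Docker Nginx!</h1>" > nginx/html/index.html
# Run the container. Bind-mount sources must be absolute, so they are built
# from $PWD and quoted so a working directory with spaces does not split
# the -v arguments.
docker run -d \
  --name nginx-custom \
  -p 80:80 \
  -p 443:443 \
  -v "$PWD/nginx/nginx.conf:/etc/nginx/nginx.conf:ro" \
  -v "$PWD/nginx/conf.d:/etc/nginx/conf.d:ro" \
  -v "$PWD/nginx/html:/usr/share/nginx/html:ro" \
  nginx:latest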
SSL/HTTPS 配置
1. 自签名证书
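# Create the target directory first; openssl does not create it
mkdir -p nginx/ssl
# Generate the private key and keep it readable by the owner only
openssl genrsa -out nginx/ssl/private.key 2048
chmod 600 nginx/ssl/private.key
# Generate the certificate signing request (prompts for the subject fields;
# the CN must match the host name used in the browser)
openssl req -new -key nginx/ssl/private.key -out nginx/ssl/certificate.csr
# Generate the self-signed certificate (browsers will not trust it; use the
# Let's Encrypt setup below for anything reachable from the internet)
openssl x509 -req -days 365 -in nginx/ssl/certificate.csr \
  -signkey nginx/ssl/private.key -out nginx/ssl/certificate.crt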
2. SSL 配置
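# ssl.conf
server {
    listen 443 ssl;
    # The `listen ... http2` parameter is deprecated since nginx 1.25.1 (which
    # nginx:latest is past); on older images use `listen 443 ssl http2;`.
    http2 on;
    server_name your-domain.com;

    # Certificate and key, mounted read-only from ./nginx/ssl
    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    # TLS settings
    ssl_protocols TLSv1.2 TLSv1.3;
    # RSA-only suites: with an ECDSA certificate no TLS 1.2 cipher would match;
    # add ECDHE-ECDSA-* suites in that case. TLS 1.3 suites are not governed
    # by this list.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS. includeSubDomains commits every subdomain to HTTPS for a year;
    # start with a short max-age when first rolling this out.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /usr/share/nginx/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ /index.html;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name your-domain.com;

    # Serve ACME HTTP-01 challenges over plain HTTP so certbot's webroot mode
    # (docker-compose-ssl.yml, webroot /var/www/certbot) is not caught by the
    # redirect below.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}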
3. Let's Encrypt 证书
使用 Certbot 自动获取和更新证书:
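# docker-compose-ssl.yml
# nginx serves the site and the ACME webroot; the certbot service obtains
# the certificate. Both share ./certbot/conf (certificates) and
# ./certbot/www (HTTP-01 challenge files).
# For the Let's Encrypt certificate to be used, ssl.conf must point at
# /etc/letsencrypt/live/your-domain.com/fullchain.pem and privkey.pem
# instead of /etc/nginx/ssl/.
version: "3.8"   # obsolete for Compose v2 (logged as a warning), harmless to keep

services:
  nginx:
    image: nginx:latest
    container_name: nginx-ssl
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - ./nginx/html:/usr/share/nginx/html:ro
      - ./nginx/ssl:/etc/nginx/ssl:ro
      # nginx only reads certificates and challenge files
      - ./certbot/conf:/etc/letsencrypt:ro
      - ./certbot/www:/var/www/certbot:ro
    # Reload nginx every 6h so renewed certificates are picked up.
    # `$$` is Compose's escape for a literal `$`.
    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''

  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - ./certbot/conf:/etc/letsencrypt
      - ./certbot/www:/var/www/certbot
    # Runs once and exits. --force-renewal was removed: it re-issued a
    # certificate on every `docker compose up`, which quickly hits Let's
    # Encrypt's duplicate-certificate rate limit; without it certbot issues
    # only when no valid certificate exists. Ongoing renewal needs a
    # periodic `certbot renew` (a loop entrypoint or host cron) — the nginx
    # reload loop above only picks up files something else has renewed.
    command: certonly --webroot --webroot-path=/var/www/certbot --email your-email@example.com -d your-domain.com --agree-tos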
反向代理配置
1. 基础反向代理
# proxy.conf
# Round-robin reverse proxy to three application containers. app1..app3
# must resolve from inside the nginx container (same Docker network).
upstream backend {
server app1:3000;
server app2:3000;
server app3:3000;
}
# NOTE: the upstream name `backend` is also used by load-balancer.conf,
# weighted-lb.conf and ip-hash-lb.conf; nginx rejects duplicate upstream
# names, so only one of those files may be present in conf.d/ at a time.
server {
listen 80;
server_name your-domain.com;
location / {
proxy_pass http://backend;
# Forward the original host, client address and scheme. The backend should
# trust these headers only for requests that arrive from this proxy;
# $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
# sent, so only the last entry is the address nginx saw.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Timeouts: connect to the backend, send the request, wait between reads
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
}
}
2. API 代理
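# api-proxy.conf
upstream api_backend {
    server api1:8080;
    server api2:8080;
}

# Rate-limit zone: 10 MB of state keyed by client address, 10 requests/s.
# limit_req_zone is only valid in the http context, so it sits at file level
# (conf.d/*.conf is included from the http block) rather than inside
# `server`, where nginx rejects it. When nginx itself is behind another
# proxy every client shares $binary_remote_addr; use the real client
# address (realip module) in that case.
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

server {
    listen 80;
    server_name api.your-domain.com;

    location /api/ {
        # Allow bursts of 20 above the rate; requests beyond that are
        # rejected immediately (503 by default) instead of being delayed.
        limit_req zone=api burst=20 nodelay;

        proxy_pass http://api_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # CORS. A wildcard origin only works for requests sent without
        # credentials (browsers refuse `*` for credentialed requests), so
        # listing Authorization here only helps token-based clients; use the
        # explicit front-end origin if cookies are involved. OPTIONS
        # preflights are proxied to the backend unchanged, and without
        # `always` these headers are only added to 2xx/3xx responses.
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
        add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
    }
}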
负载均衡配置
1. 轮询负载均衡
# load-balancer.conf
# Default round-robin: requests are spread evenly over the listed servers.
# NOTE: `backend` is also the upstream name in proxy.conf, weighted-lb.conf
# and ip-hash-lb.conf; nginx refuses to start on duplicate upstream names,
# so keep only one of those files in conf.d/ (or rename the upstream).
upstream backend {
server backend1:8080;
server backend2:8080;
server backend3:8080;
}
server {
listen 80;
server_name your-domain.com;
location / {
proxy_pass http://backend;
# Pass the original Host and client address through to the backend.
# X-Forwarded-Proto is not set here (proxy.conf sets it); add it if the
# backend builds absolute URLs.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
2. 加权负载均衡
# weighted-lb.conf
# Weighted round-robin: of every 6 requests backend1 gets 3, backend2 2 and
# backend3 1. backend4 is only used while all non-backup servers are down.
# Same upstream name as the other *-lb.conf files — use one at a time.
upstream backend {
server backend1:8080 weight=3;
server backend2:8080 weight=2;
server backend3:8080 weight=1;
server backend4:8080 backup;
}
3. IP Hash 负载均衡
# ip-hash-lb.conf
# A hash of the client address (first three octets for IPv4) picks the
# server, so one client keeps hitting the same backend (session affinity).
# Clients behind one NAT, or all clients when nginx sits behind another
# proxy, share a hash and therefore land on the same backend.
# Same upstream name as the other *-lb.conf files — use one at a time.
upstream backend {
ip_hash;
server backend1:8080;
server backend2:8080;
server backend3:8080;
}
缓存配置
1. 静态文件缓存
# cache.conf
server {
listen 80;
server_name your-domain.com;
root /usr/share/nginx/html;
# Image caching. `immutable` tells browsers not to revalidate for a year,
# so file names must change (hash or version in the name) when content
# changes, or clients keep the old file.
location ~* \.(jpg|jpeg|png|gif|ico|svg)$ {
expires 1y;
add_header Cache-Control "public, immutable";
# gzip_vary on in nginx.conf already emits Vary: Accept-Encoding for
# compressed responses; presumably harmless here, but check the response
# for duplicate Vary lines.
add_header Vary Accept-Encoding;
}
# CSS/JS caching (same one-year immutable policy as images)
location ~* \.(css|js)$ {
expires 1y;
add_header Cache-Control "public, immutable";
add_header Vary Accept-Encoding;
}
# Font caching. The wildcard CORS origin is required when fonts are loaded
# from another origin; acceptable for public assets.
location ~* \.(woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
add_header Access-Control-Allow-Origin *;
}
}
2. 代理缓存
# proxy-cache.conf
# Cache store (http context): two-level directory tree, 10 MB of key memory
# (roughly 80k entries), at most 10 GB on disk, entries unused for 60 min
# are evicted, files are written directly into the cache path.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m use_temp_path=off;
server {
listen 80;
server_name your-domain.com;
location / {
proxy_cache my_cache;
# Serve a stale copy while the backend errors, times out or returns 5xx
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
# Cache 200s for an hour and 404s for a minute unless the backend's
# Cache-Control/Expires headers say otherwise. The default cache key is
# $scheme$proxy_host$request_uri — cookies and Authorization are not part
# of it, so per-user responses must carry `Cache-Control: private` or
# `no-store` (or a Set-Cookie header; nginx skips caching for all of
# these) or they will be served to other clients.
proxy_cache_valid 200 1h;
proxy_cache_valid 404 1m;
# `backend` must be declared as an upstream in another conf.d file
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
性能优化
1. 工作进程优化
# nginx.conf tuning (main context, outside the http block)
worker_processes auto;
worker_cpu_affinity auto;
# Per-worker open-file limit. NOTE(review): the container's hard nofile
# limit (docker run --ulimit nofile=...) presumably has to be at least this
# high or nginx logs a setrlimit error at startup — confirm for the runtime.
worker_rlimit_nofile 65535;
events {
# Must not exceed worker_rlimit_nofile (each connection is a descriptor)
worker_connections 65535;
use epoll;
multi_accept on;
accept_mutex off;
}
2. HTTP 优化
# http block tuning
http {
# Basic settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 100;
# Buffers. client_max_body_size caps request bodies at 10 MB (larger ones
# get 413); raise it in the locations that accept uploads rather than
# globally. The header buffers bound how much header data a client may send.
client_body_buffer_size 128k;
client_max_body_size 10m;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
# Gzip compression. Compressing responses that embed per-user secrets
# (session tokens, CSRF values) over TLS enables the BREACH side channel;
# keep gzip to static types or disable it for such responses.
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_comp_level 6;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/javascript
application/xml+rss
application/json
application/xml
image/svg+xml;
}
监控和日志
1. 访问日志配置
# Custom log format (http context). rt = total request time; uct/uht/urt =
# upstream connect/header/response times ('-' when no upstream was used).
# The log holds client IPs and user agents — apply the same retention and
# access rules as to other personal data.
log_format detailed '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'rt=$request_time uct="$upstream_connect_time" '
'uht="$upstream_header_time" urt="$upstream_response_time"';
# Use the custom format
access_log /var/log/nginx/access.log detailed;
2. 错误页面配置
# Custom error pages (server context). The files must exist under the root.
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
# Adding `internal;` here serves the page only via error_page, not on a
# direct request for /50x.html.
}
3. 健康检查
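# Health check endpoint (server context). default_type sets the
# Content-Type of the generated body; `add_header Content-Type` would emit
# a second Content-Type header next to the default_type one.
location /health {
    access_log off;
    default_type text/plain;
    return 200 "healthy\n";
}

# Detailed health check. It reveals the container hostname, so restrict it
# to the monitoring network with allow/deny rather than leaving it public.
location /health/detailed {
    access_log off;
    default_type application/json;
    return 200 '{"status":"healthy","timestamp":"$time_iso8601","server":"$hostname"}\n';
}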
安全配置
1. 基础安全头
# Security headers (server or location context).
# NOTE: add_header is not additive across levels — a location that sets any
# add_header of its own drops all of these; repeat them there or keep them
# in a snippet each location includes. `always` also attaches them to
# error responses.
add_header X-Frame-Options "SAMEORIGIN" always;
# Legacy header; current browsers ignore it.
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# Sends the full URL as referrer to same-scheme destinations;
# strict-origin-when-cross-origin is the stricter common choice.
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# Allows any http:/https: origin plus inline scripts, so this policy blocks
# almost nothing; tighten it per site once the asset origins are known.
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
2. 隐藏 Nginx 版本
# Add inside the http block: removes the version from the Server header and
# from the built-in error pages (the Server header itself is still sent).
server_tokens off;
3. 限制请求大小
# Cap request bodies (http, server or location context); larger bodies get 413
client_max_body_size 10m;
# Rate limiting for the login endpoint. limit_req_zone must be declared in
# the http context (e.g. at the top of a conf.d file), limit_req inside the
# location. The key is the client address, so clients behind one NAT or
# proxy share the budget — use the real client address (realip module)
# when nginx is behind another proxy.
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
location /login {
# 1 request/s with a burst of 5; excess requests are rejected at once
limit_req zone=login burst=5 nodelay;
# other configuration...
}
部署脚本
1. 自动化部署脚本
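#!/bin/bash
# deploy-nginx.sh
#
# (Re)deploys the nginx container: creates the config/html/log/ssl
# directories, replaces any existing container with the same name, pulls
# the image and starts a new container with the local directories mounted.
#
# Run it from the directory that contains (or should contain) ./nginx.
# Requires docker on PATH and ./nginx/nginx.conf; without that file the
# bind mount would create an empty directory at that path and nginx would
# fail to start, so the script refuses to continue.
set -euo pipefail

# Configuration
readonly NGINX_IMAGE="nginx:latest"
readonly CONTAINER_NAME="nginx-server"
readonly CONFIG_DIR="./nginx"
readonly SSL_DIR="./nginx/ssl"

die() { printf '%s\n' "$*" >&2; exit 1; }

main() {
  local config_path ssl_path

  # Create the required directories
  mkdir -p -- "$CONFIG_DIR/conf.d" "$CONFIG_DIR/html" "$CONFIG_DIR/logs" "$SSL_DIR"

  # Bind mounts need absolute paths; resolve them once and keep them quoted
  # so a working directory with spaces does not split the arguments.
  config_path="$(cd -- "$CONFIG_DIR" && pwd)" || die "cannot resolve $CONFIG_DIR"
  ssl_path="$(cd -- "$SSL_DIR" && pwd)" || die "cannot resolve $SSL_DIR"
  [[ -f "$config_path/nginx.conf" ]] || die "missing $config_path/nginx.conf"

  # Stop and remove the old container (its absence is not an error)
  docker stop "$CONTAINER_NAME" 2>/dev/null || true
  docker rm "$CONTAINER_NAME" 2>/dev/null || true

  # Pull the latest image
  docker pull "$NGINX_IMAGE"

  # Start the new container. Config, site files and the key/cert directory
  # are mounted read-only; only the log directory is writable.
  docker run -d \
    --name "$CONTAINER_NAME" \
    --restart unless-stopped \
    -p 80:80 \
    -p 443:443 \
    -v "$config_path/nginx.conf:/etc/nginx/nginx.conf:ro" \
    -v "$config_path/conf.d:/etc/nginx/conf.d:ro" \
    -v "$config_path/html:/usr/share/nginx/html:ro" \
    -v "$config_path/logs:/var/log/nginx" \
    -v "$ssl_path:/etc/nginx/ssl:ro" \
    "$NGINX_IMAGE"

  echo "Nginx 部署完成!"
  echo "容器名称: $CONTAINER_NAME"
  echo "访问地址: http://localhost"
}

main "$@"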
2. 备份脚本
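#!/bin/bash
# backup-nginx.sh
#
# Archives ./nginx (configuration, site files and, when present, the ssl/
# directory holding the private key) into ./backups/<timestamp>.tar.gz.
# Because the archive can contain the TLS private key, the staging copy and
# the archive are created readable by the owner only.
set -euo pipefail

readonly CONFIG_DIR="./nginx"
readonly BACKUP_ROOT="./backups"

die() { printf '%s\n' "$*" >&2; exit 1; }

main() {
  local stamp backup_dir
  stamp="$(date +%Y%m%d_%H%M%S)"
  backup_dir="$BACKUP_ROOT/$stamp"

  [[ -d "$CONFIG_DIR" ]] || die "nothing to back up: $CONFIG_DIR does not exist"

  # Everything created from here on (staging directory, copies, archive)
  # gets owner-only permissions.
  umask 077

  # Stage a copy of the configuration tree. ssl/ lives under $CONFIG_DIR,
  # so it is already part of this copy and needs no second copy.
  mkdir -p -- "$backup_dir"
  cp -r -- "$CONFIG_DIR" "$backup_dir/"

  # Pack the staging directory and remove it. ${var:?} aborts rather than
  # running rm -rf on an empty path.
  tar -czf "$backup_dir.tar.gz" "$backup_dir"
  rm -rf -- "${backup_dir:?}"

  echo "备份完成: $backup_dir.tar.gz"
}

main "$@"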
故障排除
1. 常见问题
容器无法启动
# Check the container log. The official image sends access/error logs to
# stdout/stderr, so they appear here — unless /var/log/nginx is bind-mounted
# (as deploy-nginx.sh does), in which case look in ./nginx/logs instead.
docker logs nginx-server
# Validate the configuration syntax without restarting
docker exec nginx-server nginx -t
端口冲突
# Check what is listening on port 80 (`:80` also matches :8080, :8000, …;
# anchor the pattern, e.g. `grep ':80 '`, when the output is noisy)
netstat -tulpn | grep :80
lsof -i :80
# Change the host-side port mapping. This example runs in the foreground and
# without --name; add -d and --name as in the deployment commands above.
docker run -p 8080:80 nginx:latest
权限问题
# Inspect ownership and permissions
ls -la nginx/
# Configuration files only need to be world-readable. A TLS private key under
# nginx/ssl/ should stay at 600 (owner only) — do not apply 644 to it.
chmod 644 nginx/nginx.conf
chmod 644 nginx/conf.d/*.conf
2. 性能调优检查
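# List the nginx processes. `docker top` reads the process list from the
# host, so it works even when the image ships no `ps` binary.
docker top nginx-server
# Count sockets on port 80 (`grep -c` replaces `grep | wc -l`; needs
# netstat inside the image — it may not be installed there)
docker exec nginx-server netstat -an | grep -c :80
# Live CPU/memory/network usage of the container
docker stats nginx-server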
