Stream on Liangweidong's bloghttps://liangweidonggood.github.io/tags/stream/Recent content in Stream on Liangweidong's blogHugo -- gohugo.iozh-cnFri, 15 Sep 2023 00:00:00 +0800Nginx 自建镜像实战:前端静态、反向代理、WebSocket 与四层转发https://liangweidonggood.github.io/p/nginx-zi-jian-jingxiang-shizhan/Fri, 15 Sep 2023 00:00:00 +0800https://liangweidonggood.github.io/p/nginx-zi-jian-jingxiang-shizhan/<img src="https://liangweidonggood.github.io/p/nginx-zi-jian-jingxiang-shizhan/image/cover.jpg" alt="Featured image of post Nginx 自建镜像实战:前端静态、反向代理、WebSocket 与四层转发" /><p>Nginx 容器化部署看似简单——<code>docker run -d -p 80:80 nginx</code> 就能跑——但生产里要解决的是:怎么把前端 dist、nginx.conf、SSL 证书<strong>打包成可复用的镜像</strong>,而不是每次新环境都 ssh 进去改配置。这篇把多年自建 Nginx 镜像的套路整理清楚。</p> <blockquote> <p><strong>阅读对象</strong>:前端工程师、运维、需要部署 Web 服务的全栈工程师 <strong>覆盖范围</strong>:前端 dist 打包 + nginx.conf 模板 + 反向代理 / WebSocket / TCP UDP 四层 + SSL + bitnami/nginx 优势对比</p> </blockquote> <h2 id="一为什么需要自建-nginx-镜像">一、为什么需要自建 Nginx 镜像 </h2><p><code>docker run nginx</code> 看似省事,但生产场景里很快撞墙:</p> <ul> <li><strong>前端 dist 在外面</strong>:每次新构建都要 <code>docker cp</code> 或 <code>bind mount</code>,<strong>配置不统一</strong></li> <li><strong>nginx.conf 在外面</strong>:集群里 5 台机器 5 份配置,<strong>改一行同步半天</strong></li> <li><strong>SSL 证书在容器内</strong>:Let&rsquo;s Encrypt 三个月续期,<strong>每台机器都跑一遍 certbot</strong></li> <li><strong>个性化配置散落</strong>:gzip、autoindex、限流、灰度发布,<strong>每个项目都要从头写</strong></li> </ul> <p><strong>自建 Nginx 镜像的本质</strong>:把&quot;配置 + 静态资源 + 证书&quot;做成<strong>不可变的镜像</strong>。新机器拉新镜像即用,<strong>配置漂移被堵在镜像层之外</strong>。</p> <blockquote> <p><strong>When to use</strong>:</p> <ul> <li>同一份前端代码需要部署到多台机器(灰度 / 多机房)</li> <li>业务方只关心&quot;上传代码 + 重启容器&quot;,不想碰 nginx.conf</li> <li>团队有统一的反代规范(统一超时、统一 gzip、统一 WebSocket 头)</li> </ul> </blockquote> <h2 id="二最小化-dockerfile">二、最小化 Dockerfile </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">dockerhub.example.com/base/nginx:latest</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ADD</span> html /usr/share/nginx/html<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> nginx.conf /etc/nginx/nginx.conf<span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>文件结构:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">. </span></span><span class="line"><span class="cl">├── Dockerfile </span></span><span class="line"><span class="cl">├── html </span></span><span class="line"><span class="cl">│ └── index.html </span></span><span class="line"><span class="cl">└── nginx.conf </span></span></code></pre></td></tr></table> </div> </div><p>构建:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker build -t dockerhub.example.com/library/nginx:20240730 . </span></span><span class="line"><span class="cl">docker run -d --restart<span class="o">=</span>always --name apph5 --net<span class="o">=</span>host <span class="se">\ </span></span></span><span class="line"><span class="cl"> dockerhub.example.com/library/nginx:20240730 </span></span></code></pre></td></tr></table> </div> </div><p><strong>关键点</strong>:</p> <ul> <li><code>ADD html</code> 会把整个目录解压到镜像里,<strong>比 <code>COPY html</code> 更适合静态文件</strong>(虽然官方推荐 COPY,但 ADD 对本地目录行为一致)</li> <li><code>--net=host</code> 让 Nginx 直接监听宿主机端口,<strong>省一层 NAT</strong>——H5 活动页常用</li> <li><code>library/nginx:20240730</code> 用<strong>日期做 tag</strong>,避免覆盖旧版本</li> </ul> <h2 id="三生产级-nginxconf-模板">三、生产级 nginx.conf 模板 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">user</span> <span class="s">root</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">worker_processes</span> <span class="mi">1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">error_log</span> <span class="s">/var/log/nginx/error.log</span> <span class="s">warn</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">pid</span> <span class="s">/var/run/nginx.pid</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">events</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">worker_connections</span> <span class="mi">1024</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">http</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">include</span> <span class="s">/etc/nginx/mime.types</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">default_type</span> <span class="s">application/octet-stream</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">log_format</span> <span class="s">main</span> <span class="s">&#39;</span><span class="nv">$remote_addr</span> <span class="s">-</span> <span class="nv">$remote_user</span> <span class="s">[</span><span class="nv">$time_local]</span> <span class="s">&#34;</span><span class="nv">$request&#34;</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;</span><span class="nv">$status</span> <span class="nv">$body_bytes_sent</span> <span class="s">&#34;</span><span class="nv">$http_referer&#34;</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;&#34;</span><span class="nv">$http_user_agent&#34;</span> <span class="s">&#34;</span><span class="nv">$http_x_forwarded_for&#34;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">access_log</span> <span class="s">/var/log/nginx/access.log</span> <span class="s">main</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">sendfile</span> <span class="no">on</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">keepalive_timeout</span> <span class="mi">65</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># ============ 核心优化 ============ </span></span></span><span class="line"><span class="cl"> <span class="kn">autoindex</span> <span class="no">on</span><span class="p">;</span> <span class="c1"># 目录浏览(文件服务器场景) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">gzip</span> <span class="no">on</span><span class="p">;</span> <span class="c1"># 开启 gzip </span></span></span><span class="line"><span class="cl"> <span class="kn">gzip_buffers</span> <span class="mi">32</span> <span class="s">4K</span><span class="p">;</span> <span class="c1"># 压缩缓冲 </span></span></span><span class="line"><span class="cl"> <span class="kn">gzip_comp_level</span> <span class="mi">6</span><span class="p">;</span> <span class="c1"># 压缩级别 1-9,6 是性价比甜蜜点 </span></span></span><span class="line"><span class="cl"> <span class="kn">gzip_min_length</span> <span class="mi">1k</span><span class="p">;</span> <span class="c1"># 1K 以下不压缩 </span></span></span><span class="line"><span class="cl"> <span class="kn">gzip_types</span> <span class="s">application/javascript</span> <span class="s">text/css</span> <span class="s">text/xml</span><span class="p">;</span> <span class="c1"># 压缩类型 </span></span></span><span class="line"><span class="cl"> <span class="kn">gzip_disable</span> <span class="s">&#34;MSIE</span> <span class="s">[1-6]\.&#34;</span><span class="p">;</span> <span class="c1"># 兼容老 IE </span></span></span><span class="line"><span class="cl"> <span class="kn">gzip_http_version</span> <span class="mi">1</span><span class="s">.1</span><span class="p">;</span> <span class="c1"># 最低 HTTP 版本 </span></span></span><span class="line"><span class="cl"> <span class="kn">gzip_vary</span> <span class="no">on</span><span class="p">;</span> <span class="c1"># 传输压缩标志 </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># ============ 大文件上传 ============ </span></span></span><span class="line"><span class="cl"> <span class="kn">client_max_body_size</span> <span class="s">2000M</span><span class="p">;</span> <span class="c1"># 上传文件大小限制 </span></span></span><span class="line"><span class="cl"> <span class="kn">client_header_buffer_size</span> <span class="mi">128k</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">large_client_header_buffers</span> <span class="mi">4</span> <span class="mi">128k</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># ============ 业务 server ============ </span></span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">10082</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server_name</span> <span class="s">location</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">add_header</span> <span class="s">&#39;Access-Control-Allow-Origin&#39;</span> <span class="s">&#39;*&#39;</span><span class="p">;</span> <span class="c1"># 跨域 </span></span></span><span class="line"><span class="cl"> <span class="kn">root</span> <span class="s">/usr/share/nginx/html</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">index</span> <span class="s">index.html</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">try_files</span> <span class="nv">$uri</span> <span class="nv">$uri/</span> <span class="s">/index.html</span><span class="p">;</span> <span class="c1"># SPA 路由 </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 反向代理后端 API </span></span></span><span class="line"><span class="cl"> <span class="kn">location</span> <span class="s">^~</span> <span class="s">/api/</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">http://localhost:9527/</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>实战要点</strong>:</p> <ul> <li><code>try_files $uri $uri/ /index.html</code>:<strong>SPA 路由必备</strong>——直接访问 <code>/user/profile</code> 不 404</li> <li><code>gzip_types</code> 务必加 <code>application/javascript</code>(不是 <code>text/javascript</code>)——新版 MIME 标准</li> <li><code>client_max_body_size 2000M</code>:<strong>配合后端 Spring Boot 的 <code>spring.servlet.multipart.max-file-size</code> 一起调</strong></li> <li><code>add_header 'Access-Control-Allow-Origin' '*'</code>:<strong>只用于开发</strong>,生产应该用 <code>https://www.example.com</code> 白名单</li> </ul> <h2 id="四websocket-反向代理">四、WebSocket 反向代理 </h2><p>Nginx 反代 WebSocket 关键是<strong>保留 Upgrade 头</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="c1"># http block 顶部加映射 </span></span></span><span class="line"><span class="cl"><span class="k">map</span> <span class="nv">$http_upgrade</span> <span class="nv">$connection_upgrade</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">default</span> <span class="s">upgrade</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">&#39;&#39;</span> <span class="s">close</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># server block 内 location </span></span></span><span class="line"><span class="cl"><span class="k">location</span> <span class="s">/ws/</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">http://localhost:8080/</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_http_version</span> <span class="mi">1</span><span class="s">.1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">Upgrade</span> <span class="nv">$http_upgrade</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">Connection</span> <span class="nv">$connection_upgrade</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 长连接超时 </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_read_timeout</span> <span class="s">300s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_send_timeout</span> <span class="s">300s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>没加 <code>Upgrade</code> 头时</strong>浏览器控制台会报 <code>WebSocket connection to 'ws://...' failed: Invalid frame header</code>。</p> <h2 id="五四层转发tcp--udp-代理">五、四层转发:TCP / UDP 代理 </h2><p>Nginx 从 1.9 开始支持 <strong>stream 模块</strong>(四层),可以代理 MySQL、Redis、MQTT、SIP 等非 HTTP 协议。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="c1"># nginx.conf 顶层加 stream block(与 http 同级) </span></span></span><span class="line"><span class="cl"><span class="k">stream</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">log_format</span> <span class="s">proxy</span> <span class="s">&#39;[</span><span class="nv">$time_local]</span> <span class="nv">$protocol</span> <span class="s">status:</span><span class="nv">$status,</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;bytes</span> <span class="s">client:</span><span class="nv">$bytes_sent/$bytes_received</span> <span class="nv">$session_time,</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;client:</span> <span class="nv">$remote_addr,</span> <span class="s">upstream:&#34;</span><span class="nv">$upstream_addr&#34;,</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;bytes</span> <span class="s">upstream:</span><span class="nv">$upstream_bytes_sent</span> <span class="nv">$upstream_bytes_received&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">access_log</span> <span class="s">/var/log/nginx/stream.log</span> <span class="s">proxy</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># MySQL 反代 </span></span></span><span class="line"><span class="cl"> <span class="kn">upstream</span> <span class="s">mysql</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.1</span><span class="p">:</span><span class="mi">3306</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=10s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.2</span><span class="p">:</span><span class="mi">3306</span> <span class="s">max_fails=2</span> <span class="s">fail_timeout=10s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">3306</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">mysql</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_connect_timeout</span> <span class="s">5s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 端口段转发(PASV FTP 必备) </span></span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">21100</span><span class="s">-21110</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="n">10.0.0.1</span><span class="p">:</span><span class="nv">$server_port</span><span class="p">;</span> <span class="c1"># $server_port 是动态端口 </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>实战案例</strong>:FTP 服务<strong>主动模式</strong>要在客户端出口网络(防火墙 / NAT)做端口段转发,stream 模块就是干这个的。</p> <h2 id="六ssl--https-完整配置">六、SSL / HTTPS 完整配置 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">server_name</span> <span class="s">api.example.com</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate</span> <span class="s">/etc/nginx/ssl/fullchain.pem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate_key</span> <span class="s">/etc/nginx/ssl/privkey.pem</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 协议版本(生产只开 TLS 1.2+) </span></span></span><span class="line"><span class="cl"> <span class="kn">ssl_protocols</span> <span class="s">TLSv1.2</span> <span class="s">TLSv1.3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 加密套件 </span></span></span><span class="line"><span class="cl"> <span class="kn">ssl_ciphers</span> <span class="s">&#39;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_prefer_server_ciphers</span> <span class="no">on</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># session 复用 </span></span></span><span class="line"><span class="cl"> <span class="kn">ssl_session_cache</span> <span class="s">shared:SSL:10m</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_session_timeout</span> <span class="s">1d</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_session_tickets</span> <span class="no">off</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># HSTS </span></span></span><span class="line"><span class="cl"> <span class="kn">add_header</span> <span class="s">Strict-Transport-Security</span> <span class="s">&#34;max-age=63072000&#34;</span> <span class="s">always</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># HTTP 强转 HTTPS </span></span></span><span class="line"><span class="cl"> <span class="kn">error_page</span> <span class="mi">497</span> <span class="s">https://</span><span class="nv">$host$request_uri</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">location</span> <span class="s">/</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">http://localhost:9000</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$http_host</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 80 强转 443 </span></span></span><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server_name</span> <span class="s">api.example.com</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">return</span> <span class="mi">301</span> <span class="s">https://</span><span class="nv">$server_name$request_uri</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>证书挂载</strong>(推荐用 bind mount 而非 ADD 进镜像):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker run -d <span class="se">\ </span></span></span><span class="line"><span class="cl"> -v /etc/letsencrypt/live/api.example.com:/etc/nginx/ssl:ro <span class="se">\ </span></span></span><span class="line"><span class="cl"> ... </span></span></code></pre></td></tr></table> </div> </div><p>证书 3 个月续期时 <code>nginx -s reload</code> 一下,<strong>不用重启容器</strong>。</p> <h2 id="七bitnaminginx-镜像优势">七、bitnami/nginx 镜像优势 </h2><p><a class="link" href="https://github.com/bitnami/containers/tree/main/bitnami/nginx" target="_blank" rel="noopener" >bitnami/nginx</a> 相对官方 <code>nginx</code> 镜像有几个明显优势:</p> <table> <thead> <tr> <th>特性</th> <th>官方 <code>nginx</code></th> <th><code>bitnami/nginx</code></th> </tr> </thead> <tbody> <tr> <td>非 root 用户运行</td> <td>默认 <code>root</code>(<strong>安全风险</strong>)</td> <td>默认 uid 1001</td> </tr> <tr> <td>默认 HSTS / 安全头</td> <td>无</td> <td>有</td> </tr> <tr> <td>健康检查</td> <td>无</td> <td><code>HEALTHCHECK</code> 内置</td> </tr> <tr> <td>日志切分</td> <td>无</td> <td>接入 stdout/stderr</td> </tr> <tr> <td>镜像体积</td> <td>~ 140MB</td> <td>~ 90MB</td> </tr> </tbody> </table> <p><strong>生产强烈推荐 bitnami 镜像</strong>。<code>root</code> 运行的 nginx 容器一旦被攻破就拿到宿主 root——<code>bitnami</code> 默认 <code>nginx</code> 用户运行,<strong>减少 90% 的攻击面</strong>。</p> <h2 id="八生产部署清单">八、生产部署清单 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. 准备前端 dist</span> </span></span><span class="line"><span class="cl">npm run build <span class="c1"># 生成 dist/</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 准备 nginx.conf(用上面的模板)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. 准备 SSL 证书</span> </span></span><span class="line"><span class="cl">mkdir -p ssl <span class="o">&amp;&amp;</span> cp /etc/letsencrypt/live/example.com/* ssl/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 4. 构建镜像</span> </span></span><span class="line"><span class="cl">docker build -t dockerhub.example.com/library/web:20240730 . </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 5. 推到 Harbor</span> </span></span><span class="line"><span class="cl">docker push dockerhub.example.com/library/web:20240730 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 6. 生产部署</span> </span></span><span class="line"><span class="cl">docker run -d --name web --restart<span class="o">=</span>always <span class="se">\ </span></span></span><span class="line"><span class="cl"> --network<span class="o">=</span>web <span class="se">\ </span></span></span><span class="line"><span class="cl"> -p 443:443 -p 80:80 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -v /data/web/ssl:/etc/nginx/ssl:ro <span class="se">\ </span></span></span><span class="line"><span class="cl"> dockerhub.example.com/library/web:20240730 </span></span></code></pre></td></tr></table> </div> </div><h2 id="九监控与日志">九、监控与日志 </h2><p><strong>日志接入</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="c1"># 用 Loki / ELK 收集,docker-compose 里加 logging driver </span></span></span><span class="line"><span class="cl"><span class="k">logging:</span> </span></span><span class="line"><span class="cl"> <span class="s">driver:</span> <span class="s">loki</span> </span></span><span class="line"><span class="cl"> <span class="s">options:</span> </span></span><span class="line"><span class="cl"> <span class="s">loki-url:</span> <span class="s">&#34;http://internal.example.com:3100/loki/api/v1/push&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">max-size:</span> <span class="s">&#34;50m&#34;</span> </span></span><span class="line"><span class="cl"> <span class="s">max-file:</span> <span class="s">&#34;10&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>健康检查</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">location</span> <span class="s">/nginx_status</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">stub_status</span> <span class="no">on</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">access_log</span> <span class="no">off</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">allow</span> <span class="n">127.0.0.1</span><span class="p">;</span> <span class="c1"># 只允许内网 </span></span></span><span class="line"><span class="cl"> <span class="kn">deny</span> <span class="s">all</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>容器外查:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl http://container-ip/nginx_status </span></span><span class="line"><span class="cl"><span class="c1"># Active connections: 2</span> </span></span><span class="line"><span class="cl"><span class="c1"># server accepts handled requests</span> </span></span><span class="line"><span class="cl"><span class="c1"># 100 100 200</span> </span></span><span class="line"><span class="cl"><span class="c1"># Reading: 0 Writing: 1 Waiting: 1</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="十常见坑位">十、常见坑位 </h2><h3 id="101-反代后端丢失-https-信息">10.1 反代后端丢失 HTTPS 信息 </h3><p>后端 Spring Boot 拿到 <code>request.getScheme()</code> 是 <code>http</code> 不是 <code>https</code>——<strong>因为 nginx 用 HTTP 协议连后端</strong>。</p> <p><strong>修复</strong>:后端配 <code>server.tomcat.remoteip.protocol-header=X-Forwarded-Proto</code>,<strong>或</strong> Nginx 显式传:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="102-spa-路由-404">10.2 SPA 路由 404 </h3><p>直接访问 <code>https://app.example.com/user/profile</code> 返回 404。</p> <p><strong>修复</strong>:<code>try_files $uri $uri/ /index.html;</code>——<strong>所有未匹配路径都返回 index.html</strong>,由前端路由处理。</p> <h3 id="103-websocket-反复断连">10.3 WebSocket 反复断连 </h3><p><strong>症状</strong>:WSS 连接 60 秒断一次。</p> <p><strong>原因</strong>:默认 <code>proxy_read_timeout 60s</code>,WebSocket 是长连接,超过 60 秒没数据就被切断。</p> <p><strong>修复</strong>:<code>proxy_read_timeout 300s;</code> 或更长。</p> <h3 id="104-gzip-对小文件无效果">10.4 gzip 对小文件无效果 </h3><p><code>gzip_min_length 1k;</code> 控制 1KB 以下的文件不压缩——<code>gzip_types</code> 只决定&quot;压缩什么类型&quot;,<strong>文件大小阈值由 min_length 控制</strong>。</p> <h2 id="2024-视角补充">2024+ 视角补充 </h2><p>本文写于 2023-09,2024-2026 期间 Nginx 自建镜像关键演进:</p> <ul> <li><strong>Nginx 1.27 LTS</strong>(2024-11):HTTP/3(QUIC)GA;OpenSSL 3.x;动态 SSL 证书加载</li> <li><strong>Nginx 1.28 LTS</strong>(2025-Q4 预期):<strong>ACMEv2 自动证书</strong>(不用 certbot);<strong>BoringSSL</strong> 可选</li> <li><strong>Nginx Unit 1.34+</strong>(2024-2026):<strong>应用服务器模式</strong>(Go / Node / Python / Java / PHP)——Web + App Server 一体</li> <li><strong>Nginx Ingress 1.12+</strong>(K8s):<strong>Gateway API GA</strong>;<strong>IPV6 双栈</strong>;<strong>WAF 集成</strong></li> <li><strong>OpenResty 1.25+</strong>:Lua 生态成熟,<strong>API Gateway / WAF 场景仍是首选</strong></li> <li><strong>bitnami/nginx 镜像</strong>:2024+ 仍维护,<strong>非 root 用户 / 健康检查</strong>仍是优势</li> <li><strong>替代品</strong>(2024+ 视角): <ul> <li><strong>Caddy 2.x</strong>:<strong>自动 HTTPS / Caddyfile 简洁</strong>——新项目首选</li> <li><strong>Traefik 3.x</strong>:K8s 原生 / 自动服务发现</li> <li><strong>HAProxy 3.x</strong>:<strong>四层代理性能优于 Nginx</strong>——数据库 / TCP 代理首选</li> </ul> </li> </ul> <p><strong>实战建议(2025-2026 视角)</strong>:</p> <ul> <li><strong>传统 Web 反代 / 静态站</strong> → <strong>Nginx 1.27 LTS 仍是生产首选</strong></li> <li><strong>想要最少配置 / 自动 HTTPS</strong> → <strong>Caddy 2.x</strong></li> <li><strong>K8s 入口</strong> → <strong>Nginx Ingress 1.12+ / Traefik 3.x / Gateway API</strong></li> <li><strong>API Gateway / WAF</strong> → <strong>OpenResty 1.25+</strong> 仍是稳态</li> <li><strong>数据库 / TCP 代理</strong> → <strong>HAProxy 3.x</strong></li> </ul> <h2 id="下一步">下一步 </h2><ul> <li>想看 <strong>Go 自建最小镜像</strong>(scratch 5MB 级别)→ <a class="link" href="#" >Go 自建最小镜像</a></li> <li>想看 <strong>MinIO 对象存储实战</strong>(含 Nginx 反代安全加固)→ <a class="link" href="#" >MinIO 对象存储实战</a></li> <li>想看 <strong>Java 微服务治理</strong>(Sentinel 限流 / Spring Boot Admin)→ <a class="link" href="#" >Java 微服务治理</a></li> </ul>FTP 服务自托管:vsftpd / pure-ftpd 主被动模式 + Nginx stream + SSLhttps://liangweidonggood.github.io/p/ftp-fuwu-zizhuji/Mon, 15 Mar 2021 00:00:00 +0800https://liangweidonggood.github.io/p/ftp-fuwu-zizhuji/<img src="https://liangweidonggood.github.io/p/ftp-fuwu-zizhuji/image/cover.jpg" alt="Featured image of post FTP 服务自托管:vsftpd / pure-ftpd 主被动模式 + Nginx stream + SSL" /><p>FTP 是企业里&quot;老但稳定&quot;的文件传输方案——<strong>服务器间脚本同步、备份归档、跨地域传输</strong>都还在用。本篇把 vsftpd 与 pure-ftpd 的 Docker 化部署、主被动模式原理、Nginx stream 四层代理、SSL 加密整理清楚。</p> <blockquote> <p><strong>阅读对象</strong>:运维 / 部署工程师、需要搭建内部文件服务器的技术团队 <strong>覆盖范围</strong>:FTP 主动 / 被动模式原理 + vsftpd 完整部署 + pure-ftpd 完整部署 + 虚拟用户 + SSL/TLS 加密 + Nginx stream 反代 + 常见客户端测试</p> </blockquote> <h2 id="一ftp-协议基础">一、FTP 协议基础 </h2><h3 id="11-两个端口">1.1 两个端口 </h3><table> <thead> <tr> <th>端口</th> <th>作用</th> </tr> </thead> <tbody> <tr> <td><strong>21</strong></td> <td>控制端口(命令)</td> </tr> <tr> <td><strong>20</strong></td> <td>数据端口(<strong>仅主动模式</strong>)</td> </tr> </tbody> </table> <p><strong>主动模式(PORT)</strong>:服务器从 20 端口<strong>主动</strong>连客户端告知的端口。 <strong>被动模式(PASV)</strong>:服务器告知客户端自己的地址 + 端口,<strong>等客户端来连</strong>。</p> <p><strong>实战推荐被动模式</strong>——客户端不用开端口,服务器在公网就行。</p> <h3 id="12-主动-vs-被动模式">1.2 主动 vs 被动模式 </h3><table> <thead> <tr> <th>维度</th> <th>主动模式</th> <th>被动模式</th> </tr> </thead> <tbody> <tr> <td>数据连接</td> <td>服务器 → 客户端</td> <td>客户端 → 服务器</td> </tr> <tr> <td>客户端要求</td> <td>必须有公网 IP</td> <td>任何网络</td> </tr> <tr> <td>防火墙</td> <td>客户端要放行随机端口</td> <td>服务器要放行 PASV 端口段</td> </tr> <tr> <td>适用</td> <td>内网</td> <td><strong>公网推荐</strong></td> </tr> </tbody> </table> <p><strong>核心难点</strong>:FTP 协议需要 2 个连接,<strong>NAT / 防火墙容易把数据连接搞断</strong>——必须正确配置。</p> <h2 id="二vsftpd-部署">二、vsftpd 部署 </h2><p><a class="link" href="https://security.appspot.com/vsftpd.html" target="_blank" rel="noopener" >vsftpd</a>(Very Secure FTPD)是 Linux 默认 FTP 服务端,<strong>最稳定</strong>。</p> <h3 id="21-拉取镜像">2.1 拉取镜像 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker pull fauria/vsftpd </span></span></code></pre></td></tr></table> </div> </div><h3 id="22-启动容器">2.2 启动容器 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 测试端口占用</span> </span></span><span class="line"><span class="cl">lsof -i:21100-21110 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 启动</span> </span></span><span class="line"><span class="cl">docker run -d --name vsftpd --restart<span class="o">=</span>always <span class="se">\ </span></span></span><span class="line"><span class="cl"> -p 20:20 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -p 21:21 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -p 21100-21110:21100-21110 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -v /home/docker/vsftpd/data:/home/vsftpd <span class="se">\ </span></span></span><span class="line"><span class="cl"> -v /home/docker/vsftpd/log:/var/log <span class="se">\ </span></span></span><span class="line"><span class="cl"> -e <span class="nv">FTP_USER</span><span class="o">=</span>www <span class="se">\ </span></span></span><span class="line"><span class="cl"> -e <span class="nv">FTP_PASS</span><span class="o">={{</span>REDACTED<span class="o">}}</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -e <span class="nv">PASV_ADDRESS</span><span class="o">=</span>203.0.113.10 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -e <span class="nv">PASV_MIN_PORT</span><span class="o">=</span><span class="m">21100</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -e <span class="nv">PASV_MAX_PORT</span><span class="o">=</span><span class="m">21110</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -e <span class="nv">REVERSE_LOOKUP_ENABLE</span><span class="o">=</span>NO <span class="se">\ </span></span></span><span class="line"><span class="cl"> fauria/vsftpd </span></span></code></pre></td></tr></table> </div> </div><p><strong>关键参数</strong>:</p> <ul> <li><code>PASV_ADDRESS=203.0.113.10</code>:<strong>服务器公网 IP</strong>——必须设对,否则客户端连不上</li> <li><code>PASV_MIN_PORT / MAX_PORT</code>:PASV 模式端口段——<strong>防火墙必须放行</strong></li> <li><code>REVERSE_LOOKUP_ENABLE=NO</code>:<strong>强烈推荐</strong>——避免 DNS 反向解析卡登录</li> </ul> <h3 id="23-完整环境变量">2.3 完整环境变量 </h3><table> <thead> <tr> <th>变量</th> <th>默认</th> <th>说明</th> </tr> </thead> <tbody> <tr> <td><code>FTP_USER</code></td> <td><code>admin</code></td> <td>默认用户</td> </tr> <tr> <td><code>FTP_PASS</code></td> <td>随机 16 位</td> <td>不指定就随机</td> </tr> <tr> <td><code>PASV_ADDRESS</code></td> <td>Docker host IP</td> <td><strong>配服务器公网 IP</strong></td> </tr> <tr> <td><code>PASV_ADDR_RESOLVE</code></td> <td><code>NO</code></td> <td>主机名解析</td> </tr> <tr> <td><code>PASV_ENABLE</code></td> <td><code>YES</code></td> <td>启用被动模式</td> </tr> <tr> <td><code>PASV_MIN_PORT</code></td> <td><code>21100</code></td> <td>PASV 起始端口</td> </tr> <tr> <td><code>PASV_MAX_PORT</code></td> <td><code>21110</code></td> <td>PASV 结束端口</td> </tr> <tr> <td><code>REVERSE_LOOKUP_ENABLE</code></td> <td><code>YES</code></td> <td>设为 NO 加快登录</td> </tr> <tr> <td><code>PASV_PROMISCUOUS</code></td> <td><code>NO</code></td> <td>关闭被动模式安全检查</td> </tr> <tr> <td><code>PORT_PROMISCUOUS</code></td> <td><code>NO</code></td> <td>关闭主动模式安全检查</td> </tr> </tbody> </table> <h3 id="24-手动创建用户">2.4 手动创建用户 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 进入容器</span> </span></span><span class="line"><span class="cl">docker <span class="nb">exec</span> -i -t vsftpd bash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 创建用户目录</span> </span></span><span class="line"><span class="cl">mkdir /home/vsftpd/myuser </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 写虚拟用户</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> -e <span class="s2">&#34;myuser\nmypass&#34;</span> &gt;&gt; /etc/vsftpd/virtual_users.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 转换数据库</span> </span></span><span class="line"><span class="cl">/usr/bin/db_load -T -t <span class="nb">hash</span> -f /etc/vsftpd/virtual_users.txt /etc/vsftpd/virtual_users.db </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 退出并重启</span> </span></span><span class="line"><span class="cl"><span class="nb">exit</span> </span></span><span class="line"><span class="cl">docker restart vsftpd </span></span></code></pre></td></tr></table> </div> </div><h3 id="25-生成-ssl-证书">2.5 生成 SSL 证书 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 创建自签证书(生产用 Let&#39;s Encrypt)</span> </span></span><span class="line"><span class="cl">openssl req -x509 -nodes -days <span class="m">365</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -newkey rsa:2048 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -keyout /etc/vsftpd/vsftpd.pem <span class="se">\ </span></span></span><span class="line"><span class="cl"> -out /etc/vsftpd/vsftpd.pem </span></span></code></pre></td></tr></table> </div> </div><p>挂载到容器:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">-v /home/docker/vsftpd/ssl/vsftpd.pem:/etc/vsftpd/vsftpd.pem:ro </span></span></code></pre></td></tr></table> </div> </div><p>在 <code>vsftpd.conf</code> 加:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="na">ssl_enable</span><span class="o">=</span><span class="s">YES</span> </span></span><span class="line"><span class="cl"><span class="na">ssl_tlsv1</span><span class="o">=</span><span class="s">YES</span> </span></span><span class="line"><span class="cl"><span class="na">ssl_sslv2</span><span class="o">=</span><span class="s">NO</span> </span></span><span class="line"><span class="cl"><span class="na">ssl_sslv3</span><span class="o">=</span><span class="s">NO</span> </span></span><span class="line"><span class="cl"><span class="na">require_ssl_reuse</span><span class="o">=</span><span class="s">NO</span> </span></span><span class="line"><span class="cl"><span class="na">ssl_ciphers</span><span class="o">=</span><span class="s">HIGH</span> </span></span><span class="line"><span class="cl"><span class="na">rsa_cert_file</span><span class="o">=</span><span class="s">/etc/vsftpd/vsftpd.pem</span> </span></span><span class="line"><span class="cl"><span class="na">rsa_private_key_file</span><span class="o">=</span><span class="s">/etc/vsftpd/vsftpd.pem</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>客户端必须选&quot;显式 TLS&quot;</strong>(FTPS),不是 SFTP(SSH 文件传输)。</p> <h2 id="三pure-ftpd-部署">三、pure-ftpd 部署 </h2><p><a class="link" href="https://www.pureftpd.org/" target="_blank" rel="noopener" >pure-ftpd</a> 是另一个流行的 FTP 服务端,<strong>虚拟用户管理更灵活</strong>。</p> <h3 id="31-拉取镜像">3.1 拉取镜像 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker pull stilliard/pure-ftpd </span></span></code></pre></td></tr></table> </div> </div><h3 id="32-启动容器">3.2 启动容器 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker run -d --name ftp --restart<span class="o">=</span>always <span class="se">\ </span></span></span><span class="line"><span class="cl"> -p 20-21:20-21 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -p 30000-30009:30000-30009 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -v /home/ftp/conf:/etc/pure-ftpd/passwd <span class="se">\ </span></span></span><span class="line"><span class="cl"> -v /home/ftp/data:/home/ftpusers/www <span class="se">\ </span></span></span><span class="line"><span class="cl"> -v /home/ftp/data:/home/ftp <span class="se">\ </span></span></span><span class="line"><span class="cl"> -e <span class="s2">&#34;PUBLICHOST=localhost&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> stilliard/pure-ftpd <span class="se">\ </span></span></span><span class="line"><span class="cl"> /bin/bash -c <span class="s2">&#34;useradd ftp; \ </span></span></span><span class="line"><span class="cl"><span class="s2"> usermod -d /home/ftp ftp; \ </span></span></span><span class="line"><span class="cl"><span class="s2"> /run.sh -c 100 -C 10 \ </span></span></span><span class="line"><span class="cl"><span class="s2"> -l puredb:/etc/pure-ftpd/pureftpd.pdb \ </span></span></span><span class="line"><span class="cl"><span class="s2"> -j -i -R \ </span></span></span><span class="line"><span class="cl"><span class="s2"> -P 10.0.0.1 -p 30000:30009&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="33-参数详解">3.3 参数详解 </h3><table> <thead> <tr> <th>参数</th> <th>含义</th> </tr> </thead> <tbody> <tr> <td><code>-c 100</code></td> <td>最大客户端数 100</td> </tr> <tr> <td><code>-C 10</code></td> <td>每 IP 最多 10 个连接</td> </tr> <tr> <td><code>-l puredb:...</code></td> <td>虚拟用户文件</td> </tr> <tr> <td><code>-j</code></td> <td>自动创建家目录</td> </tr> <tr> <td><code>-i</code></td> <td>匿名用户不允许上传</td> </tr> <tr> <td><code>-R</code></td> <td>不允许 chmod</td> </tr> <tr> <td><code>-P 10.0.0.1</code></td> <td>PASV 模式告知客户端的 IP</td> </tr> <tr> <td><code>-p 30000:30009</code></td> <td>PASV 端口段</td> </tr> </tbody> </table> <h3 id="34-虚拟用户管理">3.4 虚拟用户管理 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 进入容器</span> </span></span><span class="line"><span class="cl">docker <span class="nb">exec</span> -it ftp /bin/bash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 添加用户 www(密码 {{REDACTED}})</span> </span></span><span class="line"><span class="cl">pure-pw useradd www <span class="se">\ </span></span></span><span class="line"><span class="cl"> -f /etc/pure-ftpd/passwd/pureftpd.passwd <span class="se">\ </span></span></span><span class="line"><span class="cl"> -m <span class="se">\ </span></span></span><span class="line"><span class="cl"> -u ftpuser <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d /home/ftpusers/www </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 修改家目录权限</span> </span></span><span class="line"><span class="cl">chmod -R <span class="m">777</span> /home/ftp/data/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 删除用户</span> </span></span><span class="line"><span class="cl">pure-pw userdel www -f /etc/pure-ftpd/passwd/pureftpd.passwd -m </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查看用户列表</span> </span></span><span class="line"><span class="cl">pure-pw list -f /etc/pure-ftpd/passwd/pureftpd.passwd </span></span></code></pre></td></tr></table> </div> </div><h3 id="35-验证测试">3.5 验证测试 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. 在宿主机创建文件</span> </span></span><span class="line"><span class="cl">touch /home/ftp/data/test.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 浏览器访问(匿名)</span> </span></span><span class="line"><span class="cl">ftp://&lt;SERVER_IP&gt;:21 </span></span><span class="line"><span class="cl"><span class="c1"># 应该能看到 test.txt(无需密码)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. FTP 工具连接</span> </span></span><span class="line"><span class="cl"><span class="c1"># 用户名 www,密码 {{REDACTED}}</span> </span></span><span class="line"><span class="cl"><span class="c1"># 看到 test.txt,能下载能上传能删除</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 4. 主被动模式测试</span> </span></span><span class="line"><span class="cl"><span class="c1"># 在客户端(FileZilla)切换主动 / 被动模式,都能正常上传下载</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="36-清理">3.6 清理 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker rm -f ftp </span></span><span class="line"><span class="cl">rm -rf /home/ftp </span></span></code></pre></td></tr></table> </div> </div><h2 id="四nginx-stream-四层代理">四、Nginx stream 四层代理 </h2><p>FTP 服务器在内网,要暴露到公网?<strong>Nginx stream 模块</strong>做四层代理。</p> <h3 id="41-完整-stream-配置">4.1 完整 stream 配置 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">stream</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># FTP 控制端口 </span></span></span><span class="line"><span class="cl"> <span class="kn">upstream</span> <span class="s">ftp_control</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.1</span><span class="p">:</span><span class="mi">21</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">21</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">ftp_control</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_connect_timeout</span> <span class="s">1s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_timeout</span> <span class="mi">10m</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># FTP 主动模式数据端口(20) </span></span></span><span class="line"><span class="cl"> <span class="kn">upstream</span> <span class="s">ftp_data</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.1</span><span class="p">:</span><span class="mi">20</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">20</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">ftp_data</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_connect_timeout</span> <span class="s">1s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_timeout</span> <span class="mi">10m</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># PASV 端口段 </span></span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">21100</span><span class="s">-21110</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="n">10.0.0.1</span><span class="p">:</span><span class="nv">$server_port</span><span class="p">;</span> <span class="c1"># $server_port 是动态端口 </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>关键点</strong>:</p> <ul> <li><code>proxy_pass 10.0.0.1:$server_port</code>:<strong>动态端口转发</strong>——客户端连 21100 转到 21100,21101 转到 21101</li> <li><code>proxy_timeout 10m</code>:<strong>10 分钟无数据不切断</strong>——大文件传输必备</li> <li><code>proxy_upload_rate / proxy_download_rate</code>:<strong>限速</strong>(生产推荐)</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">21100</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="n">10.0.0.1</span><span class="p">:</span><span class="mi">21100</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_upload_rate</span> <span class="mi">10240k</span><span class="p">;</span> <span class="c1"># 上传限速 10MB/s </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_download_rate</span> <span class="mi">20480k</span><span class="p">;</span> <span class="c1"># 下载限速 20MB/s </span></span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="42-ssl--ftps-代理">4.2 SSL / FTPS 代理 </h3><p>FTPS(FTP over TLS)的四层代理较复杂——<strong>TLS 加密流无法被 Nginx 解密再加密</strong>。</p> <p><strong>推荐方案</strong>:</p> <ul> <li>用 <strong>HAProxy</strong>(原生支持 SSL 透传)</li> <li>或直接在 FTP 服务器端处理 TLS,<strong>Nginx 只代理明文</strong></li> </ul> <h2 id="五客户端使用">五、客户端使用 </h2><h3 id="51-命令行">5.1 命令行 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 上传 / 下载测试</span> </span></span><span class="line"><span class="cl">curl -u www:<span class="o">{{</span>REDACTED<span class="o">}}</span> ftp://203.0.113.10/k8s/test.sh <span class="p">|</span> bash </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 列出</span> </span></span><span class="line"><span class="cl">curl -u www:<span class="o">{{</span>REDACTED<span class="o">}}</span> ftp://203.0.113.10/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 主动模式</span> </span></span><span class="line"><span class="cl">curl -u www:<span class="o">{{</span>REDACTED<span class="o">}}</span> --ftp-port - ftp://203.0.113.10/file </span></span></code></pre></td></tr></table> </div> </div><h3 id="52-filezilla">5.2 FileZilla </h3><p>跨平台 FTP 客户端,<strong>首选</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">主机:203.0.113.10 </span></span><span class="line"><span class="cl">用户名:www </span></span><span class="line"><span class="cl">密码:{{REDACTED}} </span></span><span class="line"><span class="cl">端口:21 </span></span></code></pre></td></tr></table> </div> </div><p><strong>关键设置</strong>:</p> <ul> <li>传输模式:被动(推荐)</li> <li>加密:显式的 TLS(FTPS)</li> </ul> <h3 id="53-winscpwindows">5.3 WinSCP(Windows) </h3><p>适合<strong>自动化脚本</strong>(批处理):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bat" data-lang="bat"><span class="line"><span class="cl"><span class="p">@</span><span class="k">echo</span> off </span></span><span class="line"><span class="cl"><span class="s2">&#34;C:\Program Files\WinSCP\WinSCP.com&#34;</span> <span class="se">^ </span></span></span><span class="line"><span class="cl"><span class="se"> </span> /command <span class="s2">&#34;open ftp://www:{{REDACTED}}@203.0.113.10/&#34;</span> <span class="se">^ </span></span></span><span class="line"><span class="cl"><span class="se"> </span> <span class="s2">&#34;put C:\local\file.zip /remote/file.zip&#34;</span> <span class="se">^ </span></span></span><span class="line"><span class="cl"><span class="se"> </span> <span class="s2">&#34;exit&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="54-lftplinux-推荐">5.4 lftp(Linux 推荐) </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 批量上传</span> </span></span><span class="line"><span class="cl">lftp -u www,<span class="o">{{</span>REDACTED<span class="o">}}</span> -e <span class="s2">&#34;mirror -R /local/path /remote/path&#34;</span> 203.0.113.10 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 加密传输</span> </span></span><span class="line"><span class="cl">lftp -u www,<span class="o">{{</span>REDACTED<span class="o">}}</span> -e <span class="s2">&#34;set ftp:ssl-force true; set ftp:ssl-protect-data true; ls&#34;</span> 203.0.113.10 </span></span></code></pre></td></tr></table> </div> </div><h2 id="六典型坑位">六、典型坑位 </h2><h3 id="61-登录成功但列不出文件">6.1 登录成功但列不出文件 </h3><p><strong>症状</strong>:PASV 模式登录后卡住,<strong>服务器等待客户端连数据端口</strong>。</p> <p><strong>原因</strong>:</p> <ul> <li><code>PASV_ADDRESS</code> 没设对</li> <li>防火墙没放行 PASV 端口段</li> <li>Nginx 反代没配端口段转发</li> </ul> <p><strong>修复</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. 确认 PASV_ADDRESS 是公网 IP(不是 127.0.0.1)</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="nv">$PASV_ADDRESS</span> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 防火墙放行</span> </span></span><span class="line"><span class="cl">iptables -A INPUT -p tcp --dport 21100:21110 -j ACCEPT </span></span><span class="line"><span class="cl"><span class="c1"># 3. Nginx stream 加端口段</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="62-主动模式连不上">6.2 主动模式连不上 </h3><p><strong>症状</strong>:PORT 模式报 &ldquo;Connection refused&rdquo;。</p> <p><strong>原因</strong>:服务器 20 端口<strong>主动连客户端</strong>,客户端在 NAT / 防火墙后。</p> <p><strong>修复</strong>:改用 PASV 模式,<strong>别折腾主动模式</strong>。</p> <h3 id="63-上传文件-0-字节">6.3 上传文件 0 字节 </h3><p><strong>症状</strong>:客户端显示上传成功,服务器文件是 0 字节。</p> <p><strong>原因</strong>:PASV 端口被防火墙 drop 掉了。</p> <p><strong>修复</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. tcpdump 看数据连接</span> </span></span><span class="line"><span class="cl">tcpdump -i any port 21100-21110 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 防火墙状态</span> </span></span><span class="line"><span class="cl">iptables -L -n <span class="p">|</span> grep <span class="m">21100</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="64-vsftpd-启动报-500-oops">6.4 vsftpd 启动报 &ldquo;500 OOPS&rdquo; </h3><p><strong>修复</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 容器内检查 vsftpd.conf</span> </span></span><span class="line"><span class="cl">docker <span class="nb">exec</span> vsftpd cat /etc/vsftpd/vsftpd.conf <span class="p">|</span> grep -v <span class="s2">&#34;^#&#34;</span> <span class="p">|</span> grep -v <span class="s2">&#34;^</span>$<span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 常见错误:listen_ipv6=YES + listen=YES 冲突</span> </span></span><span class="line"><span class="cl"><span class="c1"># 修法:二选一</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;listen=YES&#34;</span> &gt;&gt; /etc/vsftpd/vsftpd.conf </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;listen_ipv6=NO&#34;</span> &gt;&gt; /etc/vsftpd/vsftpd.conf </span></span></code></pre></td></tr></table> </div> </div><h2 id="七vsftpd-vs-pure-ftpd-选型">七、vsftpd vs pure-ftpd 选型 </h2><table> <thead> <tr> <th>维度</th> <th>vsftpd</th> <th>pure-ftpd</th> </tr> </thead> <tbody> <tr> <td>性能</td> <td>高</td> <td>中等</td> </tr> <tr> <td>稳定性</td> <td><strong>极高</strong></td> <td>高</td> </tr> <tr> <td>配置</td> <td>简洁</td> <td>灵活</td> </tr> <tr> <td>虚拟用户</td> <td>手动 db_load</td> <td><strong>pure-pw 命令行</strong></td> </tr> <tr> <td>TLS / SSL</td> <td>支持</td> <td>支持</td> </tr> <tr> <td>Docker 镜像</td> <td>官方 vsftpd / fauria</td> <td>stilliard</td> </tr> <tr> <td>适合</td> <td>生产 / 简单场景</td> <td><strong>多用户 / 复杂权限</strong></td> </tr> </tbody> </table> <p><strong>简单场景选 vsftpd</strong>(稳定为先),<strong>多用户管理选 pure-ftpd</strong>(命令行友好)。</p> <h2 id="八生产安全清单">八、生产安全清单 </h2><h3 id="81-强制-tls">8.1 强制 TLS </h3><p><strong>vsftpd</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="na">ssl_enable</span><span class="o">=</span><span class="s">YES</span> </span></span><span class="line"><span class="cl"><span class="na">allow_anon_ssl</span><span class="o">=</span><span class="s">NO</span> </span></span><span class="line"><span class="cl"><span class="na">force_local_data_ssl</span><span class="o">=</span><span class="s">YES</span> </span></span><span class="line"><span class="cl"><span class="na">force_local_logins_ssl</span><span class="o">=</span><span class="s">YES</span> </span></span><span class="line"><span class="cl"><span class="na">ssl_tlsv1</span><span class="o">=</span><span class="s">YES</span> </span></span><span class="line"><span class="cl"><span class="na">ssl_sslv2</span><span class="o">=</span><span class="s">NO</span> </span></span><span class="line"><span class="cl"><span class="na">ssl_sslv3</span><span class="o">=</span><span class="s">NO</span> </span></span><span class="line"><span class="cl"><span class="na">require_ssl_reuse</span><span class="o">=</span><span class="s">NO</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>pure-ftpd</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;TLS 1&#34;</span> &gt; /etc/pure-ftpd/conf/TLS </span></span><span class="line"><span class="cl"><span class="c1"># 把证书放到 /etc/ssl/private/pure-ftpd.pem</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="82-限制用户目录">8.2 限制用户目录 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># vsftpd</span> </span></span><span class="line"><span class="cl"><span class="na">chroot_local_user</span><span class="o">=</span><span class="s">YES</span> </span></span><span class="line"><span class="cl"><span class="na">allow_writeable_chroot</span><span class="o">=</span><span class="s">YES</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># pure-ftpd</span> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;YES&#34;</span> &gt; /etc/pure-ftpd/conf/ChrootEveryone </span></span></code></pre></td></tr></table> </div> </div><h3 id="83-限速">8.3 限速 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># vsftpd</span> </span></span><span class="line"><span class="cl"><span class="na">local_max_rate</span><span class="o">=</span><span class="s">1024000 # 1MB/s</span> </span></span><span class="line"><span class="cl"><span class="na">anon_max_rate</span><span class="o">=</span><span class="s">512000 # 500KB/s</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="84-禁用匿名">8.4 禁用匿名 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="na">anonymous_enable</span><span class="o">=</span><span class="s">NO</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="85-fail2ban-防爆破">8.5 fail2ban 防爆破 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># /etc/fail2ban/jail.local</span> </span></span><span class="line"><span class="cl"><span class="k">[vsftpd]</span> </span></span><span class="line"><span class="cl"><span class="na">enabled</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">port</span> <span class="o">=</span> <span class="s">ftp,ftp-data,ftps,ftps-data</span> </span></span><span class="line"><span class="cl"><span class="na">filter</span> <span class="o">=</span> <span class="s">vsftpd</span> </span></span><span class="line"><span class="cl"><span class="na">logpath</span> <span class="o">=</span> <span class="s">/var/log/vsftpd.log</span> </span></span><span class="line"><span class="cl"><span class="na">maxretry</span> <span class="o">=</span> <span class="s">5</span> </span></span><span class="line"><span class="cl"><span class="na">bantime</span> <span class="o">=</span> <span class="s">3600</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="九监控与日志">九、监控与日志 </h2><h3 id="91-vsftpd-日志">9.1 vsftpd 日志 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 容器内</span> </span></span><span class="line"><span class="cl">docker <span class="nb">exec</span> vsftpd tail -f /var/log/vsftpd.log </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 输出示例</span> </span></span><span class="line"><span class="cl">Mon May <span class="m">21</span> 03:00:00 <span class="m">2021</span> <span class="o">[</span>pid 1<span class="o">]</span> CONNECT: Client <span class="s2">&#34;1.2.3.4&#34;</span> </span></span><span class="line"><span class="cl">Mon May <span class="m">21</span> 03:00:01 <span class="m">2021</span> <span class="o">[</span>pid 1<span class="o">]</span> <span class="o">[</span>www<span class="o">]</span> OK LOGIN: Client <span class="s2">&#34;1.2.3.4&#34;</span> </span></span><span class="line"><span class="cl">Mon May <span class="m">21</span> 03:00:05 <span class="m">2021</span> <span class="o">[</span>pid 1<span class="o">]</span> <span class="o">[</span>www<span class="o">]</span> OK UPLOAD: Client <span class="s2">&#34;1.2.3.4&#34;</span>, <span class="s2">&#34;/file.zip&#34;</span>, <span class="m">12345</span> bytes, 1.2 MB/s </span></span></code></pre></td></tr></table> </div> </div><h3 id="92-pure-ftpd-日志">9.2 pure-ftpd 日志 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker <span class="nb">exec</span> ftp tail -f /var/log/pure-ftpd/pureftpd.log </span></span></code></pre></td></tr></table> </div> </div><h3 id="93-接入-loki">9.3 接入 Loki </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">logging</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">driver</span><span class="p">:</span><span class="w"> </span><span class="l">loki</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">options</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">loki-url</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;http://internal.example.com:3100/loki/api/v1/push&#34;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h2 id="十卸载清理">十、卸载清理 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># vsftpd</span> </span></span><span class="line"><span class="cl">docker rm -f vsftpd </span></span><span class="line"><span class="cl">rm -rf /home/docker/vsftpd </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># pure-ftpd</span> </span></span><span class="line"><span class="cl">docker rm -f ftp </span></span><span class="line"><span class="cl">rm -rf /home/ftp </span></span></code></pre></td></tr></table> </div> </div><h2 id="十一2024-视角补充">十一、2024+ 视角补充 </h2><p>本文写于 2021-03,2024-2026 这几年里&quot;FTP 该不该用&quot;的共识有明显变化:</p> <p><strong>FTP 整体趋势</strong>:FTP 协议在 2020s 越来越被<strong>视为遗留技术</strong>——所有主流浏览器(Chrome、Firefox、Edge、Safari)自 <strong>2020-2021</strong> 起就在逐步<strong>淘汰 FTP 协议</strong>。RFC 959 设计于 1985,<strong>默认明文传输</strong>是致命伤(用户名/密码/文件内容全裸奔)。2024+ 的新项目,<strong>优先选 SFTP / HTTPS / MinIO / S3 兼容对象存储</strong>:</p> <table> <thead> <tr> <th>场景</th> <th>2021 主流</th> <th>2024+ 推荐</th> <th>理由</th> </tr> </thead> <tbody> <tr> <td>内部脚本同步</td> <td>FTP/FTPS</td> <td><strong>SFTP(SSH 自带)</strong></td> <td>SSH 默认安全,无需额外服务</td> </tr> <tr> <td>跨地域文件交换</td> <td>FTP 服务器</td> <td><strong>MinIO / S3 兼容对象存储</strong></td> <td>签名 URL、版本控制、跨域复制</td> </tr> <tr> <td>浏览器下载</td> <td>FTP URL</td> <td><strong>HTTPS + 静态站点</strong></td> <td>浏览器已不再支持 <code>ftp://</code> 链接</td> </tr> <tr> <td>客户端工具上传</td> <td>FileZilla/FTP</td> <td><strong>rclone + S3 兼容</strong></td> <td>增量同步、加密、断点续传</td> </tr> <tr> <td>老设备/老协议对接</td> <td>FTP</td> <td>FTP/FTPS(保留)</td> <td>无替代品时仍可用</td> </tr> </tbody> </table> <p><strong>vsftpd / pure-ftpd 项目现状</strong>:</p> <ul> <li><strong>vsftpd</strong> 仍维护,但 <strong>2024 年发布节奏明显放缓</strong>(最后大版本 3.0.5 在 2021)。新特性很少,主要是 CVE 修复</li> <li><strong>pure-ftpd</strong> 状态类似。社区分裂(部分分支用 Rust 重写,但未成熟)</li> <li><strong>ProFTPD</strong> 仍活跃(2024-2025 有 1.3.8+ 发布),但<strong>市场份额不大</strong></li> <li>新部署<strong>不推荐用</strong>这俩老牌项目,能用 SFTP 就用 SFTP</li> </ul> <p><strong>SFTP 容器化(vsftpd 替代)</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># atmoz/sftp 是 2024+ 最流行的自托管 SFTP 镜像</span> </span></span><span class="line"><span class="cl">docker run -d <span class="se">\ </span></span></span><span class="line"><span class="cl"> --name sftp <span class="se">\ </span></span></span><span class="line"><span class="cl"> -p 2222:22 <span class="se">\ </span></span></span><span class="line"><span class="cl"> -v /home/sftp/users.conf:/etc/sftp/users.conf:ro <span class="se">\ </span></span></span><span class="line"><span class="cl"> -v /home/sftp/data:/home <span class="se">\ </span></span></span><span class="line"><span class="cl"> atmoz/sftp <span class="se">\ </span></span></span><span class="line"><span class="cl"> www:<span class="o">{{</span>REDACTED<span class="o">}}</span>:1001:1001:upload </span></span></code></pre></td></tr></table> </div> </div><p><code>users.conf</code> 一行一个用户:<code>用户名:密码:UID:GID:家目录</code>——<strong>比 vsftpd 虚拟用户简单</strong>。</p> <p><strong>FTP 仍必要的场景</strong>(2024 仍存在):</p> <ul> <li>老的工业设备(数控机床、医疗仪器)只支持 FTP 上报数据</li> <li>老的 ERP / 财务系统只支持 FTP 文件交换</li> <li>与海外客户的 B2B 集成(对方系统只懂 FTP)</li> <li>备份归档脚本(老脚本不愿重写)</li> </ul> <p><strong>这些场景的加固清单</strong>:</p> <ul> <li><strong>必须 FTPS</strong>(FTP over TLS),不能明文</li> <li><strong>必须 fail2ban</strong></li> <li><strong>必须 chroot</strong> + 限制用户家目录</li> <li><strong>必须限速</strong>(防 DoS)</li> <li><strong>定期审计</strong>:看 <code>/var/log/vsftpd.log</code> 谁连了、传了什么</li> <li><strong>计划退出</strong>:列入&quot;2026 技术债清单&quot;,逐年替换</li> </ul> <p><strong>生产实践补充(2024 更新)</strong>:</p> <ul> <li><strong>HAProxy 替代 Nginx stream</strong> 做 FTPS 四层代理(Nginx stream 透传 TLS 麻烦)</li> <li><strong>CrowdSec</strong> 替代 fail2ban:社区共享 IP 黑名单,更新更频繁(2024 主流)</li> <li><strong>Caddy + sftp-bridge</strong>:Caddy 2024+ 原生支持 SFTP 代理,可以少一层 vsftpd</li> </ul> <h2 id="十二最佳实践清单">十二、最佳实践清单 </h2><ul> <li><strong>PASV 模式 + 公网 IP</strong>:避免主动模式 NAT 问题</li> <li><strong><code>PASV_ADDRESS</code> 必填</strong>:客户端才知道连哪里</li> <li><strong>PASV 端口段防火墙放行</strong>:21100-21110(或自定义)</li> <li><strong>Nginx stream 四层代理</strong>:内网 FTP 暴露公网</li> <li><strong>强制 TLS / SSL</strong>:FTPS 而非明文 FTP</li> <li><strong>chroot 限制用户家目录</strong>:防止越权访问</li> <li><strong>限速</strong>:避免大文件占满带宽</li> <li><strong>禁用匿名</strong>:除非业务需要</li> <li><strong>fail2ban / CrowdSec 防爆破</strong>:5 次失败封 1 小时</li> <li><strong>定期清理日志</strong>:vsftpd.log 不会自动 rotate</li> <li><strong>新项目优先 SFTP / S3</strong>:FTP 仅作为兼容老系统的备选</li> </ul> <h2 id="下一步">下一步 </h2><ul> <li>想看 <strong>NextCloud 网盘自托管</strong>(家用云盘)→ <a class="link" href="#" >NextCloud 网盘自托管</a></li> <li>想看 <strong>Seafile 私有云盘</strong>(高性能文件同步)→ <a class="link" href="#" >Seafile 私有云盘</a></li> <li>想看 <strong>Cloudreve 网盘</strong>(多存储后端)→ <a class="link" href="#" >Cloudreve 网盘</a></li> <li>想看 <strong>MinIO 对象存储实战</strong>(S3 兼容对象存储)→ <a class="link" href="#" >MinIO 对象存储实战</a></li> <li>想看 <strong>Nginx 自建镜像实战</strong>(含 stream 四层)→ <a class="link" href="#" >Nginx 自建镜像实战</a></li> </ul>Nginx stream 四层 TCP 代理实战:MSTSC 远程桌面透传与排错https://liangweidonggood.github.io/p/nginx-stream-tcp-dai-li-yu-pai-cuo/Sun, 15 Sep 2013 00:00:00 +0800https://liangweidonggood.github.io/p/nginx-stream-tcp-dai-li-yu-pai-cuo/<img src="https://liangweidonggood.github.io/p/nginx-stream-tcp-dai-li-yu-pai-cuo/image/cover.jpg" alt="Featured image of post Nginx stream 四层 TCP 代理实战:MSTSC 远程桌面透传与排错" /><h2 id="背景">背景 </h2><p>Nginx 早期是 HTTP(七层)反代神器,但从 <strong>1.9.0</strong>(2015 年)开始,<strong><code>ngx_stream_core_module</code></strong> 提供了<strong>四层(TCP/UDP)代理</strong>——能代理任何 TCP 协议:</p> <ul> <li><strong>RDP</strong>(Windows 远程桌面 3389)</li> <li><strong>MySQL</strong>、Redis、MongoDB</li> <li><strong>SSH</strong></li> <li><strong>SMTP</strong>、POP3</li> <li><strong>游戏服务器</strong></li> <li><strong>自定义 TCP 协议</strong></li> </ul> <p><strong>与 HAProxy/LVS 对比</strong>:</p> <table> <thead> <tr> <th>维度</th> <th>Nginx stream</th> <th>HAProxy</th> <th>LVS</th> </tr> </thead> <tbody> <tr> <td>学习成本</td> <td>最低</td> <td>中</td> <td>高</td> </tr> <tr> <td>性能</td> <td>中等</td> <td>强</td> <td>最强</td> </tr> <tr> <td>七层能力</td> <td>同时支持</td> <td>同时支持</td> <td>不支持</td> </tr> <tr> <td>适用规模</td> <td>中小(&lt; 5w QPS)</td> <td>大</td> <td>超大</td> </tr> </tbody> </table> <p><strong>典型场景</strong>:公司有几台 Windows 服务器,通过一台 Linux 反代把不同端口的 RDP 流量<strong>透明</strong>转发到不同后端,外网只暴露一个 VIP。</p> <hr> <h2 id="一nginx-stream-模块基础">一、Nginx stream 模块基础 </h2><h3 id="11-编译参数">1.1 编译参数 </h3><p>stream 模块<strong>不是默认编译的</strong>,需要 <code>--with-stream</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nginx -V </span></span><span class="line"><span class="cl"><span class="c1"># 看是否有 --with-stream</span> </span></span><span class="line"><span class="cl"><span class="c1"># 如果没有,要重编译</span> </span></span></code></pre></td></tr></table> </div> </div><p>重编译步骤:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 看现有参数</span> </span></span><span class="line"><span class="cl">nginx -V </span></span><span class="line"><span class="cl"><span class="c1"># 在最后加 --with-stream</span> </span></span><span class="line"><span class="cl">./configure &lt;原参数&gt; --with-stream </span></span><span class="line"><span class="cl">make </span></span><span class="line"><span class="cl"><span class="c1"># 不要 make install(会覆盖),手动替换二进制</span> </span></span><span class="line"><span class="cl">cp objs/nginx /usr/local/nginx/sbin/nginx </span></span></code></pre></td></tr></table> </div> </div><h3 id="12-配置结构">1.2 配置结构 </h3><p><code>/etc/nginx/nginx.conf</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="c1"># 顶层 stream 块(与 http 同级) </span></span></span><span class="line"><span class="cl"><span class="k">stream</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">log_format</span> <span class="s">proxy</span> <span class="s">&#39;</span><span class="nv">$remote_addr</span> <span class="s">[</span><span class="nv">$time_local]</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;</span><span class="nv">$protocol</span> <span class="nv">$status</span> <span class="nv">$bytes_sent</span> <span class="nv">$bytes_received</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;</span><span class="nv">$session_time</span> <span class="s">&#34;</span><span class="nv">$upstream_addr&#34;</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;</span><span class="nv">$upstream_bytes_sent</span> <span class="nv">$upstream_bytes_received</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;</span><span class="nv">$upstream_connect_time&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 引入 conf.d/ 下的所有 stream 配置 </span></span></span><span class="line"><span class="cl"> <span class="kn">include</span> <span class="s">/etc/nginx/stream/*.conf</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><code>/etc/nginx/stream/rdp.conf</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">upstream</span> <span class="s">rdp_pool</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">hash</span> <span class="nv">$remote_addr</span> <span class="s">consistent</span><span class="p">;</span> <span class="c1"># 同一客户端固定连同一后端 </span></span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.10</span><span class="p">:</span><span class="mi">3389</span> <span class="s">max_fails=3</span> <span class="s">fail_timeout=30s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.11</span><span class="p">:</span><span class="mi">3389</span> <span class="s">max_fails=3</span> <span class="s">fail_timeout=30s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">3390</span><span class="p">;</span> <span class="c1"># 外网端口 </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">rdp_pool</span><span class="p">;</span> <span class="c1"># 转发到 upstream </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_connect_timeout</span> <span class="s">10s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_timeout</span> <span class="s">300s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 自定义日志 </span></span></span><span class="line"><span class="cl"> <span class="kn">access_log</span> <span class="s">/var/log/nginx/rdp_access.log</span> <span class="s">proxy</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">error_log</span> <span class="s">/var/log/nginx/rdp_error.log</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>关键点</strong>:</p> <ul> <li><code>stream</code> 块在<strong>顶层</strong>(与 <code>http</code> 同级),<strong>不在</strong> <code>http</code> 里面</li> <li>监听端口不能与 <code>http</code> 块冲突</li> <li>没有 <code>server_name</code>、没有 <code>location</code>(四层只看 IP:Port)</li> </ul> <hr> <h2 id="二mstsc-远程桌面透传实战">二、MSTSC 远程桌面透传实战 </h2><p><strong>场景</strong>:公网 IP <code>47.104.152.64</code>,Windows 内网 RDP 真实地址 <code>10.0.0.10:3389</code>。</p> <h3 id="21-完整配置">2.1 完整配置 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">stream</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">log_format</span> <span class="s">proxy</span> <span class="s">&#39;[</span><span class="nv">$time_local]</span> <span class="nv">$protocol</span> <span class="s">status:</span><span class="nv">$status,</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;bytes</span> <span class="s">client:</span><span class="nv">$bytes_sent/$bytes_received</span> <span class="nv">$session_time,</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;client:</span> <span class="nv">$remote_addr,</span> <span class="s">upstream:&#34;</span><span class="nv">$upstream_addr&#34;,</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;bytes</span> <span class="s">upstream:</span><span class="nv">$upstream_bytes_sent</span> <span class="nv">$upstream_bytes_received</span> <span class="s">&#39;</span> </span></span><span class="line"><span class="cl"> <span class="s">&#39;</span><span class="nv">$upstream_connect_time&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">include</span> <span class="s">/etc/nginx/stream/*.conf</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="c1"># /etc/nginx/stream/rdp.conf </span></span></span><span class="line"><span class="cl"><span class="k">upstream</span> <span class="s">mstsc</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">hash</span> <span class="nv">$remote_addr</span> <span class="s">consistent</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.33.101</span><span class="p">:</span><span class="mi">3389</span> <span class="s">max_fails=3</span> <span class="s">fail_timeout=30s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">error_log</span> <span class="s">/var/log/nginx/101_3399_error.log</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">access_log</span> <span class="s">/var/log/nginx/101_3399_access.log</span> <span class="s">proxy</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">3399</span><span class="p">;</span> <span class="c1"># 外网访问 3399 </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_connect_timeout</span> <span class="s">10s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_timeout</span> <span class="s">300s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">mstsc</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>客户端连接</strong>:<code>mstsc /v:47.104.152.64:3399</code></p> <h3 id="22-日志样例">2.2 日志样例 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[25/Apr/2017:17:55:57 +0800] TCP status:200, bytes client:103/122 10.671, </span></span><span class="line"><span class="cl">client: 192.168.3.218, upstream: &#34;192.168.1.176:59001&#34; </span></span><span class="line"><span class="cl">bytes upstream:122/103 0.000 </span></span></code></pre></td></tr></table> </div> </div><p><strong>字段解读</strong>:</p> <ul> <li><code>bytes client:103/122</code>:客户端发送 103 字节,接收 122 字节</li> <li><code>client: 192.168.3.218</code>:客户端真实 IP(<strong>不是</strong> 47.104.152.64)</li> <li><code>upstream: &quot;192.168.1.176:59001&quot;</code>:Nginx 主动连到 Windows 的源端口</li> <li><code>bytes upstream:122/103</code>:Nginx 转发给后端的字节数</li> </ul> <hr> <h2 id="三nginx-http-反代的-9-大-buffer-调优">三、Nginx HTTP 反代的 9 大 buffer 调优 </h2><p><strong>常见 warning</strong>(Nginx error.log):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">an upstream response is buffered to a temporary file </span></span></code></pre></td></tr></table> </div> </div><p><strong>原因</strong>:Nginx 默认的 buffer 太小,每个请求的缓存不够,请求头 header 太大或响应体超过 buffer 时,<strong>写入磁盘临时文件</strong>,造成 IO 飙升,访问卡顿。</p> <h3 id="31-完整-buffer-配置">3.1 完整 buffer 配置 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">http</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># client body(上传) </span></span></span><span class="line"><span class="cl"> <span class="kn">client_max_body_size</span> <span class="mi">2048m</span><span class="p">;</span> <span class="c1"># 最大上传 2GB </span></span></span><span class="line"><span class="cl"> <span class="kn">client_body_buffer_size</span> <span class="mi">1024k</span><span class="p">;</span> <span class="c1"># body 缓冲 1MB </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># proxy buffer </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_buffer_size</span> <span class="mi">256k</span><span class="p">;</span> <span class="c1"># header 缓冲 256K </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_buffering</span> <span class="no">on</span><span class="p">;</span> <span class="c1"># 开启缓冲(默认 on) </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_buffers</span> <span class="mi">64</span> <span class="mi">128k</span><span class="p">;</span> <span class="c1"># 64 个 128K 缓冲(共 8MB) </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_busy_buffers_size</span> <span class="mi">512k</span><span class="p">;</span> <span class="c1"># 忙缓冲 512K(不能 &gt; proxy_buffers 总和/2) </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># FastCGI buffer(PHP-FPM) </span></span></span><span class="line"><span class="cl"> <span class="kn">fastcgi_buffer_size</span> <span class="mi">512k</span><span class="p">;</span> <span class="c1"># header 缓冲 </span></span></span><span class="line"><span class="cl"> <span class="kn">fastcgi_buffers</span> <span class="mi">6</span> <span class="mi">512k</span><span class="p">;</span> <span class="c1"># 6 个 512K 缓冲(共 3MB) </span></span></span><span class="line"><span class="cl"> <span class="kn">fastcgi_busy_buffers_size</span> <span class="mi">512k</span><span class="p">;</span> <span class="c1"># 忙缓冲 </span></span></span><span class="line"><span class="cl"> <span class="kn">fastcgi_temp_file_write_size</span> <span class="mi">512k</span><span class="p">;</span> <span class="c1"># 临时文件写入块大小 </span></span></span><span class="line"><span class="cl"> <span class="kn">fastcgi_intercept_errors</span> <span class="no">on</span><span class="p">;</span> <span class="c1"># 拦截错误(4xx/5xx 自己处理) </span></span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="32-各项调优解释">3.2 各项调优解释 </h3><table> <thead> <tr> <th>配置</th> <th>作用</th> <th>调优建议</th> </tr> </thead> <tbody> <tr> <td><code>client_max_body_size</code></td> <td>最大请求体(POST 上传)</td> <td>按业务定,文件上传建议 1g+</td> </tr> <tr> <td><code>client_body_buffer_size</code></td> <td>客户端 body 缓冲</td> <td>16k ~ 1m</td> </tr> <tr> <td><code>proxy_buffer_size</code></td> <td>后端响应<strong>头</strong>缓冲</td> <td>4k ~ 32k,大响应头可调到 128k</td> </tr> <tr> <td><code>proxy_buffers</code></td> <td>后端响应<strong>体</strong>缓冲(数量 × 单个大小)</td> <td>通常 <code>8 16k</code> 或 <code>64 128k</code></td> </tr> <tr> <td><code>proxy_busy_buffers_size</code></td> <td>正在发送的缓冲上限</td> <td>必须 &lt; <code>proxy_buffers</code> 总和的 1/2</td> </tr> <tr> <td><code>proxy_temp_file_write_size</code></td> <td>临时文件单次写入大小</td> <td>默认 8k,调大可减少 IO 次数</td> </tr> <tr> <td><code>fastcgi_intercept_errors</code></td> <td>Nginx 拦截 FastCGI 错误</td> <td><code>on</code> 配合 <code>error_page</code> 自定义错误页</td> </tr> </tbody> </table> <h3 id="33-调优公式">3.3 调优公式 </h3><p><strong>总 buffer = <code>proxy_buffer_size</code> + <code>proxy_buffers</code> × 数量</strong></p> <p>例:<code>proxy_buffers 64 128k</code> = 64 × 128K = <strong>8MB</strong> 单连接缓存</p> <p><strong>繁忙 buffer = <code>proxy_busy_buffers_size</code> × 2 ≤ 总 buffer</strong></p> <p>例:<code>512k × 2 = 1MB ≤ 8MB</code> ✓</p> <hr> <h2 id="四connection-reset-by-peer-排错">四、Connection reset by peer 排错 </h2><p><strong>完整错误</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">recv() failed (104: Connection reset by peer) </span></span><span class="line"><span class="cl">while proxying and reading from upstream, </span></span><span class="line"><span class="cl">client: 89.248.163.87, server: 0.0.0.0:3399, </span></span><span class="line"><span class="cl">upstream: &#34;10.8.33.101:3389&#34; </span></span></code></pre></td></tr></table> </div> </div><p><strong>104 错误</strong> = TCP RST,连接被对端强制关闭。</p> <p><strong>常见原因</strong>:</p> <ol> <li><strong>后端服务主动断开</strong>(如 Windows RDP 服务异常)</li> <li><strong>后端超时未响应</strong>,TCP keepalive 触发 RST</li> <li><strong>后端资源耗尽</strong>(CPU 100%、连接数打满)</li> <li><strong>Nginx 与后端的网络问题</strong>(中间设备丢包)</li> </ol> <h3 id="41-调优配置">4.1 调优配置 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">upstream</span> <span class="s">bigdata</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.20.1</span><span class="p">:</span><span class="mi">18018</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.20.2</span><span class="p">:</span><span class="mi">18018</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.20.3</span><span class="p">:</span><span class="mi">18018</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.20.4</span><span class="p">:</span><span class="mi">18018</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">keepalive</span> <span class="mi">100</span><span class="p">;</span> <span class="c1"># Nginx 与上游保持的长连接数 </span></span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">location</span> <span class="s">/</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">http://bigdata</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 加大超时(默认 60s 偏短) </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_connect_timeout</span> <span class="mi">120</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_send_timeout</span> <span class="mi">120</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_read_timeout</span> <span class="mi">120</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 关键:启用 HTTP/1.1 + 清理 Connection header </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_http_version</span> <span class="mi">1</span><span class="s">.1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">Connection</span> <span class="s">&#34;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>关键点</strong>:</p> <table> <thead> <tr> <th>配置</th> <th>作用</th> </tr> </thead> <tbody> <tr> <td><code>keepalive 100</code></td> <td>Nginx 与<strong>每个</strong>上游保持 100 个长连接(连接复用)</td> </tr> <tr> <td><code>proxy_http_version 1.1</code></td> <td><strong>必须 1.1</strong>——HTTP/1.0 不支持 keep-alive</td> </tr> <tr> <td><code>proxy_set_header Connection &quot;&quot;</code></td> <td>清掉 <code>Connection: close</code>,让 keep-alive 生效</td> </tr> </tbody> </table> <p><strong>为什么 HTTP/1.1 + Connection &quot;&quot; 必加</strong>?</p> <p>HTTP/1.0 的 <code>Connection: keep-alive</code> 是<strong>可选</strong>的,HTTP/1.1 默认 keep-alive 但 <code>Connection: close</code> 可以强制关闭。Nginx 默认往上游发的 <code>Connection: close</code>(不重用连接),所以<strong>必须显式清掉</strong>。</p> <hr> <h2 id="五实战mysql-stream-代理">五、实战:MySQL stream 代理 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">stream</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">upstream</span> <span class="s">mysql_pool</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.10</span><span class="p">:</span><span class="mi">3306</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.11</span><span class="p">:</span><span class="mi">3306</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">33306</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">mysql_pool</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_connect_timeout</span> <span class="s">5s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_timeout</span> <span class="s">600s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>客户端连接</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mysql -h &lt;nginx-ip&gt; -P <span class="m">33306</span> -u root -p </span></span></code></pre></td></tr></table> </div> </div><p><strong>注意</strong>:MySQL 认证是<strong>基于 IP</strong> 的,代理后所有客户端都是 <code>nginx-ip</code>,可能触发 <code>host 'nginx-ip' is not allowed</code>。<strong>对策</strong>:</p> <ul> <li>MySQL 授权时用 <code>'root'@'%'</code></li> <li>或在 MySQL 端用 <code>skip-name-resolve</code></li> </ul> <hr> <h2 id="六实战redis-stream-代理">六、实战:Redis stream 代理 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">stream</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">upstream</span> <span class="s">redis_pool</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.10</span><span class="p">:</span><span class="mi">6379</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">36379</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">redis_pool</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_connect_timeout</span> <span class="s">5s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_timeout</span> <span class="s">300s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>Redis 协议简单,stream 代理<strong>几乎零问题</strong>。</p> <hr> <h2 id="七ssltls-over-stream">七、SSL/TLS over stream </h2><p><strong>stream 块也支持 SSL</strong>(需 <code>--with-stream_ssl_module</code>):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">stream</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">upstream</span> <span class="s">mysql_ssl</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.10</span><span class="p">:</span><span class="mi">3306</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">33307</span> <span class="s">ssl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">mysql_ssl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate</span> <span class="s">/etc/nginx/ssl/server.crt</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_certificate_key</span> <span class="s">/etc/nginx/ssl/server.key</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_protocols</span> <span class="s">TLSv1.2</span> <span class="s">TLSv1.3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>典型场景</strong>:MySQL 客户端启 SSL,但不想让客户端直接连真实 MySQL,走 Nginx 反代统一证书。</p> <hr> <h2 id="八负载均衡算法">八、负载均衡算法 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">upstream</span> <span class="s">backend</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 1. 轮询(默认) </span></span></span><span class="line"><span class="cl"> <span class="c1"># server 10.0.0.10:8080; </span></span></span><span class="line"><span class="cl"> <span class="c1"># server 10.0.0.11:8080; </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 2. 加权轮询 </span></span></span><span class="line"><span class="cl"> <span class="c1"># server 10.0.0.10:8080 weight=3; </span></span></span><span class="line"><span class="cl"> <span class="c1"># server 10.0.0.11:8080 weight=1; </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 3. ip_hash(会话保持) </span></span></span><span class="line"><span class="cl"> <span class="c1"># ip_hash; </span></span></span><span class="line"><span class="cl"> <span class="c1"># server 10.0.0.10:8080; </span></span></span><span class="line"><span class="cl"> <span class="c1"># server 10.0.0.11:8080; </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 4. consistent hash(一致性 hash,加减节点影响小) </span></span></span><span class="line"><span class="cl"> <span class="kn">hash</span> <span class="nv">$remote_addr</span> <span class="s">consistent</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.10</span><span class="p">:</span><span class="mi">8080</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.11</span><span class="p">:</span><span class="mi">8080</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 5. least_conn(最闲) </span></span></span><span class="line"><span class="cl"> <span class="c1"># least_conn; </span></span></span><span class="line"><span class="cl"> <span class="c1"># server 10.0.0.10:8080; </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 6. random </span></span></span><span class="line"><span class="cl"> <span class="c1"># random; </span></span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="九健康检查与失败处理">九、健康检查与失败处理 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">upstream</span> <span class="s">backend</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.10</span><span class="p">:</span><span class="mi">8080</span> <span class="s">max_fails=3</span> <span class="s">fail_timeout=30s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.0.11</span><span class="p">:</span><span class="mi">8080</span> <span class="s">max_fails=3</span> <span class="s">fail_timeout=30s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 健康检查:失败 3 次标记为 down,30 秒后再试 </span></span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">backend</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_next_upstream</span> <span class="s">error</span> <span class="s">timeout</span> <span class="s">invalid_header</span> <span class="s">http_502</span> <span class="s">http_503</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="c1"># 后端 error/timeout/502/503 时,自动切到下一个 upstream </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_next_upstream_tries</span> <span class="mi">2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_next_upstream_timeout</span> <span class="s">10s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong><code>max_fails</code> 与 <code>fail_timeout</code></strong>:</p> <ul> <li>30 秒内失败 3 次 → 标记 down</li> <li>30 秒后再尝试(如果还失败,继续 down)</li> </ul> <p><strong><code>proxy_next_upstream</code></strong>:</p> <ul> <li><code>error</code>:连接错误</li> <li><code>timeout</code>:超时</li> <li><code>invalid_header</code>:响应头无效</li> <li><code>http_502/503/504</code>:HTTP 错误码</li> <li><code>off</code>:禁用</li> </ul> <hr> <h2 id="十常见错误">十、常见错误 </h2><h3 id="101-stream-块识别为-http">10.1 stream 块识别为 HTTP </h3><p><strong>症状</strong>:Nginx 启动报 <code>unknown directive &quot;stream&quot;</code>。</p> <p><strong>原因</strong>:编译时<strong>没</strong>加 <code>--with-stream</code>。</p> <p><strong>对策</strong>:重编译 nginx 加 <code>--with-stream</code>,参考 1.1 节。</p> <h3 id="102-listen-端口冲突">10.2 listen 端口冲突 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">bind() to 0.0.0.0:3399 failed (98: Address already in use) </span></span></code></pre></td></tr></table> </div> </div><p><strong>对策</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ss -tan <span class="p">|</span> grep <span class="m">3399</span> </span></span><span class="line"><span class="cl"><span class="c1"># 看哪个进程占用</span> </span></span><span class="line"><span class="cl">lsof -i :3399 </span></span></code></pre></td></tr></table> </div> </div><h3 id="103-客户端真实-ip-丢失">10.3 客户端真实 IP 丢失 </h3><p><strong>默认情况</strong>:后端看到的客户端 IP 是 <strong>Nginx 内网 IP</strong>(不是真实客户端)。</p> <p><strong>对策</strong>(<strong>仅限 HTTP</strong>,TCP 协议做不到):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">location</span> <span class="s">/</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">http://backend</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>stream 块没有 <code>proxy_set_header</code></strong>!要传真实 IP 必须用<strong>应用层协议</strong>(如 HTTP 的 <code>X-Forwarded-For</code>、MySQL 的账号 IP 白名单)。</p> <h3 id="104-大量-time_wait">10.4 大量 TIME_WAIT </h3><p><strong>症状</strong>:<code>netstat -an | grep TIME_WAIT | wc -l</code> 几万。</p> <p><strong>对策</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 开启 TIME_WAIT 复用</span> </span></span><span class="line"><span class="cl">sysctl -w net.ipv4.tcp_tw_reuse<span class="o">=</span><span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 缩短 TIME_WAIT 时间(默认 60s)</span> </span></span><span class="line"><span class="cl">sysctl -w net.ipv4.tcp_fin_timeout<span class="o">=</span><span class="m">30</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="小结">小结 </h2><p>Nginx stream 模块让 Nginx <strong>从七层反代进化为&quot;四/七层通吃&quot;</strong>:</p> <ol> <li><strong>编译加 <code>--with-stream</code></strong></li> <li><strong><code>stream</code> 块与 <code>http</code> 同级</strong></li> <li><strong><code>listen</code> + <code>proxy_pass</code></strong> 简单粗暴</li> <li><strong><code>keepalive</code> + HTTP/1.1 + <code>Connection &quot;&quot;</code></strong> 是 HTTP 反代性能关键</li> <li><strong><code>buffer</code> 调优</strong>避免写临时文件</li> <li><strong>客户端真实 IP</strong>(四层)<strong>传不到</strong>后端,靠应用层协议</li> </ol> <p><strong>生产建议</strong>:</p> <ul> <li><strong>七层反代</strong>:用 Nginx,配置友好</li> <li><strong>四层 1w-5w QPS</strong>:用 Nginx stream</li> <li><strong>四层 5w+ QPS</strong>:用 LVS DR 或 HAProxy</li> <li><strong>多协议混合</strong>:Nginx 统一管(HTTP 在 http 块,TCP 在 stream 块)</li> </ul> <p><strong>下一步</strong>:</p> <ul> <li>用 Nginx stream + Let&rsquo;s Encrypt 做 TLS 反代</li> <li>上 HAProxy 做更细的健康检查</li> <li>用 Envoy / APISIX 做云原生时代的四/七层代理</li> </ul> <hr> <h2 id="2024-视角nginx-仍是-125--127-时代的王者">2024 视角:Nginx 仍是 1.25+ / 1.27+ 时代的王者 </h2><p>2013 那篇的 <code>ngx_stream_core_module</code> 仍是 Nginx 的核心特性。<strong>2024 视角下</strong>:</p> <h3 id="一nginx-125--1272024-主流">一、Nginx 1.25 / 1.27(2024 主流) </h3><ul> <li><strong>Nginx 1.25.x</strong>(2023-05 起的 mainline):实验新特性。</li> <li><strong>Nginx 1.27.x</strong>(2024-08):<strong>新 mainline</strong>,引入 <strong>HTTP/3 over QUIC</strong> 完整支持。</li> <li><strong>Nginx Plus R32</strong>(2024):商业版新增 <strong>Dynamic Configuration via API</strong>、<strong>Active Health Checks</strong> 增强。</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 看版本</span> </span></span><span class="line"><span class="cl">nginx -v </span></span><span class="line"><span class="cl"><span class="c1"># nginx version: nginx/1.27.0</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="二quic--http3-已成必选项">二、QUIC / HTTP/3 已成&quot;必选项&quot; </h3><ul> <li><strong>2013 那篇</strong>完全没提 QUIC。<strong>2024 视角下</strong> QUIC / HTTP/3 已是性能优化标配: <ul> <li><strong>握手 0-RTT</strong>(比 TLS 1.3 还快)</li> <li><strong>连接迁移</strong>(IP 变化不重连)</li> <li><strong>多路复用</strong>(解决 HTTP/2 队头阻塞)</li> </ul> </li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="c1"># Nginx 1.25+ 启用 HTTP/3 </span></span></span><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">http2</span> <span class="no">on</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># 启用 HTTP/3(同时监听 UDP 443) </span></span></span><span class="line"><span class="cl"> <span class="kn">add_header</span> <span class="s">Alt-Svc</span> <span class="s">&#39;h3=&#34;:443&#34;</span><span class="p">;</span> <span class="kn">ma=86400&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_protocols</span> <span class="s">TLSv1.2</span> <span class="s">TLSv1.3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_early_data</span> <span class="no">on</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">ssl_protocols</span> <span class="s">TLSv1.3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Nginx 1.27+ 直接 </span></span></span><span class="line"><span class="cl"><span class="k">server</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">quic</span> <span class="s">reuseport</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">listen</span> <span class="mi">443</span> <span class="s">ssl</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">http2</span> <span class="no">on</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">add_header</span> <span class="s">Alt-Svc</span> <span class="s">&#39;h3=&#34;:443&#34;</span><span class="p">;</span> <span class="kn">ma=86400&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="三buffer-调优的现代配方">三、buffer 调优的&quot;现代&quot;配方 </h3><ul> <li>2013 那篇给的 <code>proxy_buffer_size 256k</code> / <code>proxy_buffers 64 128k</code> 仍是有效。</li> <li><strong>2024 实践</strong>:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="c1"># 大文件 / 视频流 </span></span></span><span class="line"><span class="cl"><span class="k">proxy_buffer_size</span> <span class="mi">1m</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">proxy_buffers</span> <span class="mi">8</span> <span class="mi">1m</span><span class="p">;</span> <span class="c1"># 8 个 1M(共 8M) </span></span></span><span class="line"><span class="cl"><span class="k">proxy_busy_buffers_size</span> <span class="mi">2m</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">proxy_temp_file_write_size</span> <span class="mi">4m</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># API 服务(小响应) </span></span></span><span class="line"><span class="cl"><span class="k">proxy_buffer_size</span> <span class="mi">16k</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">proxy_buffers</span> <span class="mi">8</span> <span class="mi">16k</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">proxy_busy_buffers_size</span> <span class="mi">32k</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>新指令</strong>: <ul> <li><strong><code>proxy_socket_keepalive on</code></strong>:向上游发 TCP keep-alive(避免 TIME_WAIT 堆积)</li> <li><strong><code>proxy_pass_request_body off</code></strong>:透传大 body 优化</li> <li><strong><code>proxy_force_ranges on</code></strong>:强制 Range 支持</li> </ul> </li> </ul> <h3 id="四connection-reset-by-peer-的-2024-排查清单">四、<code>Connection reset by peer</code> 的 2024 排查清单 </h3><p>2013 那篇给的 <code>proxy_http_version 1.1</code> + <code>Connection &quot;&quot;</code> + <code>keepalive 100</code> 仍是标准动作。<strong>2024 升级</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">upstream</span> <span class="s">backend</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.20.1</span><span class="p">:</span><span class="mi">18018</span> <span class="s">resolve</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">10.0.20.2</span><span class="p">:</span><span class="mi">18018</span> <span class="s">resolve</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">keepalive</span> <span class="mi">32</span><span class="p">;</span> <span class="c1"># 适当调小(旧值 100 过大) </span></span></span><span class="line"><span class="cl"> <span class="kn">keepalive_requests</span> <span class="mi">1000</span><span class="p">;</span> <span class="c1"># 单连接最多 1000 请求后关闭(防内存泄漏) </span></span></span><span class="line"><span class="cl"> <span class="kn">keepalive_timeout</span> <span class="s">60s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">location</span> <span class="s">/</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_pass</span> <span class="s">http://backend</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_http_version</span> <span class="mi">1</span><span class="s">.1</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_set_header</span> <span class="s">Connection</span> <span class="s">&#34;&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_connect_timeout</span> <span class="s">5s</span><span class="p">;</span> <span class="c1"># 比 120s 短 </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_send_timeout</span> <span class="s">60s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_read_timeout</span> <span class="s">60s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_socket_keepalive</span> <span class="no">on</span><span class="p">;</span> <span class="c1"># 2024 新 </span></span></span><span class="line"><span class="cl"> <span class="kn">proxy_next_upstream</span> <span class="s">error</span> <span class="s">timeout</span> <span class="s">http_502</span> <span class="s">http_503</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">proxy_next_upstream_tries</span> <span class="mi">2</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>新调试工具</strong>: <ul> <li><strong><code>nginx -T</code></strong>:dump 完整配置(include 全部展开)</li> <li><strong><code>error.log debug</code></strong>:详细 debug 日志</li> <li><strong><code>stub_status</code></strong>:基础统计</li> <li><strong><code>/usr/lib/nginx/modules/ngx_http_vhost_traffic_status</code></strong>(淘宝开源):流量详情</li> </ul> </li> </ul> <h3 id="五stream-块在-k8s-时代的角色">五、stream 块在 K8s 时代的&quot;角色&quot; </h3><ul> <li><strong>2024 趋势</strong>:Nginx stream 在 K8s 时代被 <strong>Envoy</strong> 替代。</li> <li><strong>Nginx Ingress Controller</strong>(K8s 标准 Ingress 实现):</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># k8s-ingress.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">myapp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;50m&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">nginx.ingress.kubernetes.io/proxy-read-timeout</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;60&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ingressClassName</span><span class="p">:</span><span class="w"> </span><span class="l">nginx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l">myapp.example.com</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">http</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pathType</span><span class="p">:</span><span class="w"> </span><span class="l">Prefix</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">backend</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">myapp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="m">80</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>优势</strong>:Nginx Ingress Controller = Nginx + K8s 自动化(自动 reload、自动证书、自动 upstream)。</li> </ul> <h3 id="六动态-upstream-的现代实现">六、动态 upstream 的&quot;现代&quot;实现 </h3><ul> <li><strong>2013 那篇</strong>的 upstream 是静态配置。</li> <li><strong>2024 现代姿势</strong>:<strong><code>upstream {}</code> 动态解析</strong>(DNS + Service Discovery):</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="c1"># 动态 upstream(Nginx Plus 特性,开源版部分支持) </span></span></span><span class="line"><span class="cl"><span class="k">upstream</span> <span class="s">backend</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kn">zone</span> <span class="s">backend</span> <span class="mi">64k</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">server</span> <span class="n">backend-service.default.svc.cluster.local</span><span class="p">:</span><span class="mi">80</span> <span class="s">resolve</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kn">resolver</span> <span class="s">kube-dns.kube-system.svc.cluster.local</span> <span class="s">valid=30s</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 通过 API 动态加 backend </span></span></span><span class="line"><span class="cl"><span class="k">curl</span> <span class="s">-X</span> <span class="s">POST</span> <span class="s">http://127.0.0.1:8080/api/version/http/upstreams/backend/servers/</span> <span class="s">\</span> </span></span><span class="line"><span class="cl"> <span class="s">-d</span> <span class="s">&#39;</span><span class="p">{</span><span class="kn">&#34;server&#34;:&#34;10.0.1.50:80&#34;}&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>Nginx 开源版</strong>(1.27+)也支持 <code>resolver</code> + <code>resolve</code> 指令,<strong>SVC 后端自动发现</strong>。</li> </ul> <h3 id="七ssltls-的现代最佳实践">七、SSL/TLS 的&quot;现代&quot;最佳实践 </h3><ul> <li>2013 那篇的 <code>ssl_protocols TLSv1 TLSv1.1 TLSv1.2</code> 已经被<strong>2024 安全规范淘汰</strong>。</li> <li><strong>2024 强制</strong>:</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-nginx" data-lang="nginx"><span class="line"><span class="cl"><span class="k">ssl_protocols</span> <span class="s">TLSv1.2</span> <span class="s">TLSv1.3</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">ssl_ciphers</span> <span class="s">ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">ssl_prefer_server_ciphers</span> <span class="no">on</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">ssl_session_cache</span> <span class="s">shared:SSL:50m</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">ssl_session_timeout</span> <span class="s">1d</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">ssl_session_tickets</span> <span class="no">off</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">ssl_stapling</span> <span class="no">on</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="k">ssl_stapling_verify</span> <span class="no">on</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>OCSP Stapling</strong>:减少客户端验证延迟</li> <li><strong>TLS 1.3 强制</strong>:禁用 TLS 1.0/1.1</li> </ul> <h3 id="八nginx--服务网格的混合部署">八、Nginx + 服务网格的&quot;混合部署&quot; </h3><ul> <li>2024 大量 K8s 项目<strong>不再用 Nginx 反代</strong>——用 <strong>Istio / Linkerd</strong> 自带 Envoy。</li> <li><strong>Nginx 仍在用</strong>的场景: <ul> <li><strong>边缘节点</strong>(CDN 边缘)</li> <li><strong>物理机 / 虚拟机</strong>(不在 K8s 里)</li> <li><strong>Web 服务器</strong>(静态资源)</li> <li><strong>API 网关</strong>(Apigee / Kong 基于 Nginx)</li> <li><strong>Sidecar 替代</strong>(轻量场景,Nginx sidecar 比 Envoy 资源占用更少)</li> </ul> </li> </ul> <h3 id="九nginx-商业替代">九、Nginx 商业替代 </h3><ul> <li><strong>F5 NGINX Plus</strong>(商业版):Dynamic Configuration API、Active Health Checks、JWT 验证、WAF</li> <li><strong>OpenResty</strong>(章亦春):<strong>Lua 脚本扩展</strong>——2024 仍是国内&quot;高阶 Nginx 玩法&quot;主流</li> <li><strong>Caddy</strong>:自动 HTTPS(Let&rsquo;s Encrypt 内置)</li> <li><strong>Traefik</strong>:云原生时代的&quot;动态 Nginx&quot;</li> </ul> <p><strong>源文档</strong>:</p> <ul> <li><code>os/linux/第三方tools/dev/反向代理/Nginx/nginx.md</code>(stream TCP 代理 + 自定义日志)</li> <li><code>os/linux/第三方tools/dev/反向代理/Nginx/问题.md</code>(buffer 调优 + Connection reset by peer)</li> </ul>