Nginx Distributed Gateway

Implementing a Distributed Gateway with Nginx

Nginx is a high-performance HTTP server and reverse proxy; its concurrency handling makes it a natural choice for building a distributed gateway. The following outlines the core approach to building a microservice gateway with Nginx:

Basic configuration example

Below is a basic distributed gateway configuration for Nginx:

worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;

    # Rate-limit zone keyed on the client IP. limit_req_zone is only valid in the
    # http context; nginx refuses to start if it is placed inside a server block.
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=100r/m;

    # Upstreams with passive health checks: a server is taken out of rotation for
    # fail_timeout after max_fails failed attempts, and the backup server is used
    # only while all primary servers are unavailable.
    upstream users_service {
        server users-service:3001 max_fails=3 fail_timeout=30s;
        server users-service-backup:3001 max_fails=3 fail_timeout=30s backup;
        keepalive 32;
    }

    upstream products_service {
        server products-service:3002 max_fails=3 fail_timeout=30s;
        server products-service-backup:3002 max_fails=3 fail_timeout=30s backup;
        keepalive 32;
    }

    upstream orders_service {
        server orders-service:3003 max_fails=3 fail_timeout=30s;
        server orders-service-backup:3003 max_fails=3 fail_timeout=30s backup;
        keepalive 32;
    }

    # Main gateway
    server {
        listen 80;
        server_name gateway.example.com;

        # CORS support. The wildcard origin is for the example only: in production
        # list the origins you actually serve, since this gateway accepts Authorization.
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization' always;

        # Answer preflight OPTIONS requests directly
        if ($request_method = 'OPTIONS') {
            return 204;
        }

        # Unified API rate limiting, set at server level so every location below
        # inherits it. A limit_req inside an otherwise empty "location /api/" would
        # only apply to requests that no more specific location matches.
        limit_req zone=mylimit burst=50 nodelay;

        # Users service route
        location /api/users/ {
            # Authentication check by subrequest (can integrate an external service)
            auth_request /auth;

            proxy_pass http://users_service/;
            proxy_http_version 1.1;              # required for upstream keepalive
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Products service route
        location /api/products/ {
            proxy_pass http://products_service/;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Orders service route
        location /api/orders/ {
            proxy_pass http://orders_service/;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Authentication service: internal, so clients cannot call it directly
        location = /auth {
            internal;
            proxy_pass http://auth-service:3004/verify;
            proxy_pass_request_body off;         # the verifier only needs the headers
            proxy_set_header Content-Length "";
            proxy_set_header X-Original-URI $request_uri;
        }
    }
}

Key feature implementations

1. Routing and load balancing

upstream users_service {
    server users-service-1:3001 weight=5;
    server users-service-2:3001 weight=3;
    server users-service-3:3001 weight=2;
    ip_hash;        # session persistence: requests from one client IP go to the same server
    keepalive 32;
}

location /api/users/ {
    proxy_pass http://users_service/;
    # other proxy settings...
}

Several load-balancing methods are supported:

  • round_robin: the default, weighted round-robin
  • least_conn: fewest active connections
  • ip_hash: hash of the client IP
  • url_hash: hash of the request URL (in open-source Nginx, hash $request_uri)
  • least_time: lowest response time (requires Nginx Plus)

2. Authentication and authorization

# JWT validation example (requires the ngx_http_auth_jwt_module, part of Nginx Plus)
location /api/protected/ {
    auth_jwt "Realm";
    # The key file must be in JWK Set (JSON) format, not a bare PEM public key
    auth_jwt_key_file /etc/nginx/jwt-key.pub;
    proxy_pass http://backend-service/;
}

# External authentication service
location /api/admin/ {
    auth_request /auth_admin;
    proxy_pass http://admin-service/;
}

location = /auth_admin {
    internal;
    proxy_pass http://auth-service:3004/admin_verify;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    # Forward the original URI so the auth service can make path-based decisions
    proxy_set_header X-Original-URI $request_uri;
}
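
The other side of the auth_request subrequests used in the basic configuration (/auth to /verify) and in the /api/admin/ route above (/auth_admin to /admin_verify): a minimal verifier in Python that applies the status-code contract nginx expects and uses the forwarded X-Original-URI for path-based authorization. It is an added example, not code from the original post; the HMAC token format, the constructed SECRET, the role names and the VerifyHandler class are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, time
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"constructed-demo-secret"   # constructed for the demo; load from a secret store in practice

def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def issue_token(subject: str, roles: list, ttl_s: int = 3600, now: float = None) -> str:
    """Hypothetical token format: base64url(JSON claims) '.' base64url(HMAC-SHA256 over it)."""
    exp = int((time.time() if now is None else now) + ttl_s)
    body = _b64(json.dumps({"sub": subject, "roles": roles, "exp": exp}).encode())
    return (body + b"." + _b64(hmac.new(SECRET, body, hashlib.sha256).digest())).decode()

def verify(headers: dict, now: float = None) -> int:
    """Decide one auth_request subrequest. nginx lets the client through on 2xx, returns
    401/403 to the client as-is, and treats any other status as an error (502)."""
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401                                # no credential presented
    try:
        body, sig = auth[len("Bearer "):].encode().split(b".")
        expected = hmac.new(SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return 401                            # signature does not match: not issued by us
        claims = json.loads(_unb64(body))
        exp = float(claims["exp"])
    except (ValueError, TypeError, KeyError):
        return 401                                # malformed token
    if exp < (time.time() if now is None else now):
        return 401                                # expired
    # The subrequest URI is always /verify; the gateway forwards the real path in
    # X-Original-URI, which is where path-based authorization has to look.
    if h.get("x-original-uri", "/").startswith("/api/admin/") and "admin" not in claims.get("roles", []):
        return 403                                # authenticated, but not allowed on this path
    return 204

class VerifyHandler(BaseHTTPRequestHandler):
    # auth_request subrequests arrive as GET with the body stripped (proxy_pass_request_body off).
    def do_GET(self):
        self.send_response(verify(dict(self.headers)) if self.path in ("/verify", "/admin_verify") else 404)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 3004), VerifyHandler).serve_forever()   # port taken from the gateway config
```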

3. Rate limiting and circuit breaking

# Per-client-IP rate limiting
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/s;

# Per-URI rate limiting
limit_req_zone $request_uri zone=uri_limit:10m rate=50r/s;

location /api/ {
    # Both limits apply; a request is rejected (503 by default) if either bucket is full
    limit_req zone=api_limit burst=50 nodelay;
    limit_req zone=uri_limit burst=20 nodelay;

    # Timeouts and failover. Together with max_fails/fail_timeout on the upstream
    # servers this acts as a simple circuit breaker: a failing server is skipped
    # for fail_timeout instead of being retried on every request.
    proxy_connect_timeout 5s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
}
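
What rate=100r/m with burst=50 nodelay (the mylimit zone of the basic configuration) does to a burst of requests is easiest to see by replaying it through a model of the leaky bucket the limit_req module implements. The Python below is an added example, not nginx's code: it follows the module's arithmetic (excess and burst counted in milli-requests, integer milliseconds) but ignores shared-memory eviction; the zone parameters and addresses are constructed.

```python
class LimitReqZone:
    """Leaky-bucket model of one limit_req_zone and the limit_req directive that uses it."""

    def __init__(self, rate_rps: float, burst: int = 0, nodelay: bool = False):
        self.rate = int(rate_rps * 1000)      # milli-requests per second, as nginx stores rate
        self.burst = burst * 1000             # burst, also in milli-requests
        self.nodelay = nodelay
        self.state = {}                       # key (e.g. $binary_remote_addr) -> (excess, last_ms)

    def check(self, key: str, now_ms: int):
        """Return ('pass', delay_ms) or ('reject', 503) for one request from key at now_ms."""
        if key not in self.state:             # first request for a key: empty bucket, passes
            self.state[key] = (0, now_ms)
            return ("pass", 0)
        excess, last = self.state[key]
        # Drain for the elapsed time, then add this request (1000 milli-requests).
        excess = max(excess - self.rate * (now_ms - last) // 1000 + 1000, 0)
        if excess > self.burst:
            return ("reject", 503)            # bucket full: nginx answers with limit_req_status
        self.state[key] = (excess, now_ms)    # a rejected request leaves the bucket untouched
        delay_ms = 0 if self.nodelay else excess * 1000 // self.rate
        return ("pass", delay_ms)             # without nodelay, excess requests are queued


def simulate(zone: LimitReqZone, key: str, times_ms: list) -> dict:
    """Replay request timestamps (ms) for one key and summarise the outcome."""
    passed = rejected = 0
    delays = []
    for t in times_ms:
        verdict, value = zone.check(key, t)
        if verdict == "pass":
            passed += 1
            delays.append(value)
        else:
            rejected += 1
    return {"passed": passed, "rejected": rejected, "max_delay_ms": max(delays, default=0)}


if __name__ == "__main__":
    # mylimit from the basic configuration: rate=100r/m burst=50 nodelay,
    # hit with 60 requests from one address within the same millisecond
    zone = LimitReqZone(rate_rps=100 / 60, burst=50, nodelay=True)
    print(simulate(zone, "198.51.100.7", [0] * 60))   # {'passed': 51, 'rejected': 9, 'max_delay_ms': 0}
```

The burst parameter allows burst requests beyond the one that fills an empty bucket, so 51 pass and the rest get 503; a minute later the bucket has drained and the same client is served again.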

4. Protocol and API translation

# Plain HTTP from clients, HTTPS to the backend
location /secure/ {
    proxy_pass https://backend-secure-service/;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/certs/ca-cert.pem;
    proxy_ssl_server_name on;    # send SNI so the backend presents the right certificate
}

# gRPC proxying over TLS (the server block must listen with http2 for gRPC clients;
# Nginx forwards gRPC as-is, it does not transcode REST calls into gRPC)
location /grpc/ {
    grpc_pass grpcs://backend-grpc-service:50051;
    grpc_ssl_certificate /etc/nginx/certs/client.crt;        # client certificate for mTLS to the backend
    grpc_ssl_certificate_key /etc/nginx/certs/client.key;
    grpc_ssl_verify on;                                       # without this the trusted CA below is never checked
    grpc_ssl_trusted_certificate /etc/nginx/certs/ca-cert.pem;
}

# Request rewriting example: expose /v2/api/... and forward it as /v1/... to the legacy service
location /v2/api/ {
    rewrite ^/v2/api/(.*)$ /v1/$1 break;
    proxy_pass http://legacy-service/;   # after a rewrite with break, the rewritten URI is passed as-is
}

5. Monitoring and logging

# Access log format that records which upstream served the request and the timings
log_format upstream '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$upstream_addr $upstream_response_time $request_time';

access_log /var/log/nginx/upstream.log upstream;

# Status page (requires Nginx Plus, or a build with http_stub_status_module)
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;    # local access only; the page exposes connection counts
    deny all;
}
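
A parser for the upstream log_format above, with a small anomaly check over constructed sample lines: it handles the comma-separated $upstream_addr and $upstream_response_time lists that appear when proxy_next_upstream failed over to another server, and the "-" values of a request that never reached an upstream. This is an added example, not part of the original post; the log lines, addresses and the slow-request threshold are constructed.

```python
import re

# Matches the "upstream" log_format above. $upstream_addr and $upstream_response_time are
# comma-separated lists when proxy_next_upstream tried more than one server, and "-" when
# no upstream was contacted at all (e.g. a 503 produced by limit_req), so both are matched
# as token lists rather than single words.
UPSTREAM_LOG = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'(?P<upstream_addr>\S+(?:, \S+)*) (?P<upstream_response_time>[\d.-]+(?:, [\d.-]+)*) '
    r'(?P<request_time>[\d.]+)$'
)

def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = UPSTREAM_LOG.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["request_time"] = float(rec["request_time"])
    rec["upstreams"] = [a for a in rec["upstream_addr"].split(", ") if a != "-"]
    rec["upstream_times"] = [float(t) for t in rec["upstream_response_time"].split(", ") if t != "-"]
    return rec

def find_anomalies(lines, slow_s: float = 1.0):
    """Flag failovers, slow requests and limit_req rejections as (remote_addr, request, reason)."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                   # unparseable line: skip, do not crash
        if len(rec["upstreams"]) > 1:                  # proxy_next_upstream moved to another server
            out.append((rec["remote_addr"], rec["request"], "failover: " + rec["upstream_addr"]))
        if rec["request_time"] >= slow_s:
            out.append((rec["remote_addr"], rec["request"], "slow: %.3fs" % rec["request_time"]))
        if rec["status"] == 503 and not rec["upstreams"]:  # 503 with no upstream: rate limited
            out.append((rec["remote_addr"], rec["request"], "rejected by limit_req"))
    return out

# Constructed sample lines in the "upstream" format (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /api/users/42 HTTP/1.1" 200 512 "-" "curl/8.0" 172.18.0.3:3001 0.012 0.013',
    '10.0.0.7 - - [12/Mar/2024:10:00:02 +0000] "GET /api/orders/9 HTTP/1.1" 200 840 "-" "Mozilla/5.0" 172.18.0.5:3003, 172.18.0.6:3003 5.002, 0.020 5.023',
    '10.0.0.9 - - [12/Mar/2024:10:00:03 +0000] "POST /api/products/ HTTP/1.1" 503 197 "-" "python-requests/2.31" - - 0.000',
]
```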

Advanced extensions

1. Dynamic configuration and service discovery

Combined with service-discovery tools such as Consul or Etcd, Nginx dynamic modules can register and discover services automatically:

# Update upstreams at runtime with ngx_http_dyups_module
server {
    listen 127.0.0.1:8080;     # management interface, bound to loopback only

    location /upstream/ {
        allow 127.0.0.1;       # this interface can rewrite routing: never expose it publicly
        deny all;              # ("internal" would block the curl call below, since that is a client request)
        dyups_interface;
    }
}

# Update an upstream through the API (run from a shell):
curl -X POST http://localhost:8080/upstream/backend \
     -d 'server backend1.example.com:80 weight=5; server backend2.example.com:80 weight=5;'

2. Lua scripting

Use OpenResty (an enhanced distribution built on Nginx) together with Lua to implement more complex gateway logic:

location /api/ {
    access_by_lua_block {
        -- JWT validation (lua-resty-jwt is used by the verification logic below)
        local jwt = require "resty.jwt"
        -- raw Authorization header; strip the "Bearer " prefix before verifying
        local token = ngx.var.http_authorization
        if not token then
            ngx.status = ngx.HTTP_UNAUTHORIZED
            ngx.say("Missing token")
            return ngx.exit(ngx.HTTP_UNAUTHORIZED)
        end

        -- verification logic...
    }

    proxy_pass http://backend-service/;
}

3. Canary releases and A/B testing

# Weighted canary release: roughly 90% of requests go to v1 and 10% to v2.
# The split is per request, not per user; for a per-user split, key the choice on
# a user identifier, as the cookie-based example below does.
upstream backend {
    server backend-v1:80 weight=90;
    server backend-v2:80 weight=10;
}

# Cookie-based A/B test: ab_test=2 selects variant B, anything else variant A
upstream backend_a { server backend-v1:80; }    # defined so the map targets resolve
upstream backend_b { server backend-v2:80; }

map $cookie_ab_test $backend {
    default backend_a;
    2       backend_b;
}

server {
    listen 80;
    location / {
        # No URI part after the variable: with a variable in proxy_pass, a URI part
        # would replace the client's request URI literally instead of being prefixed
        proxy_pass http://$backend;
    }
}

Deployment and operations recommendations

  1. High availability

    • Use Keepalived or HAProxy to run Nginx as a cluster
    • Deploy in active-standby or active-active mode
  2. Performance tuning

    • Tune worker_processes and worker_connections
    • Enable gzip compression
    • Use HTTP/2
    • Configure caching
  3. Security hardening

    • Restrict the IP ranges allowed to reach the gateway
    • Keep the Nginx version up to date
    • Configure firewall rules
    • Enable HTTPS
  4. Monitoring and alerting

    • Integrate Prometheus and Grafana to monitor Nginx performance
    • Set up a log analysis system (ELK Stack)
    • Define alert thresholds for key metrics

With the configuration above, Nginx works as a capable distributed gateway, giving a microservice architecture high-performance, reliable request routing behind a single entry point. Depending on requirements it can be extended further, for example by integrating a WAF, adding request caching, or supporting WebSocket.