System network architecture diagram and nginx configuration
- 1. System network architecture diagram
- 2. Nginx network configuration
- 2.1 Requests from the Internet zone into the intranet zone
- 2.2 Requests from the intranet to the Internet
1. System network architecture diagram
In a traditional company deployment the network is divided into zones: applications are deployed in the intranet zone, and requests leave the intranet through the DMZ zone to interact with the Internet.
Walkthrough of the diagram:
- Requests from the Internet are forwarded hop by hop into the intranet
- Back-end services need access to the database and middleware; the gateway needs access to Redis
- The intranet can reach the management console
- The management console needs to call the back-end services
If network policies and ports need to be opened, follow the access paths above.
2. Nginx network configuration
2.1 Requests from the Internet zone into the intranet zone
Note: the diagram below is simplified and only shows the network interaction; a real deployment has several layers of load balancing.
Brief description of the flow:
1. Requests from the Internet zone reach the nginx in the DMZ zone, so the DMZ nginx must expose a port to the Internet. The usual practice is to publish a domain name for Internet access; the port is 80 for HTTP and 443 for HTTPS.
2. The DMZ nginx forwards the request to the nginx in the intranet zone, and the intranet nginx load-balances it across the internal microservice cluster.
Example nginx configuration:
1. Configuration of the DMZ nginx that receives requests from the Internet
server {
    listen 80;
    server_name yyds.abc.com;
    access_log /data/logs/nginx/in_yyds.abc.com.access.log;
    error_log /data/logs/nginx/in_yyds.abc.com.error.log;
    location /aa/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_pass_header User-Agent;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $http_x_forwarded_for;
        proxy_set_header X-Forwarded-For $http_x_forwarded_for;
    }
    location /aa/bb/ {
        proxy_pass http://app_nginx_server/; # app_nginx_server is the IP of the machine running the app nginx
        proxy_pass_header User-Agent;
        proxy_set_header Host bb.app.com;
        proxy_set_header X-Real-IP $http_x_forwarded_for;
        proxy_set_header X-Forwarded-For $http_x_forwarded_for;
        # WebSocket upgrade pass-through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /cc/dd/ee {
        return 404;
    }
    # static images
    location /ee/static-img/ {
        root /ff/gg/hh/;
    }
}
2. Second DMZ nginx configuration, which refines the requests received by configuration 1
server {
    listen 8080;
    server_name yyds.abc.com; # receives the requests forwarded from port 80
    access_log /data/logs/nginx/yyds.abc.com.access.log;
    error_log /data/logs/nginx/yyds.abc.com.error.log;
    root 前台代码路径/dist; # 前台代码路径 = path of the front-end build directory
    index index.html index.htm index.php;
    location /aa/ {
        proxy_pass http://app_nginx_server/yy/uu; # app_nginx_server is the IP of the machine running the app nginx
        proxy_pass_header User-Agent;
        proxy_set_header Host 微服务网关域名; # 微服务网关域名 = domain name of the microservice gateway
        proxy_set_header X-Real-IP $http_x_forwarded_for;
        proxy_set_header X-Forwarded-For $http_x_forwarded_for;
    }
    location /rr/ {
        proxy_pass http://app_nginx_server;
        proxy_set_header Host gateway.app.com;
        proxy_set_header X-Real-IP $http_x_forwarded_for;
        proxy_set_header X-Forwarded-For $http_x_forwarded_for;
    }
}
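Both DMZ configurations above copy X-Real-IP and X-Forwarded-For straight from the incoming X-Forwarded-For header, which an Internet client can set to any value it likes; at the same time the note above says real deployments put several load-balancer layers in front of the DMZ nginx, so the address nginx sees on the socket is the load balancer rather than the client. The server block below is an added example, not part of the original post, showing how the DMZ nginx of configuration 1 can instead derive the client address with nginx's realip module (only the addresses listed in set_real_ip_from are allowed to speak for the client) and forward that resolved address. The load-balancer range 10.10.0.0/24 and the catch-all location are assumptions.

```nginx
# Added example (not from the original post): DMZ nginx from configuration 1,
# hardened so the client address comes from the realip module rather than from
# a header the client controls. 10.10.0.0/24 is an assumed address range for the
# load balancers in front of this nginx; replace it with the real one.
server {
    listen 80;
    server_name yyds.abc.com;
    access_log /data/logs/nginx/in_yyds.abc.com.access.log;
    error_log /data/logs/nginx/in_yyds.abc.com.error.log;

    # Only connections from the trusted load-balancer range may supply
    # X-Forwarded-For. With real_ip_recursive on, nginx walks the header from
    # the right and stops at the first address outside a trusted range, so any
    # addresses prepended by the client itself are ignored. From here on
    # $remote_addr holds the resolved client address for logging, rate
    # limiting and proxying alike.
    set_real_ip_from 10.10.0.0/24;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    location /aa/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        # Resolved client address, not the raw header value
        proxy_set_header X-Real-IP $remote_addr;
        # Start a fresh chain from the resolved address instead of passing the
        # client-supplied chain on to the next tier
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Paths that are not explicitly published are refused rather than proxied
    location / {
        return 404;
    }
}
```

The intranet nginx behind this one then needs its own set_real_ip_from entry for the DMZ nginx addresses, and nothing else; each tier trusts only the tier directly in front of it, so a forged header never survives the first hop.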
2.2 Requests from the intranet to the Internet
Brief description of the flow:
1. When a microservice needs to reach an Internet resource, it uses a domain name configured in nginx: the service first sends the request to the app nginx, which forwards it to the web nginx. Both nginx instances still listen on port 80 and route by domain name and path.
2. The DMZ nginx forwards the request to the address of the specific external resource.
1. The microservice forwards the request to the app nginx
server {
    listen 80;
    server_name app.nginx.com;
    access_log /data/logs/nginx/out_web.nginx.com.access.log;
    error_log /data/logs/nginx/out_web.nginx.com.error.log;
    location /api_weixin/ {
        proxy_pass https://web.nginx.com/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
    location /open_weixin/ {
        proxy_pass https://web.nginx.com/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
}
2. Configuration of the DMZ nginx for outbound requests
server {
    listen 80;
    server_name web.nginx.com;
    access_log /data/logs/nginx/out_web.nginx.com.access.log;
    error_log /data/logs/nginx/out_web.nginx.com.error.log;
    location /api_weixin/ {
        proxy_pass https://api.weixin.qq.com/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
    location /open_weixin/ {
        proxy_pass https://open.weixin.qq.com/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
}
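Both outbound configurations above proxy to https:// upstreams, but nginx does not check the upstream certificate unless proxy_ssl_verify is switched on (the default is off), and it does not send SNI unless proxy_ssl_server_name is on, so the DMZ-to-Internet hop would accept whatever certificate it is shown. The block below is an added example, not from the original post, that limits who may use the egress proxy and verifies the upstream certificate on each published path. The intranet range 10.20.0.0/16 and the CA bundle path /etc/ssl/certs/ca-certificates.crt are assumptions.

```nginx
# Added example (not from the original post): the DMZ egress nginx from 2.2 with
# upstream TLS verification and a source restriction. 10.20.0.0/16 (the range of
# the app nginx in the intranet zone) and the CA bundle path are assumptions.
server {
    listen 80;
    server_name web.nginx.com;
    access_log /data/logs/nginx/out_web.nginx.com.access.log;
    error_log /data/logs/nginx/out_web.nginx.com.error.log;

    # Only the app nginx in the intranet zone may use this egress path
    allow 10.20.0.0/16;
    deny all;

    # A request that matches no published external resource is rejected, so the
    # server cannot be used as a general-purpose forward proxy
    location / {
        return 404;
    }

    location /api_weixin/ {
        proxy_pass https://api.weixin.qq.com/;
        # Send SNI for the real upstream name and verify its certificate chain
        # against the trusted CA bundle; both are off by default in nginx.
        proxy_ssl_server_name on;
        proxy_ssl_name api.weixin.qq.com;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }

    location /open_weixin/ {
        proxy_pass https://open.weixin.qq.com/;
        proxy_ssl_server_name on;
        proxy_ssl_name open.weixin.qq.com;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
}
```

The internal X-Real-IP and X-Forwarded-For headers from the original block are deliberately left out of the external hop: the external API has no use for intranet addresses, and the access log on this server already records which internal caller made each outbound request.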