Nginx Stream模块讲解

Nginx Stream模块是Nginx从1.9.0版本开始引入的核心模块，它允许Nginx在传输层（TCP/UDP）进行流量代理和负载均衡，而不仅仅局限于应用层（HTTP）。

1、HTTP模块与Stream模块区别

特性	HTTP模块	Stream模块
OSI层级	应用层（第7层）	传输层（第4层）
协议支持	HTTP/HTTPS等应用协议	TCP/UDP协议
解析能力	解析HTTP	仅转发流量
典型应用场景	Web应用代理	通用TCP/UDP代理

2、检查Nginx是否支持Stream

nginx -V 2>&1 | grep -i stream

1	nginx -V 2>&1 \| grep -i stream

期望输出：

--with-stream
--with-stream_ssl_module
--with-stream_realip_module

如果没有，需要重新编译Nginx，编译时指定stream参数，如--with-stream --with-stream_ssl_module

3、配置结构

Stream模块的配置与HTTP模块类似，但有自己的上下文，Stream与HTTP模块是平级关系。

stream {
    # 上游服务器组定义
    upstream backend {
        server backend1.example.com:12345;
        server backend2.example.com:12345;
    }
    
    # 服务器监听配置
    server {
        listen 12345;
        proxy_pass backend;

        # 超时设置
        proxy_connect_timeout 5s;
        proxy_timeout 30s;
        
        # 日志
        access_log /var/log/nginx/stream_access.log;
        error_log /var/log/nginx/stream_error.log;
    }
}

stream {

# 上游服务器组定义

upstream backend {

server backend1.example.com:12345;

server backend2.example.com:12345;

}

# 服务器监听配置

server {

listen 12345;

proxy_pass backend;

# 超时设置

proxy_connect_timeout 5s;

proxy_timeout 30s;

# 日志

access_log /var/log/nginx/stream_access.log;

error_log /var/log/nginx/stream_error.log;

}

4、关键指令详解

listen 12345; # 监听TCP 12345端口
listen 12345 udp; # 监听UDP 12345端口
proxy_pass backend; # 代理到服务器组
proxy_pass 127.0.0.1:3306; # 代理到指定的地址
proxy_timeout 30s; # 30秒无活动则关闭连接
proxy_connect_timeout 5s; # 5秒内未连接成功则超时

5、一些演示示例

①、MQTT消息代理，适用于IoT设备连接，需要处理大量并发TCP连接场景。

stream {
    # MQTT Broker 集群
    upstream mqtt_brokers {
        hash $remote_addr consistent;  # 一致性哈希，保证同一设备连同一节点
        
        server 192.168.1.40:1883 max_fails=2 fail_timeout=10s;
        server 192.168.1.41:1883 max_fails=2 fail_timeout=10s;
        server 192.168.1.42:1883 max_fails=2 fail_timeout=10s;
    }
    
    server {
        listen 1883;
        proxy_pass mqtt_brokers;
        
        # IoT 设备连接时间长，需要优化
        proxy_connect_timeout 10s;
        proxy_timeout 1h;  # 长连接
        
        # 缓冲区
        proxy_buffer_size 8k;
        proxy_buffers 8 16k;
        
        # 日志记录客户端 IP
        access_log /var/log/nginx/mqtt_access.log;
        
        # 限制并发连接
        limit_conn conn_limit 1000;
    }
    
    # 连接数限制区域
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
}

stream {

# MQTT Broker 集群

upstream mqtt_brokers {

hash $remote_addr consistent; # 一致性哈希，保证同一设备连同一节点

server 192.168.1.40:1883 max_fails=2 fail_timeout=10s;

server 192.168.1.41:1883 max_fails=2 fail_timeout=10s;

server 192.168.1.42:1883 max_fails=2 fail_timeout=10s;

}

server {

listen 1883;

proxy_pass mqtt_brokers;

# IoT 设备连接时间长，需要优化

proxy_connect_timeout 10s;

proxy_timeout 1h; # 长连接

# 缓冲区

proxy_buffer_size 8k;

proxy_buffers 8 16k;

# 日志记录客户端 IP

access_log /var/log/nginx/mqtt_access.log;

# 限制并发连接

limit_conn conn_limit 1000;

}

# 连接数限制区域

limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

}

②、MQTT加密TLS配置示例。

stream {
    upstream mqtt_brokers {    
        server 192.168.1.40:1883 max_fails=2 fail_timeout=10s;
        server 192.168.1.41:1883 max_fails=2 fail_timeout=10s;
        server 192.168.1.42:1883 max_fails=2 fail_timeout=10s;
    }
    
    server {
        listen 8883 ssl;
        proxy_pass mqtt_brokers;
        
        # SSL 证书
        ssl_certificate ssl/mqtt.crt;
        ssl_certificate_key ssl/mqtt.key;
        
        # SSL 优化
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1h;
    }
}

stream {

upstream mqtt_brokers {

server 192.168.1.40:1883 max_fails=2 fail_timeout=10s;

server 192.168.1.41:1883 max_fails=2 fail_timeout=10s;

server 192.168.1.42:1883 max_fails=2 fail_timeout=10s;

}

server {

listen 8883 ssl;

proxy_pass mqtt_brokers;

# SSL 证书

ssl_certificate ssl/mqtt.crt;

ssl_certificate_key ssl/mqtt.key;

# SSL 优化

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 1h;

}

③、最小化端口转发配置

stream {
    server {
        listen 8011;
        proxy_pass 127.0.0.1:8088;
    }
}

stream {

server {

listen 8011;

proxy_pass 127.0.0.1:8088;

}

④、增加白名单的最小化端口转发配置

stream {
    server {
        listen 8011;
        allow 10.10.10.10;
        deny all; 
        proxy_pass 127.0.0.1:8088;
    }
}

stream {

server {

listen 8011;

allow 10.10.10.10;

deny all;

proxy_pass 127.0.0.1:8088;

}

原文链接：Nginx Stream模块讲解，转载请注明来源！

赏

发表回复 取消回复

发表回复取消回复