nginx配置协议

1. 7层协议

OSI（Open System Interconnection）是一个开放性的通行系统互连参考模型，他是一个定义的非常好的协议规范，共包含七层协议。直接上图，这样更直观些：

1.1 协议配置

1.1.1 7层配置

这里我们举例，在nginx做负载均衡，负载多个服务，部分服务是需要7层的，部分服务是需要4层的，也就是说7层和4层配置在同一个配置文件中。

准备三台机器:

代理机：
[root@bogon ~]# cat /etc/nginx/nginx.confuser  nginx;
worker_processes  auto;#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;error_log /var/log/nginx/error.log;
pid       /var/run/nginx.pid;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log  /var/log/nginx/access.log   main;sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;#gzip  on;upstream web {#ip_hashserver 192.168.222.133;server 192.168.222.134;}server {listen       80;server_name  localhost;#charset koi8-r;#access_log  logs/host.access.log  main;location / {proxy_pass http://web;proxy_redirect default;proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_connect_timeout 30;proxy_send_timeout 60;proxy_read_timeout 60;}error_page   500 502 503 504  /50x.html;location = /50x.html {root   html;}}}[root@bogon ~]# nginx -s stop
[root@bogon ~]# nginx后端机器一：
[root@bogon ~]# cd /etc/nginx/conf.d/
[root@bogon conf.d]# cat default.conf 
server {listen       80;server_name  localhost;#access_log  /var/log/nginx/host.access.log  main;location / {root  /usr/share/nginx/html;index index.html;} }在/usr/share/nginx/html/index.html的基础上加2222 ，跟机器二区分开
echo 2222 >>  /usr/share/nginx/html/index.html
后端机器二：
[root@bogon ~]# cat /etc/nginx/nginx.confuser  nginx;
worker_processes  auto;#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;error_log /var/log/nginx/error.log;
pid       /var/run/nginx.pid;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log  /var/log/nginx/access.log  main;sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;#gzip  on;server {listen       80;server_name  localhost;location / {root   html;index index.html;    }#error_page  404              /404.html;}}

验证：（刷新就换成另一个机器了）

2. 4层协议

TCP/IP协议

之所以说TCP/IP是一个协议族，是因为TCP/IP协议包括TCP、IP、UDP、ICMP、RIP、SMTP、ARP、TFTP等许多协议，这些协议一起称为TCP/IP协议。

从协议分层模型方面来讲，TCP/IP由四个层次组成：网络接口层、网络层、传输层、应用层。

增加了一个 stream 模块，用来实现四层协议（网络层和传输层）的转发、代理、负载均衡等。stream模块的用法跟http的用法类似，允许我们配置一组TCP或者UDP等协议的监听

 ngx_stream_core_module ，这个模块默认有

2.1 4层配置

4层tcp负载 
stream {
   upstream ssh_01 {
     server 192.168.209.129:22;
        }

   server {
    listen 6666;
    proxy_pass ssh_01;
    proxy_timeout 60s;
    proxy_connect_timeout 30s;
        }
}

stream块是与http块同一级别

机器一：192.168.222.132[root@bogon ~]# cat /etc/nginx/nginx.confuser  nginx;
worker_processes  auto;#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;error_log /var/log/nginx/error.log;
pid       /var/run/nginx.pid;events {worker_connections  1024;
}stream {upstream ssh_01 {server 192.168.222.133:22;}server {listen 6666;proxy_pass ssh_01;proxy_timeout 60s;proxy_connect_timeout 30s;}
}http {include       mime.types;default_type  application/octet-stream;log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log  /var/log/nginx/access.log   main;sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;#gzip  on;upstream web {#ip_hashserver 192.168.222.133;server 192.168.222.134;}server {listen       80;server_name  localhost;#charset koi8-r;#access_log  logs/host.access.log  main;location / {proxy_pass http://web;proxy_redirect default;proxy_set_header Host $http_host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_connect_timeout 30;proxy_send_timeout 60;proxy_read_timeout 60;}error_page   500 502 503 504  /50x.html;location = /50x.html {root   html;}}}[root@bogon ~]# nginx -s stop
[root@bogon ~]# nginx 机器二：192.168.222.133[root@bogon ~]# cat /etc/nginx/nginx.conf
user  nginx;
worker_processes  auto;#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;error_log /var/log/nginx/error.log;
pid       /var/run/nginx.pid;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;log_format  main  '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log  /var/log/nginx/access.log  main;sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;#gzip  on;server {listen       80;server_name  localhost;location / {root   html;index index.html;    }#error_page  404              /404.html;}}

验证：（机器一）

[root@bogon ~]# ssh 192.168.222.132 -p6666
The authenticity of host '[192.168.222.132]:6666 ([192.168.222.132]:6666)' can't be established.
ECDSA key fingerprint is SHA256:DM5hGfyyepIDAXXk7F1Wb15peBrU+6sWURjGKs9tJzs.
ECDSA key fingerprint is MD5:64:0d:1d:d4:69:2d:88:b1:73:94:47:6f:cf:4c:aa:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.222.132]:6666' (ECDSA) to the list of known hosts.
root@192.168.222.132's password: 
Last login: Fri May  9 17:08:51 2025 from 192.168.222.1[root@bogon ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 00:0c:29:79:35:d4 brd ff:ff:ff:ff:ff:ffinet 192.168.222.133/24 brd 192.168.222.255 scope global noprefixroute dynamic ens33valid_lft 1078sec preferred_lft 1078secinet6 fe80::ea55:4601:d3d2:d039/64 scope link noprefixroute valid_lft forever preferred_lft forever