反向代理
配置 Nginx 和 Apache 反向代理,支持 HTTPS 和负载均衡。
Nginx 配置
基础配置
创建 /etc/nginx/sites-available/gospeedtest:
nginx
# Plain-HTTP reverse proxy: every request for your-domain.com is forwarded to the
# backend on localhost:8080. Traffic on this listener is not encrypted.
# NOTE(review): the forwarded headers below only mean something if clients cannot
# reach port 8080 directly. Confirm the backend binds to loopback or is firewalled.
server {
    listen 80;
    server_name your-domain.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # X-Real-IP is the address of the peer that connected to Nginx.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
        # the client sent, so every entry except the last is client-controlled.
        # The backend should not base access control or rate limiting on the leftmost entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}
启用配置
bash
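# Enable the site by linking it into sites-enabled
ln -s /etc/nginx/sites-available/gospeedtest /etc/nginx/sites-enabled/
# Validate the configuration and reload Nginx only if validation succeeds,
# so a broken file is never pushed to the running server
nginx -t && systemctl reload nginx
HTTPS 配置(Let's Encrypt)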
nginx
# Port 80: redirect everything to HTTPS, except the ACME challenge path.
server {
    listen 80;
    server_name your-domain.com;

    location / {
        # The redirect target is built from $server_name (the configured name),
        # not from the Host header supplied by the client.
        return 301 https://$server_name$request_uri;
    }

    # Served over plain HTTP from /var/www/html; presumably used for Let's Encrypt
    # HTTP-01 validation, which must stay reachable without the redirect.
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}

# Port 443: terminate TLS here and proxy to the backend over plain HTTP on localhost.
server {
    # NOTE(review): newer Nginx releases deprecate the "http2" listen parameter in
    # favour of a separate "http2 on;" directive. Check against the installed version.
    listen 443 ssl http2;
    server_name your-domain.com;

    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    # Only TLS 1.2 and TLS 1.3 are accepted.
    ssl_protocols TLSv1.2 TLSv1.3;
    # NOTE(review): HIGH:!aNULL:!MD5 is a broad OpenSSL class. For TLS 1.2 it still
    # admits CBC-mode suites and suites without forward secrecy. Consider an explicit
    # ECDHE/AEAD list if the client population allows it.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # NOTE(review): no Strict-Transport-Security header is set in this block, so
    # browsers are not told to stay on HTTPS for later visits.

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to the client-supplied X-Forwarded-For; only the last
        # entry is written by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}
使用 Certbot 获取证书
bash
# 安装 Certbot
apt install certbot python3-certbot-nginx
# 获取证书
certbot --nginx -d your-domain.com
# 自动续期
certbot renew --dry-run负载均衡配置
nginx
# Pool of three backend instances on this host; requests are spread across them.
upstream gospeedtest_backend {
    server localhost:8080;
    server localhost:8081;
    server localhost:8082;
    # Keep up to 32 idle upstream connections open per worker for reuse.
    keepalive 32;
}

# Plain-HTTP listener in front of the pool (no TLS in this variant).
server {
    listen 80;
    server_name your-domain.com;

    location / {
        proxy_pass http://gospeedtest_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to the client-supplied value; only the last entry comes from this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # An empty Connection header lets upstream keepalive work. Unlike the basic
        # configuration, no Upgrade header is forwarded here, so WebSocket upgrades
        # are not passed through by this variant.
        proxy_set_header Connection "";
    }
}
静态资源缓存
nginx
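# Reverse proxy with long-lived browser caching for static assets.
server {
    listen 80;
    server_name your-domain.com;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Static assets, matched case-insensitively by file extension. The extension
    # group is closed with ")" before the "$" anchor; without it the regex is
    # invalid and Nginx rejects the configuration.
    # An add_header at this level replaces any add_header inherited from the server
    # block, so security headers set there must be repeated here to apply to assets.
    # NOTE(review): "immutable" with a one-year lifetime assumes asset URLs change
    # whenever their content changes. Confirm before enabling.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
        proxy_pass http://localhost:8080;
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}
Apache 配置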
基础配置
创建 /etc/apache2/sites-available/gospeedtest.conf:
apache
# Plain-HTTP virtual host that reverse-proxies everything to localhost:8080.
<VirtualHost *:80>
    ServerName your-domain.com

    # Pass the client's Host header through to the backend.
    ProxyPreserveHost On
    # Reverse proxy only: forward proxying stays off so this host cannot be used
    # as an open proxy.
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # Hard-coded to "http" because this virtual host does not terminate TLS.
    RequestHeader set X-Forwarded-Proto "http"

    # WebSocket support: requests that carry both "Upgrade: websocket" and
    # "Connection: upgrade" are proxied ([P]) to the backend over ws://.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) ws://localhost:8080/$1 [P,L]
</VirtualHost>
启用配置
bash
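# Enable the required modules
a2enmod proxy proxy_http proxy_wstunnel rewrite headers
# Enable the site
a2ensite gospeedtest
# Validate the configuration and reload Apache only if validation succeeds,
# so a broken file is never pushed to the running server
apache2ctl configtest && systemctl reload apache2
HTTPS 配置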
apache
# Port 80 only redirects to HTTPS; the target host name is fixed in the config.
<VirtualHost *:80>
    ServerName your-domain.com
    Redirect permanent / https://your-domain.com/
</VirtualHost>

# TLS-terminating virtual host; the backend is reached over plain HTTP on localhost.
# The SSL* directives need mod_ssl, which is not in the a2enmod list given for the
# basic setup (proxy proxy_http proxy_wstunnel rewrite headers); enable it with
# "a2enmod ssl".
<VirtualHost *:443>
    ServerName your-domain.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
    # NOTE(review): fullchain.pem above already carries the intermediate chain, and
    # SSLCertificateChainFile is deprecated from Apache 2.4.8 on. This line is
    # probably redundant; confirm against the installed version.
    SSLCertificateChainFile /etc/letsencrypt/live/your-domain.com/chain.pem

    # Everything older than TLS 1.2 is switched off.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # NOTE(review): HIGH:!aNULL:!MD5 is a broad OpenSSL class. For TLS 1.2 it still
    # admits CBC-mode suites and suites without forward secrecy.
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    # NOTE(review): no Strict-Transport-Security header is set in this virtual host.

    ProxyPreserveHost On
    # Reverse proxy only; forward proxying stays off.
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    RequestHeader set X-Forwarded-Proto "https"
    # "set" overwrites any X-Forwarded-For sent by the client with the connecting address.
    # NOTE(review): mod_proxy_http also appends the client address on its own, so the
    # backend may see the address twice. Verify what the backend actually receives.
    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"

    # WebSocket upgrade requests are proxied to the backend over ws://.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) ws://localhost:8080/$1 [P,L]
</VirtualHost>
TCP 端口转发
使用 Nginx Stream 模块
nginx
# Raw TCP forwarding on port 12306 through the stream module. The stream block
# sits at the top level of nginx.conf, next to the http block.
stream {
    upstream gospeedtest_tcp {
        server localhost:12306;
    }

    server {
        # NOTE(review): this listener and the upstream above use the same port. If the
        # backend also binds 12306 on this host, the two will conflict (or Nginx will
        # proxy to itself). Confirm the intended listen address and port.
        listen 12306;
        proxy_pass gospeedtest_tcp;
        proxy_timeout 60s;
        proxy_connect_timeout 10s;
        # NOTE(review): there is no allow/deny here, so the port accepts any client,
        # and the backend presumably sees connections from Nginx, not from the real client.
    }
}

http {
    # HTTP configuration...
}
使用 HAProxy
haproxy
# HTTP traffic: listen on every interface, port 80, and forward to the local backend.
# NOTE(review): no "option forwardfor" is set, so the backend presumably sees
# HAProxy's address, not the client's. Confirm if the backend relies on client IPs.
# No global/defaults section (timeouts, logging) is shown in this snippet.
frontend gospeedtest_http
    bind *:80
    mode http
    default_backend gospeedtest_http_backend

backend gospeedtest_http_backend
    mode http
    # "check" enables health checks against the backend server.
    server gospeedtest1 127.0.0.1:8080 check

# Raw TCP traffic on port 12306.
# NOTE(review): the frontend binds *:12306 and the backend server is
# 127.0.0.1:12306 on the same host. The two would compete for the same port.
# Confirm the intended bind address or port.
frontend gospeedtest_tcp
    bind *:12306
    mode tcp
    default_backend gospeedtest_tcp_backend

backend gospeedtest_tcp_backend
    mode tcp
    server gospeedtest1 127.0.0.1:12306 check
安全增强
限制访问 IP
nginx
# Restrict the whole virtual host to two private address ranges.
server {
    listen 80;
    server_name your-domain.com;

    # Rules are evaluated in order against the address of the connecting peer;
    # anything not matched by an allow line falls through to "deny all".
    # NOTE(review): if another proxy or CDN sits in front of Nginx, that peer address
    # is presumably the proxy's, not the end user's. Confirm before relying on this list.
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;

    location / {
        proxy_pass http://localhost:8080;
        # ...
    }
}
速率限制
nginx
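http {
    # One shared-memory zone named "mylimit" (10 MB), keyed by client address and
    # limited to 10 requests per second per key. limit_req_zone takes exactly one
    # zone=name:size parameter, and the name must match the limit_req line below.
    # NOTE(review): clients behind the same NAT or upstream proxy share one key.
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

    server {
        listen 80;
        server_name your-domain.com;

        location / {
            # No burst is configured, so requests above the rate are rejected, not queued.
            limit_req zone=mylimit;
            proxy_pass http://localhost:8080;
            # ...
        }
    }
}
安全头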
nginx
# Adds browser-facing security headers to every response ("always" includes error
# responses). This example listens on plain HTTP only.
server {
    listen 80;
    server_name your-domain.com;

    # Allow framing by same-origin pages only.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Stop browsers from MIME-sniffing responses away from the declared Content-Type.
    add_header X-Content-Type-Options "nosniff" always;
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers no
    # longer act on. It is not a substitute for a Content-Security-Policy, which
    # this block does not set.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # These server-level add_header lines are inherited by a location only if that
    # location defines no add_header of its own.

    location / {
        proxy_pass http://localhost:8080;
        # ...
    }
}
监控和日志
Nginx 访问日志
nginx
# Custom access-log format: client address, user, timestamp, request line, status,
# bytes sent, referer, user agent, total request time and upstream response time.
# $request is the full request line, query string included, so anything sensitive
# passed in URLs ends up in this log. Restrict read access to the log files to match.
log_format gospeedtest '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $body_bytes_sent '
                       '"$http_referer" "$http_user_agent" '
                       '$request_time $upstream_response_time';

server {
    listen 80;
    server_name your-domain.com;

    # Per-site log files; the access log uses the format defined above.
    access_log /var/log/nginx/gospeedtest-access.log gospeedtest;
    error_log /var/log/nginx/gospeedtest-error.log;

    location / {
        proxy_pass http://localhost:8080;
        # ...
    }
}
故障排除
502 Bad Gateway
- 确认 GoSpeedTest 服务是否运行
- 检查防火墙设置
- 查看 Nginx 错误日志
bash
tail -f /var/log/nginx/error.logWebSocket 连接失败
- 确保 Upgrade 和 Connection 头正确设置
- 检查代理超时设置
性能问题
- 调整 proxy_buffers 设置
- 启用缓存
- 使用 HTTP/2