1、部署yaml配置
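---
# ConfigMap for Nginx TCP proxy configuration
#
# Mounted at /etc/nginx/templates/ by the nginx-http-proxy Deployment. The
# official nginx image's entrypoint renders every *.template file with
# envsubst before the server starts, so the ${...} placeholders below are
# filled from the container environment.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: dag
data:
  # Main configuration: process/user settings, events, and the http block
  # that pulls in the other rendered files via relative `include` lines.
  # NOTE(review): ${USER}, ${WORKER_PROCESSES}, ${ERROR_LOG_LEVEL},
  # ${WORKER_CONNECTIONS} and ${NGINX_LOCAL_RESOLVERS} are not defined in the
  # Deployment shown alongside this ConfigMap, and the entrypoint's default
  # output directory (NGINX_ENVSUBST_OUTPUT_DIR) is /etc/nginx/conf.d, not
  # /etc/nginx — confirm both are supplied where this is actually deployed.
  nginx.conf.template: |
    # nginx.conf - 主配置文件
    user ${USER}; # 运行进程的Linux用户
    worker_processes ${WORKER_PROCESSES}; # Worker进程数(建议设为CPU核心数)
    worker_rlimit_nofile 65535; # 增加文件描述符限制
    # 错误日志配置(级别可选:debug|info|notice|warn|error|crit)
    error_log /var/log/nginx/error.log ${ERROR_LOG_LEVEL};
    pid /var/run/nginx.pid; # 进程PID文件位置
    events {
        worker_connections ${WORKER_CONNECTIONS}; # 单个Worker最大连接数
        use epoll; # Linux高性能事件模型
        worker_aio_requests 32; # 异步I/O请求数
        multi_accept on; # 一次性接受所有新连接
    }
    http {
        # 基础MIME类型映射
        include /etc/nginx/mime.types;
        default_type application/octet-stream; # 默认MIME类型
        # DNS解析配置
        resolver ${NGINX_LOCAL_RESOLVERS};
        # 日志格式配置
        include log.conf;
        # gzip压缩配置
        include gzip.conf;
        # 其他HTTP全局配置
        include http.conf;
        # 虚拟主机配置
        include server.conf;
    }
  # http-level hardening, buffer, timeout and file-cache settings.
  # NOTE(review): client_max_body_size 0 disables the request-body limit (the
  # inline comment itself recommends a limit in production), and the
  # X-Frame-Options / X-Content-Type-Options headers are still commented out.
  http.conf.template: |
    # 防止点击劫持
    #add_header X-Frame-Options "SAMEORIGIN" always;
    # 阻止MIME类型嗅探
    #add_header X-Content-Type-Options "nosniff" always;
    # 启用XSS过滤
    #add_header X-XSS-Protection "1; mode=block" always;
    # 安全增强
    server_tokens off; # 隐藏Nginx版本号
    # 性能优化配置
    sendfile on; # 启用高效文件传输
    tcp_nopush on; # 仅在sendfile开启时有效,合并数据包
    tcp_nodelay on; # 禁用Nagle算法,减少延迟
    # 超时控制
    keepalive_requests 1000; # 单连接最大请求数
    keepalive_timeout 15 10; # 客户端保持连接超时
    client_header_timeout 10; # 请求头超时
    client_body_timeout 10; # 请求体超时
    send_timeout 10; # 响应传输超时
    # 请求体处理
    client_max_body_size 0; # 最大请求体大小(0=不限制,生产环境建议设置)
    client_body_buffer_size 64k; # 请求体缓冲区大小
    client_header_buffer_size 4k; # 请求头缓冲区
    large_client_header_buffers 1 128k; # 大型请求头缓冲区
    # 输出控制
    output_buffers 4 32k; # 响应数据缓冲区
    postpone_output 1460; # 最小数据累积量(MTU相关)
    aio threads; # 启用异步I/O
    directio 4m; # 大文件直接I/O
    # 响应头优化
    #underscores_in_headers off; # 禁用下划线头(安全)
    # 文件描述符缓存(优化静态文件)
    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
  # gzip settings. Note the inline comment says "1KB" while the configured
  # minimum is 256 bytes — the value, not the comment, is what applies.
  gzip.conf.template: |
    # gzip.conf - 压缩配置
    gzip on; # 启用Gzip压缩
    gzip_min_length 256; # 最小压缩文件大小(1KB)
    gzip_buffers 4 8k; # 压缩缓冲区
    gzip_comp_level 6; # 压缩级别(1-9,平衡CPU/压缩率)
    gzip_proxied expired no-cache no-store private auth any; # 对代理请求启用压缩
    gzip_vary on; # 添加Vary响应头
    gzip_http_version 1.0; # 最低HTTP版本
    gzip_disable "msie6"; # 禁用旧版IE压缩
    # 需压缩的MIME类型(现代Web应用完整列表)
    gzip_types
        application/atom+xml
        application/geo+json
        application/javascript
        application/x-javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rdf+xml
        application/rss+xml
        application/vnd.ms-fontobject
        application/wasm
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/eot
        font/otf
        font/ttf
        image/bmp
        image/svg+xml
        image/vnd.microsoft.icon
        image/x-icon
        text/cache-manifest
        text/calendar
        text/css
        text/javascript
        text/markdown
        text/plain
        text/xml
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
  # JSON access log. `escape=json` makes nginx escape quotes, backslashes and
  # control characters in every logged variable, so a crafted User-Agent,
  # Referer or query string can neither break the JSON structure nor inject a
  # fake log record; without it the line is only JSON-shaped. Supported since
  # nginx 1.11.8 (the Deployment pins nginx:1.26.3).
  log.conf.template: |
    log_format main escape=json '{"time": "$time_iso8601", "remote_addr": "$remote_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "remote_user": "$remote_user", "bytes_sent": "$bytes_sent", "request_time": "$request_time", "upstream_response_time": "$upstream_response_time", "status": "$status", "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": "$request_length", "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "upstream_status": "$upstream_status", "upstream_addr": "$upstream_addr", "http_sv": "$http_sv", "data_name": "$http_data_name", "upstream_header_time": "$upstream_header_time", "fixed_src": "$http_fixed_src", "size": "$http_size"}';
    access_log /var/log/nginx/access.log main;
  # Virtual host. `location /` answers 200 for every path (this is also what
  # the Deployment's readiness probe hits); /xxl-job-admin is proxied to
  # http://prod-xxl-job with no proxy_set_header, so the upstream sees
  # Host=prod-xxl-job and no X-Forwarded-For even though the access log
  # records $proxy_add_x_forwarded_for. NOTE(review): a literal hostname in
  # proxy_pass is resolved once at startup, not through the `resolver`
  # directive — a reload is needed if the upstream address changes.
  server.conf.template: |
    # server.conf - 虚拟主机配置
    server {
        # 监听端口
        listen 80;
        #listen [::]:80;
        # 服务器域名,可替换为实际域名
        server_name _;
        # 主请求处理路径
        location / {
            # 静态资源路径映射
            return 200;
            # 默认索引文件
            index index.html index.htm;
            # 包含扩展location配置
            #include location.conf;
        }
        location /xxl-job-admin {
            proxy_pass http://prod-xxl-job;
        }
    }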
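---
# Deployment for Nginx TCP proxy
#
# Two replicas of the official nginx image, configured entirely from the
# nginx-config ConfigMap mounted as /etc/nginx/templates/.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-http-proxy
  namespace: dag
  labels:
    app: nginx-http-proxy
    component: http-proxy
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-http-proxy
      component: http-proxy
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0  # never drop below the configured replica count during a rollout
  template:
    metadata:
      labels:
        app: nginx-http-proxy
        component: http-proxy
    spec:
      containers:
        - name: nginx
          image: nginx:1.26.3
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
              name: http-proxy
              protocol: TCP
          # Readiness only; there is no livenessProbe, so a wedged worker is
          # taken out of the Service but the pod is never restarted.
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 80
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 2
          # NOTE(review): only TZ is set here, but the templates in the
          # ConfigMap reference ${USER}, ${WORKER_PROCESSES},
          # ${ERROR_LOG_LEVEL}, ${WORKER_CONNECTIONS} and
          # ${NGINX_LOCAL_RESOLVERS}. The image's entrypoint substitutes only
          # variables present in the container env and writes rendered files
          # to NGINX_ENVSUBST_OUTPUT_DIR (default /etc/nginx/conf.d) — confirm
          # these are supplied elsewhere (e.g. an envFrom not shown here).
          env:
            - name: TZ
              value: "Asia/Shanghai"
          volumeMounts:
            - mountPath: /etc/nginx/templates/
              name: nginx-config
          # Requests are far below limits (Burstable QoS); the 8Gi/4-CPU
          # ceiling is a cap, not a reservation.
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "8Gi"
              cpu: "4000m"
          # The nginx master runs as root and drops to ${USER} for workers;
          # that setuid path does not need privilege escalation, so this is
          # safe to forbid for the container.
          securityContext:
            allowPrivilegeEscalation: false
      volumes:
        - name: nginx-config
          configMap:
            name: nginx-config
      securityContext:
        fsGroup: 101  # gid of the image's `nginx` user, so mounted files are group-readable
      nodeSelector:
        node-role.kubernetes.io/xx: ''
      # A toleration with operator Exists and no `effect` matches every
      # effect for that key, so the former second entry (same key, effect
      # NoSchedule) was redundant and has been dropped.
      tolerations:
        - key: node-role.kubernetes.io/xx
          operator: Exists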
---
# ClusterIP Service for TCP proxy
#
# Cluster-internal front door for the nginx-http-proxy pods; targets the
# container port by its name (http-proxy) rather than by number.
apiVersion: v1
kind: Service
metadata:
  name: nginx-http-proxy-service
  namespace: dag
  labels:
    component: http-proxy
    app: nginx-http-proxy
spec:
  type: ClusterIP
  sessionAffinity: None  # plain round-robin across the pods
  selector:
    component: http-proxy
    app: nginx-http-proxy
  ports:
    - name: http-proxy
      protocol: TCP
      port: 80
      targetPort: http-proxy
2、配置热更新
修改 ConfigMap 后等待 1 分钟左右,再在容器内执行:/docker-entrypoint.sh nginx -s reload
