## 一、为什么Java应用需要Nginx

在Java应用（如Spring Boot、Tomcat等）的生产部署中，Nginx扮演着关键角色：

- 反向代理：隐藏真实应用服务器细节
- 负载均衡：分发流量到多个Java实例
- 静态资源处理：高效提供图片、CSS、JS等
- SSL终结：统一管理HTTPS证书
- 限流熔断：保护后端Java服务

## 二、基础配置示例

### 场景1：最简单的反向代理（Spring Boot）

```nginx
# /etc/nginx/conf.d/java-app.conf
upstream my_java_app {
    server 127.0.0.1:8080;  # Spring Boot默认端口
}

server {
    listen 80;
    server_name api.example.com;

    # 请求转发到Java应用
    location / {
        proxy_pass http://my_java_app;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

### 场景2：多实例负载均衡

```nginx
upstream java_cluster {
    # 负载均衡策略（默认轮询）
    server 10.0.1.10:8080 weight=3 max_fails=3 fail_timeout=30s;
    server 10.0.1.11:8080 weight=2 max_fails=3 fail_timeout=30s;
    server 10.0.1.12:8080 backup;  # 备份服务器

    # 健康检查（Nginx Plus特有）
    # health_check interval=5s fails=3 passes=2;
}

server {
    listen 80;
    server_name app.mycompany.com;

    location / {
        proxy_pass http://java_cluster;

        # 连接超时配置
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # 缓冲区配置
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }

    # 健康检查端点（绕过负载均衡）
    location /health {
        proxy_pass http://java_cluster/actuator/health;
        access_log off;
    }
}
```

注意：上面的 `/health` 把 Spring Boot Actuator 端点直接暴露到了公网，生产环境应通过 `allow`/`deny` 限制来源 IP，或只在内网地址上监听该端点。

### 场景3：动静分离（最佳实践）

```nginx
server {
    listen 80;
    server_name www.example.com;

    # 静态资源由Nginx直接处理
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf)$ {
        root /var/www/static;
        expires 30d;
        add_header Cache-Control "public, immutable";

        # 静态文件不存在时回源到Java
        try_files $uri @fallback;
    }

    # HTML页面走Java（需要动态渲染）
    location ~* \.html$ {
        proxy_pass http://java_cluster;
        proxy_set_header Host $host;
    }

    # API请求走Java
    location /api/ {
        proxy_pass http://java_cluster/api/;
        proxy_set_header X-Request-ID $request_id;
    }

    # 其他请求走Java
    location / {
        proxy_pass http://java_cluster;
    }

    # 回源处理
    location @fallback {
        proxy_pass http://java_cluster;
    }
}
```

### 场景4：WebSocket支持（Spring Boot STOMP）

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream websocket_backend {
    server 127.0.0.1:8080;
    keepalive 32;  # 保持长连接
}

server {
    listen 80;
```
```nginx
    server_name chat.example.com;

    location /ws/ {
        proxy_pass http://websocket_backend;

        # WebSocket关键配置
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # 长连接超时
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }

    location / {
        proxy_pass http://websocket_backend;
    }
}
```

### 场景5：SSL/TLS配置（生产必备）

```nginx
server {
    listen 443 ssl http2;
    server_name api.example.com;

    # 证书配置
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # 安全配置（A+评分）
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # HSTS强制HTTPS
    add_header Strict-Transport-Security "max-age=63072000" always;

    # 会话复用
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_session_tickets off;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;

    location / {
        proxy_pass http://java_cluster;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# HTTP自动跳转HTTPS
server {
    listen 80;
    server_name api.example.com;
    return 301 https://$server_name$request_uri;
}
```

注意：`ssl_stapling_verify on` 需要同时用 `ssl_trusted_certificate` 指定颁发机构证书链，否则 Nginx 无法校验 OCSP 响应。

## 三、高级配置技巧

### 1. 限流保护（防止Java应用被打爆）

```nginx
# 定义限流区域
limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

server {
    location /api/login {
        # 请求限流：每秒5次，突发10次
        limit_req zone=login_limit burst=10 nodelay;
        limit_req_status 429;

        # 并发连接限制：每个IP最多10个连接
        limit_conn conn_limit 10;

        proxy_pass http://java_cluster;
    }

    # 白名单（VIP用户不限流）
    location /api/admin {
        allow 192.168.1.0/24;
        deny all;
        limit_req zone=login_limit burst=100 nodelay;
        proxy_pass http://java_cluster;
    }
}
```
### 2. 缓存配置（减少Java压力）

```nginx
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=java_cache:100m max_size=10g inactive=60m use_temp_path=off;

server {
    location /api/public/ {
        proxy_cache java_cache;
        proxy_cache_key "$scheme$request_method$host$request_uri";
        proxy_cache_valid 200 302 60m;
        proxy_cache_valid 404 1m;
        proxy_cache_min_uses 3;

        # 缓存穿透保护
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;

        # 添加缓存状态头
        add_header X-Cache-Status $upstream_cache_status;

        proxy_pass http://java_cluster;
    }

    # 缓存清理（需安装ngx_cache_purge模块）
    location ~ /purge(/.*) {
        allow 127.0.0.1;
        deny all;
        proxy_cache_purge java_cache "$scheme$request_method$host$1";
    }
}
```

注意：缓存键中不包含 Cookie 或 Authorization，因此 `/api/public/` 下只能放与用户无关的公共响应，否则一个用户的响应会被缓存并返回给其他用户。

### 3. 日志优化（便于排查Java问题）

```nginx
log_format java_main '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for" '
                     'rt=$request_time urt="$upstream_response_time" '
                     'uct="$upstream_connect_time" uht="$upstream_header_time" '
                     'cache=$upstream_cache_status';

server {
    access_log /var/log/nginx/java-access.log java_main buffer=32k flush=5s;
    error_log /var/log/nginx/java-error.log warn;

    # 采集真实耗时
    location / {
        proxy_pass http://java_cluster;
        proxy_set_header X-Request-Start "t=${msec}";
    }
}
```

### 4. 灰度发布/蓝绿部署

```nginx
# 根据Cookie分流
upstream java_stable {
    server 10.0.1.10:8080 weight=100;
}

upstream java_canary {
    server 10.0.1.20:8080 weight=100;
}

server {
    set $backend java_stable;

    # 如果Cookie中有canary=1，则走灰度环境
    if ($http_cookie ~* "canary=1") {
        set $backend java_canary;
    }

    # 根据IP灰度10%流量
    if ($remote_addr ~* "^10\.0\.[0-9]\.[0-9]") {
        set $backend java_canary;
    }

    location / {
        proxy_pass http://$backend;
    }
}
```

注意：Cookie 由客户端控制，任何人都可以自行设置 `canary=1` 进入灰度环境，因此灰度版本不应依赖这一分流来隐藏未发布功能或放宽安全检查。

## 四、Docker环境配置示例

### docker-compose.yml

```yaml
version: '3.8'
services:
  nginx:
    image: nginx:alpine
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./static:/var/www/static
    ports:
      - "80:80"
      - "443:443"
    networks:
      - backend

  java-app:
    build: .
```
```yaml
    environment:
      - SPRING_PROFILES_ACTIVE=prod
    networks:
      - backend

networks:
  backend:
    driver: bridge
```

### Nginx Docker配置

```nginx
upstream java_apps {
    # Docker Compose服务发现
    server java-app:8080;
}

server {
    listen 80;
    resolver 127.0.0.11 valid=30s;  # Docker DNS

    location / {
        proxy_pass http://java_apps;
        proxy_set_header Host $host;
    }
}
```

## 五、常见问题排查

### 1. 转发后获取真实客户端IP

Java代码接收真实IP：

```java
@RestController
public class ClientController {

    @GetMapping("/ip")
    public String getRealIp(HttpServletRequest request) {
        String realIp = request.getHeader("X-Real-IP");
        if (realIp == null) {
            realIp = request.getHeader("X-Forwarded-For");
        }
        if (realIp == null) {
            realIp = request.getRemoteAddr();
        }
        return realIp;
    }
}
```

注意：这两个请求头都可以由客户端伪造，只有在 Java 应用仅能经由 Nginx 访问（Nginx 用 `$remote_addr` 覆盖 `X-Real-IP`）时才可信；`X-Forwarded-For` 由 `$proxy_add_x_forwarded_for` 追加而非覆盖，其中可能仍带有客户端自行填入的地址，不要直接用于 IP 白名单或限流判断。

### 2. Spring Boot配置信任代理

```yaml
# application.yml
server:
  forward-headers-strategy: native  # 或 framework
  tomcat:
    remoteip:
      remote-ip-header: X-Forwarded-For
      protocol-header: X-Forwarded-Proto
```

### 3. 502 Bad Gateway排查

```bash
# 检查Java应用是否存活
curl http://127.0.0.1:8080/health

# 检查Nginx错误日志
tail -f /var/log/nginx/error.log

# 检查连接数
ss -tunap | grep :8080 | wc -l

# 临时调整超时
proxy_connect_timeout 300s;
proxy_read_timeout 300s;
```

## 六、性能调优参数

```nginx
# /etc/nginx/nginx.conf 全局配置
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 4096;
    multi_accept on;
}

http {
    # 基础优化
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # 连接超时
    keepalive_timeout 65;
    keepalive_requests 100;

    # 上游长连接
    upstream java_cluster {
        server 127.0.0.1:8080;
        keepalive 32;  # 保持长连接池
    }

    server {
        location / {
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_pass http://java_cluster;
        }
    }
}
```

## 七、总结

生产环境推荐配置组合：

- 必备：HTTPS + 反向代理 + 负载均衡
- 进阶：动静分离 + 缓存 + 限流
- 高级：WebSocket + 灰度发布 + 监控集成

验证配置正确性：

```bash
nginx -t                # 测试配置
nginx -s reload         # 平滑重启
systemctl status nginx  # 查看状态
```

这套配置已在大规模Java应用中验证，建议根据实际流量逐步调优参数。