Help request: Nginx reverse proxy cannot connect to the upstream server
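Hey, let me help you work through this problem! Starting from your configuration and what you actually need, we'll solve it step by step:
I. Fix the core problem first: the upstream connection failure
- First confirm that the Spring application itself is reachable
  On the server, run `curl http://localhost:8080` and see whether your Spring application responds normally. If the local curl fails too, the problem is in the application itself: first make sure it has started properly and that the port is not occupied by another process.
- Check the Nginx error log for clues
  This is the most direct way to troubleshoot. Look in `/var/log/nginx/error.log`; the log states clearly why the connection to the upstream failed, for example connection refused (the application is not started) or timeout (a network or configuration problem).
- Complete the necessary reverse proxy configuration
  Your `location /` contains only `proxy_pass` and is missing the key request headers and timeout settings, which can prevent the upstream application from handling requests correctly. I suggest adding them:

```nginx
location / {
    proxy_pass http://localhost:8080/;

    # Pass the client's real IP and Host information to the upstream application
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Set timeouts to avoid connection timeouts
    proxy_connect_timeout 30s;
    proxy_send_timeout 30s;
    proxy_read_timeout 30s;
}
```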
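II. Configure forwarding rules for the two Spring applications
You have two applications on 8080 and 8081. Two common forwarding approaches are recommended:
Option 1: distinguish by sub-path (no extra DNS configuration needed)
For example, papaluz.com/app1 is forwarded to 8080 and papaluz.com/app2 is forwarded to 8081, configured as follows: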
```nginx
server {
    listen 443 ssl;
    server_name papaluz.com;

    ssl_certificate /etc/letsencrypt/live/papaluz.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/papaluz.com/privkey.pem;

    # Enable the secure SSL settings (explained later)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    # Forward to the application on 8080
    location /app1/ {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Forward to the application on 8081
    location /app2/ {
        proxy_pass http://localhost:8081/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Default to the application on 8080 (optional)
    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
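Option 2: distinguish by subdomain (DNS records must be set up first)
For example, app1.papaluz.com maps to 8080 and app2.papaluz.com maps to 8081; two server blocks are all that is needed: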
```nginx
# Subdomain configuration for the application on 8080
server {
    listen 443 ssl;
    server_name app1.papaluz.com;

    ssl_certificate /etc/letsencrypt/live/papaluz.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/papaluz.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Subdomain configuration for the application on 8081
server {
    listen 443 ssl;
    server_name app2.papaluz.com;

    ssl_certificate /etc/letsencrypt/live/papaluz.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/papaluz.com/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    location / {
        proxy_pass http://localhost:8081/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
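III. About the SSL settings you commented out
The settings ChatGPT gave you are the industry-recommended secure SSL configuration, and enabling them is strongly advised:
- `ssl_protocols TLSv1.2 TLSv1.3`: disables the old, insecure TLS 1.0/TLS 1.1 and supports only the secure newer versions
- `ssl_prefer_server_ciphers off`: lets the client choose the best cipher suite it supports, improving compatibility
- `ssl_ciphers ...`: specifies a list of secure cipher suites, avoiding weak encryption algorithms
Enabling these settings makes your HTTPS service more secure and also avoids some client compatibility problems.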
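Finally, the verification steps after configuring
- Check the Nginx configuration syntax: `sudo nginx -t`
- Once the syntax is correct, reload the configuration: `sudo systemctl reload nginx`
- Test HTTPS access: use a browser or `curl https://papaluz.com` to check whether forwarding works
- If there are still problems, go back to `/var/log/nginx/error.log` for the specific error message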
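
Both the log-checking step in part I and the last verification step come down to reading `/var/log/nginx/error.log` and telling connection refused apart from timeout. The script below is an added example, not part of the original answer: it groups upstream errors by backend and cause and attaches the explanation given above. The sample log lines are constructed, and the `triage` function and `HINTS` table are names made up for this illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in nginx's error.log format (not taken from a real server).
SAMPLE_LOG = '''\
2024/05/01 12:00:01 [error] 1234#1234: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: papaluz.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/", host: "papaluz.com"
2024/05/01 12:00:02 [error] 1234#1234: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: papaluz.com, request: "GET /favicon.ico HTTP/1.1", upstream: "http://127.0.0.1:8080/favicon.ico", host: "papaluz.com"
2024/05/01 12:03:40 [error] 1234#1234: *9 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 203.0.113.7, server: papaluz.com, request: "GET /app2/report HTTP/1.1", upstream: "http://127.0.0.1:8081/report", host: "papaluz.com"
2024/05/01 12:04:10 [error] 1234#1234: *11 open() "/usr/share/nginx/html/robots.txt" failed (2: No such file or directory), client: 203.0.113.7, server: papaluz.com, request: "GET /robots.txt HTTP/1.1", host: "papaluz.com"
'''

# Linux errno values mapped to the causes named in the troubleshooting steps.
HINTS = {
    111: "connection refused: application not started or not listening on this port",
    110: "timeout: network or configuration problem",
}

# "(errno: message) while <phase>, ... upstream: "<url>"" identifies an upstream error.
UPSTREAM_ERR = re.compile(
    r'\((?P<errno>\d+): (?P<msg>[^)]+)\) while (?P<phase>[^,]+),'
    r'.*?upstream: "(?P<upstream>[^"]+)"'
)

def triage(log_text):
    """Count upstream failures per (backend, errno, phase), most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UPSTREAM_ERR.search(line)
        if m:  # lines without an upstream field (e.g. missing static files) are skipped
            backend = urlsplit(m["upstream"]).netloc
            counts[(backend, int(m["errno"]), m["msg"], m["phase"])] += 1
    return [
        {"upstream": up, "errno": no, "message": msg, "phase": phase, "count": n,
         "hint": HINTS.get(no, "not covered above; read the full log line")}
        for (up, no, msg, phase), n in counts.most_common()
    ]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f'{row["count"]:>3}x {row["upstream"]} ({row["phase"]}): {row["hint"]}')
```

To run it against a real server, pass the contents of `/var/log/nginx/error.log` to `triage` instead of `SAMPLE_LOG`.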
Note: content sourced from Stack Exchange; question asked by milanHrabos




