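Series index:
- Part 1: "Nginx Introduction and Installation: Building a High-Performance Web Server from Scratch"
- Part 2: "Nginx Basic Configuration Explained: Core nginx.conf Settings and Virtual Hosts in Practice"
- Part 3: "Nginx Proxy Configuration Explained: The Complete Guide to Forward and Reverse Proxies"
- Part 4: "Nginx Performance Tuning and Security Configuration: Building a High-Performance Web Server"
- Part 5: "Nginx Load Balancing Configuration Explained: Load Balancing Strategies in Practice"
- Part 6: "Nginx High Availability in Practice: Keepalived + Dual-Node Hot Standby Deployment"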
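Preface
In modern network architectures, proxy servers play a crucial role. Nginx is a high-performance web server whose proxy features are widely used in scenarios ranging from enterprise intranet access control to load balancing for large websites. This article takes an in-depth look at Nginx forward and reverse proxy configuration and uses practical examples to help you master the core skills of proxy configuration.
A proxy server is essentially an intermediary that passes requests and responses between clients and servers. Depending on the direction of proxying, proxies are divided into forward proxies and reverse proxies, which differ fundamentally in their use cases and in how they work.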
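I. Proxy Server Basics
1.1 What is a proxy server
A proxy server is an intermediate server located between the client and the target server. It receives the client's request, forwards it to the target server, and returns the server's response to the client.
Basic functions of a proxy server:
- Request forwarding: forwards client requests to the target server
- Response caching: caches server responses to speed up access
- Access control: controls client access to specific resources
- Content filtering: filters out inappropriate content
- Security protection: hides the real IP address and provides a security barrier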
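1.2 Forward proxy vs reverse proxy
Forward Proxy
How it works:
- The client explicitly knows that the proxy server exists
- The client is configured with the proxy server's address
- The proxy server accesses the external network on behalf of the client
- The server does not know the real client's IP address
Use cases:
- Intranet access to the Internet in an enterprise
- Bypassing network access restrictions
- Access control and auditing
- Cache acceleration
Workflow:
Client → Proxy server → Target server
Reverse Proxy
How it works:
- The client does not know that the proxy server exists
- The client accesses the proxy server directly
- The proxy server receives client requests on behalf of the server
- The client does not know the real server's IP address
Use cases:
- Load balancing
- Security protection
- SSL offloading
- Cache acceleration
Workflow:
Client ← Proxy server ← Target server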
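Comparison summary
Feature | Forward proxy | Reverse proxy |
---|---|---|
Serves | Client | Server |
Configured on | Client | Server side |
Hides | Client IP | Server IP |
Typical use | Bypassing network restrictions, access control | Load balancing, security protection |
Configuration complexity | Simple | Complex |
Performance requirements | Moderate | High |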
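1.3 Nginx proxy modules
Nginx provides several proxy-related modules:
Core proxy modules:
- ngx_http_proxy_module: HTTP reverse proxy module
- ngx_http_upstream_module: upstream server definition module
- ngx_stream_proxy_module: TCP/UDP proxy module
Feature-enhancement modules:
- ngx_http_proxy_connect_module: HTTPS forward proxy support
- ngx_http_headers_module: HTTP header handling module
- ngx_http_cache_module: cache module
- ngx_http_ssl_module: SSL support module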
II. Forward Proxy Configuration
2.1 HTTP forward proxy configuration
Basic HTTP forward proxy
Configuration file: /usr/local/nginx/conf/conf.d/forward-proxy.conf
# =============================================
# HTTP forward proxy configuration
# Listening port: 3128
# =============================================

# Proxy cache path (proxy_cache_path is only valid in the http context,
# so it is declared outside the server block)
proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=proxy_cache:10m inactive=60m use_temp_path=off;

server {
    # Proxy listening port
    listen 3128;

    # Server name (optional)
    server_name proxy.example.com;

    # Resolver configuration (DNS servers)
    resolver 8.8.8.8 8.8.4.4 114.114.114.114;

    # Resolver timeout
    resolver_timeout 30s;

    # Access log
    access_log /var/log/nginx/proxy.access.log main;

    # Error log
    error_log /var/log/nginx/proxy.error.log warn;

    # =============================================
    # Forward proxy configuration
    # =============================================
    location / {
        # Proxy target address
        # $http_host: the requested host name
        # $request_uri: the requested URI
        proxy_pass http://$http_host$request_uri;

        # Proxy request headers
        # (X-Real-IP and X-Forwarded-For pass the client's address on to the destination site)
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Proxy timeouts
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Proxy buffers
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;

        # Proxy temporary file path
        proxy_temp_path /usr/local/nginx/proxy_temp;

        # Enable the proxy cache
        proxy_cache proxy_cache;

        # Cache validity
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;

        # Cache key
        proxy_cache_key $scheme$proxy_host$request_uri;

        # Cache status header
        add_header X-Proxy-Cache $upstream_cache_status;
    }

    # =============================================
    # Access control
    # =============================================
    # Restrict client IPs (optional)
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;

    # =============================================
    # Error handling
    # =============================================
    # Proxy connection errors
    error_page 502 503 504 /proxy_error.html;
    location = /proxy_error.html {
        root /usr/local/nginx/html;
        internal;
    }
}
HTTP forward proxy with authentication
# =============================================
# HTTP forward proxy configuration with authentication
# =============================================

# Proxy cache path (only valid in the http context)
proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=proxy_cache:10m inactive=60m;

server {
    listen 3128;
    server_name proxy.example.com;
    resolver 8.8.8.8 8.8.4.4;

    access_log /var/log/nginx/proxy.auth.access.log main;
    error_log /var/log/nginx/proxy.auth.error.log warn;

    # =============================================
    # Basic authentication
    # =============================================
    # Enable HTTP basic authentication
    auth_basic "Proxy Authentication";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd.proxy;

    # =============================================
    # Proxy configuration
    # =============================================
    location / {
        # Authentication check: auth_basic above rejects unauthenticated
        # requests with 401 and the WWW-Authenticate challenge

        # Proxy target address
        proxy_pass http://$http_host$request_uri;

        # Proxy request headers
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Add the user name to the proxy headers
        # (on a forward proxy this header is sent to every destination site)
        proxy_set_header X-Proxy-User $remote_user;

        # Proxy timeouts
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Proxy buffers
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;

        # Proxy cache
        proxy_cache proxy_cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_key $scheme$proxy_host$request_uri;

        # Cache status header
        add_header X-Proxy-Cache $upstream_cache_status;

        # Access log that records the user
        # (the main format from the default nginx.conf includes $remote_user)
        access_log /var/log/nginx/proxy.auth.access.log main;
    }

    # =============================================
    # Access control
    # =============================================
    # Allow specific networks
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
}
2.2 HTTPS forward proxy configuration
Basic HTTPS forward proxy
Configuration file: /usr/local/nginx/conf/conf.d/forward-proxy-https.conf
# =============================================
# HTTPS forward proxy configuration
# Listening port: 3129
# Note: requires the ngx_http_proxy_connect_module module
# =============================================
server {
    # HTTPS proxy listening port
    listen 3129;

    # Server name
    server_name proxy.example.com;

    # DNS resolver
    resolver 8.8.8.8 8.8.4.4 114.114.114.114;
    resolver_timeout 30s;

    # Access log
    access_log /var/log/nginx/proxy.https.access.log main;

    # Error log
    error_log /var/log/nginx/proxy.https.error.log warn;

    # =============================================
    # CONNECT method handling (HTTPS handshake)
    # =============================================
    # A CONNECT request carries host:port instead of a URI path, so it never
    # matches a location; the module's directives are set at server level.
    # The tunnel is opaque TCP, so proxy_set_header and proxy_ssl_* do not apply to it.
    # By default the module only allows CONNECT to ports 443 and 563.
    proxy_connect;
    proxy_connect_connect_timeout 30s;
    # Newer releases of the module replace these two with proxy_connect_data_timeout
    proxy_connect_read_timeout 60s;
    proxy_connect_send_timeout 60s;

    # =============================================
    # HTTPS proxy configuration (non-CONNECT requests)
    # =============================================
    location / {
        # HTTPS proxying needs special handling
        proxy_pass https://$http_host$request_uri;

        # SSL settings
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
        proxy_ssl_session_reuse on;
        # Only consulted when proxy_ssl_verify is on (it is off by default)
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Proxy request headers
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Proxy timeouts
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Proxy buffers
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;

        # Proxy temporary file path
        proxy_temp_path /usr/local/nginx/proxy_temp;

        # Disable caching (HTTPS is usually not cached)
        proxy_cache off;
    }

    # =============================================
    # Access control
    # =============================================
    # Restrict client IPs
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;

    # =============================================
    # Error handling
    # =============================================
    # SSL connection errors
    error_page 497 495 496 /proxy_ssl_error.html;
    location = /proxy_ssl_error.html {
        root /usr/local/nginx/html;
        internal;
    }

    # Proxy connection errors
    error_page 502 503 504 /proxy_error.html;
    location = /proxy_error.html {
        root /usr/local/nginx/html;
        internal;
    }
}
HTTPS forward proxy with caching
# =============================================
# HTTPS forward proxy configuration with caching
# =============================================

# =============================================
# Cache configuration
# =============================================
# HTTPS proxy cache path (proxy_cache_path is only valid in the http context)
proxy_cache_path /usr/local/nginx/proxy_https_cache levels=1:2 keys_zone=proxy_https_cache:20m inactive=120m use_temp_path=off;

server {
    listen 3129;
    server_name proxy.example.com;
    resolver 8.8.8.8 8.8.4.4;
    resolver_timeout 30s;

    access_log /var/log/nginx/proxy.https.cache.access.log main;
    error_log /var/log/nginx/proxy.https.cache.error.log warn;

    # =============================================
    # Proxy configuration
    # =============================================
    location / {
        # HTTPS proxy
        proxy_pass https://$http_host$request_uri;

        # SSL settings
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
        proxy_ssl_session_reuse on;
        # Only consulted when proxy_ssl_verify is on (it is off by default)
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Proxy request headers
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffers
        proxy_buffering on;
        proxy_buffer_size 8k;
        proxy_buffers 8 8k;
        proxy_busy_buffers_size 16k;

        # Enable the cache
        proxy_cache proxy_https_cache;

        # Cache condition: only cache successful responses
        proxy_cache_valid 200 302 30m;
        proxy_cache_valid 301 1h;
        proxy_cache_valid 404 1m;
        proxy_cache_valid 500 502 503 504 0s;

        # Cache key
        proxy_cache_key $scheme$proxy_host$request_uri;

        # Cache control
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;

        # Cache status header
        add_header X-Proxy-Cache $upstream_cache_status;

        # Conditions for bypassing the cache
        proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;
        proxy_no_cache $cookie_nocache $arg_nocache $arg_comment;
    }

    # =============================================
    # Caching for special resources
    # =============================================
    # Static resource caching
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|eot)$ {
        proxy_pass https://$http_host$request_uri;

        # SSL settings
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Proxy request headers
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Static resources are cached for longer
        proxy_cache proxy_https_cache;
        proxy_cache_valid 200 302 24h;
        proxy_cache_valid 404 1m;
        proxy_cache_key $scheme$proxy_host$request_uri;

        # Cache status header
        add_header X-Proxy-Cache $upstream_cache_status;

        # Browser cache control
        add_header Cache-Control "public, max-age=86400";

        # Turn off the access log
        access_log off;
    }

    # =============================================
    # Access control
    # =============================================
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
}
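2.3 Forward proxy client configuration
Windows client configuration
Internet Explorer/Edge:
- Open IE settings → Internet Options
- Select the "Connections" tab
- Click "LAN settings"
- Check "Use a proxy server for your LAN"
- Enter the proxy server address and port
- Click "OK" to save
Chrome:
- Open Settings → Advanced → System
- Click "Open your computer's proxy settings"
- Configure the proxy server address and port
Firefox:
- Open Settings → General → Network Settings
- Select "Manual proxy configuration"
- Enter the HTTP proxy and the HTTPS proxy
- Check "Also use this proxy for HTTPS"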
Linux client configuration
Using environment variables:
# Set the HTTP proxy
export http_proxy="http://proxy.example.com:3128"
export https_proxy="http://proxy.example.com:3129"

# Set the FTP proxy
export ftp_proxy="http://proxy.example.com:3128"

# Addresses that should not go through the proxy
export no_proxy="localhost,127.0.0.1,*.local"

# Make it permanent (add to ~/.bashrc or /etc/profile)
echo 'export http_proxy="http://proxy.example.com:3128"' >> ~/.bashrc
echo 'export https_proxy="http://proxy.example.com:3129"' >> ~/.bashrc
source ~/.bashrc
APT/YUM package manager configuration:
# APT proxy configuration (Ubuntu/Debian)
cat > /etc/apt/apt.conf.d/01proxy << EOF
Acquire::http::Proxy "http://proxy.example.com:3128";
Acquire::https::Proxy "http://proxy.example.com:3129";
EOF

# YUM proxy configuration (CentOS/RHEL)
# Add the proxy line under the existing [main] section; overwriting
# /etc/yum.conf would discard its other settings, such as gpgcheck
sed -i '/^\[main\]/a proxy=http://proxy.example.com:3128' /etc/yum.conf
macOS client configuration
System proxy settings:
- Open System Preferences → Network
- Select the current network connection → Advanced
- Select the "Proxies" tab
- Configure the HTTP and HTTPS proxies
- Click "OK" to save
Command-line configuration:
# Set the network proxy
networksetup -setwebproxy Wi-Fi proxy.example.com 3128
networksetup -setsecurewebproxy Wi-Fi proxy.example.com 3129

# Set proxy authentication
networksetup -setwebproxy Wi-Fi proxy.example.com 3128 on username password
networksetup -setsecurewebproxy Wi-Fi proxy.example.com 3129 on username password
III. Reverse Proxy Configuration
3.1 Basic reverse proxy configuration
Reverse proxy for a single backend server
Configuration file: /usr/local/nginx/conf/conf.d/reverse-proxy-basic.conf
# =============================================
# Basic reverse proxy configuration
# Listening port: 80
# Backend server: 127.0.0.1:8080
# =============================================
server {
    # Listening port
    listen 80;

    # Server name
    server_name web.example.com;

    # Site root directory (optional)
    root /usr/local/nginx/html/web.example.com;

    # Default index files
    index index.html index.htm;

    # Character set
    charset utf-8;

    # Access log
    access_log /var/log/nginx/web.example.com.access.log main;

    # Error log
    error_log /var/log/nginx/web.example.com.error.log warn;

    # =============================================
    # Reverse proxy configuration
    # =============================================
    location / {
        # Backend server address
        proxy_pass http://127.0.0.1:8080;

        # Proxy request headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # Connection timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Proxy buffers
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;

        # Proxy temporary file path
        proxy_temp_path /usr/local/nginx/proxy_temp;

        # Proxy redirect handling
        proxy_redirect off;

        # Cookie settings
        proxy_cookie_domain off;
        proxy_cookie_path off;

        # HTTP version
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Client request body size
        client_max_body_size 50m;
        client_body_buffer_size 128k;
    }

    # =============================================
    # Static files
    # =============================================
    # Static files are served directly by Nginx
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|eot|svg)$ {
        # Try the local file
        try_files $uri =404;

        # Cache headers
        expires 7d;
        add_header Cache-Control "public, no-transform";

        # Turn off the access log
        access_log off;
    }

    # =============================================
    # Health check
    # =============================================
    # Health check endpoint
    location /health {
        access_log off;
        default_type text/plain;
        return 200 "healthy\n";
    }

    # =============================================
    # Error handling
    # =============================================
    # Error pages
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/nginx/html;
    }
}
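The reverse proxy above sends `X-Forwarded-For $proxy_add_x_forwarded_for`, which appends `$remote_addr` to whatever `X-Forwarded-For` value the client supplied, so a backend that trusts the leftmost entry trusts client-controlled data. The following is an added example, not part of the original article: it models the header nginx builds and derives the client address by walking the list from the right. The trusted proxy networks and the sample addresses are constructed assumptions.

```python
import ipaddress

# Assumption: requests reach the backend only through nginx hosts in these networks.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Value nginx sends upstream for $proxy_add_x_forwarded_for."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def _parse(addr):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None  # not an IP address at all


def _trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(xff):
    """What many applications do: take the leftmost entry."""
    return xff.split(",")[0].strip()


def client_ip(xff, peer_addr):
    """Return the first address, walking right to left, that is not one of our proxies.

    peer_addr is the socket peer seen by the backend. Entries to the left of the
    first untrusted or unparsable hop were written by the client and are ignored.
    """
    if not _trusted(_parse(peer_addr)):
        return peer_addr  # did not arrive through our proxy: ignore the header
    candidate = peer_addr
    for hop in reversed(xff.split(",")):
        ip = _parse(hop)
        if ip is None:
            break  # garbage entry: stop at the last address we could verify
        candidate = str(ip)
        if not _trusted(ip):
            break  # first hop outside our own infrastructure
    return candidate


if __name__ == "__main__":
    # Constructed case: the client at 203.0.113.7 sends its own X-Forwarded-For value.
    header = proxy_add_x_forwarded_for("10.9.9.9", "203.0.113.7")
    print(header)
    print(naive_client_ip(header), client_ip(header, "192.168.1.5"))
```

Inside nginx itself the same right-to-left logic is provided by ngx_http_realip_module (`set_real_ip_from`, `real_ip_header`, `real_ip_recursive on`).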
Reverse proxy for multiple backend servers
Configuration file: /usr/local/nginx/conf/conf.d/reverse-proxy-multiple.conf
# =============================================
# Reverse proxy configuration for multiple backend servers
# Listening port: 80
# Backend server group: backend_servers
# =============================================

# Define the backend server group
upstream backend_servers {
    # Backend server list
    server 192.168.1.10:8080 weight=5 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 weight=3 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:8080 weight=2 max_fails=3 fail_timeout=30s backup;

    # Load balancing method
    # least_conn; # least connections
    # ip_hash;    # IP hash

    # Keepalive settings
    keepalive 32;
    keepalive_timeout 30s;
    keepalive_requests 1000;
}

# Proxy cache path (proxy_cache_path is only valid in the http context)
proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=api_cache:10m inactive=60m;

server {
    listen 80;
    server_name api.example.com;

    access_log /var/log/nginx/api.example.com.access.log main;
    error_log /var/log/nginx/api.example.com.error.log warn;

    # =============================================
    # Reverse proxy configuration
    # =============================================
    location / {
        # Proxy to the backend server group
        proxy_pass http://backend_servers;

        # Proxy request headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # Connection settings
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffers
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;

        # Redirect handling
        proxy_redirect off;

        # Cookie settings
        proxy_cookie_domain off;
        proxy_cookie_path off;

        # Request body size
        client_max_body_size 100m;
        client_body_buffer_size 128k;

        # Proxy cache
        proxy_cache api_cache;
        proxy_cache_valid 200 302 5m;
        proxy_cache_valid 404 1m;
        proxy_cache_key $scheme$request_method$host$request_uri;

        # Cache control
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;

        # Cache status header
        add_header X-Proxy-Cache $upstream_cache_status;

        # Bypass the cache
        proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;
        proxy_no_cache $cookie_nocache $arg_nocache $arg_comment;
    }

    # =============================================
    # API paths
    # =============================================
    # API v1 path
    location /api/v1/ {
        proxy_pass http://backend_servers;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # API-specific settings
        proxy_connect_timeout 30s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;

        # API cache
        proxy_cache api_cache;
        proxy_cache_valid 200 302 1m;
        proxy_cache_key $scheme$request_method$host$request_uri;

        # CORS settings
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;

        # Handle OPTIONS requests
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 204;
        }
    }

    # =============================================
    # Static resources
    # =============================================
    location ~* \.(css|js|jpg|jpeg|png|gif|ico|woff|woff2|ttf|eot|svg)$ {
        # Try the local file
        try_files $uri =404;

        # Cache settings
        expires 30d;
        add_header Cache-Control "public, no-transform";

        # Turn off the log
        access_log off;
    }

    # =============================================
    # Health check
    # =============================================
    location /health {
        access_log off;
        proxy_pass http://backend_servers/health;
        proxy_connect_timeout 5s;
        proxy_read_timeout 5s;
    }
}
3.2 Reverse proxy with load balancing
Round-robin load balancing
# =============================================
# Round-robin load balancing configuration
# =============================================

# Define the backend server group (round-robin)
upstream backend_round_robin {
    # Round-robin (the default)
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
    server 192.168.1.12:8080;

    # Keepalive settings
    keepalive 32;
    keepalive_timeout 30s;
    keepalive_requests 1000;
}

server {
    listen 80;
    server_name lb.example.com;

    access_log /var/log/nginx/lb.example.com.access.log main;
    error_log /var/log/nginx/lb.example.com.error.log warn;

    location / {
        proxy_pass http://backend_round_robin;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;
    }
}
Weighted round-robin load balancing
# =============================================
# Weighted round-robin load balancing configuration
# =============================================

# Define the backend server group (weighted round-robin)
upstream backend_weighted {
    # Weight assignment: the larger the value, the more requests the server receives.
    # The health-check parameters (max_fails, fail_timeout) go on the same server line;
    # a second server line for the same address would add another peer with weight 1.
    server 192.168.1.10:8080 weight=5 max_fails=3 fail_timeout=30s; # 50% of requests
    server 192.168.1.11:8080 weight=3 max_fails=3 fail_timeout=30s; # 30% of requests
    server 192.168.1.12:8080 weight=2 max_fails=3 fail_timeout=30s; # 20% of requests

    # Keepalive
    keepalive 32;
    keepalive_timeout 30s;
    keepalive_requests 1000;
}

server {
    listen 80;
    server_name weighted.example.com;

    access_log /var/log/nginx/weighted.example.com.access.log main;
    error_log /var/log/nginx/weighted.example.com.error.log warn;

    location / {
        proxy_pass http://backend_weighted;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Expose load-balancing information in response headers
        # (this shows backend addresses to clients; keep it for debugging)
        add_header X-Upstream-Addr $upstream_addr;
        add_header X-Upstream-Response-Time $upstream_response_time;
    }
}
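How the weights 5/3/2 turn into a 50/30/20 split, as an added example that is not part of the original article: a small model of the smooth weighted round-robin selection nginx uses for the default balancing method. It also shows what happens to the split when each backend is listed on two `server` lines (one carrying `weight=`, one carrying only `max_fails=`/`fail_timeout=`), since every `server` line is a separate peer with a default weight of 1. Function names are illustrative.

```python
from collections import Counter


def smooth_wrr(peers, requests):
    """Pick a peer per request with smooth weighted round-robin.

    peers: list of (address, weight), one entry per `server` line.
    """
    current = [0] * len(peers)
    total = sum(weight for _addr, weight in peers)
    picks = []
    for _ in range(requests):
        best = 0
        for i, (_addr, weight) in enumerate(peers):
            current[i] += weight           # every peer gains its own weight
            if current[i] > current[best]:
                best = i                   # ties go to the earlier server line
        current[best] -= total             # the winner pays back the total weight
        picks.append(peers[best][0])
    return picks


def shares(peers):
    """Requests per backend address over one full cycle (sum of all weights)."""
    cycle = sum(weight for _addr, weight in peers)
    return dict(Counter(smooth_wrr(peers, cycle)))


# One server line per backend, weight and health-check parameters together.
MERGED = [("192.168.1.10", 5), ("192.168.1.11", 3), ("192.168.1.12", 2)]

# Each backend listed a second time without weight= (implicit weight 1).
SPLIT = MERGED + [("192.168.1.10", 1), ("192.168.1.11", 1), ("192.168.1.12", 1)]

if __name__ == "__main__":
    print(smooth_wrr(MERGED, 10))  # requests are interleaved, not sent in bursts
    print(shares(MERGED))          # 5 / 3 / 2 out of 10
    print(shares(SPLIT))           # 6 / 4 / 3 out of 13
```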
IP hash load balancing
# =============================================
# IP hash load balancing configuration
# =============================================

# Define the backend server group (IP hash)
upstream backend_ip_hash {
    # IP hash: requests from the same client always go to the same server
    ip_hash;

    # Servers with their health-check parameters
    server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:8080 max_fails=3 fail_timeout=30s;

    # Keepalive
    keepalive 32;
    keepalive_timeout 30s;
    keepalive_requests 1000;
}

server {
    listen 80;
    server_name iphash.example.com;

    access_log /var/log/nginx/iphash.example.com.access.log main;
    error_log /var/log/nginx/iphash.example.com.error.log warn;

    location / {
        proxy_pass http://backend_ip_hash;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Add client hash information
        # (X-Upstream-Addr shows the backend address to clients; keep it for debugging)
        add_header X-Client-Hash $remote_addr;
        add_header X-Upstream-Addr $upstream_addr;
    }
}
Least-connections load balancing
# =============================================
# Least-connections load balancing configuration
# =============================================

# Define the backend server group (least connections)
upstream backend_least_conn {
    # Least connections: forward the request to the server with the fewest connections
    least_conn;

    # Servers with their health-check parameters
    server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:8080 max_fails=3 fail_timeout=30s;

    # Keepalive
    keepalive 32;
    keepalive_timeout 30s;
    keepalive_requests 1000;
}

server {
    listen 80;
    server_name leastconn.example.com;

    access_log /var/log/nginx/leastconn.example.com.access.log main;
    error_log /var/log/nginx/leastconn.example.com.error.log warn;

    location / {
        proxy_pass http://backend_least_conn;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Add upstream information
        # (this shows the backend address to clients; keep it for debugging)
        add_header X-Upstream-Addr $upstream_addr;
    }
}
3.3 Reverse proxy with caching
Basic cache configuration
# =============================================
# Reverse proxy configuration with caching
# =============================================

# Define the cache paths and parameters
proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=cache_zone:10m inactive=60m use_temp_path=off;
proxy_cache_path /usr/local/nginx/proxy_cache_api levels=1:2 keys_zone=api_cache:20m inactive=120m use_temp_path=off;

server {
    listen 80;
    server_name cache.example.com;

    access_log /var/log/nginx/cache.example.com.access.log main;
    error_log /var/log/nginx/cache.example.com.error.log warn;

    # =============================================
    # Basic cache configuration
    # =============================================
    location / {
        # Backend server
        proxy_pass http://127.0.0.1:8080;

        # Proxy request headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Cache settings
        proxy_cache cache_zone;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 301 1h;
        proxy_cache_valid 404 1m;
        proxy_cache_valid 500 502 503 504 0s;

        # Cache key
        proxy_cache_key $scheme$request_method$host$request_uri;

        # Cache control
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;

        # Cache status header
        add_header X-Proxy-Cache $upstream_cache_status;

        # Bypass the cache
        proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;
        proxy_no_cache $cookie_nocache $arg_nocache $arg_comment;
    }

    # =============================================
    # API cache configuration
    # =============================================
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Dedicated API cache
        proxy_cache api_cache;
        proxy_cache_valid 200 302 5m;
        proxy_cache_valid 404 1m;
        proxy_cache_key $scheme$request_method$host$request_uri;

        # API cache control
        proxy_cache_use_stale error timeout updating;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 3s;

        # CORS settings
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;

        # Cache status header
        add_header X-Proxy-Cache $upstream_cache_status;
    }

    # =============================================
    # Static resource caching
    # =============================================
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|eot|svg)$ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;

        # Static resource cache
        proxy_cache cache_zone;
        proxy_cache_valid 200 302 24h;
        proxy_cache_valid 404 1m;
        proxy_cache_key $scheme$request_method$host$request_uri;

        # Browser cache control
        expires 30d;
        add_header Cache-Control "public, no-transform";

        # Cache status header
        add_header X-Proxy-Cache $upstream_cache_status;

        # Turn off the access log
        access_log off;
    }

    # =============================================
    # Cache purge endpoint
    # (proxy_cache_purge in this form comes from the third-party ngx_cache_purge module)
    # =============================================
    # ^~ keeps the static-resource regex above from taking /purge/... requests
    location ^~ /purge/ {
        # Restrict client IPs
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;

        # Cache purge: the key must equal the proxy_cache_key of the cached entry,
        # so the /purge prefix is stripped and the purge request uses the cached method (GET)
        location ~ ^/purge/api(/.*)$ {
            proxy_cache_purge api_cache $scheme$request_method$host/api$1;
        }
        location ~ ^/purge(/.*)$ {
            proxy_cache_purge cache_zone $scheme$request_method$host$1;
        }
    }
}
Advanced cache configuration
# =============================================
# Advanced cache configuration
# =============================================

# Define several cache zones
proxy_cache_path /usr/local/nginx/proxy_cache_static levels=1:2 keys_zone=static_cache:50m inactive=24h use_temp_path=off;
proxy_cache_path /usr/local/nginx/proxy_cache_api levels=1:2 keys_zone=api_cache:100m inactive=2h use_temp_path=off;
proxy_cache_path /usr/local/nginx/proxy_cache_dynamic levels=1:2 keys_zone=dynamic_cache:200m inactive=1h use_temp_path=off;

# =============================================
# Cache condition variables
# (map is only valid in the http context, so the maps sit outside the server block)
# =============================================
map $request_method $no_cache_method {
    POST 1;
    PUT 1;
    DELETE 1;
    PATCH 1;
    default 0;
}

# Any non-empty user_token cookie disables caching
map $cookie_user_token $no_cache_auth {
    default 0;
    "~.+" 1;
}

map $arg_nocache $no_cache_arg {
    default 0;
    "1" 1;
    "true" 1;
}

server {
    listen 80;
    server_name advanced-cache.example.com;

    access_log /var/log/nginx/advanced-cache.example.com.access.log main;
    error_log /var/log/nginx/advanced-cache.example.com.error.log warn;

    # =============================================
    # Static resource caching
    # =============================================
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|eot|svg)$ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;

        # Static resource cache
        proxy_cache static_cache;
        proxy_cache_valid 200 302 7d;
        proxy_cache_valid 404 1h;
        proxy_cache_key $scheme$request_method$host$request_uri;

        # Cache control
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;

        # Browser cache
        expires 30d;
        add_header Cache-Control "public, no-transform";

        # Cache status
        add_header X-Proxy-Cache $upstream_cache_status;

        # Turn off the log
        access_log off;
    }

    # =============================================
    # API caching
    # =============================================
    location /api/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # API cache
        proxy_cache api_cache;
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_key $scheme$request_method$host$request_uri;

        # Cache control
        proxy_cache_use_stale error timeout updating;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 3s;

        # Conditional caching
        proxy_no_cache $no_cache_method $no_cache_auth $no_cache_arg;
        proxy_cache_bypass $no_cache_method $no_cache_auth $no_cache_arg;

        # CORS
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;

        # Cache status
        add_header X-Proxy-Cache $upstream_cache_status;
        add_header X-Cache-Condition "method=$no_cache_method,auth=$no_cache_auth,arg=$no_cache_arg";
    }

    # =============================================
    # Dynamic content caching
    # =============================================
    location /dynamic/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Dynamic content cache
        proxy_cache dynamic_cache;
        proxy_cache_valid 200 302 1m;
        proxy_cache_valid 404 30s;
        proxy_cache_key $scheme$request_method$host$request_uri;

        # Cache control
        proxy_cache_use_stale error timeout updating;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 2s;

        # Conditional caching (stricter)
        proxy_no_cache $no_cache_method $no_cache_auth $no_cache_arg;
        proxy_cache_bypass $no_cache_method $no_cache_auth $no_cache_arg;

        # Cache status
        add_header X-Proxy-Cache $upstream_cache_status;
    }

    # =============================================
    # Cache statistics endpoint
    # =============================================
    location /cache_status/ {
        # Restrict access
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;

        # Return cache statistics
        default_type application/json;
        return 200 '{"static_cache": {"size": "50MB","inactive": "24h"},"api_cache": {"size": "100MB","inactive": "2h"},"dynamic_cache": {"size": "200MB","inactive": "1h"}}';
    }

    # =============================================
    # Cache purge endpoint
    # (proxy_cache_purge in this form comes from the third-party ngx_cache_purge module)
    # =============================================
    # ^~ keeps the static-resource regex above from taking /purge/... requests
    location ^~ /purge/ {
        # Restrict access
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;

        # Purge by URL; the key must equal the proxy_cache_key of the cached entry,
        # so the /api/ and /dynamic/ prefixes are restored in the key
        location ~ ^/purge/static/(.*)$ {
            proxy_cache_purge static_cache $scheme$request_method$host/$1;
        }
        location ~ ^/purge/api/(.*)$ {
            proxy_cache_purge api_cache $scheme$request_method$host/api/$1;
        }
        location ~ ^/purge/dynamic/(.*)$ {
            proxy_cache_purge dynamic_cache $scheme$request_method$host/dynamic/$1;
        }

        # Paths that match none of the purge rules
        default_type text/plain;
        return 404 "No purge rule for this path\n";
    }
}
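The cache key used throughout section 3.3, `$scheme$request_method$host$request_uri`, contains nothing that identifies the user, so whether a per-user response is shared depends entirely on the `proxy_no_cache` / `proxy_cache_bypass` conditions. The following is an added example, not part of the original article: a small model of the two policies (the basic configuration's `$cookie_nocache $arg_nocache $arg_comment` and the advanced configuration's three maps) replaying two users fetching the same URL. It assumes the backend sends no `Set-Cookie` or `Cache-Control: private` header, which would otherwise stop nginx from caching the response; the `/api/profile` path and the user names are constructed.

```python
import re


def fires(*values):
    """proxy_no_cache / proxy_cache_bypass apply when any value is non-empty and not "0"."""
    return any(v not in ("", "0") for v in values)


def basic_skip(req):
    # Basic configuration: $cookie_nocache $arg_nocache $arg_comment
    return fires(req["cookies"].get("nocache", ""),
                 req["args"].get("nocache", ""),
                 req["args"].get("comment", ""))


def advanced_skip(req):
    # Advanced configuration: the three map blocks
    no_cache_method = "1" if req["method"] in ("POST", "PUT", "DELETE", "PATCH") else "0"
    no_cache_auth = "1" if re.search(r".+", req["cookies"].get("user_token", "")) else "0"
    no_cache_arg = "1" if req["args"].get("nocache", "") in ("1", "true") else "0"
    return fires(no_cache_method, no_cache_auth, no_cache_arg)


def backend(req):
    """Constructed backend: the body depends on who is logged in."""
    return "profile of " + req["cookies"].get("user_token", "anonymous")


class CachingProxy:
    def __init__(self, skip):
        self.skip = skip      # same condition for no_cache and bypass, as in the configs
        self.store = {}

    def handle(self, req):
        key = req["scheme"] + req["method"] + req["host"] + req["uri"]
        if self.skip(req):
            return "BYPASS", backend(req)   # neither read from nor written to the cache
        if key in self.store:
            return "HIT", self.store[key]
        self.store[key] = backend(req)
        return "MISS", self.store[key]


def request(token):
    return {"scheme": "http", "method": "GET", "host": "cache.example.com",
            "uri": "/api/profile", "args": {}, "cookies": {"user_token": token}}


def replay(skip):
    """alice, then bob, request the same URL through one proxy instance."""
    proxy = CachingProxy(skip)
    return [proxy.handle(request(token)) for token in ("alice", "bob")]


if __name__ == "__main__":
    print(replay(basic_skip))     # bob is served alice's cached body
    print(replay(advanced_skip))  # both requests go to the backend
```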
IV. Advanced Proxy Configuration
4.1 SSL/TLS termination
HTTPS reverse proxy configuration
# =============================================
# HTTPS reverse proxy configuration (SSL termination)
# =============================================
server {
    # Listen on port 443 (HTTPS)
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Server name
    server_name secure.example.com;

    # SSL certificate
    ssl_certificate /usr/local/nginx/conf/ssl/secure.example.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/secure.example.com.key;

    # SSL protocols and cipher suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;

    # SSL session settings
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets on;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/chain.pem;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    access_log /var/log/nginx/secure.example.com.access.log main;
    error_log /var/log/nginx/secure.example.com.error.log warn;

    # =============================================
    # Reverse proxy configuration
    # =============================================
    location / {
        # Backend server (HTTP)
        proxy_pass http://127.0.0.1:8080;

        # Proxy request headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-SSL $ssl_protocol;
        proxy_set_header X-Forwarded-SSL-Cipher $ssl_cipher;

        # Connection settings
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffers
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;

        # HTTPS parameters
        proxy_set_header HTTPS on;
        proxy_set_header HTTP_SCHEME https;
    }

    # =============================================
    # WebSocket proxy
    # =============================================
    location /ws/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

# =============================================
# Redirect HTTP to HTTPS
# =============================================
server {
    listen 80;
    listen [::]:80;
    server_name secure.example.com;

    # Redirect to HTTPS
    return 301 https://$server_name$request_uri;
}
4.2 WebSocket Proxying
# =============================================
# WebSocket proxy configuration
# =============================================
server {
    listen 80;
    server_name ws.example.com;

    access_log /var/log/nginx/ws.example.com.access.log main;
    error_log /var/log/nginx/ws.example.com.error.log warn;

    # =============================================
    # WebSocket proxy configuration
    # =============================================
    location /ws/ {
        # WebSocket backend server
        proxy_pass http://127.0.0.1:8080;

        # Headers required for WebSocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;

        # Other proxy headers
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffering (WebSocket traffic is normally not buffered)
        proxy_buffering off;

        # Heartbeat: an idle connection is closed after proxy_read_timeout,
        # so the application should send pings more often than that.
        # Do not reset Connection to "" here; the Upgrade value above is required.
    }

    # =============================================
    # WebSocket with authentication
    # =============================================
    location /ws-auth/ {
        # Basic authentication (credentials travel in cleartext on this
        # port-80 server; serve this location over TLS)
        auth_basic "WebSocket Authentication";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd.ws;

        # WebSocket proxy
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass the authenticated user name to the backend
        proxy_set_header X-WS-User $remote_user;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering off;
    }

    # =============================================
    # WebSocket load balancing
    # =============================================
    location /ws-lb/ {
        # WebSocket backend server group (defined below)
        proxy_pass http://websocket_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Load-balancing settings
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering off;
    }
}

# =============================================
# WebSocket backend server group
# =============================================
upstream websocket_backend {
    # IP hash keeps a given client on the same server
    ip_hash;

    # Backend servers with passive health-check parameters
    server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:8080 max_fails=3 fail_timeout=30s;

    # Keepalive connections
    keepalive 32;
    keepalive_timeout 30s;
    keepalive_requests 1000;
}
4.3 Proxy Health Checks
Passive health checks
# =============================================
# Passive health check configuration
# =============================================
upstream backend_health_check {
    # Backend servers
    server 192.168.1.10:8080 weight=5 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 weight=3 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:8080 weight=2 max_fails=3 fail_timeout=30s backup;

    # Load-balancing method
    least_conn;

    # Keepalive connections
    keepalive 32;
    keepalive_timeout 30s;
    keepalive_requests 1000;
}

server {
    listen 80;
    server_name health.example.com;

    access_log /var/log/nginx/health.example.com.access.log main;
    error_log /var/log/nginx/health.example.com.error.log warn;

    location / {
        proxy_pass http://backend_health_check;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Health-check information (debugging aid: these response headers
        # reveal backend addresses to every client)
        add_header X-Upstream-Status $upstream_status;
        add_header X-Upstream-Response-Time $upstream_response_time;
        add_header X-Upstream-Addr $upstream_addr;
    }

    # =============================================
    # Health check endpoint
    # =============================================
    location /health {
        # Restrict access
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;

        # Return the health status. This is a static document: it shows that
        # nginx is answering, not the live state of each backend.
        default_type application/json;
        return 200 '{"status": "healthy","upstream": "backend_health_check","servers": [{"addr": "192.168.1.10:8080", "status": "up"},{"addr": "192.168.1.11:8080", "status": "up"},{"addr": "192.168.1.12:8080", "status": "backup"}]}';
    }
}
Active health checks (require NGINX Plus or a third-party module)
# =============================================
# Active health check configuration (requires NGINX Plus)
# =============================================
upstream backend_active_health {
    zone backend_active_health 64k;

    server 192.168.1.10:8080 slow_start=30s;
    server 192.168.1.11:8080 slow_start=30s;
    server 192.168.1.12:8080 slow_start=30s backup;

    # Load balancing
    least_conn;

    # Keepalive connections
    keepalive 32;
    keepalive_timeout 30s;
    keepalive_requests 1000;
}

server {
    listen 80;
    server_name active-health.example.com;

    access_log /var/log/nginx/active-health.example.com.access.log main;
    error_log /var/log/nginx/active-health.example.com.error.log warn;

    location / {
        proxy_pass http://backend_active_health;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Active health check. In NGINX Plus the directive belongs in the
        # location that proxies to the upstream, and the upstream needs a
        # shared-memory zone (declared above).
        health_check interval=10s fails=3 passes=2 uri=/health port=8080;

        # Health status information
        add_header X-Upstream-Status $upstream_status;
        add_header X-Upstream-Response-Time $upstream_response_time;
        add_header X-Upstream-Addr $upstream_addr;
    }

    # =============================================
    # Health status monitoring
    # =============================================
    location /upstream_status {
        # Restrict access
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;

        # Show upstream server status.
        # `upstream_status` is kept as written in this article; it is not a
        # directive of open-source nginx. NGINX Plus exposes upstream state
        # through the `api` directive, and the third-party
        # nginx_upstream_check_module uses `check_status`.
        upstream_status;
        default_type text/plain;
    }
}
5. Common Proxy Configuration Problems and Solutions
5.1 Proxy connection timeouts
Symptom:
2024/01/15 10:30:15 [error] 12345#0: *12345 upstream timed out (110: Connection timed out) while connecting to upstream
Solution:
# Adjust the proxy timeouts
location / {
    proxy_pass http://backend;
    proxy_set_header Host $host;

    # Raise the timeouts
    proxy_connect_timeout 120s;
    proxy_send_timeout 120s;
    proxy_read_timeout 120s;

    # Enable proxy buffering
    proxy_buffering on;
    proxy_buffer_size 8k;
    proxy_buffers 8 8k;
    proxy_busy_buffers_size 16k;
}
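5.2 Proxy cache problems
Symptoms:
- The cache does not take effect
- Cached content is stale
- Cache purging fails
Solution:
# Check the cache configuration (proxy_cache_path belongs in the http context)
proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=cache_zone:10m inactive=60m;

location / {
    proxy_pass http://backend;
    proxy_set_header Host $host;

    # Make sure caching is enabled
    proxy_cache cache_zone;
    proxy_cache_valid 200 302 10m;
    proxy_cache_key $scheme$request_method$host$request_uri;

    # Add a cache status header
    add_header X-Proxy-Cache $upstream_cache_status;

    # Conditions under which the cache is bypassed or not written
    proxy_cache_bypass $cookie_nocache $arg_nocache;
    proxy_no_cache $cookie_nocache $arg_nocache;
}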
5.3 SSL proxy problems
Symptom:
2024/01/15 10:30:15 [error] 12345#0: *12345 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure)
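Solution:
# Adjust the SSL settings used towards the backend
location / {
    proxy_pass https://backend;
    proxy_set_header Host $host;

    # SSL settings
    proxy_ssl_server_name on;
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;
    proxy_ssl_session_reuse on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    # Without this, the trusted certificate file above is never consulted
    proxy_ssl_verify on;

    # Timeout: ngx_http_proxy_module has no proxy_ssl_timeout directive;
    # connection establishment to the upstream is bounded by proxy_connect_timeout
    proxy_connect_timeout 60s;
}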
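A small triage script for the error-log signatures shown in 5.1 and 5.3, added here as an example (it is not part of the original article): it groups upstream failures by category and backend and names the directives from this page to review first. The log lines are constructed in nginx error_log format, and the `triage`/`report` names and the separate read-timeout category are this example's own.

```python
import re
from collections import Counter

# Constructed sample in nginx error_log format; addresses and hosts are made up.
SAMPLE_LOG = """\
2024/01/15 10:30:15 [error] 12345#0: *101 upstream timed out (110: Connection timed out) while connecting to upstream, client: 192.0.2.10, server: health.example.com, request: "GET / HTTP/1.1", upstream: "http://192.168.1.10:8080/", host: "health.example.com"
2024/01/15 10:30:16 [error] 12345#0: *102 upstream timed out (110: Connection timed out) while connecting to upstream, client: 192.0.2.11, server: health.example.com, request: "GET /a HTTP/1.1", upstream: "http://192.168.1.10:8080/a", host: "health.example.com"
2024/01/15 10:30:20 [error] 12345#0: *103 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.10, server: health.example.com, request: "GET /slow HTTP/1.1", upstream: "http://192.168.1.11:8080/slow", host: "health.example.com"
2024/01/15 10:31:02 [error] 12345#0: *104 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 192.0.2.12, server: secure.example.com, request: "GET / HTTP/1.1", upstream: "https://192.168.1.12:8443/", host: "secure.example.com"
2024/01/15 10:31:05 [notice] 12345#0: signal process started
"""

# Message signature -> (category, directives from this page to review first)
SIGNATURES = [
    (re.compile(r"upstream timed out .*while connecting to upstream"),
     "connect_timeout", "proxy_connect_timeout, backend reachability"),
    (re.compile(r"upstream timed out .*while reading"),
     "read_timeout", "proxy_read_timeout, backend latency"),
    (re.compile(r"SSL_do_handshake\(\) failed"),
     "tls_handshake", "proxy_ssl_protocols, proxy_ssl_ciphers, proxy_ssl_server_name"),
]
UPSTREAM_RE = re.compile(r'upstream: "(\w+)://([^/"]+)')


def triage(log_text):
    """Count upstream failures per (category, backend host:port)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "[error]" not in line:
            continue
        for pattern, category, _hint in SIGNATURES:
            if pattern.search(line):
                m = UPSTREAM_RE.search(line)
                backend = m.group(2) if m else "unknown"
                counts[(category, backend)] += 1
                break
    return counts


def report(counts):
    hints = {category: hint for _p, category, hint in SIGNATURES}
    return [f"{n:>3}  {cat:<16} {backend:<20} check: {hints[cat]}"
            for (cat, backend), n in counts.most_common()]


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

A backend that dominates one category points at that host rather than at the proxy settings, so compare the per-backend counts before raising timeouts globally.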
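5.4 WebSocket proxy problems
Symptoms:
- WebSocket connections fail
- Connections drop frequently
Solution:
# WebSocket proxy configuration
location /ws/ {
    proxy_pass http://backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;

    # Disable buffering
    proxy_buffering off;

    # Adjust the timeouts
    proxy_connect_timeout 120s;
    proxy_send_timeout 120s;
    proxy_read_timeout 120s;

    # Heartbeat: an idle connection is closed after proxy_read_timeout,
    # so the application should send pings more often than that.
    # Do not reset Connection to "" here; the Upgrade value above is required.
}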
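Performance recommendations:
- Enable keepalive to reduce connection overhead
- Configure the cache policy sensibly
- Use load balancing to spread requests
- Enable compression to reduce the amount of data transferred
- Monitor proxy performance metrics
Security recommendations:
- Restrict who may access the proxy
- Enable SSL/TLS encryption
- Configure appropriate security headers
- Renew SSL certificates regularly
- Monitor for abnormal access behaviour
Nginx's proxy features are an indispensable part of modern network architecture. After working through this article, you should be able to configure and manage Nginx proxy servers confidently and have a solid foundation for building high-performance, highly available network services.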