反向代理/负载均衡
协作服务器本地可以部署在您选择的反向代理或负载均衡器之后。若要通过 TLS 协议保护与服务器的通信，或应对大规模环境，就必须使用反向代理或负载均衡器。此外，使用反向代理处理应用程序服务器的流量也是一种良好实践：除了在应用程序的多个实例之间分配负载外，还可以借助 WAF 保护连接或防止 DDoS 攻击。
# 要求
WebSocket 协议处理用户与协作服务器本地之间的大部分通信。所选的反向代理或负载均衡器必须支持 WebSocket 协议。
`X-Forwarded-Proto` 和 `Host` 标头需要从反向代理传递到协作服务器本地。生成上传图像的 URL 以及确保管理面板正常工作都依赖这些标头。
如果您的反向代理不支持这些标头，可以使用 `APPLICATION_EXTERNAL_ENDPOINT` 变量覆盖外部端点，以修复错误的 URL。
# NGINX
# 基本配置
server {
    # Plain-HTTP listener: traffic between clients and this proxy is not
    # encrypted in this basic example.
    server_name your.domain.name;
    listen 80;

    location / {
        # WebSocket upgrades need HTTP/1.1 towards the backend, and the
        # hop-by-hop Upgrade/Connection headers must be re-sent explicitly.
        proxy_http_version 1.1;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Upgrade $http_upgrade;

        # The backend builds URLs from these two headers. proxy_set_header
        # replaces whatever X-Forwarded-Proto value the client sent.
        # NOTE(review): $host can reflect the client-supplied Host header; if
        # this is the default server for the port, add a catch-all server that
        # rejects unknown host names - confirm against your deployment.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        proxy_pass http://127.0.0.1:8000;
    }
}
# 处理多个实例
# Pool of application instances; equal weights, so requests are spread evenly.
upstream ckeditor-cs {
    server ckeditor-cs-1.example.com:8000 weight=1;
    server ckeditor-cs-2.example.com:8000 weight=1;
    server ckeditor-cs-3.example.com:8000 weight=1;
}

server {
    # Plain-HTTP listener: traffic between clients and this proxy is not
    # encrypted in this example.
    server_name your.domain.name;
    listen 80;

    location / {
        # WebSocket upgrades need HTTP/1.1 towards the backend, and the
        # hop-by-hop Upgrade/Connection headers must be re-sent explicitly.
        proxy_http_version 1.1;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Upgrade $http_upgrade;

        # The backend builds URLs from these two headers. proxy_set_header
        # replaces whatever X-Forwarded-Proto value the client sent.
        # NOTE(review): $host can reflect the client-supplied Host header; if
        # this is the default server for the port, add a catch-all server that
        # rejects unknown host names - confirm against your deployment.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        # Forward to the upstream group defined above instead of one address.
        proxy_pass http://ckeditor-cs;
    }
}
# 使用 TLS 加密连接
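server {
    server_name your.domain.name;
    listen 80;

    # Redirect every plain-HTTP request to HTTPS. The target is built from
    # $server_name (the name configured above) rather than $host, so a request
    # carrying an unexpected Host header cannot steer the redirect to another
    # host name.
    return 301 https://$server_name$request_uri;
}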
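server {
    server_name your.domain.name;

    # TLS is enabled with the "ssl" parameter of listen. The standalone
    # "ssl on;" directive is deprecated since nginx 1.15.0 and was removed in
    # later releases, where it makes the configuration fail to load.
    listen 443 ssl;

    # Certificate and private key. Keep the key file readable only by the
    # account that starts nginx.
    ssl_certificate /etc/ssl/your_cert.crt;
    ssl_certificate_key /etc/ssl/your_cert_key.key;

    # Pin the protocol versions explicitly: older nginx releases still enable
    # TLS 1.0/1.1 by default.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # WebSocket upgrades need HTTP/1.1 towards the backend, and the
        # hop-by-hop Upgrade/Connection headers must be re-sent explicitly.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        # The backend builds URLs from these two headers; $scheme is "https"
        # here, and proxy_set_header replaces any client-sent value.
        # NOTE(review): $host can reflect the client-supplied Host header; if
        # this is the default server for the port, add a catch-all server that
        # rejects unknown host names - confirm against your deployment.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # TLS ends at the proxy; the hop to the local backend is plain HTTP.
        proxy_pass http://127.0.0.1:8000;
    }
}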
# HAProxy
# 基本配置
# Process-wide settings.
global
    # Run HAProxy in the background.
    daemon

# Defaults inherited by the frontend and backend below.
defaults
    # Layer-7 (HTTP) proxying.
    mode http
    timeout connect 5s
    # NOTE(review): no "timeout tunnel" is set, so these two timeouts
    # presumably also bound idle upgraded WebSocket connections - confirm that
    # 120s fits the application's keep-alive behaviour.
    timeout client 120s
    timeout server 120s

frontend http-in
    # Plain-HTTP listener on all addresses: client traffic is not encrypted in
    # this basic example.
    bind *:80
    # set-header replaces any X-Forwarded-Proto value sent by the client, so
    # the backend only sees the value chosen here.
    http-request set-header X-Forwarded-Proto http
    default_backend servers

backend servers
    # Single local instance; "check" enables health checks for it.
    server server1 127.0.0.1:8000 check
# 处理多个实例
# Process-wide settings.
global
    # Run HAProxy in the background.
    daemon

# Defaults inherited by the frontend and backend below.
defaults
    # Layer-7 (HTTP) proxying.
    mode http
    timeout connect 5s
    # NOTE(review): no "timeout tunnel" is set, so these two timeouts
    # presumably also bound idle upgraded WebSocket connections - confirm that
    # 120s fits the application's keep-alive behaviour.
    timeout client 120s
    timeout server 120s

frontend http-in
    # Plain-HTTP listener on all addresses: client traffic is not encrypted in
    # this example.
    bind *:80
    # set-header replaces any X-Forwarded-Proto value sent by the client, so
    # the backend only sees the value chosen here.
    http-request set-header X-Forwarded-Proto http
    default_backend servers

backend servers
    # Health checks send an HTTP request instead of only opening a TCP
    # connection.
    option httpchk
    # Three application instances; "check" takes a failing one out of rotation.
    server server1 ckeditor-cs-1.example.com:8000 check
    server server2 ckeditor-cs-2.example.com:8000 check
    server server3 ckeditor-cs-3.example.com:8000 check
# 使用 TLS 加密连接
# Process-wide settings.
global
    # Run HAProxy in the background.
    daemon
    # Size in bits of the Diffie-Hellman parameters used for DHE key exchange.
    tune.ssl.default-dh-param 2048

# Defaults inherited by the frontend and backend below.
defaults
    # Layer-7 (HTTP) proxying.
    mode http
    timeout connect 5s
    # NOTE(review): no "timeout tunnel" is set, so these two timeouts
    # presumably also bound idle upgraded WebSocket connections - confirm that
    # 120s fits the application's keep-alive behaviour.
    timeout client 120s
    timeout server 120s

frontend http-in
    # Port 80 stays open only so plain-HTTP requests can be redirected below.
    bind *:80
    # TLS listener. The crt file is expected to hold the certificate and its
    # private key, so keep it readable only by the HAProxy account.
    # NOTE(review): no minimum TLS version is configured here; the effective
    # minimum depends on the HAProxy build - confirm it meets your policy.
    bind *:443 ssl crt /etc/ssl/your_certificate.pem
    # set-header replaces any client-sent X-Forwarded-Proto; ssl_fc is true
    # when the client connection arrived over TLS.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    # Requests that did not arrive over TLS are redirected to HTTPS.
    redirect scheme https if !{ ssl_fc }
    default_backend servers

backend servers
    # TLS ends at the proxy; the hop to the local backend is plain HTTP.
    # Unlike the other examples there is no "check" here, so health checks are
    # not enabled for this server.
    server server1 127.0.0.1:8000
# Caddy
Caddy 处理自动 TLS 证书和证书续订。此外,它不需要为 WebSocket 连接进行任何额外配置,并且会自动传递所有必需的标头。
# 一行命令
# Quick start without a config file: requests for the --from host name are
# proxied to the --to address.
$ caddy reverse-proxy --from your.domain.name --to 127.0.0.1:8000
# 基本配置
# Site block for your.domain.com. Per the page, Caddy obtains and renews the
# TLS certificate itself and needs no extra WebSocket or header settings.
your.domain.com {
    # Forward every request to the local application instance.
    reverse_proxy 127.0.0.1:8000
}
# 处理多个实例
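# Site block for your.domain.com with three upstream instances. Caddy
# distributes requests across every address listed on reverse_proxy.
your.domain.com {
    # The original listed ckeditor-cs-3 twice and omitted ckeditor-cs-2, so the
    # second instance never received traffic; list each instance exactly once.
    reverse_proxy ckeditor-cs-1.example.com:8000 ckeditor-cs-2.example.com:8000 ckeditor-cs-3.example.com:8000
}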