Appearance
Nginx 配置规范
nginx安全规范
基础配置
bash
user root;
worker_processes 1;
events {
worker_connections 10240;
}
http {
log_format '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"';
include mime.types;
default_type application/octet-stream;
sendfile on;
#autoindex on;
#autoindex_exact_size off;
autoindex_localtime on;
keepalive_timeout 65;
gzip on;
gzip_disable "msie6";
gzip_min_length 100;
gzip_buffers 4 16k;
gzip_comp_level 1;
gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_types "*";
gzip_vary off;
server_tokens off;
client_max_body_size 200m;
server {
listen 80 default_server;
server_name _;
return 403 /www/403/index.html;
}
include ../serve/*.conf;
}功能配置片段
隐藏 Nginx 版本信息
bash
http {
server_tokens off;
}日志按天分割存储
bash
http {
map $time_iso8601 $logdate {
'~^(?<ymd>\d{4}-\d{2}-\d{2})' $ymd;
default 'date-not-found';
}
#win环境下,路径分隔符要使用\\,不要会转译错误
access_log E:\\webapp\\nginx\\logs\\access_$logdate.log;
}禁止ip直接访问80端口
bash
server {
listen 80 default;
server_name _;
return 500;
}启动 web 服务 (vue 项目为例)
bash
server {
# 项目启动端口
listen 80;
# 域名(localhost)
server_name _;
# 禁止 iframe 嵌套
add_header X-Frame-Options SAMEORIGIN;
# 访问地址 根路径配置
location / {
# 项目目录
root html;
# 默认读取文件
index index.html;
# 配置 history 模式的刷新空白
try_files $uri $uri/ /index.html;
}
# 后缀匹配,解决静态资源找不到问题
location ~* \.(gif|jpg|jpeg|png|css|js|ico)$ {
root html/static/;
}
# 图片防盗链
location ~/static/.*\.(jpg|jpeg|png|gif|webp)$ {
root html;
valid_referers *.deeruby.com;
if ($invalid_referer) {
return 403;
}
}
# 访问限制
location /static {
root html;
# allow 允许
allow 39.xxx.xxx.xxx;
# deny 拒绝
deny all;
}
}PC端和移动端使用不同的项目文件映射
bash
server {
......
location / {
root /home/static/pc;
if ($http_user_agent ~* '(mobile|android|iphone|ipad|phone)') {
root /home/static/mobile;
}
index index.html;
}
}一个web服务,配置多个项目 (location 匹配路由区别)
bash
server {
listen 80;
server_name _;
# 主应用
location / {
root html/main;
index index.html;
try_files $uri $uri/ /index.html;
}
# 子应用一
location ^~ /store/ {
proxy_pass http://localhost:8001;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# 子应用二
location ^~ /school/ {
proxy_pass http://localhost:8002;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# 静态资源读取不到问题处理
rewrite ^/api/profile/(.*)$ /(替换成正确路径的文件的上一层目录)/$1 last;
}
# 子应用一服务
server {
listen 8001;
server_name _;
location / {
root html/store;
index index.html;
try_files $uri $uri/ /index.html;
}
location ^~ /store/ {
alias html/store/;
index index.html index.htm;
try_files $uri /store/index.html;
}
# 接口代理
location /api {
proxy_pass http://localhost:8089;
}
}
# 子应用二服务
server {
listen 8002;
server_name _;
location / {
root html/school;
index index.html;
try_files $uri $uri/ /index.html;
}
location ^~ /school/ {
alias html/school/;
index index.html index.htm;
try_files $uri /school/index.html;
}
# 接口代理
location /api {
proxy_pass http://localhost:10010;
}
}配置负载均衡
bash
upstream my_upstream {
server http://localhost:9001;
server http://localhost:9002;
server http://localhost:9003;
}
server {
listen 9000;
server_name test.com;
location / {
proxy_pass my_upstream;
proxy_set_header Host $proxy_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}SSL 配置 HTTPS
bash
server {
listen 80;
server_name www.xxx.com;
# 将 http 重定向转移到 https
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name www.xxx.com;
ssl_certificate /etc/nginx/ssl/www.xxx.com.pem;
ssl_certificate_key /etc/nginx/ssl/www.xxx.com.key;
ssl_session_timeout 10m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
root /project/xxx;
index index.html index.htm index.md;
try_files $uri $uri/ /index.html;
}
}跨域配置
bash
if ($request_method = OPTIONS ) {
add_header "Access-Control-Allow-Origin" *;
add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
add_header 'Access-Control-Max-Age' 600;
return 200;
}开启 GZip 压缩
bash
http
{
include conf/mime.types;
gzip on;
gzip_min_length 1000;
gzip_buffers 4 8k;
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css application/xml application/javascript application/json;
}跨域传递 Cookie
bash
http
location /foo {
proxy_pass http://localhost:4000;
proxy_cookie_path /foo "/; SameSite=None; HTTPOnly; Secure";
}健康检查
bash
http
http {
# 指定一个 upstream 负载均衡组,名称为 evalue
upstream evalue {
# 定义组内的节点服务,如果不加 weight 参数,默认就是 Round Robin ,加上了 weight 参数就是加权轮询
server 192.168.90.100:9999 weight=100;
server 192.168.90.101:9999 weight=100;
# interval=3000 检查间隔 3 秒 , rise=3 连续成功3次认为服务健康 , fall=5 连续失败 5 次认为服务不健康 , timeout=3000 健康检查的超时时间为 3 秒 , type=http 检查类型 http
check interval=3000 rise=3 fall=5 timeout=3000 type=http;
# check_http_send 设定检查的行为:请求类型 url 请求协议 -> HEAD /api/v1/health HTTP/1.0
check_http_send "HEAD /api/v1/health HTTP/1.0\r\n\r\n";
# 设定认为返回正常的响应状态
check_http_expect_alive http_2xx http_3xx;
}
}限流配置
bash
http {
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
location / {
limit_req zone=one burst=5;
proxy_pass http://backend;
}
}
}History 二级路由刷新问题
bash
location / {
root html;
try_files $uri $uri/ @router;
index index.html index.htm;
}
location @router {
rewrite ^.*$ /index.html last;
}图片防盗链
bash
server {
listen 80;
server_name *.jartto.com;
# 图片防盗链
location ~* \.(gif|jpg|jpeg|png|bmp|swf)$ {
valid_referers none blocked server_names ~\.google\. ~\.baidu\. *.qq.com; # 只允许本机 IP 外链引用
if ($invalid_referer){
return 403;
}
}
}配置多 Server
bash
http {
server {
listen 80;
server_name www.jartto.com;
root /var/www/jartto.com;
# other server configuration directives
}
server {
listen 80;
server_name www.another-jartto.com;
root /var/www/another-jartto.com;
# other server configuration directives
}
}动态修改配置模块
bash
upstream backends {
zone zone_for_backends 1m;
server 127.0.0.1:6001;
server 127.0.0.1:6002;
server 127.0.0.1:6003;
}
server {
listen 6000;
location /dynamic {
allow 127.0.0.1;
deny all;
dynamic_upstream;
}
location / {
proxy_pass http://backends;
}
}