nginx常用配置总结

多二级/三级域名多服务nginx配置

常用命令

1
2
3
4
5
6
7
8
#启动
/usr/local/nginx/sbin/nginx
#停止
/usr/local/nginx/sbin/nginx -s stop
#检查脚本
/usr/local/nginx/sbin/nginx -t
#重新加载配置
/usr/local/nginx/sbin/nginx -s reload

nginx.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
#指定nginx 用户 组
#user sure sure;
#内容存进程的id,作用防止多个进程启动
pid /usr/local/nginx/conf/nginx.pid;
#错误日志(从左到右:debug最详细 crit最少)
#[ debug | info | notice | warn | error | crit ]
error_log /usr/local/nginx/logs/error.log crit;

#启动进程,通常设置成和cpu的数量相等,或者设置auto
worker_processes 24;
#在linux 2.6内核下开启文件打开数为65535
worker_rlimit_nofile 65535;

events {
#Epoll: 使用于Linux内核2.6版本及以后的系统
use epoll;
#所以nginx支持的总连接数就等于worker_processes * worker_connections
worker_connections 65535;
}

http {
#文件扩展名与类型对应关系
include mime.types;
#没有找到对应类型使用application/octet-stream
default_type application/octet-stream;

#访问日志关
access_log off;
# 隐藏nginx版本,防止通过版本漏洞攻击
server_tokens off;

server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;

sendfile on;
tcp_nopush on;
#连接超时时间
keepalive_timeout 120;
tcp_nodelay on;

gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;

#解决iframe跨域问题
add_header P3P "CP=CAO PSA OUR";

#解决页面部分缓存问题
ssi on;
ssi_silent_errors on;
ssi_types text/shtml;
ssi_types text/action;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_for';
log_format mlnormal '$remote_addr|$remote_user|[$time_local]|$host|"$request"|'
'$status|$body_bytes_sent|"$http_referer"|'
'"$http_user_agent"|$http_x_forwarded_for|'
'$upstream_addr|$upstream_status|$upstream_response_time|'
'$server_addr';
include vhost/*.conf;
}

子配置目录vhost/*.conf,支持多个域名对应服务的配置文件,一个服务对应一个二级域名文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

#均衡代理,以及模式设置
upstream webcs {
# 过源IP进行HASH的机制。可以解决session问题
ip_hash;
#tomcat服务的访问地址
server 134.175.14.8:8042 max_fails=2 fail_timeout=30s;
server 134.175.151.120:8043 max_fails=2 fail_timeout=30s;
}

server {
listen 80;
#listen 443 ssl;
#域名访问地址
# 多个域名 server_name ... iexxk.com www.iexxk.com;
server_name outtest.iexxk.com;
index index.htm index.html index.jsp;
#tomcat webapp目录,或这dobase目录
root /data/web/webcs;

#ssl_certificate /data/ssl/shenqi.cer;
#ssl_certificate_key /data/ssl/shenqi.key;
#ssl_session_timeout 5m;

access_log /usr/local/nginx_logs/login.access.log mlnormal;

location ~ ^/WEB-INF/* {
deny all;
}

location ~ .(svn|git|cvs) {
deny all;
}

location ~.*\.(jsp|do|shtml)?$ {
#proxy_pass配置为:http:// + upstream策略名称
proxy_pass http://webcs;
proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
#include /usr/local/nginx/conf/proxy.conf;
}

location ~* \.(gif|jpg|jpeg|png|bmp|swf|js|css)$ {
expires 30d;
}
}

配置ssl/https

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
upstream res {
ip_hash;
server 172.16.16.8:14081 max_fails=2 fail_timeout=30s;
server 172.16.16.8:14081 max_fails=2 fail_timeout=30s;
}

server {
listen 80;
listen 443 ssl;
server_name outtest.res.suresvip.com;

#证书相关配置
ssl on; #注意这个用on其他所有改nginx配置的网站都会重定向到https,所以改用off不会影响其他的,但是不会自动重定向
ssl_certificate /usr/local/nginx/ssl/1_outtest.res.suresvip.com_bundle.crt;
ssl_certificate_key /usr/local/nginx/ssl/2_outtest.res.suresvip.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #按照这个协议配置
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;

#注释下面的不然使用https访问会下载文件
# index index.htm index.html index.jsp;
# root /data/web/res1;

access_log /usr/local/nginx_logs/login.access.log mlnormal;

location ~ ^/WEB-INF/* {
deny all;
}

location ~ .(svn|git|cvs) {
deny all;
}

location ~.* {
proxy_pass http://res;
proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
#include /usr/local/nginx/conf/proxy.conf;
}

location ~* \.(gif|jpg|jpeg|png|bmp|swf|js|css)$ {
expires 30d;
}
}

本地https配置

1
2
3
4
5
6
7
8
9
10
 server {
listen 9600 ssl;
server_name localhost;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
location / {
proxy_pass http://bpf_pf_access;
}
}

tomcat测试https

settings->Automatically follow redirects->Default: Settings->general->ssl certificate verification(off)->certificates->client certificates(添加证书文件即可)

nginx域名验证

  1. 阿里云申请证书

  2. 选择文件验证,下载文件复制类容

  3. 在nginx添加如下

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    server {
    listen 80;
    server_name iexxk.com;
    # return 301 https://$host$request_uri;
    #以下部分是验证用的,验证通过后可以删除,将刚刚复制的字符串替换200后的字符串
    location ^~/.well-known/pki-validation/fileauth.txt {
    add_header Content-Type 'text/html; charset=utf-8';
    return 200 '202207310000001mwx2sk9p9akvj3vg3b8sqew1uxxxxxxxxxx0f01ri34uddzzc';
    }
    }
  4. 点击验证,验证通过后,等待审核通过

  5. 下载nginx证书文件

  6. 上传证书文件到nginx服务器,配置nginx证书文件

    1
    2
    3
    4
    5
    6
    7
    server{
    listen 443 ssl;
    server_name iexxk.com;
    ssl_certificate /etc/nginx/ssl/8218253_prd-gva.mh.bluemoon.com.cn_nginx/8218253_iexxk.com.pem;
    ssl_certificate_key /etc/nginx/ssl/8218253_prd-gva.mh.bluemoon.com.cn_nginx/8218253_iexxk.com.key;
    ...
    }