本文是對Nginx常用配置的整理及記錄。
配置文件
- 目錄 /etc/nginx/nginx.conf
- 默認配置語法
# Main context: process-wide settings.
user nginx;                                  # account the worker processes run as
worker_processes 1;
error_log /var/log/nginx/error.log warn;     # log messages at "warn" level and above
pid /var/run/nginx.pid;

events {
    worker_connections 1024;                 # connection limit per worker process
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;   # used when no MIME type matches

    # Access-log layout. $remote_addr is the address of the connecting peer;
    # $http_x_forwarded_for is copied from a request header that the client can
    # set, so it is untrusted data when the log is analysed.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;

    # Every *.conf file under conf.d is read into this http block.
    include /etc/nginx/conf.d/*.conf;
}
# Default virtual host: static files from /usr/share/nginx/html on port 80.
server {
    listen 80;
    server_name localhost;

    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    #error_page 404 /404.html;

    # 5xx responses are answered with the static page /50x.html.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Disabled example: proxy *.php requests to Apache on 127.0.0.1:80.
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # Disabled example: pass *.php requests to a FastCGI server on 127.0.0.1:9000.
    #location ~ \.php$ {
    #    root html;
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    # Disabled example: refuse requests for files whose names start with ".ht"
    # when the document root is shared with Apache.
    #location ~ /\.ht {
    #    deny all;
    #}
}
默認模塊
-
http_stub_status_module:nginx客戶端狀態
- 配置語法:stub_status;需寫在location或server下
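# Status page served by http_stub_status_module.
# The counters describe the whole server, so access is limited to the local
# host here instead of being left open to every client.
location /status {
    stub_status;
    allow 127.0.0.1;
    deny all;
}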
-
http_sub_module:http內容替換
- 配置語法
- sub_filter string replacement
- sub_filter_last_modified on|off
- sub_filter_once on|off:是否只替換第一個
# Rewrite text in the response body before it is sent to the client.
location / {
    root /usr/share/nginx/html;
    index index.html index.htm;

    # First argument: the text to look for; second argument: its replacement.
    sub_filter '要替換的內容' '被替換後的內容';
    # off = replace every occurrence, not only the first one.
    sub_filter_once off;
}
請求限制
-
連接頻率限制:limit_conn_module
-
語法
- limit_conn_zone key zone=name:size;
- limit_conn zone number;
-
請求頻率限制:limit_req_module
-
語法
- limit_req_zone key zone=name:size rate=rate;
- limit_req zone=name [burst=number] [nodelay];
- burst:超出速率的請求最多保留number個,留到下一秒執行
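http {
    # Zones are declared in the http context. The key is the client address in
    # binary form ($binary_remote_addr).
    # NOTE(review): behind a reverse proxy or CDN this is the proxy's address,
    # so all of its clients would share one counter - confirm the deployment.
    limit_conn_zone $binary_remote_addr zone=conn_zone:1m;
    # Each client IP is allowed one request per second.
    limit_req_zone $binary_remote_addr zone=req_zone:1m rate=1r/s;

    server {
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;

            # At most one concurrent connection per key in conn_zone.
            limit_conn conn_zone 1;

            # Request-rate limit from req_zone; requests above the rate are rejected.
            limit_req zone=req_zone;
            # Alternative for the same zone (use one or the other): let up to
            # 3 excess requests through without delaying them.
            #limit_req zone=req_zone burst=3 nodelay;
        }
    }
}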
- 壓測工具:ab(apache bench)
- ab -n 100 -c 10 http://test.com/ :-n表示請求數,-c表示併發數
訪問限制
- 基於IP的訪問控制:http_access_module
- 語法
- allow address|CIDR|unix:|all;
- deny address|CIDR|unix:|all;
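# IP-based access control for the admin page.
# The pattern is a regex anchored only at the start, and its "." matches any
# character, so it also covers URIs that merely begin with /admin.html.
location ~ ^/admin.html {
    root /usr/share/nginx/html;
    index index.html index.htm;

    # allow/deny rules are checked in order and the first match decides, so the
    # deny has to come before "allow all"; in the opposite order it never applies.
    deny 222.122.191.3;
    # deny 222.122.191.0/24;
    allow all;
}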
- 基於用戶的信任登錄:http_auth_basic_module
- 語法
- auth_basic string |off;
- auth_basic_user_file file;
- 工具htpasswd
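# Password protection for the admin page (HTTP Basic authentication).
location ~ ^/admin.html {
    root /usr/share/nginx/html;
    index index.html index.htm;

    # The string is the realm shown in the browser's login prompt.
    auth_basic "Auth access error!input your password!";
    # User/password file created with htpasswd; it lives outside the document
    # root, so it cannot be requested as a static file.
    # Basic credentials are sent with every request in an easily decoded form,
    # so this location should be served over TLS.
    auth_basic_user_file /etc/nginx/auth_conf;
}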
靜態資源web服務
- 靜態資源服務場景-CDN
- sendfile on|off:文件讀取
- tcp_nopush on|off:sendfile開啓下才能使用。提高網絡包的傳輸效率
- tcp_nodelay on|off:keepalive連接下有效,提高網絡包的傳輸實時性
- gzip on|off:壓縮傳輸
- gzip_comp_level level;
- gzip_http_version 1.0|1.1;
- 壓縮模塊拓展,預讀gzip功能:http_gzip_static_module,語法gzip_static on|off
- 瀏覽器緩存
- expires [modified] time;
- expires epoch|max|off;
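# Browser caching: responses from this location carry a 24-hour expiry.
# NOTE(review): the example path is an admin page; long client-side caching
# suits static assets better than pages behind a login - confirm the intent.
location ~ ^/admin.html {
    root /usr/share/nginx/html;
    index index.html index.htm;
    expires 24h;
}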
- 跨域訪問-Access-Control-Allow-Origin
- add_header name value [always];
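# Cross-origin access: let pages from one named origin call this location.
location ~ ^/admin.html {
    root /usr/share/nginx/html;

    # A single explicit origin is allowed, not a wildcard.
    # Without the "always" flag, add_header is applied only to successful and
    # redirect responses, not to error responses.
    add_header Access-Control-Allow-Origin http://www.baidu.com;
    add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
}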
- 防盜鏈:http_referer
- valid_referers none|blocked|server_names|string;
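# Hotlink protection for images, based on the Referer request header.
# The header is supplied by the client, so this discourages embedding on other
# sites but is not an access control.
location ~ .*\.(jpg|png) {
    root /usr/share/nginx/html;

    # Accepted: referers stripped by a proxy or firewall ("blocked"), the listed
    # address, and referers matching the regex. A regex entry starts with "~"
    # and takes no surrounding slashes; it is matched against the text after
    # the scheme.
    valid_referers blocked 116.66.111.222 ~google\.;

    # "if" must be followed by a space before the opening parenthesis.
    if ($invalid_referer) {
        return 403;
    }
}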
代理服務
- proxy_pass URL;
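# Reverse proxy: nginx fetches the page from a local backend for the client.
location ~ /test_proxy.html$ {
    proxy_pass http://127.0.0.1:8080;
}

# Serve only requests whose X-Forwarded-For header starts with the expected address.
# X-Forwarded-For is a request header, so a client connecting directly can set
# it to any value; the check is meaningful only when every request arrives
# through a trusted proxy that overwrites the header. When the address of the
# connecting peer is what matters, allow/deny (which match the peer address)
# are the fitting directives.
location / {
    # "if" must be followed by a space before the opening parenthesis.
    if ($http_x_forwarded_for !~* "^116\.62\.103\.228") {
        return 403;
    }
    root /usr/share/nginx/html;
    index index.html;
}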
# Forward proxy: relay each request to the host named by the client.
# The destination comes from the client-supplied Host header, so whoever can
# reach this listener can use it to reach other hosts, internal ones included;
# limit who may connect (for example with allow/deny).
# Because proxy_pass contains variables, host names are resolved at run time,
# which requires a resolver directive in the configuration.
location / {
    proxy_pass http://$http_host$request_uri;
}
- 緩衝區:proxy_buffering on|off;
- 跳轉重定向:proxy_redirect default;
- 頭信息:proxy_set_header field value;
- 超時:proxy_connect_timeout time;
# Reverse proxy with explicit header, timeout and buffer settings.
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect default;

    # Headers passed to the backend. $http_host is the Host header exactly as
    # the client sent it; X-Real-IP carries the address of the connecting peer.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;

    # Timeouts for connecting to, sending to and reading from the backend.
    proxy_connect_timeout 30;
    proxy_send_timeout 60;
    proxy_read_timeout 60;

    # Response buffering.
    proxy_buffering on;
    proxy_buffer_size 32k;
    proxy_buffers 4 128k;
    proxy_busy_buffers_size 256k;
    proxy_max_temp_file_size 256k;
}
# The proxy_* settings can be kept in a separate proxy_params file and
# pulled in with include.
location / {
    proxy_pass http://127.0.0.1:8080;
    include proxy_params;
}
負載均衡
- upstream name {…}; 結合proxy_pass;
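http {
    # Backend pool; proxy_pass refers to it by name.
    upstream oden {
        # down: the server is marked as unavailable.
        server 116.62.103.222:8001 down;
        # backup: a standby server.
        server 116.62.103.222:8002 backup;
        # The parameter is spelled max_fails; together with fail_timeout it
        # controls when the server is considered failed.
        server 116.62.103.222:8003 max_fails=1 fail_timeout=10s;
        # Parameters take no spaces around "="; a larger weight receives a
        # larger share of requests.
        server 116.62.103.222:8004 weight=5;
    }

    server {
        listen 80;
        server_name localhost;

        location / {
            proxy_pass http://oden;
            include proxy_params;
        }
    }
}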
- 調度算法
- 輪詢
- 加權輪詢,weight越大分配到的機率更高
- ip_hash:每個請求按訪問IP的hash結果分配,這樣來自同一個IP固定訪問一個後端服務器
- least_conn:最少鏈接數,哪個機器連接數少就分發
- url_hash:按照訪問的URL的hash結果分配請求,是每個URL定向到同一個後端服務器
- hash關鍵數值:hash自定義的key
- hash key [consistent];
# Variant 1: choose the backend from a hash of the client IP, so one client
# keeps reaching the same server.
upstream oden {
    ip_hash;
    server 116.62.103.222:8001;
}

# Variant 2: choose the backend from a hash of a custom key, here the request URI.
upstream oden {
    hash $request_uri;
    server 116.62.103.222:8001;
}
緩存服務
- proxy_cache
- proxy_cache_path path
- proxy_cache zone | off
- proxy_cache_valid[code…] time
- 緩存維度:proxy_cache_key string
- $scheme $proxy_host $request_uri
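http {
    # On-disk cache: two directory levels, a 10 MB key zone named oden_cache,
    # at most 10 GB of data, entries dropped after 60 minutes without access.
    # The parameter is spelled use_temp_path.
    proxy_cache_path /opt/app/cache levels=1:2 keys_zone=oden_cache:10m max_size=10g inactive=60m use_temp_path=off;

    upstream oden {
        server 116.62.103.222:8001;
        server 116.62.103.222:8002;
    }

    server {
        listen 80;
        server_name localhost;

        location / {
            proxy_cache oden_cache;
            proxy_pass http://oden;

            # How long responses are cached, by status code.
            proxy_cache_valid 200 304 12h;
            proxy_cache_valid any 10m;

            # The key is built from host, path and query string only; cookies
            # and credentials are not part of it.
            # NOTE(review): per-user pages would need to be kept out of the
            # cache (proxy_no_cache) so one user's response is not served to
            # another - confirm what the backends return.
            proxy_cache_key $host$uri$is_args$args;

            # Report the cache result to the client; the variable is spelled
            # $upstream_cache_status.
            add_header Nginx-Cache "$upstream_cache_status";

            # On these failures the request is passed to the next server.
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

            include proxy_params;
        }
    }
}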
- 清理指定緩存
- rm -rf緩存目錄內容
- 第三方拓展模塊ngx_cache_purge
- 讓部分頁面不緩存
- proxy_no_cache string;
- proxy_no_cache
- 分片請求
- slice size;
命令
- 重啓:systemctl restart nginx.service
- 配置文件語法正確性檢查:nginx -t -c /etc/nginx/nginx.conf