CentOS7配置nginx
作者QQ:67065435 QQ群:821635552
本站内容全部为作者原创,转载请注明出处!
SSL支持
SSL支持(同时支持HTTP、HTTPS、IPV4、IPV6、H2)
server { listen 80; listen 443 ssl http2; listen [::]:80; listen [::]:443 ssl http2; server_name xxx.xxx.com; root /www/xxx; location / { index index.php index.html index.htm; } location ~* \.php { include fastcgi_params; fastcgi_index index.php; fastcgi_pass 127.0.0.1:9000; fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } ssl_certificate /fullchain.pem; ssl_certificate_key /privkey.pem; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; }
日志定制
日志定制
# 关键在于自定义日志格式名要一致 log_format [自定义日志格式名] '[格式]'; access_log [日志路径] [自定义日志格式名]; # 举例如下 log_format my_style '[$time_local] $remote_addr $status $request'; access_log logs/access.log my_style;
频率限制
频率限制
# 需要开启nginx的2个模块: ngx_http_limit_conn_module ngx_http_limit_req_module # 通过客户端IP限制访问频率 limit_req_zone $binary_remote_addr zone=[自定义频率限制名称]:[最大内存占用] rate=[限制频率]; limit_req zone=[自定义频率限制名称] burst=[漏桶数] nodelay; # 通过Server name限制访问频率 limit_req_zone $server_name zone=[自定义频率限制名称]:[最大内存占用] rate=[限制频率]; limit_req zone=[自定义频率限制名称] burst=[漏桶数] nodelay; # 举例说明 limit_req_zone $binary_remote_addr zone=per_ip:10m rate=30r/s; limit_req_zone $server_name zone=per_sv:10m rate=30r/m; limit_req zone=per_ip burst=5 nodelay; limit_req zone=per_sv burst=5; # $binary_remote_addr 用来通过客户端IP限制访问频率,$server_name 用来通过Server name限制访问频率 # zone 在 limit_req_zone 中相当于自定义一个会话存储池,存储池的名字是自己定义的,大小也是自己定义的 # rate 的作用是限制访问频率,其中 30r/s 表示30次请求每秒,30r/m 表示 0.5 次请求每秒 # zone 在 limit_req 中的作用是使用已经自定义的会话存储池,存储池的名字是已经定义过的 # burst 表示在 s 秒内,请求的总次数不大于 rate * s + burst # nodelay 存在该项表示 当请求总次数大于 rate * s + burst 时,响应503状态 # nodelay 不存在该项表示 当请求总次数大于 rate * s + burst 时,响应会被延时处理
资源缓存
- 静态缓存
server { listen 80; server_name m.xxx.com; root /www/view/dist; location / { index index.html index.php; } location ~ .*\.(js|css|jpg|png|gif|ico|ttf|woff|woff2|svg)$ { #expires max; #缓存10年 #expires 1d; #缓存1天 #expires 1h; #缓存1小时 #expires -1; #不缓存 expires max; } }
防止盗链
防盗链
server { listen 80; server_name m.xxx.com; root /www/view/dist; # 域名白名单 location / { valid_referers none blocked *.xxx.com; if ($invalid_referer) { return 444; } } # 域名白名单+搜索引擎域名正则 location / { valid_referers none blocked *.xxx.com server_names ~\.google\. ~\.baidu\.; if ($invalid_referer) { return 444; } } }
多IF判断
- 多IF判断
set $flag "0"; if ($uri = '/') { set $flag "${flag}1"; } if ($scheme = 'http') { set $flag "${flag}2"; } # 两个条件都不成立 if ($flag = '0') { # Do something... } # 只有第一个条件成立 if ($flag = '01') { # Do something... } # 只有第二个条件成立 if ($flag = '02') { # Do something... } # 两个条件都能成立 if ($flag = '012') { # Do something... }
URL重写
URL重写
server { listen 80; listen 443 ssl; server_name *.xxx.com xxx.com; rewrite ^(.*) https://$host$1 permanent; ssl_certificate /fullchain.pem; ssl_certificate_key /privkey.pem; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;#这里顺序固定才能开启http2 ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; }
反向代理
反向代理
# 反向代理 # http://127.0.0.1:8080 # 到http://www.xxx.com server { listen 80; server_name www.xxx.com; location / { proxy_pass http://127.0.0.1:8080; } } # 反向代理 # http://127.0.0.1:8080 # http://127.0.0.1:8888 # 到http://www.xxx.com server { listen 80; server_name www.xxx.com; location /route1 { proxy_pass http://127.0.0.1:8080; } location /route2 { proxy_pass http://127.0.0.1:8888; } }
PHP-FPM
反向代理-php
server { listen 80; listen 443 ssl; server_name www.xxx.com; root /www/book_note/dist; location / { index index.php index.html index.htm; } location ~* \.php { include fastcgi_params; fastcgi_index index.php; fastcgi_pass 127.0.0.1:9000; fastcgi_split_path_info ^(.+\.php)(.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } }反向代理-symfony
server { listen 80; listen 443 ssl; server_name test.com; server_name www.test.com; root /www/book_read/web; location / { try_files $uri /app.php$is_args$args; } location ~ ^/(app_dev|config)\.php(/|$) { fastcgi_pass 127.0.0.1:9000; fastcgi_split_path_info ^(.+\.php)(/.*)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; } location ~ ^/app\.php(/|$) { fastcgi_pass 127.0.0.1:9000; fastcgi_split_path_info ^(.+\.php)(/.*)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; internal; } location ~ \.php$ { return 404; } }反向代理-路由
# 细节1:proxy有无'/' # ①proxy无'/' http://127.0.0.1 listen 80; server_name xxx.com; location /api/ { proxy_pass http://127.0.0.1; } # ②proxy有'/' http://127.0.0.1/ listen 80; server_name xxx.com; location /api/ { proxy_pass http://127.0.0.1/; } # 同样请求 http://xxx.com/api/user_info # ①传到proxy请求为 http://127.0.0.1/api/user_info # ②传到proxy请求为 http://127.0.0.1/user_info # 细节2:location有无'/' proxy有无'/' # ①location无'/' location /api proxy无'/' http://127.0.0.1 listen 80; server_name xxx.com; location /api { proxy_pass http://127.0.0.1; } # ②location无'/' location /api proxy有'/' http://127.0.0.1/ listen 80; server_name xxx.com; location /api { proxy_pass http://127.0.0.1/; } # ③location有'/' location /api/ proxy无'/' http://127.0.0.1 listen 80; server_name xxx.com; location /api/ { proxy_pass http://127.0.0.1; } # ④location有'/' location /api/ proxy有'/' http://127.0.0.1/ listen 80; server_name xxx.com; location /api/ { proxy_pass http://127.0.0.1/; } # 同样请求 http://xxx.com/api/user_info # ①传到proxy请求为 http://127.0.0.1/api/user_info # ②传到proxy请求为 http://127.0.0.1//user_info # ③传到proxy请求为 http://127.0.0.1/api/user_info # ④传到proxy请求为 http://127.0.0.1/user_info
负载均衡
IP列表
192.168.0.1 (负载均衡服务器) 192.168.0.2 (WEB 服务器1) 192.168.0.3 (WEB 服务器2)相关配置
#均询式负载均衡 upstream load_blc { server 192.168.0.2:80; server 192.168.0.3:80; } #权重式负载均衡 #upstream load_blc { # server 192.168.0.2:80 weight=10; # server 192.168.0.3:80 weight=10; #} #容错式负载均衡 #upstream load_blc { # server 192.168.0.2:80 max_fails=10; # server 192.168.0.3:80 max_fails=10; #} #ip_hash负载均衡(session兼容好) #upstream load_blc { # ip_hash; # server 192.168.0.2:80; # server 192.168.0.3:80; #} #fair负载均衡(响应最快服务器优先分配给用户) #upstream load_blc { # fair; # server 192.168.0.2:80; # server 192.168.0.3:80; #} #url_hash负载均衡(后端服务器为缓存时效果较好) #upstream load_blc { # server 192.168.0.2:80; # server 192.168.0.3:80; # hash $request_uri; # hash_method crc32; #} #upstream中server格式: #server ip:port [down|weight=?|max_fails|fail_timeout|backup]; #down: 表示单前的server暂时不参与负载 #weight: 默认为1.weight越大,负载的权重就越大。 #max_fails: 允许请求失败的次数默认为1.当超过最大次数时,返回proxy_next_upstream模块定义的错误 #fail_timeout: max_fails次失败后,暂停的时间。 #backup: 其它所有的非backup机器down或者忙的时候,请求backup机器。所以这台机器压力会最轻。 server { listen 80; server_name www.xxx.com; location / { proxy_redirect default; proxy_redirect / /; proxy_set_header Host $host; proxy_pass http://load_blc; } }注意事项
nginx支持同时设置多组的负载均衡,用来给不同的负载均衡server来使用。 client_body_in_file_only: 设置为On 可以讲client post过来的数据记录到文件中用来做debug client_body_temp_path: 设置记录文件的目录 可以设置最多3层目录 location: 对URL进行匹配.可以进行重定向或者进行新的代理 负载均衡
攻击处理
nginx被恶意访问,创建如下脚本
#!/bin/bash # 将没有配置过的域名被访问的日志存储到/www/log/y_[域名].log(日志已修改格式为IP开头) grep -oE '^[0-9\.]+' /www/log/y_*log|sort|uniq|sort|awk 'NF{print "deny " $0 ";"}' > /usr/local/nginx/conf/deny.conf # 将不存在的路由被访问的日志存储到/www/log/z_[域名].log,这行代码开头的正则根据个人业务进行调整(日志已修改格式为IP开头) grep -oE '(.*?)HTTP/(1\.1|2\.0) 404' /www/log/z_*.log|grep -oE '^[0-9\.]+'|sort|uniq|sort|awk 'NF{print "deny " $0 ";"}' >> /usr/local/nginx/conf/deny.conf # 测试配置 nginx -t # 等待十秒 sleep 10 # 重载配置 nginx -s reloadnginx配置文件在http内第1行加上以下配置
include /usr/local/nginx/conf/deny.conf;执行第一步的脚本
chmod -R 755 /xxx/deny_ip /xxx/deny_ip
正向代理
场景介绍
与第三方合作,三方接口安全文档限制只能通过111.111.111.111访问其服务器才能通过接口验证。 现在业务跑在111.111.111.112这台服务器上,要让111.111.111.112能通过111.111.111.111正 向代理来访问三方接口,从而通过接口安全验证。代理服务器111.111.111.111配置
server { listen 80; resolver 114.114.114.114; location / { proxy_set_header HOST $host; proxy_set_header x-bce-date $http_x_bce_date; proxy_set_header accept-encodeing 'gzip,deflate'; proxy_set_header authorization $http_authorization; proxy_pass $scheme://$http_host$request_uri; } }业务服务器111.111.111.112请求三方接口的代码(PHP为例)
<?php # 假设服务器111.111.111.111内网IP为192.168.0.111 $url = '三方接口链接'; $curl = curl_init($url); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($curl, CURLOPT_TIMEOUT, 120); curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 120); curl_setopt($curl, CURLOPT_PROXY, 'http://192.168.0.111:8888'); curl_setopt($curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP); $result = curl_exec($curl); curl_close($curl); echo $result;