CentOS7配置nginx
作者QQ:67065435 QQ群:821635552
本站内容全部为作者原创,转载请注明出处!
SSL支持
SSL支持(同时支持HTTP、HTTPS、IPV4、IPV6、H2)
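# Virtual host served over HTTP and HTTPS, on IPv4 and IPv6, with HTTP/2 on the TLS listeners.
server {
    listen 80;
    listen 443 ssl http2;
    listen [::]:80;
    listen [::]:443 ssl http2;
    server_name xxx.xxx.com;
    root /www/xxx;

    location / {
        index index.php index.html index.htm;
    }

    # Requests whose URI contains ".php" are handed to PHP-FPM on the loopback interface.
    location ~* \.php {
        fastcgi_split_path_info ^(.+\.php)(.*)$;

        # Only pass the request on when the resolved script really exists under the
        # document root. Without this check a URI that merely ends in ".php" can reach
        # PHP-FPM, and PHP's path-info fallback (cgi.fix_pathinfo) may then run a
        # different file, such as an uploaded one, as a script.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Certificate chain and private key; the key file should be readable only by root.
    ssl_certificate /fullchain.pem;
    ssl_certificate_key /privkey.pem;
    ssl_session_timeout 5m;

    # TLSv1 and TLSv1.1 are deprecated and are no longer offered here.
    # Append TLSv1.3 when nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2;

    # Forward-secret AEAD suites only. The previous string (ALL ... RC4 ... +LOW
    # ... +SSLv2 ... +EXP) allowed RC4, export-grade and other weak ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}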
日志定制
- 日志定制
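# The name declared by log_format must be the same name that access_log refers to.
# Syntax:
#   log_format [format name] '[format]';
#   access_log [log path] [format name];
#
# error_log does not accept a log_format name; its second argument is a
# severity level (debug, info, notice, warn, error, crit, alert, emerg):
#   error_log [log path] [level];

# Example
log_format my_style '[$time_local] $remote_addr $status $request';
access_log logs/access.log my_style;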
资源缓存
- 静态缓存
# Static site with long-lived client-side caching for asset files.
server {
    server_name m.xxx.com;
    listen 80;
    root /www/view/dist;

    location / {
        index index.html index.php;
    }

    # Asset files, matched by extension.
    location ~ \.(js|css|jpg|png|gif|ico|ttf|woff|woff2|svg)$ {
        # Other values that can be used instead:
        #   expires 1d;   # cache for one day
        #   expires 1h;   # cache for one hour
        #   expires -1;   # do not cache
        # "max" caches for about ten years, so it fits files whose names change
        # whenever their content changes.
        expires max;
    }
}
防止盗链
防盗链
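# Hotlink protection based on the Referer header.
# The Referer header is supplied by the client, so this only discourages casual
# hotlinking; it is not an access control and must not guard private content.
server {
    listen 80;
    server_name m.xxx.com;
    root /www/view/dist;

    # Option 1: domain allowlist.
    # "none" accepts requests without a Referer, "blocked" accepts a Referer
    # that a proxy or firewall has stripped of its scheme.
    location / {
        valid_referers none blocked *.xxx.com;
        if ($invalid_referer) {
            # 444 closes the connection without sending a response.
            return 444;
        }
    }

    # Option 2: domain allowlist plus search-engine host patterns.
    # A server block cannot hold two "location /" blocks (nginx rejects the
    # duplicate), so this one is commented out; use it in place of option 1.
    #location / {
    #    valid_referers none blocked *.xxx.com server_names ~\.google\. ~\.baidu\.;
    #    if ($invalid_referer) {
    #        return 444;
    #    }
    #}
}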
多IF判断
- 多IF判断
# nginx "if" has no AND operator, so several conditions are combined by
# appending a marker to $flag for each one that holds and then testing the
# final string.
set $flag "0";

# Condition 1: the request is for the site root.
if ($uri = "/") {
    set $flag "${flag}1";
}

# Condition 2: the request arrived over plain HTTP.
if ($scheme = "http") {
    set $flag "${flag}1";
}

# Both conditions held: redirect permanently to HTTPS.
if ($flag = "011") {
    rewrite ^(.*) https://$host$1 permanent;
}
URL重写
URL重写
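# Redirects plain-HTTP requests for xxx.com and its subdomains to HTTPS.
server {
    listen 80;
    listen 443 ssl;
    server_name *.xxx.com xxx.com;

    # This block also serves port 443, so the redirect must apply to HTTP
    # requests only; an unconditional rewrite would send HTTPS requests back to
    # themselves in an endless redirect loop.
    if ($scheme = http) {
        rewrite ^(.*) https://$host$1 permanent;
    }

    # Certificate chain and private key; the key file should be readable only by root.
    ssl_certificate /fullchain.pem;
    ssl_certificate_key /privkey.pem;
    ssl_session_timeout 5m;

    # The original note said the protocol order must be fixed for HTTP/2 to
    # work. nginx treats this list as a set; what HTTP/2 needs is TLSv1.2 or
    # newer. TLSv1 and TLSv1.1 are deprecated and are no longer offered.
    # Append TLSv1.3 when nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2;

    # Forward-secret AEAD suites only. The previous string (ALL ... RC4 ... +LOW
    # ... +SSLv2 ... +EXP) allowed RC4, export-grade and other weak ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}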
反向代理
反向代理
# Reverse proxy, variant 1:
# http://www.xxx.com is served by the backend at http://127.0.0.1:8080.
server {
    server_name www.xxx.com;
    listen 80;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# Reverse proxy, variant 2:
# http://www.xxx.com is split across two backends by path prefix:
#   /route1 -> http://127.0.0.1:8080
#   /route2 -> http://127.0.0.1:8888
# Both variants use the same server_name and port, so they are alternatives.
# Prefix locations such as /route1 also match longer paths that begin with the
# same characters (for example /route1x).
server {
    server_name www.xxx.com;
    listen 80;

    location /route1 {
        proxy_pass http://127.0.0.1:8080;
    }

    location /route2 {
        proxy_pass http://127.0.0.1:8888;
    }
}
PHP-FPM
反向代理-php
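# Virtual host that serves static files and passes PHP requests to PHP-FPM.
# NOTE(review): "listen 443 ssl" needs ssl_certificate / ssl_certificate_key;
# none are set in this block, so they are presumably inherited from the http
# level. Confirm before use.
server {
    listen 80;
    listen 443 ssl;
    server_name www.xxx.com;
    root /www/book_note/dist;

    location / {
        index index.php index.html index.htm;
    }

    # Requests whose URI contains ".php" are handed to PHP-FPM on the loopback interface.
    location ~* \.php {
        fastcgi_split_path_info ^(.+\.php)(.*)$;

        # Only pass the request on when the resolved script really exists under the
        # document root. Without this check a URI that merely ends in ".php" can reach
        # PHP-FPM, and PHP's path-info fallback (cgi.fix_pathinfo) may then run a
        # different file, such as an uploaded one, as a script.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}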
反向代理-symfony
# Symfony application behind PHP-FPM with app.php as the front controller.
# NOTE(review): "listen 443 ssl" needs ssl_certificate / ssl_certificate_key;
# none are set in this block, so they are presumably inherited from the http
# level. Confirm before use.
server {
    listen 80;
    listen 443 ssl;
    server_name test.com www.test.com;
    root /www/book_read/web;

    # Serve an existing file directly, otherwise fall through to the front controller.
    location / {
        try_files $uri /app.php$is_args$args;
    }

    # Development front controller and configuration checker.
    # Keep this location on development hosts only: app_dev.php and config.php
    # expose debugging and setup details, so on production leave this block out
    # and do not deploy the two files.
    location ~ ^/(app_dev|config)\.php(/|$) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }

    # Production front controller.
    location ~ ^/app\.php(/|$) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
        # "internal" makes this location reachable only through the try_files
        # fallback above; a direct request for /app.php gets 404.
        internal;
    }

    # Every other .php file is refused, so no other script can be run by URL.
    location ~ \.php$ {
        return 404;
    }
}
反向代理-路由
# How trailing slashes on "location" and "proxy_pass" change the URI that the
# backend receives. The snippets are fragments that belong inside a server block.

# Detail 1: proxy_pass with or without a trailing '/'.

# (1) proxy_pass without '/': http://127.0.0.1
listen 80;
server_name xxx.com;
location /api/ {
    proxy_pass http://127.0.0.1;
}

# (2) proxy_pass with '/': http://127.0.0.1/
listen 80;
server_name xxx.com;
location /api/ {
    proxy_pass http://127.0.0.1/;
}

# For the same request, http://xxx.com/api/user_info:
#   (1) the backend receives http://127.0.0.1/api/user_info
#   (2) the backend receives http://127.0.0.1/user_info

# Detail 2: location with or without '/', combined with proxy_pass with or without '/'.

# (1) location /api (no '/'), proxy_pass http://127.0.0.1 (no '/')
listen 80;
server_name xxx.com;
location /api {
    proxy_pass http://127.0.0.1;
}

# (2) location /api (no '/'), proxy_pass http://127.0.0.1/ (with '/')
listen 80;
server_name xxx.com;
location /api {
    proxy_pass http://127.0.0.1/;
}

# (3) location /api/ (with '/'), proxy_pass http://127.0.0.1 (no '/')
listen 80;
server_name xxx.com;
location /api/ {
    proxy_pass http://127.0.0.1;
}

# (4) location /api/ (with '/'), proxy_pass http://127.0.0.1/ (with '/')
listen 80;
server_name xxx.com;
location /api/ {
    proxy_pass http://127.0.0.1/;
}

# For the same request, http://xxx.com/api/user_info:
#   (1) the backend receives http://127.0.0.1/api/user_info
#   (2) the backend receives http://127.0.0.1//user_info
#   (3) the backend receives http://127.0.0.1/api/user_info
#   (4) the backend receives http://127.0.0.1/user_info
#
# "location /api" (no trailing slash) is a plain prefix match, so it also
# matches paths such as /apiother. Keeping the trailing slash on both sides,
# as in (4), limits the mapping to paths under /api/.
负载均衡
IP列表
192.168.0.1 (负载均衡服务器) 192.168.0.2 (WEB 服务器1) 192.168.0.3 (WEB 服务器2)
相关配置
# Round-robin load balancing (the default method).
upstream load_blc {
    server 192.168.0.2:80;
    server 192.168.0.3:80;
}

# Weighted load balancing.
#upstream load_blc {
#    server 192.168.0.2:80 weight=10;
#    server 192.168.0.3:80 weight=10;
#}

# Failure-tolerant load balancing.
#upstream load_blc {
#    server 192.168.0.2:80 max_fails=10;
#    server 192.168.0.3:80 max_fails=10;
#}

# ip_hash load balancing (works well with server-side sessions).
#upstream load_blc {
#    ip_hash;
#    server 192.168.0.2:80;
#    server 192.168.0.3:80;
#}

# fair load balancing (the server that responds fastest is preferred).
# NOTE(review): "fair" is not part of stock nginx; it presumably needs a
# third-party upstream module compiled in. Confirm before use.
#upstream load_blc {
#    fair;
#    server 192.168.0.2:80;
#    server 192.168.0.3:80;
#}

# url_hash load balancing (works well when the backends are caches).
# NOTE(review): "hash_method" looks like it comes from an older third-party
# hash module; the "hash" directive built into current nginx does not use it.
# Confirm against the nginx build in use.
#upstream load_blc {
#    server 192.168.0.2:80;
#    server 192.168.0.3:80;
#    hash $request_uri;
#    hash_method crc32;
#}

# Format of a server line inside upstream:
#   server ip:port [down|weight=?|max_fails|fail_timeout|backup];
# down:         the server temporarily takes no part in load balancing.
# weight:       defaults to 1; the larger the weight, the larger the share of requests.
# max_fails:    number of failed requests allowed, default 1; once it is exceeded,
#               the error defined by proxy_next_upstream is returned.
# fail_timeout: how long the server is paused after max_fails failures.
# backup:       receives requests only when every non-backup server is down or
#               busy, so this machine carries the lightest load.

# Front-end virtual host that hands every request to the upstream group.
server {
    listen 80;
    server_name www.xxx.com;

    location / {
        proxy_pass http://load_blc;
        # Pass the Host header requested by the client on to the backend.
        proxy_set_header Host $host;
        proxy_redirect default;
        proxy_redirect / /;
    }
}
注意事项
nginx支持同时设置多组的负载均衡,用来给不同的负载均衡server来使用。 client_body_in_file_only: 设置为On 可以将client post过来的数据记录到文件中用来做debug(请求体可能包含密码、令牌等敏感数据,仅在调试时临时开启,并限制该目录的访问权限) client_body_temp_path: 设置记录文件的目录 可以设置最多3层目录 location: 对URL进行匹配.可以进行重定向或者进行新的代理 负载均衡
正向代理
场景介绍
与第三方合作,三方接口安全文档限制只能通过111.111.111.111访问其服务器才能通过接口验证。 现在业务跑在111.111.111.112这台服务器上,要让111.111.111.112能通过111.111.111.111正向代理来访问三方接口,从而通过接口安全验证。
代理服务器111.111.111.111配置
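# Forward proxy on 111.111.111.111: relays requests from the business server
# to the host named in each request's Host header.
server {
    # The client example on this page connects to the proxy on port 8888, so
    # the proxy listens there (the original "listen 80" did not match it).
    listen 8888;

    # DNS server used to resolve the upstream host at request time.
    resolver 114.114.114.114;

    location / {
        # The target is taken from the request itself, so without a client
        # restriction anyone who can reach this port could relay traffic
        # through this server, including to internal addresses. Allow only the
        # business server.
        allow 111.111.111.112;
        # allow <internal IP of the business server>;  # if it connects over the private network
        deny all;

        proxy_set_header HOST $host;
        proxy_set_header x-bce-date $http_x_bce_date;
        # Header name corrected from the misspelt "accept-encodeing".
        proxy_set_header Accept-Encoding 'gzip,deflate';
        proxy_set_header authorization $http_authorization;

        # $scheme is always "http" on this listener and stock nginx does not
        # handle CONNECT tunnelling, so the Authorization header crosses both
        # hops unencrypted. NOTE(review): confirm this is acceptable for the
        # third-party interface.
        proxy_pass $scheme://$http_host$request_uri;
    }
}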
业务服务器111.111.111.112请求三方接口的代码(PHP为例)
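<?php
# Calls the third-party interface from the business server through the forward proxy.
# Assumes the internal IP of server 111.111.111.111 is 192.168.0.111.
$url = '三方接口链接';

$curl = curl_init($url);

# Return the response body from curl_exec() instead of printing it directly.
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

# Keep TLS verification on: check the certificate chain and that the
# certificate matches the host name. Turning these off (both were set to 0)
# lets anyone on the network path impersonate the third-party server.
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);

curl_setopt($curl, CURLOPT_TIMEOUT, 120);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 120);

# Route the request through the forward proxy over the private network.
curl_setopt($curl, CURLOPT_PROXY, 'http://192.168.0.111:8888');
curl_setopt($curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);

$result = curl_exec($curl);

if ($result === false) {
    # curl_exec() returns false on failure; record the reason instead of
    # silently printing an empty response.
    error_log('third-party interface request failed: ' . curl_error($curl));
    curl_close($curl);
} else {
    curl_close($curl);
    echo $result;
}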