Linux配置nginx

  1. 作者QQ:67065435 QQ群:821635552

SSL支持

  1. SSL支持(同时支持HTTP、HTTPS)

    server {
    listen      80;
    listen      443 ssl;
    server_name xxx.xxx.com;
    root        /www/xxx;

    location / {
        index  index.php index.html index.htm;
    }

    location ~* \.php {
        include                 fastcgi_params;
        fastcgi_index           index.php;
        fastcgi_pass            127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param           PATH_INFO $fastcgi_path_info;
        fastcgi_param           SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    ssl_certificate             /fullchain.pem;
    ssl_certificate_key         /privkey.pem;
    ssl_session_timeout         5m;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;#这里顺序固定才能开启http2
    ssl_ciphers                 ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;
}

日志定制

  1. 日志定制
    # 关键在于自定义日志格式名要一致
log_format [自定义日志格式名] '[格式]';
error_log [日志路径] [自定义日志格式名];
access_log [日志路径] [自定义日志格式名];
# 举例如下
log_format my_style '[$time_local] $remote_addr $status $request';
access_log logs/access.log my_style;

资源缓存

  1. 资源缓存
    location / {
    #expires max; #缓存10年
    #expires 1d;  #缓存1天
    #expires 1h;  #缓存1小时
    #expires -1;  #永远过期
}
  2. 页应用缓存
    server {
    listen          80;
    server_name     m.xxx.com;
    root            /www/view/dist;
    location / {
        try_files   $uri $uri/ /index.html;
        add_header  Cache-Control "private,no-store,no-cache,must-revalidate,proxy-revalidate";
    }
    location ~ .*\.(js|css|jpg|png|gif|ico|ttf|woff|woff2|svg)$ {
        expires max;
    }
}

防止盗链

  1. 防止盗链

    # 域名白名单
location / {
    valid_referers none blocked *.xxx.com;
    if ($invalid_referer) {
        return 444;
    }
}

# 域名白名单+搜索引擎域名正则
location / {
    valid_referers none blocked *.xxx.com server_names ~\.google\. ~\.baidu\.;
    if ($invalid_referer) {
        return 444;
    }
}

多个判断

  1. 多个判断
    set $flag "0";
if ($uri = '/') {
    set $flag "${flag}1";
}
if ($scheme = 'http') {
    set $flag "${flag}1";
}
if ($flag = '011') {
    rewrite ^(.*)  https://$host$1 permanent;
}

URL重写

  1. URL重写

    server {
    listen  80;
    listen  443 ssl;
    server_name *.xxx.com xxx.com;

    rewrite ^(.*)  https://$host$1 permanent;

    ssl_certificate             /fullchain.pem;
    ssl_certificate_key         /privkey.pem;
    ssl_session_timeout         5m;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;#这里顺序固定才能开启http2
    ssl_ciphers                 ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;
}

反向代理

  1. 反向代理

    # 反向代理
# http://127.0.0.1:8080
# 到http://www.xxx.com
server {
    listen              80;
    server_name         www.xxx.com;
    location / {
        proxy_pass          http://127.0.0.1:8080;
    }
}

# 反向代理
# http://127.0.0.1:8080
# http://127.0.0.1:8888
# 到http://www.xxx.com
server {
    listen              80;
    server_name         www.xxx.com;
    location /route1 {
        proxy_pass          http://127.0.0.1:8080;
    }
    location /route2 {
        proxy_pass          http://127.0.0.1:8888;
    }
}

  2. 反向代理实践-php

    server {
    listen      80;
    listen      443 ssl;
    server_name www.xxx.com;
    root        /www/book_note/dist;

    location / {
        index   index.php index.html index.htm;
    }

    location ~* \.php {
        include                 fastcgi_params;
        fastcgi_index           index.php;
        fastcgi_pass            127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_param           PATH_INFO       $fastcgi_path_info;
        fastcgi_param           SCRIPT_NAME     $fastcgi_script_name;
        fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

  3. 反向代理应用-symfony3.x

    server {
    listen      80;
    listen      443 ssl;
    server_name test.com;
    server_name www.test.com;
    root        /www/book_read/web;
    location / {
        try_files $uri /app.php$is_args$args;
    }
    location ~ ^/(app_dev|config)\.php(/|$) {
        fastcgi_pass            127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include                 fastcgi_params;
        fastcgi_param           SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param           DOCUMENT_ROOT $realpath_root;
    }
    location ~ ^/app\.php(/|$) {
        fastcgi_pass            127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include                 fastcgi_params;
        fastcgi_param           SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param           DOCUMENT_ROOT $realpath_root;
        internal;
    }
    location ~ \.php$ {
        return 404;
    }
}

负载均衡(本质上还是在做反向代理)

  1. IP列表

    192.168.0.1  (负载均衡服务器)
192.168.0.2  (WEB 服务器1)
192.168.0.3  (WEB 服务器2)

  2. 相关配置

    #均询式负载均衡
upstream load_blc {
    server 192.168.0.2:80;
    server 192.168.0.3:80;
}

#权重式负载均衡
#upstream load_blc {
#    server 192.168.0.2:80 weight=10;
#    server 192.168.0.3:80 weight=10;
#}

#ip_hash负载均衡(session稳定)
#upstream load_blc {
#    ip_hash;
#    server 192.168.0.2:80;
#    server 192.168.0.3:80;
#}

#fair负载均衡(第三方)(响应最快服务器优先分配给用户)
#upstream load_blc {
#    server 192.168.0.2:80;
#    server 192.168.0.3:80;
#    fair;
#}

#url_hash负载均衡(第三方)(后端服务器为缓存时效果较好)
#upstream load_blc {
#    server 192.168.0.2:80;
#    server 192.168.0.3:80;
#    hash $request_uri;
#    hash_method crc32;
#}

#upstream中server格式:
#server ip:port [down|weight=?|max_fails|fail_timeout|backup];
#down:         表示单前的server暂时不参与负载
#weight:       默认为1.weight越大,负载的权重就越大。
#max_fails:    允许请求失败的次数默认为1.当超过最大次数时,返回proxy_next_upstream模块定义的错误
#fail_timeout: max_fails次失败后,暂停的时间。
#backup:       其它所有的非backup机器down或者忙的时候,请求backup机器。所以这台机器压力会最轻。

server {
    listen       80;
    server_name  www.xxx.com;
    location / {
        proxy_pass     http://load_blc;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

  3. 注意事项

    nginx支持同时设置多组的负载均衡,用来给不同的负载均衡server来使用。
client_body_in_file_only: 设置为On 可以讲client post过来的数据记录到文件中用来做debug
client_body_temp_path:    设置记录文件的目录 可以设置最多3层目录
location:                 对URL进行匹配.可以进行重定向或者进行新的代理 负载均衡

正向代理

  1. 场景介绍

    与第三方合作,三方接口安全文档限制只能通过111.111.111.111访问其服务器才能通过接口验证。
现在业务跑在111.111.111.112这台服务器上,要让111.111.111.112能通过111.111.111.111正
向代理来访问三方接口,从而通过接口安全验证。

  2. 代理服务器111.111.111.111配置

    server {
    listen      80;
    resolver    114.114.114.114;
    location / {
        proxy_set_header    HOST              $host;
        proxy_set_header    x-bce-date        $http_x_bce_date;
        proxy_set_header    accept-encodeing  'gzip,deflate';
        proxy_set_header    authorization     $http_authorization;
        proxy_pass          $scheme://$http_host$request_uri;
    }
}

  3. 业务服务器111.111.111.112请求三方接口的代码(PHP为例)

    <?php
# 假设服务器111.111.111.111内网IP为192.168.0.111
$url = '三方接口链接';

$curl = curl_init($url);

curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);

curl_setopt($curl, CURLOPT_TIMEOUT, 120);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 120);

curl_setopt($curl, CURLOPT_PROXY, 'http://192.168.0.111:8888');
curl_setopt($curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);

curl_setopt($curl, CURLOPT_HTTPHEADER, ['CLIENT-IP:111.111.111.111', 'X-FORWARDED-FOR:111.111.111.111']);

$result = curl_exec($curl);

curl_close($curl);
echo $result;
Copyright © 豆包嘿嘿~ 2012-∞ 冀ICP备17033181号 all right reserved,powered by Gitbook修订: 2020-05-13 11:59:26

results matching ""

    No results matching ""