Linux配置nginx

  1. 作者QQ:67065435 QQ群:821635552

SSL支持

  1. SSL支持(同时支持HTTP、HTTPS)

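    # One virtual host answering on both HTTP (80) and HTTPS (443); PHP requests
    # are handed to the FastCGI backend on 127.0.0.1:9000.
    server {
        listen      80;
        listen      443 ssl;
        server_name xxx.xxx.com;
        root        /www/xxx;

        location / {
            index  index.php index.html index.htm;
        }

        # Pass a request to PHP only when ".php" ends the script part of the URI
        # (optionally followed by "/path-info"). A bare "\.php" pattern matches
        # ".php" anywhere in the URI.
        location ~* [^/]\.php(/|$) {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;

            # Answer 404 unless the script named in the URI exists under the
            # document root, so the backend is never asked to resolve the path
            # to some other file (matters when PHP's cgi.fix_pathinfo is on).
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }

            include                 fastcgi_params;
            fastcgi_index           index.php;
            fastcgi_pass            127.0.0.1:9000;
            fastcgi_param           PATH_INFO $fastcgi_path_info;
            fastcgi_param           SCRIPT_NAME $fastcgi_script_name;
            fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        # Placeholder paths. The private key should be readable only by the
        # account that starts nginx.
        ssl_certificate             /fullchain.pem;
        ssl_certificate_key         /privkey.pem;
        ssl_session_timeout         5m;
        # TLS 1.0/1.1 are dropped. TLSv1.3 needs nginx 1.13.0+ built against
        # OpenSSL 1.1.1+; remove it on older builds. Protocol order has no
        # effect, and HTTP/2 is not enabled by this block (no "http2" on listen).
        ssl_protocols               TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only. The previous list started from ALL
        # and re-added RC4, LOW, EXP and SSLv2 suites. Applies to TLS <= 1.2.
        ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers   on;
    }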
    

日志定制

  1. 日志定制
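    # The name declared by log_format must be the same name that access_log uses.
    log_format [自定义日志格式名] '[格式]';
    # error_log takes a severity level (debug, info, notice, warn, error, crit,
    # alert, emerg) as its second argument, not a log_format name; the layout
    # of error-log lines cannot be customised.
    error_log [日志路径] [日志级别];
    access_log [日志路径] [自定义日志格式名];
    # Example
    log_format my_style '[$time_local] $remote_addr $status $request';
    access_log logs/access.log my_style;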
    

资源缓存

  1. 资源缓存
    # Browser-cache lifetime for everything under "/". All variants are
    # commented out; uncomment exactly one to enable it.
    location / {
        #expires max; # far-future expiry (cached for about 10 years)
        #expires 1d;  # cached for 1 day
        #expires 1h;  # cached for 1 hour
        #expires -1;  # already expired, so responses are not reused from cache
    }
    
  2. 单页应用缓存
    # Single-page application host: the HTML shell must never be stored by
    # browsers or proxies, while static assets get the longest lifetime.
    # NOTE(review): "expires max" is only safe if asset file names change
    # whenever their content changes. Confirm the build does that.
    server {
        server_name     m.xxx.com;
        listen          80;
        root            /www/view/dist;

        # Static assets, selected by file extension.
        location ~ .*\.(js|css|jpg|png|gif|ico|ttf|woff|woff2|svg)$ {
            expires max;
        }

        # Every other URI: serve the file or directory if present, otherwise
        # fall back to the application shell.
        location / {
            add_header  Cache-Control "private,no-store,no-cache,must-revalidate,proxy-revalidate";
            try_files   $uri $uri/ /index.html;
        }
    }
    

防止盗链

  1. 防止盗链

    # Referer allow-list: requests whose Referer is outside *.xxx.com get the
    # connection closed without a response (444).
    # "none" and "blocked" also accept requests with a missing or stripped
    # Referer. The header is supplied by the client, so this limits casual
    # hot-linking and is not an access control.
    location / {
        valid_referers none blocked *.xxx.com;

        if ($invalid_referer) { return 444; }
    }
    
    # Referer allow-list plus search engines: accepts *.xxx.com, this server's
    # own names, and any Referer host matching the google/baidu patterns.
    # The patterns are unanchored, so they match ".google." or ".baidu."
    # anywhere in the Referer. As the header is client-supplied, treat this as
    # hot-link reduction only.
    location / {
        valid_referers none blocked *.xxx.com server_names ~\.google\. ~\.baidu\.;

        if ($invalid_referer) { return 444; }
    }
    

多个判断

  1. 多个判断
    # Emulates "condition A AND condition B", which a single nginx "if" cannot
    # express: each test that passes appends "1" to $flag, and the final test
    # fires only when both digits were appended.
    set $flag "0";
    # Condition A: the request is for the site root.
    if ($uri = '/') {
        set $flag "${flag}1";
    }
    # Condition B: the request arrived over plain HTTP.
    if ($scheme = 'http') {
        set $flag "${flag}1";
    }
    # "011" means A and B both held; a single match leaves "01".
    if ($flag = '011') {
        # Permanent redirect to the same path over HTTPS.
        # NOTE(review): $host is taken from the request, so the redirect target
        # follows whatever host name the client sent. Confirm that a default
        # server rejects unknown names.
        rewrite ^(.*)  https://$host$1 permanent;
    }
    

URL重写

  1. URL重写

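    # Forces HTTPS for xxx.com and all of its subdomains.
    server {
        listen  80;
        listen  443 ssl;
        server_name *.xxx.com xxx.com;

        # Redirect only requests that arrived over plain HTTP. An unconditional
        # rewrite in a block that also listens on 443 redirects HTTPS requests
        # to themselves and loops forever.
        # NOTE(review): $host comes from the request. Confirm that a separate
        # default server handles names outside server_name.
        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }

        # Placeholder paths. The private key should be readable only by the
        # account that starts nginx.
        ssl_certificate             /fullchain.pem;
        ssl_certificate_key         /privkey.pem;
        ssl_session_timeout         5m;
        # TLS 1.0/1.1 are dropped. TLSv1.3 needs nginx 1.13.0+ built against
        # OpenSSL 1.1.1+; remove it on older builds. Protocol order has no
        # effect, and HTTP/2 is not enabled by this block (no "http2" on listen).
        ssl_protocols               TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only. The previous list started from ALL
        # and re-added RC4, LOW, EXP and SSLv2 suites. Applies to TLS <= 1.2.
        ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers   on;
    }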
    

反向代理

  1. 反向代理

    # Reverse proxy: publishes the local service at http://127.0.0.1:8080
    # as http://www.xxx.com.
    # No proxy_set_header lines are present, so the backend does not receive
    # the original Host or the client address from this block.
    server {
        server_name         www.xxx.com;
        listen              80;

        location / {
            proxy_pass      http://127.0.0.1:8080;
        }
    }
    
    # Reverse proxy: publishes two local services under http://www.xxx.com,
    #   /route1 -> http://127.0.0.1:8080
    #   /route2 -> http://127.0.0.1:8888
    # Both are prefix matches, so /route1anything also goes to the first
    # backend. URIs outside the two prefixes are not proxied by this block.
    server {
        server_name         www.xxx.com;
        listen              80;

        location /route2 {
            proxy_pass      http://127.0.0.1:8888;
        }

        location /route1 {
            proxy_pass      http://127.0.0.1:8080;
        }
    }
    
  2. 反向代理实践-php

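    # PHP site served through the FastCGI backend on 127.0.0.1:9000.
    # NOTE(review): "listen 443 ssl" needs ssl_certificate and
    # ssl_certificate_key, which do not appear in this block. Confirm they are
    # inherited from the http level.
    server {
        listen      80;
        listen      443 ssl;
        server_name www.xxx.com;
        root        /www/book_note/dist;

        location / {
            index   index.php index.html index.htm;
        }

        # Pass a request to PHP only when ".php" ends the script part of the URI
        # (optionally followed by "/path-info"). A bare "\.php" pattern matches
        # ".php" anywhere in the URI.
        location ~* [^/]\.php(/|$) {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;

            # Answer 404 unless the script named in the URI exists under the
            # document root, so the backend is never asked to resolve the path
            # to some other file (matters when PHP's cgi.fix_pathinfo is on).
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }

            include                 fastcgi_params;
            fastcgi_index           index.php;
            fastcgi_pass            127.0.0.1:9000;
            fastcgi_param           PATH_INFO       $fastcgi_path_info;
            fastcgi_param           SCRIPT_NAME     $fastcgi_script_name;
            fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }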
    
  3. 反向代理应用-symfony3.x

    # Symfony 3.x site: every request that is not an existing file is routed
    # to the production front controller app.php.
    # NOTE(review): "listen 443 ssl" needs ssl_certificate and
    # ssl_certificate_key, which do not appear in this block. Confirm they are
    # inherited from the http level.
    server {
        listen      80;
        listen      443 ssl;
        server_name test.com www.test.com;
        root        /www/book_read/web;

        location / {
            try_files $uri /app.php$is_args$args;
        }

        # Production front controller. "internal" makes it reachable only
        # through the try_files redirect above; a direct request for /app.php
        # is answered with 404.
        location ~ ^/app\.php(/|$) {
            internal;
            include                 fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            fastcgi_param           SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_param           DOCUMENT_ROOT $realpath_root;
            fastcgi_pass            127.0.0.1:9000;
        }

        # Development front controller and configuration checker. This
        # location is not "internal", so both scripts can be requested
        # directly. Keep it on development hosts only, and do not deploy
        # app_dev.php or config.php to production.
        location ~ ^/(app_dev|config)\.php(/|$) {
            include                 fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            fastcgi_param           SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_param           DOCUMENT_ROOT $realpath_root;
            fastcgi_pass            127.0.0.1:9000;
        }

        # Any other .php URI is refused, so no other script under the web root
        # can be executed. Must stay after the two locations above because
        # regex locations are tried in order.
        location ~ \.php$ {
            return 404;
        }
    }
    

负载均衡(本质上还是在做反向代理)

  1. IP列表

    192.168.0.1  (负载均衡服务器)
    192.168.0.2  (WEB 服务器1)
    192.168.0.3  (WEB 服务器2)
    
  2. 相关配置

    # Round-robin load balancing (the default method): requests are
    # distributed in turn across the two web servers.
    upstream load_blc {
        server  192.168.0.2:80;
        server  192.168.0.3:80;
    }
    
    #权重式负载均衡
    #upstream load_blc {
    #    server 192.168.0.2:80 weight=10;
    #    server 192.168.0.3:80 weight=10;
    #}
    
    #ip_hash负载均衡(session稳定)
    #upstream load_blc {
    #    ip_hash;
    #    server 192.168.0.2:80;
    #    server 192.168.0.3:80;
    #}
    
    #fair负载均衡(第三方)(响应最快服务器优先分配给用户)
    #upstream load_blc {
    #    server 192.168.0.2:80;
    #    server 192.168.0.3:80;
    #    fair;
    #}
    
    #url_hash负载均衡(第三方)(后端服务器为缓存时效果较好)
    #upstream load_blc {
    #    server 192.168.0.2:80;
    #    server 192.168.0.3:80;
    #    hash $request_uri;
    #    hash_method crc32;
    #}
    
    #upstream中server格式:
    #server ip:port [down|weight=?|max_fails|fail_timeout|backup];
    #down:         表示当前的server暂时不参与负载
    #weight:       默认为1.weight越大,负载的权重就越大。
    #max_fails:    允许请求失败的次数默认为1.当超过最大次数时,返回proxy_next_upstream模块定义的错误
    #fail_timeout: max_fails次失败后,暂停的时间。
    #backup:       其它所有的非backup机器down或者忙的时候,请求backup机器。所以这台机器压力会最轻。
    
    # Front-end virtual host on the load balancer: every request for
    # www.xxx.com is proxied to the "load_blc" upstream group.
    server {
        server_name  www.xxx.com;
        listen       80;

        location / {
            # Pass the original host name and the client address to the backends.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends $remote_addr to whatever
            # X-Forwarded-For the client sent, so backends should trust only
            # the last entry (or X-Real-IP), never the first.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_redirect off;
            proxy_pass     http://load_blc;
        }
    }
    
  3. 注意事项

    nginx支持同时设置多组的负载均衡,用来给不同的负载均衡server来使用。
    client_body_in_file_only: 设置为on 可以将client post过来的数据记录到文件中用来做debug(这些文件在请求结束后不会被删除,可能包含敏感数据,调试完成后应关闭)
    client_body_temp_path:    设置记录文件的目录 可以设置最多3层目录
    location:                 对URL进行匹配.可以进行重定向或者进行新的代理 负载均衡
    

正向代理

  1. 场景介绍

    与第三方合作,三方接口安全文档限制只能通过111.111.111.111访问其服务器才能通过接口验证。
    现在业务跑在111.111.111.112这台服务器上,要让111.111.111.112能通过111.111.111.111正
    向代理来访问三方接口,从而通过接口安全验证。
    
  2. 代理服务器111.111.111.111配置

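    # Forward proxy on 111.111.111.111: replays each incoming request to the
    # host named in its Host header, so the third party sees this server's
    # address as the source.
    server {
        # NOTE(review): the PHP client shown on this page connects to the proxy
        # on port 8888. Confirm which port is intended.
        listen      80;
        # Public resolver used to look up the target host. A resolver you
        # control is preferable, because its answers decide where requests go.
        resolver    114.114.114.114;

        # Restrict use to the business server. Without this, anyone who can
        # reach the port can relay requests through this host to any address
        # it can reach, internal ones included. Use the address the business
        # server actually connects from (its internal address if the traffic
        # stays on the internal network).
        allow       111.111.111.112;
        deny        all;

        location / {
            proxy_set_header    HOST              $host;
            proxy_set_header    x-bce-date        $http_x_bce_date;
            # NOTE(review): "accept-encodeing" is not a standard header name;
            # "Accept-Encoding" was presumably meant. Left unchanged, because
            # correcting it would make the upstream start compressing
            # responses. Confirm the client can decode them first.
            proxy_set_header    accept-encodeing  'gzip,deflate';
            proxy_set_header    authorization     $http_authorization;
            # $scheme is the scheme of the connection to this proxy, so with
            # "listen 80" the upstream request is always plain HTTP.
            proxy_pass          $scheme://$http_host$request_uri;
        }
    }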
    
  3. 业务服务器111.111.111.112请求三方接口的代码(PHP为例)

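    <?php
    # Calls the third-party API from the business server (111.111.111.112)
    # through the forward proxy.
    # Assumes the internal IP of server 111.111.111.111 is 192.168.0.111.
    $url = '三方接口链接';

    $curl = curl_init($url);

    # Return the response body from curl_exec() instead of printing it.
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

    # Verify the server certificate and that it matches the host name. With
    # both checks off, anyone on the network path can impersonate the API and
    # read or change the traffic. Has no effect on plain-HTTP URLs.
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);

    curl_setopt($curl, CURLOPT_TIMEOUT, 120);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 120);

    # Send the request through the forward proxy over the internal network.
    curl_setopt($curl, CURLOPT_PROXY, 'http://192.168.0.111:8888');
    curl_setopt($curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);

    # These headers only state an address; they do not change the source IP
    # the third party sees, which is that of the proxy.
    curl_setopt($curl, CURLOPT_HTTPHEADER, ['CLIENT-IP:111.111.111.111', 'X-FORWARDED-FOR:111.111.111.111']);

    $result = curl_exec($curl);

    # curl_exec() returns false on failure. Record the reason before the
    # handle is closed instead of silently printing nothing.
    if ($result === false) {
        error_log('third-party request failed: ' . curl_error($curl));
    }

    curl_close($curl);

    # NOTE(review): the body is echoed as received. Escape it first if this
    # output is ever rendered as HTML.
    if ($result !== false) {
        echo $result;
    }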
    