Nginx/Tengine通用配置教程,包含多域名共用一个端口指向不同程序、Nginx负载均衡配置、Https配置、禁止通过IP访问、设置访问流量并发速率、Nginx反代PHP、Nginx反代Tomcat。
Nginx通用配置:
代码语言:javascript复制user www www;
worker_processes auto;
worker_cpu_affinity auto;
dso {
load ngx_http_concat_module.so;
load ngx_http_sysguard_module.so;
}
error_log /data/wwwlogs/error_nginx.log crit;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections 51200;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 1024m;
client_body_buffer_size 10m;
sendfile on;
tcp_nopush on;
keepalive_timeout 120;
server_tokens off;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
fastcgi_intercept_errors on;
#Gzip Compression
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 6;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
text/xml application/xml application/atom xml application/rss xml application/xhtml xml image/svg xml
text/javascript application/javascript application/x-javascript
text/x-json application/json application/x-web-app-manifest json
text/css text/plain text/x-component
font/opentype application/x-font-ttf application/vnd.ms-fontobject
image/x-icon;
gzip_disable "MSIE [1-6].(?!.*SV1)";
#If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
#如果不是域名访问,就直接返回444错误
server {
listen 80 default_server;
server_name _;
return 444;
}
server {
listen 80;
server_name v.4xx.me;
access_log /data/wwwlogs/v.4xx.me_nginx.log combined;
index index.html index.htm index.jsp;
root /data/wwwroot/v.4xx.me; #可不需要
#error_page 404 /404.html;
#error_page 502 /502.html;
location ~ {
proxy_pass http://127.0.0.1:8080;
proxy_connect_timeout 300s;
proxy_send_timeout 900;
proxy_read_timeout 900;
proxy_buffer_size 32k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_redirect off;
proxy_hide_header Vary;
proxy_set_header Accept-Encoding '';
proxy_set_header Referer $http_referer;
proxy_set_header Cookie $http_cookie;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}
Nginx共用一个端口指向不同程序
代码语言:javascript复制#主要通过域名判断
server {
listen 80;
server_name 域名1;
access_log /data/wwwlogs/v.4xx.me_nginx.log combined;
index index.html index.htm index.jsp;
root /data/wwwroot/v.4xx.me; #可不需要
#error_page 404 /404.html;
#error_page 502 /502.html;
location ~ {
proxy_pass http://127.0.0.1:8080;
include proxy.conf;
}
}
server {
listen 80;
server_name 域名2;
access_log /data/wwwlogs/v.4xx.me_nginx.log combined;
index index.html index.htm index.jsp;
root /data/wwwroot/v.4xx.me; #可不需要
#error_page 404 /404.html;
#error_page 502 /502.html;
location ~ {
proxy_pass http://127.0.0.1:8080;
include proxy.conf;
}
}
Nginx负载均衡配置
代码语言:javascript复制#tomcat例子,php同理
upstream tomcats {
# session共享
session_sticky cookie=SESSION.V.4XX.ME fallback=on mode=insert option=direct;
server 127.0.0.1:9001 weight=1;
server 192.168.128.1:80 weight=1; #weight权重,可负载内网机器
}
server {
listen 80;
server_name 域名;
location / {
session_sticky_hide_cookie upstream=tomcats; # session共享
proxy_pass http://tomcats;
include proxy.conf;
}
}
Nginx开启Https
代码语言:javascript复制#需要nginx先安装了ssl相关模块
#php typeoch博客的配置,用的fastcgi_pass unix:/dev/shm/php-cgi.sock;
server {
listen 80;
listen 443 ssl http2;
ssl_certificate /usr/local/tengine/conf/ssl/4xx.me_ssl.crt; #ssl证书路径
ssl_certificate_key /usr/local/tengine/conf/ssl/4xx.me_ssl.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH CHACHA20:EECDH AES128:RSA AES128:EECDH AES256:RSA AES256:EECDH 3DES:RSA 3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_buffer_size 1400;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
server_name 4xx.me;
access_log /data/wwwlogs/4xx.me_nginx.log combined;
index index.html index.htm index.php;
root /data/wwwroot/4xx.me;
if ($ssl_protocol = "") { return 301 https://$host$request_uri; } #http请求自动301跳转到https
if (!-e $request_filename) { #重定向
rewrite ^(.*)$ /index.php$1 last;
}
location ~ [^/].php(/|$) {
fastcgi_pass unix:/dev/shm/php-cgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
set $path_info "";
set $real_script_name $fastcgi_script_name;
if ($fastcgi_script_name ~ "^(. ?.php)(/. )$") {
set $real_script_name $1;
set $path_info $2;
}
fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
fastcgi_param SCRIPT_NAME $real_script_name;
fastcgi_param PATH_INFO $path_info;
}
location ~ .*.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
expires 30d;
access_log off;
}
location ~ .*.(js|css)?$ {
expires 7d;
access_log off;
}
location ~ /.ht {
deny all;
}
}
#java tomcat配置
server {
listen 80;
listen 443 ssl http2;
ssl_certificate /usr/local/tengine/conf/ssl/4xx.me_ssl.crt; #ssl证书路径
ssl_certificate_key /usr/local/tengine/conf/ssl/4xx.me_ssl.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH CHACHA20:EECDH AES128:RSA AES128:EECDH AES256:RSA AES256:EECDH 3DES:RSA 3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_buffer_size 1400;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
server_name 域名;
access_log /data/wwwlogs/4xx.me_nginx.log combined;
index index.html index.htm index.jsp;
root /data/wwwroot/4xx.me;
if ($ssl_protocol = "") { return 301 https://$host$request_uri; } #http请求自动301跳转到https
#error_page 404 /404.html;
#error_page 502 /502.html;
location ~ {
proxy_pass http://127.0.0.1:8080;
include proxy.conf;
}
}
禁止通过IP访问
代码语言:javascript复制#如果不是域名访问,就直接返回444错误
server {
listen 80 default_server;
server_name _;
return 444;
}
设置访问流量并发速率,可防御少量ddos、cc流量攻击
代码语言:javascript复制limit_req_zone $binary_remote_addr zone=qpscon:10m rate=10r/s; #1秒接收10个请求
server {
listen 80;
server_name 域名;
location / {
limit_req zone=qpscon burst=10 nodelay; #burst 突发流量时10个请求缓冲
proxy_pass http://tomcats;
include proxy.conf;
}
}