| title | date | lastmod | tags | categories |
|-------|------|---------|------|------------|
| Nginx 笔记 | 2019-10-30T11:47:55+08:00 | 2019-10-30T11:47:55+08:00 | | |
set
全局变量
- $args $query_string 请求行中的参数
- $content_length 请求头里的 Content-length 字段
- $content_type 请求头里的 Content-type 字段
- $document_root 请求在 root 指令中指定的值
- $host 请求头里的 Host 字段,如果没有则是服务器名
- $http_user_agent 客户端agent信息
- $http_cookie 客户端cookie信息
- $limit_rate 这个变量可以限制连接速率
- $request_method 客户端请求的动作,通常为GET或POST
- $remote_addr 客户端的IP地址
- $remote_port 客户端的端口
- $remote_user 已经经过 Auth Basic Module 验证的用户名
- $request_filename 请求的文件路径,由 root 或 alias 指令与 URI 请求生成
- $scheme http 或者 https
- $server_protocol 请求使用的协议 HTTP/1.0 或 HTTP/1.1
- $server_addr 服务器地址,在完成一次系统调用后可以确定这个值
- $server_name 服务器名称
- $server_port 请求到达服务器的端口号
- $request_uri 包含请求参数的原始URI,不包含主机名,如"/foo/bar.php?arg=baz"
- $document_uri $uri 不带请求参数的当前URI,不包含主机名,如"/foo/bar.html"
rewrite
- rewrite {url正则} {replacement} {flag};
- flag
- last 完成 rewrite,重新开始匹配
- break 重写后不再匹配后续 rewrite
- redirect 返回 302 临时重定向
- permanent 返回 301 永久重定向
if
- if(condition){...}
- false 字符串为空或以 0 开头都是
- = != 变量比较
- ~ !~ 区分大小写正则是否匹配
- ~* !~* 不区分大小写正则是否匹配
- -f !-f 判断文件是否存在
- -d !-d 判断目录是否存在
- -e !-e 判断文件、目录、链接是否存在
- -x !-x 判断可执行文件是否存在
location
- = 精确匹配
- ^~ 开头匹配指定字符串,不是正则,匹配符合后停止搜索
- ~ 区分大小写的正则匹配,匹配符合后继续向下搜索
- ~* 不区分大小写的正则匹配,匹配符合后继续向下搜索
- / 通用匹配,可匹配任何请求,匹配后继续向下搜索
try_files
- try_files {file} ... {uri}
- try_files {file} ... ={code}
- try_files {file} ... {location_name}
客户端访问控制
- deny all 拒绝全部访问
- deny 192.168.1.0/24 拒绝指定网段
- deny 192.168.1.2 拒绝指定ip
- allow all 允许全部访问(默认)
- allow 192.168.1.0/24 允许指定网段
- allow 192.168.1.2 允许指定ip
配置 web 访问目录
# Static site root: files are served from /var/www/html/, with an SPA-style
# fallback to /index.html and finally a plain 404.
location / {
root /var/www/html/;
index index.html index.htm;
# Checked in order: the exact file, then a directory (which then uses
# index), then /index.html. =404 is the fallback returned only when none of
# the three exist on disk.
try_files $uri $uri/ /index.html =404;
}
下载
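# Force a download for everything under /attachment/ instead of rendering it
# inline in the browser.
location ^~ /attachment/ {
# With root, /attachment/x maps to /data/attachment/x; the commented alias
# form would map the same path by stripping the location prefix instead.
root /data/;
# alias /data/attachment/;
# The header NAME must not carry a colon: nginx emits "name: value", so
# "Content-Disposition:" produced a malformed "Content-Disposition:: ..." line.
# Without a filename= parameter the browser names the file after the last
# path segment of the URI. add_header only applies to 2xx/3xx responses.
add_header Content-Disposition 'attachment';
}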
浏览目录文件
# Directory listing for /share/ (files live under the enclosing root/alias).
# The listing exposes every file name in the directory to anyone who can reach
# the path; pair it with allow/deny or auth_basic if the share is not public.
location ^~ /share/ {
autoindex on;
# Human-readable sizes (K/M/G) instead of exact byte counts.
autoindex_exact_size off;
# Modification times in the server's local time zone rather than UTC.
autoindex_localtime on;
}
反向代理负载均衡
- /etc/nginx/conf.d/upstream.conf
# Backend pool used by the /webapp/ proxy in 80.conf. The http { opened here
# is only closed at the end of the 80.conf snippet; since conf.d files are
# usually included from inside an existing http { } block, the outer brace is
# normally not needed in a conf.d file -- verify against the real nginx.conf.
http {
upstream tomcat {
# Sticky sessions by client IP; commented out, so requests are round-robined.
#ip_hash;
# 201 and 202 take traffic; 203 only when both are marked failed.
# fail_timeout=32s: after max_fails (default 1) failed attempts the server
# is skipped for 32s, then tried again.
server 192.168.1.201:8443 fail_timeout=32s;
server 192.168.1.202:8443 fail_timeout=32s;
server 192.168.1.203:8443 backup fail_timeout=32s;
# Idle keepalive connections cached per worker. This only takes effect when
# the proxy location also sets "proxy_http_version 1.1;" and clears the
# Connection header ("proxy_set_header Connection "";"); the 80.conf snippet
# below does neither, so backend connections are not actually reused.
keepalive 300;
}
- /etc/nginx/conf.d/80.conf
# Catch-all vhost on port 80 (server_name _ matches any Host) proxying
# /webapp/ to the tomcat pool defined in upstream.conf.
server {
listen 80;
server_name _;
location ^~ /webapp/ {
# No URI part on proxy_pass, so the full /webapp/... path is passed through.
# NOTE(review): the pool members listen on 8443, conventionally a TLS port;
# if Tomcat serves HTTPS there this must be https:// -- confirm.
# The upstream's "keepalive 300" needs "proxy_http_version 1.1;" and
# "proxy_set_header Connection "";" here to have any effect.
proxy_pass http://tomcat;
# Forward the original Host and the client address so the backend can build
# correct absolute URLs and log the real client.
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any incoming X-Forwarded-For. The incoming part is
# client-supplied; the backend should only trust the last hop unless this
# nginx is the only way in.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Host $host;
#proxy_set_header X-Forwarded-Server $host;
# Bodies up to 8m are accepted; with an equal buffer size the whole body is
# held in memory before being forwarded, never spilled to a temp file.
client_max_body_size 8m;
client_body_buffer_size 8m;
# Fail fast when the backend does not accept the TCP connection within 2s.
proxy_connect_timeout 2s;
#proxy_send_timeout 16;
#proxy_read_timeout 16;
# Response buffering: 64k for the header part, 4 x 64k body buffers, and at
# most 128k may be busy (in flight to the client) while the rest is read.
proxy_buffer_size 64k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
#proxy_max_temp_file_size 0;
# Commented CORS wildcard; enabling it would allow any origin to read
# responses from /webapp/, so scope it to known origins if it is ever needed.
#add_header 'Access-Control-Allow-Origin' *;
}
}
}
反向代理 websocket
# WebSocket proxy: HTTP/1.1 plus the hop-by-hop Upgrade/Connection headers
# must be forwarded explicitly, otherwise nginx drops them and the handshake
# never reaches the backend.
location /websocket/ {
proxy_pass http://127.0.0.1:8002;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# Sent unconditionally here; the variant in the nginx docs uses a
# "map $http_upgrade $connection_upgrade" so plain requests keep "close".
proxy_set_header Connection "upgrade";
# Idle sockets are closed after proxy_read_timeout (default 60s) without
# data; raise it or keep the connection busy with pings for long-lived sockets.
}
Basic HTTP 认证
- 生成密码文件(用户名是admin,密码是123456)
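# Create the htpasswd-style file for auth_basic (user admin, password 123456).
# -apr1 (Apache MD5 crypt) replaces the legacy -crypt scheme: classic DES
# crypt silently truncates the password to 8 characters and the option was
# removed in OpenSSL 3.0. The plaintext password still lands in shell history
# with this form; the interactive htpasswd variant below avoids that.
echo "admin:$(openssl passwd -apr1 123456)" > /etc/nginx/nginx.auth
# or
# -c creates the file and overwrites any existing one; drop -c to add users.
# -m is MD5 (apr1); -B selects bcrypt on htpasswd builds that support it.
htpasswd -c -m /mnt/vdb1/svnrepos/accesspwd gxfp # enter the password at the prompt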
- 修改 nginx 配置,http、server 和 location 都可以
# Basic auth; the two directives are valid at http, server or location level.
location / {
# The realm string shown in the browser's login prompt.
auth_basic "Kibana";
# Credentials travel base64-encoded, not encrypted: only enable this on a
# TLS server block, and keep the password file outside any served root.
auth_basic_user_file /etc/nginx/nginx.auth;
}
创建 ssl 密钥
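# Self-signed key/certificate pair for the HTTPS examples below. Browsers will
# not trust it; use a CA-issued certificate for anything public.
mkdir /etc/nginx/ssl && cd /etc/nginx/ssl
# The private key is the server's secret: generate it, then make it
# readable by root only.
openssl genrsa -out ssl.key 2048
chmod 600 ssl.key
# The CSR carries the subject (CN = the hostname clients will use).
# "req -new" ignores -days (it only applies together with -x509), so the
# validity is set at signing time below.
openssl req -new -key ssl.key -out ssl.csr
# -days belongs on the signing step: without it "x509 -req" issues a
# certificate that expires after 30 days.
openssl x509 -req -in ssl.csr -signkey ssl.key -days 3650 -out ssl.crt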
https 访问
# HTTPS-only vhost using the self-signed pair created above.
server {
# Deprecated since nginx 1.15.0 and redundant with "listen 443 ssl"; it
# also forces TLS on every listen in this server block.
ssl on;
listen 443 ssl;
server_name www.domain.com;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
# Lifetime of resumable sessions; add "ssl_session_cache shared:SSL:10m;"
# so all workers can resume them instead of doing a full handshake.
ssl_session_timeout 5m;
# ECDHE-GCM first, then broad fallbacks. The !NULL/!aNULL/!MD5/!ADH/!RC4
# excludes drop the worst suites, but "AES" and "HIGH" still admit
# CBC/SHA-1 suites; a list restricted to AEAD suites is stricter.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); prefer TLSv1.2 only, plus
# TLSv1.3 where the nginx/OpenSSL build supports it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Use the server's preference order above, not the client's.
ssl_prefer_server_ciphers on;
}
http 自动跳转 https,有三种配置
- rewrite 服务端重定向
# Port-80 vhost whose only job is to send clients to HTTPS.
server {
listen 80;
server_name www.domain.com;
# 301 with the captured path; nginx appends the original query string to a
# rewrite target automatically. $server_name is the literal name configured
# above, not the client's Host header, so a forged Host cannot steer the
# redirect elsewhere.
rewrite ^(.*) https://$server_name$1 permanent;
}
- return 客户端重定向
# Same redirect without the regex: return is cheaper than rewrite and
# $request_uri already carries the full original path and query string.
server {
listen 80;
server_name www.domain.com;
return 301 https://$server_name$request_uri;
}
- error_page 客户端重定向
# One server answering both ports. "ssl on" forces TLS on the port-80
# listener as well, so a plain-HTTP request there fails with nginx's
# internal status 497 ("plain HTTP request sent to HTTPS port"), which
# error_page then turns into a redirect. This relies on the deprecated
# "ssl on" behaviour (deprecated since 1.15.0); the "return 301" server
# above is the portable form.
server {
ssl on;
listen 80;
listen 443 ssl;
server_name www.domain.com;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
# Same TLS settings as the https example above: consider a shared
# ssl_session_cache, and drop TLSv1/TLSv1.1 (deprecated by RFC 8996).
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# A URL target makes error_page redirect with 302 by default; write
# "error_page 497 =301 https://..." for a permanent redirect.
error_page 497 https://$server_name$request_uri;
}
http 和 https 共存
# Plain HTTP and HTTPS served side by side from one server block; nothing
# here redirects port 80, so the same content stays reachable without TLS
# (including any auth_basic credentials sent to it).
server {
listen 80;
listen 443 ssl;
server_name www.domain.com;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
# Same TLS settings as the https example above: consider a shared
# ssl_session_cache, and drop TLSv1/TLSv1.1 (deprecated by RFC 8996).
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
}
nginx 日志配置
- http 常规日志
# Regular access log: client address, time, method + path, query string,
# a "-" placeholder where the login format below prints the body, status,
# bytes sent, referer, user agent and the X-Forwarded-For header (the
# last one is client-supplied and only meaningful behind a trusted proxy).
log_format main '$remote_addr - [$time_local] "$request_method $uri" "$args" '
'"-" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
- http 登陆日志,打印 post 请求体
# Login log: same as main but with the POST body. $request_body is only
# filled when the body was read into memory for a proxy_pass/fastcgi_pass
# location. For a login endpoint this writes usernames and passwords in
# clear text into the access log, so restrict the log file's permissions
# and retention, or log a redacted field instead.
log_format login '$remote_addr - [$time_local] "$request_method $uri" "$args" '
'"$request_body" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
- https 常规日志,从 http_x_forwarded_for 中获取请求源地址
# Variant for an nginx sitting behind a TLS-terminating proxy: the first
# field is taken from X-Forwarded-For instead of $remote_addr. That header
# is set by the client unless the upstream proxy overwrites it, so this is
# only trustworthy when the proxy is the sole path in; the realip module
# (set_real_ip_from / real_ip_header) makes $remote_addr correct instead.
log_format smain '$http_x_forwarded_for - [$time_local] "$request_method $uri" "$args" '
'"-" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "-"';
- https 登陆日志,从 http_x_forwarded_for 中获取请求源地址,并打印 post 请求体
# Behind-proxy login log: source address from X-Forwarded-For (client-
# supplied unless the proxy rewrites it) plus the POST body. As with the
# login format, this records credentials in clear text; lock down the
# log file or redact the field.
log_format slogin '$http_x_forwarded_for - [$time_local] "$request_method $uri" "$args" '
'"$request_body" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "-"';
常用全局配置
# Connection-processing settings (one events block per nginx.conf).
events {
# Linux-only event method; omit to let nginx pick the best available one.
use epoll;
# Accept all pending connections at once instead of one per wake-up.
multi_accept on;
# Per worker; must stay within the process's open-file limit.
worker_connections 10240;
}
# Global http-level defaults inherited by every server block.
http {
# Uses the "main" log_format defined in the logging section above.
access_log /var/log/nginx/access.log main;
# Compresses responses. Over TLS, compressing pages that mix per-user
# secrets with attacker-influenced content exposes BREACH-style side
# channels; keeping gzip to static asset types avoids that.
gzip on;
# Kernel-side file copy, with tcp_nopush batching headers and file data
# into full packets.
sendfile on;
tcp_nopush on;
# Default is on; off re-enables Nagle, which can add latency on keepalive
# connections.
tcp_nodelay off;
# Hides the nginx version in the Server header and on error pages.
server_tokens off;
keepalive_timeout 65;
types_hash_max_size 2048;
}