colben/www.colben.cn
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
www.colben.cn/content/post/nginx.md
colben b0f6120151 update
2021-11-14 14:32:08 +08:00

281 lines
8.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "Nginx 笔记"
date: 2019-10-30T11:47:55+08:00
lastmod: 2019-10-30T11:47:55+08:00
tags: ["nginx", "https", "ssl", "反向代理"]
categories: ["web"]
---
# set
- set ${变量名} {字符串};
# 全局变量
- $args $query_string 请求行中的参数
- $content_length 请求头里的 Content-length 字段
- $content_type 请求头里的 Content-type 字段
- $document_root 请求在 root 指令中指定的值
- $host 请求头里的 Host 字段,如果没有则是服务器名
- $http_user_agent 客户端agent信息
- $http_cookie 客户端cookie信息
- $limit_rate 这个变量可以限制连接速率
- $request_method 客户端请求的动作通常为GET或POST
- $remote_addr 客户端的IP地址
- $remote_port 客户端的端口
- $remote_user 已经经过 Auth Basic Module 验证的用户名
- $request_filename 请求的文件路径,由 root 或 alias 指令与 URI 请求生成
- $scheme http 或者 https
- $server_protocol 请求使用的协议 HTTP/1.0 或 HTTP/1.1
- $server_addr 服务器地址,在完成一次系统调用后可以确定这个值
- $server_name 服务器名称
- $server_port 请求到达服务器的端口号
- $request_uri 包含请求参数的原始URI不包含主机名如"/foo/bar.php?arg=baz"
- $document_uri $uri 不带请求参数的当前URI不包含主机名如"/foo/bar.html"
# rewrite
- rewrite {url正则} {replacement} {flag};
- flag
- last 完成 rewrite重新开始匹配
- break 重写后不再匹配后续 rewrite
- redirect 返回 302 临时重定向
- permanent 返回 301 永久重定向
# if
- if(condition){...}
- false 字符串为空或以 0 开头都是
- = != 变量比较
- ~ !~ 区分大小写正则是否匹配
- ~* !~* 不区分大小写是否匹配
- -f !-f 判断文件是否存在
- -d !-d 判断目录是否存在
- -e !-e 判断文件、目录、链接是否存在
- -x !-x 判断可执行文件是否存在
# location
- = 精确匹配
- ^~ 开头匹配指定字符串,不是正则,匹配符合后停止搜索
- ~ 区分大小写的正则匹配,匹配符合后继续向下搜索
- ~`*` 不区分大小写的正则匹配,匹配符合后继续向下搜索
- / 通用匹配,可匹配任何请求,匹配后继续向下搜索
# try_files
- try_files {file} ... {uri}
- try_files {file} ... ={code}
- try_files {file} ... {location_name}
# 客户端访问控制
- deny all 拒绝全部访问
- deny 192.168.1.0/24 拒绝指定网段
- deny 192.168.1.2 拒绝指定ip
- allow all 允许全部访问(默认)
- allow 192.168.1.0/24 允许指定网段
- allow 192.168.1.2 允许指定ip
# 配置 web 访问目录
```bash
location / {
root /var/www/html/;
index index.html index.htm;
try_files $uri $uri/ /index.html =404;
}
```
# 下载
```nginx
location ^~ /attachment/ {
root /data/;
# alias /data/attachment/;
add_header Content-Disposition: 'attachment;';
}
```
# 浏览目录文件
```nginx
location ^~ /share/ {
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
}
```
# 反向代理负载均衡
- /etc/nginx/conf.d/upstream.conf
```nginx
http {
upstream tomcat {
#ip_hash;
server 192.168.1.201:8443 fail_timeout=32s;
server 192.168.1.202:8443 fail_timeout=32s;
server 192.168.1.203:8443 backup fail_timeout=32s;
keepalive 300;
}
```
- /etc/nginx/conf.d/80.conf
```nginx
server {
listen 80;
server_name _;
location ^~ /webapp/ {
proxy_pass http://tomcat;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Host $host;
#proxy_set_header X-Forwarded-Server $host;
client_max_body_size 8m;
client_body_buffer_size 8m;
proxy_connect_timeout 2s;
#proxy_send_timeout 16;
#proxy_read_timeout 16;
proxy_buffer_size 64k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
#proxy_max_temp_file_size 0;
#add_header 'Access-Control-Allow-Origin' *;
}
}
}
```
# 反向代理 websocket
```nginx
location /websocket/ {
proxy_pass http://127.0.0.1:8002;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
```
# Basic HTTP 认证
- 生成密码文件(用户名是admin密码是123456)
```bash
echo "admin:$(openssl passwd -crypt 123456)" > /etc/nginx/nginx.auth
#或者
htpasswd -c -m /mnt/vdb1/svnrepos/accesspwd gxfp #根据提示输入密码
```
- 修改 nginx 配置http、server 和 location 都可以
```nginx
location / {
auth_basic "Kibana";
auth_basic_user_file /etc/nginx/nginx.auth;
}
```
# 创建 ssl 密钥
```bash
mkdir /etc/nginx/ssl && cd /etc/nginx/ssl
openssl genrsa -out ssl.key 2048
openssl req -new -key ssl.key -days 3650 -out ssl.csr
openssl x509 -req -in ssl.csr -signkey ssl.key -out ssl.crt
```
# https 访问
```nginx
server {
ssl on;
listen 443 ssl;
server_name www.domain.com;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
}
```
# http 自动跳转 https有三种配置
- rewrite 服务端重定向
```nginx
server {
listen 80;
server_name www.domain.com;
rewrite ^(.*) https://$server_name$1 permanent;
}
```
- return 客户端重定向
```nginx
server {
listen 80;
server_name www.domain.com;
return 301 https://$server_name$request_uri;
}
```
- error_page 客户端重定向
```nginx
server {
ssl on;
listen 80;
listen 443 ssl;
server_name www.domain.com;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
error_page 497 https://$server_name$request_uri;
}
```
# http 和 https 共存
```nginx
server {
listen 80;
listen 443 ssl;
server_name www.domain.com;
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
}
```
# nginx 日志配置
- http 常规日志
```
log_format main '$remote_addr - [$time_local] "$request_method $uri" "$args" '
'"-" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
```
- http 登陆日志,打印 post 请求体
```
log_format login '$remote_addr - [$time_local] "$request_method $uri" "$args" '
'"$request_body" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
```
- https 常规日志,从 http_x_forwoarded_for 中获取请求源地址
```
log_format smain '$http_x_forwarded_for - [$time_local] "$request_method $uri" "$args" '
'"-" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "-"';
```
- https 登陆日志,从 http_x_forwoarded_for 中获取请求源地址,并打印 post 请求体
```
log_format slogin '$http_x_forwarded_for - [$time_local] "$request_method $uri" "$args" '
'"$request_body" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "-"';
```
# 常用全局配置
```nginx
events {
use epoll;
multi_accept on;
worker_connections 10240;
}
http {
access_log /var/log/nginx/access.log main;
gzip on;
sendfile on;
tcp_nopush on;
tcp_nodelay off;
server_tokens off;
keepalive_timeout 65;
types_hash_max_size 2048;
}
```
Reference in New Issue View Git Blame Copy Permalink