摘要
nginx常用配置参考(重定向,全局https,SSL配置,反向代理配置,完整参数参考,编译参数参考)
1、重定向,301重定向
server { listen 80; server_name xinac.cn; # 如果使用 xinac.cn 直接访问,加前缀跳转 if ($host = 'xinac.cn'){ return 301 https://www.xinac.cn$request_uri; }}2、全局https
server {listen 80;server_name www.xinac.cn;# 单域名重定向if ($host = 'www.xinac.cn'){return 301 https://www.xinac.cn$request_uri;}# 全局非 https 协议时重定向if ($scheme != 'https') {return 301 https://$host$request_uri;}# 或者全部重定向return 301 https://$host$request_uri;# 以上配置选择自己需要的即可,不用全部加}
3、SSL配置
访问 https://myssl.com/ 可以检测https配置的安全性
网站 https://www.ssllabs.com/ssltest/index.html 也可以测试
按以下推荐配置,可以达到 A+ 级
listen 443 ssl http2 default_server; #http2支持,nginx1.9+支持server_name www.xinac.cn;# nginx/1.15.0 以上使用 listen 443 ssl 代替 listen 443 和 ssl on# ssl on;# 证书路径ssl_certificate /etc/letsencrypt/live/xinac.cn/fullchain.pem;# 私钥路径ssl_certificate_key /etc/letsencrypt/live/xinac.cn/privkey.pem;ssl_session_cache shared:SSL:10m;ssl_session_timeout 30m;# 浏览器已支持TLSv1.3,建议加上# TLSv1和TLSv1.1即将废弃,如果不需要支持IE和XP建议去掉# IE8-10/Win7需要TLSv1.0;IE8以下需要SSL3和单证书ssl_protocols TLSv1.2 TLSv1.3;# on由服务器决定加密算法,off由浏览器决定# 推荐使用on,更安全,对服务器性能有少量影响ssl_prefer_server_ciphers on;# 使用此套接字加密,推荐配置ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;# HSTS(ngx_http_headers_module is required) (180d)# 严格传输安全:即在时间过期之前,每次访问HTTP站点时,由客户端直接跳转到HTTPS站点# 设置后,该网站的HTTP站点无法打开,只能等待过期或禁用配置后清空浏览器缓存# 启用后注意保持证书不过期,证书过期后网站可能无法访问add_header Strict-Transport-Security "max-age=15552000" always;# 开启 OCSP Stapling,作用:由服务器在线查询证书吊销情况# 默认是由浏览器在线查询,由服务器查询效率更高ssl_stapling on;# OCSP Stapling 验证开启ssl_stapling_verify on;# OCSP Stapling 的证书位置(完整的证书链,可选)# ssl_trusted_certificate /etc/letsencrypt/live/xinac.cn/chain.pem;# 配置用于查询 OCSP 服务器的DNS(可选)# resolver 223.5.5.5 223.6.6.6 valid=300s;# 查询域名超时时间(可选)# resolver_timeout 5s;
4、反向代理配置
# 负载均衡,可以添加多个服务器,一般配合反代一起用upstream tomcat_cms {ip_hash;server 127.0.0.1:8801 weight=3 max_fails=3 fail_timeout=100s;# server 127.0.0.1:8802 weight=2 max_fails=3 fail_timeout=100s;# server 127.0.0.1:8803 weight=1 max_fails=3 fail_timeout=100s;}location / {# 设置主机头和客户端真实地址,以便服务器获取客户端真实IPproxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header REMOTE-HOST $remote_addr;# WebSocket支持proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "Upgrade";proxy_connect_timeout 15s;proxy_read_timeout 60s;proxy_send_timeout 30s;# 禁用缓存,根据需要配# proxy_buffering off;# 错误自定义选项,由后端服务响应错误码设为off,由nginx响应错误信息设为onproxy_intercept_errors on;# 此项可配负载服务器,或直接写内部访问地址# proxy_pass http://127.0.0.1:5212;proxy_pass http://tomcat_cms;}
5、nginx完整配置参考(带ssl)
user nginx;worker_processes auto;error_log /var/log/nginx/error.log;pid /var/run/nginx.pid;# Load dynamic modules. See /usr/share/nginx/README.dynamic.# include /usr/share/nginx/modules/*.conf;events {worker_connections 51200;multi_accept on;}http {#日志格式化,main是名称,可选#log_format main '$status $remote_addr - $remote_user [$time_local] \n "$request" ''$body_bytes_sent "$http_referer" ''\n "$http_user_agent" "$http_x_forwarded_for" -*-';#使用格式化的日志#access_log /var/log/nginx/access.log main;sendfile on;tcp_nopush on;tcp_nodelay on;keepalive_timeout 65;types_hash_max_size 2048;server_tokens off; #隐藏nginx版本号# 客户端最大上传文件大小,根据需要配置client_max_body_size 100M;client_body_buffer_size 256k;#gzip相关配置gzip on;gzip_http_version 1.0;gzip_disable "MSIE [1-6].";gzip_types text/plain application/x-javascript text/css text/javascript;gzip_min_length 1k;gzip_buffers 4 16k;gzip_comp_level 3;gzip_vary on;fastcgi_intercept_errors on;include /etc/nginx/mime.types;default_type application/octet-stream;# 禁止IP直接访问,可以跳转或403server {listen 80 default_server;server_name _;return 301 https://www.xinac.cn;}# 负载均衡,可以添加多个服务器upstream tomcat_cms {ip_hash;server 127.0.0.1:8801 weight=3 max_fails=3 fail_timeout=100s;# server 127.0.0.1:8802 weight=2 max_fails=3 fail_timeout=100s;# server 127.0.0.1:8803 weight=1 max_fails=3 fail_timeout=100s;}# 配置以下域名,由http跳转到httpsserver {listen 80;server_name www.xinac.cn;#将所有http请求重定向到httpsreturn 301 https://$host$request_uri;}# 使用非https时,可自定义端口,只需要把SSL相关配置去掉server {listen 80;server_name bing.xinac.net;......}server {listen 443 ssl http2 default_server;server_name www.xinac.cn;# HTTPS详细配置说明参见第3部分# ssl on;ssl_certificate /etc/letsencrypt/live/xinac.cn/fullchain.pem;ssl_certificate_key /etc/letsencrypt/live/xinac.cn/privkey.pem;ssl_session_cache shared:SSL:10m;ssl_session_timeout 30m;ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;ssl_prefer_server_ciphers on;ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;add_header Strict-Transport-Security "max-age=15552000" always;ssl_stapling on;ssl_stapling_verify on;# ssl_trusted_certificate /etc/letsencrypt/live/xinac.cn/chain.pem;# resolver 223.5.5.5 223.6.6.6 valid=300s;# resolver_timeout 5s;#禁止访问的文件或目录location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md){return 404;}#一键申请SSL证书验证目录相关设置location ~ \.well-known{allow all;}location /WEB-INF {deny all;}location ~ /\.ht {deny all;}# 静态资源过期时间,可选(可能会对页面样式有影响)#location ~* \.(gif|jpg|jpeg|png|bmp|swf|ico)$ {# expires 30d;#}# nginx统计页面#location /nginx_status {# stub_status on;# access_log off;#}# 这里可以定义静态访问页面location /error {alias /data/wwwroot/web_static/error/;index index.html index.htm 404.html;}# 还可以定义静态文件下载站location /download {alias /data/wwwroot/web_static/download/; #目录autoindex on; #自动索引autoindex_exact_size off; #文件大小显示autoindex_localtime on; # 文件修改时间}# 站点配置location / {#设置主机头和客户端真实地址,以便服务器获取客户端真实IPproxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header REMOTE-HOST $remote_addr;# WebSocket支持proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "Upgrade";# 禁用缓存# proxy_buffering off;# 使用nginx中定义的全局错误页proxy_intercept_errors on;proxy_pass http://tomcat_cms; #和负载配置的名称一致}##流量控制# limit_conn perserver 300; #并发限制# limit_conn perip 25; #单IP限制# limit_rate 512k; #流量限制KB#HTTP_TO_HTTPS_START#if ($server_port !~ 443){# rewrite ^(/.*)$ https://$host$1 permanent;#}#HTTP_TO_HTTPS_END# 定义错误页面error_page 404 /404.html;error_page 500 502 503 504 /50x.html;location = /50x.html {root html;}location = /404.html {root html;}# 定义全局ico文件location = /favicon.ico {root /data/wwwroot;log_not_found off;access_log off;}# 定义robots.txt文件location = /robots.txt {alias /data/wwwroot/robots.txt;}##禁止指定UA的访问(反爬虫)if ($http_user_agent ~* "python-requests|Java|ApacheBench|Python-urllib*|HttpClient|Scrapy|YandexBot|AhrefsBot|SemrushBot|MJ12bot"){return 403;}}}# 建议将配置文件分模块,使用include指令配置# 如:include /etc/nginx/conf.d/*.conf;
6、nginx编译参数
# 生产环境建议编译参数:./configure --user=www --group=www \--prefix=/usr/local/nginx \--with-http_stub_status_module --with-http_ssl_module \--with-http_gzip_static_module --with-http_sub_module \--with-pcre# 常用编译参考参数:./configure --user=nginx --group=nginx \--prefix=/usr/local/nginx \--conf-path=/etc/nginx/nginx.conf \--error-log-path=/var/log/nginx/error.log \--http-log-path=/var/log/nginx/access.log \--pid-path=/var/run/nginx/nginx.pid \--lock-path=/var/lock/nginx.lock \--with-http_stub_status_module --with-http_ssl_module \--with-http_gzip_static_module --with-http_sub_module \--with-http_v2_module --with-http_mp4_module --with-http_flv_module \--http-client-body-temp-path=/var/tmp/nginx/client \--http-proxy-temp-path=/var/tmp/nginx/proxy \--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi \--with-pcre --with-debug# 宝塔面板默认编译参数:nginx version: nginx/1.16.1built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)built with OpenSSL 1.1.1e 17 Mar 2020TLS SNI support enabledconfigure arguments: --user=www --group=www --prefix=/www/server/nginx --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/lua_nginx_module --add-module=/www/server/nginx/src/ngx_cache_purge --add-module=/www/server/nginx/src/nginx-sticky-module --with-openssl=/www/server/nginx/src/openssl --with-pcre=pcre-8.43 --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_stub_status_module --with-http_ssl_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --add-module=/www/server/nginx/src/nginx-dav-ext-module# yum install nginx 使用的编译参数:nginx version: nginx/1.10.3built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC)built with OpenSSL 1.0.1e-fips 11 Feb 2013TLS SNI support enabledconfigure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=' -Wl,-E'
PS:
1、关于 return 301 ... 和 rewrite ... permanent
两者都是301重定向的效果。rewrite使用了 ngx_http_rewrite_module 模块,适用于复杂的情况。重定向这种使用 301 效果更好。
return 301 https://$host$request_uri;rewrite ^(.*)$ https://$host$1 permanent;
2、301和302
301是永久重定向,搜索引擎收录重定向之后的网址;302是临时重定向,收录当前网址。尽量用301,网站临时调整用302。
