web服务nginx的安装与常用配置

行云流水
2022-05-13 / 0 评论 / 196 阅读 / 正在检测是否收录...

前言

Nginx (engine x) 是一个高性能的HTTP和反向代理web服务器。其特点是占有内存少,并发能力强,事实上nginx的并发能力确实在同类型的网页服务器中表现较好,使用方面。

精彩文章:

基本使用

安装

#安装
yum -y install nginx 

## 日志目录
mkdir /data/log/nginx/ && chown -R nginx:nginx /data/log/nginx/

## 缓存目录
mkdir -p /var/cache/nginx/ && chown -R nginx:nginx /var/cache/nginx/

配置文件

user nobody;
worker_processes auto;  #nginx对外提供web服务时的worker进程数
error_log /data/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;  #设置可由一个worker进程同时打开的最大连接数
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /data/log/nginx/access.log  main buffer=32k flush=30s;

    server_tokens       off; #关闭在错误页面中的nginx版本数字
    
    client_max_body_size 100m;

    sendfile            on;  #可以让sendfile函数发挥作用。sendfile函数可以在磁盘和TCP socket之间互相拷贝数据(或任意两个文件描述符)
    tcp_nopush          on;  #告诉nginx在一个数据包里发送所有头文件,而不一个接一个的发送
    tcp_nodelay         on;  #不缓存数据
    
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    #ssl 配置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_stapling on; 
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    #nginx缓存
    fastcgi_cache_path /var/cache/nginx/  levels=1:2 keys_zone=wordpress:10m inactive=30m use_temp_path=off;
    fastcgi_cache_key $request_method$scheme$host$request_uri;
    fastcgi_cache_use_stale error timeout invalid_header updating http_500;
    fastcgi_cache_valid 200 301 302 10h;
    fastcgi_cache_valid 404 10m;
    fastcgi_ignore_headers Expires Set-Cookie Vary;

    #启动gzip
    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_comp_level 7;
    gzip_types
        text/css
        text/plain
        text/javascript
        application/javascript
        application/json
        application/x-javascript
        application/xml
        application/xml+rss
        application/xhtml+xml
        application/x-font-ttf
        application/x-font-opentype
        application/vnd.ms-fontobject
        image/svg+xml
        image/x-icon
        application/rss+xml
        application/atom_xml
        image/jpeg
        image/gif
        image/png
        image/icon
        image/bmp
        image/jpg;
    gzip_vary on;

    # for more information.
    include /etc/nginx/conf.d/*.conf;
}

启动服务

systemctl enable --now nginx

# 重载配置
nginx -s reload

# 查看当前生效配置
nginx  -T

高级用法

泛域名强制跳转

rewrite.conf
server {
    listen 80;
    server_name *.chreagent.com;
    return 301 https://$http_host$request_uri;
}

多级代理获取用户真实IP地址

fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;

#新增内容
set_real_ip_from  100.64.0.0/10; //阿里保留地址段
set_real_ip_from  101.89.27.156;  //腾讯cdn
set_real_ip_from  101.89.27.209;
set_real_ip_from  101.89.32.18;
set_real_ip_from  101.89.34.154;
set_real_ip_from  101.89.34.203;
set_real_ip_from  101.89.34.214;
set_real_ip_from  101.89.34.219;
set_real_ip_from  101.89.34.223;
set_real_ip_from  101.89.34.225;
set_real_ip_from  101.89.34.226;
set_real_ip_from  101.89.34.231;
set_real_ip_from  101.89.34.239;
set_real_ip_from  101.89.34.241;
set_real_ip_from  101.89.34.243;
set_real_ip_from  101.89.34.244;
set_real_ip_from  101.89.34.55;
set_real_ip_from  101.91.24.25;
set_real_ip_from  101.91.24.37;
set_real_ip_from  116.128.128.87;
set_real_ip_from  116.128.128.91;
set_real_ip_from  116.128.128.92;
set_real_ip_from  123.151.144.103;
set_real_ip_from  123.151.144.107;
set_real_ip_from  123.151.144.114;
set_real_ip_from  123.151.144.18;
set_real_ip_from  220.194.88.144;
set_real_ip_from  220.194.88.217;
set_real_ip_from  220.194.88.252;
set_real_ip_from  220.194.88.254;
set_real_ip_from  223.166.151.125;
set_real_ip_from  58.251.121.72;
set_real_ip_from  58.251.121.81;
set_real_ip_from  58.251.121.90;
set_real_ip_from  58.251.121.93;
set_real_ip_from  59.36.117.183;
set_real_ip_from  59.36.119.251;
set_real_ip_from  59.36.120.102;
set_real_ip_from  59.36.120.233;
set_real_ip_from  59.36.95.43;
set_real_ip_from  59.36.95.48;
set_real_ip_from  61.151.164.124;
set_real_ip_from  61.151.164.190;
set_real_ip_from  61.151.164.217;
set_real_ip_from  61.151.164.218;
set_real_ip_from  61.151.164.63;
set_real_ip_from  127.0.0.1;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

反向代理配置示例

包括wss反代配置"
server {
    listen 443 ssl http2;
    server_name mon.itbunan.xyz;
    server_tokens off;
    ssl_certificate /etc/nginx/cert/mon.itbunan.xyz_bundle.crt;
    ssl_certificate_key /etc/nginx/cert/mon.itbunan.xyz.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    location /ws {
        proxy_redirect off;
        proxy_pass http://172.17.0.10:8008;
        proxy_set_header Host $host;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr:$remote_port;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }


    location / {
      proxy_pass http://172.17.0.10:8008;
      proxy_set_header Host $host;
      proxy_set_header Cookie $http_cookie;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Host $http_host;
      proxy_set_header X-Forwarded-Port $server_port;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_cookie_path / "/; httponly; secure; SameSite=Lax";
      proxy_redirect http:// https://;
      add_header Content-Security-Policy upgrade-insecure-requests;
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET,POST,DELETE';
      add_header 'Access-Control-Allow-Header' 'Content-Type,*';

    }
  }

基于客户端IP做并发访问控制

在主配置文件内添加
        # 针对原始用户 IP 地址做限制
        ## 用户的 IP 地址 $binary_remote_addr 作为 Key,每个 IP 地址最多有 50 个并发连接
        ## 你想开 几千个连接 刷死我? 超过 50 个连接,直接返回 503 错误给你,根本不处理你的请求了
        limit_conn_zone $binary_remote_addr  zone=TotalConnLimitZone:20m ;
        limit_conn  TotalConnLimitZone  50;
        limit_conn_log_level notice;


        ## 针对原始用户 IP 地址做限制
        ## 用户的 IP 地址 $binary_remote_addr 作为 Key,每个 IP 地址每秒处理 10 个请求
        ## 你想用程序每秒几百次的刷我,没戏,再快了就不处理了,直接返回 503 错误给你
        limit_req_zone $binary_remote_addr  zone=ConnLimitZone:20m  rate=10r/s;
        #limit_req zone=ConnLimitZone burst=10 nodelay; #如果开启此条规则,burst=10的限制将会在nginx全局生效
        limit_req_log_level notice;
配置需要限制访问频率的server
## 具体服务器配置

server {

listen 80;

location ~ \.php$ {

## 最多 5 个排队, 由于每秒处理 10 个请求 + 5个排队,你一秒最多发送 15 个请求过来,再多就直接返回 503 错误给你了

limit_req zone=ConnLimitZone burst=5 nodelay;

fastcgi_pass 127.0.0.1:9000;

fastcgi_index index.php;

include fastcgi_params;

}
利用计划任务自动更新
#每小时58分更新一次
58 * * * *  /usr/bin/sh  /opt/scripts/add_blackip_for_ddos.sh > /dev/null 2>&1

#没3分钟更新一次
*/3  * * * *  /usr/bin/sh  /opt/scripts/add_blackip_for_ddos_per_min.sh > /dev/null 2>&1
add_blackip_for_ddos.sh 脚本内容
#!/bin/bash
h_time=`env LC_ALL=en_US.en date '+%e/%b/%G:%H'`
zjlog='/data/log/nginx/itbunan_access.log'
conf='/www/server/panel/vhost/nginx/blackip.conf'


#筛选攻击IP
tail -n  5000000 $zjlog  | grep "$h_time" |awk '{print  $1}'| sort -k 1 | uniq -c | sort -rnk 1 | grep -v '::' > /tmp/zj_blackip.txt
cat /tmp/zj_blackip.txt | awk '{if($1>400)print "deny "$2";"}' > $conf
add_blackip_for_ddos_per_min.sh 脚本内容
#!/bin/bash
h_time=`env LC_ALL=en_US.en date '+%e/%b/%G:%H'`
zjlog='/data/log/nginx/itbunan_access.log'
conf='/www/server/panel/vhost/nginx/blackip.conf'


#筛选攻击IP
tail -n  5000000 $zjlog  | grep "$h_time" |awk '{print  $1}'| sort -k 1 | uniq -c | sort -rnk 1 | grep -v '::' > /tmp/zj_blackip.txt
cat /tmp/zj_blackip.txt | awk '{if($1>400)print "deny "$2";"}' > $conf

调试lua脚本

修改nginx配置文件
#error_log  /home/wwwlogs/nginx_error.log  crit;
error_log /home/wwwlogs/nginx_error.log debug;

网关全站置灰

# 修改配置文件nginx.conf
http {
    sub_filter  '</head>'  '<style type="text/css">html {-webkit-filter: grayscale(.95);}</style></head>';
    sub_filter_once on;
    ...
}

动静分离

server {  
  listen       80;  
  server_name  localhost;  

  location / {  
      root   e:wwwroot;  
      index  index.html;  
  }  

  # 所有静态请求都由nginx处理,存放目录为html  
  location ~ .(gif|jpg|jpeg|png|bmp|swf|css|js)$ {  
      root    e:wwwroot;  
  }  

  # 所有动态请求都转发给tomcat处理  
  location ~ .(jsp|do)$ {  
      proxy_pass  http://test;  
  }  

  error_page   500 502 503 504  /50x.html;  
  location = /50x.html {  
      root   e:wwwroot;  
  }  
}  

防盗链

location ~* \.(gif|jpg|png|bmp)$ {
    valid_referers none blocked *.ttlsa.com server_names ~\.google\. ~\.baidu\.;
    if ($invalid_referer) {
        return 403;
        #rewrite ^/ http://www.ttlsa.com/403.jpg;
    }
}

FAQ

清除缓存

rm -rf /var/cache/nginx/*

隐藏nginx版本号

# 修改配置文件,添加
server_tokens off;

评论 (0)

取消
只有登录/注册用户才可评论