Common Nginx configurations
Serving static files

    server {
        listen 10086;
        server_name localhost;
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_redirect off;
        }
        location /data/ {
            # This is the key part: it maps this folder, so a request for a
            # resource under http://localhost:10086/data/ is served from
            # /usr/local/data. Keep the trailing slash on both the location
            # and the alias so that /data/x maps to /usr/local/data/x.
            alias '/usr/local/data/';
            expires 7d;
        }
    }

Reverse proxy

    server {
        listen 80;
        server_name www.123.com;

        location / {
            proxy_pass http://127.0.0.1:8080;
            index index.html index.htm index.jsp;
        }
    }

Load balancing

    http {
        upstream myproject {
            ip_hash;
            server 125.219.42.4 fail_timeout=60s;
            server 172.31.2.183;
        }
        server {
            listen 80;
            location / {
                proxy_pass http://myproject;
            }
        }
    }

Cross-origin (CORS) configuration

    server {
        listen 80;
        server_name test.cross.com;

        if ($host ~ (.*)\.cross\.com) {
            set $domain $1;
        }
        add_header Access-Control-Allow-Credentials true;
        add_header Access-Control-Allow-Origin http://static.enjoy.com;
        add_header Access-Control-Allow-Headers 'x-requested-with,content-type,Cache-Control,Pragma,Date,x-timestamp';
        add_header Access-Control-Allow-Methods 'POST,GET,OPTIONS,PUT,DELETE';
        add_header Access-Control-Expose-Headers 'WWW-Authenticate,Server-Authorization';
        add_header P3P 'policyref="/w3c/p3p.xml", CP="NOI DSP PSAa OUR BUS IND ONL UNI COM NAV INT LOC"';
        # Answer CORS preflight requests without passing them on.
        if ($request_method = 'OPTIONS') {
            return 204;
        }
    }

Resource compression

    location ~ /(.*)\.(html|js|css|png)$ {
        gzip on;
        gzip_types application/javascript text/css image/jpeg image/png image/gif;
        gzip_min_length 1024;
        gzip_buffers 4 1k;
        gzip_http_version 1.0;
        gzip_vary off;
        gzip_comp_level 1;
        root /etc/nginx/html/gzip;
    }

Hotlink protection

    location ~* \.(jpg|jpeg|png|gif|bmp|swf|rar|zip|doc|xls|pdf|gz|bz2|mp3|mp4|flv)$ {
        expires 30d;
        # Referers that are allowed to request these files.
        valid_referers none blocked 192.168.0.1 *.google.com;
        # Any other referer is redirected to a placeholder image.
        if ($invalid_referer) {
            rewrite ^/ https://site.com/403.jpg;
        }
        root /usr/share/nginx/img;
    }

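The key directive in the configuration above is valid_referers, which lists the referers that are allowed access. In the configuration above, requests referred from the IP 192.168.0.1 and from the Google search engine may access the image resources under this service; anything else is redirected to a default image.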
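The referer rule described above, modelled in Python as an added example (not part of the original page and not nginx's own code). It covers only the parameter kinds this directive uses (none, blocked, an exact host, a leading-wildcard host) and omits URI prefixes and regular expressions; the function names and the sample Referer values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Parameters copied from the valid_referers directive in the block above.
VALID_REFERERS = ["none", "blocked", "192.168.0.1", "*.google.com"]

# Constructed sample Referer values (None means the header is absent).
SAMPLES = [
    None,
    "-",
    "http://192.168.0.1/gallery.html",
    "https://images.google.com:443/search?q=cat",
    "https://google.com/",
    "https://forum.example.net/thread/42",
]


def host_matches(host, pattern):
    """Match a Referer host against one server-name parameter."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".google.com": subdomains only, not the bare domain
        return host.endswith(suffix) and host != suffix
    return host == pattern


def invalid_referer(referer, params=VALID_REFERERS):
    """Return True when the request would take the `if ($invalid_referer)` branch."""
    if referer is None:  # header missing: governed by "none"
        return "none" not in params
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" not in params  # value without a scheme: "blocked"
    try:
        host = (urlsplit(referer).hostname or "").lower()  # port is ignored
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        host = ""
    names = [p for p in params if p not in ("none", "blocked")]
    return not any(host_matches(host, p) for p in names)


if __name__ == "__main__":
    for ref in SAMPLES:
        verdict = "redirect to 403.jpg" if invalid_referer(ref) else "serve image"
        print(f"{ref!r:50} -> {verdict}")
```

Referer is supplied by the client, so this rule limits casual embedding by other sites rather than acting as an access control.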
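Configuring SSL
Applying for a certificate
Here I applied directly for a free certificate from Tencent Cloud. One thing to note: the free certificate issued by TrustAsia can only be used for a single domain, and subdomains need separate applications. I have to say, applying through Tencent was quite fast; it was approved in a little over ten minutes. The download is a zip file. After unzipping it, open the Nginx folder inside and copy out the 1_XXX.com_bundle.crt and 2_XXX.com.key files.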
Viewing the configuration file

    user nginx;
    worker_processes 1;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        keepalive_timeout 65;
        include /etc/nginx/conf.d/*.conf;
    }

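This is the global configuration. For easier management, we put the per-project configuration in the /etc/nginx/conf.d folder declared on its last line.
Modifying default.conf
Open the default.conf file in that folder.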

    # Files in conf.d are included inside the http { } block of nginx.conf,
    # so this file contains only server blocks.
    server {
        listen 443 ssl;          # the "ssl" listen parameter replaces the deprecated "ssl on;"
        server_name baiyp.com;   # must be a name the certificate covers
        ssl_certificate /etc/ssl/1_baofeidyz.com_bundle.crt;
        ssl_certificate_key /etc/ssl/2_baofeidyz.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        location / {
            root /usr/local/service/ROOT;
            index index.html;
        }
    }

    # Redirect plain HTTP to HTTPS.
    server {
        listen 80;
        server_name baofeidyz.com;
        rewrite ^/(.*)$ https://baofeidyz.com:443/$1 permanent;
    }

After restarting Nginx, you can test it.