Nginx configuration file structure
Global block (main context): directives that affect nginx as a whole. Typically the user and group that run the nginx server, the path of the nginx pid file, the log path, included configuration files, the number of worker processes allowed, and so on.
events block: directives that affect the nginx server's network connections with users, such as the maximum number of connections per worker process, which event-driven model handles connection requests, whether a worker may accept several network connections at once, and whether accepts are serialized across multiple connections.
http block: can contain multiple server blocks; holds the configuration for proxying, caching, log definitions and most other features, as well as third-party modules. For example file includes, mime-type definitions, custom log formats, whether to use sendfile for file transfers, connection timeouts, and the number of requests allowed per connection.
server block: parameters of a virtual host; one http block can contain multiple server blocks.
location block: routing of requests and how the different kinds of pages are handled.
stream block: TCP proxying.
Below is a configuration file to help you understand this.
Production configuration
Nginx main configuration file
nginx.conf
$ sudo vim /usr/local/nginx/conf/nginx.conf

user nginx nginx;
worker_processes auto;
## Binds worker processes to the sets of CPUs.
## Each CPU set is represented by a bitmask of allowed CPUs. There should be a separate set defined for each of the worker processes.
## By default, worker processes are not bound to any specific CPUs.
worker_cpu_affinity auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
## Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;

events {
    use epoll;
    ## Sets the maximum number of simultaneous connections that can be opened by a worker process.
    ## It should be kept in mind that this number includes all connections (e.g. connections with proxied servers, among others), not only connections with clients.
    ## Another consideration is that the actual number of simultaneous connections cannot exceed the current limit on the maximum number of open files, which can be changed by worker_rlimit_nofile.
    ## maxclient = worker_processes * worker_connections / cpu_number
    worker_connections 30000;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # log_format weblog '$http_x_forwarded_for $remote_port "$request" $status [$time_local] '
    #                   '"$http_user_agent" "$http_referer" $body_bytes_sent '
    #                   '$remote_addr $gzip_ratio';
    ## escape=json (nginx 1.11.8+) escapes quotes, backslashes and control characters in variables
    ## such as $request and $request_body, so every logged line stays valid JSON.
    ## Note that $request_body may contain credentials or personal data; restrict access to this log accordingly.
    log_format weblog escape=json '{"time_local":"$time_local",'
                      '"http_host":"$http_host",'
                      '"remote_addr":"$remote_addr",'
                      '"remote_port":"$remote_port",'
                      '"remote_user":"$remote_user",'
                      '"request":"$request",'
                      '"status":"$status",'
                      '"request_time":"$request_time",'
                      '"request_body":"$request_body",'
                      '"body_bytes_sent":"$body_bytes_sent",'
                      '"http_referer":"$http_referer",'
                      '"upstream_addr":"$upstream_addr",'
                      '"upstream_response_time":"$upstream_response_time",'
                      '"http_x_forwarded_for":"$http_x_forwarded_for",'
                      '"scheme":"$scheme",'
                      '"gzip_ratio":"$gzip_ratio",'
                      '"http_user_agent":"$http_user_agent"'
                      '}';

    sendfile on;
    server_tokens off;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    request_pool_size 4k;
    ## Allows accurate tuning of per-connection memory allocations.
    ## This directive has minimal impact on performance and should not generally be used.
    ## By default, the size is equal to 256 bytes on 32-bit platforms and 512 bytes on 64-bit platforms.
    connection_pool_size 512;
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    client_header_buffer_size 256k;
    large_client_header_buffers 4 1024k;
    client_max_body_size 10m;
    client_body_buffer_size 256k;
    output_buffers 4 32k;
    postpone_output 1460;
    server_names_hash_bucket_size 128;

    fastcgi_connect_timeout 180s;
    fastcgi_send_timeout 180s;
    fastcgi_read_timeout 180s;
    fastcgi_buffer_size 2048k;
    fastcgi_buffers 4 1024k;
    fastcgi_busy_buffers_size 2048k;
    fastcgi_temp_file_write_size 2048k;

    gzip on;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css application/json text/xml application/xml application/xml+rss text/javascript application/javascript application/x-javascript;

    ## The following includes are specified for virtual hosts
    include vhosts/*.conf;
}

stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    # access_log off;
    access_log /var/log/nginx/tcp-access.log proxy;
    # open_log_file_cache off;
    open_log_file_cache max=1000 inactive=20s valid=1m min_uses=2;
    include stream/*.ini;
}
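As an added example (not from the original post), the Python script below parses lines written in the weblog JSON log format defined above, tolerates the "-" and comma-separated multi-upstream values of $upstream_response_time, and flags 5xx responses and slow requests. The log lines are constructed, and the 1 s slow threshold is an assumed value; the third line shows what a line looks like when the format is used without escape=json (nginx's default escaping writes a double quote as \x22, which is not a valid JSON escape).

```python
import json
from collections import Counter

# Constructed sample lines in the page's `weblog` JSON log_format (not real traffic).
# The third line imitates nginx's default (non-json) escaping of a quote in $request,
# which yields \x22 and therefore breaks the JSON parser.
SAMPLE_LOG = r'''
{"time_local":"10/Mar/2024:12:00:01 +0000","http_host":"www.example.com","remote_addr":"203.0.113.5","remote_port":"51234","remote_user":"","request":"GET /index.html HTTP/1.1","status":"200","request_time":"0.004","request_body":"","body_bytes_sent":"512","http_referer":"","upstream_addr":"","upstream_response_time":"","http_x_forwarded_for":"","scheme":"https","gzip_ratio":"2.10","http_user_agent":"curl/8.0"}
{"time_local":"10/Mar/2024:12:00:02 +0000","http_host":"www.example.com","remote_addr":"203.0.113.5","remote_port":"51235","remote_user":"","request":"POST /api/login HTTP/1.1","status":"502","request_time":"3.210","request_body":"","body_bytes_sent":"0","http_referer":"","upstream_addr":"10.0.0.7:9000, 10.0.0.8:9000","upstream_response_time":"3.001, 0.208","http_x_forwarded_for":"198.51.100.9","scheme":"https","gzip_ratio":"","http_user_agent":"Mozilla/5.0"}
{"time_local":"10/Mar/2024:12:00:03 +0000","http_host":"www.example.com","remote_addr":"203.0.113.9","remote_port":"40001","remote_user":"-","request":"GET /?q=\x22x\x22 HTTP/1.1","status":"200","request_time":"0.002","request_body":"-","body_bytes_sent":"120","http_referer":"-","upstream_addr":"-","upstream_response_time":"-","http_x_forwarded_for":"-","scheme":"https","gzip_ratio":"-","http_user_agent":"Mozilla/5.0"}
'''


def _times(value):
    """$upstream_response_time is '', '-' or a comma-separated list (one entry per upstream tried)."""
    return [float(t) for t in value.split(",") if t.strip() not in ("", "-")]


def parse_line(line):
    """Return a typed record for one log line, or None if the line is not valid JSON."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    rec["status"] = int(rec["status"])
    rec["request_time"] = float(rec["request_time"])
    rec["upstream_response_time"] = _times(rec["upstream_response_time"])
    return rec


def summarize(log_text, slow_threshold=1.0):
    """Count parsed and malformed lines, 5xx responses and requests slower than the threshold (assumed 1 s)."""
    stats = Counter()
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            stats["malformed"] += 1  # worth alerting on: a broken line is lost evidence
            continue
        stats["parsed"] += 1
        if rec["status"] >= 500:
            stats["server_errors"] += 1
        if rec["request_time"] > slow_threshold:
            stats["slow"] += 1
    return dict(stats)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```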
Nginx HTTPS configuration (using a static-file site as the example)
https.conf
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default;
    # listen [::]:443 ssl;
    server_name XXXX.com www.XXXX.com;
    root /data/wwwroot/XXXX.com/webroot;
    index index.shtml index.html;

    ## TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients still require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/live/XXXX.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXXX.com/privkey.pem;
    ## Specifies that server ciphers should be preferred over client ciphers when the SSLv3 and TLS protocols are used.
    ssl_prefer_server_ciphers on;
    # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
    ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ## openssl dhparam -out /usr/local/nginx/sslkey/dh_ssl/nginx_dh_2048.pem 2048
    ssl_dhparam /usr/local/nginx/sslkey/dh_ssl/nginx_dh_2048.pem;
    ## The special value auto (1.11.0) instructs nginx to use a list built into the OpenSSL library when using OpenSSL 1.0.2 or higher, or prime256v1 with older versions.
    ## Prior to version 1.11.0, the prime256v1 curve was used by default.
    ssl_ecdh_curve auto;

    ## This will create a cache shared between all worker processes.
    ## The cache size is specified in bytes (in this example: 50 MB).
    ## According to the Nginx documentation, 1 MB can store about 4000 sessions, so for this example we can store about 200000 sessions, and we will store them for 180 minutes.
    ## If you expect more traffic, increase the cache size accordingly.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # ssl_session_ticket_key /usr/local/nginx/sslkey/tls_session/tls_session_ticket.key;

    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs.
    ## ssl_stapling_verify can only succeed when that chain is configured here via ssl_trusted_certificate.
    # ssl_trusted_certificate /path/to/signed_cert_plus_intermediates;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    ssi on;
    ssi_silent_errors off;
    ssi_types text/shtml;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
        access_log off;
    }
    location = /favicon.ico {
        rewrite (.*) /static/favicon.ico;
    }
    # location = /robots.txt {
    #     rewrite (.*) /static/robots.txt;
    # }
    location / {
        add_header Cache-Control no-cache;
        ## HSTS
        # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header Strict-Transport-Security "max-age=63072000";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
    }
    # error_page 404 /static/404.html;
    access_log /data/httplog/XXXX.com_access_ssl.log weblog;
    error_log /data/httplog/XXXX.com_error_ssl.log;
}
Nginx HTTP configuration (using a static-file site as the example)
http.conf
server {
    listen 80;
    server_name analysis-ik.XXXX.com;
    index index.html index.htm index.php;
    root /data/wwwroot/analysis-ik.XXXX.com/webroot;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location ~* \.(gif|jpg|jpeg|css|js|bmp|png)$ {
        expires max;
    }
    ## stub_status exposes connection counters; restrict it with allow/deny if this host is reachable from untrusted networks.
    location /status {
        stub_status on;
        access_log off;
    }
    location / {
        add_header Cache-Control no-cache;
    }
    ## Add a trailing slash when the request names an existing directory.
    if (-d $request_filename) {
        rewrite ^/(.*)([^/])$ http://$host/$1$2/ permanent;
    }

    error_log /data/httplogs/analysis-ik.XXXX.com-error.log;
    access_log /data/httplogs/analysis-ik.XXXX.com-access.log weblog;
}
Reference documentation
http://nginx.org/en/docs/configure.html