1. 全局块:配置影响nginx全局的指令。一般有运行nginx服务器的用户组,nginx进程pid存放路径,日志存放路径,配置文件引入,允许生成worker process数等。

  2. events块:配置影响nginx服务器或与用户的网络连接。有每个进程的最大连接数,选取哪种事件驱动模型处理连接请求,是否允许同时接受多个网络连接,开启多个网络连接序列化等。

  3. http块:可以嵌套多个server,配置代理,缓存,日志定义等绝大多数功能和第三方模块的配置。如文件引入,mime-type定义,日志自定义,是否使用sendfile传输文件,连接超时时间,单连接请求数等。

  4. server块:配置虚拟主机的相关参数,一个http中可以有多个server。

  5. location块:配置请求的路由,以及各种页面的处理情况。

  6. stream块:配置TCP代理。




  • nginx.conf

    $ sudo vim /usr/local/nginx/conf/nginx.conf
    user                  nginx nginx;
    worker_processes      auto;
    ## Binds worker processes to the sets of CPUs.
    ## Each CPU set is represented by a bitmask of allowed CPUs. There should be a separate set defined for each of the worker processes.
    ## By default, worker processes are not bound to any specific CPUs.
    worker_cpu_affinity   auto;
    error_log             /var/log/nginx/error.log  notice;
    ## NOTE(review): the pid path below ends in a directory; the file name appears to have been lost when
    ## this page was extracted. It must be a full file path, e.g. /var/run/<PID_FILE> (placeholder).
    pid                   /var/run/;
    ## Specifies the value for maximum file descriptors that can be opened by this process.
    worker_rlimit_nofile  51200;
    ## NOTE(review): the `events {` opener and its closing brace are not shown in this listing; the indented
    ## `use` and `worker_connections` directives below are events-context directives (section 2 above).
        use epoll;
        ## Sets the maximum number of simultaneous connections that can be opened by a worker process.
        ## It should be kept in mind that this number includes all connections (e.g. connections with proxied servers, among others), not only connections with clients.
        ## Another consideration is that the actual number of simultaneous connections cannot exceed the current limit on the maximum number of open files, which can be changed by worker_rlimit_nofile.
        ## maxclient = worker_processes * worker_connections / cpu_number
        worker_connections 30000;
        ## NOTE(review): the `http {` opener is likewise missing from the listing; everything from here to the
        ## vhosts include belongs to the http context (section 3 above).
        include       mime.types;
        default_type  application/octet-stream;
        # log_format    weblog  '$http_x_forwarded_for $remote_port "$request" $status [$time_local] '
        #                        '"$http_user_agent" "$http_referer" $body_bytes_sent '
        #                        '$remote_addr $gzip_ratio';
        ## NOTE(review): this JSON log_format is truncated here (only the first field survives) and is not
        ## terminated with `';`. When completing it, add `escape=json` after the format name so that
        ## request-controlled variables such as $request and $http_user_agent cannot break the JSON
        ## structure or forge extra log entries (log injection).
        log_format weblog  '{"time_local":"$time_local",'
        sendfile           on;
        ## Suppresses the nginx version in the Server header and on error pages.
        server_tokens      off;
        tcp_nopush         on;
        tcp_nodelay        on;
        keepalive_timeout  60;
        request_pool_size  4k;
        ## Allows accurate tuning of per-connection memory allocations. 
        ## This directive has minimal impact on performance and should not generally be used. 
        ## By default, the size is equal to 256 bytes on 32-bit platforms and 512 bytes on 64-bit platforms.
        connection_pool_size            512;
        ## NOTE(review): 3-minute header/body/send timeouts let a slow or idle client hold a connection for a
        ## long time (slow-request exhaustion); the nginx default is 60s - confirm the longer value is needed.
        client_header_timeout           3m;
        client_body_timeout             3m;
        send_timeout                    3m;
        ## NOTE(review): these header buffers are very generous (256k default buffer, up to 4 x 1024k for
        ## large headers, per connection); they bound per-connection memory under a header flood, so confirm
        ## the applications behind this server really send headers of this size.
        client_header_buffer_size       256k;
        large_client_header_buffers     4 1024k;
        ## Caps request bodies at 10 MB; larger requests are rejected.
        client_max_body_size            10m;
        client_body_buffer_size         256k;
        output_buffers                  4 32k;
        postpone_output                 1460;
        server_names_hash_bucket_size   128;
        ## NOTE(review): the FastCGI buffers below are large (2048k / 4 x 1024k) and are allocated per
        ## proxied connection; confirm backend response sizes justify them.
        fastcgi_connect_timeout        180s;
        fastcgi_send_timeout           180s;
        fastcgi_read_timeout           180s;
        fastcgi_buffer_size            2048k;
        fastcgi_buffers                4 1024k;
        fastcgi_busy_buffers_size      2048k;
        fastcgi_temp_file_write_size   2048k;
        gzip                  on;
        gzip_http_version     1.1;
        gzip_comp_level       2;
        gzip_min_length       1100;
        gzip_buffers          16 8k;
        gzip_vary             on;
        gzip_proxied          expired no-cache no-store private auth;
        gzip_types            text/plain text/css application/json text/xml application/xml application/xml+rss text/javascript application/javascript application/x-javascript;
        ## The following includes are specified for virtual hosts
        include          vhosts/*.conf;
    ## NOTE(review): the closing brace of the http block belongs before `stream {`; it is not shown here.
    stream {
        ## Access-log format for the TCP proxy (section 6 above); the $upstream_* fields record the proxied backend.
        log_format proxy '$remote_addr [$time_local] '
                    '$protocol $status $bytes_sent $bytes_received '
                    '$session_time "$upstream_addr" '
                    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
        # access_log off;
        access_log /var/log/nginx/tcp-access.log proxy ;
        # open_log_file_cache off;
        open_log_file_cache max=1000 inactive=20s valid=1m min_uses=2;
        include          stream/*.ini;
    ## NOTE(review): the stream block's closing brace is also missing from this listing.

Nginx https配置(这里以 Nginx静态服务配置为例)

  • https.conf

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        return 301 https://$host$request_uri;
        ## NOTE(review): the closing `}` of this HTTP-only redirect server and the `server {` opener of the
        ## TLS server appear to have been lost in extraction. As printed, the `return 301` above would also
        ## fire for requests arriving on port 443 and send clients into a redirect loop; the two must remain
        ## separate server blocks.
        listen  443 ssl default;
        # listen [::]:443 ssl;
        root  /data/wwwroot/;
        index index.shtml index.html;
        ## NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996) and fail most compliance scans; unless
        ## legacy clients are a hard requirement use `ssl_protocols TLSv1.2 TLSv1.3;`.
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ## NOTE(review): both paths end in the letsencrypt live/ directory; the per-domain directory and the
        ## chain / private-key file names were lost in extraction, e.g. /etc/letsencrypt/live/<DOMAIN>/<CERT_FILE> (placeholder).
        ssl_certificate     /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;
        ## Specifies that server ciphers should be preferred over client ciphers when the SSLv3 and TLS protocols are used.
        ssl_prefer_server_ciphers on;
        ## NOTE(review): with ssl_ciphers commented out the OpenSSL default list is in effect, so the server
        ## preference above orders an unreviewed list. If TLS 1.2 (or older) stays enabled, set an explicit
        ## forward-secret AEAD cipher list such as the commented one below.
        # ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ## Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ## openssl dhparam -out /usr/local/nginx/sslkey/dh_ssl/nginx_dh_2048.pem 2048
        ssl_dhparam /usr/local/nginx/sslkey/dh_ssl/nginx_dh_2048.pem;
        ## The special value auto (1.11.0) instructs nginx to use a list built into the OpenSSL library when using OpenSSL 1.0.2 or higher, or prime256v1 with older versions.
        ## Prior to version 1.11.0, the prime256v1 curve was used by default.
        ssl_ecdh_curve auto;
        ## This will create a cache shared between all worker processes.
        ## The cache size is specified in bytes (in this example: 50 MB).
        ## According to the Nginx documentation 1MB can store about 4000 sessions, so for this example we can store about 200000 sessions, and we will store them for 180 minutes.
        ## NOTE(review): the sentence above says 180 minutes, but ssl_session_timeout below is set to 1d;
        ## align the comment and the directive (a shorter lifetime limits how long a resumed or leaked
        ## session stays usable).
        ## If you expect more traffic, increase the cache size accordingly.
        ssl_session_timeout  1d;
        ssl_session_cache    shared:SSL:50m;
        ## Tickets are off: a ticket key that is never rotated would weaken forward secrecy for every session
        ## it protects. If tickets are re-enabled, rotate ssl_session_ticket_key regularly.
        ssl_session_tickets      off;
        # ssl_session_ticket_key /usr/local/nginx/sslkey/tls_session/tls_session_ticket.key;
        ssl_stapling          on;
        ssl_stapling_verify   on;
        ## verify chain of trust of OCSP response using Root CA and Intermediate certs.
        ## NOTE(review): ssl_stapling_verify is on but ssl_trusted_certificate stays commented out, so
        ## verification depends on the intermediates shipped in ssl_certificate; confirm that file includes
        ## them, otherwise stapling is silently skipped with only an error-log entry.
        # ssl_trusted_certificate /path/to/signed_cert_plus_intermediates;
        ## NOTE(review): the resolver address is missing (lost in extraction); it is used for the OCSP
        ## fetches above, so point it at a trusted resolver, e.g. `resolver <DNS_IP> valid=300s;` (placeholder).
        resolver   valid=300s;
        resolver_timeout    5s;
        ## NOTE(review): SSI executes directives embedded in any response served with the types below. Keep
        ## ssi_types limited to operator-authored .shtml content and never serve user-supplied files with a
        ## matching type, otherwise embedded directives become an injection vector; use `ssi off` where SSI
        ## is not needed.
        ssi                 on;
        ssi_silent_errors   off;
        ssi_types           text/shtml;
        ## NOTE(review): the `{` after this location and the closing braces of this and the next location
        ## are missing from the listing.
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
            expires     30d;
            access_log  off;
        location = /favicon.ico {
            rewrite (.*) /static/favicon.ico;
        # location = /robots.txt {
        #     rewrite (.*) /static/robots.txt;
        # }
        location / {
            add_header Cache-Control no-cache;
            ## HSTS
            ## NOTE(review): the static-asset and favicon locations above define no add_header of their own
            ## and the server level defines none either, so their responses carry no HSTS, X-Frame-Options or
            ## X-Content-Type-Options. Move these security headers to server context; any location that keeps
            ## its own add_header (such as the Cache-Control one here) must then repeat them, because defining
            ## add_header in a location discards the inherited set.
            # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
            add_header Strict-Transport-Security "max-age=63072000";
            add_header X-Frame-Options DENY;
            add_header X-Content-Type-Options nosniff;
        # error_page 404 /static/404.html;
        access_log  /data/httplog/XXXX.com_access_ssl.log weblog;
        error_log   /data/httplog/XXXX.com_error_ssl.log;
        ## NOTE(review): the closing braces of `location /` and of the server block are not shown in this listing.

Nginx http配置(这里以 Nginx静态服务配置为例)

  • http.conf

        ## NOTE(review): the `server {` opener is not shown in this listing (every line is already indented),
        ## and the closing braces of the location and `if` blocks below are missing as well.
        listen       80;
        ## NOTE(review): index.php is listed but no PHP/FastCGI handler location appears in this listing; with
        ## the http-level `default_type application/octet-stream`, a stray .php file under root would be served
        ## as a raw download (source disclosure). Drop index.php unless a PHP location is configured.
        index index.html index.htm index.php;
        root  /data/wwwroot/;
        location = /favicon.ico {
            log_not_found off;
            access_log off;
        location ~* \.(gif|jpg|jpeg|css|js|bmp|png)$ {
            expires  max;
        ## NOTE(review): stub_status is reachable by anyone and exposes connection counters useful for
        ## reconnaissance. Restrict it, e.g. `allow 127.0.0.1; deny all;` inside this location, or bind it
        ## to an internal-only vhost.
        location /status {
            stub_status on;
            access_log off;
        location / {
            add_header Cache-Control no-cache;
        ## Appends a trailing slash to directory requests. $host is taken from the client's Host header; if
        ## this vhost sits behind a cache or proxy, prefer a fixed hostname or $server_name so a crafted Host
        ## header cannot steer the cached redirect elsewhere.
        if (-d $request_filename){
            rewrite ^/(.*)([^/])$ http://$host/$1$2/ permanent;
        ## NOTE(review): both log paths end in a directory; the file names were lost in extraction - use full
        ## paths such as /data/httplogs/<VHOST>_error.log (placeholder).
        error_log  /data/httplogs/;
        access_log  /data/httplogs/ weblog;