Nginx Configuration Cheat Sheet
Quick reference for common Nginx configuration: reverse proxy, load balancing, HTTPS, caching, security and more

Basic commands (5)

Start Nginx
Start the Nginx service
# start
nginx
# or
systemctl start nginx

Stop Nginx
Stop the Nginx service
# graceful stop: finish in-flight requests, then exit
nginx -s quit
# fast shutdown: drop connections immediately
nginx -s stop
# or
systemctl stop nginx

Reload configuration
Reload the configuration without downtime (new workers start with the new config, old workers finish their requests and exit)
nginx -s reload
# or
systemctl reload nginx

Test configuration
Check the configuration for syntax errors. Run this before every reload: a reload with a broken config fails and silently keeps the old config running.
nginx -t
# test and dump the full effective configuration (all includes expanded)
nginx -T

Show version
Show the Nginx version and build information
nginx -v # version only
nginx -V # version plus configure arguments (shows which modules are compiled in)

Basic configuration (3)

Main configuration structure
Basic structure of nginx.conf
# /etc/nginx/nginx.conf
worker_processes auto;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # pull in per-site configuration
    include /etc/nginx/conf.d/*.conf;
}

Static file serving
The simplest static-site configuration. try_files with =404 serves only files and directories that actually exist under root and returns 404 otherwise, instead of falling through to another handler.
server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}

Gzip compression
Enable gzip to reduce transfer size. text/html is always compressed and does not need to be listed. Compressing dynamic responses that echo attacker-controlled input next to secrets such as CSRF tokens exposes those secrets to compression side channels (BREACH), so keep the list to content where that does not apply.
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_comp_level 6;
gzip_types
    text/plain
    text/css
    text/javascript
    application/json
    application/javascript
    image/svg+xml;

Virtual hosts (2)

Name-based
Different domain names serve different sites. A request whose Host header matches no server_name is handled by the first server block on that port unless another one is marked default_server, so add an explicit default_server (for example one that returns 444) rather than letting unknown hosts land on site-a.
# site-a.conf
server {
    listen 80;
    server_name a.example.com;
    root /var/www/site-a;
}
# site-b.conf
server {
    listen 80;
    server_name b.example.com;
    root /var/www/site-b;
}

Port-based
Different ports serve different services
server {
    listen 8001;
    server_name localhost;
    root /var/www/app1;
}
server {
    listen 8002;
    server_name localhost;
    root /var/www/app2;
}

Reverse proxy (4)

Basic reverse proxy
Forward requests to a backend service. $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client already sent, so the backend must not trust the leftmost entry of that header; X-Real-IP is set outright from the TCP peer and is the value to read when Nginx is the only hop.
server {
    listen 80;
    server_name api.example.com;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
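How a backend behind the proxy above should read the client address, as an added Python example (not part of the original cheat sheet and not Nginx code). It models what proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for produces: the client's own header value, then Nginx's $remote_addr appended. Only hops appended by proxies you operate can be trusted, so the chain is walked from the right. The trusted-proxy ranges and the sample headers are constructed for the demonstration.

```python
"""Recover the client IP from X-Forwarded-For as set by the reverse proxy above.

Added example, not part of the original page. The header arrives at the backend
as "<whatever the client sent>, <Nginx's $remote_addr>", so the leftmost
entries are attacker-controlled and only the rightmost entries that our own
proxies appended can be believed.
"""
import ipaddress

# Constructed: the proxies we operate (the Nginx box and an internal LB range).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr is one of our own proxies; unparsable strings are untrusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(xff: str, remote_addr: str) -> str:
    """Walk the chain right-to-left, skipping our own proxies.

    remote_addr is the backend's TCP peer (normally the Nginx host) and is
    always the last hop. The first address from the right that is not one of
    our proxies is the client as seen by the outermost hop we control.
    """
    chain = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    chain.append(remote_addr)
    for hop in reversed(chain):
        if not is_trusted_proxy(hop):
            return hop
    # every hop was ours (e.g. an internal health check): report the peer
    return remote_addr


def naive_client_ip(xff: str, remote_addr: str) -> str:
    """The common bug: trust the leftmost X-Forwarded-For entry."""
    return xff.split(",")[0].strip() if xff else remote_addr


if __name__ == "__main__":
    # Constructed: a client at 203.0.113.9 forges X-Forwarded-For: 10.0.0.1
    # to look like an internal address; Nginx (10.0.0.5) appends the real peer.
    header = "10.0.0.1, 203.0.113.9"
    print("naive  :", naive_client_ip(header, "10.0.0.5"))  # spoofed value
    print("correct:", client_ip(header, "10.0.0.5"))        # real client
```

A backend that compares naive_client_ip() against an internal allow-list accepts the forged 10.0.0.1; client_ip() returns the address Nginx actually saw. When Nginx itself sits behind another proxy, the same rule applies inside Nginx via the realip module (set_real_ip_from for each trusted hop, real_ip_header X-Forwarded-For, real_ip_recursive on).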
WebSocket proxy
Support WebSocket connections. Nginx closes an idle proxied connection after proxy_read_timeout (default 60s); raise it for this location or have the application send keepalive pings.
location /ws {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
}

Path-based forwarding
Route requests to different backends by URL prefix. The trailing slash on proxy_pass matters: when proxy_pass carries a URI part, the portion of the request URI that matched the location is replaced by it (/api/users reaches the backend as /users); without a URI part the request URI is forwarded unchanged. Keep location and proxy_pass both ending in a slash, or neither.
location /api/ {
    proxy_pass http://127.0.0.1:8080/;
}
location /admin/ {
    proxy_pass http://127.0.0.1:9090/;
}
location / {
    root /var/www/frontend;
    try_files $uri $uri/ /index.html;
}
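The replacement rule for prefix locations, modelled in Python as an added example (not Nginx's code and not from the original page). It follows the documented rule only: the part of the request URI that matched the location is replaced by the URI part of proxy_pass, if there is one. It assumes a normalised request URI and plain prefix locations (no regex, no = or ^~ modifiers).

```python
"""Model of how Nginx rewrites the request URI for a prefix location with proxy_pass.

Added example, not Nginx code. Assumes the request URI is already normalised
(decoded, dots resolved, slashes merged) and the location is a plain prefix.
"""


def split_proxy_pass(proxy_pass: str):
    """Split 'scheme://host[:port][/uri]' into (scheme_host, uri_or_None).

    'http://backend'           -> ('http://backend', None)    no URI part
    'http://127.0.0.1:8080/'   -> ('http://127.0.0.1:8080', '/')
    'http://127.0.0.1:8080/v2' -> ('http://127.0.0.1:8080', '/v2')
    """
    scheme, sep, rest = proxy_pass.partition("://")
    if not sep:
        raise ValueError("proxy_pass needs a scheme")
    host, slash, uri = rest.partition("/")
    return scheme + "://" + host, ("/" + uri) if slash else None


def location_matches(prefix: str, request_uri: str) -> bool:
    """A prefix location matches any path that starts with its string, so
    'location /api' also matches '/api-internal/...'; 'location /api/' does not."""
    return request_uri.partition("?")[0].startswith(prefix)


def upstream_uri(prefix: str, proxy_pass: str, request_uri: str) -> str:
    """Return the URI the backend receives for a request handled by this location."""
    path, qmark, query = request_uri.partition("?")
    if not location_matches(prefix, request_uri):
        raise ValueError(f"{path} does not match location {prefix}")
    _, uri = split_proxy_pass(proxy_pass)
    if uri is None:
        return request_uri                     # no URI part: forwarded as-is
    # the matched prefix is cut off and the proxy_pass URI is glued in front
    return uri + path[len(prefix):] + qmark + query


if __name__ == "__main__":
    cases = [
        ("/api/", "http://127.0.0.1:8080/", "/api/users?id=1"),   # the page's config
        ("/api/", "http://backend",         "/api/users"),        # prefix kept
        ("/api",  "http://127.0.0.1:8080/", "/api/users"),        # double slash upstream
        ("/api",  "http://127.0.0.1:8080/", "/api-internal/x"),   # prefix over-matches
    ]
    for prefix, pp, req in cases:
        print(f"location {prefix:<6} proxy_pass {pp:<24} {req:<20} -> {upstream_uri(prefix, pp, req)}")
```

The last two cases are why the slashes should agree: location /api with proxy_pass ending in / turns /api/users into //users, and because a prefix location is a plain string match it also captures /api-internal/x and forwards it as /-internal/x to the same backend.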
Timeouts
Configure proxy timeouts and buffering. proxy_read_timeout is the maximum gap between two successive reads from the upstream, not a total request time, so a hung backend holds the connection for that long.
location /api/ {
    proxy_pass http://backend;
    proxy_connect_timeout 60s;
    proxy_read_timeout 300s;
    proxy_send_timeout 60s;
    proxy_buffering on;
    proxy_buffer_size 4k;
    proxy_buffers 8 16k;
}

Load balancing (4)

Round robin (default)
Requests are handed to each server in turn
upstream backend {
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
    server 192.168.1.12:8080;
}
server {
    listen 80;
    location / {
        proxy_pass http://backend;
    }
}

Weighted round robin
Distribute requests in proportion to weight (here 5:3:2)
upstream backend {
    server 192.168.1.10:8080 weight=5;
    server 192.168.1.11:8080 weight=3;
    server 192.168.1.12:8080 weight=2;
}

IP hash
The same client IP is always sent to the same backend (for IPv4 the first three octets are hashed, so a whole /24 shares one server). If Nginx sits behind another proxy, every client shares that proxy's address and all traffic lands on one backend; configure the realip module first.
upstream backend {
    ip_hash;
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
}

Health checks
Passive health checks: after max_fails failed attempts within fail_timeout, the server is skipped for fail_timeout and then tried again. Active probing (health_check) is a commercial Nginx Plus feature; open-source Nginx only notices a backend is down when real client requests to it fail.
upstream backend {
    server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:8080 backup; # used only when all primary servers are down
}

HTTPS/SSL (3)

HTTPS configuration
Enable HTTPS with a certificate. Keep the private key readable by root only; the master process loads it before the workers drop privileges. ssl_ciphers applies to TLS 1.2 and earlier; TLS 1.3 cipher suites are chosen by the TLS library and are not affected by this directive.
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/cert.pem;      # full chain: leaf certificate plus intermediates
    ssl_certificate_key /etc/nginx/ssl/key.pem;   # chmod 600, owned by root
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    location / {
        root /var/www/html;
}

Redirect HTTP to HTTPS
Force all requests onto HTTPS. $server_name is used rather than $host so a forged Host header cannot turn the redirect into an open redirect to another domain.
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

Let's Encrypt certificate
Obtain a free certificate with Certbot
# install certbot and its Nginx plugin
sudo apt install certbot python3-certbot-nginx
# request a certificate (the plugin rewrites the Nginx server block automatically)
sudo certbot --nginx -d example.com
# renew; the package normally installs a systemd timer or cron job that runs this
sudo certbot renew

Caching (2)

Static asset caching
Set browser caching for static assets. immutable tells browsers never to revalidate, so use it only for content-hashed filenames (app.3f9a1c.js); an unversioned file would stay stale for 30 days. Because this location has its own add_header, security headers set at server level are not inherited here and must be repeated.
location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff2)$ {
    expires 30d;
    add_header Cache-Control "public, immutable";
}

Proxy caching
Cache backend responses. The default cache key is $scheme$proxy_host$request_uri, so a per-user response cached here is served to the next user who requests the same URL. Cache only public responses, and have the backend send Cache-Control: private or no-store on everything else; Nginx honours those and by default also refuses to cache responses that carry Set-Cookie.
proxy_cache_path /tmp/nginx_cache levels=1:2
                 keys_zone=my_cache:10m max_size=1g
                 inactive=60m;
server {
    location /api/ {
        proxy_pass http://backend;
        proxy_cache my_cache;
        proxy_cache_valid 200 10m;
        proxy_cache_valid 404 1m;
        add_header X-Cache-Status $upstream_cache_status;  # HIT, MISS, BYPASS, EXPIRED, ...
}

Security (4)

Rate limiting
Limit the request rate to curb abuse. rate=10r/s is the sustained rate, burst=20 lets that many extra requests through, nodelay forwards them immediately instead of pacing them, and anything beyond is answered with 503 (limit_req_status 429; changes that). $binary_remote_addr is the TCP peer, so behind a load balancer every client shares one bucket until the realip module is configured; a 10m zone holds roughly 160 thousand IPv4 states.
# define the rate-limit zone
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
server {
    location /api/ {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://backend;
}
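The arithmetic behind rate, burst and nodelay, reproduced in Python as an added example (a model of ngx_http_limit_req_module's leaky bucket, not Nginx's code and not from the original page). Each accepted request adds one to a per-key "excess" that drains at rate per second; a request whose excess would exceed burst is rejected and leaves the state untouched; without nodelay an accepted request is held for excess/rate seconds. The client key and timestamps are constructed.

```python
"""Leaky-bucket model of limit_req_zone rate=... with limit_req burst=... [nodelay].

Added example, not Nginx code. Reproduces the module's accounting so the
effect of burst and nodelay can be seen on constructed request timings.
"""
from dataclasses import dataclass, field


@dataclass
class LimitReq:
    """One limit_req_zone + limit_req pair.

    rate    requests per second (rate= of limit_req_zone)
    burst   extra requests tolerated above the rate (burst= of limit_req)
    nodelay forward burst requests at once instead of pacing them
    """
    rate: float
    burst: int = 0
    nodelay: bool = False
    # per-key state, as in the shared zone: (excess, time of last accepted request)
    state: dict = field(default_factory=dict)

    def request(self, key: str, now: float):
        """Decide one request for `key` (e.g. $binary_remote_addr) at time `now`.

        Returns ("accept", delay_seconds) or ("reject", None).
        excess = how many requests the client is ahead of its allowance; it
        drains at `rate` per second and grows by one per accepted request.
        """
        if key not in self.state:
            excess = 0.0                        # first request ever: no backlog
        else:
            prev_excess, last = self.state[key]
            excess = max(0.0, prev_excess - self.rate * (now - last) + 1.0)
        if excess > self.burst + 1e-9:
            return ("reject", None)             # 503 (or limit_req_status); state unchanged
        self.state[key] = (excess, now)
        # without nodelay the request waits until the bucket has drained to zero
        delay = 0.0 if self.nodelay else excess / self.rate
        return ("accept", round(delay, 3))


def simulate(limiter: LimitReq, key: str, timestamps):
    """Run request timestamps through the limiter and summarise the outcome."""
    results = [limiter.request(key, t) for t in timestamps]
    accepted = [delay for verdict, delay in results if verdict == "accept"]
    return {
        "accepted": len(accepted),
        "rejected": len(results) - len(accepted),
        "max_delay": max(accepted, default=0.0),
    }


if __name__ == "__main__":
    # Constructed: one client fires 40 requests in the same instant at the
    # page's zone (rate=10r/s, burst=20); then a client that stays at exactly 10 r/s.
    burst40 = [0.0] * 40
    print("burst=20 nodelay:", simulate(LimitReq(10, 20, True), "203.0.113.9", burst40))
    print("burst=20 paced  :", simulate(LimitReq(10, 20, False), "203.0.113.9", burst40))
    print("burst=0         :", simulate(LimitReq(10, 0, True), "203.0.113.9", burst40))
    steady = [i / 10 for i in range(50)]
    print("steady 10 r/s   :", simulate(LimitReq(10, 0), "198.51.100.7", steady))
```

With the page's settings a 40-request burst gets 21 requests through (the first plus burst=20) and 19 rejections; dropping nodelay accepts the same 21 but paces the last one by two seconds, and burst=0 lets through only the first request of any instantaneous burst while a client at exactly 10 r/s is never limited.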
IP allow/deny lists
Restrict or allow access from specific IPs; rules are evaluated in order and the first match wins. Like limit_req this tests the TCP peer address, not X-Forwarded-For, so when Nginx is not the edge it is only as reliable as the realip configuration.
location /admin/ {
    allow 192.168.1.0/24;
    allow 10.0.0.1;
    deny all;
}

Security response headers
Add common security headers. always makes Nginx send them on error responses too (by default add_header only applies to 2xx and 3xx). add_header is inherited only by blocks that define no add_header of their own, so any location that adds Cache-Control or CORS headers silently drops these and must repeat them.
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
# legacy header: current browsers ignore X-XSS-Protection; a Content-Security-Policy is the real control
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Hide the version number
Do not expose the Nginx version in the Server header or on error pages (the header still reads "nginx"; removing it entirely needs a third-party module or Nginx Plus)
server_tokens off;

Logging (3)

Access log
Configure the access log format and path. Nginx escapes quotes and control characters inside logged variables (as \x22 and so on), so the fields below can be parsed with a fixed pattern.
log_format main '$remote_addr - $remote_user [$time_local] '
                '"$request" $status $body_bytes_sent '
                '"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
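Parsing the main format and running a first-pass detection over it, as an added Python example (not part of the original page). The log lines are constructed for the demonstration, and the thresholds in suspicious_clients are arbitrary starting points to tune against real traffic.

```python
"""Parse Nginx access-log lines in the `main` format and flag scanning clients.

Added example, not from the original page. The sample log is constructed.
"""
import re
from collections import Counter, defaultdict

# One group per field of the `main` log_format. Nginx escapes '"' and control
# characters inside variables as \xNN, so [^"]* is safe for each quoted field.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)

# Constructed sample, not a real log: one normal visitor and one scanner.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /admin/ HTTP/1.1" 403 153 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.9 - alice [10/Mar/2024:12:00:05 +0000] "POST /api/login?next=/ HTTP/1.1" 200 87 "https://example.com/" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one line as a dict, or None for a line that does
    not follow the main format (truncated, or from another program)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    # "$request" is "METHOD path HTTP/x"; keep the path without its query string
    method, _, rest = rec["request"].partition(" ")
    path, _, _proto = rest.rpartition(" ")
    rec["method"] = method
    rec["path"] = path.partition("?")[0]
    return rec


def suspicious_clients(lines, min_errors=3, min_ratio=0.5):
    """Flag addresses whose 4xx responses are both numerous and a large share
    of their traffic: the signature of a scanner probing for files that do not
    exist or that the allow/deny rules refuse.

    Returns {ip: {"requests": n, "client_errors": n, "paths": [...]}}.
    """
    total, errors, paths = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["remote_addr"]
        total[ip] += 1
        if 400 <= rec["status"] < 500:
            errors[ip] += 1
            paths[ip].add(rec["path"])
    return {
        ip: {"requests": total[ip], "client_errors": errors[ip], "paths": sorted(paths[ip])}
        for ip in total
        if errors[ip] >= min_errors and errors[ip] / total[ip] >= min_ratio
    }


if __name__ == "__main__":
    for ip, info in suspicious_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The output names 198.51.100.7 with four client errors across /.env, /wp-login.php, /admin/ and /.git/config; the 403 on /admin/ is exactly what the deny all rule above produces, and seeing it alongside 404s for dotfiles is a stronger signal than either alone. Feed the function the real file with open("/var/log/nginx/access.log") once the format is confirmed to match.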
Error log
Configure the error log level
# levels, least to most severe: debug info notice warn error crit alert emerg
error_log /var/log/nginx/error.log warn;

Disable logging for specific paths
Turn off access logging for static assets. This also hides probes against those extensions, so limit it to paths you will never need to investigate.
location ~* \.(js|css|png|jpg|gif|ico)$ {
    access_log off;
}

Common problems (3)

SPA routing
Vue/React single-page application routing: paths that do not exist on disk fall back to index.html so the client-side router can handle them
location / {
    root /var/www/dist;
    index index.html;
    try_files $uri $uri/ /index.html;
}

CORS
Allow cross-origin requests. A wildcard Access-Control-Allow-Origin is appropriate only for a public, unauthenticated API: browsers refuse to send credentials to a * origin, and reflecting $http_origin back without an allow-list would let any site call the API with the user's cookies. always puts the headers on 4xx/5xx responses from the backend as well, which the browser otherwise cannot read. These add_header lines replace any security headers inherited from the server level for this location.
location /api/ {
    add_header Access-Control-Allow-Origin * always;
    add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header Access-Control-Allow-Headers 'Content-Type, Authorization' always;
    if ($request_method = OPTIONS) {
        return 204;
    }
    proxy_pass http://backend;
}

Upload size limit
Raise the upload limit. The default is 1m and larger bodies are refused with 413; the limit doubles as a denial-of-service guard, so raise it only in the location that actually accepts uploads rather than globally.
# in http, server or location
client_max_body_size 100M;