posts
Nginx 配置
常用 Nginx 配置片段合集:SSL 证书、动静分离、直接返回文本、location 重写等。
SSL证书
server {
listen 443 ssl;
server_name web.guosen.com.cn;
ssl_certificate /usr/local/sdata/nginx/ssl/web.guosen.com.cn.cer;
ssl_certificate_key /usr/local/sdata/nginx/ssl/web.guosen.com.cn.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
}
直接返回内容
location = /abc/.wel-know {
default_type text/plain;
return 200 'testbbbbbbbbbbbbbbbbbbbbbbbb';
}
这样在访问 /abc/.wel-know 的时候就会直接返回 testbbbbbbbbbbbbbbbbbbbbbbbb了, 可以用来SSL验证
Nginx动静分离配置
server {
listen 80;
# 监听的域名
server_name local.momas.cc;
# /index.html -> /
if ($request_uri ~* "^(.*/)index\.html$") {
return 301 $1;
}
# 首页
location = / {
root html/local.momas.cc;
}
# 静态资源文件夹
location ^~ /static {
root html/static;
}
# 拦截静态资源文件
location ~ .*\.(html|htm|gif|jpg|jpeg|bmp|png|ico|js|css)$ {
root html/local.momas.cc;
}
# 虚拟主机1,使用指定url匹配
location /vhost1 {
proxy_pass http://localhost:8080;
}
# 虚拟主机2,使用指定url匹配
location /vhost2 {
proxy_pass http://localhost:7070;
}
}
# 拒绝所有异常地址访问,例如ip地址直接访问
server {
listen 80 default_server;
server_name _;
location / {
return 404;
}
}
可能有用的配置
try_files $uri $uri/ /index.html /index.html?$query_string;
示例
server {
listen 9527;
server_name localhost 127.0.0.1;
location / {
root html/dist;
index index.html index.htm;
add_header 'Access-Control-Allow-Origin' 10.1.18.8:8080;
# 允许携带cookie请求
add_header 'Access-Control-Allow-Credentials' 'true';
# 允许跨域请求的方法:GET,POST,OPTIONS,PUT
add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT';
# 允许请求时携带的头部信息,*表示所有
add_header 'Access-Control-Allow-Headers' *;
# 允许发送按段获取资源的请求
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
# 一定要有!!!否则Post请求无法进行跨域!
# 在发送Post跨域请求前,会以Options方式发送预检请求,服务器接受时才会正式请求
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
# 对于Options方式的请求返回204,表示接受跨域请求
return 204;
}
}
# backend
location /ops {
proxy_pass http://10.1.18.8:8080;
# CORS config start
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods '*';
add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
if ($request_method = 'OPTIONS') {
return 204;
}
# CORS config end
}
}
参考资料
WebSocket
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream websocket {
server 127.0.0.1:8086;
}
server {
listen 80;
server_name _;
location / {
proxy_pass http://websocket;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
参考
http跳https
server {
# 监听的端口
listen 80 default_server;
# 监听的域名, _表示所有域名
server_name _;
# 把所有请求重写到https
rewrite ^(.*)$ https://$host$1 permanent;
# 当服务器只支持https的时候, 就会返回497, 这个时候可以重定向到https
error_page 497 https://$server_name$request_uri;
# 所有访问80端口的请求都返回497
location / {
return 497;
}
}
技术思路
- 使用Nginx的rewrite
- 使用301状态码重定向
- 使用497状态码抛出错误并重定向
- 返回一个带meta标签的html, 使用meta刷新功能指向https域名
参考资料
负载均衡
# 代办点后端,要配置在server节点外
upstream hospital_agent_service {
server 172.16.254.149:9003 weight=1;
server 10.81.244.131:9003 weight=1;
}
server {
# 代办点导入药品接口
location = /hospital-agent-service/drug-agent-import/upload2 {
# CORS start
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods '*';
add_header Access-Control-Allow-Headers '*';
if ($request_method = 'OPTIONS') {
return 204;
}
# CORS end
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://hospital_agent_service/drug-agent-import/upload2;
}
}
反向代理转发
# /xhapi/addRp -> http://172.16.218.36:9001/hospital-xinghao-service/prescription/add
location ^~ /xhapi/addRp {
proxy_pass http://172.16.218.36:9001/hospital-xinghao-service/prescription/add;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
jenkins
server {
server_name jenkins.medtpa.me;
listen 80;
listen 443;
location / {
proxy_pass http://localhost:10000;
proxy_read_timeout 90;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
}
}
# Jenkins
server {
listen 80;
server_name jenkins.gzch120.com;
location / {
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the It appears that your reverse proxy set up is broken error.
proxy_pass http://127.0.0.1:2001;
proxy_read_timeout 90;
# proxy_redirect http://127.0.0.1:2001 https://jenkins.gzch120.com;
# Required for new HTTP-based CLI
proxy_http_version 1.1;
proxy_request_buffering off;
# workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
add_header 'X-SSH-Endpoint' 'jenkins.gzch120.com:50022' always;
}
}
静态资源
server {
listen 80;
listen 443;
server_name sw-ui.medtpa.me;
location / {
root html/sw-ui.medtpa.me;
index index.html;
}
# suffix 指定后缀
location ~* \.(mp4)$ {
root /kingseok/data/media-163;
}
}
CORS
server {
listen 80;
server_name open.medtpa.me;
location ^ /open/file/ {
alias /kingseok/data/pdf/;
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods '*';
add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
if ($request_method = 'OPTIONS') {
return 204;
}
}
}
SSL
server {
listen 443 ssl;
server_name api.agentpc.medtpa.me;
ssl_certificate /etc/nginx/ssl/api.agentpc.medtpa.me.pem;
ssl_certificate_key /etc/nginx/ssl/api.agentpc.medtpa.me.key;
location / {
proxy_pass http://localhost:7071;
# upload file size 上传文件体积最大6M
client_max_body_size 6M;
}
}
ssl 证书验证
建议把证书放到nginx配置文件目录下
./ssl文件夹内
# crp 药师审方系统
server {
listen 80;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name test.crp.gzch120.com;
ssl_certificate ssl/test.crp.gzch120.com.pem;
ssl_certificate_key ssl/test.crp.gzch120.com.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 1m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location ^~ /.well-known/pki-validation/ {
return 200 'abcdxxxxxxx';
}
location / {
root /usr/share/nginx/html/test.crp.gzch120.com;
}
}
- Configuring HTTPS servers
- 配置https时,no “ssl_certificate” is defined in server listening on SSL port while SSL handshaking
- ssl的匹配先于server的匹配Nginx 单IP下 配置多个server https 启示录
重写URL
server {
listen 80 default_server;
listen 443 ssl;
server_name _;
ssl_certificate ssl/momas.cc.crt;
ssl_certificate_key ssl/momas.cc.key;
rewrite ^(.*)$ https://$host$1 permanent;
error_page 497 https://$server_name$request_uri;
location / {
return 444;
}
}
防盗链配置
location /download {
# 加入至指定location 即可实现
valid_referers none blocked *.momas.cc;
if ($invalid_referer) {
return 403;
}
}
下载限速:
location /download {
# 限制每S下载速度
limit_rate 1m;
# 超过30 之 后在下载
limit_rate_after 30m;
}
创建IP黑名单
该配置不可直接复制使用
#封禁指定IP
deny 192.168.0.1;
allow 192.168.0.1;
#开放指定IP 段
allow 192.168.0.0/24;
#封禁所有
deny all;
#开放所有
allow all;
# 创建黑名单文件
echo 'deny 192.168.0.132;' >> balck.ip
#http 配置块中引入 黑名单文件
include black.ip;
传递真实ip
set_real_ip_from 192.168.1.0/24;
set_real_ip_from 192.168.2.1;
set_real_ip_from 2001:0db8::/32;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
支持PHP
先安装并启动php-fpm服务,然后让nginx把所有请求都转发给php-fpm服务, php-fpm默认运行端口为9000
#surpport php
server {
listen 80;
server_name blog.momas.cc;
root /usr/local/webContent/blog.momas.cc;
location ~* \.(js|css|svg)?$ { expires 12h; }
location ~* \.(gif|jpg|jpeg|png|ico|bmp|swf)$ { expires 30d; }
location / {
# root /usr/local/webContent/blog.momas.cc; #point to php root
fastcgi_pass 127.0.0.1:9000; #php-fpm default 9000
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/webContent/blog.momas.cc/$fastcgi_script_name;
include fastcgi_params;
}
}
自定义错误页
在server节点中添加
error_page 404 = /404.html, 可以把web根目录下的404.html文件设置为404错误页面
server {
listen 80;
server_name momas.cc;
error_page 404 = /404.html;
error_page 500 502 503 504 = /50x.html;
location / {
root /usr/local/webContent/momas.cc;
index index.html index.htm;
}
}
错误日志的设置
- 语法:error_log /path/file level;
- 默认:error_log logs/error.log error;
- level是日志的输出级别,取值范围是debug、info、notice、warn、error、crit、alert、emerg,