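Nginx Static Service
Static resource types
Deployed as a web server for static resources, Nginx transfers files very efficiently. It is commonly used for static resource handling, request serving, and separating dynamic from static content.
Static resource configuration syntax
1. Efficient file reads: sendfile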
Syntax: sendfile on | off;
Default: sendfile off;
Context: http, server, location, if in location
2. Improve network transfer efficiency: tcp_nopush
Syntax: tcp_nopush on | off;
Default: tcp_nopush off;
Context: http, server, location
Purpose: with sendfile enabled, improves the transfer efficiency of network packets
3. The counterpart to tcp_nopush: tcp_nodelay
Syntax: tcp_nodelay on | off;
Default: tcp_nodelay on;
Context: http, server, location
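Purpose: on keepalive connections, improves the real-time responsiveness of network transfers
Static resource file compression
1. gzip compression configuration syntax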
Syntax: gzip on | off;
Default: gzip off;
Context: http, server, location, if in location
Purpose: compresses responses for transfer
2. gzip compression level configuration syntax
Syntax: gzip_comp_level level;
Default: gzip_comp_level 1;
Context: http, server, location
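Purpose: sets the compression level (compression itself consumes a fair amount of server performance)
The Nginx `gzip_comp_level` directive sets the Gzip compression level. Valid values are 1 to 9; a larger number means a higher compression level and better compression, but correspondingly more CPU consumption.
Specifically, the levels correspond to:
- 1: fastest compression, lowest compression ratio.
- 2: fast compression, slightly low compression ratio.
- 3: fast compression, average compression ratio.
- 4: moderate compression, fairly high compression ratio.
- 5: moderate compression, higher compression ratio.
- 6: stronger compression, somewhat slower than level 5, higher compression ratio.
- 7: stronger compression, somewhat slower than level 6, very high compression ratio.
- 8: very strong compression, somewhat slower than level 7, extremely high compression ratio.
- 9: strongest compression, much slower than level 8, highest compression ratio.
The default is 1, which compresses fastest but with the lowest ratio, so in practice it should be tuned to the situation. For example, an application with high bandwidth and limited CPU can try a lower compression level, while one with low bandwidth and ample CPU can try a higher level to get better compression.
3. gzip HTTP protocol version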
Syntax: gzip_http_version 1.0 | 1.1;
Default: gzip_http_version 1.1;
Context: http, server, location
Purpose: which HTTP protocol version compression is used with; the mainstream version is 1.1
4. Extended compression module
Syntax: gzip_static on | off | always;
Default: gzip_static off;
Context: http, server, location
Purpose: gzip pre-read, i.e. serving a file that was compressed ahead of time
5. Image compression example
[root@Nginx conf.d]# mkdir -p /soft/code/images
[root@Nginx conf.d]# cat static_server.conf
server {
    listen 80;
    server_name static.wingsredevsecops.top;
    sendfile on;
    access_log /var/log/nginx/static_access.log main;

    # Match image files by extension
    location ~ .*\.(jpg|gif|png)$ {
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 9;
        gzip_types text/plain application/json application/x-javascript
                   application/css application/xml application/xml+rss text/javascript
                   application/x-httpd-php image/jpeg image/gif image/png;
        root /soft/code/images;
    }
}
6. File compression example
[root@Nginx conf.d]# mkdir -p /soft/code/doc
[root@Nginx conf.d]# cat static_server.conf
server {
    listen 80;
    server_name static.wingsredevsecops.top;
    sendfile on;
    access_log /var/log/nginx/static_access.log main;

    # Match text documents by extension
    location ~ .*\.(txt|xml)$ {
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 1;
        gzip_types text/plain application/json application/x-javascript application/css
                   application/xml application/xml+rss text/javascript application/x-httpd-php
                   image/jpeg image/gif image/png;
        root /soft/code/doc;
    }
}
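An added example, not part of the original page: a variant of the two configurations above that compresses text formats at a middle level, serves precompressed files through gzip_static, and leaves jpg/gif/png uncompressed, because those formats are already compressed and gain little from gzip. Level 5, the 1000-byte threshold, the extra file extensions and the file name foo.txt are assumptions chosen for illustration; gzip_static requires nginx built with ngx_http_gzip_static_module.

```nginx
# Added example (not from the original page); values are illustrative assumptions.
server {
    listen 80;
    server_name static.wingsredevsecops.top;
    sendfile on;
    access_log /var/log/nginx/static_access.log main;

    # Text formats compress well: gzip on the fly at a middle level.
    location ~ \.(txt|xml|css|js|json)$ {
        root /soft/code/doc;
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 5;        # assumption: a middle point between 1 and 9
        gzip_min_length 1000;     # skip responses too small to benefit
        gzip_vary on;             # send "Vary: Accept-Encoding" for caches
        gzip_types text/plain text/css application/xml application/json
                   application/javascript text/javascript;

        # If /soft/code/doc/foo.txt.gz exists (hypothetical file), it is sent
        # instead of compressing foo.txt on every request. Build it at deploy
        # time, for example:  gzip -k -9 /soft/code/doc/foo.txt
        gzip_static on;
    }

    # jpg/gif/png are already compressed; gzip costs CPU for almost no gain.
    location ~ \.(jpg|gif|png)$ {
        root /soft/code/images;
        gzip off;
    }
}
```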
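Browser caching of static resources
Caching mechanisms defined by the HTTP protocol (e.g. Expires, Cache-Control)
1. Browser without a cache
Browser request -> no cache -> request the web server -> response -> render
2. Browser with a cache
Browser request -> cache present -> check expiry -> check for updates -> render
Expiry check: Expires (HTTP/1.0), Cache-Control max-age (HTTP/1.1)
ETag header validation in the protocol: ETag ()
Last-Modified header validation: Last-Modified (a specific time)
1. Cache configuration syntax: expires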
Syntax: expires [modified] time;
expires epoch | max | off;
Default: expires off;
Context: http, server, location, if in location
Purpose: adds the Cache-Control and Expires headers
2. Configure static resource caching
static_server.conf
location ~ .*\.(js|css|html)$ {
    root /soft/code/images;
    expires 1h;
}
location ~ .*\.(jpg|gif|png)$ {
    root /soft/code/images;
    expires 7d;
}
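3. While code is still in development and not yet live, static files should not be cached
# Disable caching for js, css, html and other static files
location ~ .*\.(css|js|swf|json|mp4|htm|html)$ {
    add_header Cache-Control no-store;
    add_header Pragma no-cache;
}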
Cross-origin access to static resources
Nginx cross-origin access configuration
Syntax: add_header name value [always];
Default: —
Context: http, server, location, if in location
Access-Control-Allow-Origin
1. Prepare the html file
// Add the cross-origin test file to the origin.wingsredevsecops.top site
[root@Nginx ~]# cat /soft/code/origin/http_origin.html
<html lang="en">
<head>
    <meta charset="UTF-8" />
    <title>测试ajax和跨域访问</title>
    <script src="http://libs.baidu.com/jquery/2.1.4/jquery.min.js"></script>
    <script type="text/javascript">
    // On page load, send a cross-origin GET to wing.com and report the result
    $(document).ready(function(){
        $.ajax({
            type: "GET",
            url: "http://wing.com",
            success: function(data) {
                alert("success!!!");
            },
            error: function() {
                alert("fail!!,请刷新再试!");
            }
        });
    });
    </script>
</head>
<body>
    <h1>测试跨域访问</h1>
</body>
</html>
2. Configure Nginx cross-origin access
// Allow cross-origin access from the origin.wingsredevsecops.top domain
[root@180-143 conf.d]# cat origin.conf
server {
    listen 80;
    server_name origin.wingsredevsecops.top;
    sendfile on;
    access_log /var/log/nginx/kuayu.log main;

    location ~ .*\.(html|htm)$ {
        root /soft/code/origin;
    }
}
wing.conf
server {
    listen 80;
    server_name wing.com;
    root /soft/code/wing.com/;
    index index.html index.htm;
    # Note: browsers reject credentialed requests when Allow-Origin is the wildcard *
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Credentials true;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
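An added example, not part of the original page: a variant of wing.conf that returns the CORS grant only to origins on an allowlist, which is what a credentialed cross-origin request needs, since browsers do not accept the wildcard * together with credentials. The allowlist contents, the variable names $cors_origin and $cors_credentials, the shortened Allow-Headers list and the use of map are assumptions; the map blocks belong in the http context.

```nginx
# Added example (not from the original page). Place the map blocks in http {}.
# $cors_origin stays empty unless the request's Origin is on the allowlist.
map $http_origin $cors_origin {
    default                               "";
    "http://origin.wingsredevsecops.top"  $http_origin;
}

# Only announce credential support to origins that passed the allowlist.
map $cors_origin $cors_credentials {
    ""       "";
    default  "true";
}

server {
    listen 80;
    server_name wing.com;
    root /soft/code/wing.com/;
    index index.html index.htm;

    # nginx does not emit a header whose value is an empty string, so
    # origins outside the allowlist receive no Access-Control-* grant.
    add_header Access-Control-Allow-Origin      $cors_origin always;
    add_header Access-Control-Allow-Credentials $cors_credentials always;
    # The response now depends on Origin; tell caches to key on it.
    add_header Vary Origin always;

    location / {
        # Answer the CORS preflight directly. add_header directives are not
        # inherited once a block declares its own, so they are repeated here.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $cors_origin;
            add_header Access-Control-Allow-Credentials $cors_credentials;
            add_header Access-Control-Allow-Methods     'GET, POST, OPTIONS';
            add_header Access-Control-Allow-Headers     'X-Requested-With,Content-Type';
            add_header Vary Origin;
            return 204;
        }
    }
}
```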
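Static resource hotlink protection
Hotlinking means displaying on your own pages content that is not hosted on your own server: the hotlinker obtains the address of a resource on someone else's server by technical means, bypasses that site's own display pages, and serves the content to users from their own pages. This reduces the load on the hotlinker's server, because the real storage and traffic come from the other party's server.
Approach to hotlink protection: distinguish which requests do not come from normal users
Hotlink protection configuration based on the HTTP Referer header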
Syntax: valid_referers none | blocked | server_names | string ...;
Default: —
Context: server, location
refer.conf
server {
    listen 80;
    server_name refer.wingsredevsecops.top;
    root /soft/code/refer/;
    index index.html index.htm;
}
1. Prepare the html file
<html>
<head>
<meta charset="utf-8">
<title>pachong</title>
</head>
<body style="background-color:red;">
<img src="http://static.wingsredevsecops.top/gzip_image.png">
</body>
</html>
2. Enable hotlink protection
static_server.conf
# IP addresses, domain names and regular expressions are supported
location ~ .*\.(jpg|gif|png)$ {
    valid_referers none blocked static.wingsredevsecops.top;
    if ($invalid_referer) {
        return 403;
    }
    root /soft/code/images;
}
3. Verify
// Request with a forged Referer header
Wing-MacBook-Pro:~ egrep $ curl -e "http://www.baidu.com" -I static.wingsredevsecops.top/gzip_image.png
HTTP/1.1 403 Forbidden
Server: nginx/1.24.0
Date: Fri, 14 Apr 2023 11:41:40 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
// Request with a forged Referer header
Wing-MacBook-Pro:~ egrep $ curl -v -e "http://10.1.106.70" -I http://10.1.106.70/gzip_image.png
* Trying 10.1.106.70:80...
* Connected to 10.1.106.70 (10.1.106.70) port 80 (#0)
> HEAD /gzip_image.png HTTP/1.1
> Host: 10.1.106.70
> User-Agent: curl/7.85.0
> Accept: */*
> Referer: http://10.1.106.70
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.24.0
Server: nginx/1.24.0
< Date: Fri, 14 Apr 2023 11:42:59 GMT
Date: Fri, 14 Apr 2023 11:42:59 GMT
< Content-Type: image/png
Content-Type: image/png
< Content-Length: 173805
Content-Length: 173805
< Last-Modified: Sun, 02 Apr 2023 11:58:37 GMT
Last-Modified: Sun, 02 Apr 2023 11:58:37 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "64296ded-2a6ed"
ETag: "64296ded-2a6ed"
< Accept-Ranges: bytes
Accept-Ranges: bytes
<
* Connection #0 to host 10.1.106.70 left intact
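An added example, not part of the original page: the Referer header is supplied by the client, as the forged-header requests above show, so this variant spells out what each valid_referers parameter accepts and writes every rejected request to its own log for review. The example.org and example.net patterns, the hotlink_denied.log path, and the assumption that the main log format records $http_referer are illustrative.

```nginx
# Added example (not from the original page); patterns and log path are assumptions.
server {
    listen 80;
    server_name static.wingsredevsecops.top;
    sendfile on;
    access_log /var/log/nginx/static_access.log main;

    location ~ \.(jpg|gif|png)$ {
        root /soft/code/images;

        # none          no Referer header at all (direct visit, curl without -e)
        # blocked       Referer present but stripped by a proxy or firewall
        #               (value does not start with http:// or https://)
        # server_names  any name listed in this server's server_name
        # 10.1.106.70   a literal host, here the IP used in the test above
        # *.example.org wildcard host name (placeholder domain)
        # ~regex        regular expression, matched against the text that
        #               follows the http:// or https:// scheme
        valid_referers none blocked server_names
                       10.1.106.70
                       *.example.org
                       ~^img\d+\.example\.net/;

        # $invalid_referer is "1" for a Referer outside the list, else empty.
        # Declaring access_log here replaces the inherited one, so both are
        # listed: the normal log, plus a log that only gets rejected requests.
        access_log /var/log/nginx/static_access.log main;
        access_log /var/log/nginx/hotlink_denied.log main if=$invalid_referer;

        if ($invalid_referer) {
            return 403;
        }
    }
}
```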
