nginx的优化
配置文件:nginx.conf
# Main (global) context: process-level settings and the events block.
# NOTE(review): "user" is commented out, so workers run under nginx's built-in
# default account; confirm that account is unprivileged on this host.
#user nobody;
# Fixed number of worker processes.
worker_processes 4;
# Commented-out CPU pinning examples: one bitmask per worker (2, 4 and 8 workers).
#worker_cpu_affinity 01 10;
#worker_cpu_affinity 0001 0010 0100 1000;
#worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
# NOTE(review): worker_rlimit_nofile is disabled while worker_connections below is
# 20480; verify the OS open-file limit for the workers is high enough, otherwise
# connections fail once the descriptor limit is hit.
#worker_rlimit_nofile 65535;
# All error_log lines are commented out, so the compiled-in default error log is used.
# Keep an error log that is collected somewhere; it is the first source for incident review.
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
events {
# Maximum simultaneous connections per worker (clients and proxied upstreams both count).
worker_connections 20480;
}
# http context: settings shared by every virtual host pulled in by the include at the end.
http {
include mime.types;
default_type application/octet-stream;
# Hide the nginx version in the Server header and on generated error pages.
server_tokens off;
sendfile on; # enable efficient file transfer; avoids blocking I/O
tcp_nopush on; # reduce the number of network packets
tcp_nodelay on; # improve I/O performance
# NOTE(review): the timeouts below are in seconds (6000 s = 100 min, 1000 s is about
# 17 min). Long header/body/keepalive timeouts let slow or idle clients hold a
# worker_connections slot for a long time (slow-request exhaustion); confirm these
# values are really required and prefer short ones on internet-facing listeners.
keepalive_timeout 6000;
client_header_timeout 1000;
client_body_timeout 6000;
# Send RST and free memory immediately for connections that time out.
reset_timedout_connection on;
send_timeout 6000;
charset UTF-8;
gzip on;
gzip_disable "msie6";
# Compress responses to proxied requests regardless of their headers.
gzip_proxied any;
gzip_min_length 1000;
gzip_comp_level 6; # compression level; 9 is the maximum and costs the most CPU
# NOTE(review): compression of HTTPS responses that mix secrets with reflected
# request data is the precondition for BREACH-style leaks; confirm that does not
# apply to the JSON/HTML served here.
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
open_file_cache max=100000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# NOTE(review): nginx defaults are 1k and "4 8k"; 1024k buffers let a single
# connection pin megabytes of header memory, which multiplies badly against
# 20480 connections per worker. Size these to the largest legitimate header.
client_header_buffer_size 1024k;
large_client_header_buffers 4 1024k;
# NOTE(review): a wildcard origin lets any website read non-credentialed responses
# from every vhost; restrict it to the origins that need it. These three headers are
# inherited by a server/location only if that level defines no add_header of its
# own, and without "always" they are not added to error responses.
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Headers X-Requested-With;
add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
# Virtual hosts live in extras/*.conf.
include extras/*.conf;
}
Vhosts配置:
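# Plain-HTTP virtual host: every request is redirected to the HTTPS site.
server {
    listen 80;
    server_name cqjd.yhjyzx.com;
    # Redirect HTTP to HTTPS. "return" does the same 301 as the former
    # "rewrite ^/(.*) ... permanent" without evaluating a regex per request.
    # $server_name is the configured name, not the client-supplied Host header,
    # so the redirect target cannot be steered by the request.
    return 301 https://$server_name$request_uri;
}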
ssl证书server块配置:
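# TLS settings; these directives belong inside the HTTPS server { } block.
listen 443 default ssl; # add "default ssl" when the browser reports an ssl_error protocol error
server_name www.xxxx.com;
# NOTE(review): 1000m accepts request bodies up to about 1 GB; keep this only on
# the locations that really take large uploads.
client_max_body_size 1000m;
ssl_certificate 证书.pem;
# Private key: readable only by the account that starts nginx.
ssl_certificate_key 证书.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996) and were removed from this list.
# Append TLSv1.3 when the installed nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;
# 3DES is excluded (64-bit block cipher, SWEET32) instead of being enabled via
# RSA+3DES; clients limited to TLSv1.0/3DES will no longer be able to connect.
ssl_ciphers ECDH:AESGCM:HIGH:!3DES:!RC4:!DH:!MD5:!aNULL:!eNULL;
ssl_prefer_server_ciphers on;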
静态文件正则加载:
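# Static assets under /plugins/, /js/ and /styles/ are served from the staticfile root.
location ~ ^/(plugins|js|styles)/ {
    root /usr/local/nginx/html/staticfile/;
    # Directory listings are switched off: with "autoindex on" every file in
    # these directories (backups, source maps, stray uploads) is enumerable by
    # any visitor. Re-enable only on a deliberately public download area.
    autoindex off;
    expires 30d; # reduce site bandwidth and speed up access
}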
location块配置:
# Forbid direct access from the browser: uncommenting "internal" makes the
# location reachable only through internal redirects (error_page, try_files,
# rewrite, X-Accel-Redirect), not through client requests.
# internal;
# Cap the response transfer rate at 2048k bytes per second per request
# (not per client: several parallel requests each get the full rate).
limit_rate 2048k;
Url字段匹配正则: http://127.0.0.1/$values/xxxx
# Default location: serve files from root and hand anything that matches no
# file or directory to the @rewrites named location.
location / {
# NOTE(review): because this level defines its own add_header, the add_header
# lines from the http level are not inherited here; only this wildcard CORS header
# is sent. A wildcard origin lets any website read non-credentialed responses.
add_header Access-Control-Allow-Origin *;
root /data/java/statisui/bidderui;
# NOTE(review): an error_page target that is an absolute URL is answered with a
# redirect, and nginx documents that "=code" can then only select a redirect
# status, so "=200" presumably does not take effect. $host is taken from the
# client's request line/Host header, so the redirect target is client-influenced;
# an internal URI or a fixed host name avoids that. Confirm the intent.
error_page 405 =200 http://$host$request_uri;
try_files $uri $uri/ @rewrites;
}
# Named fallback used by try_files in "location /": every unmatched path is
# rewritten to /index.html and location matching restarts ("last").
location @rewrites {
rewrite ^(.*)$ /index.html last;
}
WebSocket 添加nginx配置: 添加在proxy_pass的下边 有时会报错
# WebSocket proxying: the upgrade handshake needs HTTP/1.1 to the upstream and
# the hop-by-hop Upgrade/Connection headers set explicitly.
proxy_http_version 1.1;
# Forward the client's Upgrade header value to the upstream.
proxy_set_header Upgrade $http_upgrade;
# NOTE(review): "Upgrade" is sent on every proxied request in this location, also
# on ordinary HTTP requests; the nginx docs derive the value from $http_upgrade
# with a map block instead. Keep these lines only in the WebSocket location.
proxy_set_header Connection "Upgrade";
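Nginx默认会丢弃名称中带有下划线的请求头(Header)
在nginx.conf文件的http部分添加: underscores_in_headers on;(默认值是off)。注意:默认丢弃是为了避免下划线与连字符在映射为CGI/后端变量时产生歧义(例如 X_Forwarded_For 与 X-Forwarded-For 会变成同一个变量),开启后应确认后端不会把这两种写法当作同一个字段来信任。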
添加html显示 在location / 模块下新增
# Inside "location /": mark .htm/.html responses (case-insensitive match on the
# resolved file name) as non-cacheable so browsers always fetch the current page.
# NOTE(review): add_header inside this "if" replaces the add_header directives of
# the enclosing levels for matching requests, so CORS or X-Frame-Options headers
# set above are not sent with HTML responses unless they are repeated here.
if ($request_filename ~* .*\.(?:htm|html)$)
{
add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
}
Nginx 设置缓存静态资源:location 块平级
# Sibling of the other location blocks: image/video/archive files (matched by
# extension, case-sensitive) get a one-hour client cache lifetime.
# NOTE(review): regex locations are checked in file order and win over the plain
# "location /" prefix, so try_files and headers of "location /" do not apply here.
location ~ .*\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$
{
expires 1h;
}
不安全的方法:
OPTIONS method is enabled
```
# Reject the OPTIONS and TRACE methods with 403.
# NOTE(review): the http block on this page advertises OPTIONS in
# Access-Control-Allow-Methods; returning 403 for OPTIONS makes every CORS
# preflight fail, so apply this only where cross-origin calls are not expected.
if ($request_method = OPTIONS ) {
return 403;
}
# NOTE(review): stock nginx is known to answer TRACE with 405 by itself; confirm
# for the build in use before relying on this block. 405 (method not allowed)
# would also describe the refusal more precisely than 403.
if ($request_method = TRACE ) {
return 403;
}
```
2. 1. Clickjacking: X-Frame-Options header missing
```
# Clickjacking defence: only pages of the same origin may frame this site.
# NOTE(review): without the "always" parameter nginx adds the header only to
# 2xx/3xx responses, not to error pages, and the header is dropped in any
# server/location/if that defines its own add_header. The standardized successor is
# Content-Security-Policy "frame-ancestors 'self'"; sending both covers old and new
# browsers.
add_header X-Frame-Options SAMEORIGIN;
