Nginx Basic Configuration

Below is a standard Nginx reverse-proxy configuration template with security hardening and performance tuning parameters, suitable for most web application scenarios:

```nginx
# Global settings
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    # Basic settings
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;  # hide the Nginx version string

    # SSL tuning
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;

    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    # GZIP compression
    gzip on;
    gzip_min_length 1k;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml;

    # Send "Connection: upgrade" to the backend only for WebSocket handshakes.
    # An empty value drops the header, so ordinary requests can reuse the
    # upstream keepalive connections declared below.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      "";
    }

    # Reverse proxy: plain HTTP listener
    server {
        listen 80;
        server_name your-domain.com;
        return 301 https://$host$request_uri;  # force HTTPS
    }

    server {
        listen 443 ssl http2;
        server_name your-domain.com;

        # SSL certificate
        ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

        # Security headers
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

        # Static asset caching
        location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
            # add_header is inherited from the server level only when a location
            # sets none of its own, so the security headers must be repeated here.
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            # One year; a single header instead of "expires 365d" plus a second Cache-Control
            add_header Cache-Control "public, max-age=31536000, immutable";
            proxy_pass http://backend;
            proxy_cache proxy_cache;
            proxy_cache_valid 200 304 12h;
        }

        # Main reverse proxy block
        location / {
            proxy_pass http://backend;  # backend server group

            # Pass client address and protocol to the backend
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Timeouts and buffers
            proxy_connect_timeout 60s;
            proxy_send_timeout 600s;
            proxy_read_timeout 600s;
            proxy_buffer_size 4k;
            proxy_buffers 8 16k;

            # WebSocket support (HTTP/1.1 is also required for upstream keepalive)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        # Health check endpoint
        location /health-check {
            access_log off;
            # default_type sets the Content-Type of the returned body;
            # add_header Content-Type would emit a duplicate header.
            default_type text/plain;
            return 200 "OK";
        }

        # Deny access to sensitive paths.
        # Regex locations are matched in order of appearance, so a request for one of
        # these paths with a static-asset extension is handled by the caching block
        # above; move this block before it if the paths must be denied regardless.
        location ~* /(\.git|\.env|config|backup) {
            deny all;
        }
    }

    # Backend server group
    upstream backend {
        server 192.168.1.100:8080 weight=5;  # primary node
        server 192.168.1.101:8080 backup;     # backup node
        keepalive 32;
    }

    # Cache storage
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=proxy_cache:10m inactive=60m;
}
```

Key Directives Explained

| Directive | Purpose |
| --- | --- |
| proxy_set_header | Passes the real client IP and protocol information through to the backend |
| proxy_http_version | Enables the WebSocket protocol upgrade (HTTP/1.1) |
| ssl_protocols | Disables legacy SSL/TLS versions (TLSv1.2+ only) |
| add_header | Security response headers against XSS, clickjacking and similar attacks |
| proxy_cache | Caches static assets to reduce backend load |
| keepalive | Reuses long-lived upstream connections for better performance |
| health-check | Provides a health check endpoint for load-balancer monitoring |
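The table lists what each directive is for; the pitfalls are in how they combine, above all the add_header inheritance rule (a location that sets any add_header of its own loses the server-level security headers). As an added example, not part of the original post, the following Python auditor parses an nginx config into blocks and reports three things from the template: `server_tokens` not off, legacy versions in `ssl_protocols`, and locations whose own `add_header` drops the security headers. The tokenizer only covers the syntax used by this template (no `#` inside quoted strings), and the embedded config is a constructed sample, not a real site.

```python
import re

# nginx inherits add_header from the enclosing level only when the current level sets none of its
# own, so a location with its own add_header (the static-asset block) silently drops these headers.
REQUIRED_HEADERS = {"X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse(text):
    # Strip comments, then tokenize into quoted strings, braces/semicolons and bare words;
    # returns nested (name, args, children) tuples, children is None for simple directives.
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', re.sub(r"#[^\n]*", "", text))
    stack, current = [[]], []
    for tok in tokens:
        if tok == "{":  # block directive: record it and descend into its children
            block = (current[0], current[1:], [])
            stack[-1].append(block)
            stack.append(block[2])
            current = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":  # simple directive
            stack[-1].append((current[0], current[1:], None))
            current = []
        else:
            current.append(tok.strip("\"'"))
    return stack[0]

def audit(block, path="", inherited=frozenset()):
    # Returns findings for server_tokens, legacy TLS versions and headers lost inside a location.
    findings = []
    local = {args[0] for name, args, _ in block if name == "add_header"}
    effective = local or inherited  # the inheritance rule described above
    if local and path.endswith("/location") and REQUIRED_HEADERS - effective:
        findings.append(f"{path}: add_header here drops inherited headers, missing {sorted(REQUIRED_HEADERS - effective)}")
    for name, args, children in block:
        if name == "server_tokens" and args != ["off"]:
            findings.append(f"{path}: server_tokens should be off")
        if name == "ssl_protocols" and LEGACY_PROTOCOLS & set(args):
            findings.append(f"{path}: legacy protocols enabled {sorted(LEGACY_PROTOCOLS & set(args))}")
        if children is not None:
            findings += audit(children, f"{path}/{name}", effective)
    return findings
# Constructed sample mirroring the template's HTTPS server block and its static-asset location.
SAMPLE = r"""http { server_tokens off; ssl_protocols TLSv1.2 TLSv1.3;
  server {
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    location ~* \.(css|js)$ { add_header Cache-Control "public, immutable"; proxy_pass http://backend; }
    location / { proxy_pass http://backend; }
  }
}"""
```

Running `audit(parse(SAMPLE))` reports the `/http/server/location` block for the lost headers and nothing else; the `location /` block inherits the server-level headers because it sets none of its own.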

Quick Start

1. Replace the following placeholders:

    • your-domain.com ➔ your real domain name
    • /etc/letsencrypt/... ➔ the real certificate paths
    • 192.168.1.100:8080 ➔ the backend service addresses

2. Validate the configuration:

```bash
sudo nginx -t
```

3. Reload the configuration:

```bash
sudo systemctl reload nginx
```

Advanced Tuning Suggestions

1. Security hardening

```nginx
# Limit the request body size
client_max_body_size 10m;

# Rate and connection limiting (basic DDoS mitigation). The zones are declared in the
# http block and only take effect where limit_req / limit_conn reference them,
# for example inside location /:
#     limit_req zone=req_limit burst=20 nodelay;
#     limit_conn conn_limit 20;
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
```

2. Performance tuning

```nginx
# Enable Brotli compression (requires the ngx_brotli module to be built in)
brotli on;
brotli_types text/plain text/css application/json application/javascript;

# Raise the open file descriptor limit (main context, outside http {})
worker_rlimit_nofile 65535;
```

3. Log analysis

```nginx
# Separate log for slow-request analysis: records the upstream response time of each request
log_format slow '$remote_addr - $request [$time_local] $upstream_response_time';
access_log /var/log/nginx/slow.log slow buffer=32k flush=5m;
```
Posted @ 2025-03-05 13:53 by 低端逆袭