Linux - Nginx 配置优化

# 主要配置文件

#user  nobody;
# Start one worker process per CPU core, detected automatically.
worker_processes auto;

# Upper bound on file descriptors a single worker may hold open. The author
# notes that the effective limit is the smallest of this value, the shell
# ulimit / /etc/security/limits settings and, when nginx is started as a
# service, the unit's LimitNOFILE.
worker_rlimit_nofile 65535;

# Nice value for worker processes; -20 is the highest scheduling priority.
# NOTE(review): at -20 a saturated nginx can starve sshd, log shippers and
# monitoring agents on the same host, which hurts incident response; use a
# milder value unless the machine is dedicated to nginx.
worker_priority -20;

# CPU affinity: bind each worker to a CPU automatically so workers are not
# moved back and forth between cores.
worker_cpu_affinity auto;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    # Maximum simultaneous connections per worker. The author's rule is that
    # this follows the same open-file limits as worker_rlimit_nofile.
    # NOTE(review): 100000 is larger than the worker_rlimit_nofile of 65535
    # set in the main context, so the file-descriptor limit is reached first;
    # confirm which of the two values is intended.
    worker_connections 100000;

    # Thundering-herd control: workers take turns accepting new connections.
    # Author's guidance: off for high concurrency, on for low concurrency.
    accept_mutex on;

    # When on, a worker accepts every pending connection at once instead of
    # one connection per wake-up.
    multi_accept on;
}


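http {
    # Extension-to-MIME-type table.
    include       mime.types;
    # Content-Type used when the extension is not found in mime.types.
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    # Do not print the nginx version in the Server header or on error pages.
    # The author notes the banner can also be changed by editing nginx.h and
    # rebuilding from source. Hiding the version only removes a fingerprinting
    # aid; it is not a substitute for patching.
    server_tokens off;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    # First value: how long the server keeps an idle keep-alive connection open.
    # Second value: the timeout advertised to the client in the Keep-Alive header.
    keepalive_timeout  60 65;

    # JSON access log format, intended for ingestion by ELK.
    #   responsetime  - total time spent processing the request
    #   upstreamtime  - time the backend application server took to respond
    #   upstreamhost  - address of the backend that handled the request
    #   xff           - X-Forwarded-For request header, copied as sent
    #   tcp_xff       - client address taken from the PROXY protocol header
    # escape=json makes nginx JSON-escape every variable value. Without it a
    # request header such as User-Agent or Referer that contains a double quote
    # or backslash produces a malformed or misleading record in the pipeline.
    # xff is client-supplied and must not be treated as the real client
    # address; clientip ($remote_addr) is the peer address nginx itself saw.
    log_format access_json escape=json
        '{"@timestamp":"$time_iso8601",'
        '"host":"$server_addr",'
        '"clientip":"$remote_addr",'
        '"size":$body_bytes_sent,'
        '"responsetime":$request_time,'
        '"upstreamtime":"$upstream_response_time",'
        '"upstreamhost":"$upstream_addr",'
        '"http_host":"$host",'
        '"uri":"$uri",'
        '"xff":"$http_x_forwarded_for",'
        '"referer":"$http_referer",'
        '"tcp_xff":"$proxy_protocol_addr",'
        '"http_user_agent":"$http_user_agent",'
        '"status":"$status"}';

    # Per-virtual-host server blocks are kept in separate files.
    include /apps/nginx/conf.d/*.conf;
}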

 

主机www.noise.org

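server {
    listen 80;

    # TLS listener.
    # NOTE(review): the original comment labelled this "HSTS", but no
    # Strict-Transport-Security header is set anywhere in this block, so HSTS
    # is not enabled; it needs an add_header on the HTTPS responses.
    # NOTE(review): no ssl_protocols or ssl_ciphers are set in this block, so
    # the defaults of this nginx build apply; pin them explicitly when hardening.
    listen 443 ssl;
    # NOTE(review): the certificate files are named for noisedu.cn while
    # server_name is www.noise.org. Unless the certificate also covers this
    # host name, clients fail verification (the HTTPS request shown on this
    # page is made with curl --insecure).
    ssl_certificate /data/certs/noisedu.cn.pem;
    # Private key: keep the file readable by root only.
    ssl_certificate_key /data/certs/noisedu.cn.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;

    # Host name
    server_name www.noise.org;

    # Error log
    error_log /data/nginx_error.log;

    # Custom error page for 500/502/503/504/404.
    error_page 500 502 503 504 404 /error.html;
    location /error.html {
        alias /data/error/index.html;
    }

    location /images {
        root /data;
        index index.html index.htm;
        # Requests under /images are written to their own JSON access log.
        # (The original comment said the log was switched off; the directive
        # actually enables it.)
        access_log /data/www/access_json.log access_json;
        # Redirect plain-HTTP requests to HTTPS. This applies to /images only;
        # every other location in this server is still reachable over HTTP.
        if ( $scheme = http ) {
            rewrite ^/(.*)$ https://www.noise.org/$1 redirect;
        }
    }

    # Status page (stub_status) behind HTTP Basic authentication.
    # NOTE(review): this server also listens on port 80 and nothing here forces
    # HTTPS, so the Basic credentials (base64 only) travel in cleartext when
    # the page is requested over HTTP, as in the curl example on this page.
    # Serve it over TLS only and/or restrict it by source address.
    location /status {
        stub_status;
        auth_basic "admin log";
        auth_basic_user_file /apps/nginx/conf.d/.htpasswd;
    }

    # Directory listing / download demo.
    # The prefix ends in a slash to match the trailing slash on the alias;
    # with a bare "/list" prefix and a slash-terminated alias, a request path
    # can resolve outside the aliased directory.
    # NOTE(review): /etc is used here only as a convenient directory for the
    # demo. With autoindex on, every file in it that the worker user can read
    # is listed and downloadable without authentication. Point the alias at a
    # dedicated download directory before using this anywhere real.
    location /list/ {
        alias /etc/;

        autoindex on;                # enable the browsable download listing
        autoindex_localtime on;      # show timestamps in local time
        autoindex_exact_size off;    # show rounded, human-readable sizes

        gzip on;                     # compress responses
        gzip_comp_level 9;           # compression level, 9 is the maximum
        gzip_min_length 10k;         # responses smaller than this are not compressed
        # MIME types to compress; the default is text/html and "*" matches any
        # type. The original line had no terminating semicolon, so the
        # following gzip_vary line was parsed as extra arguments of gzip_types.
        gzip_types *;
        gzip_vary on;                # add "Vary: Accept-Encoding" to responses
    }

    #location / {
        #root /data/music;
        # Try several files in turn; per the author a 500 is returned when
        # none of them can be served.
        #try_files $uri $uri.html /about/default.html;
    #}

    # Third-party module - http://github.com/openresty/echo-nginx-module.git
    location /echo {
        echo $remote_user;
        default_type text/html;
        echo "hello world,main-->";
        echo $remote_addr ;
        echo_reset_timer;
        echo "took $echo_timer_elapsed sec for total.";
    }
}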

 

 

主机mobile.noise.org

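server {
    listen 80;
    server_name mobile.noise.org;

    # Serve /images/... from /data/mobile/, reachable from one address only.
    # The prefix ends in a slash to match the trailing slash on the alias;
    # with a bare "/images" prefix and a slash-terminated alias, a request path
    # can resolve outside /data/mobile/.
    location /images/ {
        alias /data/mobile/;
        index index.html index.htm;
        # Access rules are evaluated in order: the single allowed client first,
        # then everyone else is refused with 403.
        allow 10.0.0.15;
        deny all;
    }
}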

 

访问

[15:39:19 root@centos8 ~]#curl -I http://www.noise.org/status
HTTP/1.1 401 Unauthorized
Server: nginx/1.20.0
Date: Sat, 17 Jul 2021 07:39:27 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
WWW-Authenticate: Basic realm="admin log"

[16:44:12 root@centos8 ~]#curl -I http://mobile.noise.org
HTTP/1.1 200 OK
Server: nginx/1.20.0
Date: Sat, 17 Jul 2021 09:11:17 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sun, 11 Jul 2021 13:12:18 GMT
Connection: keep-alive
Keep-Alive: timeout=65
ETag: "60eaee32-264"
Accept-Ranges: bytes


[18:21:33 root@centos8 ~]#curl -I --insecure  https://www.noise.org/images
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 17 Jul 2021 10:22:44 GMT
Content-Type: text/html
Content-Length: 162
Location: https://www.noise.org/images/
Connection: keep-alive
Keep-Alive: timeout=65

[18:02:58 root@centos8 ~]#curl --head --compressed http://www.noise.org/list/ld.so.cache 
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 17 Jul 2021 10:03:30 GMT
Content-Type: application/octet-stream
Last-Modified: Sat, 17 Jul 2021 09:18:25 GMT
Connection: keep-alive
Keep-Alive: timeout=65
ETag: W/"60f2a061-430b"
Content-Encoding: gzip


[16:44:12 root@centos8 ~]#curl -I http://mobile.noise.org
HTTP/1.1 200 OK
Server: nginx/1.20.0
Date: Sat, 17 Jul 2021 09:11:17 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sun, 11 Jul 2021 13:12:18 GMT
Connection: keep-alive
Keep-Alive: timeout=65
ETag: "60eaee32-264"
Accept-Ranges: bytes


[15:38:13 root@centos8 ~]#curl -I http://xiaoqiang:123456@www.noise.org/status
HTTP/1.1 200 OK
Server: nginx/1.20.0
Date: Sat, 17 Jul 2021 07:39:19 GMT
Content-Type: text/plain
Content-Length: 97
Connection: keep-alive

 

 

高级配置 - 7 层代理与4层伪代理(stream)

[16:03:16 root@centos8 ~]#cat /apps/nginx/conf.d/mobile.conf 
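server {
    listen 80;
    server_name mobile.noise.org;

    index index.php index.html;
    root /data/nginx/mobile;

    # Demo of "if" on $scheme, printed with the third-party echo module.
    location /main {
        if ( $scheme = http ) {
            echo "if---> $scheme";
        }

        if ( $scheme = https ) {
            echo "if---> $scheme";
        }
    }

    # Hand *.php requests to PHP-FPM over a local unix socket.
    location ~ \.php$ {
        root /data/nginx;
        # Only forward requests whose script exists under the root. Without
        # this check any URI that merely ends in .php reaches PHP-FPM, and
        # PHP's path-info fallback may then run a file other than the one named.
        try_files $uri =404;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # PHP-FPM status and ping endpoints.
    # NOTE(review): there is no allow/deny or auth_basic here, so pool details
    # are readable by anyone who can reach port 80; restrict this location to
    # the monitoring hosts.
    location ~ ^/(status|ping)$ {
        fastcgi_pass unix:/run/php-fpm/www.sock;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location /favicon.ico {
        root /data/nginx/html/pc;
        expires 365d;
    }

    # Anything that does not exist on disk is redirected (301) to the main
    # site's index page. The target is a plain-HTTP URL.
    location / {
        root /data/nginx/mob;
        index index.html;
        if (!-e $request_filename){
            rewrite .* http://www.noise.org/index.html permanent;
        }
    }

    # rewrite ... break: the URI is rewritten and processing continues inside
    # this location, without a new location lookup.
    location /break {
        rewrite  ^/break/(.*) /test/$1 break;
    }

    # rewrite ... last: the URI is rewritten and a new location lookup is
    # started, so the request ends up in "location /test" below.
    location /last {
        rewrite  ^/last/(.*) /test/$1 last;
    }

    # Test target; 999 is a non-standard status code used only for the demo.
    location /test {
        default_type text/plain;
        return 999 "new test";
    }

    #location /test {
    #    rewrite ^/test/(.*) /last/$1 last;
    #}

    # Image requests are proxied to the backend web server.
    location ~ \.(jpg|png|gif)$ {
        proxy_pass http://10.0.0.18:80;
        #proxy_cache proxycache;
        #proxy_cache_key $request_uri;
        #proxy_cache_valid 200 302 301 10m;
        #proxy_cache_valid any 5m;

        # Appends the connecting peer's address to whatever X-Forwarded-For the
        # client sent. Earlier entries are client-controlled, so the backend
        # should trust only the entry added by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # proxy_pass with a URI part ("/"): the matched prefix /web is replaced by
    # "/" before the request is sent to the backend.
    location /web {
        index index.html;
        proxy_pass http://10.0.0.18:80/;
    }

    # proxy_pass without a URI part: the request URI is passed to the backend
    # unchanged, /web2 prefix included.
    location /web2 {
        index index.html;
        proxy_pass http://10.0.0.18:80;
    }

    # Proxied to the "backend" upstream group defined in upstream.conf.
    location /web3 {
        index index.html;
        proxy_pass http://backend/;
    }
}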


======================================

[16:03:50 root@centos8 ~]#cat /apps/nginx/conf.d/www.conf 
server {
    listen 80;
    server_name www.noise.org;
    # Default document root for this virtual host.
    root /data/nginx/www;

    # Favicon is served from the same root and may be cached by clients for a year.
    location /favicon.ico {
        root /data/nginx/www;
        expires 365d;
    }

    # Everything else is served from the WordPress tree.
    location / {
        root /data/nginx/wordpress;
    }
}

==================================
[16:04:40 root@centos8 ~]#cat /apps/nginx/conf.d/upstream.conf 
upstream backend {
    # Optional: consistent hashing on the request URI instead of weighted
    # round-robin (disabled).
    #hash $request_uri consistent;

    # Two backends. 10.0.0.18 has weight 3, 10.0.0.19 the default weight of 1.
    # A server that fails 3 times within 30s is taken out of rotation for 30s.
    server 10.0.0.18:80 weight=3 max_fails=3 fail_timeout=30s;
    server 10.0.0.19:80 max_fails=3 fail_timeout=30s;
}

===================================

[16:05:10 root@centos8 ~]#cat /apps/nginx/conf/nginx.conf

#user  nobody;
# A single worker process.
worker_processes 1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    # Maximum simultaneous connections per worker.
    worker_connections 1024;
}


http {
    # Extension-to-MIME-type table and the fallback Content-Type.
    include mime.types;
    default_type application/octet-stream;

    # On-disk proxy cache: three directory levels, a 20 MB shared key zone
    # named "proxycache", entries unused for 120s are dropped, 1 GB size cap.
    # The zone is only defined here; the proxy_cache lines that would use it
    # in mobile.conf are commented out.
    proxy_cache_path /data/nginx/proxycache levels=1:1:1 keys_zone=proxycache:20m inactive=120s max_size=1g;

    # Plain-text access log format.
    # The referer, user-agent and X-Forwarded-For fields are client-supplied.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log logs/access.log main;

    sendfile on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout 65;

    #gzip  on;

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # Per-virtual-host server blocks and the upstream definition.
    include /apps/nginx/conf.d/*.conf;
}

 
