nginx配置模板
nginx配置模板
核心配置模板
# ---- main context ----
user nginx;
# One worker per available CPU core.
worker_processes auto;
# worker_cpu_affinity <cpu mask>;  on a host dedicated to nginx, pin workers to cores
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log notice;
# Open-file limit applied to each worker process.
worker_rlimit_nofile 1000000;

events {
    # Maximum simultaneous connections per worker process.
    worker_connections 10000;
}
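http {
    charset utf-8;
    charset_types text/css
                  text/plain
                  text/vnd.wap.wml
                  text/javascript
                  text/markdown
                  text/calendar
                  text/x-component
                  text/vcard
                  text/cache-manifest
                  text/vtt
                  application/json
                  application/manifest+json;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # ---- logging ----
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_time" -- $upstream_addr $upstream_status "$upstream_response_time"';
    # escape=json keeps the line parseable when a field contains quotes or control characters.
    # NOTE: "request_body" writes the whole request body to the access log (credentials,
    # tokens, personal data). It is only populated once nginx has read the body
    # (proxy_pass / fastcgi_pass). Remove the field, or use this format only on locations
    # where logging bodies is acceptable, before using it in production.
    log_format acc_json escape=json
        '{"@timestamp": "$time_iso8601",'
        '"host": "$server_addr",'
        '"clientip": "$remote_addr",'
        '"size": "$body_bytes_sent",'
        '"responsetime": "$request_time",'
        '"upstreamtime": "$upstream_response_time",'
        '"upstreamhost": "$upstream_addr",'
        '"upstream_code": "$upstream_status",'
        '"http_host": "$host",'
        '"request_method": "$request_method",'
        '"uri": "$uri",'
        '"xff": "$http_x_forwarded_for",'
        '"referer": "$http_referer",'
        '"tcp_xff": "$proxy_protocol_addr",'
        '"request_body": "$request_body",'
        '"http_user_agent": "$http_user_agent",'
        '"status": "$status"}';
    access_log /var/log/nginx/access.log main;

    # ---- socket / file I/O ----
    tcp_nopush on;
    tcp_nodelay on;
    sendfile on;
    sendfile_max_chunk 4m;
    aio on;
    directio 4m;
    aio_write on;
    send_timeout 60s;

    # ---- hash tables ----
    server_names_hash_bucket_size 512;
    # Was "server_name_hash_max_size" (singular), which is not an nginx directive and
    # aborts the configuration test.
    server_names_hash_max_size 512;
    large_client_header_buffers 4 64k;
    types_hash_max_size 4096;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    keepalive_timeout 120;
    keepalive_requests 100;

    # ---- rate limiting ----
    # Shared-memory zones referenced by the server templates (limit_req zone=cip_qps,
    # limit_conn cip_con). nginx refuses to start when a zone is used but never declared;
    # the rate and sizes are the values that were previously left commented out here.
    limit_req_zone $binary_remote_addr zone=cip_qps:10m rate=50r/s;
    limit_conn_zone $binary_remote_addr zone=cip_con:125m;

    # ---- request body / headers ----
    # /dev/shm is RAM-backed: with client_max_body_size 100M, concurrent large uploads
    # consume memory rather than disk. Point this at persistent storage if that is a concern.
    client_body_temp_path /dev/shm/ngx-client 1 2 2;
    client_header_buffer_size 32k;
    client_header_timeout 60s;
    # NOTE: this is the in-memory buffer allocated per request before spilling to the temp
    # path; 100m per request combined with worker_connections 10000 is a memory-exhaustion
    # risk. Size it to the typical body, not the maximum.
    client_body_buffer_size 100m;
    client_body_timeout 60s;
    client_max_body_size 100M;
    open_file_cache max=5000 inactive=60s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 5;
    # Applies to every response nginx produces in this http block, proxied and dynamic
    # ones included; override per location for non-static content.
    expires 3d;

    # ---- compression ----
    # Compressing a response that carries a per-user secret next to attacker-influenced
    # input over TLS exposes it to the BREACH side channel; disable gzip on such endpoints.
    gzip on;
    gzip_comp_level 3;
    gzip_min_length 1k;
    gzip_http_version 1.1;
    gzip_types
        application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component;
    gzip_buffers 16 8k;
    gzip_vary on;
    gzip_proxied any;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # ---- proxy defaults ----
    proxy_cache_path /dev/shm/ngx-pcache levels=1:2:2 keys_zone=pcache:128m inactive=1h max_size=500m;
    # Enabling the cache here caches every proxy_pass in this http block. nginx skips
    # responses carrying Set-Cookie or Cache-Control: private/no-store by default, so
    # upstreams must emit those correctly, or disable with "proxy_cache off" per location.
    proxy_cache pcache;
    proxy_cache_valid 200 301 302 1h;
    proxy_cache_valid 404 1m;
    proxy_cache_lock_timeout 1m;
    proxy_ssl_session_reuse on;
    proxy_connect_timeout 15s;
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
    proxy_send_timeout 60s;
    proxy_temp_file_write_size 128k;
    proxy_max_temp_file_size 10M;
    proxy_intercept_errors on;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_headers_hash_max_size 1024;
    # Declared once: the earlier duplicate (64) made nginx reject the config with
    # '"proxy_headers_hash_bucket_size" directive is duplicate'.
    proxy_headers_hash_bucket_size 512;
    # NOTE: non_idempotent re-sends POST/PATCH/etc. to the next server after a failure,
    # which can apply the same side effect twice; http_404 fails over on an ordinary
    # not-found. Review both before using this template for a stateful upstream.
    proxy_next_upstream error timeout invalid_header non_idempotent http_503 http_502 http_504 http_404;

    # ---- fastcgi defaults ----
    fastcgi_connect_timeout 600;
    fastcgi_send_timeout 600;
    fastcgi_read_timeout 600;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    fastcgi_intercept_errors on;

    # ---- response headers ----
    # Values for the policy headers used below and in the server templates. An undefined
    # variable in add_header is a fatal config error, so each one is declared here; an
    # empty value suppresses the header, so nothing is sent until a policy is configured.
    map $host $content_security_policy { default ""; }
    map $host $coep_policy { default ""; }
    map $host $coop_policy { default ""; }
    map $host $corp_policy { default ""; }
    # NOTE: add_header is inherited from this level only when the server/location has no
    # add_header of its own. Any server that sets e.g. CORS headers must repeat these.
    # Refuse to be rendered inside a frame/iframe from another origin (clickjacking).
    add_header X-Frame-Options SAMEORIGIN;
    # Disable MIME-type sniffing of responses.
    add_header X-Content-Type-Options nosniff;
    # Legacy XSS auditor switch; current browsers have removed the auditor and current
    # guidance is to send "0" or omit the header. Kept as in the original template.
    add_header X-XSS-Protection "1; mode=block" ;
    # Content Security Policy; browser support: https://caniuse.com/contentsecuritypolicy
    # Example policy (kept from the original template):
    #add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
    add_header Content-Security-Policy $content_security_policy always;

    include /etc/nginx/conf.d/*.conf;
    upstream kong {
        server 10.10.107.166:8000;
    }
}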
stream {
    # Relative include paths are resolved against the nginx prefix directory (--prefix).
    include stream/*.conf;
}
子配置文件模板(server块)
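# Plain-HTTP listener: redirects everything to HTTPS.
server {
    listen 80 backlog=512 rcvbuf=50m sndbuf=50m;
    server_name www.hj.com;
    client_header_buffer_size 1k;
    # Both zones must be declared with limit_req_zone / limit_conn_zone in the http context.
    limit_req zone=cip_qps burst=10 nodelay;
    limit_conn cip_con 10;
    # Runs in the server rewrite phase, before a location is selected. On this plain-HTTP
    # listener $scheme is always "http", so every request is redirected and the locations
    # below are never reached; keep them only if the redirect is removed or scoped to a
    # specific location.
    if ($scheme != https) { return 301 https://$host$request_uri; }
    location / {
        # if (!-e $request_filename){
        #     rewrite (.*) https://$host/index.html;
        # }
    }
    # Hotlink protection for images: requests with a foreign Referer are refused.
    location /img {
        valid_referers none blocked server_names ~\.hj.*/img;
        if ($invalid_referer) {
            return 403 "Forbidden Access";
        }
    }
    # "\.php$" instead of ".php$": the unescaped dot matched any character (e.g. "xphp").
    location ~* \.php$ {
        # Only hand PHP-FPM a script that exists on disk. With cgi.fix_pathinfo=1 PHP would
        # otherwise execute a non-PHP file addressed as /path/file.jpg/x.php.
        try_files $uri =404;
        # fastcgi_pass unix:///tmp/fpm.sock;
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_index index.php;
    }
}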
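# HTTPS listener.
server {
    listen 443 ssl;
    # QUIC/HTTP3 listener. The "http3" listen parameter is the nginx-quic preview spelling;
    # mainline nginx (1.25+) expects "listen 443 quic reuseport;" plus "http3 on;".
    # Add the "http2" listen parameter if HTTP/2 is wanted on the TLS listener.
    listen 443 http3 reuseport;
    server_name www.hj.com;
    client_header_buffer_size 1k;
    # Both zones must be declared with limit_req_zone / limit_conn_zone in the http context.
    limit_req zone=cip_qps burst=10 nodelay;
    limit_conn cip_con 10;
    try_files $uri $uri.html $uri/index.html /index.html;

    # ---- TLS ----
    ssl_certificate /opt/nginx/conf/conf.d/cert/www.hj.crt;
    ssl_certificate_key /opt/nginx/conf/conf.d/cert/www.hj.key;
    # TLS 1.2 and 1.3 only. The previous value "sslv2 sslv3 tlsv1.2 tlsv1.3" enabled two
    # broken protocols (DROWN, POODLE) and, being lowercase, is not even accepted by nginx
    # (the tokens are case-sensitive: SSLv3, TLSv1.2, TLSv1.3).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache builtin:1000 shared:ssl_cache:20m;
    # Forward-secret AEAD suites only (TLS 1.3 suites are negotiated independently of this
    # list). Removed from the earlier list: static-RSA key exchange (no forward secrecy),
    # 3DES (Sweet32) and the CBC/SHA-1 suites.
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!DSS:!3DES;
    # Issuer/intermediate chain used to validate the stapled OCSP response; required for
    # ssl_stapling_verify to do anything (nginx warns and skips stapling otherwise).
    #ssl_trusted_certificate /path/to/ca.crt;
    ssl_session_timeout 15m;
    # In stock nginx the ticket key is generated at (re)load and only changes on reload
    # unless ssl_session_ticket_key files are rotated; long-lived keys weaken forward secrecy.
    ssl_session_tickets on;
    ssl_prefer_server_ciphers on;
    ssl_buffer_size 1400;
    # OCSP stapling: nginx fetches the OCSP response from the URL in the certificate and
    # delivers it in the handshake, so clients need not contact the CA themselves.
    ssl_stapling on;
    # Verify the OCSP response against the chain from ssl_trusted_certificate.
    ssl_stapling_verify on;
    # Used for the OCSP responder lookup; plain DNS to a public resolver — prefer an
    # internal resolver where egress is restricted.
    resolver 8.8.8.8 valid=60s;
    resolver_timeout 2s;
    # DH group for the DHE suites (generated with "openssl dhparam", see the commands below).
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Curve selection for ECDHE.
    #ssl_dyn_rec_enable on;
    #ssl_ecdh_curve X25519:P-256;

    # ---- response headers ----
    # add_header is not inherited from the http context once a server sets any header of
    # its own, so the hardening headers from the core template are repeated here.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    # HSTS: browsers upgrade later visits to HTTPS without a server round-trip. "preload"
    # together with includeSubdomains is effectively permanent once submitted to the
    # preload list; every subdomain must serve HTTPS first.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    # HTTP/3 over QUIC (UDP) advertisement.
    #add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
    #add_header QUIC-Status $quic; # Sent when QUIC was used
    # ---- CORS ----
    # Origins allowed to read responses; "*" means any origin. Browsers reject a
    # credentialed request answered with "*", so Allow-Credentials below is ineffective with
    # this value. If cookies or Authorization must be shared cross-origin, replace "*" with
    # an explicit allow-list (e.g. a map on $http_origin that yields the origin only when it
    # matches) — never an unconditional echo of $http_origin.
    add_header Access-Control-Allow-Origin '*';
    # Allow the browser to send cookies with cross-origin requests (see note above).
    add_header Access-Control-Allow-Credentials true;
    # Methods allowed cross-origin (OPTIONS is the preflight).
    add_header Access-Control-Allow-Methods 'PUT,POST,GET,DELETE,OPTIONS';
    # Request headers allowed in a preflighted request.
    add_header Access-Control-Allow-Headers 'Content-Type,Content-Length,Authorization,Accept,X-Requested-With';
    # Response headers a cross-origin script may read (ranged requests).
    add_header Access-Control-Expose-Headers 'Content-Length,Content-Range';
    # Cross-origin isolation policies; the variables must be declared with "map" in the
    # http context (an undefined variable here is a fatal config error).
    add_header Cross-Origin-Embedder-Policy $coep_policy always;
    add_header Cross-Origin-Opener-Policy $coop_policy always;
    add_header Cross-Origin-Resource-Policy $corp_policy always;
    # Preflight: answer OPTIONS directly so cross-origin POST/PUT is permitted.
    # The add_header set inside "if" replaces the server-level set, so the CORS headers the
    # browser needs on the preflight response are repeated here.
    if ($request_method = 'OPTIONS') {
        add_header Access-Control-Allow-Origin '*';
        add_header Access-Control-Allow-Methods 'PUT,POST,GET,DELETE,OPTIONS';
        add_header Access-Control-Allow-Headers 'Content-Type,Content-Length,Authorization,Accept,X-Requested-With';
        add_header Access-Control-Max-Age 1728000;
        add_header Content-Type 'text/plain; charset=utf-8';
        add_header Content-Length 0;
        return 204;
    }

    location / {
        # "tomcat" must be an upstream{} group or a resolvable host name; it is not
        # defined in this template.
        proxy_pass http://tomcat;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-real-IP $remote_addr;
        proxy_set_header Server-Name $server_name;
        # No add_header in this location: a location-level add_header replaces, rather
        # than extends, the server-level set and would silently drop HSTS and the CORS
        # headers on this path. The server-level Access-Control-Allow-Origin '*' applies.
        proxy_buffering on;                # buffer upstream responses
        proxy_request_buffering on;
        proxy_buffers 4 64k;               # number and size of per-request buffers (default 4 4k/8k)
        proxy_buffer_size 16k;             # buffer for the upstream response headers
        proxy_busy_buffers_size 128k;      # buffers that may be sent to the client while the upstream is still responding (default proxy_buffer_size*2)
    }

    # Status endpoint, loopback only.
    location /ngx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }

    # "^~" makes this prefix win over the regex locations below; without it /img/x.png is
    # handled by the image-extension rule and the Referer check never runs. The static
    # "expires 30d" no longer applies under /img; add it here if wanted.
    location ^~ /img {
        valid_referers none blocked server_names www.hj.*/img;
        if ($invalid_referer) {
            return 403 "Forbidden Access";
        }
    }

    # Regex locations are tried in order of appearance: the deny rules come first so a
    # blocked path cannot be served by the static-asset rules because of its extension.
    # Dot-directories/files are refused at any depth, not only at the site root.
    location ~ /\.(?:user\.ini|ht|git|svn|project) {
        deny all;
    }
    location ~ ^/(?:LICENSE|README\.md) {
        deny all;
    }
    location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
        deny all;
    }
    location ~ \.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }
    # The stray "?" in the original "(js|css)?$" made the extension optional, so any URI
    # ending in a bare "." matched too.
    location ~ \.(js|css)$ {
        expires 7d;
        access_log off;
    }
}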
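# WebSocket / gRPC listener (cleartext).
server {
    # Without "ssl" this is h2c. Newer nginx (1.25.1+) deprecates the "http2" listen
    # parameter in favour of a separate "http2 on;" directive.
    listen 81 http2;
    # WebSocket: HTTP/1.1 plus the hop-by-hop Upgrade/Connection headers are required for
    # the 101 switch to pass through. nginx does not implement RFC 8441, so the upgrade
    # only works on HTTP/1.1 connections. The usual
    # "map $http_upgrade $connection_upgrade { default upgrade; '' close; }" avoids
    # sending "Connection: upgrade" on ordinary requests.
    # ("localtion" was a typo for "location" in both blocks; nginx rejects an unknown
    # directive at config test.)
    location /websocket {
        proxy_pass http://xx;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
    }
    # gRPC: "xx" stands for the backend address.
    location /grpc {
        default_type application/grpc;
        grpc_pass grpc://xx; # grpcs://xx for TLS to the backend
    }
}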
其他配置
命令行生成DH参数文件(供ssl_dhparam使用)
# Generate the DH group referenced by ssl_dhparam; a 4096-bit group can take many minutes.
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
校验OCSP Stapling是否已开启
# Handshake with the site and print only the OCSP stapling lines from the TLS debug output.
openssl s_client -servername www.hj.com -connect www.hj.com:443 -status -tlsextdebug </dev/null 2>&1 | grep OCSP
# Per-phase timing of one HTTPS request; the body is discarded.
curl -s -o /dev/null -w '\n time_namelookup=%{time_namelookup}\n time_connect=%{time_connect}\n time_appconnect=%{time_appconnect}\n time_redirect=%{time_redirect}\n time_pretransfer=%{time_pretransfer}\n time_starttransfer=%{time_starttransfer}\n time_total=%{time_total}\n' https://www.hj.com
