nginx 常见问题

目录

基于http_x_forwarded_for访问控制白名单

参考博客 : https://cloud.tencent.com/developer/article/1847101
前置:

  • nginx 要有 --with-http_realip_module
map $http_x_forwarded_for $client_ip {
    default $realip_remote_addr;
    "~^-$" $realip_remote_addr;
}
map $client_ip $allowed {
	# 匹配的ip
    ~\s*122.222.110.426$ allow;
    default deny;
}

server {
    listen       80;
    server_name 127.0.0.1;
    root html;
    access_log logs/access.log main;
    error_log  logs/error.log;
    
    location / {
	    #访问控制
        if ( $allowed = 'false' ) {return 403;} 
        try_files $uri @fallback;
    }
}

跨域解决方案

map $http_origin $corsHost {
         default 0;
        "~https://zzzmh.cn" https://zzzmh.cn;
        "~https://chrome.zzzmh.cn" https://chrome.zzzmh.cn;
        "~https://bz.zzzmh.cn" https://bz.zzzmh.cn;
   }


location / {
    # 允许跨域的请求,可以自定义变量$http_origin,*表示所有
    add_header 'Access-Control-Allow-Origin' $corsHost;
    # 允许携带cookie请求
    add_header 'Access-Control-Allow-Credentials' 'true';
    # 允许跨域请求的方法:GET,POST,OPTIONS,PUT
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT';
    # 允许请求时携带的头部信息,*表示所有
    add_header 'Access-Control-Allow-Headers' *;
    # 允许发送按段获取资源的请求
    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
    # 一定要有!!!否则Post请求无法进行跨域!
    # 在发送Post跨域请求前,会以Options方式发送预检请求,服务器接受时才会正式请求
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        # 对于Options方式的请求返回204,表示接受跨域请求
        return 204;
    }
}

编译

./configure \
"--prefix=/usr/local/nginx" \
" --with-http_realip_module "\
"--with-http_stub_status_module" \
"--without-http_auth_basic_module" \
"--without-http_autoindex_module" \
"--without-http_browser_module" \
"--without-http_empty_gif_module" \
"--without-http_geo_module" \
"--without-http_limit_conn_module" \
"--without-http_limit_req_module" \
"--without-http_map_module" \
"--without-http_memcached_module" \
"--without-http_proxy_module" \
"--without-http_referer_module" \
"--without-http_scgi_module" \
"--without-http_split_clients_module" \
"--without-http_ssi_module" \
"--without-http_upstream_ip_hash_module" \
"--without-http_upstream_keepalive_module" \
"--without-http_upstream_least_conn_module" \
"--without-http_userid_module" \
"--without-http_uwsgi_module" \
"--without-mail_imap_module" \
"--without-mail_pop3_module" \
"--without-mail_smtp_module" \
"--without-poll_module" \
"--without-select_module" \
"--with-cc-opt='-O2'"

常用nginx.conf模板

user  nginx nginx;
worker_processes  auto;

error_log  logs/error.log error;

pid        logs/nginx.pid;
worker_rlimit_nofile    65536;

events
{
    use epoll;
    accept_mutex off;
    worker_connections  65536;
}


http
{
    include       mime.types;
    default_type  text/html;

    charset	UTF-8;
    server_names_hash_bucket_size	128;
    client_header_buffer_size		4k;
    large_client_header_buffers	 4	32k;
    client_max_body_size            8m;

    open_file_cache max=65536  inactive=60s;
    open_file_cache_valid      80s;
    open_file_cache_min_uses   1;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile    on;
    server_tokens off;
    # php 相关
    # fastcgi_temp_path  /tmp/fastcgi_temp;
    # fastcgi_cache_path /tmp/fastcgi_cache levels=1:2 keys_zone=cache_fastcgi:128m inactive=30m max_size=1g;
    # fastcgi_cache_key $request_method://$host$request_uri;
    # fastcgi_cache_valid 200 302 1h;
    # fastcgi_cache_valid 301     1d;
    # fastcgi_cache_valid any     1m;
    # fastcgi_cache_min_uses 1;
    # fastcgi_cache_use_stale error timeout http_500 http_503 invalid_header;

    keepalive_timeout  60;

    gzip  on;
    gzip_min_length	1k;
    gzip_buffers  4	64k;
    gzip_http_version	1.1;
    gzip_comp_level	2;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    server
    {
        listen       80;
        server_name  localhost;
        index        index.html;
        root         /App/web;

        
        location ~ .+\.(gif|jpg|jpeg|png|bmp|swf|txt|csv|doc|docx|xls|xlsx|ppt|pptx|flv)$
        {
            expires 30d;
        }

        location ~ .+\.(js|css|html|xml)$
        {
            expires 30d;
        }

        location /nginx-status
        {
            stub_status on;
            allow 192.168.1.0/24;
            allow 127.0.0.1;
            deny all;
        }
    }
}

内核优化参数

grep -q "net.ipv4.tcp_max_tw_buckets" /etc/sysctl.conf || cat >> /etc/sysctl.conf << EOF
########################################
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_max_tw_buckets = 10000
net.ipv4.ip_local_port_range = 1024 65500
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_mem = 786432 1048576 1572864
fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.sem = 250 32000 100 128
vm.swappiness = 0
EOF
sysctl -p

超时参数

proxy_send_timeout     后端服务器数据回传时间(代理发送超时时间)
proxy_read_timeout      连接成功后,后端服务器响应时间(代理接收超时时间)
proxy_connect_timeout    nginx连接后端的超时时间,一般不超过75s
posted @ 2023-11-16 11:16  zuozhengjun  阅读(4)  评论(0编辑  收藏  举报