1. 配置虚拟主机:

     # Name-based virtual host: requests for www.test.com or test.com on
     # port 80 are served from the document root below.
     server {
         listen 80;
         server_name www.test.com test.com;
         root /usr/local/nginx/html/test;
         location / {
             # Directory requests are answered with index.php.
             index index.php;
         }
     }
  2. 浏览文件:

     location / {
         # Directory listing: every file under this location becomes
         # discoverable by anyone who can reach the server. Scope it to a
         # dedicated download directory and keep backups, dotfiles and
         # configuration files out of that tree.
         autoindex on;
         # Show file times in the server's local time zone instead of UTC.
         autoindex_localtime on;
     }
  3. 支持 php:

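     # Hand PHP requests to the FastCGI backend on 127.0.0.1:9000.
     # The pattern matches only URIs with a real ".php" path segment
     # ("/a.php" or "/a.php/extra"), not names that merely contain ".php".
     location ~ [^/]\.php(/|$) {
         # Split the URI into the script name and the trailing PATH_INFO.
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         # Refuse requests whose script part is not an existing file. Without
         # this check a URI that appends a fake ".php" segment to a non-PHP
         # file still reaches the backend, and a PHP running with
         # cgi.fix_pathinfo=1 may execute that other file.
         if (!-f $document_root$fastcgi_script_name) {
             return 404;
         }
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_index index.php;
         fastcgi_param PATH_INFO $fastcgi_path_info;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         # Do not forward a client-supplied Proxy header as HTTP_PROXY.
         fastcgi_param HTTP_PROXY "";
         include fastcgi_params;
     }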
  4. 解决跨域:

     location / {
         # "*" lets a page from any origin read these responses in a browser.
         # That is acceptable only for public, unauthenticated content; for
         # anything else, return an origin taken from an explicit allow-list.
         # Without the "always" parameter the header is added only for a
         # fixed set of 2xx/3xx status codes.
         add_header 'Access-Control-Allow-Origin' '*';
     }
  5. 设置 index.php 为入口文件:

     location / {
         # Front-controller routing: a request that does not name an existing
         # file or directory is rewritten to index.php, with the original
         # path passed in the "s" query argument. The application receives
         # that path as untrusted input and must validate it.
         if (!-e $request_filename) {
             rewrite  ^(.*)$  /index.php?s=/$1  last;
             # "last" already ends rewrite processing, so this is not reached.
             break;
         }
     }
  6. 防盗链:

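     # Hotlink protection for image files. Referer is supplied by the client,
     # so this saves bandwidth but is not an access control.
     location ~ .*\.(gif|jpg|jpeg|bmp|png)$ {
         # The directive is spelled valid_referers; nginx refuses to load a
         # configuration that contains an unknown directive name.
         # Only Referer hosts matching *.test.com are accepted. Requests with
         # no Referer are treated as invalid unless "none" is listed.
         # NOTE(review): the wildcard probably does not cover the bare host
         # test.com — confirm and list it explicitly if it should be allowed.
         valid_referers *.test.com;
         if ($invalid_referer) {
             # NOTE(review): 404.png is matched by this same location, so the
             # placeholder is itself subject to the Referer check. Confirm it
             # stays reachable, or answer with "return 403;" instead.
             rewrite ^/ http://www.test.com/404.png;
         }
     }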
  7. 动静分离:

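     # Static assets, matched case-insensitively by file extension. The dot is
     # escaped so that only a real ".ext" suffix matches.
     # NOTE(review): "ioc" is probably meant to be "ico" — confirm.
     location ~* ^.+\.(js|css|htm|html|gif|jpg|jpeg|png|bmp|swf|ioc|rar|zip|txt|flv|mid|doc|ppt|pdf|xls|mp3|wma)$ {
         #  static site
     }
     # Everything else. A "(?![...])" group is a character class, not a list
     # of extensions, so it cannot express "any other extension". A prefix
     # location does: regex locations are tried first, and only requests that
     # did not match the static pattern arrive here.
     location / {
         #  dynamic site
     }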
  8. 反向代理:

     # Reverse proxy: jira.job520.net on port 80 is forwarded to a backend
     # listening on the loopback interface.
     server {
         listen 80;
         server_name jira.job520.net;
         location / {
             proxy_pass http://127.0.0.1:8080;
             # Leave Location/Refresh headers from the backend unmodified.
             proxy_redirect off;
             proxy_set_header Host $host:$server_port;
             # Address of the peer that connected to nginx.
             proxy_set_header X-Real-IP $remote_addr;
             # Appends that address to whatever X-Forwarded-For the client
             # sent. Earlier entries are client-controlled, so the backend
             # should trust only the entry added by this proxy.
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             # Seconds to wait between two reads from the backend.
             proxy_read_timeout 90;
         }
     }
  9. 代理 websocket(可配置健康检查):

     # Backend pool for WebSocket traffic; the addresses are placeholders.
     # NOTE(review): the heading mentions health checks, but none are
     # configured here — passive checks would use max_fails/fail_timeout on
     # the server lines.
     upstream test_websocket_proxy {
         server xx.xx.xx.xx:xx;
         server xx.xx.xx.xx:xx;
     }
     ...
     proxy_pass http://test_websocket_proxy;
     # The Upgrade handshake requires HTTP/1.1 towards the backend.
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
     # Earlier X-Forwarded-For entries come from the client; the backend
     # should trust only the entry added by this proxy.
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header Host $host;
  10. 代理 grpc:

    # Backend pool of two gRPC servers.
    upstream test_grpc_proxy {
        server 192.168.50.160:50052;
        server 192.168.50.160:50053;
    }
    server {
        # HTTP/2 without "ssl": clients talk to this listener in cleartext.
        listen       8181 http2;
        server_name  localhost;
        location / {
            # grpc:// forwards in cleartext to the backends; grpcs:// is the
            # TLS variant. No authentication is applied at this layer.
            grpc_pass grpc://test_grpc_proxy;
        }
    }
  11. 代理 tcp:

    1. 安装stream模块:
      yum -y install nginx-mod-stream
    2. 修改配置:
      1. /etc/nginx/nginx.conf:
         stream {
             include /etc/nginx/conf.d/*.stream;
         }
      2. /etc/nginx/conf.d/xxx.stream
         # Plain TCP pass-through: every connection to port 1883 is relayed
         # to the backend as-is, with no TLS and no access restriction shown.
         # allow/deny rules are available in the stream server context if
         # the port should not be open to every client.
         server {
             listen 1883;
             proxy_pass 172.21.16.17:1883;
         }
  12. 支持react-router:
    try_files $uri /index.html;

  13. 使用gzip压缩:

    gzip on;
    # Responses smaller than 1 KB are sent uncompressed.
    gzip_min_length 1k;
    gzip_comp_level 2;
    # NOTE(review): JPEG, GIF and PNG are already compressed, so listing
    # them costs CPU for little gain. On a TLS site, compressing responses
    # that combine secrets with request-derived content is the condition
    # for compression side-channel attacks such as BREACH; consider
    # leaving such responses uncompressed.
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png font/ttf font/otf image/svg+xml;
    # Emit "Vary: Accept-Encoding" so caches store both variants.
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";
    location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ { 
        access_log   off; 
        expires      1h;
    }
    location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
        access_log   off;
        expires      1h;
    }
    location ~* ^.+\.(html|htm)$ {
        expires      1h;
    }
    location ~* ^.+\.(eot|ttf|otf|woff|svg)$ {
        access_log   off;
        expires max;
    }
  14. 白名单设置:

    # Rules are checked in order and the first match decides, so the allow
    # line has to come before "deny all".
    # The comparison uses the address of the connecting peer. Behind a load
    # balancer or CDN that is the proxy's address, and a client-supplied
    # X-Forwarded-For header must not be used as a substitute for it.
    allow  xx.xx.xx.xx/xx;
    deny  all;
  15. 限制上传文件大小:

    client_max_body_size 8M;
    client_body_buffer_size 128k;
  16. 防止跨目录(限制php只能在指定目录下运行):
    # Asks PHP to confine its file functions to the document root.
    # open_basedir is defense in depth, not a sandbox: it does not replace
    # file-system permissions or a separate PHP-FPM pool per site.
    # NOTE(review): consider setting it in the PHP-FPM pool configuration
    # (php_admin_value[open_basedir]) so that it does not depend on the web
    # server sending it with every request — confirm for this deployment.
    fastcgi_param PHP_VALUE "open_basedir=$document_root";

  17. 限制同一用户请求频率:

    http{
        # Define a limit_req_zone named allips: 10 MB of shared memory holding
        # per-client state keyed by the binary client address, with an
        # allowed rate of 20 requests per second.
        # Clients behind one NAT or proxy share a key, and behind a load
        # balancer $binary_remote_addr is the balancer's address.
        limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
        server{
            location / {
                # Up to 5 requests above the rate are served immediately
                # (nodelay); anything beyond that is rejected.
                limit_req zone=allips burst=5 nodelay;
            }
        }
    }
  18. ssl证书相关:

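    # Plain-HTTP listener: permanently redirect every request to the HTTPS
    # site, keeping the original path and query string.
    server {
        listen 80;
        server_name job520.net www.job520.net;
        return 301 https://www.job520.net$request_uri;
    }
    # HTTPS site.
    # NOTE(review): only www.job520.net is named here; confirm how
    # https://job520.net should be answered and that the certificate
    # covers every name that is served.
    server {
        listen       443 ssl;
        server_name  www.job520.net;
        # Certificate chain and private key. The key file should be readable
        # only by the account that starts nginx.
        ssl_certificate 2479286_www.job520.net.pem;
        ssl_certificate_key 2479286_www.job520.net.key;
        ssl_session_timeout 5m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer
        # offered. TLSv1.3 takes effect only when nginx is built against
        # OpenSSL 1.1.1 or newer.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Cipher preference for TLS 1.2; anonymous, MD5, RC4 and DHE suites
        # are excluded.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
    }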
  19. 检查配置文件语法:
    nginx -t

文档更新时间: 2024-03-24 15:25   作者:lee