Nginx Configuration Notes
by CUNOE, January 31, 2023
This post records notes on using Nginx.
Installing Nginx
Installing from source
Install the build environment
sudo apt-get install -y build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev libgd-dev libxml2 libxml2-dev uuid-dev libgeoip-dev
Download the source from the official Nginx site
wget -O nginx.tar.gz https://nginx.org/download/nginx-1.23.4.tar.gz && tar -xzf nginx.tar.gz && rm nginx.tar.gz && mv nginx-* nginx && cd nginx
Set the build options
Run the following command to list the available build options
./configure --help
Commonly used build options
./configure --prefix=/usr/local/nginx
make && sudo make install
Managing nginx with systemctl
Writing the nginx.service file
[Unit]
Description=nginx - high performance web server.
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
# Must match the pid path nginx actually writes (logs/nginx.pid under the --prefix above)
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# "-s reload" re-reads the configuration; "-s reopen" only reopens the log files
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Installing Nginx via Apt
sudo apt install -y nginx
With this method, Nginx's default directory is /etc/nginx
Managing Nginx with LNMP
For details on LNMP, see the official site: https://lnmp.org/
The following command installs only Nginx
wget http://soft.vpser.net/lnmp/lnmp1.9.tar.gz -cO lnmp1.9.tar.gz && tar zxf lnmp1.9.tar.gz && cd lnmp1.9 && sudo bash ./install.sh nginx
With LNMP, the build options can be changed by editing the nginx-related fields in /path/to/lnmp1.9/lnmp.conf
Usage tips
My current nginx build options are as follows
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_realip_module
nginx.conf
user www www;
worker_processes auto;
worker_cpu_affinity auto;
# Set where the error log is written
error_log /var/log/nginx/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
    use epoll;
    worker_connections 51200;
    multi_accept off;
    accept_mutex off;
}
stream
{
    # Upstreams
    upstream ssh {
        server 127.0.0.1:6000 max_fails=3 fail_timeout=10s;
    }
    upstream backend {
        server 127.0.0.1:6001 max_fails=3 fail_timeout=10s;
    }
    # SNI-based forwarding
    map $ssl_preread_server_name $backend_sni {
        ssh.example.com ssh;
        default backend;
    }
    server {
        listen 443 reuseport;
        ssl_preread on;
        proxy_protocol on;
        proxy_pass $backend_sni;
    }
    # Set the log output format
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$ssl_preread_server_name" "$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /var/log/nginx/stream_access.log proxy;
}
http
{
    # Restore the remote IP; otherwise every SNI-forwarded request is logged as 127.0.0.1
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;
    port_in_redirect off;
    include mime.types;
    default_type application/octet-stream;
    # WebSocket settings
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;
    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;
    keepalive_timeout 1d;
    tcp_nodelay on;
    # FastCGI settings
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    # gzip settings
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";
    server_tokens off;
    access_log off;
    server
    {
        listen 80 default_server reuseport;
        #listen [::]:80 default_server ipv6only=on;
        server_name _;
        # Reject requests for unknown hosts
        return 403;
        access_log /var/log/nginx/access.log;
    }
    server
    {
        listen 127.0.0.1:6001 proxy_protocol default_server;
        #listen [::]:6001 default_server ipv6only=on;
        server_name _ ;
        include cunoe.com-ssl.conf;
        # Reject requests for unknown hosts
        return 403;
        access_log /var/log/nginx/access.log;
    }
    # Include the configuration files under conf.d
    include conf.d/*.conf;
}
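What the `set_real_ip_from` / `real_ip_header proxy_protocol` pair in the http block does with the header that the stream block's `proxy_protocol on;` prepends, as an added Python sketch (not part of the original post and not nginx code). It assumes the version 1 text form of the PROXY protocol header; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Mirrors `set_real_ip_from 127.0.0.1;` from the http block above.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def parse_proxy_v1(line: bytes):
    """Return (src_ip, src_port) from a PROXY v1 line, or None for UNKNOWN."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("malformed PROXY v1 header")
    fields = line[:-2].decode("ascii").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported protocol field")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return str(src), sport


def logged_remote_addr(peer_ip: str, header: bytes, trusted=TRUSTED_PROXIES):
    """Address the http block would log as $remote_addr for this connection."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return peer_ip  # header from a peer outside set_real_ip_from is ignored
    parsed = parse_proxy_v1(header)
    return parsed[0] if parsed else peer_ip


# Constructed sample: header as the stream server on 443 would send it to 127.0.0.1:6001.
SAMPLE = b"PROXY TCP4 203.0.113.7 198.51.100.1 51234 443\r\n"
```

Passing `trusted=[]` reproduces the situation the config comment describes: every request arriving over the loopback hop is logged as 127.0.0.1.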
conf.d/template.conf
server
{
    listen 80;
    server_name nginx.example.com;
    location / {
        return 301 https://$host$request_uri;
    }
    access_log /var/log/nginx/nginx.example.com.log;
}
server
{
    listen 127.0.0.1:6001 proxy_protocol ssl http2;
    server_name nginx.example.com;
    include cunoe.com-ssl.conf;
    root /home/webroot/nginx.example.com;
    index index.html;
    # Typical reverse proxy for a website
    location ^~ /test/ {
        proxy_pass http://127.0.0.1:8080/test/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # Typical reverse proxy for WebSocket
    location ^~ /ws/ {
        client_max_body_size 0;
        lingering_close always;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_pass http://127.0.0.1:8080/ws/;
    }
    # Typical reverse proxy for gRPC
    location ^~ /grpc.Service {
        grpc_set_header Host $host;
        grpc_set_header X-Real-IP $remote_addr;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        grpc_socket_keepalive on;
        grpc_pass grpc://127.0.0.1:8081;
    }
    location / {
        # alias replaces the matched "/" prefix, so the path must end with "/"
        alias /home/webroot/nginx.example.com/;
        index index.html;
    }
    location ~ /.well-known {
        allow all;
    }
    location ~ /\.
    {
        deny all;
    }
    access_log /var/log/nginx/nginx.example.com.log;
}
Nginx Location rules
The format of a location is as follows
location [modifier] [URI] {
...
...
}
Modifier
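Nginx gives different Modifiers different priorities; this table is sorted by matching priority
Modifier | Name | Description | Example |
---|---|---|---|
= | Exact match | Highest priority; the block matches only when the path is strictly equal | location = /mod { ... } |
^~ | Path prefix match | Matches the path prefix; once it matches, no further matching is performed | location ^~ /mod { ... } |
~* | Case-insensitive regex match | Case-insensitive regex match | location ~* /mod { ... } |
~ | Regex match | Regex match | location ~ /mod { ... } |
none | Plain match | Plain match | location /mod { ... } |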