Nginx Configuration Notes

This article records notes on using Nginx.

Installing Nginx

Installing from source

Install the build environment

sudo apt-get install -y build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev libgd-dev libxml2 libxml2-dev uuid-dev libgeoip-dev

Download the source from the Nginx website

wget -O nginx.tar.gz https://nginx.org/download/nginx-1.23.4.tar.gz && tar -xzf nginx.tar.gz && rm nginx.tar.gz && mv nginx-* nginx && cd nginx

Set the build options

Run the following command to see the available build options

./configure --help

Common build options

./configure --prefix=/usr/local/nginx
make && make install

Managing nginx with systemctl

Writing the nginx.service file

[Unit]
Description=nginx - high performance web server.
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
# Must match the "pid" path nginx actually writes (prefix/logs/nginx.pid for this build)
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# "-s reload" re-reads the configuration; "-s reopen" only reopens the log files
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target

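Installing Nginx via apt

sudo apt install -y nginx

With this installation method, Nginx's default directory is

/etc/nginx

Managing Nginx with LNMP

For details on LNMP, see the official site: https://lnmp.org/

The following command installs only Nginx. The archive is fetched over plain HTTP and install.sh runs as root, so verify the archive's integrity before running it.

wget http://soft.vpser.net/lnmp/lnmp1.9.tar.gz -cO lnmp1.9.tar.gz && tar zxf lnmp1.9.tar.gz && cd lnmp1.9 && sudo bash ./install.sh nginx

With LNMP, the build options can be changed by editing the nginx-related fields in /path/to/lnmp1.9/lnmp.conf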

Usage tips

My current nginx build options are as follows

./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_realip_module

nginx.conf

user www www;
worker_processes auto;
worker_cpu_affinity auto;

# Error log location
error_log /var/log/nginx/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
    multi_accept off;
    accept_mutex off;
}

stream {
    # Upstreams
    upstream ssh {
        server 127.0.0.1:6000 max_fails=3 fail_timeout=10s;
    }
    upstream backend {
        server 127.0.0.1:6001 max_fails=3 fail_timeout=10s;
    }

    # SNI-based forwarding
    map $ssl_preread_server_name $backend_sni {
        ssh.example.com ssh;
        default backend;
    }

    server {
        listen 443 reuseport;
        ssl_preread on;
        proxy_protocol on;
        proxy_pass $backend_sni;
    }

    # Log output format
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$ssl_preread_server_name" "$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /var/log/nginx/stream_access.log proxy;
}

http {
    # Take the client IP from the PROXY protocol header; otherwise every
    # request forwarded by the SNI proxy is logged as 127.0.0.1
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;
    port_in_redirect off;

    include mime.types;
    default_type application/octet-stream;

    # WebSocket settings
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;

    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;
    keepalive_timeout 1d;
    tcp_nodelay on;

    # FastCGI settings
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    # gzip settings
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";

    server_tokens off;
    access_log off;

    server {
        listen 80 default_server reuseport;
        #listen [::]:80 default_server ipv6only=on;
        server_name _;
        # Reject requests for unknown hosts
        return 403;
        access_log /var/log/nginx/access.log;
    }

    server {
        listen 127.0.0.1:6001 proxy_protocol default_server;
        #listen [::]:6001 default_server ipv6only=on;
        server_name _;
        include cunoe.com-ssl.conf;
        # Reject requests for unknown hosts
        return 403;
        access_log /var/log/nginx/access.log;
    }

    # Include the configuration files under conf.d
    include conf.d/*.conf;
}

conf.d/template.conf

server {
    listen 80;
    server_name nginx.example.com;
    location / {
        return 301 https://$host$request_uri;
    }
    access_log /var/log/nginx/nginx.example.com.log;
}

server {
    listen 127.0.0.1:6001 proxy_protocol ssl http2;
    server_name nginx.example.com;
    include cunoe.com-ssl.conf;
    root /home/webroot/nginx.example.com;
    index index.html;

    # Typical reverse proxy for a website
    location ^~ /test/ {
        proxy_pass http://127.0.0.1:8080/test/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Typical reverse proxy for WebSocket
    location ^~ /ws/ {
        client_max_body_size 0;
        lingering_close always;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_pass http://127.0.0.1:8080/ws/;
    }

    # Typical reverse proxy for gRPC
    location ^~ /grpc.Service {
        grpc_set_header Host $host;
        grpc_set_header X-Real-IP $remote_addr;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        grpc_socket_keepalive on;
        grpc_pass grpc://127.0.0.1:8081;
    }

    location / {
        # alias replaces the matched prefix "/", so the path needs a trailing
        # slash; without it /index.html would map to ...nginx.example.comindex.html
        alias /home/webroot/nginx.example.com/;
        index index.html;
    }

    # Dot escaped so the regex matches only the literal /.well-known
    location ~ /\.well-known {
        allow all;
    }

    location ~ /\. {
        deny all;
    }

    access_log /var/log/nginx/nginx.example.com.log;
}

Nginx location rules

The format of a location block is as follows

location [modifier] [URI] { ... ... }

Modifier

Nginx gives different modifiers different priorities; the table below is ordered by matching priority

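| Modifier | Name | Description | Example |
| --- | --- | --- | --- |
| = | Exact match | Highest priority; the block matches only when the path is strictly equal | location = /mod { ... } |
| ^~ | Path prefix match | Matches the path prefix; once it hits, no further matching is performed | location ^~ /mod { ... } |
| ~* | Case-insensitive regex match | Case-insensitive regex match | location ~* /mod { ... } |
| ~ | Regex match | Regex match | location ~ /mod { ... } |
| none | Plain match | Plain match | location /mod { ... } |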