本文汇总了 Nginx 的常用配置,包括 gzip 压缩、缓存策略、反向代理、HTTPS SSL 部署以及常见问题处理方案。

nginx

若修改了nginx的启动目录,则需要修改 user属性

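# Keep the worker processes on the unprivileged account. With "user root;" any
# flaw in request handling, or any path a location block exposes, is reached
# with full root privileges.
# If the site files were moved to a directory the nginx user cannot read, grant
# that user read/traverse permission on the new path (or keep the files outside
# /root) instead of raising the workers to root.
user nginx;
#user root;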

gzip

# Turn response compression on
gzip                on;
# Emit "Vary: Accept-Encoding" on responses; recommended
gzip_vary           on;
# Minimum HTTP version of a request for its response to be compressed
gzip_http_version   1.1;
# No gzip for IE 6 and older
gzip_disable        "MSIE [1-6]\.";
# Responses smaller than this are sent uncompressed
gzip_min_length     1k;
# Compression level 1-9: a higher number compresses better and costs more CPU time
gzip_comp_level     4;
# Number and size of the buffers used for compressing a response
gzip_buffers        4 16k;
# MIME types to compress
# NOTE(review): when these responses go out over TLS and a body both reflects
# request data and carries a secret (session or CSRF token), the compressed
# length can leak that secret (BREACH). Consider "gzip off;" in the locations
# that serve such responses.
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png application/vnd.ms-fontobject font/ttf font/opentype font/x-woff image/svg+xml;

###### proxy cache, buffers and timeouts

# On-disk locations: temporary files for proxied responses, and the cache itself
# (two-level directory layout, key zone "cache_one", entries unused for one day
# are dropped, at most 2g on disk).
# NOTE(review): the zone only takes effect where a "proxy_cache cache_one;"
# directive enables it. Before enabling it, make sure per-user or authenticated
# responses are excluded from caching.
proxy_temp_path /data/cache/proxy_temp;
proxy_cache_path /data/cache/proxy_cache levels=1:2 keys_zone=cache_one:200m inactive=1d max_size=2g;

# Buffers for reading the proxied response
proxy_buffer_size 16k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;

# Timeouts in seconds: connect to backend / send request / read response
proxy_connect_timeout 6;
proxy_send_timeout 120;
proxy_read_timeout 60;

# Workaround that appends "secure; SameSite=None" to cookies set by the backend
# by rewriting their path attribute.
# NOTE(review): SameSite=None tells browsers to attach the cookie to cross-site
# requests, which removes the CSRF protection SameSite would otherwise give.
# Keep it only if the site must work when embedded cross-site, and rely on CSRF
# tokens in that case. "secure" cookies are never sent over plain HTTP, so the
# site has to be served over HTTPS.
# NOTE(review): cookies whose path is longer than "/" are presumably rewritten
# too and may come out malformed; verify. On nginx 1.19.3 and later,
# proxy_cookie_flags sets these attributes directly.
proxy_cookie_path / '/; secure; SameSite=None';

构建纯净的nginx config

在nginx.conf 最后配置
# Load every per-site file matching vhost/*.conf. Only *.conf files match, so
# the certificate and key files kept under vhost/cert/ are not parsed as config.
# NOTE(review): private keys under vhost/cert/ should be readable by root only
# (for example mode 600), and the vhost directory must never be a served web root.
include vhost/*.conf;
之后在当前路径的vhost目录下根据域名新建配置xx.conf即可
在 vhost下新建cert目录存放证书文件

先用 nginx -t 测试配置是否通过,通过后用 nginx -s reload 重新加载配置

# Stop every running nginx process (abrupt: in-flight requests are cut off).
# Run "nginx -t" first; if the configuration is broken, the start below fails
# and the site stays down.
killall nginx
# Start nginx with an explicit configuration file
nginx -c /etc/nginx/nginx.conf
# Ask the running master process to reload the configuration
nginx -s reload

反向代理

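# Reverse proxy for the application on 127.0.0.1:3000.
# The upstream group below can be used as: proxy_pass http://host;
upstream host {
    server 127.0.0.1:3000;
}

# Value of the Connection header sent to the backend: "upgrade" when the client
# asked for a protocol switch (WebSocket), "close" otherwise. This replaces the
# two contradictory "proxy_set_header Connection" lines of the earlier version.
# (map and upstream both belong to the http context.)
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name _ host host1;  # bound domain names; "_" is for direct access by IP

    #access_log /etc/nginx/conf.d/host.log;

    location / {
        proxy_set_header X-Real-IP  $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
        # sent. The backend must trust only the entry added by this proxy (the
        # last one), or use X-Real-IP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $http_host is the Host header exactly as the client sent it. The backend
        # must not build links or redirects from it without checking it against
        # the expected host names.
        proxy_set_header Host   $http_host;
        proxy_set_header X-NginX-Proxy true;

        # WebSocket support. proxy_http_version is given once, because repeating
        # it in the same block is rejected as a duplicate directive.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Do not rewrite Location/Refresh headers returned by the backend
        proxy_redirect off;

        proxy_pass http://127.0.0.1:3000;  # backend port
    }

    # /web without the trailing slash goes to the directory URL
    location = /web {
        return 301 $scheme://$host/web/;
    }

    # alias replaces the matched location prefix with the given path. The
    # location prefix and the alias must BOTH end with "/"; when only the alias
    # does, a request can resolve to files outside the aliased directory.
    location ^~ /web/ {
        alias                   /mnt/projects/smart-farm/web/;
        index                   index.html;
        try_files $uri $uri/    /web/index.html; # history mode
    }

    # Home page redirects to /web/. An exact match is needed here: a prefix
    # location with an empty path is never preferred over "location /".
    location = / {
        return 301 $scheme://$host/web/;
    }

}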

# Plain-HTTP listener that sends every request to HTTPS. Status 307 makes the
# client repeat the request with the same method and body.
# NOTE(review): $host is taken from the request; make sure this block is only
# reached for the intended host names (it is not meant to be the default server).
server {
    server_name host;
    listen 80;

    return 307 https://$host$request_uri;
}
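# HTTPS site: /api is proxied to the backend, /console and / are static
# single-page applications.
server {
  listen 443 ssl;
  server_name   host;

  # Certificate chain and private key. The key file should be readable by root only.
  ssl_certificate      /etc/nginx/vhost/cert/3247124_host.pem;
  ssl_certificate_key  /etc/nginx/vhost/cert/3247124_host.key;

  ssl_session_timeout 5m;
  # TLS 1.0 and 1.1 are deprecated and no longer offered here.
  # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; remove it from the
  # list on older builds.
  ssl_protocols TLSv1.2 TLSv1.3;
  # Forward-secret AEAD suites only (applies to TLS 1.2; TLS 1.3 suites are
  # chosen by the TLS library). The earlier broad groups (ECDH, AES, HIGH) also
  # admitted CBC-mode and non-forward-secret suites.
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_prefer_server_ciphers on;
  # Optional hardening once every client is on HTTPS: a Strict-Transport-Security
  # response header (add_header) so browsers stop trying plain HTTP.
  # access_log  /var/log/nginx/access_ssl.log  main;

  location ^~ /api {
    proxy_set_header X-Real-IP  $remote_addr;
    # Appends to the client-supplied X-Forwarded-For; the backend must trust only
    # the entry added by this proxy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Raw Host header from the client; the backend should validate it before use.
    proxy_set_header Host   $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_set_header Connection "";
    proxy_http_version 1.1;
    proxy_pass http://127.0.0.1:8778;
  }

  location ^~ /console {
    # alias replaces the location prefix with the given path; when alias names a
    # directory it must end with "/"
    # alias                   /root/projects/console/;
    # With root, the URI is appended: the projects directory must contain "console"
    # NOTE(review): the prefix has no trailing slash, so any URI that merely
    # starts with /console is also looked up under /root/projects.
    # NOTE(review): serving from /root only works when the workers may traverse
    # /root; a dedicated web root readable by an unprivileged worker user is
    # safer than running the workers as root.
    root                    /root/projects;
    index                   index.html;
    try_files $uri $uri/    /console/index.html; # history mode
  }

  location / {
    root                    /root/projects/node;
    index                   index.html;
    try_files $uri $uri/    /index.html; # history mode
  }
}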

nginx基本配置与参数说明

nginx location指令详解

https

阿里云免费SSL证书

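# HTTPS site: static single-page application, plus two API prefixes proxied to
# local backends.
server {
    listen 443 ssl;
    server_name host;
    ##ssl on;
    root /usr/share/nginx/html/host;
    index index.html;

    # Certificate chain and private key. The key file should be readable by root only.
    ssl_certificate /usr/local/nginx_ssl/1935715_host.anyrtc.io.pem;
    ssl_certificate_key /usr/local/nginx_ssl/1935715_host.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated and no longer offered here.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; remove it from
    # the list on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only (applies to TLS 1.2).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # "main" must be a log_format defined in the http block.
    access_log /var/log/nginx/access_ssl.log main;

    # Headers for the proxied locations below, which define none of their own and
    # therefore inherit these.
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to the client-supplied X-Forwarded-For; the backends must trust
    # only the entry added by this proxy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Raw Host header from the client; the backends should validate it before use.
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;

    # Prefix locations instead of "if ($request_uri ~ ...)" inside "location /":
    # they match on the normalized URI and do not depend on how "if" interacts
    # with try_files. proxy_pass without a URI part forwards the request URI as
    # the client sent it.
    location ^~ /api/server/userconsole {
        proxy_pass http://127.0.0.1:7370;
    }

    location ^~ /api/servernotify/v1 {
        proxy_pass http://127.0.0.1:7390;
    }

    location / {
        try_files $uri $uri/ /index.html; #history mode
    }
}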

问题

  1. connection to raw.githubusercontent.com:443

    在 www.ipaddress.com 查询 raw.githubusercontent.com 的真实 IP 为 185.199.108.133 (以实际为准)
    sudo vim /etc/hosts
    185.199.108.133 raw.githubusercontent.com
    :wq

1.