这是本文档旧的修订版!
NGINX 实践
for Nginx v1.20.1 or Later
最小化 nginx 静态站配置
server {
listen 80;
listen [::]:80;
server_name www.xyz.com; # server_name _ 未提供HOST头部时使用的站点
root /var/www/app-path/
index index.html
location / {
}
}
通常指定网站根目录及首页即可
Nginx + 反向代理 + SSL
server {
listen 80;
listen [::]:80;
server_name www.xxx.com;
return 301 https://$server_name:443$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name c.ezua.com;
charset utf-8;
# ssl配置
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_certificate /etc/letsencrypt/live/www.xxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.xxx.com/privkey.pem;
root /usr/share/nginx/html;
location / {
proxy_ssl_server_name on;
proxy_pass https://bing.imeizi.me;
proxy_set_header Accept-Encoding '';
sub_filter "bing.imeizi.me" "www.xyz.com";
sub_filter_once off;
}
location /long-long-path {
proxy_redirect off;
proxy_pass http://127.0.0.1:20860;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
# Show real IP in v2ray access.log
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
其中:
- 第一个 location 是通用路径反代,获取之后数据之后对部分内容进行替换。
sub_filter指令将获取到的部分内容进行替换 - 使用了高级功能的一些网站可能需要进行传递 Upgrade,以及 Connection 头部,如:WebSocket
- X-Real-IP 多用于代理服务器,向真实服务器传递远程客户端IP地址
- Server Listen 80 端口,并使用301重定向
- X-Forwarded-For XFF头不是标准HTTP头部
- 第二个 location 可以设置的长一点,这样可以把该路径隐藏在转发的网站中
Nginx + PHP-fpm + SSL
预装PHP及PHP-FPM环境
配置PHP fastcgi 转发
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.c.ezua.com;
charset utf-8;
# ssl配置
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_certificate /etc/letsencrypt/live/www.c.ezua.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.c.ezua.com/privkey.pem;
#root /var/www/html/;
root /var/www/dokuwiki/;
index index.php;
location ~ \.(php|php5).* {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php-fpm/www.sock;
include fastcgi_params;
}
location / {
}
}
在配置方面与普通的反代没有区别, fastcgi_pass 除了可以用unix sockets方式转发外,还可以使用 tcp://127.0.0.1:9000 的形式配置,要看 php-fpm.conf 配置文件里面监听的是socket还是端口
Nginx + 负载均衡
暂未涉及
Nginx location 及访问控制
关于 location 匹配规则
语法规则为: location [=|~|~*|^~] /uri/ { … }
- = /path... 为精确匹配
- ^~ /path... 匹配以/path开关的路径。location中的规则无需进行url编解码,当请求为/static/20%/aa,可以被规则^~ /static/ /aa匹配到(注意是空格)
- ~ expr... 匹配包含expr的路径,可用正则表达式
- ~* expr... 同上,但不区分大小写
- !~ expr 与 !~* expr... 反向匹配,匹配不包含指定路径的规则
- / 通用路径匹配,最终路径,所有路径均未匹配时,调用规则
规则匹配顺序
- = /PATH ..., 精确匹配
- ^~ /PATH ..., 首位匹配
- 按照配置文件进行匹配
访问控制
禁止客户端访问指定路径,以下配置节禁止客户端访问/conf/, /bin/, /inc, /vendor/ 等目录
location ~ /(conf|bin|inc|vendor)/ {
allow 192.168.1.0/24;
deny all;
}
针对指定路径返回指定状态,以下配置将路径/usr/c03f883c.db设置为404未找到
location ^~ /usr/c03f883c.db {
return 404;
}