nginx 配置文件
####### nginx.conf
# Worker processes run as the unprivileged www:www account (the master process
# keeps the privileges it needs to bind the listen ports).
user www www;

# One worker per CPU core, each pinned to its own core.
worker_processes auto;
worker_cpu_affinity auto;

# Only critical conditions are recorded.
# NOTE(review): `crit` drops the `error`/`warn` entries (upstream failures,
# rejected requests, certificate problems) that an incident investigation usually
# needs; `error` or `warn` is the more useful level for a production host.
error_log /home/wwwlogs/nginx_error.log crit;

pid /usr/local/nginx/logs/nginx.pid;

# Open-file limit per worker; sized to match worker_connections in events {}.
worker_rlimit_nofile 51200;

events {
    # Linux event notification method.
    use epoll;
    # Maximum simultaneous connections per worker (matches worker_rlimit_nofile).
    worker_connections 51200;
    # Accept one new connection per wake-up instead of draining the whole backlog.
    multi_accept off;
    # Workers compete for new connections directly, without the serialising mutex.
    accept_mutex off;
}

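http {
    include mime.types;
    default_type application/octet-stream;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m; # upload size limit; raised per server block where needed

    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;

    keepalive_timeout 60;

    tcp_nodelay on;

    # FastCGI upstream timeouts and buffers. 300 s is generous: a stalled client or
    # backend holds a worker connection for five minutes before it is released.
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    # Response compression for text-like types; Vary: Accept-Encoding keeps
    # compressed and plain variants apart in caches.
    # NOTE(review): compressing dynamic responses that echo user input next to a
    # secret (CSRF token, session id) exposes that secret to compression-oracle
    # (BREACH-style) attacks over TLS; static assets are unaffected. Confirm which
    # upstream responses reflect request input before relying on gzip for them.
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";

    server_tokens off; # hide the nginx version in the Server header and error pages
    # access_log off; # disable access logging entirely (kept for reference)

    # Access log format; "logf" is the format name referenced by access_log.
    # $request_body is intentionally NOT part of it: request bodies routinely carry
    # passwords, session tokens and personal data, and logging them writes that
    # material in plaintext to access.log for every request. If bodies are ever
    # needed for debugging, send them to a separate, tightly permissioned log for
    # a bounded period rather than the main access log.
    log_format logf '[$time_local] $remote_addr "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
    # NOTE(review): /package/log sits under /package, which another snippet in this
    # file serves with autoindex; keep log directories out of any document root.
    access_log /package/log/access.log logf;

    # Per-site server blocks (relative paths resolve against nginx's prefix directory).
    include vhost/*.conf;
}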


####### 端口转发,322 => 192.168.1.188:22
# Top-level context (a sibling of http {}, not inside it); requires nginx built
# with the stream module.
stream {
    # Plain TCP forward: port 322 on every interface nginx listens on -> SSH on
    # 192.168.1.188:22.
    # NOTE(review): this exposes the internal SSH service to whoever can reach
    # nginx. Restrict the client range with allow/deny (ngx_stream_access_module)
    # or a host firewall — confirm which addresses are meant to use it.
    server {
        listen 322;
        proxy_pass 192.168.1.188:22;
    }
}


####### HTTP => HTTPS
server {
    listen 80;
    server_name *.netnr.com;
  
    # Permanent redirect of every plaintext request to the same host and path over
    # HTTPS. $host comes from the request; the wildcard server_name constrains it
    # to *.netnr.com unless this block is also the default server for port 80, in
    # which case an arbitrary Host header would be echoed into the Location target.
    return 301 https://$host$request_uri;
}


####### @ => www
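server {
    listen 80;
    server_name netnr.com;

    # Apex -> www, in a single 301 straight to HTTPS.
    # The previous `rewrite ^(.*) $scheme://www.$host$1 permanent;` sent clients to
    # http://www.netnr.com first and only then, via the *.netnr.com port-80 block,
    # on to HTTPS — an extra plaintext hop a network attacker can intercept. The
    # target host is written literally rather than derived from $host so a stray
    # Host header can never be reflected into Location. $request_uri keeps the
    # original path and query string, as the rewrite did.
    return 301 https://www.netnr.com$request_uri;
}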


####### SSL 证书
# Snippet: "server /" appears to be the author's shorthand for "inside a server
# block"; it is not standalone nginx syntax.
server / {
    # HSTS left disabled by the author. Enable it only once every *.netnr.com host
    # is served over HTTPS: browsers remember it for max-age, so it cannot be
    # withdrawn quickly.
    # add_header Strict-Transport-Security "max-age=31536000";
    # Certificate chain and private key. The key lives under /package, the same
    # tree another snippet in this file serves with autoindex — keep it out of any
    # document root; nginx reads it in the master process at startup, so the file
    # can stay readable by root only.
    ssl_certificate /package/ssl/netnr.com/fullchain.cer;
    ssl_certificate_key /package/ssl/netnr.com/private.key;

    # Session resumption: 10 MB cache shared by all workers, entries valid 60 min.
    # NOTE(review): session tickets default to on; without ssl_session_ticket_key
    # nginx uses a key generated at startup for the life of the process — confirm
    # that is acceptable, or set ssl_session_tickets off / rotate the key file.
    ssl_session_timeout 60m;
    ssl_session_cache shared:SSL:10m;

    # TLS 1.2 and 1.3 only. The 1.2 suite list is forward-secret AEAD only
    # (ECDHE/DHE key exchange, GCM or CHACHA20-POLY1305); TLS 1.3 suites are not
    # governed by ssl_ciphers and come from the OpenSSL defaults.
    # NOTE(review): the DHE-* entries are only usable when ssl_dhparam is configured
    # somewhere; otherwise nginx skips them — confirm, or drop them from the list.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # Server's list order wins during TLS 1.2 negotiation.
    ssl_prefer_server_ciphers on;
}


####### 自定义错误 404 503
# Snippet: "server /" appears to be the author's shorthand for "inside a server
# block"; it is not standalone nginx syntax.
server / {
    # Upstream responses with status >= 300 are handed to error_page instead of
    # being relayed, so backend error bodies (which may carry stack traces or
    # framework banners) never reach the client.
    proxy_intercept_errors on;

    # 4xx family. The status code is kept (403 stays 403, 413 stays 413); only the
    # body is replaced by html/404.html under the nginx prefix. Note that a
    # forbidden resource is therefore shown with a "not found" page — fine for
    # hiding protected paths, but keep the real code visible in the access log.
    error_page 403 404 408 413 414 /404.html;
    location /404.html {
        root html;
    }

    # 5xx family, served from html/503.html the same way.
    error_page 500 501 503 504 /503.html;
    location /503.html {
        root html;
    }
}


####### 开启 nginx 状态
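# Snippet: "server /" appears to be the author's shorthand for "inside a server
# block"; it is not standalone nginx syntax.
server / {
    # stub_status endpoint: active/accepted/handled connection counters and
    # request totals.
    location /nginx_status {
        stub_status on;
        access_log off;
        # Restrict to loopback. The counters are low-value on their own but hand
        # anyone on the Internet a live load profile of the site. For a remote
        # monitoring collector add `allow <collector-ip>;` (and `allow ::1;` if
        # nginx also listens on IPv6) ahead of `deny all`.
        allow 127.0.0.1;
        deny all;
    }
}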


####### 屏蔽 HEAD 请求
# Snippet: "server /" appears to be the author's shorthand for "inside a server
# block"; it is not standalone nginx syntax.
server / {
    # Refuse HEAD requests. An exact-match comparison replaces the anchored
    # regex `~ ^(HEAD)$`; both are case-sensitive and match only the literal
    # method. 404 (rather than 405) is the author's choice, so a rejected method
    # is indistinguishable from a missing resource.
    if ($request_method = HEAD) {
        return 404;
    }
}


####### upstream 负载均衡,注意:upstream 取名不要下划线_ 与 gzip 冲突
upstream lb-web {
    # Weighted round-robin (the .101 member gets twice the share). A member is
    # taken out for fail_timeout (20 s) once max_fails (2) attempts fail within
    # that window.
    server 192.168.5.100:8080 weight=1 max_fails=2 fail_timeout=20s;
    server 192.168.5.101:8080 weight=2 max_fails=2 fail_timeout=20s;
}
location / {
    proxy_pass http://lb-web;
    # Fail over to the next member on connection errors, timeouts and the listed
    # 5xx responses, at most 3 attempts per request. By default nginx does not
    # re-send non-idempotent methods (POST, LOCK, PATCH) to another member once
    # the request has gone out unless `non_idempotent` is added here, so writes
    # are not silently duplicated.
    proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
    proxy_next_upstream_tries 3;
}


####### Header、Cookie 正常
location / {
    # Rewrite Location/Refresh headers the upstream builds from $host back to the
    # host (and port) the client actually used.
    proxy_redirect http://$host/ http://$http_host/;
    proxy_set_header Host $host;
    # Client address for the upstream. X-Real-IP is overwritten with the
    # connecting address, so it is trustworthy only if nginx is the sole entry
    # point; X-Forwarded-For appends to whatever the client supplied, so the
    # upstream must read it right-to-left and trust only the hop this proxy added.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE-HOST $remote_addr; # non-standard duplicate of X-Real-IP
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Request headers, Cookie included, are forwarded by default; this only makes
    # it explicit.
    proxy_set_header Cookie $http_cookie;
}


####### cookie 无关键字字符阻断访问
location / {
    # Presence check only: a request whose Cookie header does not contain the
    # substring "access_token" (case-sensitive, unanchored) gets 401. Any client
    # can send a cookie by that name with any value, so this is a coarse filter
    # for stray traffic, not authentication — the token itself must still be
    # validated upstream. The 401 carries no WWW-Authenticate header.
    if ($http_cookie !~ 'access_token') {
        return 401;
    }
}


####### CORS 跨域
location / {
    # Open CORS: any origin may read responses to credential-less requests, and
    # `always` adds the headers on error responses too. Allow-Credentials is
    # absent, so browsers will not attach cookies cross-origin — do not add it
    # alongside the '*' origin.
    # NOTE(review): add_header in a location replaces, rather than extends, any
    # add_header lines inherited from the server level; and OPTIONS preflights are
    # not answered here — they fall through to whatever handles this location.
    # Confirm both are intended.
    add_header Access-Control-Allow-Origin '*' always;
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
    add_header Access-Control-Allow-Headers 'tenant-id,DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization' always;
}


####### FTP
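location / {
    # Browsable file share rooted at /package.
    root /package;
    index _index.html;

    # Directory listings, human-readable sizes, timestamps in UTC.
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime off;

    # /package is also where this file keeps the TLS private keys
    # (/package/ssl/...) and the access log (/package/log/...). With autoindex on
    # they would be listed and downloadable, so those subtrees are refused here.
    # Better still, move the share to its own directory so the keys never sit
    # under a served root at all.
    location ~ ^/(ssl|log)/ {
        deny all;
    }
}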


####### 默认访问 index.html,忽略 .html
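location / {
    # "/" -> index.html, "/foo" -> /foo.html when no file or directory "foo"
    # exists, anything else -> 404.
    # Replaces the previous if/rewrite pair (`if ($request_uri = "/") { rewrite
    # ... /$1/index.html last; }` and `if (!-e $request_filename) { rewrite ...
    # /$1.html last; break; }`): `rewrite ... last` re-enters location matching,
    # so a genuinely missing page bounced /x -> /x.html -> /x.html.html ... until
    # nginx's internal-redirect limit answered 500, and the `break` after `last`
    # was never reached. try_files probes each candidate once in order and stops
    # at =404. `$uri/` hands existing directories (including "/") to the index
    # directive, which covers the old explicit "/" -> /index.html case.
    try_files $uri $uri/ $uri.html =404;
}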


####### 代理上游 https,自签证书:https://www.netnr.com/gist/code/5218147624476006375
location / {
    proxy_pass https://10.0.0.5:9951;

    # Client certificate and key nginx presents to the upstream (mutual TLS).
    proxy_ssl_certificate /package/ssl/local/server.crt;
    proxy_ssl_certificate_key /package/ssl/local/server.key;
    # NOTE(review): with verification off nginx will complete the handshake with
    # anything that answers at 10.0.0.5:9951, so the self-signed upstream cert
    # gives no protection against an impostor on the path. Prefer
    # `proxy_ssl_trusted_certificate <path to the upstream's self-signed cert or
    # its issuing CA>` together with `proxy_ssl_verify on` (plus proxy_ssl_name
    # if the certificate's name differs from the IP). The cert the upstream
    # presents is not recorded in this file — confirm its path before enabling.
    proxy_ssl_verify off;
    # Reuse TLS sessions to the upstream across requests.
    proxy_ssl_session_reuse on;
}


####### *.netnr.com
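server {
    listen 443 ssl http2;
    server_name *.netnr.com;
    charset	utf-8;

    # HSTS left disabled by the author; enable once every *.netnr.com host serves
    # HTTPS, since browsers remember it for max-age.
    # add_header Strict-Transport-Security "max-age=31536000";
    # Certificate chain and private key (the key lives under /package — keep that
    # path out of any served document root).
    ssl_certificate /package/ssl/netnr.com/fullchain.cer;
    ssl_certificate_key /package/ssl/netnr.com/private.key;

    # Session resumption: 10 MB cache shared by all workers, entries valid 60 min.
    ssl_session_timeout 60m;
    ssl_session_cache shared:SSL:10m;

    # TLS 1.2/1.3 only; the 1.2 list is forward-secret AEAD only. TLS 1.3 suites
    # are not governed by ssl_ciphers. The DHE-* entries need ssl_dhparam to be
    # usable — confirm it is set elsewhere or drop them.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    client_max_body_size 1000M; # upload size limit (1 GB; applies to every location here)

    # stub_status connection counters. Restricted to loopback: the page was
    # previously readable by anyone and hands out a live load profile of the
    # site. Add `allow <collector-ip>;` ahead of `deny all` for a remote monitor.
    location /nginx_status {
        stub_status	on;
        access_log	off;
        allow 127.0.0.1;
        deny all;
    }

    location / {
        # Rewrite upstream Location/Refresh headers back to the host the client used.
        proxy_redirect http://$host/ http://$http_host/;
        proxy_set_header Host $host;
        # X-Real-IP is overwritten (trustworthy only if nginx is the sole entry
        # point); X-Forwarded-For appends to any client-supplied value, so the
        # upstream must trust only the hop this proxy added.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Cookie $http_cookie; # forwarded by default; explicit here

        # Wildcard-host dispatch: the greedy captures leave $1 as everything before
        # the last two labels, so www.netnr.com gives "www" and a.b.netnr.com gives
        # "a.b". A host with fewer than three labels leaves $sd unset (nginx warns
        # and treats it as empty).
        if ( $host ~* (.*)\.(.*)\.(.*) ) {
            # subdomain prefix
            set $sd $1;
        }

        # Dynamic sites: proxy by prefix. `break` stops further rewrite-phase
        # processing so the static rules below do not run for these hosts.
        if ($sd = "www") {
            proxy_pass http://localhost:50;
            break;
        }

        if ($sd = "rf2") {
            proxy_pass http://localhost:51;
            break;
        }

        # Static sites for every other prefix. No root is set here (the per-prefix
        # one is commented out), so files resolve against the inherited or default
        # root — confirm that is what the remaining hosts expect.
        # root /package/site/$sd;

        # "/" -> /index.html
        if ( $request_uri = "/" ) {
            rewrite ^(.*)$ /$1/index.html last;
        }

        # Missing path -> same path with .html appended. Note this re-enters
        # location matching (`last`), so a genuinely missing page cycles
        # /x -> /x.html -> /x.html.html until nginx's redirect limit answers 500;
        # the `break` after `last` is never reached. A try_files-based rule would
        # avoid the cycle but cannot be mixed with the proxy_pass-in-if branches
        # above without restructuring, so it is left as the author wrote it.
        if (!-e $request_filename) {
            rewrite ^(.*)$ /$1.html last;
            break;
        }
    }
}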