####### nginx.conf — main context and events (directives unchanged, comments added)
# Worker processes run as this user/group.
user www www;
# One worker per CPU core, each bound to its own core.
worker_processes auto;
worker_cpu_affinity auto;
# Only "crit" and above are recorded; warnings and ordinary errors
# (failed upstreams, rejected handshakes, config problems at runtime)
# do not appear at this level, which limits what is available for triage.
error_log /home/wwwlogs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
# Per-worker open-file limit, sized to match worker_connections below.
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
    multi_accept off;
    accept_mutex off;
}
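http {
    include mime.types;
    default_type application/octet-stream;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # Upload size limit (applies to every vhost included below unless overridden).
    client_max_body_size 50m;

    sendfile on;
    sendfile_max_chunk 512k;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;

    # FastCGI timeouts (seconds) and buffer sizes.
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    # Response compression. Compressing pages that echo attacker-controlled
    # input next to a secret (CSRF token, session id) is the precondition
    # for compression side-channel attacks; keep such responses uncompressed.
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";

    # Hide the nginx version in Server headers and error pages.
    server_tokens off;
    # access_log off;   # disable access logging entirely

    # Access log format; "logf" is the format name referenced by access_log.
    # Fix: $request_body was removed from the format. It copied every POST
    # body (passwords, tokens, form data) into a plain-text log file, and an
    # unquoted body containing spaces also broke field-based parsing of the line.
    # If bodies are ever needed for debugging, log them in a separate,
    # access-restricted file under a dedicated log_format.
    log_format logf '[$time_local] $remote_addr "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
    access_log /package/log/access.log logf;

    # Per-site configuration files.
    include vhost/*.conf;
}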
####### Port forwarding, 322 => 192.168.1.188:22 (raw TCP proxy to an SSH host)
stream {
    server {
        listen 322;
        # Any client that can reach port 322 on this host reaches the SSH
        # service behind it; nothing here restricts source addresses.
        # The stream access module's allow/deny directives can limit this
        # to known networks, and the stream access log can record who connects.
        proxy_pass 192.168.1.188:22;
    }
}
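####### Catch-all server: reject requests that do not match a configured host
# (direct IP access, unknown Host headers, bare SNI scans).
server {
    server_name _;
    listen 80 default_server;
    listen 443 ssl default_server;
    listen [::]:80 default_server;
    # Fix: the IPv6 443 listener was missing the "ssl" parameter, so TLS
    # clients on [::]:443 would have been answered with plain HTTP.
    listen [::]:443 ssl default_server;
    charset utf-8;

    # A certificate is required for an ssl listener. Presenting the real
    # site certificate here reveals the hosted names to anyone probing the IP;
    # on nginx builds that support it, "ssl_reject_handshake on" can replace
    # the certificate lines for a catch-all server.
    # No ssl_protocols/ssl_ciphers are set in the http context, so this
    # server uses the nginx defaults.
    ssl_certificate /package/ssl/netnr.com/fullchain.cer;
    ssl_certificate_key /package/ssl/netnr.com/private.key;

    # "return 444" closes the connection without a response; the 500 body
    # below is kept as the author's choice.
    # return 444;
    # Fix: "return <code> <text>" uses default_type for Content-Type, which
    # the http context sets to application/octet-stream; serve the text as text.
    default_type text/plain;
    return 500 "Visit https://www.netnr.com";
}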
####### HTTP => HTTPS redirect for every *.netnr.com name
server {
    listen 80;
    server_name *.netnr.com;
    # $host is taken from the request's Host header but has already been
    # matched against server_name, so it cannot redirect to a foreign host.
    return 301 https://$host$request_uri;
}
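####### Apex (netnr.com) => www.netnr.com
server {
    listen 80;
    server_name netnr.com;
    # Fix: the previous rewrite used $scheme, which is always "http" on this
    # port-80 server, so clients were sent to http://www.netnr.com and then
    # bounced a second time to https by the HTTP => HTTPS server. Redirect
    # straight to the https www host. $request_uri keeps path and query,
    # matching what the rewrite produced (rewrite appends the query string).
    return 301 https://www.netnr.com$request_uri;
}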
####### IPv6: listen on both address families for HTTP and HTTPS
server {
    server_name netnr.com;
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;

    # SSL — certificate only; protocol and cipher settings are not set here
    # and therefore fall back to the http-context/nginx defaults.
    ssl_certificate /package/ssl/netnr.com/fullchain.cer;
    ssl_certificate_key /package/ssl/netnr.com/private.key;
    # ...
}
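####### SSL certificate and TLS settings (template to paste into a server block)
# Fix: "server / {" is not valid nginx syntax — the server directive takes no
# arguments and the config would fail to load. Written as a plain server block.
server {
    # HSTS is left disabled as in the original; enabling it is a one-way
    # commitment for the max-age window, so test over https first.
    # add_header Strict-Transport-Security "max-age=31536000";
    ssl_certificate /package/ssl/netnr.com/fullchain.cer;
    ssl_certificate_key /package/ssl/netnr.com/private.key;
    # Session resumption: 10 MB shared cache, entries valid for 60 minutes.
    ssl_session_timeout 60m;
    ssl_session_cache shared:SSL:10m;
    # TLS 1.0/1.1 are not offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites only (GCM / ChaCha20-Poly1305), ECDHE preferred over DHE.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
}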
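####### Custom error pages for 4xx and 5xx
# Fix: "server / {" is not valid nginx syntax; written as a plain server block.
server {
    # Also replace error responses coming back from proxied upstreams.
    proxy_intercept_errors on;

    # 4xx
    error_page 403 404 408 413 414 /404.html;
    location /404.html {
        root html;
        # Fix: only reachable through the error_page internal redirect;
        # a direct request for /404.html is answered as not found instead
        # of serving the page with a 200 status.
        internal;
    }

    # 5xx
    error_page 500 501 503 504 /503.html;
    location /503.html {
        root html;
        internal;
    }
}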
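####### Enable the nginx stub_status page
# Fix: "server / {" is not valid nginx syntax; written as a plain server block.
server {
    location /nginx_status {
        stub_status on;
        access_log off;
        # Fix: the status page was reachable by anyone. It reveals active
        # connection and request counters, which is reconnaissance material;
        # restrict it to the local host (extend the allow list for a
        # monitoring network if one exists).
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }
}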
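####### Block HEAD requests
# Fix: "server / {" is not valid nginx syntax; written as a plain server block.
server {
    # Answer HEAD with 404. An exact comparison replaces the regex
    # "~ ^(HEAD)$", which matched the same single value.
    if ($request_method = HEAD) {
        return 404;
    }
}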
####### Upstream load balancing
# Author's note: do not use underscores in the upstream name ("conflicts with
# gzip"). NOTE(review): the more commonly documented cause is that the
# upstream name becomes the default Host header sent to the backend and some
# backends reject underscores in host names — verify which applies here.
upstream lb-web {
    # Weighted round-robin; a server is skipped for 20s after 2 failures.
    server 192.168.5.100:8080 weight=1 max_fails=2 fail_timeout=20s;
    server 192.168.5.101:8080 weight=2 max_fails=2 fail_timeout=20s;
}

location / {
    proxy_pass http://lb-web;
    # Retry on connection errors, timeouts and 5xx responses, at most 3 attempts
    # in total. nginx does not retry non-idempotent methods (POST, PATCH, ...)
    # on these conditions unless "non_idempotent" is added, so a failed POST
    # is not replayed by this configuration.
    proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
    proxy_next_upstream_tries 3;
}
####### Pass client headers and cookies through to the backend
location / {
    # Rewrite Location/Refresh headers from the backend back to the
    # host:port the client actually used.
    proxy_redirect http://$host/ http://$http_host/;

    proxy_set_header Host $host;
    # Client address for the backend. X-Forwarded-For appends to whatever
    # the client already sent, so the backend must only trust the last
    # entry (the one this proxy added), not the whole chain.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Forwards the client's Cookie header unchanged.
    proxy_set_header Cookie $http_cookie;
}
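####### Reject requests that do not carry an access_token cookie
location / {
    # Fix: the original tested whether the substring "access_token" appeared
    # anywhere in the raw Cookie header, so any cookie name or value
    # containing that text satisfied it. $cookie_access_token is the value
    # of the cookie actually named access_token; it is empty when the cookie
    # is missing.
    # This is only a presence check — the token is not validated here, and a
    # client can set the cookie to any value. Real authorization must happen
    # in the application behind this location.
    if ($cookie_access_token = "") {
        return 401;
    }
}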
####### CORS
location / {
    # Drop the upstream's own Access-Control-Allow-Origin so the header is
    # not emitted twice.
    proxy_hide_header Access-Control-Allow-Origin;
    # "always" keeps the headers on error responses as well.
    # A wildcard origin makes every response readable from any site; browsers
    # refuse to combine "*" with credentialed requests, so allowing the
    # Authorization header below only helps non-credentialed callers.
    # Narrow the origin for endpoints that return user-specific data.
    add_header Access-Control-Allow-Origin '*' always;
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
    add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,tenant-id' always;
    # Preflight (OPTIONS) requests are not answered here; they go to the
    # backend like any other request.
}
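####### "FTP"-style directory listing
location / {
    root /package;
    index _index.html;
    # Directory listing for paths without an index file.
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime off;

    # Fix: this configuration also keeps /package/ssl/ (private keys) and
    # /package/log/ (access log) under the same root, so with autoindex on
    # they were browsable and downloadable. Refuse those subtrees explicitly.
    # Any other sensitive directory under /package needs the same treatment,
    # or — better — a root that holds only files meant to be published.
    location ^~ /ssl/ {
        deny all;
    }
    location ^~ /log/ {
        deny all;
    }
}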
####### Single-page app: reloading a client-side route must not return 404
location / {
    root /package/site/www;
    # Serve the file or directory if it exists, otherwise hand the request
    # to index.html (query string preserved) so the client router handles it.
    try_files $uri $uri/ /index.html?$args;
}
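####### Serve index.html by default and allow omitting the .html extension
location / {
    # Fix: the two if/rewrite rules were replaced by try_files.
    #  - "rewrite ^(.*)$ /$1.html last" prefixed a second slash (/foo -> //foo.html)
    #    and, when /foo.html did not exist either, re-entered this location and
    #    rewrote again (//foo.html.html, ...) until nginx aborted the redirect
    #    cycle with a 500.
    #  - the "break" after "rewrite ... last" was never reached.
    # try_files checks each candidate once, in order, and ends with a 404.
    index index.html;
    try_files $uri $uri.html $uri/ =404;
}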
####### Proxy to an https upstream that uses a self-signed certificate
# Background: https://www.netnr.com/gist/code/5218147624476006375
location / {
    proxy_pass https://10.0.0.5:9951;
    # Client certificate presented to the upstream.
    proxy_ssl_certificate /package/ssl/local/server.crt;
    proxy_ssl_certificate_key /package/ssl/local/server.key;
    # With verification off the upstream's certificate is not checked at all:
    # the hop is encrypted but the peer is not authenticated, so anything that
    # can intercept traffic to 10.0.0.5:9951 can impersonate it. Trusting the
    # self-signed certificate (or its issuing CA) via
    # proxy_ssl_trusted_certificate and setting proxy_ssl_verify on keeps the
    # self-signed setup while restoring authentication.
    proxy_ssl_verify off;
    proxy_ssl_session_reuse on;
}
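####### www.netnr.com
server {
    listen 443 ssl http2;
    server_name www.netnr.com;
    charset utf-8;

    # SSL
    # HSTS is left disabled as in the original.
    #add_header Strict-Transport-Security "max-age=31536000";
    ssl_certificate /package/ssl/netnr.com/fullchain.cer;
    ssl_certificate_key /package/ssl/netnr.com/private.key;
    ssl_session_timeout 60m;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # status
    location /nginx_status {
        stub_status on;
        access_log off;
        # Fix: the status page was open to the internet on the public site;
        # connection/request counters are reconnaissance material. Limit it to
        # the local host (add a monitoring network to the allow list if needed).
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    location / {
        # CORS — wildcard origin on the public site; browsers will not send
        # credentials to "*", so the Authorization header in the allow list
        # only serves non-credentialed callers.
        add_header Access-Control-Allow-Origin '*' always;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,tenant-id' always;

        proxy_redirect http://$host/ http://$http_host/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        # Backend must trust only the last X-Forwarded-For entry (added here).
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Cookie $http_cookie;
        proxy_pass http://localhost:51;

        # Default to .html when the file does not exist locally.
        # NOTE(review): no root is set in this server, so $request_filename
        # resolves under nginx's default html directory, not the backend. For
        # a path that does not exist there this rewrite ("last") re-enters the
        # location and rewrites again (//foo.html, //foo.html.html, ...) until
        # nginx stops the cycle — proxy_pass is then never reached. The
        # "break" after "rewrite ... last" is unreachable. Confirm against
        # real traffic; if the backend should serve these paths, the if-block
        # can be dropped.
        if (!-e $request_filename) {
            rewrite ^(.*)$ /$1.html last;
            break;
        }
    }
}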