Nginx/Tengine通用配置教程,包含多域名共用一个端口指向不同程序、Nginx负载均衡配置、Https配置、禁止通过IP访问、设置访问流量并发速率、Nginx反代PHP、Nginx反代Tomcat。

Nginx/Tengine通用配置教程

Nginx通用配置:

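# Main (top-level) context: process identity, worker layout, logging.
user www www;                       # master stays root to bind ports; workers run as www
worker_processes auto;              # one worker per CPU core
worker_cpu_affinity auto;           # pin each worker to a core
dso {
	load ngx_http_concat_module.so;     # Tengine dynamically loaded modules
	load ngx_http_sysguard_module.so;
}

# Log at "error" rather than the original "crit": denied requests, upstream
# failures and TLS problems are typically reported at error/warn level, so a
# crit-only log hides exactly the events an operator needs for detection.
error_log /data/wwwlogs/error_nginx.log error;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;         # keep >= worker_connections in events {}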

events {
  # Connection-handling settings: accept as many pending connections as
  # possible per wakeup, cap simultaneous connections per worker, and use
  # the Linux epoll notification method.
  multi_accept on;
  worker_connections 51200;
  use epoll;
}

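http {
  include mime.types;
  default_type application/octet-stream;
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  # 1 GiB request bodies are accepted by every vhost below; if only one
  # upload endpoint needs that, set client_max_body_size in that location.
  client_max_body_size 1024m;
  client_body_buffer_size 10m;
  sendfile on;
  tcp_nopush on;
  keepalive_timeout 120;
  server_tokens off;                # hide the version in Server: and error pages
  tcp_nodelay on;

  # FastCGI (PHP backend) timeouts and buffers
  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;
  fastcgi_intercept_errors on;      # let error_page handle error codes from PHP

  #Gzip Compression
  gzip on;
  gzip_buffers 16 8k;
  gzip_comp_level 6;
  gzip_http_version 1.1;
  gzip_min_length 256;
  gzip_proxied any;                 # compress proxied responses too
  gzip_vary on;
  gzip_types
    text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
    text/javascript application/javascript application/x-javascript
    text/x-json application/json application/x-web-app-manifest+json
    text/css text/plain text/x-component
    font/opentype application/x-font-ttf application/vnd.ms-fontobject
    image/x-icon;
  gzip_disable "MSIE [1-6]\.(?!.*SV1)";

  #If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
  open_file_cache max=1000 inactive=20s;
  open_file_cache_valid 30s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;        # negative lookups are cached as well

  # Catch-all for requests whose Host matches no server_name (raw IP,
  # scanners): 444 closes the connection without sending a response.
  # This covers port 80 only; once HTTPS vhosts exist, 443 needs its own
  # default_server as well, otherwise IP access lands in the first ssl server.
  server {
    listen       80  default_server;
    server_name  _;
    return       444;
  }

  server {
    listen 80;
    server_name v.4xx.me;
    access_log /data/wwwlogs/v.4xx.me_nginx.log combined;
    index index.html index.htm index.jsp;
    root /data/wwwroot/v.4xx.me;    # optional for a pure reverse proxy

    #error_page 404 /404.html;
    #error_page 502 /502.html;
    # "location /" replaces the original "location ~" (an empty regex that
    # matched everything). With a single location the behaviour is the same,
    # and the prefix form is the documented way to write a catch-all.
    location / {
      proxy_pass http://127.0.0.1:8080;
      proxy_connect_timeout 300s;
      proxy_send_timeout 900;
      proxy_read_timeout 900;
      proxy_buffer_size 32k;
      proxy_buffers 4 64k;
      proxy_busy_buffers_size 128k;
      proxy_redirect off;
      # Backend is asked not to compress (empty Accept-Encoding) so that only
      # nginx negotiates encoding; its Vary header is dropped for the same reason.
      proxy_hide_header Vary;
      proxy_set_header Accept-Encoding '';
      proxy_set_header Referer $http_referer;   # forwarded by default; kept for explicitness
      proxy_set_header Cookie $http_cookie;
      proxy_set_header Host $host;
      # Client-address headers the backend relies on; X-Forwarded-For appends
      # to any value already present, so it is only trustworthy when the
      # previous hop is trusted.
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    }
  }

}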

Nginx共用一个端口指向不同程序

#主要通过域名判断
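    # Virtual host 1: selected purely by the Host header on the shared port 80.
    server {
        listen 80;
        server_name 域名1;                                  # first hostname
        access_log /data/wwwlogs/v.4xx.me_nginx.log combined;  # give each vhost its own log file in practice
        index index.html index.htm index.jsp;
        root /data/wwwroot/v.4xx.me;    # optional for a pure reverse proxy

        #error_page 404 /404.html;
        #error_page 502 /502.html;
        # Prefix catch-all instead of the original empty-regex "location ~";
        # identical behaviour when it is the only location.
        location / {
            proxy_pass http://127.0.0.1:8080;               # application 1
            include proxy.conf;
        }
    }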
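    # Virtual host 2: same port, different Host header, different backend.
    # The original example proxied both hostnames to the same 127.0.0.1:8080,
    # which contradicts "one port, different applications"; 8081 below is a
    # constructed example port for the second application.
    server {
        listen 80;
        server_name 域名2;                                  # second hostname
        access_log /data/wwwlogs/v.4xx.me_nginx.log combined;  # give each vhost its own log file in practice
        index index.html index.htm index.jsp;
        root /data/wwwroot/v.4xx.me;    # optional for a pure reverse proxy

        #error_page 404 /404.html;
        #error_page 502 /502.html;
        # Prefix catch-all instead of the original empty-regex "location ~";
        # identical behaviour when it is the only location.
        location / {
            proxy_pass http://127.0.0.1:8081;               # application 2 (constructed example)
            include proxy.conf;
        }
    }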

Nginx负载均衡配置

#tomcat例子,php同理
# Backend pool for the Tomcat instances; a PHP pool is written the same way.
upstream tomcats {
         # Tengine session stickiness: an inserted cookie pins a client to
         # the backend that served it; fallback=on lets it move if that backend fails.
         session_sticky cookie=SESSION.V.4XX.ME fallback=on mode=insert option=direct;
         server 127.0.0.1:9001 weight=1;
         server 192.168.128.1:80 weight=1;  # weight: relative share of traffic; LAN hosts can be pooled too
   	}

# Front-end vhost that spreads requests over the "tomcats" pool.
server {
  server_name  域名;
  listen       80;
  location / {
    # Strip the sticky-session cookie before the request reaches the backend.
    session_sticky_hide_cookie upstream=tomcats;
    proxy_pass http://tomcats;
    include proxy.conf;
  }
}

Nginx开启Https

#需要nginx先安装了ssl相关模块

#php Typecho博客的配置,用的fastcgi_pass unix:/dev/shm/php-cgi.sock;
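server {
  listen 80;
  listen 443 ssl http2;
  ssl_certificate /usr/local/tengine/conf/ssl/4xx.me_ssl.crt;       # certificate (should include the intermediate chain)
  ssl_certificate_key /usr/local/tengine/conf/ssl/4xx.me_ssl.key;
  # TLS 1.0/1.1 are deprecated (RFC 8996), and the original cipher list also
  # offered 3DES and non-forward-secret RSA key exchange. TLSv1.3 needs a
  # build against OpenSSL 1.1.1+; drop that token if this build rejects it.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5:!aNULL;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  # Shared cache only: nginx advises against combining the builtin (per-worker)
  # cache with a shared one.
  ssl_session_cache shared:SSL:10m;
  ssl_buffer_size 1400;
  add_header Strict-Transport-Security max-age=15768000;
  # Stapling verification needs the issuer chain (ssl_trusted_certificate) and
  # a resolver; watch error_log for stapling warnings after reload.
  ssl_stapling on;
  ssl_stapling_verify on;
  server_name 4xx.me;
  access_log /data/wwwlogs/4xx.me_nginx.log combined;
  index index.html index.htm index.php;
  root /data/wwwroot/4xx.me;
  # Plain-HTTP requests (no TLS protocol negotiated) get a permanent redirect.
  if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

  # Typecho front controller: anything that is not an existing file or
  # directory is routed to /index.php with the original URI appended as path info.
  if (!-e $request_filename) {
    rewrite ^(.*)$ /index.php$1 last;
  }

  # Block every dot-file and dot-directory (.git, .svn, .env, .htaccess, ...),
  # not only ".ht*"; /.well-known/ stays reachable for ACME challenges.
  # Listed first because regex locations are matched in order of appearance.
  location ~ /\.(?!well-known/) {
    deny all;
  }

  location ~ [^/]\.php(/|$) {
    # Split "/index.php/archives/1" into $fastcgi_script_name=/index.php and
    # $fastcgi_path_info=/archives/1; replaces the hand-rolled if/set regex.
    fastcgi_split_path_info ^(.+?\.php)(/.+)$;
    # Hand off only scripts that exist on disk. With PHP's cgi.fix_pathinfo=1 a
    # non-existent SCRIPT_FILENAME makes PHP walk back along the path and run
    # the first file it finds, which may be an uploaded non-PHP file.
    if (!-f $document_root$fastcgi_script_name) { return 404; }

    fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_index index.php;

    # Each parameter exactly once (the original passed SCRIPT_FILENAME and
    # SCRIPT_NAME twice with different values).
    fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
    fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
    fastcgi_param  PATH_INFO          $fastcgi_path_info;
    fastcgi_param  QUERY_STRING       $query_string;
    fastcgi_param  REQUEST_METHOD     $request_method;
    fastcgi_param  CONTENT_TYPE       $content_type;
    fastcgi_param  CONTENT_LENGTH     $content_length;

    fastcgi_param  REQUEST_URI        $request_uri;
    fastcgi_param  DOCUMENT_URI       $document_uri;
    fastcgi_param  DOCUMENT_ROOT      $document_root;
    fastcgi_param  SERVER_PROTOCOL    $server_protocol;
    fastcgi_param  HTTPS              $https if_not_empty;

    fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
    fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

    fastcgi_param  REMOTE_ADDR        $remote_addr;
    fastcgi_param  REMOTE_PORT        $remote_port;
    fastcgi_param  SERVER_ADDR        $server_addr;
    fastcgi_param  SERVER_PORT        $server_port;
    fastcgi_param  SERVER_NAME        $server_name;

    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param  REDIRECT_STATUS    200;
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  # The original pattern "\.(js|css)?$" made the extension optional, so any
  # URI ending in "." matched as well.
  location ~ .*\.(js|css)$ {
    expires 7d;
    access_log off;
  }
}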


#java tomcat配置
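server {
  listen 80;
  listen 443 ssl http2;
  ssl_certificate /usr/local/tengine/conf/ssl/4xx.me_ssl.crt;       # certificate (should include the intermediate chain)
  ssl_certificate_key /usr/local/tengine/conf/ssl/4xx.me_ssl.key;
  # TLS 1.0/1.1 are deprecated (RFC 8996), and the original cipher list also
  # offered 3DES and non-forward-secret RSA key exchange. TLSv1.3 needs a
  # build against OpenSSL 1.1.1+; drop that token if this build rejects it.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5:!aNULL;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  # Shared cache only: nginx advises against combining the builtin (per-worker)
  # cache with a shared one.
  ssl_session_cache shared:SSL:10m;
  ssl_buffer_size 1400;
  add_header Strict-Transport-Security max-age=15768000;
  # Stapling verification needs the issuer chain (ssl_trusted_certificate) and
  # a resolver; watch error_log for stapling warnings after reload.
  ssl_stapling on;
  ssl_stapling_verify on;
  server_name 域名;
  access_log /data/wwwlogs/4xx.me_nginx.log combined;
  index index.html index.htm index.jsp;
  root /data/wwwroot/4xx.me;
  # Plain-HTTP requests (no TLS protocol negotiated) get a permanent redirect.
  if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

  #error_page 404 /404.html;
  #error_page 502 /502.html;
  # Prefix catch-all instead of the original empty-regex "location ~";
  # identical behaviour when it is the only location.
  location / {
    proxy_pass http://127.0.0.1:8080;
    include proxy.conf;
  }

}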

禁止通过IP访问

#如果不是域名访问,就直接返回444错误
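    # Requests whose Host matches no server_name (raw IP, scanners) get 444,
    # which closes the connection without sending any response.
    server {
        listen       80  default_server;
        server_name  _;
        return       444;
    }
    # Port 80 alone is not enough once HTTPS vhosts exist: a request by IP on
    # 443 would otherwise be answered by the first ssl server, exposing its
    # certificate and content. ssl_reject_handshake needs nginx 1.19.4+ (or a
    # Tengine based on it); on older builds supply a self-signed
    # ssl_certificate / ssl_certificate_key here instead.
    server {
        listen       443 ssl default_server;
        server_name  _;
        ssl_reject_handshake on;
        return       444;
    }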

设置访问流量并发速率,可防御少量DDoS、CC流量攻击

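# Both *_zone directives belong in the http {} context; the limit directives
# themselves go in server/location. $binary_remote_addr keys on the TCP peer,
# so behind another proxy or CDN every client shares one bucket; configure the
# realip module so $remote_addr is the real client before relying on this.
limit_req_zone $binary_remote_addr zone=qpscon:10m rate=10r/s;   # 10 requests per second per client IP
limit_conn_zone $binary_remote_addr zone=perip:10m;              # concurrent connections per client IP
server {
    listen       80;
    server_name  域名;
    location / {
        limit_req zone=qpscon burst=10 nodelay;   # burst: up to 10 extra requests accepted at once, then 503/429
        limit_conn perip 20;                      # constructed example: at most 20 open connections per IP
        # 429 instead of the default 503 makes throttled requests distinguishable
        # from backend failures in the access log.
        limit_req_status 429;
        limit_conn_status 429;
        proxy_pass http://tomcats;
        include proxy.conf;
    }
}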

php、tomcat的配置在上边的例子中已有,就不再赘述了