Nginx common configuration snippets and use cases

More configuration troubleshooting references: https://xinzhiba.top

nginx configuration

Examples

Status code conversion

Reference: http://nginx.org/en/docs/http/ngx_http_core_module.html

    error_page 404 $scheme://$http_host/securitybook/404.html;  # $http_host is taken from the client's Host header; prefer $host or a fixed hostname in redirect targets
    error_page 403      http://example.com/forbidden.html;
    error_page 404 =301 http://example.com/notfound.html;
    error_page 404 =200 /empty.gif;     # convert the status code
    error_page 500 502 503 504 /50x.html;

nginx: disable logging

Turn off favicon.ico logging and deny access to hidden files

# Put the following configuration inside the server {} block.
# Do not log a missing favicon.ico
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
# Deny access to hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# The dot must be escaped: "~ /." matches a slash followed by ANY character and would deny every request.
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

Parameter: listen examples

listen 127.0.0.1:8000;
listen 127.0.0.1;  # equivalent to listening on port 80
listen 8000;
listen *:8000;
listen localhost:8000;

Parameters: the difference between root and alias

Difference between alias and root

prefix=/var/lib/nginx
The html directory contains download/index.html

        # Only one root/alias line can be active at a time; the four below are alternatives.
        location /download {
           alias html/download/;  #1 same result as #4
           root /var/lib/nginx/html; #2 the request resolves to /var/lib/nginx/html//download/index.html
           alias /var/lib/nginx/html/; #3 with or without a trailing / on the location the result is the same as with /; the request resolves to /var/lib/nginx/html/index.html
           alias /var/lib/nginx/html/xxxxxxx/; #4 likewise; the request resolves to /var/lib/nginx/html/xxxxxxx/index.html when accessed at http://127.0.0.1:8010/download/index.html
        }
After making sure file permissions are correct, open:

http://127.0.0.1:8010/download/
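As an added illustration (not part of the original post, and a Python simulation rather than nginx's own code), the following models two points from this page: how root and alias map a request URI to a file path, using the page's prefix /var/lib/nginx, and why the hidden-file block must be written `~ /\.` rather than `~ /.`. The function names and sample URIs are the example's own.

```python
import posixpath
import re

NGINX_PREFIX = "/var/lib/nginx"   # the prefix used on this page


def resolve_path(uri, location, directive, value, prefix=NGINX_PREFIX):
    """Model how nginx maps a request URI to a file path.

    root:  file = <root> + <full URI>
    alias: file = <alias> + <URI with the matched location prefix removed>
    A relative root/alias value is taken relative to the nginx prefix.
    Returns (raw concatenation, normalized path).
    """
    if not uri.startswith(location):
        raise ValueError("URI %r does not match location %r" % (uri, location))
    if not value.startswith("/"):
        value = prefix + "/" + value
    if directive == "root":
        raw = value + uri
    elif directive == "alias":
        raw = value + uri[len(location):]
    else:
        raise ValueError("unknown directive %r" % directive)
    # nginx hands the concatenated string to the filesystem as-is; a doubled
    # slash ("html//index.html") is harmless there, so the clean form is returned too.
    return raw, posixpath.normpath(raw)


# Hidden-file patterns: as written on the page versus the escaped form.
HIDDEN_BROKEN = re.compile(r"/.")   # "/" followed by ANY character
HIDDEN_FIXED = re.compile(r"/\.")   # "/" followed by a literal dot


def is_denied(uri, pattern):
    """True when a 'location ~ <pattern> { deny all; }' block would match the URI."""
    return pattern.search(uri) is not None


if __name__ == "__main__":
    for directive, value in [("alias", "html/download/"),
                             ("root", "/var/lib/nginx/html"),
                             ("alias", "/var/lib/nginx/html/")]:
        print(directive, value, "->", resolve_path("/download/index.html", "/download", directive, value))
    for uri in ["/index.html", "/.htaccess", "/app/.git/config"]:
        print(uri, "broken:", is_denied(uri, HIDDEN_BROKEN), "fixed:", is_denied(uri, HIDDEN_FIXED))
```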

Automatic home-page redirect

location / {
   root html;
   index index.html index.htm;
}

/usr/local/nginx/html/index.html

<html><head><meta http-equiv="Refresh" content="0; URL=/docs"/></head></html>
<html><head><meta http-equiv="Refresh" content="0; URL=/manual"/></head></html>

Certificates

https://syslink.pl/cipherlist/

https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx

HTTPS certificate configuration; a .pem file can also be used as .crt

Example

    ssl_protocols TLSv1.2; # TLSv1.3 requires nginx >= 1.13.0; otherwise use TLSv1.2 only
    #ssl_dhparam ssl/dhparam.pem;
    ssl_certificate  ssl/star_zjzwfw_gov_cn.pem;
    ssl_certificate_key  ssl/star_zjzwfw_gov_cn.key;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 223.5.5.5 114.114.114.114 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
   
Note: add_header X-Frame-Options DENY; here may prevent some page modules from displaying because of the framing restriction. That line can be commented out.
ssl_dhparam
nginx: [emerg] BIO_new_file("/etc/nginx/ssl.crt/dhparams.pem") failed

Generate this file with the following command; generation time grows with the bit size, from 64 up to 4096.
https://www.cnblogs.com/f-ck-need-u/p/7103791.html
openssl dhparam -out dhparam.pem 512    # 512 and 1024 bits are too weak for production use
openssl dhparam -out dhparam.pem 1024
openssl dhparam -out dhparam.pem 4096   # 2048 bits or more is recommended

Reverse proxy

Example

    location ~ /abc {
        proxy_pass http://abc_server;

        proxy_set_header Host $host:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location ~ /dog {
        proxy_pass http://dog_server;
        proxy_set_header Host $host:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

Parameter: proxy_pass

    server {
        listen       80;
        server_name  xinzhiba.top;
#       if ($host != 'xinzhiba.top') {
#           return 403;
#       }
        proxy_connect_timeout 75s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_http_version 1.1;
    }

upstream

Parameter meanings
down: the server temporarily does not participate in load balancing
backup: reserved backup server, used only when all primary servers are unavailable
max_fails: number of failed attempts allowed
fail_timeout: how long the server is paused after max_fails failures (default 10s), giving operators time to fix the backend
max_conns: limit on the maximum number of connections accepted

upstream bmfw {
   server ip:8081 down;                          # disabled
   server ip:8082 backup;                        # used only when all primary servers are down
   server ip:8083 max_fails=3 fail_timeout=5s;   # allow 3 failures; after 3 failures pause the server for 5s
}