1.nginx跨域(CORS)响应头配置
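# CORS response headers; place in the server or location that answers
# cross-origin requests.
# NOTE(review): echoing $http_origin approves every requesting origin, which is
# equivalent to a wildcard. If only known front-ends should read these
# responses, replace $http_origin with a variable set by an http-level map that
# returns the origin only when it is on an allowlist. Never combine a reflected
# origin with Access-Control-Allow-Credentials.
add_header Access-Control-Allow-Origin $http_origin;
# The value above depends on the request's Origin header, so downstream caches
# must key on it.
add_header Vary Origin;
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
add_header Access-Control-Allow-Headers '*';
# Answer CORS preflight requests directly with an empty 204.
if ($request_method = 'OPTIONS') { return 204; }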
2.nginx缓存配置

2.1 http下先定义缓存空间

# http context: on-disk cache store plus its shared-memory key zone.
#   levels=1:2          two-level directory layout under the cache path
#   keys_zone=...:500m  zone "cache_html", 500m of shared memory for keys
#   inactive=1d         entries not requested for one day are dropped
#   max_size=1g         upper bound for cached data
proxy_cache_path /dev/shm/nginx_cache/proxy_cache_dir
                 levels=1:2 keys_zone=cache_html:500m
                 inactive=1d max_size=1g;
# Scratch directory for proxied responses while they are being received.
proxy_temp_path /dev/shm/nginx_cache/proxy_temp_dir;
# NOTE(review): /dev/shm is a tmpfs shared by all local users. Confirm that
# nginx_cache is owned by the nginx worker user and not writable by others.

2.2 在需要进行缓存的location 下配置

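# Response caching for one location. The cache key contains no cookie or
# authorization data, so enable this only where every visitor receives the
# same content.
proxy_cache cache_html;                  # zone declared by proxy_cache_path
proxy_cache_valid 200 304 15m;           # keep 200 and 304 responses for 15 minutes
proxy_cache_key $host$uri$is_args$args;  # key: host + URI + query string
proxy_set_header Host $host;             # Host header sent to the backend
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Serve a stale cached copy when the backend errors, times out, returns an
# invalid header or 500/502/504, or while the entry is being refreshed.
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_504;
# Cache responses even when the backend sets a cookie (raises the hit rate).
proxy_ignore_headers Set-Cookie;
# A cached response would otherwise replay one visitor's Set-Cookie to every
# later visitor served from the cache, so never forward it from this location.
proxy_hide_header Set-Cookie;
# Ignore the backend's cache headers (raises the hit rate).
# NOTE(review): this also caches responses marked private or no-store. Confirm
# that no personalised pages are served under this location.
proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
add_header Nginx-Cache "$upstream_cache_status";  # expose HIT/MISS/... to the client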

2.3 配置清理nginx缓存,前提是nginx需要安装purge模块;清理缓存时,将要清理的URL路径放到/purge/后面进行请求

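# Cache purge endpoint: requesting /purge/<path> evicts <path> from the cache.
# Needs nginx built with a module that provides proxy_cache_purge.
location ~ ^/purge(/.*) {
    # Purging is limited to loopback and the internal range.
    # NOTE(review): if another proxy in 192.168.0.0/16 fronts this server, every
    # request arrives from that proxy's address and passes this check. Confirm
    # the topology.
    allow 127.0.0.1;
    allow 192.168.0.0/16;
    deny all;
    add_header X-Purge 'cache_html';
    # Zone name and key must match the proxy_cache / proxy_cache_key of the
    # cached location (zone cache_html, key $host$uri$is_args$args). The
    # original named a different zone, so the purge would miss those entries.
    proxy_cache_purge cache_html $host$1$is_args$args;
}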
3.nginx配置websocket反向代理
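# WebSocket reverse proxy settings for the proxying location.
# The Upgrade handshake needs HTTP/1.1 towards the backend.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# NOTE(review): clearing Origin removes the value a backend uses to reject
# WebSocket handshakes started by other sites. Keep this line only if the
# origin is validated elsewhere (for example here in nginx, before proxying);
# otherwise pass the header through and let the backend check it.
proxy_set_header Origin "";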
4.nginx配置json日志格式
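# JSON access-log format "lognormal" (http context).
# escape=json (nginx 1.11.8+) escapes quotes, backslashes and control
# characters in variable values. Without it a crafted User-Agent, Referer or
# X-Forwarded-For can break the JSON or forge extra fields in the log line.
log_format lognormal escape=json
    '{"@timestamp":"$time_iso8601","remote_addr":"$remote_addr","host":"$host","request_method":"$request_method","uri":"$uri","request_uri":"$request_uri",'
    '"status":$status,"body_bytes_sent":$body_bytes_sent,"http_referer":"$http_referer",'
    '"http_user_agent":"$http_user_agent","http_x_forwarded_for":"$http_x_forwarded_for",'
    '"upstream_addr":"$upstream_addr","upstream_status":"$upstream_status","upstream_response_time":"$upstream_response_time",'
    '"server_addr":"$server_addr","request_time":$request_time,"scheme":"$scheme",'
    '"remote_port":"$remote_port"}';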
5.nginx https的标准设置
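# HTTPS listener (server context).
listen 443 ssl http2;  # http2 needs nginx built with the HTTP/2 module
# HSTS is left disabled. Enable it only once every subdomain serves HTTPS,
# because browsers remember the policy for max-age and "preload" is hard to undo.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#ssl                         on;
ssl_certificate             cert/xx.crt;
# The private key should be readable only by the account that starts nginx.
ssl_certificate_key         cert/xx.key;
ssl_prefer_server_ciphers   on;
# TLS 1.2 suites reduced to the forward-secret AES-GCM entries of the original
# list. The 3DES, CBC/SHA-1 and static-RSA entries and the HIGH catch-all are
# dropped. The DHE suites are only offered when ssl_dhparam is configured.
# TLS 1.3 suites are not controlled by this directive.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# TLS 1.0 and 1.1 are deprecated (RFC 8996), so they are no longer offered.
# Clients that cannot speak TLS 1.2 will fail to connect.
ssl_protocols               TLSv1.2 TLSv1.3;
ssl_session_cache           shared:SSL:20m;
ssl_session_timeout         10m;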
6.nginx通过map定义变量

6.1 通过定义变量获取网友的真实IP:先取X-Forwarded-For,为空时取$remote_addr

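# http context: $clientRealIp = first address in X-Forwarded-For, otherwise the
# peer address.
# NOTE(review): X-Forwarded-For is written by the client, and the leftmost
# entry is whatever the sender chose. Use $clientRealIp for logging and
# statistics. For access control or rate limiting use $remote_addr, or the
# realip module (set_real_ip_from / real_ip_header) limited to your own proxies.
map $http_x_forwarded_for $clientRealIp {
    # Header present but not starting with a dotted IPv4 value (for example
    # IPv6): fall back to the peer address instead of an empty string.
    default $remote_addr;
    ""      $remote_addr;
    ~^(?P<firstAddr>[0-9\.]+),?.*$    $firstAddr;
}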

6.2 获取网友真实IP的C段配置

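# http context: $cRealIp = first three octets (the /24 prefix) of the first
# address in X-Forwarded-For. With no default entry the variable is empty when
# the header is missing or does not start with an IPv4 address.
# NOTE(review): the header is client-supplied, so treat the result as a hint
# for grouping or statistics, not as proof of where a request came from.
map $http_x_forwarded_for $cRealIp {
    ~^(?P<cfirstAddr>[\d]+\.[\d]+\.[\d]+),?.*$    $cfirstAddr;
}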

6.3 区分爬虫和真实网友的useragent

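# http context: $useragent is "spider" when the User-Agent contains "spider" or
# "bot" (case-insensitive), otherwise empty.
# NOTE(review): User-Agent is chosen by the client. Use this label for routing
# or statistics only, never to grant access to anything.
map $http_user_agent $useragent {
    default  "";
    ~*spider "spider";
    ~*bot    "spider";
}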
7.nginx通过useragent进行爬虫或手机端判断

7.1通过useragent判断爬虫

# Route requests whose User-Agent looks like a crawler to the /SPIDER tree.
# The match is case-insensitive and unanchored, so any UA containing one of
# these substrings is rewritten.
# NOTE(review): User-Agent is client-controlled, so any client can reach the
# /SPIDER content by sending such a value. Do not rely on this as a gate.
# NOTE(review): presumably placed at server level; inside a location, "last"
# restarts location matching and could re-enter this block. Confirm.
if ( $http_user_agent ~* (spider|bot|Yahoo\!|dita|crawl) ) {
         rewrite (.*) /SPIDER$1 last;
      }

7.2 通过useragent判断手机端

# Route requests whose User-Agent looks like a phone or tablet to the /WAP tree.
# The match is case-insensitive and unanchored.
# NOTE(review): User-Agent is client-controlled, so this is a presentation
# choice only. /WAP content must be safe to serve to any client.
if ( $http_user_agent ~* (mobile|nokia|iphone|ipad|ipod|android|samsung|htc|blackberry) ) {
         rewrite (.*) /WAP$1 last;
      }
8.nginx通过404下一跳访问另外一组机器

8.1通过404状态码可以实现相同入口下,两组机器资源不一致的情况

# First backend group (primary).
upstream WEB_APP {
    # max_fails=0 switches off failure counting for this server.
    server 172.16.1.1:6020 max_fails=0 fail_timeout=2s;
}
    
    # Second backend group (used as the 404 fallback).
    upstream WEB_HTML {
        # max_fails=0 switches off failure counting for this server.
        server 172.16.1.2:6060 max_fails=0 fail_timeout=2s;
    }
        # Requests under /aa go to the first group. A 404 from it is retried
        # against the second group through the named fallback location.
        location ~ ^/aa {
            proxy_pass http://WEB_APP;
            proxy_redirect off;

            # Headers forwarded to the backend.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Hand backend error responses to error_page instead of relaying them.
            proxy_intercept_errors on;
            # Allow error_page handling to chain, so errors from the fallback
            # are processed as well.
            recursive_error_pages on;
            # "=" makes the client see the status returned by the fallback.
            error_page 404 = @WEB_APP_fallback;
        }
        
        # Named fallback location: reached only through error_page, never by a
        # client request. Proxies the same request to the second group.
        location @WEB_APP_fallback {
            internal;
            include nginx_proto.conf;  # NOTE(review): contents not shown here

            proxy_pass http://WEB_HTML;
            proxy_redirect off;
            proxy_intercept_errors on;

            # Same forwarded headers as the primary location.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }