Nginx配置备忘录

Nginx配置备忘录

契机

⚙ 最近服务器进行了迁移，nginx最为流量入口，配置一定得慎重

基础

#nginx一般安装目录
cd /etc/nginx

#nginx配置文件
cat /etc/nginx/nginx.conf
cat /etc/nginx/conf.d/*.conf

#nginx日志
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log

#验证conf文件
nginx -t

#查看当前生效conf文件+验证
nginx -T

#更改后生效nginx文件
nginx -s reload

#生成basic密码
echo -n 'admin:' >> /etc/nginx/access_pwd
openssl passwd -apr1 >> /etc/nginx/access_pwd
#输入两次密码..

配置文件

不同用途的配置文件分开存放,有利于阅读和管理

主配置

user nginx;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {

		#日志格式
   log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
	  #日志文件
		error_log /var/log/nginx/error.log main;
		access_log  /var/log/nginx/access.log main;
		
    sendfile            on;
    tcp_nopush          on;
    keepalive_timeout   65;
    types_hash_max_size 4096;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    #conf文件分层
    include /etc/nginx/conf.d/*.conf;

    #禁止通过ip直接访问80端口
    server {
        listen 80  default_server;
        server_name _;
        return 444;
    }

}

密码访问配置

server {
        listen       80;
        server_name  password.com;

        location / {
            #basic密码访问
            auth_basic "Restricted Access";
            auth_basic_user_file /etc/nginx/access_pwd;
            proxy_pass http://192.168.12.34:1234/;
            proxy_set_header Host $host:$server_port;
        }

}

限制ip访问配置

server {
        listen       80;
        server_name  ip.com;
        location / {
		        #只允许特定ip段访问
            allow 192.168.12.34/24;
            deny all;
            proxy_pass http://192.168.12.34:9876/;
            proxy_set_header Host $host:$server_port;
        }
}

SSL访问配置

server {
        listen       443;
        server_name  ssl.cn;

        ssl_certificate      /etc/nginx/cert/_.x.pem;
        ssl_certificate_key  /etc/nginx/cert/_.x.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_prefer_server_ciphers  on;

        location / {
            proxy_pass http://192.168.0.1:7654/;
            proxy_set_header Host $host:$server_port;
        }
}

静态资源访问配置

server {
        listen       80;
        server_name  xxx.cn;
        location / {
            root   /home/www/xxx;
        }
}

其他配置

server {
       listen       80;
       server_name  xxx.cn;

        #域名禁止访问(openWrt攻击)
        location /cgi-bin {
            deny all;
        }

        #域名禁止访问(springboot相关)
        location /actuator {
            deny all;
        }

        location / {
			       #真实ip获取
            proxy_set_header    X-Real-IP            $remote_addr;
            proxy_pass http://xxxx;
            proxy_set_header Host $host:$server_port;
        }

}

总结

• nginx配置文件分开存放
• 80和443配置，静态文件配置
• basic密码访问
• 安全隔离，ip防护，禁止访问特定路径
• REALIP获取等

写到最后

欢迎访问：https://bothsavage.github.io