隐藏 Nginx 版本信息
# Hide the nginx version from the "Server" response header and from the
# built-in error pages (the header is still sent, just without the version).
http {
    server_tokens off;
}
禁止使用ip直接访问某个端口
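# Catch-all for port 80: requests that arrive by bare IP or with a Host header
# that matches no other server_name land here, because "_" never matches and
# this block is only selected through default_server routing.
server {
    # "default" is the deprecated spelling of default_server; same effect.
    listen 80 default_server;
    server_name _;
    # 444 is nginx-specific: close the connection without sending any response,
    # so scanners get no status line, headers or body. This matches the
    # default-server blocks further down in this file, which already use 444;
    # the original 500 still handed back a full error page.
    return 444;
}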
HTTPS配置
pem和key可以去自行购买
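server {
    listen 443 ssl;
    server_name www.xxx.com;
    # Certificate chain (PEM) and private key obtained from your CA.
    ssl_certificate /etc/nginx/ssl/www.xxx.com.pem;
    ssl_certificate_key /etc/nginx/ssl/www.xxx.com.key;
    # Shared session cache so resumed connections skip the full handshake
    # (roughly 4000 sessions per MB); sessions stay valid for 10 minutes.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # TLS 1.2 and 1.3 only. TLS 1.0/1.1 (enabled in the original) are deprecated
    # by RFC 8996 and fail most compliance scans.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original "ECDHE:ECDH:AES:HIGH" list
    # also admitted CBC-mode and static-RSA key exchange suites. TLS 1.3 suites
    # are not governed by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # Use the server's preference order above rather than the client's.
    ssl_prefer_server_ciphers on;
    # HSTS: browsers use HTTPS for this host for one year; "always" also adds the
    # header to error responses. Only enable once every resource on this host is
    # served over HTTPS, since browsers cache the policy.
    add_header Strict-Transport-Security "max-age=31536000" always;
}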
websocket配置
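server {
    listen 80;
    # Placeholder: replace with the real host name this block serves.
    server_name your.domain.example;
    location / {
        # Upstream that terminates the WebSocket. nginx comments use "#";
        # the "//" comments in the original are not comment syntax and make
        # "nginx -t" fail with an unknown directive.
        proxy_pass http://127.0.0.1:8080/;
        # The Upgrade mechanism requires HTTP/1.1 towards the upstream.
        proxy_http_version 1.1;
        # Time allowed between two successive reads from the upstream; a
        # long-lived socket that stays silent longer than this is closed.
        proxy_read_timeout 3600s;
        # Pass the client's hop-by-hop Upgrade/Connection headers through;
        # these two lines are what make the WebSocket upgrade work.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Preserve the original Host and client address for the upstream
        # (same headers as the real-client-IP section of this file).
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}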
vue项目配置
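server {
    # Port the site is served on
    listen 80;
    # Catch-all name; replace with the real host name in production
    server_name _;
    # Refuse to be framed by other origins (clickjacking)
    add_header X-Frame-Options SAMEORIGIN;
    # Site root and default document, inherited by every location below
    root html;
    index index.html;
    # SPA (history mode): paths that are not files fall back to index.html
    location / {
        try_files $uri $uri/ /index.html;
    }
    # Static assets matched by extension. A regex location like this one is
    # tested before any prefix location that is not marked ^~, and regex
    # locations are tried in file order, first match wins.
    location ~* \.(gif|jpg|jpeg|png|css|js|ico)$ {
        root html/static/;
    }
    # /static/: IP allow-list plus image hotlink protection.
    # ^~ is required: without it the regex location above captures
    # /static/*.jpg first, so in the original layout the allow/deny rules and
    # the referer check were never reached for png/jpg/gif/css/js. Files here
    # resolve under the inherited "root html", i.e. html/static/...
    location ^~ /static/ {
        # Only the listed address may fetch anything under /static/
        # (example value; replace with the real allowed address or range)
        allow 39.xxx.xxx.xxx;
        deny all;
        # Hotlink protection for images; allow/deny above are inherited here.
        # "none" and "blocked" also accept requests whose Referer is missing
        # or stripped (direct visits, privacy proxies); server_names covers
        # this server's own names.
        location ~* \.(jpg|jpeg|png|gif|webp)$ {
            valid_referers none blocked server_names *.deeruby.com;
            if ($invalid_referer) {
                return 403;
            }
        }
    }
}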
tengine主动健康检查+负载均衡
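http {
    upstream mycluster {
        # Tengine load-balancing method (virtual-node smooth weighted round-robin)
        vnswrr;
        # Backend servers as host:port
        server localhost:80;
        server backend2.example.com:80;
        # Backup: only receives traffic when every other server is unavailable
        server backend3.example.com:80 backup;
        # Tengine active health check: probe every 3 s; 2 consecutive passes
        # mark a node up, 3 failures (a 1 s timeout counts as a failure) take
        # it out of rotation until it passes again
        check interval=3000 rise=2 fall=3 timeout=1000 type=http;
        # Probe request; /jeecg-boot/heart is the backend's health endpoint.
        # NOTE(review): sent as HTTP/1.0 with no Host header, so a backend that
        # routes by virtual host may answer 404 — confirm against the backend.
        check_http_send "HEAD /jeecg-boot/heart HTTP/1.0\r\n\r\n";
        # A 2xx or 3xx status counts as healthy, anything else as a failed probe
        check_http_expect_alive http_2xx http_3xx;
    }
    server {
        listen 8080;
        location /api/ {
            proxy_pass http://mycluster/;
            # Forward the original Host and client address; otherwise the backend
            # sees Host "mycluster" and the proxy's address as the client (same
            # headers as the real-client-IP section of this file)
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 300s;
            proxy_send_timeout 300s;
            proxy_read_timeout 300s;
        }
    }
}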
解决上传文件大小限制(http 413错误)
可应用于`location`、`server`、`http`块
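# Raise the request-body limit that produces "413 Request Entity Too Large".
client_max_body_size 300M;
# Keep the in-memory body buffer small: bodies larger than this are spooled to
# client_body_temp_path. With the original 300M value every large upload
# allocated a 300M buffer, so a handful of concurrent uploads pins gigabytes.
client_body_buffer_size 1m;
# Request headers are tiny; the original 10-minute header timeout only lets
# idle or deliberately slow connections hold a worker open. Upload time is
# governed by client_body_timeout below, not by this value.
client_header_timeout 60s;
# Time allowed between two successive reads of the request body.
client_body_timeout 10m;
# nginx caps proxy_connect_timeout at 75 s, so the original 10m behaved as 75s.
proxy_connect_timeout 75s;
# Time allowed between two successive reads from / writes to the upstream.
proxy_read_timeout 10m;
proxy_send_timeout 10m;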
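# Spring Boot side of the same limit: the keys must be nested (the original
# listed them all at column 0, which is not valid for these properties).
# Without this Spring's much smaller default multipart limit still rejects
# the upload after nginx has accepted it.
spring:
  servlet:
    multipart:
      max-request-size: 300MB
      max-file-size: 300MB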
文件压缩
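# gzip config
gzip on;
# Skip tiny responses: the gzip container overhead outweighs the saving
gzip_min_length 1k;
# Levels above ~6 cost noticeably more CPU for little extra reduction
gzip_comp_level 6;
# Text-like types only. image/jpeg, image/gif and image/png were removed:
# they are already compressed, so gzip spent CPU on them for no gain.
# text/html is always compressed and does not need listing.
# Responses that reflect request data next to secrets over TLS should not be
# compressed (BREACH-style length leakage); keep gzip to static content there.
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php;
# Emit "Vary: Accept-Encoding" so caches keep gzip and plain copies apart
gzip_vary on;
# Regex against User-Agent; old IE mishandles gzip
gzip_disable "MSIE [1-6]\.";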
获取真实客户端IP
`location`块增加下面内容
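# Forward the request's own Host header instead of a fixed 127.0.0.1, so the
# upstream sees the real virtual host and builds correct absolute URLs.
proxy_set_header Host $host;
# Address of the TCP peer nginx accepted the connection from.
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any X-Forwarded-For the client already sent. The
# client-supplied part is untrusted; the backend should only rely on the
# right-most entry, which is the one nginx added.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;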
http请求重定向到https
当访问http://a.com 会自动重定向到https://a.com
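server {
    listen 80;
    server_name a.com;
    # "return 301" is the idiomatic form of "rewrite ... permanent": no regex
    # evaluation, and $request_uri carries the original path and query string
    # unchanged (a rewrite capture works on the normalised URI and drops the
    # query string unless re-added). $host is taken from the client's Host
    # header; it is safe here because this block only matches Host a.com.
    # Do not copy this line into a default_server block, where $host is
    # attacker-chosen and would become an open redirect.
    return 301 https://$host$request_uri;
}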
缓存js和css 实现浏览器秒开网页
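location / {
    root /home/cs;
    index index.html index.htm;
    # SPA fallback: paths that are not files serve index.html
    try_files $uri $uri/ /index.html;
    # Cache js and css for one hour
    location ~* \.(js|css)$ {
        # "expires 1h" emits both "Expires" and "Cache-Control: max-age=3600".
        # The original additionally add_header'd a Cache-Control of its own,
        # which produced two Cache-Control headers in one response.
        expires 1h;
    }
}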
禁止缓存
# Disable caching for this path, for HTTP/1.1 and legacy HTTP/1.0 caches alike.
location / {
    # HTTP/1.1 caches: never store, always revalidate
    add_header Cache-Control "no-cache, no-store, must-revalidate";
    # HTTP/1.0 caches honour Pragma rather than Cache-Control
    add_header Pragma "no-cache";
    # An invalid Expires value (0) is treated as "already expired"
    add_header Expires 0;
}
默认服务器
当server_name匹配不到的时候匹配这里
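# Catch-all for HTTPS requests whose SNI/Host matches no server_name.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # Abort the TLS handshake instead of presenting a certificate. No cert or
    # key is needed, and the production certificate (the original pointed
    # this block at /home/www.aaa.com.pem) is no longer handed to every IP
    # scan that hits the default server. Requires nginx >= 1.19.4; on older
    # builds keep ssl_certificate/ssl_certificate_key here, pointing at a
    # self-signed placeholder rather than a real site certificate.
    ssl_reject_handshake on;
    # Not reached once the handshake is rejected; kept as the fallback so the
    # block still answers with nothing if the directive above is removed.
    return 444;
}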
# Catch-all for plain HTTP: bare-IP requests and unknown Host headers end here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # Close the connection without a response (nginx-specific code)
    return 444;
}