NGINX常见配置

豆豆的豆芽儿

已于 2023-01-20 09:55:21 修改

阅读量402

点赞数 1

文章标签： nginx 运维服务器

于 2023-01-19 17:32:24 首次发布

本文链接：https://blog.csdn.net/qq_42890862/article/details/128736576

版权

一、动态缓存

location ~/.*/file/.* {
    proxy_cache xd_cache;
    proxy_cache_key $uri$is_args$args$slice_range;
    add_header X-Cache-Status $upstream_cache_status;
    proxy_set_header Range $slice_range;
    proxy_cache_valid 200 206 304 3h;
    proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
    proxy_hide_header Cache-Control;
    proxy_hide_header Set-Cookie;
    
    proxy_pass http://192.168.1.11:80;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto http;
    proxy_redirect     off;
}

二、nginx代理静态页面

server {
    listen       82;
    server_name _;
    access_log  /data/logs/test.log main;
    error_log   /data/logs/test_error.log  warn;
    location = /50x.html {
        root   html; 
	}

location / {
            alias   /etc/nginx/htmls/;
            index  index.html;
        }
}

或

server {
    listen       83;
    server_name _;
    access_log  /data/logs/test.log main;
    error_log   /data/logs/test_error.log  warn;
    location = /50x.html {
        root   html;
    }

location / {
            root   /etc/nginx/htmls/zjmhweb;
            index  index.html;
        }
}

三、跨域问题：

location ~/api/ {
        proxy_pass  http://192.168.1.11:80;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_redirect     off;
        
        add_header Access-Control-Allow-Credentials true;
       # add_header Access-Control-Allow-Origin https://smtpqd.dysmt.cn;
}

四、http转https

proxy_redirect   http://test.com/loginSuccessAjax.html https://test.com/loginSuccessAjax.html;

或proxy_redirect http:// $scheme://;
注释掉配置里面的#proxy_redirect     off;

五、防止爬虫：

if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") 
{ 
return 403; 
}

六、ws协议配置

location根下添加：
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        
    location ~/signalr-hubs {   #websoket的uri
        proxy_pass http://192.168.1.11:80;
        proxy_set_header Host $http_host;
        
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
        proxy_cache_bypass $http_upgrade;

    }

七、80强转443（http强转https）

server  {
    listen   80;
    server_name  test.com;
    return      301 https://$server_name$request_uri;
}
server {
    listen       443  ssl;
    server_name  test.com;    
    
    set $flag 0;
    if ($geoip_country_code !~ "CN") {
        set $flag 1;
    }
    if ($geoip_country_code_self ~ "CN"){
        set $flag 0;
    } 
    if ($request_method !~* GET|POST) {
        set $flag 1;
    }
    if ($flag = "1"){
        return 403;
    }
    
    ssl_certificate /usr/local/nginx/ssl/test.com.pem;
    ssl_certificate_key /usr/local/nginx/ssl/test.com.key;
    
    access_log  /auditlog/test/test.log main_json;
    error_log /var/log/nginx/test.com_error.log warn;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

八、nginx四层转发
1、在主配置文件，在http模块上方添加

stream {
    log_format proxy '$remote_addr $remote_port [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
                 
    include /usr/local/nginx/conf/conf.d/*.stream; 
}

2、在conf.d目录下编写配置文件test.stream

server {
        listen 80;
        proxy_connect_timeout 1s;
        proxy_timeout 10s;
        proxy_pass 192.168.1.11:80;
     }

九、禁止Scrapy|curl等工具的抓取

if ($http_user_agent ~* (Scrapy|Curl|HttpClient))
{
    return 403;
}

十、http证书验证

location /.well-known/pki-validation/ {
    alias /.well-known/ pki-validation/ ;
    #index fileauth.txt;
}

十一、禁止访问某uri

location / {
    set $allow 0;
    if ($request_uri = "/Login/Expertindex?type=118") {  #需做限制的uri
        set $allow 1;
    }
    if ($remote_addr ~ "192.168.1.11|192.168.1.12") { #允许访问的IP白名单
        set $allow 0;
    }
    if ($allow = 1) {
        return 403;
    }
   
    proxy_pass http://192.168.1.11:82;
    #proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto http;
    proxy_redirect off;
}

十二、限制使用公网IP访问

server {
    listen       80 default;
    listen       443 default;
    server_name  _;
    return 666;

    ssl_certificate /usr/local/nginx/ssl/test.com.pem;
    ssl_certificate_key /usr/local/nginx/ssl/test.com.key;

    access_log  /data/logs/test.log main_json;
    error_log  /var/log/nginx/test.log warn;

    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_redirect     off;
    }

    location ~ /\.ht {
        deny  all;
    }
}