一、动态缓存
# Cache upstream responses for any URI of the form /<dir>/file/<name>.
# NOTE(review): the upstream's X-Accel-Expires, Expires, Cache-Control and
# Set-Cookie headers are ignored for caching, so every 200/206/304 response is
# stored for 3h and replayed to all clients. Keep per-user or
# access-controlled files out of this location.
location ~/.*/file/.* {
    # --- cache behaviour ---
    # xd_cache must be declared with proxy_cache_path in the http block
    # (not shown in this snippet).
    proxy_cache xd_cache;
    # The key has no scheme or host component, so entries are shared across
    # every Host value that reaches this location - confirm the upstream
    # response does not depend on the Host header.
    proxy_cache_key $uri$is_args$args$slice_range;
    proxy_cache_valid 200 206 304 3h;
    proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;

    # --- headers returned to the client ---
    # Reports the cache result (HIT, MISS, ...) to every client; useful for
    # debugging, consider dropping it on public-facing sites.
    add_header X-Cache-Status $upstream_cache_status;
    proxy_hide_header Cache-Control;
    proxy_hide_header Set-Cookie;

    # --- request sent to the upstream ---
    proxy_pass http://192.168.1.11:80;
    proxy_redirect off;
    # $slice_range is provided by the slice module and is only populated when
    # a "slice <size>;" directive is in effect; none is visible here -
    # TODO confirm it is set in an enclosing block.
    proxy_set_header Range $slice_range;
    # $http_host is the client-supplied Host header, passed through as-is.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Hard-coded to http; presumably this listener is plain HTTP - confirm.
    proxy_set_header X-Forwarded-Proto http;
}
二、nginx代理静态页面
# Static site on port 82, served from /etc/nginx/htmls/ via "alias".
server {
    server_name _;
    listen 82;

    # The "main" log format must be defined in the http block (not shown).
    error_log /data/logs/test_error.log warn;
    access_log /data/logs/test.log main;

    # All requests are mapped onto the alias directory; the location prefix
    # "/" ends with a slash just like the alias path, so the two line up.
    location / {
        index index.html;
        alias /etc/nginx/htmls/;
    }

    # Exact-match location for the stock error page. No error_page directive
    # is visible in this snippet, so it is only reached by a direct request.
    location = /50x.html {
        root html;
    }
}
或
# Same static site as the previous example, on port 83 and using "root"
# instead of "alias": the request URI is appended to the root path.
server {
    server_name _;
    listen 83;

    # The "main" log format must be defined in the http block (not shown).
    error_log /data/logs/test_error.log warn;
    access_log /data/logs/test.log main;

    location / {
        index index.html;
        root /etc/nginx/htmls/zjmhweb;
    }

    # Exact-match location for the stock error page. No error_page directive
    # is visible in this snippet, so it is only reached by a direct request.
    location = /50x.html {
        root html;
    }
}
三、跨域问题:
# Proxy API calls to the backend and add CORS response headers.
# The regex is unanchored, so it matches any URI that contains "/api/".
location ~/api/ {
    # --- CORS ---
    # Access-Control-Allow-Credentials has no effect on its own: browsers also
    # require Access-Control-Allow-Origin, which is commented out below.
    # When enabling it, name one specific trusted origin. Browsers reject "*"
    # together with credentials, and echoing the request's Origin back would
    # allow any site to make authenticated requests.
    # Without the "always" parameter add_header is applied to successful and
    # redirect responses only, not to error responses.
    add_header Access-Control-Allow-Credentials true;
    # add_header Access-Control-Allow-Origin https://smtpqd.dysmt.cn;

    # --- upstream ---
    proxy_pass http://192.168.1.11:80;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Hard-coded to http; presumably this listener is plain HTTP - confirm.
    proxy_set_header X-Forwarded-Proto http;
}
四、http转https
# Rewrite the Location/Refresh header of this one upstream redirect so that
# the client is sent to the https URL instead of the http one.
proxy_redirect http://test.com/loginSuccessAjax.html https://test.com/loginSuccessAjax.html;
或:
proxy_redirect http:// $scheme://;
使用以上任一写法时,需要把原配置中的 proxy_redirect off; 注释掉(即改为 #proxy_redirect off;)。
五、防止爬虫:
# Answer 403 to any request whose User-Agent contains one of the listed
# crawler names (case-insensitive match).
# The User-Agent header is chosen by the client, so this only stops crawlers
# that identify themselves honestly; it is not an access control. The list
# also covers the major search engines, which removes the site from their
# indexes.
if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") {
    return 403;
}
六、ws协议配置
location根下添加:
# Talk HTTP/1.1 to the upstream; the Upgrade mechanism does not exist in 1.0.
proxy_http_version 1.1;
# Forward the client's Upgrade header unchanged.
proxy_set_header Upgrade $http_upgrade;
# NOTE(review): this sends the literal value "keep-alive". A WebSocket
# handshake needs "Connection: upgrade", as set in the signalr-hubs location
# below - confirm the root location is not expected to carry WebSocket traffic.
proxy_set_header Connection keep-alive;
# URI of the WebSocket endpoint. The regex is unanchored, so any URI that
# contains "/signalr-hubs" is handled here.
location ~/signalr-hubs {
    # HTTP/1.1 is required for the Upgrade handshake.
    proxy_http_version 1.1;
    proxy_pass http://192.168.1.11:80;

    proxy_set_header Host $http_host;
    # Pass the client's Upgrade header on and always ask the upstream to
    # switch protocols.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection upgrade;

    # Never answer an upgrade request from the proxy cache.
    proxy_cache_bypass $http_upgrade;
}
七、80强转443(http强转https)
# Plain-HTTP listener whose only job is to redirect to HTTPS.
server {
    server_name test.com;
    listen 80;

    # The target is built from $server_name (the configured name), not from
    # the client's Host header, so the redirect destination cannot be
    # influenced by the request.
    return 301 https://$server_name$request_uri;
}
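# HTTPS virtual host for test.com with a coarse request filter:
# requests are answered with 403 when the client is not located in CN
# (unless the site's own override variable says otherwise) or when the
# method is anything other than GET or POST.
# GeoIP filtering reduces noise; it is not an authentication control.
server {
    listen 443 ssl;
    server_name test.com;

    # $flag = 1 means "reject". The rewrite-module directives below run in
    # the order written, so a later "set" overrides an earlier one.
    set $flag 0;

    # $geoip_country_code is provided by the geoip module once a country
    # database is configured (not shown). An empty value, i.e. an address the
    # database does not know, also counts as "not CN" and is flagged.
    if ($geoip_country_code !~ "CN") {
        set $flag 1;
    }

    # NOTE(review): $geoip_country_code_self is not a built-in variable; it
    # is presumably defined elsewhere in the configuration - confirm.
    # When it reports CN the flag is cleared again.
    if ($geoip_country_code_self ~ "CN") {
        set $flag 0;
    }

    # Allow only GET and POST. The pattern is anchored: the previous
    # unanchored form accepted any method name that merely contained
    # "GET" or "POST".
    if ($request_method !~* "^(GET|POST)$") {
        set $flag 1;
    }

    if ($flag = "1") {
        return 403;
    }

    ssl_certificate /usr/local/nginx/ssl/test.com.pem;
    # Keep the private key readable by the nginx master process only.
    ssl_certificate_key /usr/local/nginx/ssl/test.com.key;

    # The "main_json" log format must be defined in the http block (not shown).
    access_log /auditlog/test/test.log main_json;
    error_log /var/log/nginx/test.com_error.log warn;

    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # The original snippet ended here without closing the server block;
    # add the site's own location blocks above this line.
}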
八、nginx四层转发
1、在主配置文件中、http 块的上方添加:
# Layer-4 (TCP) proxying. This block sits at the top level of nginx.conf,
# next to the http block, not inside it.
stream {
    # Connection-level log format named "proxy". It has to be declared before
    # the include so that included files can refer to it.
    # No access_log directive is visible in this snippet or in the example
    # test.stream file, so nothing is logged with this format until one is added.
    log_format proxy '$remote_addr $remote_port [$time_local] '
    '$protocol $status $bytes_sent $bytes_received '
    '$session_time "$upstream_addr" '
    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    # One file per forwarded service.
    include /usr/local/nginx/conf/conf.d/*.stream;
}
2、在conf.d目录下编写配置文件test.stream
# TCP forwarder: connections to port 80 are relayed to 192.168.1.11:80.
# This is a stream-context server, so no HTTP headers are added; the backend
# sees the proxy's address as the client unless PROXY protocol or a similar
# mechanism is configured on both sides.
# Port 80 here cannot be shared with an http-context "listen 80" on the
# same address.
server {
    listen 80;
    proxy_pass 192.168.1.11:80;

    # Give up on an unreachable backend after 1s.
    proxy_connect_timeout 1s;
    # Close the session after 10s without traffic in either direction.
    proxy_timeout 10s;
}
九、禁止Scrapy|curl等工具的抓取
# Answer 403 when the User-Agent contains Scrapy, Curl or HttpClient
# (case-insensitive).
# The header is set by the client and can be changed freely, so treat this
# as noise reduction, not as protection; pair it with rate limiting or
# authentication where the content needs real protection.
if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) {
    return 403;
}
十、http证书验证
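# Serve the file a certificate authority fetches over HTTP to validate
# control of the domain.
location /.well-known/pki-validation/ {
    # Fixed: the path used to contain a space ("/.well-known/ pki-validation/"),
    # which nginx reads as two arguments and rejects at configuration load.
    # NOTE(review): this is a filesystem path starting at "/"; point it at the
    # directory that actually holds the validation file, and keep nothing else
    # in that directory.
    alias /.well-known/pki-validation/;
    #index fileauth.txt;
}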
十一、禁止访问某uri
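# Block one specific URI for everyone except an allowlist of client
# addresses, then proxy everything else to the backend.
location / {
    # $allow = 1 means "reject".
    set $allow 0;

    # URI to restrict.
    # NOTE(review): this is an exact string comparison against the raw request
    # line; a request that differs in any way (extra parameter, different
    # letter case or encoding) is not matched. Enforce the restriction in the
    # application as well if the backend treats such variants as the same page.
    if ($request_uri = "/Login/Expertindex?type=118") {
        set $allow 1;
    }

    # Allowlisted client addresses.
    # Fixed: the pattern is now anchored and the dots are escaped. The previous
    # unanchored form also matched neighbouring addresses such as
    # 192.168.1.110 or 192.168.1.125.
    # $remote_addr is the address of the TCP peer; behind another proxy or
    # load balancer it is that device's address unless the realip module is
    # configured - confirm for your deployment.
    if ($remote_addr ~ "^(192\.168\.1\.11|192\.168\.1\.12)$") {
        set $allow 0;
    }

    if ($allow = 1) {
        return 403;
    }

    proxy_pass http://192.168.1.11:82;
    #proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Hard-coded to http; presumably this listener is plain HTTP - confirm.
    proxy_set_header X-Forwarded-Proto http;
    proxy_redirect off;
}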
十二、限制使用公网IP访问
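# Catch-all virtual host: handles every request whose Host header matches no
# other server block (typically access by bare IP address) and refuses it.
server {
    # "default_server" is the current spelling of the legacy "default" flag.
    listen 80 default_server;
    # Fixed: "ssl" is stated explicitly. Without it this listener only spoke
    # TLS when another server block on port 443 happened to enable it.
    listen 443 ssl default_server;
    server_name _;

    # Server-level return: every request is answered here, before any
    # location is selected. 666 is a non-standard status code; nginx's special
    # code 444 closes the connection without sending a response at all.
    return 666;

    # NOTE(review): clients connecting by IP are shown this certificate, which
    # reveals the test.com hostname. On nginx 1.19.4 and later,
    # "ssl_reject_handshake on;" refuses the handshake instead and needs no
    # certificate in this block.
    ssl_certificate /usr/local/nginx/ssl/test.com.pem;
    ssl_certificate_key /usr/local/nginx/ssl/test.com.key;

    # The "main_json" log format must be defined in the http block (not shown).
    access_log /data/logs/test.log main_json;
    error_log /var/log/nginx/test.log warn;

    # The locations below are never reached because of the server-level
    # return above; they are kept as in the original snippet.
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # No proxy_pass is configured here, so these headers are not sent anywhere.
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_redirect off;
    }

    location ~ /\.ht {
        deny all;
    }
}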