文章目录
一般配置
nginx.conf
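# Main (global) context.
# Worker processes are what parse untrusted client traffic, so they must not run
# as root: the master stays root (binds :443, opens logs) and switches every worker
# to the account named here. The page originally had `user root root;`, which
# turns any worker compromise into a root compromise.
# NOTE(review): the account must exist on the host; use whatever your distribution
# provides (nginx, www-data, ...).
user nginx nginx;
worker_processes 24;
# `auto` pins workers round-robin onto the CPUs enabled in the mask. The mask is
# 23 bits wide with a leading 0, so the top CPU of that range is left out of the
# worker set — confirm this matches the host's core count and the intent.
worker_cpu_affinity auto 01111111111111111111111 ;
error_log /apps/logs/nginx/nginx_error.log error;
pid /apps/logs/nginx/nginx.pid;
# Per-worker open-file limit; worker_connections below cannot exceed it, and it
# must not exceed the process hard limit (ulimit -Hn).
worker_rlimit_nofile 65535;
events
{
use epoll;
worker_connections 65535;
# No accept mutex: every worker is woken on a new connection.
accept_mutex off;
}
# Offload TLS asymmetric crypto to Intel QuickAssist; pairs with `ssl_asynch on`
# in ssl.conf and requires an OpenSSL build that can load the qat engine.
ssl_engine qat;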
http
{
# --- MIME types and defaults ---
include mime.types;
default_type application/octet-stream;
#charset gb2312;
#geoip_city /usr/local/nginx/conf/GeoLiteCity.dat;
#include geo.conf;
server_names_hash_bucket_size 128;
# NOTE(review): server_tokens is left at its default here, so the nginx version
# is advertised in the Server header and on error pages; `server_tokens off;`
# is the usual hardening.

# --- Client request limits and timeouts ---
# Short header/body/send timeouts bound slow-client (slowloris-style) connections.
client_header_buffer_size 4k;
large_client_header_buffers 4 32k;
client_body_buffer_size 512k;
client_max_body_size 80m;
client_body_timeout 5;
client_header_timeout 5;
keepalive_timeout 5;
send_timeout 5;

# --- Static file I/O ---
sendfile on;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=65535 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 1;

# --- FastCGI backends ---
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
# Error responses from FastCGI are handled by error_page here, not passed through.
fastcgi_intercept_errors on;

# --- Proxied backends ---
proxy_connect_timeout 5;
proxy_read_timeout 60;
proxy_send_timeout 5;
proxy_buffer_size 128k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
# Temp files and the cache live on tmpfs: fast, but lost on reboot and bounded
# by the size of /dev/shm (max_size=7g must fit there).
proxy_temp_path /dev/shm/temp;
proxy_cache_path /dev/shm/cache levels=2:2:2 keys_zone=cache_go:200m inactive=5d max_size=7g;

# --- Compression ---
# NOTE(review): gzip of application/json over TLS makes responses that mix a
# secret (token, CSRF value) with attacker-influenced input measurable via
# compression side channels (BREACH-style); keep secrets out of compressed
# bodies or exempt those endpoints.
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/json application/javascript;
gzip_vary on;
# limit_zone was replaced by limit_conn_zone / limit_req_zone in later nginx.
#limit_zone crawler $binary_remote_addr 10m;

# --- Access log format (tab separated) ---
# NOTE(review): $cookie_mars_cid writes a raw cookie value into the log; if that
# cookie is an authentication token, anyone who can read the log holds the
# credential — confirm, and hash or drop it if so. The $http_Cdn_* fields are
# plain request headers: they are attacker-controlled unless the CDN strips them
# from traffic that did not pass through it, so never treat them as a trusted
# source address for access decisions.
log_format log_access "$remote_addr" "\t$remote_user" "\t$time_local" "\t$request" "\t$request_time" "\t$upstream_response_time" "\t$status" "\t$body_bytes_sent" "\t$http_referer" "\t$http_user_agent" "\t$http_x_forwarded_for" "\t$host" "\t$hostname" "\tCustomName1" "\t$http_Cdn_Src_Ip" "\t$http_Cdn_Src_Port" "\t$http_Cdn_Node_Ip" "\t$cookie_mars_cid" "\t$ssl_cipher" "\t$ssl_protocol" "\t$ssl_session_id" "\t$ssl_session_reused" "\t$upstream_addr" "\t$upstream_status";

# --- Upstream groups and virtual hosts ---
include /apps/conf/nginx/vhosts/upstream.conf;
include /apps/conf/nginx/vhosts/default.xx.com;
}
server
# HTTPS vhost for abc.com, reverse-proxying everything to the gd9 upstream group.
server
{
listen 443 ssl;
server_name abc.com;
# TLS settings (certificate, protocols, ciphers, stapling) are shared via ssl.conf.
include vhosts/ssl.conf;
# Uses the http-level log_access format.
access_log /apps/logs/nginx/acce.access.log log_access;
location / {
# proxy.conf is not shown on this page; it presumably carries the
# proxy_set_header / proxy_http_version directives — confirm.
include vhosts/proxy.conf;
# TLS terminates here and the backend hop is plain HTTP, so nginx<->gd9
# must be on a trusted network (or switched to https:// with verification).
# gd9 is not in the upstream excerpt shown on this page; it is presumably
# defined in upstream.conf alongside gd6.
proxy_pass http://gd9;
}
}
ssl
ssl.conf
https://blog.helong.info/blog/2015/05/09/https-config-optimize-in-nginx/
https://blog.helong.info/blog/2015/01/23/ssl_tls_ciphersuite_intro/
https://yq.aliyun.com/articles/192837
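# Shared TLS settings, included into every `listen 443 ssl` server block.
ssl_certificate ca/com.crt;
ssl_certificate_key ca/com.key;
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and were still enabled on the
# original page; only TLS 1.2 is offered now. Add TLSv1.3 once nginx is built
# against OpenSSL 1.1.1+ and the qat engine build supports it.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# ECDHE-only suites (forward secrecy), AEAD first. The original list also
# carried 3DES (DES-CBC3-SHA, 64-bit block — SWEET32) and static-RSA key
# exchange (no forward secrecy); every TLS 1.2 client supports ECDHE+AES, so
# both are dropped. Check the expansion with: openssl ciphers -v '<string>'.
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:!DSS";
# Asynchronous handshakes on the QAT engine (see `ssl_engine qat` in nginx.conf).
ssl_asynch on;
# Server-side session cache shared by all workers.
ssl_session_cache shared:SSL:100m;
ssl_session_timeout 10m;
# Stateless resumption with a key file shared across the fleet.
# NOTE(review): a ticket key that is never rotated is one long-lived secret that
# decrypts every resumed session, which undoes forward secrecy for resumed
# connections. Rotate it (the directive can be repeated: the first key encrypts,
# the others only decrypt), keep it mode 0600 and out of backups.
ssl_session_tickets on;
ssl_session_ticket_key ssl/ticket.key;
# DH parameters are only consulted by DHE suites; none remain in the list above,
# so this file is unused. Keep it at >= 2048 bits if DHE is ever re-enabled.
ssl_dhparam ssl/dhparam.pem;
# P-256 only. X25519 would normally be preferred, but confirm the QAT engine
# offloads it before changing the curve.
ssl_ecdh_curve prime256v1;
# OCSP stapling; verification needs the issuer chain below, and the server or
# http context must also define a `resolver` for the OCSP responder lookup.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate ssl/com.chain.pem;
# 16k is the maximum TLS record size; smaller values lower time-to-first-byte.
ssl_buffer_size 16k;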
关闭CBC算法
Nginx 禁用 AES CBC 系列弱密码
在 ssl_ciphers 末尾追加 !SHA1:!SHA256:!SHA384,排除所有以这些哈希作 MAC 的套件(即 CBC + HMAC 套件);AES-GCM、ChaCha20-Poly1305 等 AEAD 套件的 MAC 类型为 AEAD,不受影响,因此最终只保留 AEAD 套件,从而禁用了 CBC 算法。
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:EECDH+AES256:!MD5:!SHA1:!SHA256:!SHA384";
HSTS
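# Example server block: OCSP stapling plus HSTS. Belongs in an https
# (`listen 443 ssl`) server only — HSTS sent over plain http is ignored.
server {
# Optional: OCSP stapling lets browsers learn revocation status from the
# handshake instead of contacting the CA themselves.
ssl_stapling on;
ssl_stapling_verify on;
# NOTE(review): StartSSL/StartCom has been distrusted by all major browsers
# since 2017; this path is era-specific example material — point it at the
# issuer chain of whichever CA actually issued the certificate.
ssl_trusted_certificate /etc/nginx/startssl_trust_chain.crt;
# HSTS: tell browsers to use https only for this host for one year.
# `always` (nginx >= 1.7.5) adds the header on 4xx/5xx responses too — the
# original line lacked it, so an error page left the browser without the policy.
# add_header is not inherited by a location that declares its own add_header;
# repeat it there. Add `includeSubDomains` / `preload` only once every subdomain
# is served over TLS, as both are hard to revert.
add_header Strict-Transport-Security "max-age=31536000" always;
# Resolver for the OCSP responder lookup: plain UDP DNS to public resolvers;
# switch to internal resolvers if outbound DNS is restricted or policy requires.
resolver 8.8.8.8 8.8.4.4;
}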
上游
upstream
# Backend pool used by proxy_pass; the member hosts are placeholders on this page.
# Members are plain :80, so the hop from nginx must stay on a trusted network.
upstream gd6{
# A member is taken out for fail_timeout after max_fails failures in that window;
# equal weights give plain round-robin.
server xxx:80 max_fails=3 fail_timeout=3s weight=100;
server xxxx:80 max_fails=3 fail_timeout=3s weight=100;
# Keep up to 5 idle connections per worker to the pool. Only effective when the
# proxy settings also set `proxy_http_version 1.1;` and
# `proxy_set_header Connection "";` (in proxy.conf, not shown here — confirm).
keepalive 5;
}
监控
原生监控和VTS示例
# nginx-module-vts (vhost traffic status): shared-memory counters for every vhost.
vhost_traffic_status_zone shared:vhost_traffic_status:10m;
# Key the counters by $host, one row per virtual host.
vhost_traffic_status_filter_by_host on;
vhost_traffic_status_filter_check_duplicate on;
# Monitoring vhost (plain http on :80). Each location carries its own allow/deny
# list; allow/deny match the TCP peer address, not X-Forwarded-For, so if a
# load balancer or proxy inside 10/8 ever fronts this vhost every client would
# pass — keep it reachable only directly from the management network.
server {
listen 80;
server_name 127.0.0.1 default.xxxx.com;
access_log /apps/logs/nginx/default.access.log log_access;

# Built-in stub_status counters.
location /nginx-status {
stub_status on;
allow 10.0.0.0/8;
allow 127.0.0.1/32;
deny all;
}

# vts read-only dashboard.
location ^~ /status/vhosts {
vhost_traffic_status_display;
vhost_traffic_status_display_format html;
allow 10.0.0.0/8;
allow 127.0.0.1/32;
deny all;
}

# vts control interface (can reset/delete counters), so it should be reachable
# only from the host that collects the stats. TODO carried over from the
# original page: narrow 10.0.0.0/8 to that collector's address; for now the
# whole intranet is allowed.
location ^~ /status/vhosts/control {
vhost_traffic_status_display;
vhost_traffic_status_display_format html;
allow 10.0.0.0/8;
deny all;
}
# access_log off;
# error_log logs/nginx-status.err;
}
webserver
让 nginx 对静态文件(这里是 *.json)接受 POST 请求:nginx 默认对静态文件的 POST 返回 405,下面把 405 改写为 200 并内部跳转到首页。
# Accept POST for static *.json files. nginx answers 405 for POST on static
# content; the 405 is remapped to 200 and internally redirected to `/`, i.e.
# the homepage is returned, which is what the original page intends (nginx
# switches the method to GET on that internal redirect). To return the
# requested file itself instead, the usual idiom is `error_page 405 =200 $uri;`.
# Note the regex has no `$` anchor: it matches ".json" anywhere in the URI,
# not just as the suffix.
location ~ (.*\.json) {
error_page 405 =200 /; # remap to the homepage
root /data/web/coolnull.com/www;
}