tengine php 安装配置,Nginx/Tengine通用配置教程

Nginx/Tengine通用配置教程,包含多域名共用一个端口指向不同程序、Nginx负载均衡配置、Https配置、禁止通过IP访问、设置访问流量并发速率、Nginx反代PHP、Nginx反代Tomcat。

3a8d2a7877a00c309c2c572024e13e5a.png

Nginx通用配置:

user www www;

# Process model: "auto" sizes the worker pool and the CPU pinning from the
# cores nginx detects.
worker_processes auto;
worker_cpu_affinity auto;

# Tengine DSO block: loads dynamic modules at start-up.
dso {
    load ngx_http_concat_module.so;
    load ngx_http_sysguard_module.so;
}

# Only "crit" and above are written. NOTE(review): at this level the
# error/warn entries that limit_req emits for rejected or delayed requests
# never reach the log; confirm that matches your monitoring needs.
error_log /data/wwwlogs/error_nginx.log crit;
pid /var/run/nginx.pid;

# Per-worker open-file ceiling, set to the same figure as worker_connections.
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # --- request size and header limits -------------------------------
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # NOTE(review): 1 GiB request bodies are accepted on every vhost and up
    # to 10 MB of each body is buffered in memory; tighten per server or
    # location wherever large uploads are not needed.
    client_max_body_size 1024m;
    client_body_buffer_size 10m;

    # --- connection handling ------------------------------------------
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 120;
    # Keep the nginx version out of the Server header and error pages.
    server_tokens off;

    # --- FastCGI defaults ---------------------------------------------
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    fastcgi_intercept_errors on;

    # --- gzip compression ---------------------------------------------
    # NOTE(review): responses served over TLS that echo request data next
    # to secrets are exposed to compression side channels (BREACH class);
    # consider "gzip off" on such endpoints.
    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 6;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
        text/javascript application/javascript application/x-javascript
        text/x-json application/json application/x-web-app-manifest+json
        text/css text/plain text/x-component
        font/opentype application/x-font-ttf application/vnd.ms-fontobject
        image/x-icon;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # --- file metadata cache ------------------------------------------
    # Caches metadata of frequently served static files (not their
    # contents) to save some latency.
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # Catch-all for port 80: a request whose Host matches no configured
    # server_name (for example access by bare IP) lands here, and 444 makes
    # nginx close the connection without sending a response.
    # This block listens on port 80 only; a 443 listener needs its own
    # default server to get the same behaviour.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    # Reverse proxy for v.4xx.me in front of a local backend on port 8080.
    server {
        listen 80;
        server_name v.4xx.me;
        access_log /data/wwwlogs/v.4xx.me_nginx.log combined;
        index index.html index.htm index.jsp;
        root /data/wwwroot/v.4xx.me;   # optional

        #error_page 404 /404.html;
        #error_page 502 /502.html;

        # NOTE(review): a bare "~" is a regex location with an empty
        # pattern, so it should match every URI; "location /" is the
        # conventional spelling. Confirm before changing.
        location ~ {
            proxy_pass http://127.0.0.1:8080;

            proxy_connect_timeout 300s;
            proxy_send_timeout 900;
            proxy_read_timeout 900;

            proxy_buffer_size 32k;
            proxy_buffers 4 64k;
            proxy_busy_buffers_size 128k;

            proxy_redirect off;
            proxy_hide_header Vary;

            # An empty Accept-Encoding asks the backend for an uncompressed
            # response; compression is left to the gzip settings above.
            proxy_set_header Accept-Encoding '';
            proxy_set_header Referer $http_referer;
            proxy_set_header Cookie $http_cookie;
            proxy_set_header Host $host;

            # X-Real-IP is the address nginx itself saw. X-Forwarded-For has
            # that address appended to whatever the client sent, so the
            # backend should trust only the right-most entry.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

Nginx共用一个端口指向不同程序

#主要通过域名判断

# Name-based virtual host #1: nginx selects this block when the request's
# Host header matches server_name.
server {
    server_name 域名1;
    listen 80;

    # NOTE(review): log file, root and backend are copied from the v.4xx.me
    # example; point them at this site's own log and application.
    access_log /data/wwwlogs/v.4xx.me_nginx.log combined;
    root /data/wwwroot/v.4xx.me;   # optional
    index index.html index.htm index.jsp;

    #error_page 404 /404.html;
    #error_page 502 /502.html;

    location ~ {
        proxy_pass http://127.0.0.1:8080;
        # proxy.conf is not shown on this page; presumably it holds the
        # proxy_* settings from the general example. Confirm.
        include proxy.conf;
    }
}

# Name-based virtual host #2: same port as the first host, chosen by the
# Host header matching server_name.
server {
    server_name 域名2;
    listen 80;

    # NOTE(review): log file, root and backend are identical to the first
    # host (same file, same 127.0.0.1:8080). Give this site its own values,
    # otherwise both names reach the same application and share one log.
    access_log /data/wwwlogs/v.4xx.me_nginx.log combined;
    root /data/wwwroot/v.4xx.me;   # optional
    index index.html index.htm index.jsp;

    #error_page 404 /404.html;
    #error_page 502 /502.html;

    location ~ {
        proxy_pass http://127.0.0.1:8080;
        # proxy.conf is not shown on this page; presumably it holds the
        # shared proxy_* settings. Confirm.
        include proxy.conf;
    }
}

Nginx负载均衡配置

#tomcat例子,php同理

upstream tomcats {
    # Tengine session_sticky gives cookie-based session affinity: a client
    # carrying the SESSION.V.4XX.ME cookie keeps being routed to the same
    # backend. It does not copy session data between backends.
    # Per the Tengine module docs: mode=insert has nginx set the cookie
    # itself, fallback=on allows another backend when the pinned one is
    # down, and option=direct forwards the cookie to the backend.
    session_sticky cookie=SESSION.V.4XX.ME fallback=on mode=insert option=direct;

    server 127.0.0.1:9001 weight=1;
    # weight sets the share of traffic; hosts on the internal network can
    # be balanced too. This hop is plain HTTP, so it belongs on a trusted
    # network segment only.
    server 192.168.128.1:80 weight=1;
}

# Front-end vhost that spreads requests over the "tomcats" upstream group.
server {
    server_name 域名;
    listen 80;

    location / {
        # Session affinity helper for the "tomcats" upstream.
        # NOTE(review): as documented by Tengine this strips the sticky
        # cookie from the request before proxying (indirect/prefix modes);
        # with option=direct in the upstream, confirm it has the intended
        # effect.
        session_sticky_hide_cookie upstream=tomcats;
        proxy_pass http://tomcats;
        # proxy.conf is not shown on this page; presumably the shared
        # proxy_* settings. Confirm.
        include proxy.conf;
    }
}

Nginx开启HTTPS

#需要先为nginx安装ssl相关模块

#PHP Typecho博客的配置,用的fastcgi_pass unix:/dev/shm/php-cgi.sock;

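# HTTPS vhost for a PHP blog served through PHP-FPM on a unix socket.
# Changes from the original listing: TLS 1.0/1.1, 3DES and static-RSA key
# exchange are no longer offered; HSTS is sent on every response; the
# duplicated SCRIPT_FILENAME/SCRIPT_NAME params are gone; the PHP location
# refuses paths whose script file does not exist; the js/css regex no longer
# has an optional extension group.
server {
    listen 80;
    listen 443 ssl http2;
    server_name 4xx.me;

    ssl_certificate     /usr/local/tengine/conf/ssl/4xx.me_ssl.crt;   # certificate path
    ssl_certificate_key /usr/local/tengine/conf/ssl/4xx.me_ssl.key;   # private key: restrict file permissions

    # TLS 1.0 and 1.1 are deprecated (RFC 8996). Add TLSv1.3 here if the
    # Tengine/OpenSSL build in use supports it.
    ssl_protocols TLSv1.2;
    # ECDHE key exchange only (forward secrecy). The 3DES suites (64-bit
    # block cipher) and the RSA key-exchange suites were removed.
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_buffer_size 1400;

    # "always" attaches the header to error responses as well. Browsers only
    # honour HSTS when it arrives over HTTPS.
    add_header Strict-Transport-Security "max-age=15768000" always;

    # NOTE(review): stapling verification needs the issuer chain
    # (ssl_trusted_certificate) and a resolver; neither is set in this
    # block, so confirm they are defined elsewhere.
    ssl_stapling on;
    ssl_stapling_verify on;

    access_log /data/wwwlogs/4xx.me_nginx.log combined;
    index index.html index.htm index.php;
    root /data/wwwroot/4xx.me;

    # Plain-HTTP requests have an empty $ssl_protocol: send them to HTTPS.
    # $host comes from the request, so keep a default_server catch-all in
    # place so that only known names reach this block.
    if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

    # Front-controller rewrite: anything that is not an existing file or
    # directory is handed to index.php with the original path appended.
    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php$1 last;
    }

    location ~ [^/]\.php(/|$) {
        # Split "/script.php/extra/path" into the script and its PATH_INFO.
        set $path_info "";
        set $real_script_name $fastcgi_script_name;
        if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
            set $real_script_name $1;
            set $path_info $2;
        }

        # Defence in depth: never hand a path to PHP unless the resolved
        # script exists as a regular file. Pair this with
        # cgi.fix_pathinfo=0 and security.limit_extensions on the PHP side.
        if (!-f $document_root$real_script_name) {
            return 404;
        }

        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;

        # Script identity: set once, from the split result. The original
        # also sent SCRIPT_FILENAME and SCRIPT_NAME built from the unsplit
        # name, leaving it to the backend to decide which copy wins.
        fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
        fastcgi_param SCRIPT_NAME $real_script_name;
        fastcgi_param PATH_INFO $path_info;

        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;

        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param DOCUMENT_URI $document_uri;
        fastcgi_param DOCUMENT_ROOT $document_root;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param HTTPS $https if_not_empty;

        fastcgi_param GATEWAY_INTERFACE CGI/1.1;
        fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;

        # PHP only, required if PHP was built with --enable-force-cgi-redirect
        fastcgi_param REDIRECT_STATUS 200;

        # Blank the client-supplied "Proxy" request header so it cannot
        # become HTTP_PROXY in the PHP environment (httpoxy mitigation).
        fastcgi_param HTTP_PROXY "";
    }

    # Long-lived caching for media. access_log off means these requests
    # leave no access-log trail.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }

    # The original pattern made the extension group optional ("(js|css)?"),
    # which also matched any URI ending in a dot and silenced logging for it.
    location ~ .*\.(js|css)$ {
        expires 7d;
        access_log off;
    }

    # Block .htaccess/.htpasswd style files. NOTE(review): other dotfiles
    # (for example .git or .env) are not covered by this pattern.
    location ~ /\.ht {
        deny all;
    }
}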

#java tomcat配置

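# HTTPS vhost in front of a Tomcat backend on 127.0.0.1:8080.
# Changes from the original listing: TLS 1.0/1.1, 3DES and static-RSA key
# exchange are no longer offered, and HSTS is sent on every response.
server {
    listen 80;
    listen 443 ssl http2;
    server_name 域名;

    ssl_certificate     /usr/local/tengine/conf/ssl/4xx.me_ssl.crt;   # certificate path
    ssl_certificate_key /usr/local/tengine/conf/ssl/4xx.me_ssl.key;   # private key: restrict file permissions

    # TLS 1.0 and 1.1 are deprecated (RFC 8996). Add TLSv1.3 here if the
    # Tengine/OpenSSL build in use supports it.
    ssl_protocols TLSv1.2;
    # ECDHE key exchange only (forward secrecy). The 3DES suites (64-bit
    # block cipher) and the RSA key-exchange suites were removed.
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_buffer_size 1400;

    # "always" attaches the header to error responses as well. Browsers only
    # honour HSTS when it arrives over HTTPS.
    add_header Strict-Transport-Security "max-age=15768000" always;

    # NOTE(review): stapling verification needs the issuer chain
    # (ssl_trusted_certificate) and a resolver; neither is set in this
    # block, so confirm they are defined elsewhere.
    ssl_stapling on;
    ssl_stapling_verify on;

    access_log /data/wwwlogs/4xx.me_nginx.log combined;
    index index.html index.htm index.jsp;
    root /data/wwwroot/4xx.me;

    # Plain-HTTP requests have an empty $ssl_protocol: send them to HTTPS.
    # $host comes from the request, so keep a default_server catch-all in
    # place so that only known names reach this block.
    if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

    #error_page 404 /404.html;
    #error_page 502 /502.html;

    # NOTE(review): a bare "~" is a regex location with an empty pattern, so
    # it should match every URI; "location /" is the conventional spelling.
    location ~ {
        proxy_pass http://127.0.0.1:8080;
        # proxy.conf is not shown on this page. The backend only learns that
        # the client used HTTPS if that file forwards X-Forwarded-Proto, so
        # confirm it does.
        include proxy.conf;
    }
}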

禁止通过IP访问

#如果不是域名访问,就直接返回444错误

# Catch-all for port 80: a request whose Host matches none of the configured
# server_name values (such as access by bare IP address) is answered with
# 444, i.e. nginx closes the connection without sending a response.
# This block is the same as the catch-all in the general config on this
# page; define it once, since nginx rejects a second default_server on the
# same listen address.
# It covers port 80 only. A 443 listener needs its own default server, or
# by-IP HTTPS requests fall through to the first ssl server block.
server {
    server_name _;
    listen 80 default_server;
    return 444;
}

设置访问流量并发速率,可防御少量ddos、cc流量攻击

limit_req_zone $binary_remote_addr zone=qpscon:10m rate=10r/s; #每个客户端IP每秒最多10个请求(需写在http块内)

# Vhost that applies the "qpscon" request-rate zone to everything it proxies.
server {
    server_name 域名;
    listen 80;

    location / {
        # "qpscon" is the zone declared by limit_req_zone (keyed on the
        # client address, 10 r/s). burst=10 lets up to 10 requests exceed
        # the rate and nodelay serves them at once; anything beyond that is
        # rejected (503 unless limit_req_status sets another code).
        # NOTE(review): the key is the connecting address, so behind a CDN
        # or load balancer every visitor shares one bucket unless the real
        # client address is restored first.
        limit_req zone=qpscon burst=10 nodelay;
        proxy_pass http://tomcats;
        # proxy.conf is not shown on this page; presumably the shared
        # proxy_* settings. Confirm.
        include proxy.conf;
    }
}

PHP、Tomcat的配置在上边的例子中已有,就不再赘述了。
