nginx 配置_nginx配置细节记录

1、限流的配置

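# ---- nginx.conf (http context) ----

# Derive the client address: the first X-Forwarded-For entry when the header
# is present, otherwise $remote_addr (connections that did not pass CDN/SLB).
# The named capture <firstAddr> was lost in the published listing; without it
# the map entry does not parse and $firstAddr is undefined.
# NOTE(review): X-Forwarded-For is supplied by the client unless every request
# is forced through a proxy that overwrites it. If this server is reachable
# directly, a client can put any address in the header, including one of the
# whitelisted addresses below, and is then not rate-limited at all.
# Prefer ngx_http_realip_module (set_real_ip_from <TRUSTED_PROXY_CIDR>;
# real_ip_header X-Forwarded-For; real_ip_recursive on;) and key on $remote_addr.
# The pattern only matches dotted IPv4; other values fall back to $remote_addr.
map $http_x_forwarded_for $clientRealIp {
    default $remote_addr;
    ~^(?P<firstAddr>[0-9.]+),?.*$ $firstAddr;
}

# IP whitelist: internal addresses map to an empty key, and requests with an
# empty key are not accounted by limit_req / limit_conn.
map $clientRealIp $limit {
    default $clientRealIp;
    115.233.218.194 "";
    115.198.223.22  "";
    36.24.226.56    "";
    #xx.xx.xx.xx "";
}

# Request-rate limits keyed on the derived client IP; rejections return 429.
# singleConnLimitZone is declared here but not referenced by the location below.
limit_req_status 429;
limit_req_zone $limit zone=ConnLimitZone:20m rate=80r/s;
limit_req_zone $limit zone=singleConnLimitZone:20m rate=5r/m;
limit_req_log_level notice;

# Concurrent-connection limit keyed on the derived client IP; rejections return 429.
limit_conn_status 429;
limit_conn_zone $limit zone=TotalConnLimitZone:20m;
limit_conn TotalConnLimitZone 100;
limit_conn_log_level notice;

# Total concurrent connections per server name.
limit_conn_zone $server_name zone=SumConnLimitZone:20m;

# ---- per-site file under the vhosts directory ----
location / {
    # Cap on total concurrent connections for the site (disabled).
    #limit_conn SumConnLimitZone 10000;

    # ConnLimitZone allows 80 r/s per key. burst=5 with nodelay lets up to
    # 5 requests above that rate through immediately; anything beyond is
    # answered with 429 instead of being queued.
    limit_req zone=ConnLimitZone burst=5 nodelay;

    proxy_pass http://shequ_world_api;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Two add_header lines emit two separate Cache-Control response headers.
    add_header Cache-Control no-cache;
    add_header Cache-Control private;
}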

2、html文件不缓存的配置

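# Do not let browsers or intermediaries cache HTML documents.
# The dot before "html" is escaped so the pattern matches only a real
# ".html" extension; unescaped, "." matches any character.
location ~ \.html$ {
    add_header Cache-Control "no-cache, no-store";
}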

3、反向代理的时候获取客户端真实ip地址

# Pass the connecting client's address and scheme to the proxied backend.
location / {
    # Address of the peer that connected to this nginx instance.
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to whatever X-Forwarded-For the client sent.
    # NOTE(review): the earlier entries are client-supplied; the backend should
    # only trust the last hop (or X-Real-IP) for access decisions and audit logs.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    # NOTE(review): "X-Forward-For" is not the conventional header name and
    # looks like a misspelling of X-Forwarded-For, which is already set above;
    # confirm whether the backend reads it before removing.
    proxy_set_header X-Forward-For $remote_addr;
    proxy_pass http://xxxxx;
}

4、反向代理

# Backend pool for the proxied application.
upstream yearning {
    server 172.19.220.168:8000;
}

server {
    listen 80;
    server_name yearning.ethnicity.com;

    # A server-level "return" runs before location selection, so every request
    # on port 80 is answered with this redirect.
    return 301 https://$server_name$request_uri;

    # NOTE(review): because of the server-level return above, this location is
    # never reached. The proxy rules belong in the HTTPS server block for this
    # name, which is not shown on the page.
    location / {
        proxy_set_header Host $host;
        # NOTE(review): non-standard header name; X-Forwarded-For is the
        # conventional one. Confirm what the backend expects.
        proxy_set_header X-Forward-For $remote_addr;
        proxy_pass http://yearning;
    }
}

5、ssl域名证书配置

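# Shared TLS settings; include this file from each HTTPS server block.

# NOTE(review): "ssl on" is deprecated (since nginx 1.15.0) and rejected by
# nginx 1.25.1 and later. It is kept here because the server blocks that
# include this file use a bare "listen 443;". Once they are changed to
# "listen 443 ssl;", delete this line.
ssl on;

ssl_certificate     /soft/openresty/nginx/ssl/xxxx.pem;
# The private key file should be readable only by the nginx master user.
ssl_certificate_key /soft/openresty/nginx/ssl/xxxx.key;
ssl_session_timeout 5m;

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and have been removed from the list.
# TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it from this
# line if the installed build is older.
ssl_protocols TLSv1.2 TLSv1.3;

# Restrict TLS 1.2 to forward-secret AEAD suites. The previous list
# (ECDHE:ECDH:AES:HIGH) also admitted CBC-mode and non-forward-secret suites.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;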

6、http跳转https(301)

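# HTTPS site. TLS is enabled explicitly on the listen directive rather than
# relying only on the deprecated "ssl on" inside the included file.
server {
    listen 443 ssl;
    server_name pc.ethnicity.cn;
    root /soft/openresty/nginx/html/pc;
    # Certificate, key, protocol and cipher settings.
    include /soft/openresty/nginx/ssl/xxx.conf;
}

# Plain-HTTP listener: permanently redirect everything to HTTPS.
server {
    listen 80;
    server_name pc.ethnicity.cn;
    return 301 https://$server_name$request_uri;
}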

7、移动端跳转

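# Redirect mobile clients that request the activity pages to the mobile site.
# nginx "if" has no AND operator, so the two conditions are combined by
# appending digits to $flag: "0" -> "01" (path matched) -> "012" (mobile UA).
set $flag 0;
if ( $request_uri ~* ^/activity|^/hzactivity ) {
    set $flag "${flag}1";
}
# The User-Agent header is client-supplied; use it for presentation choices
# only, never for access control.
if ( $http_user_agent ~* "(Android|iPhone|Windows Phone|UC|Kindle)" ) {
    set $flag "${flag}2";
}
if ( $flag = 012 ) {
    # 302 (temporary) redirect. "return" is used instead of "rewrite ... redirect"
    # because $request_uri already carries the query string, and rewrite would
    # append the original arguments a second time.
    return 302 https://wanyan.ethnicity.cn$request_uri;
}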

8、反向代理

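# HTTPS reverse proxy for the cost-analysis API.
server {
    listen 443;
    server_name costanalysisapi.ethnicity.cn;
    # TLS settings (certificate, protocols, ciphers) come from this include.
    include /soft/openresty/nginx/ssl/ethnicity.cn.conf;
    error_log /var/log/nginx/costanalysisapi/error.log error;
    access_log /var/log/nginx/costanalysisapi/access.log elk_nobody;

    # Deny dot-files and VCS metadata (.ht*, .svn, .git). The dot is escaped so
    # only a literal "/." matches. This block is listed before the PHP location
    # because regex locations are tried in order of appearance; otherwise a
    # request such as /.git/<name>.php would be picked up by the PHP handler.
    location ~ /\.(ht|svn|git) {
        deny all;
    }

    location / {
        proxy_http_version 1.1;
        proxy_set_header Connection "keep-alive";
        proxy_set_header X-Real-IP $remote_addr;
        # Proxy only when the request does not map to an existing local file.
        if (!-f $request_filename) {
            proxy_pass http://172.19.220.146:18316;
        }
    }

    # The dot is escaped so only a real ".php" suffix reaches FastCGI.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): same address and port as the HTTP proxy_pass above;
        # confirm the backend really speaks FastCGI on this port.
        fastcgi_pass 172.19.220.146:18316;
        # Return 404 for scripts that do not exist instead of handing an
        # arbitrary path to the PHP interpreter.
        try_files $uri =404;
    }
}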

9、tengine反向代理+openldap

插件安装./dso_tool --add-module=/soft/nginx-auth-ldap
# nginx.conf (http context): LDAP directory used by the nginx-auth-ldap module.
ldap_server wanyan-ldap {
    # Search users by cn under DC=ethnicity,DC=cn, subtree scope, inetorgperson only.
    # NOTE(review): ldap:// on port 389 is unencrypted, so the bind password and
    # every user's password cross the network in clear text. Prefer ldaps://
    # (or a network path that is otherwise protected) — confirm with the
    # directory team.
    url ldap://172.19.220.168:389/DC=ethnicity,DC=cn?cn?sub?(objectClass=inetorgperson);
    # NOTE(review): binding as the directory admin gives the web server full
    # directory rights; a dedicated read-only search account is sufficient here.
    binddn "cn=admin,dc=ethnicity,dc=cn";
    # Secret stored in the config file: keep the file readable by the nginx
    # master user only and out of version control and published listings.
    binddn_passwd "xxxxxxoQs";
    group_attribute uniqueMember;
    group_attribute_is_dn on;
    # Any user who authenticates successfully is admitted; no group restriction.
    require valid_user;
}
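# Plain-HTTP listener: redirect to HTTPS instead of serving the LDAP login here.
# The LDAP credentials are sent by the browser as HTTP Basic authentication,
# which is only base64-encoded; prompting for them on port 80 exposes them to
# anyone on the network path.
server {
    listen 80;
    server_name supervisor.ethnicity.com;
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;
    return 301 https://$server_name$request_uri;
}

# HTTPS listener: LDAP-authenticated reverse proxy to the supervisor web UI.
server {
    listen 443;
    # Was "supervisor.ethnicty.com" (missing "i"), which did not match the
    # name served on port 80 or the ethnicity.com certificate include.
    server_name supervisor.ethnicity.com;
    include /soft/tengine/ssl/ethnicity.com.conf;
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    location / {
        # NOTE(review): stub_status and proxy_pass both install a content
        # handler for this location, and only one can take effect. If a status
        # page is wanted, give it its own location with an allow/deny list.
        stub_status on;
        auth_ldap_servers wanyan-ldap;
        # Realm string shown in the browser's login prompt.
        auth_ldap "Forbidden";
        proxy_pass http://172.19.220.167:9001;
    }
}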

10、nginx四层tcp代理

# ---- nginx.conf: layer-4 (TCP) proxying ----
stream {
    # One log line per TCP session: peer, time, protocol, status, byte counts,
    # session duration and upstream details.
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /var/log/nginx/tcp-access.log proxy;
    open_log_file_cache off;
    # Per-service stream definitions live in separate files.
    include vhosts/*.stream;
}

# ---- server definition (one of the included vhosts/*.stream files) ----
upstream scratch-cps-api_rpc {
    server 172.19.220.171:8122;
}

server {
    # NOTE(review): a stream server performs no authentication; anyone who can
    # reach this port reaches the internal RPC service. Restrict it with
    # allow/deny (ngx_stream_access_module) or a firewall rule.
    listen 8122;
    # NOTE(review): proxy_responses applies to UDP datagrams; this listener is
    # TCP (no "udp" parameter), so the directive presumably has no effect here.
    proxy_responses 1;
    proxy_timeout 20s;
    proxy_pass scratch-cps-api_rpc;
}