1、限流的配置
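# ---- nginx.conf (http context) ----

# Reverse proxies (CDN / SLB) whose X-Forwarded-For we are willing to believe.
# geo supports CIDR ranges, map does not. Fill in the real CDN/SLB egress
# ranges; with only "default 0" every request is keyed on $remote_addr.
geo $from_trusted_proxy {
    default 0;
    #10.0.0.0/8    1;   # example: SLB / CDN address range
}

# Real client IP. X-Forwarded-For is set by the client, so it is honoured only
# when the TCP peer is a trusted proxy; the original map trusted it from
# anyone, which let a client pick its own rate-limit key or impersonate a
# whitelisted address simply by sending the header.
# NOTE(review): even behind a trusted proxy the first XFF entry may have been
# supplied by the client itself; if the CDN offers a dedicated client-IP
# header, prefer that here.
map "$from_trusted_proxy:$http_x_forwarded_for" $clientRealIp {
    default $remote_addr;
    ~^1:(?<firstAddr>[0-9.]+),?.*$ $firstAddr;
}

# IP whitelist: an empty key is never counted by limit_req / limit_conn, so
# these addresses are exempt from every zone below.
map $clientRealIp $limit {
    default          $clientRealIp;
    115.233.218.194  "";
    115.198.223.22   "";
    36.24.226.56     "";
    #xx.xx.xx.xx     "";
}

# Per-client request rate; excess answered with 429.
limit_req_status     429;
limit_req_zone       $limit zone=ConnLimitZone:20m rate=80r/s;
limit_req_zone       $limit zone=singleConnLimitZone:20m rate=5r/m;
limit_req_log_level  notice;

# Per-client concurrent connections; excess answered with 429.
limit_conn_status    429;
limit_conn_zone      $limit zone=TotalConnLimitZone:20m;
limit_conn           TotalConnLimitZone 100;
limit_conn_log_level notice;

# Per-vhost total concurrent connections (used with limit_conn in a server/location).
limit_conn_zone      $server_name zone=SumConnLimitZone:20m;

# ---- vhost file under vhosts/ ----
location / {
    # Total concurrent connections for this vhost.
    #limit_conn SumConnLimitZone 10000;

    # ConnLimitZone allows 80 r/s; burst=5 nodelay lets up to 5 requests above
    # that through immediately and rejects anything beyond with 429 at once.
    # (The old comment said 50 r/s; the zone is defined with rate=80r/s.)
    limit_req zone=ConnLimitZone burst=5 nodelay;

    proxy_pass        http://shequ_world_api;
    proxy_redirect    off;
    proxy_set_header  Host            $host;
    # Same value as $remote_addr unless the peer is a trusted proxy, in which
    # case the backend gets the real client instead of the CDN/SLB address.
    proxy_set_header  X-Real-IP       $clientRealIp;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    # One header carrying both directives; two add_header lines emitted two
    # separate Cache-Control headers.
    add_header Cache-Control "private, no-cache";
}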
2、html文件不缓存的配置
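# Never cache HTML documents. The dot is escaped: the original ".*.(html)$"
# also matched URIs such as /foohtml.
location ~ \.html$ {
    # NOTE: add_header in a location replaces, not extends, any add_header
    # lines inherited from the server block.
    add_header Cache-Control " no-cache, no-store";
}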
3、反向代理的时候获取客户端真实ip地址
# Pass the original client address and scheme through to the backend.
location / {
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    # Appends $remote_addr to whatever X-Forwarded-For the client sent, so the
    # backend must only trust the last (right-most) entry.
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Non-standard spelling, kept only for backends that read this name;
    # X-Forwarded-For above is the standard header.
    proxy_set_header X-Forward-For     $remote_addr;
    proxy_pass http://xxxxx;
}
4、反向代理
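upstream yearning {
    server 172.19.220.168:8000;
}

# Plain HTTP: redirect only. A server-level "return" runs before location
# matching, so the "location /" with proxy_pass that used to sit in this
# block was never reached; the proxy now lives in the HTTPS server below.
server {
    listen      80;
    server_name yearning.ethnicity.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen      443 ssl;
    server_name yearning.ethnicity.com;
    # TODO: point at this host's certificate include (same layout as the
    # other vhosts in this file).
    include /soft/openresty/nginx/ssl/xxx.conf;

    location / {
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Non-standard header name kept from the original config in case the
        # backend reads it.
        proxy_set_header X-Forward-For   $remote_addr;
        proxy_pass http://yearning;
    }
}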
5、ssl域名证书配置
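# Shared TLS settings; "include" this file from each HTTPS server block.
# "ssl on" is deprecated (removed in nginx 1.25): switch every server that
# includes this file to "listen 443 ssl", then delete the line below.
ssl on;
ssl_certificate     /soft/openresty/nginx/ssl/xxxx.pem;
# Keep the key readable only by root / the nginx master (mode 0600).
ssl_certificate_key /soft/openresty/nginx/ssl/xxxx.key;
# Session-resumption cache shared by all workers; the timeout applies to it.
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 5m;
# TLS 1.0/1.1 are deprecated (RFC 8996); drop TLSv1.3 from this list only if
# the bundled OpenSSL is older than 1.1.1.
ssl_protocols TLSv1.2 TLSv1.3;
# Forward-secret AEAD suites only. The previous list ("ECDHE:ECDH:AES:HIGH")
# also admitted static-RSA and CBC/SHA-1 suites.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;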
6、http跳转https(301)
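server {
    # "ssl" on the listener so the vhost keeps working once "ssl on" is
    # removed from the shared include.
    listen      443 ssl;
    server_name pc.ethnicity.cn;
    root        /soft/openresty/nginx/html/pc;
    include     /soft/openresty/nginx/ssl/xxx.conf;
    # Optional hardening once the site is HTTPS-only:
    #add_header Strict-Transport-Security "max-age=31536000" always;
}

# Plain HTTP: permanent redirect to HTTPS, path and query string preserved.
server {
    listen      80;
    server_name pc.ethnicity.cn;
    return 301 https://$server_name$request_uri;
}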
7、移动端跳转
# Mobile redirect for the official site: only /activity* and /hzactivity*
# requests coming from a mobile user agent are sent to the mobile host.
set $flag 0;

# "1" = the URI is an activity page.
if ( $request_uri ~* ^/activity|^/hzactivity ) {
    set $flag "${flag}1";
}

# "2" = mobile user agent. NOTE: "UC" is a bare case-insensitive substring,
# so any UA containing "uc" also qualifies.
if ( $http_user_agent ~* "(Android|iPhone|Windows Phone|UC|Kindle)" ) {
    set $flag "${flag}2";
}

# Both conditions met (flag "012"): 302 temporary redirect, path and query
# string preserved.
if ( $flag = 012 ) {
    rewrite ^/(.*)$ https://wanyan.ethnicity.cn$request_uri redirect;
}
8、反向代理
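server {
    listen      443 ssl;
    server_name costanalysisapi.ethnicity.cn;
    include     /soft/openresty/nginx/ssl/ethnicity.cn.conf;
    error_log   /var/log/nginx/costanalysisapi/error.log  error;
    access_log  /var/log/nginx/costanalysisapi/access.log elk_nobody;

    # Dot-directories first: regex locations are tried in file order, so this
    # must precede the .php location or /.git/foo.php would reach FastCGI.
    # The dot is escaped; the original "/.(ht|svn|git)" matched any character.
    location ~ /\.(ht|svn|git) {
        deny all;
    }

    location / {
        # Serve an existing file from the (default, unset) root, otherwise
        # hand the request to the API. Replaces
        # "if (!-f $request_filename) { proxy_pass ... }".
        try_files $uri @api;
    }

    location @api {
        proxy_http_version 1.1;
        proxy_set_header   Connection "keep-alive";
        proxy_set_header   X-Real-IP  $remote_addr;
        proxy_pass         http://172.19.220.146:18316;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        # No "root" is set in this server, so $document_root is nginx's
        # compiled-in default html directory.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # NOTE(review): same host:port as the HTTP upstream above; a listener
        # cannot speak both FastCGI and HTTP — confirm which one 18316 is.
        fastcgi_pass 172.19.220.146:18316;
    }
}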
9、Tengine反向代理 + OpenLDAP认证
插件安装（动态模块）：`./dso_tool --add-module=/soft/nginx-auth-ldap`
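# ---- nginx.conf ----
ldap_server wanyan-ldap {
    # LDAPS (636) instead of plain ldap:// on 389: with the cleartext URL the
    # bind password below and every user's password sent via HTTP Basic auth
    # crossed the network unencrypted. If 172.19.220.168 does not serve LDAPS
    # yet, enable it there first rather than reverting this line. Turn on the
    # module's certificate check (ssl_check_cert / ssl_ca_file) if this build
    # supports it.
    url ldaps://172.19.220.168:636/DC=ethnicity,DC=cn?cn?sub?(objectClass=inetorgperson);
    # Bind as a read-only service account, not the directory admin; this
    # password lives in nginx.conf, so keep the file unreadable to other users
    # and rotate the credential (the value below is a redacted placeholder).
    binddn        "cn=admin,dc=ethnicity,dc=cn";
    binddn_passwd "xxxxxxoQs";
    group_attribute       uniqueMember;
    group_attribute_is_dn on;
    # Any successfully bound user is accepted.
    require valid_user;
}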
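# Plain HTTP: redirect only. The old port-80 vhost proxied supervisor behind
# LDAP Basic auth, which sent every credential in cleartext.
server {
    listen      80;
    server_name supervisor.ethnicity.com;
    access_log  /var/log/nginx/access.log main;
    error_log   /var/log/nginx/error.log;
    return 301 https://$server_name$request_uri;
}

server {
    listen      443 ssl;
    # Was "supervisor.ethnicty.com" (typo), so this vhost never matched and
    # HTTPS requests fell through to the default server.
    server_name supervisor.ethnicity.com;
    include     /soft/tengine/ssl/ethnicity.com.conf;
    access_log  /var/log/nginx/access.log main;
    error_log   /var/log/nginx/error.log;

    location / {
        # "stub_status on" was removed: it and proxy_pass both claim the
        # location's content handler, so it was either dead or, if reordered,
        # would have exposed server statistics here.
        auth_ldap_servers wanyan-ldap;
        auth_ldap         "Forbidden";
        proxy_pass        http://172.19.220.167:9001;
    }
}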
10、nginx四层tcp代理
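# ---- nginx.conf ----
stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /var/log/nginx/tcp-access.log proxy;
    open_log_file_cache off;
    include vhosts/*.stream;
}

# ---- server file included above (vhosts/*.stream) ----
upstream scratch-cps-api_rpc {
    server 172.19.220.171:8122;
}

server {
    # Bound on every interface: anyone who can reach this host on 8122 gets a
    # raw TCP path to the RPC backend. Bind to a specific address or add
    # allow/deny rules here unless that is intended.
    listen 8122;
    # "proxy_responses 1" was dropped: it applies only to UDP and was ignored
    # on this TCP listener.
    proxy_timeout 20s;
    proxy_pass    scratch-cps-api_rpc;
}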