返回
首页

nginx cheatsheet

端口 listen

server {
  # 标准 HTTP 端口
  listen 80;
  
  # 标准 HTTPS 端口
  listen 443 ssl;
  
  # 使用 IPv6 监听 80 端口
  listen [::]:80;
  
  # 仅监听 IPv6 端口
  listen [::]:80 ipv6only=on;
}

域名 server_name

server {
  # 监听域名 yourdomain.com
  server_name yourdomain.com;
  
  # 监听多个域名
  server_name yourdomain.com www.yourdomain.com;
  
  # 监听所有子域名
  server_name *.yourdomain.com;
  
  # 监听所有顶级域名
  server_name yourdomain.*;
  
  # 监听未指定域名 (listens to IP address itself)
  server_name "";
}

访问日志 access_log

server {
  # 日志文件的相对或完整路径
  access_log /path/to/file.log;
  
  # Turn 'on' or 'off'
  access_log on;
}

杂项 gzip, client_max_body_size

server {
  # Turn gzip compression 'on' or 'off'
  gzip on;
  
  # Limit client body size to 10mb
  client_max_body_size 10M;
}

文件服务

静态资源

传统web服务

server {
  listen 80;
  server_name yourdomain.com;
  
  location / {
  	root /path/to/website;
  }
}

静态资源并使用 HTML5 History Mode

单页应用,如Vue, React, Angular

server {
  listen 80;
  server_name yourdomain.com;
  root /path/to/website;
  
  location / {
  	try_files $uri $uri/ /index.html;
  }
}

重定向

301 永久重定向

可用于处理www.yourdomain.comyourdomain.com,或者将http重定向到https。下面例子中www.yourdomain.com重定向到yourdomain.com

server {
  listen 80;
  server_name www.yourdomain.com;
  return 301 http://yourdomain.com$request_uri;
}

302 临时重定向

server {
  listen 80;
  server_name yourdomain.com;
  return 302 http://otherdomain.com;
}

特殊URL的重定向

server {
  listen 80;
  server_name yourdomain.com;
  
  location /redirect-url {
	return 301 http://otherdomain.com;  
  }
}

反向代理

基本使用

server {
  listen 80;
  server_name yourdomain.com;
  
  location / {
    proxy_pass http://0.0.0.0:3000;
    # 0.0.0.0:3000 是本地服务绑定的ip和端口
  }
}

或者先定义upstream

upstream node_js {
  server 0.0.0.0:3000;
}

server {
  listen 80;
  server_name yourdomain.com;
  
  location / {
    proxy_pass http://node_js;
  }
}

升级连接(推荐用于Node.js应用程序)

对于支持WebSockets(例如socket.io)的Node.js应用程序很有用。

upstream node_js {
  server 0.0.0.0:3000;
}

server {
  listen 80;
  server_name yourdomain.com;
  
  location / {
    proxy_pass http://node_js;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
	
    # not required but useful for applications with heavy WebSocket usage
    # as it increases the default timeout configuration of 60
    proxy_read_timeout 80;
  }
}

TLS/SSL (HTTPS)

基本使用

以下配置只是TLS / SSL设置的一个示例。 不要将这些设置作为适用于您的应用程序的完美安全解决方案。 请研究最适合您的证书颁发机构的正确设置。

如果您正在寻找免费的SSL证书,则 Let's Encrypt 是免费、自动、开放的证书颁发机构。另外,这是一个很棒的Digital Ocean指南,了解如何在Ubuntu 16.04上设置TLS / SSL。

server {
  listen 443 ssl;
  server_name yourdomain.com;
  
  ssl on;
  
  ssl_certificate /path/to/cert.pem;
  ssl_certificate_key /path/to/privkey.pem;
  
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /path/to/fullchain.pem;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  add_header Strict-Transport-Security max-age=15768000;
}

# Permanent redirect for HTTP to HTTPS
server {
  listen 80;
  server_name yourdomain.com;
  return 301 https://$host$request_uri;
}

负载均衡

php-fpm Unix socket

upstream php {
    least_conn;

    server unix:/var/run/php/php-fpm.sock;
    server unix:/var/run/php/php-two-fpm.sock;

    keepalive 5;
}

least_conn选取活跃连接数与权重weight的比值最小者为下一个处理请求的server

php-fpm TCP

upstream php {
    least_conn;

    server 127.0.0.1:9090;
    server 127.0.0.1:9091;

    keepalive 5;
}

HTTP 负载均衡

# Upstreams
upstream backend {
    least_conn;

    server 10.10.10.1:80;
    server 10.10.10.2:80;
}

server {
    server_name site.ltd;

    location / {
        proxy_pass http://backend;
        proxy_redirect      off;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

代理

简单代理

location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect      off;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    }

子文件夹代理

location /folder/ { # The / is important!
        proxy_pass http://127.0.0.1:3000/; # The / is important!
        proxy_redirect      off;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    }

websocket keepalive 代理

# Upstreams
upstream backend {
    server 127.0.0.1:3000;
    keepalive 5;
}
# HTTP Server
server {
    server_name site.tld;
    error_log /var/log/nginx/site.tld.access.log;
    location / {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}

反向代理 Apache

server {

    server_name domain.tld;

    access_log /var/log/nginx/domain.tld.access.log;
    error_log /var/log/nginx/domain.tld.error.log;

    root /var/www/domain.tld/htdocs;

    # pass requests to Apache backend
    location / {
        proxy_pass http://backend;
    }
    # handle static files with a fallback
    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|zip|webm|mp3|aac|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
        add_header "Access-Control-Allow-Origin" "*";
        access_log off;
        log_not_found off;
        expires max;
        try_files $uri @fallback;
    }
    # fallback to pass requests to Apache if files are not found
    location @fallback {
        proxy_pass http://backend;
    }
}

Nginx 安全

访问限制

常用备份和存档文件

location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
    deny all;
}

限制访问隐藏文件和文件夹

location ~ /\.(?!well-known\/) {
    deny all;
}

阻止常见攻击

base64 encoded url

location ~* "(base64_encode)(.*)(\()" {
    deny all;
}

javascript eval() url

location ~* "(eval\()" {
    deny all;
}

Nginx Media

MP4 stream module

location /videos {
    location ~ \.(mp4)$ {
        mp4;
        mp4_buffer_size       1m;
        mp4_max_buffer_size   5m;
        add_header Vary "Accept-Encoding";
        add_header "Access-Control-Allow-Origin" "*";
        add_header Cache-Control "public, no-transform";
        access_log off;
        log_not_found off;
        expires max;
    }
}

WebP images

Mapping conditions to display WebP images

# 如果Web浏览器支持WebP,则提供WebP图像
map $http_accept $webp_suffix {
   default "";
   "~*webp" ".webp";
}