Nginx 配置指南
基本配置结构
# nginx.conf 基本结构
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# 日志格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# 包含站点配置
include /etc/nginx/conf.d/*.conf;
}
静态网站配置
- 基础配置
- 单页应用
server {
listen 80;
server_name example.com www.example.com;
root /var/www/html;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
# 静态资源缓存
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 7d;
add_header Cache-Control "public, immutable";
}
}
server {
listen 80;
server_name app.example.com;
root /var/www/app;
index index.html;
# SPA 路由支持
location / {
try_files $uri $uri/ /index.html;
}
# API 代理
location /api/ {
proxy_pass http://backend:5000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# 静态资源缓存
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
}
反向代理配置
基本反向代理
server {
listen 80;
server_name api.example.com;
location / {
proxy_pass http://backend:5000;
proxy_http_version 1.1;
# 代理头设置
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 超时设置
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# 缓冲设置
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
}
}
WebSocket 代理
server {
listen 80;
server_name ws.example.com;
location / {
proxy_pass http://backend:8080;
proxy_http_version 1.1;
# WebSocket 必需的头
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
# 超时设置(WebSocket 需要更长的超时)
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
}
}
负载均衡
- 轮询
- 加权
- IP Hash
- 最少连接
- 健康检查
upstream backend {
server backend1:5000;
server backend2:5000;
server backend3:5000;
}
server {
listen 80;
server_name app.example.com;
location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
upstream backend {
server backend1:5000 weight=3; # 权重 3
server backend2:5000 weight=2; # 权重 2
server backend3:5000 weight=1; # 权重 1
}
upstream backend {
ip_hash; # 根据客户端 IP 分配服务器
server backend1:5000;
server backend2:5000;
server backend3:5000;
}
upstream backend {
least_conn; # 选择连接数最少的服务器
server backend1:5000;
server backend2:5000;
server backend3:5000;
}
upstream backend {
server backend1:5000 max_fails=3 fail_timeout=30s;
server backend2:5000 max_fails=3 fail_timeout=30s;
server backend3:5000 backup; # 备用服务器
}
SSL/TLS 配置
HTTPS 配置
server {
listen 80;
server_name example.com www.example.com;
# HTTP 重定向到 HTTPS
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com www.example.com;
# SSL 证书
ssl_certificate /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;
# SSL 配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 安全头
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
location / {
root /var/www/html;
index index.html;
}
}
Let's Encrypt 自动续期
# 安装 certbot
apt-get install certbot python3-certbot-nginx
# 获取证书
certbot --nginx -d example.com -d www.example.com
# 自动续期(添加到 crontab)
0 0 * * * certbot renew --quiet
缓存配置
# 定义缓存路径
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m
max_size=1g inactive=60m use_temp_path=off;
server {
listen 80;
server_name cache.example.com;
location / {
proxy_cache my_cache;
proxy_cache_use_stale error timeout http_500 http_502 http_503;
proxy_cache_valid 200 60m;
proxy_cache_valid 404 1m;
# 缓存头
add_header X-Cache-Status $upstream_cache_status;
proxy_pass http://backend:5000;
}
}
限流配置
# 定义限流区域
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=addr_limit:10m;
server {
listen 80;
server_name api.example.com;
location /api/ {
# 请求限流(每秒 10 个请求,突发 20 个)
limit_req zone=api_limit burst=20 nodelay;
# 连接限流(每个 IP 最多 10 个连接)
limit_conn addr_limit 10;
proxy_pass http://backend:5000/;
}
}
Gzip 压缩
http {
# 启用 gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/json
application/javascript
application/xml+rss
application/rss+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
gzip_disable "msie6";
}
日志配置
# 自定义日志格式
log_format custom '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time';
server {
access_log /var/log/nginx/example.com.access.log custom;
error_log /var/log/nginx/example.com.error.log warn;
# 关闭特定路径的日志
location = /health {
access_log off;
return 200 "OK\n";
}
}
常用命令
# 测试配置
nginx -t
# 重新加载配置
nginx -s reload
# 停止服务
nginx -s stop
# 优雅停止
nginx -s quit
# 查看版本和配置
nginx -V
# 查看进程
ps aux | grep nginx
最佳实践
最佳实践清单