2024-01-04
服务器
nginx1.24

一、Nginx 安装

1.安装 br 压缩模块
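# Install the Brotli compression module (ngx_brotli) as a static nginx module.
# The download directory is created here with -p: the original sequence did `cd`
# into it before step 2 created it, so a fresh machine failed at the first line.
mkdir -p /usr/local/download
cd /usr/local/download

# Fetch the module source together with its bundled brotli submodule.
# Supply-chain note: this tracks the default branch; for a reproducible build,
# check out a released tag (or a known commit) after cloning.
git clone https://github.com/google/ngx_brotli
cd ngx_brotli
git submodule update --init

# Alternatively, unpack a previously downloaded archive of the module
tar -zxvf ngx_brotli.tar.gz

# Brotli development headers/libraries needed by the build
yum -y install brotli-devel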
2.下载安装
官网地址:http://nginx.org/en/download.html
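# Working directory for sources and target directory for the install (-p: no error if present)
mkdir -p /usr/local/download
mkdir -p /usr/local/software

cd /usr/local/download

# Download nginx over HTTPS (the original used plain http://) together with its
# detached PGP signature, so the tarball can be checked before it is built as root.
wget https://nginx.org/download/nginx-1.24.0.tar.gz
wget https://nginx.org/download/nginx-1.24.0.tar.gz.asc

# Verify the signature. The signing key must first be imported from the key list
# published at https://nginx.org/en/pgp_keys.html ; stop here if this fails.
gpg --verify nginx-1.24.0.tar.gz.asc nginx-1.24.0.tar.gz

tar -zxvf nginx-1.24.0.tar.gz
cd nginx-1.24.0

# Configure and build. --add-module points at the ngx_brotli checkout from step 1;
# http_auth_request_module is required by the /auth sub-request used in the vhosts.
./configure --prefix=/usr/local/software/nginx1.24 --with-http_auth_request_module --with-http_ssl_module --add-module=/usr/local/download/ngx_brotli
make && make install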
3.重新编译添加模块
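cd /usr/local/download
cd nginx-1.24.0

# Re-run configure with the FULL existing argument list plus the module being added.
# `nginx -V` prints the arguments the running binary was built with; copy them so
# previously enabled modules are not silently dropped from the new build.
./configure --prefix=/usr/local/software/nginx1.24 --with-http_auth_request_module --with-http_ssl_module --add-module=/usr/local/download/ngx_brotli

# Run only `make`: `make install` would overwrite the whole install tree, including conf/
make

# Stop the service before swapping the binary
systemctl stop nginx124.service

# Keep a copy of the current binary, then put the new one in place
cp /usr/local/software/nginx1.24/sbin/nginx /usr/local/software/nginx1.24/sbin/nginx_bak
cp /usr/local/download/nginx-1.24.0/objs/nginx /usr/local/software/nginx1.24/sbin/

# The original sequence stopped nginx and never started it again: check the
# configuration with the new binary, then bring the service back up.
/usr/local/software/nginx1.24/sbin/nginx -t -c /usr/local/software/nginx1.24/conf/nginx.conf
systemctl start nginx124.service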
4.创建用户
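groupadd nginx
# System account for the worker processes: no login shell, no home directory
useradd -r -g nginx -s /sbin/nologin -M nginx

# The master process is started by systemd as root and only the workers drop to
# `nginx` (see `user nginx;` in nginx.conf). The original `chown -R nginx` handed
# the binary and the configuration to the worker user, so a compromised worker
# could rewrite sbin/nginx or conf/*.conf. Keep those owned by root and give the
# worker user only the log directory.
chown -R root:root /usr/local/software/nginx1.24
chown -R nginx:nginx /usr/local/software/nginx1.24/logs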
5.设置开机自启动
# Create the systemd unit for this nginx install; the file contents follow
vim /lib/systemd/system/nginx124.service

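[Unit]
Description=nginx service
After=network.target

[Service]
Type=forking
# Must match the `pid` directive in nginx.conf
PIDFile=/usr/local/software/nginx1.24/logs/nginx.pid
# Validate the configuration first so a broken edit fails the start instead of
# leaving the site down with a half-started master
ExecStartPre=/usr/local/software/nginx1.24/sbin/nginx -t -c /usr/local/software/nginx1.24/conf/nginx.conf
ExecStart=/usr/local/software/nginx1.24/sbin/nginx -c /usr/local/software/nginx1.24/conf/nginx.conf
ExecReload=/usr/local/software/nginx1.24/sbin/nginx -s reload
# Graceful stop: finish in-flight requests before exiting
ExecStop=/usr/local/software/nginx1.24/sbin/nginx -s quit
# nginx.conf sets worker_connections 10240, which exceeds the default per-service
# open-file limit; without this nginx warns at start and accepts fewer connections
LimitNOFILE=65535
PrivateTmp=true
Restart=always

[Install]
WantedBy=multi-user.target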

systemctl daemon-reload # reload unit files after editing them

systemctl list-units --type=service # list loaded services
systemctl status nginx124.service # current state of the service
systemctl enable nginx124.service # start at boot
systemctl disable nginx124.service # do not start at boot
6.创建软链接
# Put the custom-prefix binary on PATH so `nginx -t`, `nginx -s reload` etc. work without the full path
ln -s  /usr/local/software/nginx1.24/sbin/nginx /usr/bin/nginx
7.常用命令
nginx -t # check configuration syntax
nginx -s reload
nginx -V # show build flags / compiled-in modules

systemctl start nginx124.service # start the service
systemctl stop nginx124.service # stop the service
systemctl restart nginx124.service # restart the service
8.跨域配置
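location / {
    # CORS headers. A wildcard origin is only valid for requests made WITHOUT
    # credentials: browsers reject `Access-Control-Allow-Origin: *` combined with
    # `Access-Control-Allow-Credentials: true`, so the credentials header that was
    # here has been removed. An API that must accept cookies has to echo a single,
    # explicit origin taken from an allow-list (e.g. a `map $http_origin` in the
    # http block) instead of `*` — never reflect $http_origin unconditionally.
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods *;
    add_header Access-Control-Allow-Headers *;

    # NOTE: add_header in a location REPLACES the add_header set of the enclosing
    # server (no merge), so security headers set at server level must be repeated here.

    # Answer CORS preflight requests directly; no body is needed
    if ($request_method = 'OPTIONS') {
        return 204;
    }
}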

二、nginx.conf 文件

1.linux 系统
# Main configuration file; the contents follow
vim /usr/local/software/nginx1.24/conf/nginx.conf

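# Worker processes run as this unprivileged user (the master stays root)
user nginx;

# Number of workers: the number of CPU cores (cores, not sockets; one CPU may have
# several cores) or auto.
# Core count: lscpu, or cat /proc/cpuinfo | grep 'processor' | wc -l
worker_processes auto;

# Pin workers to cores automatically
worker_cpu_affinity auto;

# Per-worker open-file limit. Must be at least worker_connections (below); otherwise
# nginx logs a warning at start and effectively serves fewer connections than configured.
worker_rlimit_nofile 65535;

# error_log  /www/log/nginx/error.log warn;
# Must match PIDFile= in the systemd unit
pid /usr/local/software/nginx1.24/logs/nginx.pid;

events {
    use epoll;
    worker_connections  10240;
}

http {
    include       /usr/local/software/nginx1.24/conf/mime.types;
    default_type  application/octet-stream;

    # Access-log format, referenced as `main` by the vhosts
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    # access_log  /www/log/nginx/access.log  main;

    # Efficient file transfer: sendfile with tcp_nopush and tcp_nodelay both on
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Keep-alive: idle timeout (seconds) and max requests per connection
    keepalive_timeout 60;
    keepalive_requests 200;

    # Brotli compression (browsers only negotiate br over HTTPS); keep it before gzip
    brotli on;
    brotli_comp_level 6;
    brotli_types text/css text/javascript text/xml text/plain application/javascript application/json application/xml application/xhtml+xml image/svg+xml;

    # gzip compression
    gzip on;
    gzip_comp_level 6;
    gzip_types text/css text/javascript text/xml text/plain application/javascript application/json application/xml application/xhtml+xml image/svg+xml;

    # FastCGI tuning
    fastcgi_connect_timeout 1200; # not less than max_execution_time in php.ini
    fastcgi_send_timeout 1200; # not less than max_execution_time in php.ini
    fastcgi_read_timeout 1200; # not less than max_execution_time in php.ini
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    # Upload limits and request buffers
    client_max_body_size 100M;
    client_body_buffer_size 1024k;
    client_header_buffer_size 8k;
    large_client_header_buffers 4 8k;

    # Do not advertise the nginx version in Server: headers and error pages
    server_tokens off;

    # One file per site
    include /usr/local/software/nginx1.24/conf/vhost/*.conf;
}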

三、vhost/*.conf 文件

1.laravel 框架
# Per-site configuration files live in conf/vhost/ (included from nginx.conf)
mkdir /usr/local/software/nginx1.24/conf/vhost/
vim /usr/local/software/nginx1.24/conf/vhost/xxx.jdzor.cn.conf

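server {
    # Plain HTTP only; see the hyperf example below for the TLS layout
    listen 80;

    # Access control (add allow/deny rules here if needed)
    allow all;

    # Response charset
    charset utf-8;

    # Domain. If this is the only server on port 80 it is also nginx's default
    # server, so requests carrying any other Host header land here too.
    server_name xxx.jdzor.cn;

    # Laravel is served from public/, which keeps .env and the rest of the project outside the web root
    root /www/web/project-demo/public;

    # Default documents
    index admin.html index.php;

    # Security headers. `always` also attaches them to 4xx/5xx responses, which
    # add_header otherwise skips.
    add_header X-Frame-Options "SAMEORIGIN" always; # clickjacking: only same-origin framing
    add_header X-XSS-Protection "0" always; # the legacy XSS auditor is gone from current browsers and "1; mode=block" could be abused for cross-site leaks; disabling it is the current recommendation
    add_header X-Content-Type-Options "nosniff" always; # no MIME sniffing
    add_header Referrer-Policy "strict-origin-when-cross-origin" always; # limit referrer leakage

    # Logs (format `main` is defined in nginx.conf)
    access_log /www/log/nginx/xxx.jdzor.cn.access.log main;
    error_log /www/log/nginx/xxx.jdzor.cn.error.log warn;

    # Protected static files: every request under /storage is gated by a sub-request to /auth
    location ^~ /storage {
       auth_request /auth;
    }
    location = /auth {
        internal;
        resolver 223.5.5.5 223.6.6.6 183.60.83.19 180.76.76.76 122.112.208.1;
        # Target the configured server_name, not $host. $host is the client-supplied
        # Host header; with it, a request for a foreign host would make nginx send
        # this sub-request (and the Sign-Key below) to that foreign host and accept
        # its answer as the authorization decision.
        proxy_pass $scheme://$server_name:$server_port/xxxxxxxxx/storageAuth;
        proxy_set_header Sign-Key "xxxxxxxxx";
        # The auth endpoint only needs headers: do not forward the request body
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Front-end routes fall back to admin.html
    location / {
        try_files $uri $uri/ /admin.html;
    }
    # API routes fall back to Laravel's front controller
    location /xxx {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # PHP via php-fpm
    location ~ \.php($|/) {
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        # try_files re-evaluates the URI and clears $fastcgi_path_info, so capture it first
        set $path_info $fastcgi_path_info;
        # Only hand existing .php files to php-fpm. Without this, a non-PHP upload
        # whose URI is suffixed with /x.php can reach php-fpm, which executes the
        # upload when cgi.fix_pathinfo=1 (the php.ini default).
        try_files $fastcgi_script_name =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Do not log favicon.ico / robots.txt lookups
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    # Block VCS metadata. The previous pattern `.*.(svn|git|cvs)$` only matched URIs
    # ENDING in those letters, so /.git/config or /.svn/entries (the files that leak
    # source) were still served; this matches the dot-directory itself.
    location ~ /\.(git|svn|cvs)(/|$) {
        deny all;
    }

    # Static asset caching (dot escaped: the old `.*.(js|css)$` also matched names merely ending in "js"/"css")
    location ~ \.(js|css)$ {
       expires 12h;
    }
    location ~ \.(jpg|jpeg|png|xls|xlsx|doc|docx|pdf)$ {
       expires 7d;

       # Hotlink protection: only requests referred from this site are served.
       # NOTE(review): without `none` in valid_referers, direct navigation (no
       # Referer header) is also answered with 404 — confirm that is intended.
       valid_referers xxx.jdzor.cn;
       if ($invalid_referer) {
          return 404;
       }
    }

}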
2.hyperf 框架(SSL + WebSocket)
# At least one Hyperf node is required; add one `server` line per node
upstream xxx_api {
    server 127.0.0.1:10010;
}

# WebSocket node(s)
upstream xxx_ws {
    server 127.0.0.1:10011;
}

server {
    # Port
    listen 80;

    # Access control
    allow all;

    # Response charset
    charset utf-8;

    # Domain
    server_name xxx.jdzor.cn;

    # Redirect all plain-HTTP traffic to HTTPS. Built from $server_name rather than
    # $host, so a client-supplied Host header cannot turn this into an open redirect.
    return 301 https://$server_name$request_uri;
}

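server {
    # HTTPS listener; plain HTTP is redirected here by the server block above
    listen 443 ssl;

    # Access control
    allow all;

    # Response charset
    charset utf-8;

    # Domain
    server_name xxx.jdzor.cn;

    # Hyperf is served from public/
    root /www/web/xxx-api-hyperf/public;

    # Default document
    index index.html;

    # TLS. The previous cipher list still offered 3DES (EECDH+3DES:RSA+3DES), a
    # 64-bit block cipher vulnerable to SWEET32; it is removed here. The RSA+AES
    # entries (no forward secrecy) remain only for legacy clients.
    ssl_certificate /etc/letsencrypt/live/xxx.jdzor.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.jdzor.cn/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers. `always` also attaches them to 4xx/5xx responses.
    add_header X-Frame-Options "SAMEORIGIN" always; # clickjacking: only same-origin framing
    add_header X-XSS-Protection "0" always; # the legacy XSS auditor is gone from current browsers and "1; mode=block" could be abused for cross-site leaks; disabling it is the current recommendation
    add_header X-Content-Type-Options "nosniff" always; # no MIME sniffing
    add_header Referrer-Policy "strict-origin-when-cross-origin" always; # limit referrer leakage
    # NOTE(review): since HTTP is already redirected to HTTPS, a
    # Strict-Transport-Security header fits here; start with a short max-age.

    # Logs (format `main` is defined in nginx.conf)
    access_log /www/log/nginx/xxx.jdzor.cn.access.log main;
    error_log /www/log/nginx/xxx.jdzor.cn.error.log warn;

    # Protected static files: every request under /storage is gated by a sub-request to /auth
    location ^~ /storage {
        auth_request /auth;
    }
    location = /auth {
        internal;
        resolver 223.5.5.5 223.6.6.6 183.60.83.19 180.76.76.76 122.112.208.1;
        # Target the configured server_name, not $host. $host is the client-supplied
        # Host header; with it, a request for a foreign host would make nginx send
        # this sub-request (and the key header below) to that foreign host and
        # accept its answer as the authorization decision.
        proxy_pass $scheme://$server_name:$server_port/xxxxxx/storageAuth;
        proxy_set_header Sign-Not-Verified-Key "xxxxxx";
        # Forwards the client's cookies under the request-header name "Set-Cookie".
        # The incoming Cookie header is passed through by default, so this only
        # matters if the auth endpoint reads that specific name — NOTE(review):
        # confirm the header name the backend expects.
        proxy_set_header Set-Cookie $http_cookie;
        # The auth endpoint only needs headers: do not forward the request body
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # Front-end routes fall back to index.html
    location / {
        try_files $uri $uri/ /index.html;
    }
    # (placeholder prefix) API: the API and WebSocket prefixes must differ in the
    # real file — nginx rejects duplicate location prefixes
    location /xxxxxx {
        # Pass the client's Host and IP on to the node
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Force Secure/HttpOnly/SameSite=Strict on every cookie set by the backend.
        # proxy_cookie_flags (nginx >= 1.19.3) replaces the old proxy_cookie_path
        # trick, which only touched cookies whose Path was exactly "/" and would
        # duplicate attributes the backend already sets.
        proxy_cookie_flags ~ secure httponly samesite=strict;

        # Proxy to the API upstream
        proxy_pass http://xxx_api;
    }
    # (placeholder prefix) WebSocket endpoint
    location /xxxxxx {
        # WebSocket upgrade headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade "websocket";
        proxy_set_header Connection "Upgrade";

        # Pass the client's Host and IP on to the node
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;

        # Close the connection after 60s without traffic; tune to the application
        proxy_read_timeout 60s;

        # Proxy to the WebSocket upstream
        proxy_pass http://xxx_ws;
    }

    # Do not log favicon.ico / robots.txt lookups
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    # Block VCS metadata. The previous pattern `.*.(svn|git|cvs)` had an unescaped
    # dot and no anchor, so it also denied ordinary paths containing e.g. "git"
    # (such as /digital.png); this matches the dot-directory itself.
    location ~ /\.(git|svn|cvs)(/|$) {
        deny all;
    }

    # Static asset caching (dot escaped: the old `.*.(js|css)$` also matched names merely ending in "js"/"css")
    location ~ \.(js|css)$ {
        expires 12h;
    }
    location ~ \.(jpg|jpeg|png|xls|xlsx|doc|docx|pdf)$ {
        expires 7d;

        # Hotlink protection: only requests referred from this site are served.
        # NOTE(review): without `none` in valid_referers, direct navigation (no
        # Referer header) is also answered with 404 — confirm that is intended.
        valid_referers xxx.jdzor.cn;
        if ($invalid_referer) {
            return 404;
        }
    }

}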