2026-01-05
服务器
nginx1.24
一、sysctl.conf
vim /etc/sysctl.conf
# Raise the system-wide accept-queue ceiling. The listen() backlog of any process is capped here,
# so nginx's "listen ... backlog=" (default 511 on Linux) can only grow once this is raised.
net.core.somaxconn = 65535
# Raise the half-open (SYN) queue size
net.ipv4.tcp_max_syn_backlog = 65535
# Enable SYN cookies as a fallback when the SYN queue overflows; the kernel default is usually 1 already
net.ipv4.tcp_syncookies = 1
# When the accept queue is full, let the client retry instead of resetting the connection (0 is the kernel default)
net.ipv4.tcp_abort_on_overflow = 0
# Open-file limit, system-wide
fs.file-max = 1000000
# Open-file limit, per process; must stay at or below fs.file-max
fs.nr_open = 900000
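# Apply the saved settings without rebooting
sysctl -p
# Verify the TCP parameters took effect
sysctl net.core.somaxconn
sysctl net.ipv4.tcp_max_syn_backlog
# Network connection statistics
ss -s
# -H suppresses the header line; without it each count below is one too high
# (on an old iproute2 that lacks -H, subtract 1 from the result instead)
ss -Htan state syn-recv | wc -l
ss -Htan state established | wc -l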
二、nginx.conf
vim /usr/local/software/nginx1.24/conf/nginx.conf
# Unprivileged user the worker processes run as
user nginx;
# Set to the number of CPU cores (cores, not sockets: one CPU can have several cores) or auto
# Check the core count with: lscpu, or cat /proc/cpuinfo | grep 'processor' | wc -l
worker_processes auto;
# Pin each worker to a CPU automatically
worker_cpu_affinity auto;
# Per-worker open-file limit; should be at least worker_connections and no more than fs.nr_open
worker_rlimit_nofile 65535;
# error_log /www/log/nginx/error.log warn;
pid /usr/local/software/nginx1.24/logs/nginx.pid;
events {
# Event notification method for Linux
use epoll;
# Maximum simultaneous connections per worker; this counts client and upstream connections together
worker_connections 10240;
# Accept all pending connections on each wake-up instead of one at a time
multi_accept on;
}
http {
include /usr/local/software/nginx1.24/conf/mime.types;
default_type application/octet-stream;
# Access-log format used by the vhosts ("main")
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# access_log /www/log/nginx/access.log main buffer=32k flush=5s;
# Rate-limit state keyed by client IP (about 16k addresses per MB of zone); the limits are applied
# per location with limit_req / limit_conn
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=200r/s;
limit_conn_zone $binary_remote_addr zone=addr:10m;
# TLS settings, inherited by every server that listens with "ssl"
ssl_protocols TLSv1.2 TLSv1.3;
# NOTE(review): the TLS_* names are TLS 1.3 suites and are ignored by OpenSSL in this directive
# (TLS 1.3 suites are configured separately, e.g. with ssl_conf_command Ciphersuites). The TLS 1.2
# part lists only ECDHE-RSA suites, so an ECDSA certificate would leave TLS 1.2 clients with no common cipher.
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
# Session cache shared across workers (roughly 4000 sessions per MB)
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 4h;
# NOTE(review): no ssl_session_ticket_key is set, so a random key is generated when the configuration
# is (re)loaded and kept until the next one; resumed sessions are only as forward-secret as that key's lifetime
ssl_session_tickets on;
ssl_buffer_size 4k;
# Efficient file transfer: sendfile with both tcp_nopush and tcp_nodelay on, to avoid network stalls
sendfile on;
tcp_nopush on;
tcp_nodelay on;
output_buffers 4 32k;
# Client keep-alive
keepalive_timeout 60;
keepalive_requests 10000;
# Connection teardown
reset_timedout_connection on;
send_timeout 30s;
# Brotli compression (needs the ngx_brotli module; browsers only advertise "br" over https, so in
# practice it is used on TLS vhosts only; keep it ahead of gzip)
brotli on;
brotli_comp_level 6;
brotli_types text/css text/javascript text/xml text/plain application/javascript application/json application/xml application/xhtml+xml image/svg+xml;
# gzip compression
gzip on;
gzip_comp_level 6;
gzip_types text/css text/javascript text/xml text/plain application/javascript application/json application/xml application/xhtml+xml image/svg+xml;
# FastCGI tuning (none of the vhosts shown in this post use fastcgi_pass, so these are inert here)
fastcgi_connect_timeout 1200; # not less than max_execution_time in php.ini
fastcgi_send_timeout 1200; # not less than max_execution_time in php.ini
fastcgi_read_timeout 1200; # not less than max_execution_time in php.ini
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
# Upload size limit and request buffers
client_max_body_size 100M;
client_body_buffer_size 1024k;
client_header_buffer_size 8k;
large_client_header_buffers 4 8k;
# Hide the nginx version in the Server header and on error pages
server_tokens off;
# Load the virtual hosts
include /usr/local/software/nginx1.24/conf/vhost/*.conf;
}
vim /usr/local/software/nginx1.24/conf/mime.types
# For the front-end pdf.js: add the mjs extension to the js entry. Edit the existing
# "application/javascript js;" line rather than adding a second one, since nginx warns about duplicate extensions.
application/javascript js mjs;
三、nginx-common.conf
vim /usr/local/software/nginx1.24/conf/nginx-common.conf
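# Security response headers. They apply at the level this file is included (server) and are inherited
# by locations that declare no add_header of their own; "always" also emits them on 4xx/5xx responses.
add_header X-Frame-Options "SAMEORIGIN" always; # the page may only be framed by pages from the same origin
# The legacy XSS auditor has been removed from current browsers and its filter mode caused problems of its own
# in older ones; current guidance is to disable it explicitly rather than turn it on.
add_header X-XSS-Protection "0" always;
add_header X-Content-Type-Options "nosniff" always; # stop browsers from guessing the Content-Type
add_header Referrer-Policy "strict-origin-when-cross-origin" always; # limit what Referer discloses to other origins
# TODO(review): consider adding Strict-Transport-Security on the HTTPS server once the host is HTTPS-only
# Do not log favicon.ico / robots.txt
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
# Deny dot-files and dot-directories. "return 404" runs in the rewrite phase, before "deny all" (access phase),
# so clients receive 404 rather than 403, which also avoids confirming that the path exists.
# NOTE(review): this also covers /.well-known/ (e.g. ACME http-01); add an exception if that is needed here.
location ~ /\. {
deny all;
access_log off;
log_not_found off;
return 404;
}
# Cache lifetimes for static assets. These are regex locations, so they take precedence over prefix
# locations such as "location /api/" in the including server unless that location uses the ^~ modifier.
location ~ \.(js|css)$ {
expires 12h;
access_log off;
}
location ~ \.(jpg|jpeg|png|xls|xlsx|doc|docx|pdf)$ {
expires 7d;
access_log off;
}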
四、dev25.xxx.xxx.com.cn.conf
vim /usr/local/software/nginx1.24/conf/vhost/dev25.xxx.xxx.com.cn.conf
server {
# Plain-HTTP listener
listen 80;
# Host name
server_name dev25.xxx.xxx.com.cn;
# Permanently redirect every HTTP request to HTTPS, keeping path and query string
# ($server_name is the first name given to server_name)
return 301 https://$server_name$request_uri;
}
server {
# TLS listener; protocol and cipher settings are inherited from the http block
listen 443 ssl;
# Access control: currently unrestricted
allow all;
# Response charset
charset utf-8;
# Host name
server_name dev25.xxx.xxx.com.cn;
# Document root of the built front end
root /www/siteng-2025/siteng2025-xxx-vue3.5;
# Default page
index platform.html;
# Certificate and private key
ssl_certificate /etc/letsencrypt/live/dev25.xxx.xxx.com.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dev25.xxx.xxx.com.cn/privkey.pem;
# Logs
access_log /www/log/nginx/dev25.xxx.xxx.com.cn.access.log main buffer=32k flush=5s;
error_log /www/log/nginx/dev25.xxx.xxx.com.cn.error.log warn;
# SPA fallback: paths that do not exist on disk are served the front-end entry page
location / {
try_files $uri $uri/ /platform.html;
}
# Back-end API relay.
# NOTE(review): this is a prefix location, so the regex locations included from nginx-common.conf
# (\.(js|css)$ and \.(jpg|...|pdf)$) win for any /api/ URL ending in one of those extensions and serve it
# from root instead of proxying; use "location ^~ /api/" if every /api/ path must reach the back end.
location /api/ {
proxy_pass http://127.0.0.1/; # trailing slash: the /api/ prefix is stripped before forwarding
proxy_set_header Host "dev25.xxx-api.xxx.com.cn:80";
# NOTE(review): the request re-enters nginx through the API vhost on loopback, which sets X-Real-IP to its own
# $remote_addr (127.0.0.1); the back end only sees the real client in X-Forwarded-For unless that vhost trusts
# this header from 127.0.0.1 (realip module).
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Per-client request-rate and concurrent-connection limits (zones defined in nginx.conf)
limit_req zone=api_limit burst=200 nodelay;
limit_conn addr 30;
}
# Server-sent-events endpoint (exact match, so it is chosen before the regex and prefix locations)
location = /api/dz0r7a1u/platform/permission/home/deepSeek {
rewrite ^/api(/.*)$ $1 break; # strip the /api prefix
proxy_pass http://127.0.0.1; # no trailing slash: the rewritten path is forwarded unchanged
proxy_set_header Host "dev25.xxx-api.xxx.com.cn:80";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Keep the stream open for up to an hour without data from the back end
proxy_read_timeout 3600s;
# No buffering or caching, so events reach the client as soon as they are produced
proxy_buffering off;
proxy_cache off;
}
# Back-end static assets (regex location declared before the include, so it is tested before the common regex locations)
location ~ ^/(common|storage)/ {
proxy_pass http://127.0.0.1; # no trailing slash: the full path is forwarded unchanged
proxy_set_header Host "dev25.xxx-api.xxx.com.cn:80";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Shared security headers and static-file rules
include /usr/local/software/nginx1.24/conf/nginx-common.conf;
}
五、dev25.xxx-api.xxx.com.cn.conf
vim /usr/local/software/nginx1.24/conf/vhost/dev25.xxx-api.xxx.com.cn.conf
# Upstream group for the HTTP API back end (a single local server for now)
upstream ncsq_api {
server 127.0.0.1:10830;
# Idle keep-alive connections each worker may hold to this group; the proxying location must use
# proxy_http_version 1.1 and clear the Connection header for them to be reused
keepalive 256;
}
# Upstream group for the websocket back end
upstream ncsq_ws {
ip_hash; # pin each client IP to the same server; with a single server this has no effect until more are added
server 127.0.0.1:10831;
# Idle keep-alive connections each worker may hold to this group
keepalive 256;
}
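server {
# Plain-HTTP listener. The front-end vhost reaches this server over loopback with an explicit Host header.
listen 80;
# Access control: currently unrestricted.
# NOTE(review): if no external caller needs this host directly, "allow 127.0.0.1; deny all;" keeps the API
# reachable only through the TLS front end.
allow all;
# Response charset
charset utf-8;
# Host name
server_name dev25.xxx-api.xxx.com.cn;
# Document root. Paths not matched by a location below are served statically from here, so only
# public assets should live under public/.
root /www/siteng-2025/siteng2025-xxx-hyperf3.1/public;
# Default page
index index.php;
# Logs
access_log /www/log/nginx/dev25.xxx-api.xxx.com.cn.access.log main buffer=32k flush=5s;
error_log /www/log/nginx/dev25.xxx-api.xxx.com.cn.error.log warn;
# Static assets under /common/ and /storage/ are served from root only when the auth subrequest returns 2xx
location ~ ^/(common|storage)/ {
auth_request /auth;
}
# Authorization subrequest; "internal" means clients cannot request /auth themselves
location = /auth {
internal;
# Only consulted when proxy_pass contains variables; unused as written because the target is a literal address
resolver 223.5.5.5 223.6.6.6 183.60.83.19 180.76.76.76 122.112.208.1;
# Re-enters this server on loopback and is then relayed to ncsq_api by the API location below.
# NOTE(review): that public location forwards client headers unchanged, so Sign-Not-Verified-Key is not under
# nginx's exclusive control. Consider pointing this proxy_pass directly at the ncsq_api upstream and then clearing
# the header on the public path with: proxy_set_header Sign-Not-Verified-Key "";
proxy_pass http://127.0.0.1/dz0r7a1u/platform/storageAuth;
proxy_set_header Host $http_host;
proxy_set_header Sign-Not-Verified-Key "xxxxxxxxxxxx";
proxy_set_header Set-Cookie $http_cookie; # forwards the client's Cookie header under the name Set-Cookie
}
# HTTP API
location ~ ^/(dz0r7a1u|etp2gf9t)/ {
# HTTP/1.1 with an empty Connection header so upstream keepalive connections can be reused
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $http_host;
# NOTE(review): for requests relayed by the front-end vhost, $remote_addr is 127.0.0.1, so this overwrites the real
# client address. If the realip module is built in, "set_real_ip_from 127.0.0.1; real_ip_header X-Real-IP;" restores it.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Relay to the back end. The group name must match the upstream block above; the original referenced an
# undefined "xxx_api", which nginx would try (and fail) to resolve as a host name at startup.
proxy_pass http://ncsq_api;
}
# websocket
location /ud7mf3sy/ {
proxy_http_version 1.1;
proxy_set_header Upgrade "websocket";
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Drop the connection after 60 s without traffic in either direction
proxy_read_timeout 60s;
proxy_send_timeout 60s;
# Relay to the back end; must match the upstream block above (the original referenced an undefined "xxx_ws")
proxy_pass http://ncsq_ws;
}
}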
标签:
nginx1.24