nginx 教程
安装nginx
// 一键安装脚本wget http://nginx.org/download/nginx-1.12.2.tar.gz && tar zxvf nginx-1.12.2.tar.gz && cd nginx-1.12.2 && ./configure && make && make install && ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx//ubuntusudo apt-get update//install nginxsudo apt-get install nginx//start nginxsudo systemctl start nginx//enable Nginx to start automatically at boot timesudo systemctl enable nginx
常用命令
启动:nginx重载加载配置:nginx -s reload//查看nginx监听的端口是否存在netstat -tlnup|grep nginx关闭nginx服务器pkill -9 nginx
配置文件
vim /usr/local/nginx/conf/nginx.confvim /usr/local/nginx/conf/vhost/www.movingbox.cn.conf
location / {proxy_pass http://127.0.0.1:3100;proxy_http_version 1.1;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto https;proxy_connect_timeout 300; #注意这里几个配置决定了API的timeout时间proxy_send_timeout 300;proxy_read_timeout 300;send_timeout 300;}location /demo/ {proxy_pass http://127.0.0.1:3101;proxy_http_version 1.1;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto https;}
hide etag
server {listen 80;listen 443 ssl http2;proxy_hide_header etag;add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;}
mac linux
// 使用brew下载nginxbrew install nginx// nginx地址/usr/local/etc/nginx// 查看nginx配置有木有生效//Locate the nginx.conf file my nginx is actually usingnginx -t// 查看nginx所有的配置nginx -T
Ngnix Location的匹配顺序
对于每个请求来说,nginx 会选择最匹配的一个 location 来处理这个请求,nginx 其实就是通过对比这些 location 规则来选择一个 location,对比的顺序可以总结为:1.首先匹配前缀匹配(没有 RE 表达式),针对当前这个请求,每个前缀匹配都匹配一遍.2.搜索=匹配,如果当前请求匹配上了,搜索将会停止,直接使用这个这个 location.3.如果第二步没有匹配上,nginx 会按照如下步骤继续搜索最长前缀匹配:3.1 如果最长前缀匹配有^~这个modifier,nginx 会停止搜索并直接使用这个 location.3.2 如果没有使用 ^~,暂存这个 location并且继续搜索.4.只要最长前缀匹配被暂存和选中,nginx 就会看当前的 location 是否有大小写敏感的 RE(~和~*),第一个匹配上这种会被当做有效的 location来处理这个请求.5.如果没有 RE 的 location 匹配上,前面暂存的 location 就会被选中来处理这个请求.
举例
修饰符= :精确匹配(必须全部相等)~ :大小写敏感(正则表达式)~* :忽略大小写(正则表达式),这里要注意忽略大小写的意思是请求的字符大小写都可以,但是不会进行大小转换,请求的大小写对应的文件必须存在。^~ :只需匹配uri部分@ :内部服务跳转location = / {# 只处理请求 /.}location / {# 匹配任何请求,因为所有请求都是以"/"开始# 但是更长字符匹配或者正则表达式匹配会优先匹配[ configuration B ]}location /data/ {# 所有以 /data/ 匹配,但是还会继续搜索.# 如果没有其他 location 匹配上,就用这个处理请求.}location ^~ /img/ {# 所有以 /img/ 开头的请求并且会停止搜索.}location ~* .(png|gif|ico|jpg|jpeg)$ {# 以png, gif, ico, jpg ,jpeg结尾的请求.# 如果请求是到 /img/ 路径的话 还是会被上面👆的 location 处理}如何防止图片盗链:location ~ .(png|gif|jpe?g)$ {valid_referers none blocked yourwebsite.io *.yourwebsite.io;if ($invalid_referer) {return 403;}}在可写权限的目录禁止脚本:location ~* /(media|images|cache|tmp|logs)/.*.(php|jsp|pl|py|asp|cgi|sh)$ {return 403;}
Redirecting from a Former Name to the Current Name
server {listen 80;listen 443 ssl;server_name www.old-name.com old-name.com;return 301 $scheme://www.new-name.com$request_uri;}
Forcing all Requests to Use SSL/TLS
server {listen 80;server_name www.domain.com;return 301 https://www.domain.com$request_uri;}
一个简单的 302 案例
rewrite ^/oldlocation$ http://www.newdomain.com/newlocation redirect;
一个简单的 301 案例
rewrite ^/oldlocation$ http://www.newdomain.com/newlocation permanent;eg: joinplastic.com 跳转配置rewrite ^/products/palletBox/palletBox.php$ https://www.joinplastic.com/product-category/pallet-box/ permanent;rewrite ^/products/foldableBox/foldablePlasticCrates.php$ https://www.joinplastic.com/product-category/folding-crate/ permanent;rewrite ^/products/pallets/pallet.php$ https://www.pallet-wholesale.com/plastic-pallets/ permanent;rewrite ^/products/attached-lid-containers/attached-lid-containers.php$ https://www.plastic-crates.com/product-category/totes-with-lids/ permanent;rewrite ^/products/stackableBox/stackableBox.php$ https://www.joinplastic.com/product-category/plastic-stacking-crates/ permanent;
如果有花括号(量词),需要用双引号或者单引号将表达式包起来
Curly braces are used both in regex and for block control, you must enclose your regex with quotes (single or double)
location ~* "^/.{16,22}[^/]$" {return 301 https://www.ausplastic.com;}
部署react 项目,直接访问二级路由回报 404 错误, 需要加上配置
location / {try_files $uri /index.html;}
nginx 配置 react 前端项目
server {listen 80;listen [::]:80;listen 443 ssl http2;listen [::]:443 ssl http2;ssl_certificate /usr/local/nginx/conf/ssl/www.movingbox.cn.crt;ssl_certificate_key /usr/local/nginx/conf/ssl/www.movingbox.cn.key;ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;ssl_prefer_server_ciphers on;ssl_session_timeout 10m;ssl_session_cache builtin:1000 shared:SSL:10m;ssl_buffer_size 1400;add_header Strict-Transport-Security max-age=15768000;ssl_stapling on;ssl_stapling_verify on;server_name www.movingbox.cn movingbox.cn;access_log /data/wwwlogs/www.movingbox.cn_nginx.log combined;index index.html index.htm index.php;# 注意这里,react 生成的前端根目录在public下# 但由于要 lets encrypt 自动申请证书成功,不能直接在这里指向/publicroot /data/wwwroot/www.movingbox.cn;if ($ssl_protocol = "") { return 301 https://$host$request_uri; }if ($host != www.movingbox.cn) { return 301 $scheme://www.movingbox.cn$request_uri; }include /usr/local/nginx/conf/rewrite/none.conf;#error_page 404 /404.html;#error_page 502 /502.html;location ~ [^/]\.php(/|$) {#fastcgi_pass remote_php_ip:9000;fastcgi_pass unix:/dev/shm/php-cgi.sock;fastcgi_index index.php;include fastcgi.conf;}location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {deny all;}# 注意这里,配置lets encrypt 自动申请证书location ^~ /.well-known/acme-challenge/ {default_type "text/plain";root /data/wwwroot/www.movingbox.cn/;}location /{root /data/wwwroot/www.movingbox.cn/public/;try_files $uri $uri/index.html =404;# 注意这里,路由没有找到 返回404 code;# 交给前端 404.html 页面;error_page 404 /404.html;}# 注意这里,配置图片的参数如 expires, 同时要指定 root 目录,# 因为匹配到此条规则,就不会用上条规则的 root,# 而是会用默认的 server 下的 root,即 root /data/wwwroot/www.movingbox.cn;location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {root /data/wwwroot/www.movingbox.cn/public/;expires 30d;access_log off;}# 注意这里,配置js\css 文件同上面一样, 同时要指定 root 目录,location ~ .*\.(js|css)?$ {root /data/wwwroot/www.movingbox.cn/public/;expires 7d;access_log off;}}
利用nginx 做负载均衡 load balancer
参考 https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#overview
upstream my_http_servers {server 127.0.0.1:444; # httpServer1 listens to port 444server 127.0.0.1:445; # httpServer2 listens to port 445server 127.0.0.1:446; # httpServer3 listens to port 446server 127.0.0.1:447; # httpServer4 listens to port 447}server {listen 80;server_name your-domain.com www.your-domain.com;location / {proxy_set_header X-Real-IP $remote_addr;proxy_set_header Host $http_host;proxy_pass http://my_http_servers;}}// my_http_servers 为自定义的名称// proxy_pass http://my_http_servers; 注意 my_http_servers 前要有 http://// server 可以为本地ip,也可以为 其他ip 如: server 54.218.*8.*4:28000;
Choosing a Load-Balancing Method
//Round Robinupstream backend {# no load balancing method is specified for Round Robinserver backend1.example.com;server backend2.example.com;}//Least Connections – A request is sent to the server with the least number of active connections, again with server weights taken into considerationupstream backend {least_conn;server backend1.example.com;server backend2.example.com;}
多个位置用到 反向代理的 地址,可以将其放到 upstream 里面
upstream my-backend {localhost:9000;}server {listen 80;server_name my-awesome-php.site;root /path/to/root;# The protected locationlocation /protected {auth_basic "Give me codes.";auth_basic_user_file /path/to/.htpasswd;location ~ \.php$ {include fastcgi.conf;fastcgi_pass my-backend;}}# Normal files (blank location is OK, just means serve from root)location / {}# PHP for normal stufflocation ~ \.php$ {include fastcgi.conf;fastcgi_pass my-backend;}}
为一个域名配置 nginx 服务器
创建配置文件
配置文件通常在
/etc/nginx/sites-enabled
/etc/nginx/sites-available
下,以 your_domain.conf 命名
for example:
server {listen 80;server_name example.com www.example.com;root /var/www/example.com;}
创建网站根目录
根据配置文件里面指定的 root,创建网站根目录及入口文件 如: vim /var/www/example.com/index.html
<html><head><title>Welcome to example.com!</title></head><body><h1>Hello, world!</h1></body></html>
重启nginx 服务,使配置生效
sudo systemctl restart nginx
为域名添加安全证书
Secure Nginx with Let's Encrypt on Ubuntu 20.04
Step 1 — Installing Certbot
sudo apt install certbot python3-certbot-nginx
Step 2 — Confirming Nginx’s Configuration
Certbot needs to be able to find the correct server block in your Nginx configuration for it to be able to automatically configure SSL. Specifically, it does this by looking for a server_name directive that matches the domain you request a certificate for.
Step 3 — Allowing HTTPS Through the Firewall/云服务的安全组端口配置
要开放80,443 端口访问
Step 4 — Obtaining an SSL Certificate
sudo certbot --nginx -d example.com -d www.example.com
Step 5 — Verifying Certbot Auto-Renewal
sudo systemctl status certbot.timer
To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run
nginx 配置 for v2ray
server{listen 443 ssl; # 监听 SSL/TLS 连接location /yourpath/trojan {proxy_pass http://127.0.0.1:10000; # 10000为v2ray 的运行端口#页面访问 v2ray 路径时,会直接返回 Bad request, 下面设置自定义返回页面proxy_intercept_errors on;error_page 400 = https://name.yourdomain/;# 代理 WebSocket 连接proxy_http_version 1.1;# the "Upgrade" header switch the protocol from HTTP to another protocol, such as WebSocketproxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "upgrade";proxy_read_timeout 600s;# 传递客户端 IP 地址proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}# ...}//配置 v2ray 错误页(400 badrequest),也就是前端页面访问时到达的页面// 可以自定义一个网址// 也可以自定义到本地某个html页面proxy_intercept_errors on;# error_page 400 = https://www.bing.com;error_page 400 =200 /index.html;location =/index.html {root /data/wwwroot/xxx.com;}