nginx服务小结
1、nginx代理谷歌、维基等,这部分以谷歌为例,需要准备一个可以解析的域名以及该域名的https证书。注意:按下面的配置,任何能访问该域名的人都可以借此访问谷歌,生产环境应配合allow/deny或密码验证限制访问者。配置如下:
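server {
    # Reverse proxy that fronts www.google.com under our own hostname.
    # NOTE(review): nothing here restricts who may use it, so once reachable
    # this is an open relay to Google; add allow/deny or auth_basic before
    # exposing it outside a trusted network.
    # Listening port can be changed.
    listen 80;
    listen 443 ssl;
    # TLS 1.0/1.1 are deprecated (RFC 8996); offer only 1.2+ (1.3 needs an
    # nginx/OpenSSL build that supports it).
    ssl_protocols TLSv1.2 TLSv1.3;
    # Certificate name and path.
    ssl_certificate /etc/nginx/ssl/xxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxx.key;
    # Your domain.
    server_name xxx.xxx.com;

    # Search queries are sensitive: never relay them over plain HTTP.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    location / {
        client_max_body_size 100m;
        proxy_set_header Host "www.google.com";
        proxy_set_header User-Agent $http_user_agent;
        # Empty Connection header + HTTP/1.1 lets nginx keep upstream
        # connections alive.
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        # nginx does NOT verify upstream certificates by default; turn it on
        # and send SNI so the outbound leg cannot be silently intercepted.
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # adjust to your distro's CA bundle
        proxy_pass https://www.google.com;
    }
    # Logging is discarded on purpose here; be aware this also removes the
    # audit trail you would want for any abuse investigation.
    #access_log logs/xxx.log;
    access_log /dev/null;
}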
2、nginx代理S3
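server {
    # Serves an S3 bucket from our own hostname. Because the Authorization
    # header is stripped below, only objects readable by anonymous callers
    # will work; do not widen bucket permissions to "make it work".
    listen 80;
    listen 443 ssl;
    # TLS 1.0/1.1 are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/ssl/xxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxx.key;
    server_name www.xxx.com;

    location / {
        # Read-only relay: refuse anything but GET/HEAD so the proxy can never
        # be used to write to, list or delete from the bucket.
        limit_except GET HEAD {
            deny all;
        }
        client_max_body_size 10m;
        set $s3_bucket 's3name';
        add_header x-by "aws";
        proxy_http_version 1.1;
        # Host carries the bucket name (S3 CNAME-style virtual hosting).
        proxy_set_header Host $s3_bucket;
        # Never forward client credentials to S3.
        proxy_set_header Authorization '';
        # Hide AWS request identifiers and cookies from clients.
        proxy_hide_header x-amz-id-2;
        proxy_hide_header x-amz-request-id;
        proxy_hide_header Set-Cookie;
        proxy_ignore_headers "Set-Cookie";
        # Only populated when a proxy_cache is configured for this location.
        add_header X-Cached $upstream_cache_status;
        # Fetch over TLS and verify the S3 certificate; nginx leaves upstream
        # verification off unless told otherwise.
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # adjust to your distro's CA bundle
        proxy_pass https://s3name.s3.amazonaws.com;
    }
    #access_log logs/xxx.log;
    access_log /dev/null;
}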
3、针对一些需要上传,但客户端与后端之间速度很慢或经常断开的场景,可以使用nginx进行中转(nginx先把请求体完整缓存在本地再转发给后端),配置如下:
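server {
    # Upload relay: nginx buffers the whole request body locally
    # (proxy_request_buffering is on by default) and then forwards it, so a
    # slow or flaky link between this host and the backend does not stall
    # the client's upload.
    listen 80;
    listen 443 ssl;
    # TLS 1.0/1.1 are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/ssl/xxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxx.com.key;
    server_name xxx.xxx.com;

    # Uploaded content should not cross the wire in the clear.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    location / {
        client_max_body_size 100m;
        client_body_buffer_size 256k;
        # Bodies larger than the buffer spill to this directory. It must
        # exist and be writable by the worker user, and needs enough free
        # space for the concurrent uploads you expect (up to 100m each).
        # NOTE(review): /etc is not meant for spool data; a path under
        # /var/cache/nginx (pre-created) is the usual choice.
        client_body_temp_path /etc/nginx/proxy_temp;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Placeholder backend address; this hop is plain HTTP, so keep it on
        # a private network or switch to https:// with proxy_ssl_verify.
        proxy_pass http://1.1.1.1;
    }
    #access_log logs/xxx.log;
    access_log /dev/null;
}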
4、针对一些场景下,需要携带cookie的nginx转发,可以在nginx转发配置中加入以下内容
location / {
    # Rewrite the Domain attribute of upstream Set-Cookie headers from the
    # backend's hostname (domino_server) to the name clients use for nginx
    # (nginx_server); otherwise the browser rejects the cookie as foreign.
    proxy_cookie_domain domino_server nginx_server;
}
完整配置
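server {
    # Full example: proxy aaa.xxx.com:2505 under xxx.xxx.com and rewrite the
    # Domain attribute of its cookies so browsers keep them.
    # Listening port can be changed.
    listen 80;
    listen 443 ssl;
    # TLS 1.0/1.1 are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    # Certificate name and path.
    ssl_certificate /etc/nginx/ssl/xxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxx.key;
    # Your domain.
    server_name xxx.xxx.com;

    # Session cookies must not be relayed over plain HTTP.
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    location / {
        client_max_body_size 100m;
        proxy_set_header Host "aaa.xxx.com";
        proxy_set_header User-Agent $http_user_agent;
        # Empty Connection header + HTTP/1.1 enables upstream keepalive.
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        # The hop to the backend is plain HTTP; keep it on a trusted network.
        proxy_pass http://aaa.xxx.com:2505;
        # The backend sets cookies for its own name; rewrite them to ours.
        proxy_cookie_domain aaa.xxx.com xxx.xxx.com;
    }
    #access_log logs/xxx.log;
    access_log /dev/null;
}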
5、Nginx进行密码验证。因为有些web应用需要只给特定的人群访问,但本身又没有做密码验证,则可以通过nginx来进行密码验证。首先如下写入密码至验证文件(注意:nginx要求密码字段是crypt/apr1等哈希或{SHA}/{SSHA}形式,直接写明文不会通过验证):
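# Create the htpasswd-style credential file for nginx's auth_basic.
# nginx reads the password field as a crypt()/apr1 hash (or a
# {SHA}/{SSHA}/{PLAIN} scheme), so a bare password as the original wrote
# never matches. openssl prompts for the password and emits an apr1 hash;
# `htpasswd -B -c key/auth.key test` is the Apache-tools equivalent.
# The file must stay outside any document root and unreadable to others.
mkdir -p key
printf 'test:%s\n' "$(openssl passwd -apr1)" > key/auth.key
chmod 640 key/auth.key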
写入验证文件后,添加以下配置以完成密码验证步骤:
server {
    location / {
        # HTTP Basic auth in front of an app that has none of its own.
        # Credentials travel base64-encoded, not encrypted: only expose this
        # location over TLS.
        auth_basic "please input user&passwd";
        # A relative path resolves against nginx's --prefix directory.
        # Keep the file outside any document root, readable only by the
        # nginx user, with hashed (crypt/apr1/{SHA}) rather than plain
        # passwords.
        auth_basic_user_file key/auth.key;
    }
}
6、不允许使用IP或非nginx限定的域名访问web,可以使用以下方法跳转404(注意这只覆盖80端口;443端口需要另加一个带default_server的ssl server块,否则未知域名的https请求会由配置中第一个监听443的server响应)
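server {
    # Catch-all for requests that arrive by IP or by a hostname no other
    # server block claims. Without it nginx serves the first server block
    # defined for the port, exposing that site under any name.
    # `default_server` is the current spelling of the legacy `default` flag.
    listen 80 default_server;
    server_name _;
    return 404;
    # NOTE(review): this only covers port 80. Add a matching
    # `listen 443 ssl default_server;` block as well (with a throwaway cert,
    # or `ssl_reject_handshake on;` on nginx >= 1.19.4); otherwise the first
    # `listen 443 ssl` server still answers unknown names over HTTPS.
}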
6、针对国外的非阿里云服务器使用阿里云监控存在数据put不过来的问题,可以在香港部署一个代理站点。证书可以使用任意证书,但由于站点名是阿里云的域名,该证书不可能是公开可信的:需要让监控agent所在主机显式信任该证书,而不是全局关闭证书校验。配置如下:
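server {
    # Relay for the Alibaba Cloud monitoring endpoint, run from a region that
    # can reach it. The agents on the non-Alibaba hosts are presumably pointed
    # at this host (DNS/hosts override) instead of the real name; this host
    # itself must still resolve the name to the real endpoint or it loops.
    # NOTE(review): because the served name is Alibaba's, the certificate here
    # cannot be publicly valid for it - the agents must be made to trust it
    # explicitly. Do not "fix" that by disabling verification on the agents.
    listen 80;
    listen 443 ssl;
    # TLS 1.0/1.1 are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/ssl/xxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxx.key;
    server_name cms-cloudmonitor.aliyun.com;

    location / {
        # Only your own hosts should be able to push metrics through here;
        # fill in and enable:
        # allow <your-server-ip>;
        # deny all;
        client_max_body_size 100m;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Verify the real endpoint's certificate on the way out (off by
        # default in nginx) and send SNI so the right cert is presented.
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # adjust to your distro's CA bundle
        proxy_pass https://cms-cloudmonitor.aliyun.com;
    }
    #access_log logs/xxx.log;
    access_log /dev/null;
}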
7、nginx做负载均衡
# Backend pool for a.d.com.
# NOTE: the check* directives come from nginx_upstream_check_module (bundled
# in Tengine, a third-party module for stock nginx); without it `nginx -t`
# fails with "unknown directive".
upstream abc {
    # Weighted round-robin with both members weighted equally; a member is
    # skipped for fail_timeout after max_fails failures within that window.
    server 10.0.0.1:80 max_fails=2 fail_timeout=30s weight=10;
    server 10.0.0.2:80 max_fails=2 fail_timeout=30s weight=10;
    # Active health check: GET /monitor.html on port 90 every 3s (1s timeout);
    # 2 passes bring a member back, 5 failures take it out; 2xx/3xx = alive.
    check interval=3000 rise=2 fall=5 timeout=1000 type=http port=90;
    check_http_send "GET /monitor.html HTTP/1.0\r\n\r\n";
    check_http_expect_alive http_2xx http_3xx;
}
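server {
    # Front-end for the `abc` upstream pool.
    listen 80;
    listen 443 ssl;
    # TLS 1.0/1.1 are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/ssl/xxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxx.key;
    server_name a.d.com;

    location / {
        # root/index dropped: everything here is proxied, they were unused.
        # Let backends emit their own Location headers unchanged.
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Deliberately $remote_addr rather than $proxy_add_x_forwarded_for:
        # this is the edge, so any client-supplied X-Forwarded-For is
        # discarded instead of being forwarded for the backend to trust.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://abc;

        # Health-check status page from nginx_upstream_check_module; it
        # reveals backend addresses, so keep it private-network only.
        location /status {
            check_status;
            access_log off;
            allow 10.0.0.0/8;
            deny all;
        }
    }
}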
8、针对nginx反代中proxy_pass后的域名解析变化后造成站点5xx的问题,可以通过增加resolver+DNS服务器解决,这样可以使其遵守域名的TTL。注意:只有proxy_pass的目标以变量形式给出时resolver才会生效;直接写死域名(或IP)的proxy_pass只在启动时解析一次,此后不再变化。
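server {
    # Re-resolve the backend name at request time, honouring the record's
    # TTL, so a DNS change does not leave this proxy sending traffic to a
    # stale address (and answering 5xx) until the next reload.
    # NOTE(review): resolver only takes effect when proxy_pass's host comes
    # from a variable; a literal hostname (or an IP, as the original example
    # used) is resolved once at startup and never again. Prefer a resolver
    # you control - plain UDP DNS to a public resolver is unauthenticated.
    resolver 114.114.114.114;
    listen 80;
    server_name www.aaa.com;

    location / {
        client_max_body_size 100m;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Backend hostname placeholder; routing through a variable is what
        # makes nginx consult the resolver per request.
        set $backend "backend.aaa.com";
        proxy_pass http://$backend;
    }
    #access_log logs/xxx.log;
    access_log /dev/null;
}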
9、带ssl的websocket可以用以下方法实现:
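server {
    # WebSocket endpoint terminated with TLS (wss://) and proxied to a plain
    # ws backend.
    listen 8888 ssl;
    # TLS 1.0/1.1 are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/ssl/xxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxxx.key;
    server_name xxx.comfun.com;

    location / {
        proxy_buffer_size 64k;
        proxy_buffers 32 32k;
        proxy_busy_buffers_size 128k;
        client_max_body_size 100m;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Placeholder backend address (plain ws on the inside).
        proxy_pass http://1.1.1.1:9999;
        # The Upgrade handshake needs HTTP/1.1 and a hop-by-hop Connection
        # header. This forces "Connection: upgrade" on every request through
        # this location, plain HTTP ones included; the nginx-documented
        # alternative maps $http_upgrade to a $connection_upgrade variable
        # at http level.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # An idle WebSocket is closed once proxy_read_timeout (60s by default)
        # passes without data; raise it, or have the app send periodic pings.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
    #access_log logs/xxx.log;
    access_log /dev/null;
}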
10、针对http请求体超过缓冲区大小的问题,可以在单个server配置里设置client_max_body_size和client_body_buffer_size,从而不影响全局nginx配置:
server {
    listen 80;
    server_name xxx.xxx.com;

    location / {
        # Per-location override of the body limits so the global http{}
        # values stay untouched for every other site.
        client_max_body_size 100m;
        # NOTE(review): matching the buffer to the max body keeps bodies in
        # RAM instead of spilling to client_body_temp_path, but each in-flight
        # request may then hold up to 100m of memory; size it to the
        # concurrency you expect.
        client_body_buffer_size 100m;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.1.10;
    }
    #access_log logs/xxx.log;
    #error_log logs/xxx.log;
}