# Number of worker processes.
worker_processes 4;
# One CPU bitmask per worker: pins the four workers to CPUs 0, 1, 2 and 3.
worker_cpu_affinity 0001 0010 0100 1000;
# Upper limit on the number of file descriptors a worker process may have open.
worker_rlimit_nofile 65535;
events {
    # Connection processing method: Linux epoll.
    use epoll;
    # Maximum number of simultaneous connections one worker may hold open.
    # The count covers every connection of the worker (FastCGI upstream
    # connections included), not only client connections.
    worker_connections 65535;
}
http {
# MIME type table; a file whose extension is not listed is sent as
# application/octet-stream.
include mime.types;
default_type application/octet-stream;

# Do not reveal the nginx version in the Server header and on error pages.
server_tokens off;

# Transmission: sendfile() for static files, TCP_CORK (tcp_nopush) so headers
# and the start of the file go out together, TCP_NODELAY on kept-alive
# connections.
sendfile on;
tcp_nopush on;
tcp_nodelay on;

# Timeouts, in seconds. Short header/body timeouts bound how long a slow or
# idle client can keep a connection occupied.
# Idle keep-alive connections are closed after this long.
keepalive_timeout 60;
# Maximum gap between two successive writes of a response to the client.
send_timeout 10;
# Maximum gap between two successive reads of the request body.
client_body_timeout 10;
# Time allowed for reading the request header.
client_header_timeout 15;
# Reset connections that timed out so their memory is released at once.
reset_timedout_connection on;

# Request size limits.
# Buffer for the request header; 1k is enough for most requests.
client_header_buffer_size 1k;
# Largest accepted request body (upload size limit).
client_max_body_size 10m;

# Cache of open file descriptors and file metadata.
open_file_cache max=65535 inactive=20s;
# How often cached entries are re-validated.
open_file_cache_valid 30s;
# Minimum number of uses within the inactive period for an entry to stay cached.
open_file_cache_min_uses 1;
# FastCGI tuning for the link between nginx and PHP.

# On-disk locations: temporary files for large responses, and the response
# cache (zone "ngx_fcgi_cache", 512m of keys, entries dropped after one day
# without access, at most 40g on disk).
# NOTE(review): cached responses are stored as files under this path; confirm
# that the directory is accessible only to the nginx worker user.
fastcgi_temp_path /nginx/ngx_fcgi_tmp;
fastcgi_cache_path /nginx/ngx_fcgi_cache levels=2:2 keys_zone=ngx_fcgi_cache:512m inactive=1d max_size=40g;

# Timeouts, in seconds, for connecting to the FastCGI server, sending the
# request to it and reading its response. The nginx documentation notes that
# the connect timeout usually cannot exceed 75 seconds.
fastcgi_connect_timeout 240;
fastcgi_send_timeout 240;
fastcgi_read_timeout 240;

# Buffers used for reading the FastCGI response.
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
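# Client address for the "realip" field of the JSON access log: the first
# entry of X-Forwarded-For when the header starts with an IPv4-looking value,
# otherwise the TCP peer address.
# X-Forwarded-For is chosen by the client unless a trusted proxy in front of
# nginx overwrites it, so $clientRealIp is informational only; use
# $remote_addr wherever an address is used for an access decision.
map $http_x_forwarded_for $clientRealIp {
    # Header present but not starting with digits and dots (IPv6, "unknown",
    # ...): fall back to the peer address instead of logging an empty value.
    default $remote_addr;
    # Header absent.
    "" $remote_addr;
    # First comma-separated entry of the header.
    ~^(?P<firstAddr>[0-9\.]+),?.*$ $firstAddr;
}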
# Helper variables declared for the JSON log format. Each map has only a
# default entry, so the variable has the same value for every $host.
# NOTE(review): none of the three is referenced in the part of the
# configuration shown here; confirm they are still needed.
map $host $resp_body { default ""; }
map $host $loggable { default 1; }
map $host $request_body_sub { default ""; }
# ---- Access log format ----
# "json": one JSON object per request. escape=json makes nginx JSON-escape the
# variable values; "status" is written unquoted, i.e. as a number.
# NOTE(review): "req_body" ($request_body) and "cookie" ($http_cookie) put
# submitted form data (which can include passwords) and session cookies into
# the access log. Anyone who can read the log files or the system they are
# shipped to can read those values. Drop or mask these two fields unless they
# are required, and restrict access to the logs accordingly.
# "realip" comes from the X-Forwarded-For header and can be set by the client;
# "remote_addr" is the address of the TCP peer.
log_format json escape=json '{"@timestamp":"$time_iso8601",'
'"time":"$time_iso8601",'
'"realip":"$clientRealIp",'
'"host":"$http_host",'
'"request":"$request",'
'"status":$status,'
'"req_body":"$request_body",'
'"cookie":"$http_cookie",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"body_bytes_sent":"$body_bytes_sent",'
'"request_time":"$request_time",'
'"request_method":"$request_method",'
'"uri":"$uri",'
'"http_referrer":"$http_referer",'
'"xff":"$http_x_forwarded_for",'
'"ups_status":"$upstream_status",'
'"ups_addr":"$upstream_addr",'
'"ups_time":"$upstream_response_time",'
'"http_user_agent":"$http_user_agent"'
'}';
# ---- gzip response compression ----
gzip on;
# Compress only for requests using HTTP/1.1 or later.
gzip_http_version 1.1;
# Responses shorter than this (by Content-Length) are sent uncompressed.
gzip_min_length 1k;
# Highest compression level; it also costs the most CPU per response.
gzip_comp_level 9;
gzip_buffers 4 32k;
# MIME types compressed in addition to text/html, which is always compressed.
gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php;
# Send "Vary: Accept-Encoding" so caches keep both variants apart.
gzip_vary on;
# No compression for Internet Explorer 1 to 6.
gzip_disable "MSIE [1-6]\.";
server {
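# Plain-HTTP listener.
listen 80;
# Requests whose Host header matches this name are handled by this server block.
server_name www.kubernetes-devops.cn;
# Document root.
root /usr/share/nginx/html;
# Directory index candidates, tried in order: index.html, then index.php.
index index.html index.php;
# Error log, messages of level "warn" and above.
error_log logs/error.log warn;
# The format name has to be one declared with log_format; the http block
# declares it as "json" (a name such as "json_log" is not declared and nginx
# refuses to start with an unknown log format).
access_log logs/access.log json;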
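# Security-related response headers.
# "always" attaches each header to every response. Without it add_header only
# applies to a fixed set of success and redirect codes, so the 403/404/405
# answers generated by this server would go out without the headers.
# Forbid framing by other origins (clickjacking protection).
add_header X-Frame-Options SAMEORIGIN always;
# Stop browsers from guessing a content type different from the declared one.
add_header X-Content-Type-Options nosniff always;
# Legacy XSS filter switch; current browsers ignore it.
add_header X-XSS-Protection "1; mode=block" always;
# NOTE(review): browsers honour HSTS only when it arrives over HTTPS. This
# server listens on port 80 only, so the header has an effect only if TLS is
# terminated in front of nginx; confirm.
add_header strict-transport-security "max-age=31536000; includeSubDomains" always;
# Do not pass the X-Powered-By header from PHP on to the client.
fastcgi_hide_header X-Powered-By;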
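# Allow only the listed request methods; every other method is answered 405.
# The method name is OPTIONS (with the trailing S); the pattern is anchored,
# so a misspelt name would reject real OPTIONS requests such as CORS preflights.
if ($request_method !~ ^(GET|POST|HEAD|OPTIONS)$) {
    return 405;
}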
# Answer 403 when the User-Agent contains "pytho"/"python", "curl" or "wget"
# (case-insensitive match).
# The User-Agent header is chosen by the client, so this only filters tools
# running with their default settings; it is not an access control.
if ($http_user_agent ~* (pytho[n]?|curl|wget)) {
    return 403;
}
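# Block direct external requests to /index.php as a guard against ThinkPHP exploit attempts (rule currently commented out)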
#if ($request_uri ~* ^/index\.php) {
# return 405;
#}
# Deny every URI that contains a path component starting with a dot, for
# example /.git/ or /.env (hidden files and directories).
# nginx matches locations against the normalized URI, so "../" sequences have
# already been resolved by the time this rule is evaluated.
# This also covers /.well-known/; add an explicit exception above this block
# if that path has to be served.
location ~ /\. {
    deny all;
}
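# PHP files below /upload/ or /uploads/ are never executed (defence against
# uploaded scripts); such requests are answered 404.
# The pattern ends in (/|$) rather than $ so that it also covers a ".php" name
# followed by a PATH_INFO segment, which the PHP handler accepts as well.
# Regex locations are tried in the order they appear, so this block has to
# stay above the PHP handler.
location ~* /upload[s]?/.*\.php(/|$) {
    return 404;
}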
# Static assets: serve the file if it exists, otherwise answer 404, and keep
# these requests out of the access log.
location ~* \.(map|gif|jpg|png|css|js|ico|swf|pdf|apk|exe|eot|otf|ttf|woff|woff2)$ {
    access_log off;
    try_files $uri =404;
}
# Exact match for the favicon: same handling as the static assets, and an
# exact-match location is selected before any regex location is tried.
location = /favicon.ico {
    access_log off;
    try_files $uri =404;
}
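# Front-controller routing: a request that matches no existing file or
# directory is rewritten to /index.php with the original path in the "s"
# query argument.
# The block is closed directly after the rewrite so that the brace pairs of
# the enclosing server and http blocks balance.
location / {
    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php?s=$1 last; break;
    }
}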
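# PHP handler: pass requests for a ".php" script, optionally followed by a
# /path-info segment, to PHP-FPM on 127.0.0.1:9000.
# The dots are escaped so that only a literal ".php" matches; an unescaped "."
# matches any character, which would also send unrelated URIs to PHP.
location ~ \.php(/|$) {
    # Split "/script.php/extra" into $fastcgi_script_name and $fastcgi_path_info.
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # Hand only scripts that exist under the document root to PHP-FPM, so a
    # non-PHP file cannot be executed through a ".php" suffix added to its URI.
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    # One parameter file is enough: the stock fastcgi.conf is fastcgi_params
    # plus SCRIPT_FILENAME, so including both sends every parameter twice.
    # NOTE(review): if the local fastcgi.conf carries additions of its own,
    # move them here.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;

    # Response cache, stored in the "ngx_fcgi_cache" zone.
    fastcgi_cache ngx_fcgi_cache;
    # The key contains the request method so that a body-less HEAD response
    # cannot be stored and later served for a GET of the same URL.
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
    fastcgi_cache_valid 200 302 1h;
    fastcgi_cache_valid 301 1d;
    fastcgi_cache_valid any 1m;
    fastcgi_cache_min_uses 1;
    # Serve a stale entry when PHP-FPM fails, times out or answers 500.
    fastcgi_cache_use_stale error timeout invalid_header http_500;
    # NOTE(review): the key does not depend on request cookies. A page built
    # for a logged-in user is cached and served to other clients unless the
    # application answers with Set-Cookie or with Cache-Control/Expires
    # headers that forbid caching. Confirm that it does, or exclude such
    # requests with fastcgi_no_cache and fastcgi_cache_bypass keyed on the
    # session cookie ($cookie_<SESSION_COOKIE_NAME>).
}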
}
}