Nginx

安装

http://nginx.org/en/linux_packages.html
http://nginx.org/en/linux_packages.html#RHEL-CentOS

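sudo yum install yum-utils
# Create the yum repository definition ("//" is not a shell comment and would be run as a command)
sudo vim /etc/yum.repos.d/nginx.repo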

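# Official nginx.org package repositories for RHEL/CentOS.
# gpgcheck=1 verifies package signatures against gpgkey, but it does not cover
# the repository metadata, so baseurl uses HTTPS rather than plain HTTP.
# On first install yum asks to import the signing key: compare the fingerprint
# it shows with the one published on nginx.org/en/linux_packages.html.
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

# Mainline packages; disabled unless explicitly enabled.
[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true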

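# The stable repo is the default. Optional: run this only to switch to the newest (mainline) packages.
sudo yum-config-manager --enable nginx-mainline

# Install nginx
sudo yum install nginx

# Check the installed version
nginx -v
# Show the install paths
whereis nginx
# List the nginx processes
ps -ef | grep nginx
# Fast shutdown
nginx -s stop
# Graceful shutdown: wait until in-flight requests have been served
nginx -s quit
# Validate the configuration first; reload only when the check passes,
# so a broken or half-edited config is never applied to the running server
nginx -t && nginx -s reload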

docker

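#!/bin/bash
# Run the official nginx image, publish port 80 and load site configs from the host.
# The config directory is mounted read-only (:ro) so a process inside the
# container cannot rewrite the configuration stored on the host.
# NOTE(review): nginx:1.21.6 is a fixed tag; confirm it still receives security
# fixes, or pin a currently supported release.
docker run \
-d \
-p 80:80 \
--name=nginx \
--restart=always \
-v ~/nginx/conf.d:/etc/nginx/conf.d:ro \
nginx:1.21.6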

配置负载均衡

  • 轮询-默认
# Round-robin (the default when no balancing method is named): requests are
# handed to the listed servers in turn.
upstream myapp1 {
    server srv1.example.com;
    server srv2.example.com;
}
server {
    listen 80;
    location / {
        # Requests are forwarded to the upstream group over plain HTTP.
        # NOTE(review): keep that hop on a trusted network, or proxy to https:// upstreams.
        proxy_pass http://myapp1;
    }
}
  • session保持
upstream myapp1 {
    # Session persistence: the client address is the hash key, so the same
    # client keeps reaching the same server.
    # NOTE(review): clients behind a shared NAT, or behind another proxy/CDN in
    # front of nginx, present one address and will all land on one server.
    ip_hash;
    server srv1.example.com;
    server srv2.example.com;
}
  • 按权重分配
upstream myapp1 {
    # Weighted round-robin: servers without a weight default to 1, so srv1
    # receives three of every five requests.
    server srv1.example.com weight=3;
    server srv2.example.com;
    server srv3.example.com;
}
  • 最少连接-请求优先分配给不太繁忙的服务器
upstream myapp1 {
    # Least connections: a new request goes to the server with the fewest
    # active connections, i.e. the least busy one.
    least_conn;
    server srv1.example.com;
    server srv2.example.com;
    server srv3.example.com;
}

配置HTTPS

  1. 安装 https://github.com/acmesh-official/get.acme.sh
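# Save the installer to a file and read it before running it, instead of
# piping the download straight into a shell: a piped script runs unreviewed,
# and a truncated download can be executed half-way.
curl -fsSL https://get.acme.sh -o get-acme.sh
# or: wget -O get-acme.sh https://get.acme.sh
less get-acme.sh
sh get-acme.sh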
  1. 生成证书 https://github.com/acmesh-official/acme.sh/wiki/说明
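# Issue a certificate using acme.sh's nginx mode.
# The wildcard is quoted so the shell cannot glob-expand it against local files.
# NOTE(review): wildcard names are normally validated over DNS only, so this
# HTTP-based --nginx request is expected to be refused for *.onlypasser.com;
# use a DNS-mode request for the wildcard name.
acme.sh --issue  \
-d onlypasser.com \
-d '*.onlypasser.com' \
--nginx

# Remove the certificate from acme.sh's managed list. This does not revoke it:
# if the private key may have been exposed, revoke with `acme.sh --revoke -d <domain>`.
acme.sh  --remove  -d onlypasser.com
# List the certificates acme.sh manages
acme.sh --list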
  1. 验证 添加dns记录 https://github.com/acmesh-official/acme.sh#3-install-the-issued-cert-to-apachenginx-etc
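# Issue via manual DNS validation: acme.sh prints the TXT records that must be
# added at the DNS provider. The wildcard is quoted so the shell cannot expand it.
# NOTE(review): manual DNS mode cannot renew unattended; acme.sh's DNS API mode
# creates the TXT records itself and is the safer choice for a long-lived setup,
# because an expired certificate is otherwise one missed manual step away.
acme.sh --issue \
-d onlypasser.com \
-d '*.onlypasser.com' \
--dns  \
--yes-I-know-dns-manual-mode-enough-go-ahead-please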
  1. 重新生成证书
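# Re-run the request once the TXT records exist (in manual DNS mode this is the
# step that completes validation). The wildcard is quoted so the shell cannot expand it.
acme.sh --renew \
-d onlypasser.com \
-d '*.onlypasser.com' \
--yes-I-know-dns-manual-mode-enough-go-ahead-please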
  1. copy/安装证书
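# Create the target directory accessible to root only, so the private key is
# not readable by other local users (nginx loads it before dropping privileges).
install -d -m 700 /etc/nginx/ssl
# Copy the key and the full chain to where nginx reads them; acme.sh stores
# --reloadcmd and runs it again after each renewal.
acme.sh --install-cert \
-d onlypasser.com \
--key-file       /etc/nginx/ssl/onlypasser.com.key \
--fullchain-file /etc/nginx/ssl/onlypasser.com.cer \
--reloadcmd     "service nginx force-reload"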
  1. nginx配置SSL,记得防火墙开通443端口 service nginx force-reload
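# Backend application served behind this virtual host.
upstream mmall {
    server 127.0.0.1:8080;
}

# HTTPS virtual host. Port 80 is not listened on here: the separate port-80
# server block for the same names does the redirect, and declaring the same
# server_name on port 80 twice makes nginx ignore the later block.
server {
    # "listen ... ssl" enables TLS for this socket; the obsolete "ssl on;" directive is not needed.
    listen       443 ssl;
    # Directory listings stay off so file names under the web roots are not disclosed.
    autoindex off;
    server_name www.onlypasser.com onlypasser.com;
    access_log /var/log/nginx/host.access.log combined;
    index index.html index.htm;

    ssl_certificate      /etc/nginx/ssl/onlypasser.com.cer;
    ssl_certificate_key  /etc/nginx/ssl/onlypasser.com.key;

    # TLS 1.0 and 1.1 are deprecated and removed here. TLSv1.3 is supported from
    # nginx 1.13.0 on (it also needs an OpenSSL build with TLS 1.3 support).
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE key exchange only: the 3DES suites and the static-RSA key exchange
    # suites (no forward secrecy) from the earlier list are dropped.
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;

    # Session cache so returning clients can resume instead of doing a full handshake.
    ssl_session_cache builtin:1000 shared:SSL:10m;

    # OCSP stapling: nginx fetches and caches the certificate's revocation
    # status and sends it in the handshake.
    # NOTE(review): stapling needs a `resolver` directive to reach the OCSP
    # responder, and verification needs the issuer chain (ssl_trusted_certificate
    # when it is not already in ssl_certificate); check the error log for
    # stapling warnings after reload.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Coarse filter that rejects query strings containing ; ' < or >.
    # It only sees these characters literally in the raw query string, so treat
    # it as defence in depth: the application must still validate input, use
    # parameterised queries and encode output.
    if ( $query_string ~* ".*[\;'\<\>].*" ){
        return 404;
    }

    # Static front-end files.
    location = / {
        root /home/mmall_home/dist/view;
        index index.html;
    }

    location ~ .*\.html$ {
        root /home/mmall_home/dist/view;
        index index.html;
    }

    # Everything else goes to the backend.
    location / {
        proxy_pass http://mmall;
    }

}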
# Redirect every plain-HTTP request to the HTTPS site.
# NOTE(review): this block is only used if no earlier server block also listens
# on port 80 for the same server_name.
server {
    listen 80;
    server_name www.onlypasser.com onlypasser.com;
    # $request_uri already carries the original path and query string.
    return 301 https://$server_name$request_uri;
}

反向代理配置去除前缀

  • 加“/”
# Strip the /user prefix by giving proxy_pass a trailing "/".
server {
    listen              80;
    server_name         abc.com;

    location ^~/user/ {
        proxy_set_header Host $host;
        proxy_set_header  X-Real-IP        $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
        # value the client sent, so the backend should trust only the entry added
        # here (the last one), not the earlier, client-controlled ones.
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        # ^~/user/ matches requests whose path starts with /user/. Because proxy_pass ends with "/",
        # the part of the path after /user/ is appended to it, i.e. the /user prefix is removed.
        proxy_pass http://user/;
    }
}
  • rewrite
# Strip the /user prefix with an explicit rewrite instead of a trailing "/".
server {
    listen              80;
    server_name  abc.com;

    location ^~/user/ {
        proxy_set_header Host $host;
        proxy_set_header  X-Real-IP        $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
        # value the client sent, so the backend should trust only the entry added
        # here (the last one), not the earlier, client-controlled ones.
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        # proxy_pass has no trailing "/" here; the rewrite rule changes the URI instead.
        rewrite ^/user/(.*)$ /$1 break;
        proxy_pass http://user;
    }
}