Nginx配置文件详解
全局配置
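# ---- main (global) context ----
# Run worker processes as the unprivileged nginx user and group
user nginx nginx;
# Detach as a daemon (default on); use off when a supervisor such as systemd or a container runtime manages the process
daemon on;
# Number of worker processes; a number, or auto for one per CPU core
worker_processes auto;
# Pin workers to CPU cores. Was "0": an all-zero mask selects no CPU, so the setting cannot take effect;
# auto lets nginx assign one core per worker
worker_cpu_affinity auto;
# Error log path and minimum level: debug | info | notice | warn | error | crit | alert | emerg
error_log logs/error.log error;
# Where the master process writes its PID
pid run/nginx.pid;
# Scheduling priority (nice value) of the workers, -20 .. 19
worker_priority 0;
# Open-file limit per worker; align it with the system limit (check with ulimit -n)
worker_rlimit_nofile 65535;
# Master/worker process model (default on); off runs everything in one process and is mainly for development
master_process on;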
events 语句块
events {
    # Maximum simultaneous connections per worker process
    worker_connections 65535;
    # Event notification method; select, poll and epoll are the supported choices on Linux
    use epoll;
    # Serialize accept() so that only one worker is woken for a new connection; off (the default)
    # wakes every sleeping worker ("thundering herd"), so on is recommended
    accept_mutex on;
    # Let a worker accept several pending connections per wake-up; default off (one at a time)
    multi_accept on;
}
http配置块
通用配置
# Map file extensions to the MIME type sent in the Content-Type response header
include mime.types;
# Fallback MIME type for extensions not listed in mime.types; browsers normally offer it as a download
default_type application/octet-stream;
响应报文server首部
# Charset appended to the Content-Type header; off disables it
charset utf-8;
# Hide the nginx version in the Server header and on generated error pages
server_tokens off;
优化参数
# Size of the hash table buckets that hold server names
server_names_hash_bucket_size 128;
# Buffer for reading a client request header; when the request line or a header field does not fit,
# a larger buffer from large_client_header_buffers is allocated
client_header_buffer_size 32k;
# Number and size of the buffers used for large request headers
large_client_header_buffers 4 32k;
# Upper bound on a request body (single upload); default 1m, larger bodies are answered with 413
client_max_body_size 64m;
# Buffer for the request body; default 16k; bodies that exceed it are spooled to client_body_temp_path
client_body_buffer_size 64k;
# Spool directory for request bodies, with a three-level subdirectory hierarchy
client_body_temp_path /tmp/nginx/client_temp 1 2 2;
# Hand file data from one descriptor to the other inside the kernel, skipping the copy through
# user space ("zero copy")
sendfile on;
# Requires sendfile: coalesce the response head and the start of the file into full packets
tcp_nopush on;
# On keep-alive connections send the response immediately instead of holding it for about 0.2s (default on)
tcp_nodelay on;
#keepalive_timeout 0;
# Keep-alive idle timeout; the second value is advertised to the client in the Keep-Alive: timeout= header
# and may differ from the first
keepalive_timeout 120 60;
# Cache descriptors and metadata of up to 10000 files; entries unused for 60s are dropped
open_file_cache max=10000 inactive=60s;
# Re-validate cached entries every 60s (default 60s)
open_file_cache_valid 60s;
# An entry must be hit at least 3 times within the inactive window to stay in the cache
open_file_cache_min_uses 3;
# Also cache failed lookups (default off)
open_file_cache_errors on;
Sendfile简述
read/write
在传统的文件传输方式(read、write/send方式),具体流程细节如下:
调用read函数,文件数据拷贝到内核缓冲区
read函数返回,数据从内核缓冲区拷贝到用户缓冲区
调用write/send函数,将数据从用户缓冲区拷贝到内核socket缓冲区
数据从内核socket缓冲区拷贝到协议引擎中
在这个过程当中,文件数据实际上是经过了四次拷贝操作:
硬盘—>内核缓冲区—>用户缓冲区—>内核socket缓冲区—>协议引擎
sendfile系统调用则提供了一种减少拷贝次数,提升文件传输性能的方法。
注意: Nginx 作为反向代理使用时,sendfile 则没什么用了,因为此时 in_fd 不是文件句柄而是 socket,不符合 sendfile 函数的参数要求。
sendfile系统调用利用DMA(直接存储器访问:外部设备不通过CPU而直接与系统内存交换数据的接口技术)将数据拷贝到内核缓冲区,之后数据被拷贝到与socket相关的内核缓冲区。这里没有 用户态和核心态 之间的切换,在内核中直接完成了从一个 buffer 到另一个 buffer 的拷贝
DMA引擎将数据从内核socket缓冲区拷贝到协议引擎中
这里没有用户态和内核态之间的切换,也没有内核缓冲区和用户缓冲区之间的拷贝,大大提升了传输性能。
注意:sendfile系统调用是一种文件传输的系统调用和kernel系统调用关系不大。
这个过程数据经历的拷贝操作如下:
硬盘—>内核缓冲区—>内核socket缓冲区—>协议引擎
带有DMA收集拷贝功能的sendfile
对于带有DMA收集拷贝功能的sendfile系统调用,还可以再减少一次内核缓冲区之间的拷贝。
具体流程如下:sendfile系统调用利用DMA引擎将文件数据拷贝到内核缓冲区,之后,将带有文件位置和长度信息的缓冲区描述符添加到内核socket缓冲区中,DMA引擎会将数据直接从内核缓冲区拷贝到协议引擎中。这个过程数据经历的拷贝操作如下: 硬盘—>内核缓冲区—>协议引擎
gzip压缩
# Enable gzip compression of responses (default off)
gzip on;
# Number and size of compression buffers; the platform default is 32 4k or 16 8k
gzip_buffers 16 8k;
# Compression level from 1 (fastest) to 9 (smallest); default 1
gzip_comp_level 6;
# Minimum request protocol version that gets compressed responses; default HTTP/1.1
gzip_http_version 1.1;
# Responses shorter than this are sent uncompressed
gzip_min_length 256;
# Compress responses to proxied requests regardless of their cache-related headers
gzip_proxied any;
# Emit "Vary: Accept-Encoding" so caches keep compressed and plain copies apart; recommended
gzip_vary on;
# MIME types to compress; text/html is always included and listing it again is reported as a duplicate.
# NOTE: compressing dynamic responses that carry secrets (session or CSRF tokens) next to
# attacker-influenced input is the precondition for BREACH-style attacks on TLS; keep this list
# to static assets or turn gzip off for such responses
gzip_types text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml text/javascript application/javascript application/x-javascript text/x-json application/json application/x-web-app-manifest+json text/css text/plain text/x-component font/opentype application/x-font-ttf application/vnd.ms-fontobject image/x-icon;
# Skip compression for Internet Explorer 1-6 (except SV1 builds)
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_proxied 字段
根据请求和响应启用或禁用对代理请求的响应进行 gzip 压缩。请求被代理的事实由“Via”请求头字段的存在决定。该指令接受多个参数:
off
- 禁用所有代理请求的压缩,忽略其他参数;
expired
- 如果响应头包含具有禁用缓存值的“Expires”字段,则启用压缩;
no-cache
- 如果响应头包含带有“no-cache”参数的“Cache-Control”字段,则启用压缩;
no-store
- 如果响应头包含带有“no-store”参数的“Cache-Control”字段,则启用压缩;
private
- 如果响应头包含带有“private”参数的“Cache-Control”字段,则启用压缩;
no_last_modified
- 如果响应头不包含“Last-Modified”字段,则启用压缩;
no_etag
- 如果响应头不包含“ETag”字段,则启用压缩;
auth
- 如果请求头包含“Authorization”字段,则启用压缩;
any
- 为所有代理请求启用压缩。
日志配置
# JSON access-log format. escape=json encodes quotes and control characters found in request-derived
# variables such as $http_user_agent and $http_referer, so a crafted request cannot break the JSON
# structure or forge additional log records
log_format main escape=json
    '{"@timestamp":"$time_iso8601",'                  # request timestamp, ISO 8601
    '"server_addr":"$server_addr",'                   # address the request was accepted on
    '"remote_addr":"$remote_addr",'                   # peer address (a proxy's address if one sits in front)
    '"scheme":"$scheme",'                             # http or https
    '"request_method":"$request_method",'             # HTTP method
    '"request_uri": "$request_uri",'                  # original request URI including arguments
    '"request_length": "$request_length",'            # request size in bytes
    '"uri": "$uri", '                                 # normalized URI path
    '"request_time":$request_time,'                   # processing time in seconds
    '"body_bytes_sent":$body_bytes_sent,'             # response body bytes
    '"bytes_sent":$bytes_sent,'                       # total bytes sent
    '"status":"$status",'                             # response status code
    '"upstream_time":"$upstream_response_time",'      # upstream response time
    '"upstream_host":"$upstream_addr",'               # upstream address
    '"upstream_status":"$upstream_status",'           # upstream status code
    '"host":"$host",'                                 # host name of the request
    '"http_referer":"$http_referer",'                 # Referer header
    '"http_user_agent":"$http_user_agent"'            # User-Agent header
    '}';
# Default access log for the http context
access_log logs/access.log main;
server语句块通用指令
server {
    # Listening port
    listen 80;
    # Catch-all server name
    server_name _;
    # Per-host access and error logs
    access_log logs/devops_access.log main;
    error_log logs/devops_error.log;
    # Document root
    root /data/nginx/html/devops;
    # Index files, tried in order
    index index.html index.htm index.php;
    # Custom error pages
    error_page 404 /404.html;
    error_page 502 /502.html;
}
root & alias
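# root appends the whole URI to the directory; alias substitutes the directory for the matched prefix
location /test {
    root /data/nginx/html/devops/;
}
# Was "location /ceshi": keep the trailing slash on the location prefix whenever the alias path ends
# with one. Without it, a URI that merely continues the prefix (no separator after "ceshi") also matches
# and its remainder is appended to the alias directory, which can resolve to paths outside it
location /ceshi/ {
    alias /data/nginx/html/devops/;
}
# Resulting paths on disk:
#   curl 10.211.55.106/test/index.html   -> /data/nginx/html/devops/test/index.html
#   curl 10.211.55.106/ceshi/index.html  -> /data/nginx/html/devops/index.html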
location指令
通过指定模式来与客户端请求的URI相匹配
- = #用于标准uri前,需要请求字串与uri精确匹配,大小敏感,如果匹配成功就停止向下匹配并立即处理请求
- ^~ #用于标准uri前,表示包含正则表达式,并且匹配以指定的正则表达式开头,对URI的最左边部分做匹配检查,不区分字符大小写
- ~ #用于标准uri前,表示包含正则表达式,并且区分大小写
- ~* #用于标准uri前,表示包含正则表达式,并且不区分大小写
- 不带符号 #匹配起始于此uri的所有的uri
- \ #用于标准uri前,表示包含正则表达式并且转义字符。可以将 . * ?等转义为普通符号
- 匹配优先级从高到低: =, ^~, ~/~*, 不带符号
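# Exact match: only the URI /log.jpg
location = /log.jpg {
    root /data/nginx/devops/;
}
# Case-sensitive regular expression
location ~ /A.?\.jpg {
    root /data/nginx/devops/;
}
# Case-insensitive regular expression
location ~* /A.?\.jpg {
    root /data/nginx/devops/;
}
# Prefix match that is preferred over the regex locations below
location ^~ /images {
    root /data/nginx/devops/;
}
location /api {
    alias /data/nginx/api;
}
# Regex locations are tested in the order written and the first match wins, so this deny list
# has to come before the PHP and static-asset regexes; in the original order an image, script
# or .php path below one of these directories was handled by those locations instead
location ~ ^/(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
    deny all;
}
location ~ [^/]\.php(/|$) {
    # Split /script.php/extra into the script name and PATH_INFO
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # Refuse requests whose script file does not exist, so PHP's cgi.fix_pathinfo cannot fall back
    # to executing a different file (for example an uploaded image) as PHP
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }
    # httpoxy mitigation: never forward a client-supplied Proxy header as HTTP_PROXY
    fastcgi_param HTTP_PROXY "";
    #fastcgi_pass remote_php_ip:9000;
    fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
    fastcgi_param PATH_INFO $fastcgi_path_info;
}
# Long-lived static assets, not access-logged
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
}
# Was "(js|css)?$": the optional group also matched any URI ending in a bare dot
location ~ .*\.(js|css)$ {
    expires 7d;
    access_log off;
}
# ACME and other well-known URIs stay reachable
location /.well-known {
    allow all;
}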
四层访问控制
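location = /login/ {
    root /data/nginx/html/pc;
    # Rules are evaluated top-down; the first match decides
    allow 10.0.0.0/24;
    deny all;
}
location /about {
    alias /data/nginx/html/pc;
    index index.html;
    # Order rules from the most specific to the broadest, since the first match wins
    deny 192.168.1.1;
    allow 192.168.1.0/24;
    # Was 10.1.1.0/16: the host bits below a /16 mask are ignored (nginx warns that they are
    # meaningless), so write the network address that is actually matched
    allow 10.1.0.0/16;
    allow 2001:0db8::/32;
    deny all;
}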
账户认证
#CentOS安装包 [root@centos8 ~]#yum -y install httpd-tools #Ubuntu安装包 root@ops106:~# apt -y install apache2-utils root@ops106:~# htpasswd -cb /usr/local/nginx/conf/.htpassword devops 123456 Adding password for user devops location = /login/ { root /data/nginx/html/devops/; index index.html; auth_basic "login password"; auth_basic_user_file /usr/local/nginx/conf/.htpasswd; }
作为下载服务器
location /download {
    # Directory listing; it exposes every file name under the root, so only use it for a
    # directory that is meant to be browsed in full
    autoindex on;
    # Exact sizes in bytes (the default); off shows rounded KB/MB/GB values
    autoindex_exact_size on;
    # Show local time instead of GMT (default off)
    autoindex_localtime on;
    # Per-connection bandwidth cap; unlimited by default
    limit_rate 1024k;
    root /data/nginx/html/devops/;
}
状态页
location /nginx_status {
    stub_status;
    # Password protection in addition to the source-address filter below
    auth_basic "auth login";
    # NOTE: other examples on this page use /usr/local/nginx/conf/.htpasswd; make sure this path matches the installed layout
    auth_basic_user_file /apps/nginx/conf/.htpasswd;
    # Only the management network and the local host may reach the page
    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny all;
}
# The status page reports basic nginx counters. Sample output:
Active connections: 291
server accepts handled requests
 16630948 16630948 31070465
Reading: 6 Writing: 179 Waiting: 106
# The three numbers below "server" are accepts, handled and requests, in that order
# Active connections: client connections currently open, including idle keep-alive ones (= reading + writing + waiting)
# accepts: cumulative number of client connections accepted since start
# handled: cumulative number of connections handled; normally equals accepts unless connections were rejected, e.g. by the worker_connections limit
# requests: cumulative number of client requests since start
# Reading: connections whose request header is currently being read; a high value means requests are queueing and capacity is short
# Writing: connections whose response is currently being sent; a high value means heavy traffic
# Waiting: idle keep-alive connections waiting for the next request; with keep-alive on this equals active - (reading + writing)
https功能
自签名证书
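# Self-signed CA certificate
# -nodes leaves ca.key unencrypted; restrict it to root (chmod 600) and keep it off the web server if possible
root@ops106:/usr/local/nginx/certs# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a RSA private key
............................................................................++++
...........................++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SuperOps
Organizational Unit Name (eg, section) []:Ops
Common Name (e.g. server FQDN or YOUR name) []:ca.devops.com
Email Address []:superops@aliyun.com
root@ops106:/usr/local/nginx/certs#
root@ops106:/usr/local/nginx/certs# ls
ca.crt ca.key


# Server key and CSR
root@ops106:/usr/local/nginx/certs# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.devops.com.key -out www.devops.com.csr
Generating a RSA private key
..............................++++
.....................................................................................................................................................................++++
writing new private key to 'www.devops.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SuperOps
Organizational Unit Name (eg, section) []:SuperOps
Common Name (e.g. server FQDN or YOUR name) []:www.devops.com
Email Address []:superops@aliyun.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@ops106:/usr/local/nginx/certs# ls
ca.crt ca.key www.devops.com.csr www.devops.com.key


# Issue the server certificate
# NOTE: "openssl x509 -req" without -extfile yields an X.509 v1 certificate ("Version: 1 (0x0)" below)
# that carries no subjectAltName. Current browsers and TLS libraries ignore the CN and require a SAN,
# so put e.g. "subjectAltName=DNS:www.devops.com" in a small file and pass it with -extfile when signing
root@ops106:/usr/local/nginx/certs# openssl x509 -req -days 3650 -in www.devops.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.devops.com.crt
Signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = SuperOps, OU = SuperOps, CN = www.devops.com, emailAddress = superops@aliyun.com
Getting CA Private Key
root@ops106:/usr/local/nginx/certs# ls
ca.crt ca.key ca.srl www.devops.com.crt www.devops.com.csr www.devops.com.key


# Inspect the certificate
root@ops106:/usr/local/nginx/certs# openssl x509 -in www.devops.com.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
1b:a6:3e:33:cd:72:fb:04:d0:8c:ac:bf:8d:5b:78:a7:98:79:ca:27
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = BeiJing, L = BeiJing, O = SuperOps, OU = Ops, CN = ca.devops.com, emailAddress = superops@aliyun.com
Validity
Not Before: Dec 4 17:16:28 2021 GMT
Not After : Dec 2 17:16:28 2031 GMT
Subject: C = CN, ST = BeiJing, L = BeiJing, O = SuperOps, OU = SuperOps, CN = www.devops.com, emailAddress = superops@aliyun.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:d1:1f:f5:ed:1d:94:64:61:86:a5:31:5d:d6:23:
c3:0d:44:52:4c:ce:e4:fe:e1:84:3e:42:8b:3d:ae:
94:8a:b9:e6:43:63:1a:44:f0:5f:65:09:51:05:8f:
f4:66:db:52:c8:75:2c:69:50:dd:48:99:21:7d:5d:
2d:06:cf:90:2a:f9:2e:65:5b:4e:8b:b7:70:45:78:
91:4e:0c:96:3e:79:e6:0b:30:24:ff:ff:ea:5d:5c:
4d:f9:62:b6:0e:d8:5d:49:a4:0e:79:44:94:e5:d7:
52:3d:85:e7:62:2e:22:ca:03:64:40:11:33:5b:0a:
fe:33:a0:1e:85:d8:a1:a1:00:49:ed:9c:d5:4d:f5:
b1:c7:0d:ce:4d:2e:8b:30:73:b4:fb:55:0b:d4:1a:
8f:01:3c:4c:eb:33:10:c6:df:56:7e:b8:fd:b6:1e:
25:a9:9f:64:03:cb:86:9a:1c:f1:43:16:3d:18:bd:
fa:00:20:62:46:7d:20:c1:11:32:7b:24:16:bc:cc:
16:4f:29:6f:0a:66:a6:fc:45:89:8c:b3:fc:b9:3c:
e5:bb:ea:a3:ae:18:f1:29:c6:39:20:1d:2f:44:2b:
2b:3f:19:3d:5c:8d:5c:ad:b1:d3:d4:98:3a:7a:7b:
69:d1:72:32:31:80:01:8a:ee:55:60:24:60:5e:d7:
4e:87:da:91:cf:a6:b6:64:03:1a:fa:2d:b7:be:d9:
0d:18:d9:37:b1:e0:5c:52:e0:0d:a6:f2:51:9c:93:
ad:f2:80:7d:d9:d9:31:47:21:57:4e:52:a8:b0:11:
d2:d3:a2:5d:92:4b:5a:ca:35:b2:4e:16:6e:e7:76:
e7:da:0b:ca:e3:31:6f:09:1e:aa:ae:3d:0f:63:72:
c1:2e:2b:8d:b9:13:0d:77:ae:ea:d7:4d:da:e4:61:
58:d4:31:84:fa:3e:43:3c:ef:ea:b1:d0:2b:37:d4:
4e:19:ae:59:81:bf:9f:a1:5c:53:c3:5f:8e:0c:16:
47:9e:d2:8f:a9:c4:73:54:23:5c:dd:f1:67:46:5e:
fd:ac:91:85:0a:ff:af:d3:79:a5:d4:a6:7e:72:af:
4c:f1:71:97:42:e6:ad:cf:89:fa:6e:b1:ea:f9:05:
3c:fb:92:c3:72:a5:fb:60:1b:0f:f1:1a:93:b5:32:
d2:74:4c:01:ff:2c:47:cb:c4:8b:b2:45:5b:c6:09:
0b:06:f8:0d:06:fc:2c:10:06:2f:0f:92:ef:ad:cc:
9d:ad:23:7e:60:bc:d6:0d:3f:5c:f8:9b:72:be:03:
10:c5:18:26:bf:c8:e7:af:84:2b:16:d6:63:e9:03:
bf:97:24:ae:c2:1e:11:93:5f:97:96:54:cc:0d:bc:
4c:2a:67
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
61:a5:10:40:e3:98:54:75:b5:b2:9b:b1:52:88:42:f2:81:3f:
ee:6b:ef:93:64:ec:53:9f:a2:ae:97:e7:09:8e:4b:f9:27:2d:
cd:00:6d:71:02:c3:7a:c1:84:23:6c:60:c2:77:e8:a3:7a:8a:
2e:5e:31:b7:7c:e4:4b:8e:7b:50:5a:d6:9c:c9:70:5c:ef:31:
87:96:0d:03:10:b6:3a:76:86:5c:a1:0c:7e:eb:38:aa:0a:3b:
db:f0:75:8b:6c:e3:25:39:cb:ef:ac:dc:27:87:58:93:1e:5c:
88:2b:27:20:76:36:ef:f4:2c:66:b8:3f:57:bf:cc:9f:0d:32:
08:89:64:a7:e3:cf:45:a7:6e:f6:c9:df:ce:03:7d:0a:08:54:
46:c7:53:c0:3b:92:66:50:2d:fa:d3:34:2f:cc:92:13:ae:39:
49:cf:33:3c:ba:57:2b:f3:62:91:9a:40:de:2b:ce:50:31:6a:
67:26:e2:c1:b9:bb:a9:55:71:a4:3f:36:a4:c2:8c:ef:c1:48:
5a:80:54:9b:4a:a6:e9:b0:dc:77:35:c0:b3:7f:5e:cb:e9:fe:
aa:2f:c5:da:63:93:c5:cc:e0:af:cb:66:a4:e3:c2:d1:4e:8b:
1e:6c:28:cc:76:4b:c1:09:32:dc:fe:ed:92:96:9e:1e:be:d7:
f8:40:f8:b5:dd:92:91:e3:a4:38:b8:9e:ca:63:d4:22:08:5e:
31:04:2e:06:e0:eb:83:48:9f:93:bd:a9:a1:6a:1a:af:ea:7e:
1e:7f:9f:63:57:2d:34:11:14:97:bb:75:5a:04:07:e1:4c:9e:
12:ce:6f:5e:f6:80:57:c3:fa:be:a2:de:27:be:b8:85:04:1f:
27:52:4d:60:54:28:2e:18:3f:22:fe:c8:3b:c7:5e:46:ef:bf:
9d:81:58:04:47:58:07:71:76:32:46:04:63:03:aa:cd:b1:3d:
be:9d:59:b3:4a:e6:4f:fb:96:5f:0f:f0:9f:e9:51:07:e3:0f:
b0:7d:26:55:96:74:91:69:f4:ab:d9:20:6d:59:3d:b8:3c:89:
9b:8b:ec:a8:90:7a:45:e4:13:f8:b7:49:1d:e4:c8:d9:5a:2a:
96:0e:d2:c1:5f:ad:27:c9:1b:64:89:5c:45:97:89:b0:5a:45:
c0:a5:5f:45:3b:fc:52:61:c4:c9:1a:1a:30:52:ef:e2:46:30:
75:7f:a1:2e:e2:f7:65:ef:6a:ab:be:3a:1a:44:b7:77:a8:a1:
67:cf:a8:77:e1:a1:37:4f:c7:1e:ab:33:58:0b:17:26:f4:60:
5d:2c:2b:a7:13:22:2b:aa:33:a2:ca:af:b2:ff:5f:f7:a7:55:
1d:2b:6e:61:a6:e6:fc:e9

# Build the chain file for ssl_certificate: the server certificate must come first, then the CA certificate
root@ops106:/usr/local/nginx/certs# cat www.devops.com.crt ca.crt > www.devops.com.pem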
配置信息
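# Plain-HTTP listener: its only job is a permanent redirect to HTTPS. Was an "if ($scheme = http)"
# rewrite with a temporary redirect inside the shared server block; a separate server with return 301
# avoids the if and lets clients (and HSTS preload) treat the redirect as permanent
server {
    listen 80;
    server_name www.devops.com;
    return 301 https://www.devops.com$request_uri;
}

server {
    # Enable TLS on this port
    listen 443 ssl;
    server_name www.devops.com;
    # Server certificate followed by the CA chain (the pem built from www.devops.com.crt and ca.crt)
    ssl_certificate /usr/local/nginx/certs/www.devops.com.pem;
    # Private key; it is read by the master before privileges are dropped, so keep it readable by root only
    ssl_certificate_key /usr/local/nginx/certs/www.devops.com.key;
    # Session cache shared by all workers: one name and size, about 4000 sessions per megabyte;
    # several virtual hosts may use the same cache name
    ssl_session_cache shared:sslcache:20m;
    # How long a cached session may be resumed (default 5m)
    ssl_session_timeout 10m;
    # Was "TLSv1 TLSv1.1 TLSv1.2": TLS 1.0 and 1.1 are deprecated (RFC 8996) and are flagged by compliance scans
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only; the earlier list (ECDHE:ECDH:AES:HIGH:...) also admitted CBC and
    # non-ECDHE suites. TLS 1.3 suites are selected by the library and are not affected by this list
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    error_log /usr/local/nginx/logs/devops.com_error.log notice;
    access_log /usr/local/nginx/logs/devops.com_access.log main;
    # HSTS for one year; includeSubDomains forces HTTPS on every subdomain as well, so keep it only if
    # all of them serve TLS. "always" also adds the header to error responses
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    location / {
        root /data/nginx/html/devops;
    }
}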
nginx 变量
其他配置
rewrite 指令
ngx_http_rewrite_module
if 指令
set 指令
break 指令
return 指令
rewrite_log 指令
rewrite 指令
防盗链
其他功能
第三方模块
自动生成 nginx 配置文件
一键部署 nginx 集成环境
https://oneinstack.com/auto/
作者:闫世成
出处:http://cnblogs.com/yanshicheng