
nginx 配置

2019年06月13日

nginx 配置

1. http2开启

环境 ubuntu18.04 + nginx1.14(apt 自带)

/etc/nginx/nginx.conf 配置,关键是在 SSL Settings 下配置 ssl 证书信息(写在 http 块里的 ssl 设置会被所有没有自行覆盖它的 server 块继承,所以协议和加密套件的收紧在这里做一次即可)

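user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # Hide the nginx version in the Server header and on error pages;
        # it only helps attackers fingerprint the exact build.
        server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings (inherited by every server {} that does not override them)
        ##

        ssl_certificate  /etc/nginx/cert/b.com.pem;
        # Private key: keep it root-owned and mode 0600; only the master process
        # (which runs as root) needs to read it.
        ssl_certificate_key /etc/nginx/cert/b.com.key;
        # Shared session cache across workers so resumption works regardless of
        # which worker accepts the connection; 10m holds roughly 40k sessions.
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail modern compliance
        # scans; serve TLS 1.2 only. Append "TLSv1.3" once the nginx binary is
        # built against OpenSSL 1.1.1 or newer (nginx refuses the value otherwise).
        ssl_protocols TLSv1.2;
        # Forward-secret AEAD suites only. The previous list ended in
        # "ECDH:AES:HIGH", which also admitted static-RSA key exchange (no
        # forward secrecy) and CBC suites (padding-oracle history).
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        # Only text/html is compressed by default (gzip_types is not set).
        # Be careful when extending gzip_types to responses that mix secrets
        # (CSRF tokens, session ids) with attacker-influenced input over TLS
        # (BREACH-style compression side channels).
        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}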

服务配置:新建 /etc/nginx/sites-available/x.conf 文件,写入如下信息,然后用 `ln -s /etc/nginx/sites-available/x.conf /etc/nginx/sites-enabled/` 启用(nginx.conf 只 include 了 sites-enabled 目录),最后 `nginx -t && systemctl reload nginx`:

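server {
    listen 443 ssl http2;
    server_name www.b.com;
    # "ssl on;" dropped: "listen ... ssl" already enables TLS for this socket,
    # and the directive is deprecated in newer nginx releases.
    root /var/www/b.com;
    index index.html index.htm;
    ssl_certificate  /etc/nginx/cert/b.com.pem;
    ssl_certificate_key /etc/nginx/cert/b.com.key;
    ssl_session_timeout 5m;
    # Forward-secret AEAD suites only; the old "ECDH:AES:HIGH" tail also
    # allowed static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # TLS 1.0/1.1 are deprecated (RFC 8996). Add TLSv1.3 once the build's
    # OpenSSL is 1.1.1+.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Tell browsers to use HTTPS only for this host (6 months). Reasonable here
    # because port 80 already redirects to HTTPS; enable it only once the
    # certificate setup is stable, since it cannot be quickly undone.
    add_header Strict-Transport-Security "max-age=15768000" always;
    location / {
        index index.html index.htm;
    }
}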
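server {
    listen 80;
    server_name www.b.com;
    # Redirect with the configured name, not $host: if this block ends up as
    # the default server for :80, $host is the client-supplied Host header and
    # the redirect target would reflect it. "return" is cheaper than a regex
    # rewrite, and $request_uri keeps path and query string intact.
    return 301 https://$server_name$request_uri;
}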

2. 重定向

  • 强制使用https
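server {
    listen 80;
    server_name www.b.com;
    # Use the configured server name rather than $host so a request with an
    # arbitrary Host header (possible if this is the default :80 server) is
    # not redirected to an attacker-chosen host. $request_uri preserves the
    # original path and query string.
    return 301 https://$server_name$request_uri;
}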
  • path 转 子域名
# Move /blog/<rest> to the blog subdomain; $1 is <rest>. nginx appends the
# original query string automatically (end the target with "?" to drop it).
rewrite ^/blog/(.*)$  https://blog.b.com/$1 permanent;
  • 修改网址并使用新网址进行其他操作
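# Reverse-proxy example: strip the /blog prefix, then hand the request on.
location /blog/ {
    rewrite ^/blog/(.*)$ /$1 break; # "break" keeps the rewritten URI and stops further rewrites
    proxy_pass http://127.0.0.1:6000;
    # Without these the backend only ever sees 127.0.0.1 as the client and the
    # upstream address as Host, which breaks logging, rate limiting and
    # absolute-URL generation behind the proxy (same headers as section 3).
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}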

3. 反向代理

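server {

    listen 443 ssl http2;
    server_name www.b.com;

    # "ssl on;" dropped: redundant with "listen ... ssl" and deprecated upstream.
    ssl_certificate  /etc/nginx/cert/b.com.pem;
    ssl_certificate_key /etc/nginx/cert/b.com.key;
    ssl_session_timeout 5m;
    # Forward-secret AEAD suites only; the old "ECDH:AES:HIGH" tail also
    # allowed static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # TLS 1.0/1.1 are deprecated (RFC 8996). Add TLSv1.3 once the build's
    # OpenSSL is 1.1.1+.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # HTTPS-only for this host (6 months); safe because :80 redirects here.
    add_header Strict-Transport-Security "max-age=15768000" always;

    # Upper bound for request bodies (uploads); larger ones get 413 before
    # they reach the backend.
    client_max_body_size 20M;

    # Static files are served by nginx directly. The location prefix and the
    # alias both end in "/" on purpose: a prefix without the slash combined
    # with an alias ending in one lets "/static../" escape the directory.
    location /static/ {
        alias   /var/www/b.com/static/;
    }

    location / {
         proxy_pass http://127.0.0.1:6000;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         # Lets the backend know the original request was HTTPS, which it
         # needs for secure cookies and HTTPS-only redirects (e.g. a Django
         # backend's SECURE_PROXY_SSL_HEADER). The backend must trust these
         # headers only when they come from this proxy.
         proxy_set_header X-Forwarded-Proto $scheme;
         # 10 minutes: generous so slow backend jobs are not cut off; lower it
         # if the backend only serves quick page requests.
         proxy_send_timeout 600;
         proxy_connect_timeout 600;
         proxy_read_timeout 600;
    }
}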

4. 将/admin/*路径所有请求分流到另一台服务器上

django 服务挂载到 www.b.com/admin/ 下,www.b.com同时由多个服务器提供独立的服务。

为使 nginx 能正确区分来自 django 的请求(静态、动态),django 服务让客户端在后续请求的 cookie 中带上 svr=django。注意这个 cookie 完全由客户端控制,任何人都可以自己设置;这里它只用来决定是否跳转到本来就可以直接访问的 /admin/ 路径,所以不构成信任问题,但也绝不能用它做任何鉴权。

具体配置如下:

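server {
    listen 443 ssl http2;
    server_name www.b.com;

    # other setting ...

    location / {
        # Emulates "if (cookie says django AND path is not already /admin/)":
        # nginx "if" cannot nest and has no else, so the two conditions are
        # combined by building the string "11" in $dj.
        set $dj '1';

        # The original pattern "^.django.*$" required one extra leading
        # character and so never matched a bare "svr=django" cookie; a plain
        # substring match covers both. The cookie is client-controlled, so it
        # must only ever steer this redirect, never authorize anything.
        if ($cookie_svr ~* "django") {
             set $dj 1$dj;
        }
        # Requests whose normalized URI starts with /admin/ are already claimed
        # by the longer "location /admin/" prefix below; this mostly guards odd
        # encodings where $request_uri and $uri disagree.
        if ($request_uri ~* "^/admin/.*$") {
            set $dj '1';
        }

        # 302 ("redirect"), not 301 ("permanent"): the decision depends on a
        # cookie that can change, and browsers cache 301 responses per URL, so
        # a cached permanent redirect would keep sending /x to /admin/x long
        # after the cookie is gone.
        if ($dj = '11') {
           rewrite ^/(.*)$ /admin/$1 redirect;
        }

        index index.html index.htm;
    }

    # admin: the Django app is mounted under /admin/ and receives the URI with
    # that prefix stripped.
    location /admin/ {
         rewrite ^/admin/(.*)$ /$1 break;
         proxy_pass http://127.0.0.1:8000;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         # Needed for the backend to know the request arrived over HTTPS
         # (secure cookies, HTTPS-only redirects).
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_send_timeout 600;
         proxy_connect_timeout 600;
         proxy_read_timeout 600;
    }

}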
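server {
    listen 80;
    server_name www.b.com;
    # Redirect with the configured name, not $host, so an arbitrary Host header
    # (possible if this is the default :80 server) is not reflected into the
    # redirect target. $request_uri keeps path and query string.
    return 301 https://$server_name$request_uri;
}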

注意:

  • nginx 的 if 不能嵌套,也没有 else(上面用拼接字符串 $dj 的方式模拟两个条件的"与")
  • 通过$cookie_svr可以获取到svr的值
  • 要正确使用 rewrite 的标志(last、break、redirect、permanent);依赖 cookie 等可变状态做出的跳转应使用 redirect(302),permanent(301)会被浏览器按 URL 缓存,cookie 变化后仍会继续跳转

5. 负载均衡

通过 nginx 的 stream 模块实现四层(TCP/UDP)负载均衡;stream 块必须写在 nginx.conf 顶层,与 http 块平级,不能放在 http 内部


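# Run workers as an unprivileged account ("www-data" on Debian/Ubuntu, "nginx"
# on RHEL-style builds). The master keeps the privileges it was started with;
# "user" only affects the workers, and the original "user root;" made every
# worker -- the processes that actually handle client traffic -- run as root.
user www-data;
worker_processes  auto;

events {
    worker_connections  1024;
}


stream {
    log_format lbs '$remote_addr -> $upstream_addr [$time_local] '
                   '$protocol $status $bytes_sent $bytes_received '
                   '$session_time  "$upstream_connect_time"';

    access_log /var/log/nginx/access.log  lbs;
    open_log_file_cache off;

    # Hash on the client address so a given client keeps reaching the same
    # backend; "consistent" (ketama) limits reshuffling when a backend is
    # added or removed.
    upstream backend {
        hash $remote_addr consistent;
        server backend-1:18888;
        server backend-2:18888;
        server backend-3:18888;
        server backend-4:18888;
    }

    # The same port is forwarded for both TCP and UDP. This is a plain L4
    # proxy: nothing here restricts who may connect, so firewall the listener
    # if the backends are not meant to be reachable by everyone.
    server {
        listen 18888;
        listen 18888 udp;

        proxy_pass backend;
    }
}
# (the closing brace of the stream block was missing in the original listing)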

6. try_files

server {
    ...

    # Single-page-app style serving: a file that exists under the alias is
    # served as-is, anything else falls back to index.html. "^~" stops nginx
    # from evaluating regex locations once this prefix matches. The prefix and
    # the alias both end in "/" on purpose: a prefix without the trailing slash
    # would let "/static/html../" escape the aliased directory.
    location ^~ /static/html/ {
        alias /opt/code/pages/html/;
        # NOTE(review): try_files together with alias has long-standing quirks
        # in nginx; confirm the fallback really resolves to
        # /opt/code/pages/html/index.html on the deployed version.
        try_files $uri /static/html/index.html;
   }
}

7. location + if

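server {
    location ^~ /static/html/ {
        # "$url" is not an nginx variable (nginx refuses to start with
        # 'unknown "url" variable'); the normalized request path is $uri.
        # Images are offloaded to object storage; "permanent" is acceptable
        # here because the mapping does not depend on any per-request state.
        # "if" + "rewrite ... permanent" inside a location is one of the
        # forms of "if" that is safe to use.
        if ($uri ~* "\.(png|jpg)$") {
            rewrite ^/(.*)$ https://my-bucket.oss-cn-shenzhen.aliyuncs.com/$1 permanent;
        }
        alias /opt/code/pages/html/;
        try_files $uri /static/html/index.html;
    }
}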

8. 安全验证

生成口令文件(htpasswd 格式,nginx 通过系统 crypt() 或内置的 apr1/SHA 实现校验)

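# install htpasswd
apt install apache2-utils

# Create the credential file. Do not pass "-d": it selects classic DES crypt(),
# which silently truncates the password to 8 characters and is trivially
# cracked. With no algorithm flag htpasswd writes salted apr1-MD5, which
# nginx's auth_basic understands. "-B" (bcrypt) is stronger but nginx checks
# it through the system crypt(), which only accepts $2y$ hashes when libcrypt
# is libxcrypt -- test a login before relying on it.
# "-c" creates (or overwrites!) the file; omit it when adding further users.
htpasswd -c passwd.db user

# nginx workers (www-data on Debian/Ubuntu) read this file at request time,
# so it must be readable by that user but by nobody else. The original
# "chmod 400" left it readable only by the owner (root when run via sudo),
# which makes every authenticated request fail.
chown root:www-data passwd.db
chmod 640 passwd.db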

nginx 配置

server {
    # HTTP Basic auth for the whole server. Credentials travel base64-encoded,
    # not encrypted, so this only belongs inside a TLS (listen 443 ssl) server.
    # The realm string is shown in the browser prompt and has no other effect.
    auth_basic  "secret";
    # Must be readable by the worker user (www-data); if nginx cannot open the
    # file it cannot authenticate anyone and answers with an error. The name
    # deliberately does not end in ".conf" so the "include conf.d/*.conf" glob
    # never parses the hash file as configuration.
    auth_basic_user_file  /etc/nginx/conf.d/passwd.db;

    ...
}

效果图

效果图