# nginx常用配置

# Gzip配置

gzip  on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_vary on;
gzip_disable "MSIE [1-6]\.";
1
2
3
4
5
6
7

# ssl证书配置

## 将证书放置于nginx安装目录下
server {
     listen 443;
     server_name blog.zhuangzexin.top;
     ssl on;
     ssl_certificate  /etc/nginx/cert/2590551_blog.zhuangzexin.top.pem;
     ssl_certificate_key /etc/nginx/cert/2590551_blog.zhuangzexin.top.key;
     ssl_session_timeout 5m;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
     ssl_prefer_server_ciphers on;
     location / {
         root /var/www/blog;
         index  index.html index.htm;
     }
 }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

# 使用auth_basic 授权登录访问地址

  1. 生成密码
# 生成username password
# 两种方法
# 第一种:需安装htpasswd  
htpasswd -c /etc/nginx/passwords username 
# 第二种:
printf "yourusername:$(openssl passwd -apr1)" > /etc/nginx/passwords

# 以上注意生成的passwords 不要放在ngxin访问不到的目录,比如root,不然访问会出现500,详见error.log

1
2
3
4
5
6
7
8
9
  1. 配置
# auth_basic "内容" 为登录时提醒内容
auth_basic "Please input password";
auth_basic_user_file /etc/nginx/passwords;
1
2
3

# example: 配置netdata密码登录

upstream netdata {
    server 127.0.0.1:19999;
    keepalive 64;
}

server {
    listen       80;
    #server_name  localhost 127.0.0.1;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    location /netdata {
        return 301 /netdata/;
    }

   location ~ /netdata/(?<ndpath>.*) {
        # auth
        auth_basic "Please input password";
        auth_basic_user_file /etc/nginx/passwd;
        proxy_redirect off;
        proxy_set_header Host $host;

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
        proxy_pass http://netdata/$ndpath$is_args$args;

        gzip on;
        gzip_proxied any;
        gzip_types *;
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

# 将http代理为https

  • 方式1: 转发所有http至https
server {
    listen 80 default_server;

    server_name _;

    return 301 https://$host$request_uri;
}

1
2
3
4
5
6
7
8

转发特定域名http至https

server {
    listen 80;

    server_name foo.com;
    return 301 https://foo.com$request_uri;
}
1
2
3
4
5
6
  • 方式2(old):

Proxy HTTPS requests to a HTTP backend with NGINX reference (opens new window)

server {
    listen xxx.xxx.xxx.xxx:80;
    server_name www.example.net;

    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen 443 ssl;
    server_name www.example.net;

    root   /vhosts/www.example.net;
    
    # ssl                  on;
    ssl_certificate      /etc/pki/nginx/www.example.net.crt;
    ssl_certificate_key  /etc/pki/nginx/www.example.net.key;

    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/pki/nginx/dh2048.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

# 缓存控制

控制特定资源走缓存

  # 静态资源方式
  # location /test {
        #    add_header Cache-Control 'no-cache, must-revalidate, proxy-revalidate, max-age=0';
        #    alias /usr/share/nginx/test/;
        #    index index.html;
        #}

        #location ~* /test/(.+\.(gif|jpg|jpeg|png|css|js|ico|eot|otf|fon|font|ttf|ttc|woff|woff2))$ {
        #    alias /usr/share/nginx/test/$1;
        #    expires 1M;
        #    add_header Cache-Control "public";
        #}
  # proxy pass方式
  location /test/ {
            add_header Cache-Control 'no-cache, must-revalidate, proxy-revalidate, max-age=0';
            proxy_pass http://127.0.0.1:10089/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5;
        }


        location ~* /test/(.+\.(gif|jpg|jpeg|png|css|js|ico|eot|otf|fon|font|ttf|ttc|woff|woff2))$ {
            proxy_pass http://127.0.0.1:10089/$1;
            expires 1M;
            add_header Cache-Control "public";
        }

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

# 使用post访问json静态文件

server {
    listen 80;
    client_max_body_size 4G;

    access_log /var/sites/webapp/logs/access.maintenance.log;
    error_log /var/sites/webapp/logs/error.maintenance.log info;

    server_name api.webapp.com;

    # this guy redirects any path to /api.json
    rewrite ^.*$ /api.json last;

    location / {
        root /var/sites/webapp/webapp/;
        index api.json /api.json;

        # this is the magic
        error_page 405 = $uri;
    }

}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Last Updated: 4/8/2024, 3:34:45 AM