Nginx进阶

H5自动适配

通过修改变量$html_root来返回和调整不同的页面地址内容

配置

# 前端页面
set $html_root /var/html/yourdomain.com/;

# H5自动适配
if ($http_user_agent ~* (mobile|nokia|iphone|ipad|android|samsung|htc|blackberry)) {
    set $html_root /var/html/yourdomain.com/h5/;
}

location / {
    root $html_root/www/;
    index index.html;
    try_files $uri $uri/ /index.html;
}

location /admin/ {
    root $html_root;
    index index.html;
    try_files $uri $uri/ /admin/index.html;
}

目录结构

/var/html/yourdomain.com/
├── admin
│   └── index.html
├── www
│    └── index.html
└── h5
    ├── admin
    │   └── index.html
    └── www
        └── index.html

WebSocket

示例

location /v1/ {
    proxy_pass http://127.0.0.1:8080/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}

关键配置

proxy_http_version 1.1;
proxy_set_header Connection "Upgrade";
proxy_set_header Upgrade $http_upgrade;

SSE

location /sse/ {
    proxy_buffering off;
    proxy_pass http://127.0.0.1:8080/;
}

开启OCSP套件

# 开启OCSP装订 (和ssl_certificate配置在一起)
ssl_stapling on;
ssl_stapling_verify on;

验证，更换成自己的域名和端口即可

openssl s_client -connect httpsok.com:443 -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"

正常会看到 OCSP 的响应信息

➜  ~ openssl s_client -connect httpsok.com:443 -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
OCSP response: 
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
➜  ~

Nginx隐藏版本号

nginx配置文件里增加 server_tokens off;

server_tokens 作用域是 http server location语句块。

全局隐藏

http {
  server_tokens off;
}

server隐藏

server {
  server_tokens off;
}

location隐藏

location / {
  server_tokens off;
}

完整配置示例

完整配置示例

server {
    listen 80;
    listen  443 ssl;
    server_name yourdomain.com;
    
    # http自动跳转到https
    if ($scheme = http) {
        return 302 https://$host$request_uri;
    }
    
    ## SSL证书配置
    ssl_certificate certs/yourdomain.com.pem;
    ssl_certificate_key certs/yourdomain.com.key;
    
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000";
    
    # 访问日志
    access_log /var/log/nginx/yourdomain.com.https.log;
    
    # 静态文件
    location / {
        root /var/html/yourdomain.com/;
        index index.html;
    }
    
    # 后端API服务
    location /api/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_read_timeout 30;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
    }
}