Nginx实用配置
添加ssl证书
温馨提示
对于httpsok用户,直接复制下面的配置,替换掉域名即可。
ssl证书文件不存在也没有关系,申请成功后会自动签发最新证书。
nginx
server {
listen 443 ssl;
server_name yourdomain.com;
# 设置ssl证书文件路径
ssl_certificate certs/yourdomain.com.pem;
ssl_certificate_key certs/yourdomain.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000";
# 访问日志
access_log /var/log/nginx/yourdomain.com.https.log;
location / {
root /var/html/yourdomain.com/;
index index.html;
}
}nginx
listen 443 ssl;
server_name yourdomain.com;
ssl_certificate certs/yourdomain.com.pem;
ssl_certificate_key certs/yourdomain.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000";http重定向https
一般设置了https之后,需要将之前的http请求重定向到https
nginx
server {
listen 80;
server_name yourdomain.com;
rewrite ^(.*)$ https://$host$1 redirect; # 临时重定向 302
#rewrite ^(.*)$ https://$host$1 permanent; # 永久重定向 301
}后端服务接口
nginx
location /v1/ {
proxy_pass http://127.0.0.1:8080/;
proxy_read_timeout 30;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header REMOTE-HOST $remote_addr;
}最佳实践
/结束,请求转发到后端服务器后,不会携带 /v1/。
访问日志
nginx
access_log /var/log/nginx/yourdomain.com.https.log;请求体大小
nginx
client_max_body_size 20m;H5自动适配
通过修改变量$html_root来返回和调整不同的页面地址内容
nginx
# 前端页面
set $html_root /var/html/yourdomain.com/;
# H5自动适配
if ($http_user_agent ~* (mobile|nokia|iphone|ipad|android|samsung|htc|blackberry)) {
set $html_root /var/html/yourdomain.com/h5/;
}
location / {
root $html_root/www/;
index index.html;
try_files $uri $uri/ /index.html;
}
location /admin/ {
root $html_root;
index index.html;
try_files $uri $uri/ /admin/index.html;
}bash
/var/html/yourdomain.com/
├── admin
│ └── index.html
├── www
│ └── index.html
└── h5
├── admin
│ └── index.html
└── www
└── index.html微信授权
nginx
location ~ .*.(txt) {
root /etc/nginx/text;
}WebSocket
nginx
location /v1/ {
proxy_pass http://127.0.0.1:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}nginx
proxy_http_version 1.1;
proxy_set_header Connection "Upgrade";
proxy_set_header Upgrade $http_upgrade;SSE
nginx
location /sse/ {
proxy_buffering off;
proxy_pass http://127.0.0.1:8080/;
}开启gzip
nginx
gzip on;
gzip_min_length 10k;
gzip_buffers 4 16k;
gzip_comp_level 5;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
gzip_vary off;
gzip_disable "MSIE [1-8]\.";静态资源缓存
nginx
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}开启OCSP套件
bash
# 开启OCSP装订 (和ssl_certificate配置在一起)
ssl_stapling on;
ssl_stapling_verify on;验证,更换成自己的域名和端口即可
bash
openssl s_client -connect httpsok.com:443 -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"正常会看到 OCSP 的响应信息
bash
➜ ~ openssl s_client -connect httpsok.com:443 -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
OCSP response:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
➜ ~