An earlier post, LEMP Installation and Nginx Optimization, covered installing the LEMP stack and tuning Nginx. This post collects worked Nginx usage examples.

The virtual machine's IP address is 192.168.0.103.

Nginx Itself

Nginx Version Disables

The server_tokens directive of ngx_http_core_module controls whether the Nginx version is shown in the Server header and on error pages; the default is on (enabled).
Configure it in /etc/nginx/conf.d/default.conf:

server {
    listen 80;
    server_name localhost;
    server_tokens off;
    ...
}

Or set it in the http { } block of /etc/nginx/nginx.conf:

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ...
    server_tokens off;
    ....
}

The Server header before and after the change:

# default
$ curl -sI http://192.168.0.103 | grep -i server
Server: nginx/1.8.1

# after server_tokens off
$ curl -sI http://192.168.0.103 | grep -i server
Server: nginx

Note that server_tokens off only removes the version number: the Server header still says nginx and the default error pages still carry the nginx name, so this reduces casual fingerprinting rather than hiding the software. Removing the header entirely needs a rebuild or the third-party headers-more module, and the version can often be inferred from other signals anyway, so keeping the build patched matters far more than hiding the banner.

Nginx autoindex

The autoindex directive of ngx_http_autoindex_module (default off) produces a directory listing when a requested directory has no index file. Set it to on to enable it.

Configure in /etc/nginx/conf.d/default.conf:

server {
    listen 80;
    server_name localhost;
    server_tokens off;
    autoindex on;
    ...
}

Enabling it at server scope, as above, lists every directory that has no index file, including backups, .git/ checkouts and upload folders. Keep it off (the default) and turn it on only inside the specific location you intend to publish.

Nginx Activity Monitoring

Activity monitoring requires ngx_http_stub_status_module (the page-oriented ngx_http_status_module is a different, commercial module). Check whether the build includes it with nginx -V 2>&1 | grep -o with-http_stub_status_module; nginx -V prints to stderr, hence the redirect.

Note: in Bash 4 and later, |& is shorthand for 2>&1 |, so nginx -V |& grep -o with-http_stub_status_module also works.

A portable command is simply the 2>&1 form: every Bourne-style shell understands it, whereas |& is parsed by Bash before the command runs, so a command line containing it fails on Bash 3 no matter which branch of a version test is taken. A wrapper that picks one form based on the Bash version therefore gains nothing.

$ nginx -V 2>&1 | grep -o with-http_stub_status_module
with-http_stub_status_module

Configure in /etc/nginx/conf.d/default.conf:

location /nginx_status {
    stub_status on;
    access_log off;
    allow 192.168.0.107;   # IP allowed to read the page
    allow 127.0.0.1;
    deny all;
}

Open http://192.168.0.103/nginx_status in a browser:

Active connections: 2
server accepts handled requests
 10 10 8
Reading: 0 Writing: 1 Waiting: 1

Clients whose IP is not on the allow list get a 403. The page only exposes counters, but those still tell an attacker that the server is nginx with stub_status and how busy it is, so rely on the allow list (or on a listen address reachable only from the monitoring network) rather than on the path being unguessable.

The meaning of each counter is explained in LEMP Installation and Nginx Optimization.
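The status page is meant to be scraped. The following is an added example, not code from the original post: it parses the text shown above into counters and applies the two checks worth alerting on, accepts minus handled (connections nginx could not serve, typically a worker_connections or file-descriptor limit) and the consistency of the three state counters. Both input strings are constructed samples; the first reproduces the page above.

```python
import re

# Constructed samples. The first reproduces the status page shown above; the
# second shows two accepted connections that were never handled.
SAMPLE_OK = """Active connections: 2
server accepts handled requests
 10 10 8
Reading: 0 Writing: 1 Waiting: 1
"""

SAMPLE_DROPS = """Active connections: 5
server accepts handled requests
 1200 1198 3400
Reading: 1 Writing: 3 Waiting: 1
"""

STATUS_RE = re.compile(
    r"Active connections:\s*(?P<active>\d+)\s*\n"
    r"server accepts handled requests\s*\n"
    r"\s*(?P<accepts>\d+)\s+(?P<handled>\d+)\s+(?P<requests>\d+)\s*\n"
    r"Reading:\s*(?P<reading>\d+)\s+Writing:\s*(?P<writing>\d+)\s+Waiting:\s*(?P<waiting>\d+)"
)


def parse_stub_status(text):
    """Turn a stub_status page into a dict of integer counters.

    Raises ValueError when the text is not a stub_status page, e.g. the 403
    body returned to a client that is not on the allow list.
    """
    m = STATUS_RE.search(text)
    if m is None:
        raise ValueError("not a stub_status page")
    counters = {name: int(value) for name, value in m.groupdict().items()}
    # accepts minus handled is the number of connections nginx could not serve
    counters["dropped"] = counters["accepts"] - counters["handled"]
    return counters


def check_stub_status(text):
    """Return warning strings for a status page; an empty list means healthy."""
    c = parse_stub_status(text)
    warnings = []
    if c["dropped"] > 0:
        warnings.append(
            f"{c['dropped']} accepted connection(s) were dropped: "
            "check worker_connections and worker_rlimit_nofile"
        )
    # Each active connection is in exactly one of the three states. The
    # counters are not read atomically, so treat a one-off mismatch as noise
    # and a persistent one as a sign the page is not what you think it is.
    if c["active"] != c["reading"] + c["writing"] + c["waiting"]:
        warnings.append("active != reading + writing + waiting")
    return warnings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("drops", SAMPLE_DROPS)):
        print(name, parse_stub_status(sample), check_stub_status(sample))
```

To run it against a live server, pass the body of curl -s http://127.0.0.1/nginx_status to check_stub_status and alert when the list is non-empty; the dropped counter is cumulative since the last restart, so alert on its growth rather than on its absolute value.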

Nginx Auth Basic

Nginx supports password authentication through ngx_http_auth_basic_module. The main directives are auth_basic and auth_basic_user_file. The password file can be generated with the htpasswd command from Apache HTTP Server; the syntax is htpasswd -c -d /PATH/FROM/AUTH_FILE username, where -c creates the file (overwriting any existing content, so use it only for the first user) and -d hashes the password with crypt(). Be aware that -d is the weakest choice htpasswd offers: traditional DES crypt() uses only the first eight characters of the password and a 12-bit salt. Prefer the default apr1 MD5 format (-m), or bcrypt (-B, htpasswd 2.4 and later) where the system crypt() that nginx calls understands the $2y$ format; on older glibc-based systems it does not, so verify a bcrypt entry with curl before relying on it.

# create the password file
$ sudo htpasswd -c -d /etc/nginx/conf.d/auth_pwd vagrant
New password:
Re-type new password:
Adding password for user vagrant

# view its contents (the 13-character hash identifies the crypt() format)
$ cat auth_pwd
vagrant:/Xbe3Sp0P3Jxs

Configure in /etc/nginx/conf.d/default.conf, again using the status page as the example:

location /nginx_status {
    stub_status on;
    access_log off;
    allow 192.168.0.107;   # IP allowed to read the page
    allow 127.0.0.1;
    deny all;
    auth_basic "Please input your auth info";
    auth_basic_user_file /etc/nginx/conf.d/auth_pwd;
}

Opening http://192.168.0.103/nginx_status in a browser now produces a login prompt, and the page is shown only after the correct user name and password are entered. Two things to keep in mind. First, with both allow/deny and auth_basic present the default satisfy all applies: the client must be on the allow list and authenticate; satisfy any; would accept either. Second, Basic authentication only base64-encodes the credentials and resends them with every request, so use it only over HTTPS. Keep the password file outside the web root (the conf.d path above is fine, since the include conf.d/*.conf glob does not load it) and readable only by root and the worker user.
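A check for the password file itself, added here as an example and not part of the original post: it classifies each entry by the hash format htpasswd produced, flags the crypt() entries created with -d, unsalted {SHA} and {PLAIN} entries, empty password fields and duplicate user names (nginx stops at the first line whose user name matches), and, for a file on disk, warns when the mode lets other users read it. The sample contents are constructed; only the vagrant line comes from the page, and the other hashes are format examples rather than real credentials.

```python
import os
import re
import stat

# Constructed file contents. The vagrant line is the crypt() entry produced
# with htpasswd -d above; the others only illustrate the formats of -m, -B
# and -s and are not real credentials.
SAMPLE_HTPASSWD = """vagrant:/Xbe3Sp0P3Jxs
alice:$apr1$Zt1o4h6q$b2J5sVmSLd3Yk8w0Xs0iH1
bob:$2y$05$WQ1rJ9N8bGdV3N6gQm1wOuD7K0C5x5Q9nH0YQ8F1h4wQzX7lYfQmS
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:
alice:$apr1$Zt1o4h6q$b2J5sVmSLd3Yk8w0Xs0iH1
"""

# (scheme, pattern, verdict); "ok" means acceptable for a Basic-auth file
SCHEMES = (
    ("bcrypt", re.compile(r"^\$2[aby]\$\d\d\$"), "ok"),
    ("apr1-md5", re.compile(r"^\$apr1\$"), "ok"),
    ("sha512-crypt", re.compile(r"^\$6\$"), "ok"),
    ("sha256-crypt", re.compile(r"^\$5\$"), "ok"),
    ("ssha", re.compile(r"^\{SSHA\}"), "weak: single fast SHA-1, salted"),
    ("sha1", re.compile(r"^\{SHA\}"), "weak: unsalted SHA-1, trivially cracked"),
    ("plain", re.compile(r"^\{PLAIN\}"), "weak: password stored in clear text"),
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$"),
     "weak: crypt() uses only the first 8 password characters"),
)


def classify(hash_field):
    """Identify the hash format of one htpasswd password field."""
    for scheme, pattern, verdict in SCHEMES:
        if pattern.match(hash_field):
            return scheme, verdict
    return "unknown", "unrecognised format; check that nginx accepts it"


def audit_htpasswd_text(text):
    """Return (user, issue) findings for the contents of an htpasswd file."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep:
            findings.append((user, f"line {lineno}: no ':' separator"))
            continue
        if user in seen:
            findings.append((user, f"line {lineno}: duplicate user; nginx only checks the first entry"))
            continue
        seen.add(user)
        if not hashed:
            findings.append((user, "empty password field"))
            continue
        scheme, verdict = classify(hashed)
        if verdict != "ok":
            findings.append((user, f"{scheme}: {verdict}"))
    return findings


def audit_htpasswd_file(path):
    """Content audit plus a permission check for a file on disk."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_htpasswd_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(("<file>", f"mode {oct(mode)} is world-accessible; use 0640 root:nginx"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_htpasswd_text(SAMPLE_HTPASSWD):
        print(f"{user}: {issue}")
```

audit_htpasswd_file("/etc/nginx/conf.d/auth_pwd") is the call to run on the real host; the group name nginx in the permission message is an assumption about the worker user and should match the user directive of nginx.conf.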

Nginx Virtual Host

On the host machine (the laptop), add the following to /etc/hosts:

192.168.0.103 sun.com
192.168.0.103 moon.com

Restart networking with sudo systemctl restart network if you like (the hosts file is read on every lookup, so this is usually not necessary) and confirm with ping that both names resolve to the VM.

In the VM, create the virtual host file /etc/nginx/conf.d/vhosts.conf:

server {
    listen 80;
    server_name sun.com;
    index index.php index.html;
    root /usr/share/nginx/html/sun;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

server {
    listen 80;
    server_name moon.com;
    index index.php index.html;
    root /usr/share/nginx/html/moon;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Create an index.php in each directory:

sudo mkdir -pv /usr/share/nginx/html/{sun,moon}

$ cat /usr/share/nginx/html/sun/index.php
<?php
echo 'sun.com';
?>
$ cat /usr/share/nginx/html/moon/index.php
<?php
echo 'moon.com';
?>

Entering sun.com in the browser's address bar shows sun.com, and moon.com shows moon.com. Note that the first server block for a listen address acts as the default_server unless another block is marked as such: requests with an unknown or missing Host header (for example, probes by IP address) land there. In production, make the default a separate catch-all that returns 444 or 404 so that such requests never reach one of the real sites.

Alias With PHP

Once alias is used, PHP files in the aliased location are no longer handled correctly by the generic location ~ \.php$: its SCRIPT_FILENAME is built from $document_root$fastcgi_script_name, where $document_root is the server's root rather than the alias target, so the script is either reported as not found or handed to the browser as a download. The aliased directory needs its own fastcgi location; the configuration below follows nginx alias+location directive.

Disable /etc/nginx/conf.d/default.conf and create /etc/nginx/conf.d/vhosts.conf with the following:

server {
    listen 80;
    server_name localhost;
    index index.php index.html;
    root /usr/share/nginx/html;

    location /moon/ {
        alias /usr/share/nginx/html/sun/;
    }

    # fastcgi handling for the aliased directory
    location ~ ^/moon/(.+\.php)$ {
        # this alias overrides the server-level $document_root
        alias /usr/share/nginx/html/sun/;
        # no existence check here: with cgi.fix_pathinfo=1 in php.ini, PHP-FPM
        # may fall back to executing a non-.php file named earlier in the path;
        # add "if (!-f $request_filename) { return 404; }" or set cgi.fix_pathinfo=0
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$1;
        include fastcgi_params;
    }

    # this location does not apply to php files under /moon/
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Requesting http://192.168.0.103/moon in a browser shows the output of /usr/share/nginx/html/sun/index.php. Note the trailing slashes: the location prefix /moon/ and the alias path both end in /. If the prefix is written without one (location /moon) while the alias keeps it, a request for /moon../index.php is mapped to /usr/share/nginx/html/sun/../index.php, i.e. to a file outside the aliased directory; this off-by-slash pattern is one of the most common nginx alias mistakes, so the two must always match.

Get Real IP Addr

Two different modules are involved in seeing the real client address behind a proxy, depending on which side nginx is on. When nginx is the proxy, the proxy_set_header directive of ngx_http_proxy_module passes the connecting client's address on to the upstream, which otherwise only sees nginx's own address.

It can be used in http, server and location context:

http {

    ...
    ...
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    ...
    ...
}

The other module, ngx_http_realip_module, covers the opposite case: nginx itself sits behind a load balancer or CDN and every connection arrives from the proxy's address. set_real_ip_from lists the proxy addresses that are trusted, and real_ip_header X-Forwarded-For makes nginx replace $remote_addr (and with it what access logs, allow/deny and limit_req see) with an address taken from the header; with real_ip_recursive on the header is walked from the right past every trusted hop. The trust list is the important part: anyone can send an X-Forwarded-For header, so without it a client could choose its own logged address and bypass IP-based allow rules. The module is compiled in:

$ nginx -V 2>&1 | grep -o http_realip_module
http_realip_module

Nginx SSL Configuration

Serving a site over https with a TLS certificate is provided by ngx_http_ssl_module. The awkward part is doing it cleanly, that is, redirecting http to https automatically.

Write the following into /etc/nginx/conf.d/vhosts.conf:

server {
    listen 80;
    listen 443 default_server ssl;
    #server_name flying.com;
    server_name localhost;
    #ssl on;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key; # list of certificates will be sent to clients.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # 2016 baseline; on a current build use TLSv1.2 TLSv1.3
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_ecdh_curve secp384r1; # Specifies a curve for ECDHE ciphers.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key; #the list of certificates will not be sent to clients
    #ssl_stapling_verify on; # Enables verification of OCSP responses by the server
    #ssl_stapling on;
    #ssl_trusted_certificate /etc/nginx/ssl/nginx.crt;
    # Google DNS, Open DNS, Dyn DNS
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
    resolver_timeout 5s;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;


    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    index index.php index.html;
    root /usr/share/nginx/html;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

}

The cipher and header settings can be copied from https://cipherli.st/; the configuration follows letsencrypt-with-nginx.

Procedure references: Dealing with nginx 400 "The plain HTTP request was sent to HTTPS port" error, How to force or redirect to SSL in nginx?, and Pitfalls and Common Mistakes.

A few settings above deserve comment before they are copied to a real host. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 was the 2016 baseline; TLSv1 and TLSv1.1 have since been deprecated (RFC 8996), so a current build should use ssl_protocols TLSv1.2 TLSv1.3. The Strict-Transport-Security header with includeSubdomains and preload is a two-year commitment for the whole domain (browsers ignore it for the self-signed certificate used here, but not for a real one). OCSP stapling cannot work with a self-signed certificate, which is why those lines are commented out; with a real certificate, ssl_stapling_verify needs ssl_trusted_certificate pointing at the issuer chain. Finally, add_header directives are inherited by a location only if that location defines no add_header of its own, so a location that adds any header must repeat all of them.

Generate the self-signed certificate with:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj /CN=localhost -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Do not use ssl on: with listen 80 and listen 443 in the same server block it makes nginx expect TLS on port 80 as well, which produces the 400 "The plain HTTP request was sent to HTTPS port" error. Put the ssl parameter on the listen 443 line instead (see the listen directive in ngx_http_core_module); ssl on has been deprecated since nginx 1.15.0.

In return 301 https://$host$request_uri;, $host is used rather than $server_name because $server_name is always the first name of the server_name directive, which is wrong for a block serving several domains; return is used rather than rewrite or an if on $ssl_protocol because it is cheaper and has fewer side effects. Bear in mind that $host comes from the client's Host header: in a catch-all default server the redirect target is therefore attacker-chosen, so a block that is not tied to specific server_name values should redirect to a fixed host name instead.

In ssl_session_cache shared:SSL:10m;, the nginx documentation describes shared as follows (10m therefore holds roughly 10 * 4000 = 40,000 sessions):

a cache shared between all worker processes. The cache size is specified in bytes; one megabyte can store about 4000 sessions. Each shared cache should have an arbitrary name. A cache with the same name can be used in several virtual servers.

The dhparam.pem for ssl_dhparam is generated with openssl dhparam -out dhparam.pem 4096 (this takes several minutes).

The ticket.key for ssl_session_ticket_key is generated with openssl rand -out ticket.key 48; note the argument order, as newer OpenSSL releases expect the options before the byte count. The ticket key encrypts the resumable session state of every client, so it must not be readable by other users and should be rotated regularly: a long-lived static key file undermines forward secrecy if it ever leaks.

sudo mkdir -p /etc/nginx/ssl
sudo openssl rand -out /etc/nginx/ssl/ticket.key 48
sudo chmod 600 /etc/nginx/ssl/ticket.key   # added: the key must not be world-readable
sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

Load balance

Load balancing is provided by ngx_http_upstream_module.

Three VMs are used here: one as the load balancer (lb) and two as web servers (web1, web2).

  • lb: 192.168.0.103
  • web1: 192.168.0.121
  • web2: 192.168.0.122

Configure on lb:

upstream backend {
    server 192.168.0.121;
    server 192.168.0.122;
}

server {
    listen 80;
    server_name sun.com;
    location / {
        proxy_pass http://backend;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Reload nginx.

Configure on web1 and web2:

server {
    listen 80;
    server_name sun.com;
    root /usr/share/nginx/html;
}

Put different content into /usr/share/nginx/html/index.html on web1 and web2, then reload nginx.

On the host machine (the laptop), add to /etc/hosts:

192.168.0.103 sun.com

Restart the network service (or simply proceed; the hosts file is read on every lookup).

Enter sun.com in the browser and press F5 repeatedly: the content alternates between web1 and web2, which is the default round-robin distribution. Two practical notes: open-source nginx has no active health checks, so a backend is only taken out after max_fails failed requests within fail_timeout (defaults 1 and 10s); and the X-Real-IP header set by lb is only trustworthy if web1 and web2 accept connections from lb alone, since any client that can reach them directly can supply its own value.

Reverse Proxy

Continuing from the previous section, configure on lb:

server {
    listen 80;
    server_name sun.com;
    location / {
        proxy_pass http://192.168.0.122;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Reload nginx.

Entering sun.com in the browser now shows the content of host 192.168.0.122.

Domain Redirect

Domain redirects use the rewrite directive of ngx_http_rewrite_module. It takes one of four flags: last, break, redirect or permanent (see rewrite); last is typically used in server context and break inside a location.

Configure in /etc/nginx/conf.d/default.conf, here redirecting to https://lempstacker.com:

server {
    listen 80;
    server_name localhost;
    rewrite ^/ https://lempstacker.com;             # discards the request path
    #rewrite ^/(.*)$ https://lempstacker.com/$1;    # alternative that keeps the path

    .....
}

Entering 192.168.0.103 or the bound domain name in the browser redirects to https://lempstacker.com. Because a rewrite to an absolute URL is sent to the client as a redirect, the same thing can be written as return 301 https://lempstacker.com$request_uri;, which also preserves the path.

Permanent Redirect

The permanent flag returns status code 301:

server {
    listen 80;
    server_name localhost;
    rewrite ^/ https://lempstacker.com permanent;

    .....
}

Test with curl -I http://192.168.0.103; the 301 status is visible in the headers:

$ curl -I http://192.168.0.103
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Sun, 27 Mar 2016 07:31:30 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: https://lempstacker.com

Without the permanent flag the rewrite is a temporary redirect, status code 302:

$ curl -I http://192.168.0.103
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.8.1
Date: Sun, 27 Mar 2016 07:34:01 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: https://lempstacker.com

When a requested page does not exist you can either return a 404 or send the client to a chosen page, using if (!-f $request_filename) { }.

Here, requests for a non-existent .php page are redirected to info.php:

location ~ \.php$ {
    # try_files $uri =404;
    root /usr/share/nginx/html;
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    # "if" inside a location is fragile (see Pitfalls and Common Mistakes);
    # try_files $uri /info.php; expresses the same fallback without it
    if (!-f $request_filename) {
        rewrite \.php$ /info.php;
    }
}

With try_files $uri =404; a 404 is returned instead. That line is also the important security setting of every php location: it guarantees that the requested script exists before the request is handed to PHP-FPM, which defeats the cgi.fix_pathinfo trick where a request for /uploads/image.jpg/x.php would otherwise make PHP execute an uploaded image.jpg as a script.

$ curl -I http://192.168.0.103/llll.php
HTTP/1.1 404 Not Found
Server: nginx/1.8.1
Date: Sun, 27 Mar 2016 08:04:21 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive
Vary: Accept-Encoding

Static File Caching

Browser caching of static files is configured with the expires directive of ngx_http_headers_module:

location ~* \.(woff|eot|ttf|svg|mp4|webm|jpg|jpeg|png|gif|bmp|ico|css|js)$ {
    expires 365d;
}

The ~ after location marks the pattern as a regular expression, case-sensitive by default; adding * makes it case-insensitive. The dot before the extension list must be escaped (\.); an unescaped dot matches any character, so the pattern would also match names such as /xjs.

Gzip Compression

Nginx can compress responses using ngx_http_gzip_module (http://nginx.org/en/docs/http/ngx_http_gzip_module.html).

Configure in /etc/nginx/nginx.conf:

# gzip compression
gzip on;
gzip_vary on;
gzip_comp_level 5;
gzip_buffers 4 8k;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/css application/javascript application/x-javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;
gzip_disable "MSIE [1-6]\.";

Reload nginx and test with:

curl -H "Accept-Encoding: gzip" -I http://172.16.252.107/index.html

Without gzip the result is:

HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Thu, 24 Mar 2016 06:48:13 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 26 Jan 2016 15:03:41 GMT
Connection: keep-alive
ETag: "56a78acd-264"
Accept-Ranges: bytes

With gzip enabled the result is:

HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Thu, 24 Mar 2016 06:41:15 GMT
Content-Type: text/html
Last-Modified: Tue, 26 Jan 2016 15:03:41 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"56a78acd-264"
Content-Encoding: gzip

The Content-Encoding: gzip and Vary: Accept-Encoding headers are now present, and the ETag has become a weak one (W/...) because the compressed body differs from the stored file. One caveat for HTTPS sites: text/html is always compressed when gzip is on, regardless of gzip_types, and compressing a dynamic page that echoes attacker-controlled input next to a secret such as a CSRF token enables the BREACH attack. For such pages set gzip off in their location; static assets and script/style files, as listed above, are safe to compress.
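One way to confirm the effect of the settings discussed so far, added here as an example rather than taken from the original post: a small audit of a raw HTTP response that checks the points from Nginx Version Disables (no version in the Server header), Nginx SSL Configuration (the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options headers) and this section (Content-Encoding and Vary). The two responses are constructed from the curl output shown on this page; to audit a live server, feed it the output of curl -sI, which is the only assumption made about the input format.

```python
import re

# Constructed from the curl output shown on this page: the default build's
# response and a gzip-compressed response from the hardened SSL configuration.
LEAKY_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Thu, 24 Mar 2016 06:48:13 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Date: Thu, 24 Mar 2016 06:41:15 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
"""

MIN_HSTS_AGE = 15552000   # 180 days, the usual minimum for preload lists


def parse_response(raw):
    """Split a raw HTTP/1.x response head into (status_code, headers).

    Header names are lower-cased; repeated headers are joined with ", ".
    """
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of the head, body follows
        name, _, value = line.partition(":")
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return status, headers


def audit_response(raw, https=True, expect_gzip=False):
    """Return a list of findings; an empty list means every check passed."""
    _, h = parse_response(raw)
    findings = []
    server = h.get("server", "")
    if re.search(r"/\d", server):
        findings.append(f"Server header leaks the version: {server!r} (set server_tokens off)")
    if https:   # HSTS is only honoured on TLS responses, so only expect it there
        age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
        if age is None:
            findings.append("Strict-Transport-Security missing")
        elif int(age.group(1)) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age.group(1)} is below {MIN_HSTS_AGE}")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if expect_gzip:
        if h.get("content-encoding", "").lower() != "gzip":
            findings.append("response was not gzip-compressed")
        if "accept-encoding" not in h.get("vary", "").lower():
            findings.append("Vary: Accept-Encoding missing; caches may serve gzip to clients that cannot decode it")
    return findings


if __name__ == "__main__":
    print(audit_response(LEAKY_RESPONSE, https=False))
    print(audit_response(HARDENED_RESPONSE, expect_gzip=True))
```

Run it on every location, not only on /: because add_header is not inherited by a location that sets its own headers, a single location can silently lose the whole set.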

favicon.ico

To serve a favicon.ico, place it in the web root (/usr/share/nginx/html here) and configure in /etc/nginx/conf.d/default.conf:

server {
    ...

    location ~ ^/favicon\.ico$ {
        root /usr/share/nginx/html;
    }

    ...
}

That is all for now; more will be added later.

Example

Note: the example below is an earlier configuration; the current one is in LEMP Installation and Nginx Optimization.
A working setup from a personal VPS, bound to horsetong.com, with http and https handled in separate server blocks:

  • /etc/nginx/nginx.conf

    user nginx;
    worker_processes 2;

    pid /var/run/nginx.pid;

    events {
        worker_connections 65536;   # only effective with a matching worker_rlimit_nofile / ulimit -n
        use epoll;
        multi_accept on;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        charset utf-8;
        server_tokens off;
        autoindex off;

        # [debug|info|notice|warn|error|crit|alert|emerg]
        error_log /var/log/nginx/error.log warn;
        access_log /var/log/nginx/access.log combined if=$loggable;

        # Conditional logging: only requests that did not end in 2xx/3xx are logged
        map $status $loggable {
            ~^[23] 0;
            default 1;
        }

        log_format compression '$remote_addr - $remote_user [$time_local] '
                               '"$request" $status $body_bytes_sent '
                               '"$http_referer" "$http_user_agent" "$gzip_ratio"';

        # Keep alive
        keepalive_timeout 50;
        keepalive_requests 100000;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;

        # Buffer sizes
        client_body_buffer_size 128k;
        client_max_body_size 10m;
        client_header_buffer_size 1k;
        large_client_header_buffers 4 4k;
        output_buffers 1 32k;
        postpone_output 1460;

        # Timeouts (3m is generous: long header/body timeouts make slow-request DoS cheaper)
        client_header_timeout 3m;
        client_body_timeout 3m;
        send_timeout 90s;

        # Close connection on missing client response
        reset_timedout_connection on;

        # Static asset serving
        open_file_cache max=1000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 5;
        open_file_cache_errors off;

        # gzip compression
        gzip on;
        gzip_vary on;
        gzip_comp_level 5;
        gzip_buffers 4 8k;
        gzip_min_length 1000;
        gzip_proxied expired no-cache no-store private auth;
        gzip_types text/css application/javascript application/x-javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;
        gzip_disable "MSIE [1-6]\.";

        include /etc/nginx/conf.d/*.conf;

        # Access rules are checked in order and the first match wins, so the deny
        # lines must come before "allow all"; in the original order ("allow all"
        # first) they were never reached
        deny 45.78.0.196;
        deny 46.148.18.162;
        deny 120.76.114.191;
        deny 125.16.134.222;
        deny 54.201.111.164;
        deny 194.177.20.169;
        allow all;

        # proxy_set_header Host $host;
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  • /etc/nginx/conf.d/vhosts.conf

    server {
        listen 80 default_server;
        # server_name does not take a port: these names never match a Host
        # header, and the block only works because it is the default_server
        server_name horsetong.com:19999 www.horsetong.com:19999;
        root /usr/share/nginx/html;
        location / {
            proxy_pass http://127.0.0.1:19999;
            proxy_redirect off;
            #try_files $uri $uri/ =404;
        }

        # prefix without a trailing slash but alias with one: a request for
        # /resume../x maps to /usr/share/nginx/html/resume/../x; write the
        # prefix as /resume/ so that both end the same way
        location /resume {
            alias /usr/share/nginx/html/resume/;
            index index.php index.html index.htm;
            auth_basic "Please input your auth info";
            auth_basic_user_file /etc/nginx/conf.d/resume_auth_pwd;
            # if ($scheme = http) {
            #     return 301 https://$host$request_uri;
            # }
        }

        location /stub_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
    }


    server {
        #listen 80;
        listen 443 ssl;
        #listen 443 default_server ssl;

        server_name horsetong.com www.horsetong.com;
        #server_name localhost;

        #access_log /var/log/nginx/log/host.access.log main;
        root /usr/share/nginx/html;
        ssl_certificate /etc/letsencrypt/live/horsetong.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/horsetong.com/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # 2016 baseline; today use TLSv1.2 TLSv1.3
        ssl_prefer_server_ciphers on;
        #https://scotthelme.co.uk/doing-the-chacha-with-nginx/
        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH DHE-RSA-CHACHA20-POLY1305 EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED !CAMELLIA";
        ssl_ecdh_curve secp384r1; # Specifies a curve for ECDHE ciphers.
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets on;
        ssl_session_ticket_key /etc/nginx/ssl/ticket.key; #the list of certificates will not be sent to clients
        # verification of the stapled response requires ssl_trusted_certificate
        # pointing at the issuer chain; it is commented out below
        ssl_stapling_verify on; # Enables verification of OCSP responses by the server
        ssl_stapling on;
        #ssl_trusted_certificate /etc/nginx/ssl/nginx.crt;
        # Google DNS, Open DNS, Dyn DNS
        resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
        resolver_timeout 5s;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        #if ($scheme = http) {
        #    return 301 https://$host$request_uri;
        #}


        location / {
            try_files $uri $uri/ =404;
            index index.php index.html index.htm;
        }

        location ~ \.php$ {
            try_files $uri =404;
            #fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        location ~* \.(woff|eot|ttf|svg|mp4|webm|jpg|jpeg|png|gif|bmp|ico|css|js)$ {
            expires 365d;
            log_not_found off;
            access_log off;
        }

        # location /stub_status {
        #     stub_status on;
        #     access_log off;
        #     # auth_basic "Please input your auth info";
        #     # auth_basic_user_file /etc/nginx/conf.d/resume_auth_pwd;
        #     allow 127.0.0.1;
        #     #allow 192.168.0.0/24;
        #     deny all;
        #     if ($scheme = http) {
        #         return 301 https://$host$request_uri;
        #     }
        # }

        location ~ /.well-known {
            allow all;
        }

        location ~ ^/favicon\.ico$ {
            root /usr/share/nginx/html;
        }

        # same trailing-slash mismatch as in the port-80 block above
        location /resume {
            alias /usr/share/nginx/html/resume/;
            index index.php index.html index.htm;
            auth_basic "Please input your auth info";
            auth_basic_user_file /etc/nginx/conf.d/resume_auth_pwd;
        }
    }
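Several of the mistakes called out on this page (the alias trailing-slash rule from Alias With PHP, an allow all placed before the deny list as in the nginx.conf above, deprecated TLS versions in ssl_protocols, a missing server_tokens off) can be caught before nginx -t ever runs. The following static check is an added example, not code from the original post or from any nginx tool: a minimal parser for the directive/block syntax plus four rules. The configuration it runs on is a constructed excerpt stitched together from snippets on this page; the rule names are the example's own, and the parser deliberately ignores quoting corner cases that the real nginx parser handles.

```python
import re

TOKEN_RE = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def parse_nginx(text):
    """Parse nginx config text into nested (name, args, children) triples.

    children is None for a simple directive and a list for a block. This
    handles the directive shapes used on this page, not every quoting corner
    case of the real parser.
    """
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        items, words = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                items.append((words[0], words[1:], None))
                words = []
            elif tok == "{":
                name, args = words[0], words[1:]
                items.append((name, args, block()))
                words = []
            elif tok == "}":
                break
            else:
                words.append(tok.strip("\"'"))
        return items

    return block()


def flatten(items):
    for name, args, children in items:
        yield name, args, children
        if children:
            yield from flatten(children)


DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def lint(text):
    """Return (rule, detail) findings for an nginx configuration text."""
    findings = []
    tree = parse_nginx(text)

    def walk(items):
        allow_all_seen = False
        for name, args, children in items:
            if name == "allow" and args == ["all"]:
                allow_all_seen = True
            elif name == "deny" and allow_all_seen:
                findings.append(("allow_all_before_deny",
                                 f"deny {' '.join(args)} is unreachable: 'allow all' precedes it in the same block"))
            elif name == "ssl_protocols":
                old = [p for p in args if p in DEPRECATED_PROTOCOLS]
                if old:
                    findings.append(("weak_tls", "ssl_protocols enables deprecated " + " ".join(old)))
            elif name == "ssl" and args == ["on"]:
                findings.append(("ssl_on", "'ssl on' is deprecated; use 'listen 443 ssl'"))
            elif name == "location" and children is not None:
                # prefix locations only: "location /x" or "location ^~ /x"
                prefix = None
                if len(args) == 1 and not args[0].startswith(("~", "=")):
                    prefix = args[0]
                elif len(args) == 2 and args[0] == "^~":
                    prefix = args[1]
                if prefix:
                    for cname, cargs, _ in children:
                        if cname == "alias" and cargs and prefix.endswith("/") != cargs[0].endswith("/"):
                            findings.append(("alias_off_by_slash",
                                             f"location {prefix} with alias {cargs[0]}: prefix and alias must both "
                                             f"end with '/', otherwise {prefix}../ escapes the aliased directory"))
            if children is not None:
                walk(children)

    walk(tree)
    if not any(n == "server_tokens" and a == ["off"] for n, a, _ in flatten(tree)):
        findings.append(("server_tokens", "server_tokens off is not set anywhere"))
    return findings


# Constructed excerpt stitched together from snippets on this page.
SAMPLE_CONFIG = r"""
http {
    server_tokens off;
    allow all;
    deny 45.78.0.196;                 # from the nginx.conf example: never reached
    server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        location /moon/ {             # Alias With PHP: both end with '/'
            alias /usr/share/nginx/html/sun/;
        }
        location /resume {            # vhosts.conf example: off by slash
            alias /usr/share/nginx/html/resume/;
            auth_basic "Please input your auth info";
        }
        location ~ ^/moon/(.+\.php)$ { alias /usr/share/nginx/html/sun/; }
    }
}
"""

if __name__ == "__main__":
    for rule, detail in lint(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```

Feed it the concatenation of nginx.conf and conf.d/*.conf (include directives are not followed) and run it in the same place as nginx -t, for example before a reload in a deployment script.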

Extracting IP addresses from the access log. This needs gawk (PROCINFO["sorted_in"] is a gawk extension); flag=40 keeps only addresses with more than 40 requests:

awk -v flag=40 '{arr[$1]+=1}END{PROCINFO["sorted_in"]="@val_num_desc";for(i in arr) if(arr[i] > flag) {print i,arr[i]}}' /var/log/nginx/access.log
45.78.0.196 5307
80.91.178.234 1536
127.0.0.1 442
91.200.12.22 324
120.26.84.46 307
120.25.88.178 136
61.135.189.99 121
80.82.70.24 119
169.229.3.91 92
64.137.237.89 88
31.184.238.200 86
120.76.114.191 81
46.161.9.20 76
213.111.197.81 67
185.92.72.88 61
46.148.18.162 58
46.161.9.8 50
131.253.25.221 50
46.161.9.24 48
180.166.161.210 42
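The same count, plus the one piece of context needed to decide whether an address belongs in the deny list of the nginx.conf above, as an added example (not code from the original post): it parses the combined log format and reports, per address, the number of requests and the share of 4xx responses, which separates a busy legitimate client from a scanner walking through non-existent paths. The log lines are constructed for the example, using documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed access.log lines in nginx's default "combined" format
# (documentation-range addresses; the requests are invented).
SAMPLE_LOG = """\
203.0.113.9 - - [27/Mar/2016:07:31:30 +0000] "GET /wp-login.php HTTP/1.1" 404 168 "-" "python-requests/2.9"
203.0.113.9 - - [27/Mar/2016:07:31:31 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 168 "-" "python-requests/2.9"
203.0.113.9 - - [27/Mar/2016:07:31:32 +0000] "GET /admin/ HTTP/1.1" 404 168 "-" "python-requests/2.9"
203.0.113.9 - - [27/Mar/2016:07:31:33 +0000] "GET /.git/config HTTP/1.1" 404 168 "-" "python-requests/2.9"
198.51.100.4 - - [27/Mar/2016:07:32:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Mar/2016:07:32:01 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "http://sun.com/" "Mozilla/5.0"
198.51.100.4 - - [27/Mar/2016:07:32:02 +0000] "GET /index.php HTTP/1.1" 200 7 "http://sun.com/" "Mozilla/5.0"
127.0.0.1 - - [27/Mar/2016:07:33:00 +0000] "GET /nginx_status HTTP/1.1" 200 97 "-" "curl/7.29.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_combined(lines):
    """Yield a dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def top_talkers(lines, min_hits=1, max_4xx_ratio=0.5):
    """Per-IP request counts sorted descending, flagging error generators.

    Returns (ip, hits, err_ratio, flagged) tuples for addresses with at least
    min_hits requests; flagged is True when the share of 4xx responses exceeds
    max_4xx_ratio, the usual signature of path scanning.
    """
    hits = defaultdict(int)
    errors = defaultdict(int)
    for rec in parse_combined(lines):
        hits[rec["ip"]] += 1
        if rec["status"].startswith("4"):
            errors[rec["ip"]] += 1
    rows = []
    for ip, n in hits.items():
        if n >= min_hits:
            ratio = errors[ip] / n
            rows.append((ip, n, round(ratio, 2), ratio > max_4xx_ratio))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for ip, hits, ratio, flagged in top_talkers(SAMPLE_LOG.splitlines(), min_hits=2):
        print(f"{ip:16} {hits:6} 4xx={ratio:.2f} {'SCANNER' if flagged else ''}")
```

With the conditional logging of the nginx.conf above (2xx and 3xx responses are not logged) every logged request is already an error, so the ratio is only informative on a log written with the plain combined format; on that file, open(path) passed to top_talkers replaces SAMPLE_LOG.splitlines().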

Change Log

  • 2016.03.23 22:38 Wed Asia/Beijing
    • first draft completed
  • 2016.03.24 14:51 Thu Asia/Beijing
    • added Gzip Compression
  • 2016.03.27 18:48 Sun Asia/Beijing
    • added Nginx Version Disables, Nginx autoindex, Domain Redirect, Alias With PHP
  • 2016.03.28 11:18 Mon Asia/Beijing
    • added Nginx SSL Configuration
  • 2016.03.29 20:41 Tue Asia/Beijing
    • added favicon.ico
  • 2016.04.07 22:45 Thu Asia/Beijing
    • added Get Real IP Addr
  • 2016.06.21 11:39 Tue Asia/Shanghai
    • added the Example section

  • 2016.03.23 22:38 Wed
  • Note Location: Asia/Beijing
  • Writer: lempstacker