nginx教程 (章亦春)
http://openresty.org/download/agentzh-nginx-tutorials-zhcn.html
参数
匹配规则
- condition:比较表达式 == ,!=
- ~:模式匹配,区分字符大小写
- ~*:模式匹配,不区分字符大小写
- !~:模式不匹配,区分大小写
- !~*:模式不匹配,不区分大小写
- 文件及目录存在性判断:
- f:!f(文件)
- e:!e(存在)
- d:!d(目录)
- x:!x(执 行)
nginx rewrite规则
域名跳转
输入www.benet.com,跳转到www.accp.com
server {
listen 80;
server_name www.benet.com benet.com;
charset utf-8;
access_log logs/benet.access.log access;
location / {
root /home/wwwroot/benet;
index index.php index.html;
}
if ($http_host = www.benet.com) {
rewrite (.*) http://www.accp.com permanent;
}
}
文件跳转
server {
listen 80;
server_name www.accp.com accp.com;
charset utf-8;
access_log logs/benet.access.log access;
location / {
root /home/wwwroot/accp;
index index.html index.php;
}
rewrite inde /indexa.html last;
}
单服务配置域名访问
这里域名是ip + 端口解析后的域名
是一个服务,不是web网站
是Hyperledger Explorer服务,类似的jenkins、gitlab、jira等服务也可以配置二级域名访问
用的是腾讯云解析的二级域名,申请的ssl免费证书
前面配置了很久都不行,最后是拷贝的腾讯云ssl证书配置官方文档的配置文件
以后任何都是找官方的正规,再凭经历经验修改
[root@VM_0_10_centos nginx]# cat cctc.cntracechain.com.conf
server {
#SSL 访问端口号为 443
listen 443 ssl;
#填写绑定证书的域名
server_name cctc.cntracechain.com;
#证书文件名称
ssl_certificate ssl/cctc.cntracechain.com/1_cctc.cntracechain.com_bundle.crt;
#私钥文件名称
ssl_certificate_key ssl/cctc.cntracechain.com/2_cctc.cntracechain.com.key;
ssl_session_timeout 5m;
#请按照以下协议配置
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#请按照以下套件配置,配置加密套件,写法遵循 openssl 标准。
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
#网站主页路径。此路径仅供参考,具体请您按照实际目录操作。
#root /var/www/cctc.cntracechain.com;
#index index.html index.htm;
proxy_pass http://127.0.0.1:9090/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
}
}
server {
if ($host = cctc.cntracechain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen *:80;
server_name cctc.cntracechain.com;
return 404; # managed by Certbot
}
server {
server_name jenkins.xxx.us;
# allow large uploads of files
#client_max_body_size 1G;
# optimize downloading files larger than 1G
#proxy_max_temp_file_size 2G;
location / {
# Use IPv4 upstream address instead of DNS name to avoid attempts by nginx to use IPv6 DNS lookup
proxy_pass http://127.0.0.1:9900/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto "https";
}
listen 443 ssl; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/jenkins.alphalion.us/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/jenkins.alphalion.us/privkey.pem; # managed by Certbot
}
server {
if ($host = jenkins.xxx.us) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen *:80;
server_name jenkins.xxx.us;
return 404; # managed by Certbot
}
反向代理
location /forum/ {
proxy_pass http://172.16.100.6:8080/bbs/; (不用端口也可以)
}
后端有“/”
http://www.magedu.com/forum/
---> http://172.16.100.6:8080/bbs/
locatio ~* ^/forum { (^:以什么开头的)
proxy_pass http://172.16.100.6:8080;
}
http://www.magedu.com/forum/
---> http://172.16.100.6:8080/forum/
负载均衡和动静分离
修改配置文件
改:# user nobody;
为:user nginx nginx;
#在 location / { 。。。 } 中添加以下内容中定义分发策略
location / {
root html;
index index.html index.htm;
if ($request_uri ~* \.html$){
proxy_pass http://htmlservers;
}
if ($request_uri ~* \.php$){
proxy_pass http://phpservers;
}
proxy_pass http://picservers;
}
#定义负载均衡设备的 Ip
#在配置文件 nginx.conf 的最后一行}前,添加以下内容:
upstream htmlservers { #定义负载均衡服务器组名称
server 192.168.10.30:80;
server 192.168.10.40:80;
}
upstream phpservers {
server 192.168.10.30:80;
server 192.168.10.40:80;
}
upstream picservers {
server 192.168.10.30:80;
server 192.168.10.40:80;
}
server {
listen 80;
server_name your.domain.name;
location / {
# 把跟路径下的请求转发给前端工具链(如gulp)打开的开发服务器
# 如果是产品环境,则使用root等指令配置为静态文件服务器
proxy_pass http://localhost:5000/;
}
location /api/ {
# 把 /api 路径下的请求转发给真正的后端服务器
proxy_pass http://localhost:8080/service/;
# 把host头传过去,后端服务程序将收到your.domain.name, 否则收到的是localhost:8080
proxy_set_header Host $http_host;
# 把cookie中的path部分从/api替换成/service
proxy_cookie_path /api /service;
# 把cookie的path部分从localhost:8080替换成your.domain.name
proxy_cookie_domain localhost:8080 your.domain.name
}
}
日志切割
日志切割(按天进行日志切割)
A.编写脚本
#!/bin/bash
year=`date +%Y`
month=`date +%m`
day=`date +%d`
logs_backup_path="/usr/local/nginx/logs_backup/$year$month" #日志存储路径
logs_path="/usr/local/nginx/logs/ #要切割的日志路径
logs_access="access" #要切割的日志
logs_error="error"
pid_path="/usr/local/nginx/logs/nginx.pid" #nginx的pid
[ -d $logs_backup_path ]||mkdir -p $logs_backup_path
rq=`date +%Y%m%d`
#mv ${logs_path}${logs_access}.log ${logs_backup_path}/${logs_access}_${rq}.log
mv ${logs_path}${logs_error}.log ${logs_backup_path}/${logs_error}_${rq}.log
kill -USR1 $(cat /usr/local/nginx/logs/nginx.pid)
做定时任务
crontab -e
59 23 * * * bash /usr/local/nginx/shell/cut_ngnix_log.sh #每天23:59分开始执行;
实际应用: shell+定时任务+nginx信号管理,完成日志按日期存储
分析思路:
凌晨00:00:01,把昨天的日志重命名,放在相应的目录下
再USR1信息号控制nginx重新生成新的日志文件
具体脚本:
#!/bin/bash
base_path='/usr/local/nginx/logs'
log_path=$(date -d yesterday +"%Y%m")
day=$(date -d yesterday +"%d")
mkdir -p $base_path/$log_path
mv $base_path/access.log $base_path/$log_path/access_$day.log
#echo $base_path/$log_path/access_$day.log
kill -USR1 `cat /usr/local/nginx/logs/nginx.pid`
定时任务
Crontab 编辑定时任务
01 00 * * * /xxx/path/b.sh 每天0时1分(建议在02-04点之间,系统负载小)
开启目录下载
server {
listen 80;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
location /download {
charset utf-8;
#root /data/; #root的意思是url 访问IP/download nginx会定向到本地目录/data/download/下。
alias /data/; #alias意思是url访问IP/download nginx会定向到本地目录/data/下。
}
########################################
server
{
listen 80;
listen 443 ssl http2;
server_name zs.cntracechain.com;
index index.php index.html index.htm default.php default.htm default.html;
root /data/web/zs.cntracechain.com;
location /fmapp {
root /data/web/zs.cntracechain.com;
}
}
nginx下配置多个项目
使用Nginx要在同一个域名下配置多个项目有两种方式:
1.nginx按不同的目录分发给不同的项目
2.启用二级域名,不同的项目分配不同的二级域名
1.Nginx按不同的目录分发给不同的项目
server {
listen 80;
server_name example.com;
location ^~ /project1 {
proxy_pass http://localhost:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ^~ /project2 {
proxy_pass http://localhost:8082;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location / {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
这里配置了三个项目:
http://example.com/project1路径分发到http://localhost:8081
http://example.com/project2路径分发到http://localhost:8082
其他路径分发到http://localhost:8080
2.启用二级域名,不同的项目分别不同的二级域名
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 80;
server_name project1.example.com;
location / {
proxy_pass http://localhost:8081;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 80;
server_name project2.example.com;
location / {
proxy_pass http://localhost:8082;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
注意:这三个项目属于不同的域名,项目之间通过http访问会存在跨域问题
nginx-https + tomcat-http
浏览器和 Nginx 之间走的 HTTPS 通讯,而 Nginx 到 Tomcat 通过 proxy_pass 走的是普通 HTTP 连接。
Nginx 端口 80/443,Tomcat 的端口 8080
upstream tomcat {
server 127.0.0.1:8080 fail_timeout=0;
}
# HTTPS server
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /Users/winterlau/Desktop/SSL/oschina.bundle.crt;
ssl_certificate_key /Users/winterlau/Desktop/SSL/oschina.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
# note, there is not SSL here! plain HTTP is used
proxy_pass http://tomcat;
}
}
# 其中最为关键的就是 ssl_certificate 和 ssl_certificate_key 这两项配置,其他的按正常配置。不过多了一个 proxy_set_header X-Forwarded-Proto https; 配置。
Nginx配置WebSocket
location /websocket/api/ {
proxy_pass http://127.0.0.1:38081/; ## 对应服务 或者 走网关
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
}
wss://wet-m-test.xdp8.cn/websocket/api/ 是通的
wss://wet-m-test.xdp8.cn/websocket/api/wet-message/api/websocket/10
这是wet-message 又多加了路径/api/websocket