nginx教程 (章亦春)
http://openresty.org/download/agentzh-nginx-tutorials-zhcn.html
参数
匹配规则
- condition:比较表达式 == ,!=
- ~:模式匹配,区分字符大小写
- ~*:模式匹配,不区分字符大小写
- !~:模式不匹配,区分大小写
- !~*:模式不匹配,不区分大小写
- 文件及目录存在性判断:
- f:!f(文件)
- e:!e(存在)
- d:!d(目录)
- x:!x(执 行)
nginx rewrite规则
域名跳转
输入www.benet.com,跳转到www.accp.com
server {listen 80;server_name www.benet.com benet.com;charset utf-8;access_log logs/benet.access.log access;location / {root /home/wwwroot/benet;index index.php index.html;}if ($http_host = www.benet.com) {rewrite (.*) http://www.accp.com permanent;}}
文件跳转
server {listen 80;server_name www.accp.com accp.com;charset utf-8;access_log logs/benet.access.log access;location / {root /home/wwwroot/accp;index index.html index.php;}rewrite inde /indexa.html last;}
单服务配置域名访问
这里域名是ip + 端口解析后的域名是一个服务,不是web网站是Hyperledger Explorer服务,类似的jenkins、gitlab、jira等服务也可以配置二级域名访问用的是腾讯云解析的二级域名,申请的ssl免费证书前面配置了很久都不行,最后是拷贝的腾讯云ssl证书配置官方文档的配置文件以后任何都是找官方的正规,再凭经历经验修改[root@VM_0_10_centos nginx]# cat cctc.cntracechain.com.confserver {#SSL 访问端口号为 443listen 443 ssl;#填写绑定证书的域名server_name cctc.cntracechain.com;#证书文件名称ssl_certificate ssl/cctc.cntracechain.com/1_cctc.cntracechain.com_bundle.crt;#私钥文件名称ssl_certificate_key ssl/cctc.cntracechain.com/2_cctc.cntracechain.com.key;ssl_session_timeout 5m;#请按照以下协议配置ssl_protocols TLSv1 TLSv1.1 TLSv1.2;#请按照以下套件配置,配置加密套件,写法遵循 openssl 标准。ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;ssl_prefer_server_ciphers on;location / {#网站主页路径。此路径仅供参考,具体请您按照实际目录操作。#root /var/www/cctc.cntracechain.com;#index index.html index.htm;proxy_pass http://127.0.0.1:9090/;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto "https";}}server {if ($host = cctc.cntracechain.com) {return 301 https://$host$request_uri;} # managed by Certbotlisten *:80;server_name cctc.cntracechain.com;return 404; # managed by Certbot}
server {server_name jenkins.xxx.us;# allow large uploads of files#client_max_body_size 1G;# optimize downloading files larger than 1G#proxy_max_temp_file_size 2G;location / {# Use IPv4 upstream address instead of DNS name to avoid attempts by nginx to use IPv6 DNS lookupproxy_pass http://127.0.0.1:9900/;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto "https";}listen 443 ssl; # managed by Certbotinclude /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbotssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbotssl_certificate /etc/letsencrypt/live/jenkins.alphalion.us/fullchain.pem; # managed by Certbotssl_certificate_key /etc/letsencrypt/live/jenkins.alphalion.us/privkey.pem; # managed by Certbot}server {if ($host = jenkins.xxx.us) {return 301 https://$host$request_uri;} # managed by Certbotlisten *:80;server_name jenkins.xxx.us;return 404; # managed by Certbot}
反向代理
location /forum/ {proxy_pass http://172.16.100.6:8080/bbs/; (不用端口也可以)}后端有“/”http://www.magedu.com/forum/---> http://172.16.100.6:8080/bbs/locatio ~* ^/forum { (^:以什么开头的)proxy_pass http://172.16.100.6:8080;}http://www.magedu.com/forum/---> http://172.16.100.6:8080/forum/
负载均衡和动静分离
修改配置文件改:# user nobody;为:user nginx nginx;#在 location / { 。。。 } 中添加以下内容中定义分发策略location / {root html;index index.html index.htm;if ($request_uri ~* \.html$){proxy_pass http://htmlservers;}if ($request_uri ~* \.php$){proxy_pass http://phpservers;}proxy_pass http://picservers;}#定义负载均衡设备的 Ip#在配置文件 nginx.conf 的最后一行}前,添加以下内容:upstream htmlservers { #定义负载均衡服务器组名称server 192.168.10.30:80;server 192.168.10.40:80;}upstream phpservers {server 192.168.10.30:80;server 192.168.10.40:80;}upstream picservers {server 192.168.10.30:80;server 192.168.10.40:80;}
server {listen 80;server_name your.domain.name;location / {# 把跟路径下的请求转发给前端工具链(如gulp)打开的开发服务器# 如果是产品环境,则使用root等指令配置为静态文件服务器proxy_pass http://localhost:5000/;}location /api/ {# 把 /api 路径下的请求转发给真正的后端服务器proxy_pass http://localhost:8080/service/;# 把host头传过去,后端服务程序将收到your.domain.name, 否则收到的是localhost:8080proxy_set_header Host $http_host;# 把cookie中的path部分从/api替换成/serviceproxy_cookie_path /api /service;# 把cookie的path部分从localhost:8080替换成your.domain.nameproxy_cookie_domain localhost:8080 your.domain.name}}
日志切割
日志切割(按天进行日志切割)A.编写脚本#!/bin/bashyear=`date +%Y`month=`date +%m`day=`date +%d`logs_backup_path="/usr/local/nginx/logs_backup/$year$month" #日志存储路径logs_path="/usr/local/nginx/logs/ #要切割的日志路径logs_access="access" #要切割的日志logs_error="error"pid_path="/usr/local/nginx/logs/nginx.pid" #nginx的pid[ -d $logs_backup_path ]||mkdir -p $logs_backup_pathrq=`date +%Y%m%d`#mv ${logs_path}${logs_access}.log ${logs_backup_path}/${logs_access}_${rq}.logmv ${logs_path}${logs_error}.log ${logs_backup_path}/${logs_error}_${rq}.logkill -USR1 $(cat /usr/local/nginx/logs/nginx.pid)做定时任务crontab -e59 23 * * * bash /usr/local/nginx/shell/cut_ngnix_log.sh #每天23:59分开始执行;实际应用: shell+定时任务+nginx信号管理,完成日志按日期存储分析思路:凌晨00:00:01,把昨天的日志重命名,放在相应的目录下再USR1信息号控制nginx重新生成新的日志文件具体脚本:#!/bin/bashbase_path='/usr/local/nginx/logs'log_path=$(date -d yesterday +"%Y%m")day=$(date -d yesterday +"%d")mkdir -p $base_path/$log_pathmv $base_path/access.log $base_path/$log_path/access_$day.log#echo $base_path/$log_path/access_$day.logkill -USR1 `cat /usr/local/nginx/logs/nginx.pid`定时任务Crontab 编辑定时任务01 00 * * * /xxx/path/b.sh 每天0时1分(建议在02-04点之间,系统负载小)
开启目录下载
server {listen 80;server_name localhost;location / {root html;index index.html index.htm;}location /download {charset utf-8;#root /data/; #root的意思是url 访问IP/download nginx会定向到本地目录/data/download/下。alias /data/; #alias意思是url访问IP/download nginx会定向到本地目录/data/下。}########################################server{listen 80;listen 443 ssl http2;server_name zs.cntracechain.com;index index.php index.html index.htm default.php default.htm default.html;root /data/web/zs.cntracechain.com;location /fmapp {root /data/web/zs.cntracechain.com;}}
nginx下配置多个项目
使用Nginx要在同一个域名下配置多个项目有两种方式:1.nginx按不同的目录分发给不同的项目2.启用二级域名,不同的项目分配不同的二级域名1.Nginx按不同的目录分发给不同的项目server {listen 80;server_name example.com;location ^~ /project1 {proxy_pass http://localhost:8081;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}location ^~ /project2 {proxy_pass http://localhost:8082;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}location / {proxy_pass http://localhost:8080;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}}这里配置了三个项目:http://example.com/project1路径分发到http://localhost:8081http://example.com/project2路径分发到http://localhost:8082其他路径分发到http://localhost:80802.启用二级域名,不同的项目分别不同的二级域名server {listen 80;server_name example.com;location / {proxy_pass http://localhost:8080;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}}server {listen 80;server_name project1.example.com;location / {proxy_pass http://localhost:8081;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}}server {listen 80;server_name project2.example.com;location / {proxy_pass http://localhost:8082;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}}注意:这三个项目属于不同的域名,项目之间通过http访问会存在跨域问题
nginx-https + tomcat-http
浏览器和 Nginx 之间走的 HTTPS 通讯,而 Nginx 到 Tomcat 通过 proxy_pass 走的是普通 HTTP 连接。Nginx 端口 80/443,Tomcat 的端口 8080upstream tomcat {server 127.0.0.1:8080 fail_timeout=0;}# HTTPS serverserver {listen 443 ssl;server_name localhost;ssl_certificate /Users/winterlau/Desktop/SSL/oschina.bundle.crt;ssl_certificate_key /Users/winterlau/Desktop/SSL/oschina.key;ssl_session_cache shared:SSL:1m;ssl_session_timeout 5m;ssl_ciphers HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers on;location / {proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header Host $http_host;proxy_set_header X-Forwarded-Proto https;proxy_redirect off;proxy_connect_timeout 240;proxy_send_timeout 240;proxy_read_timeout 240;# note, there is not SSL here! plain HTTP is usedproxy_pass http://tomcat;}}# 其中最为关键的就是 ssl_certificate 和 ssl_certificate_key 这两项配置,其他的按正常配置。不过多了一个 proxy_set_header X-Forwarded-Proto https; 配置。
Nginx配置WebSocket
location /websocket/api/ {proxy_pass http://127.0.0.1:38081/; ## 对应服务 或者 走网关proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection "upgrade";proxy_set_header X-real-ip $remote_addr;proxy_set_header X-Forwarded-For $remote_addr;}wss://wet-m-test.xdp8.cn/websocket/api/ 是通的wss://wet-m-test.xdp8.cn/websocket/api/wet-message/api/websocket/10这是wet-message 又多加了路径/api/websocket
若有收获,就点个赞吧
0 人点赞
