nginx tutorial (章亦春)
http://openresty.org/download/agentzh-nginx-tutorials-zhcn.html

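Parameters

Matching rules

  • condition: comparison expressions, = and !=
  • ~: regex match, case-sensitive
  • ~*: regex match, case-insensitive
  • !~: regex does not match, case-sensitive
  • !~*: regex does not match, case-insensitive
  • File and directory existence tests:
    • -f / !-f (file)
    • -e / !-e (exists)
    • -d / !-d (directory)
    • -x / !-x (executable)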

nginx rewrite rules

Domain redirect

A request for www.benet.com is redirected to www.accp.com.

    server {
        listen 80;
        server_name www.benet.com benet.com;
        charset utf-8;
        access_log logs/benet.access.log access;
        location / {
            root /home/wwwroot/benet;
            index index.php index.html;
        }
        if ($http_host = www.benet.com) {
            rewrite (.*) http://www.accp.com permanent;
        }
    }

File redirect

    server {
        listen 80;
        server_name www.accp.com accp.com;
        charset utf-8;
        access_log logs/benet.access.log access;
        location / {
            root /home/wwwroot/accp;
            index index.html index.php;
        }
        rewrite inde /indexa.html last;
    }

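Domain access for a single service

  • The domain name here points at what was previously reached by IP + port.
  • It is a service, not a web site.
  • The service is Hyperledger Explorer; similar services such as jenkins, gitlab and jira can also be given a subdomain in the same way.
  • The subdomain is resolved through Tencent Cloud DNS, and the SSL certificate is a free one applied for there.
  • I spent a long time on configurations that did not work; in the end I copied the configuration file from Tencent Cloud's official SSL certificate documentation.
  • From now on, for anything, I start from the official, canonical source and then adjust it based on experience.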

    [root@VM_0_10_centos nginx]# cat cctc.cntracechain.com.conf
    server {
        # SSL port is 443
        listen 443 ssl;
        # Domain name the certificate is bound to
        server_name cctc.cntracechain.com;
        # Certificate file
        ssl_certificate ssl/cctc.cntracechain.com/1_cctc.cntracechain.com_bundle.crt;
        # Private key file
        ssl_certificate_key ssl/cctc.cntracechain.com/2_cctc.cntracechain.com.key;
        ssl_session_timeout 5m;
        # Configure the protocols as follows
        # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments usually list only TLSv1.2 and TLSv1.3.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Configure the cipher suites as follows; the syntax follows the OpenSSL standard.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        location / {
            # Site root path. This path is only an example; use your actual directory.
            #root /var/www/cctc.cntracechain.com;
            #index index.html index.htm;
            proxy_pass http://127.0.0.1:9090/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
        }
    }
    server {
        if ($host = cctc.cntracechain.com) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        listen *:80;
        server_name cctc.cntracechain.com;
        return 404; # managed by Certbot
    }

    server {
        server_name jenkins.xxx.us;
        # allow large uploads of files
        #client_max_body_size 1G;
        # optimize downloading files larger than 1G
        #proxy_max_temp_file_size 2G;
        location / {
            # Use IPv4 upstream address instead of DNS name to avoid attempts by nginx to use IPv6 DNS lookup
            proxy_pass http://127.0.0.1:9900/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto "https";
        }
        listen 443 ssl; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/jenkins.alphalion.us/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/jenkins.alphalion.us/privkey.pem; # managed by Certbot
    }
    server {
        if ($host = jenkins.xxx.us) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        listen *:80;
        server_name jenkins.xxx.us;
        return 404; # managed by Certbot
    }

Reverse proxy

    location /forum/ {
        proxy_pass http://172.16.100.6:8080/bbs/;  # also works without the port
    }

The backend address ends with "/":

    http://www.magedu.com/forum/
    ---> http://172.16.100.6:8080/bbs/

    location ~* ^/forum {  # ^ means "starts with"
        proxy_pass http://172.16.100.6:8080;
    }

    http://www.magedu.com/forum/
    ---> http://172.16.100.6:8080/forum/
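
The two mappings above follow from one rule, modelled here in Python as an added example (not code from the original page). The function name `upstream_url`, the query-string case and the "slash mismatch" case are constructed for illustration; the `/api/` case uses the `proxy_pass http://localhost:8080/service/` block shown later on this page.

```python
import re
from urllib.parse import urlsplit

def upstream_url(location, proxy_pass, request_uri, regex=False):
    """Model which URL nginx requests upstream for one location block.

    proxy_pass with a URI part (anything after host:port, even a bare "/"):
    the matched location prefix is replaced by that URI.
    proxy_pass without a URI part: the request URI is passed on unchanged.
    """
    target = urlsplit(proxy_pass)
    origin = f"{target.scheme}://{target.netloc}"
    path, sep, query = request_uri.partition("?")
    if regex:
        # nginx rejects a URI part on proxy_pass inside a regex location
        # (unless variables are used), so only the pass-through form exists.
        if target.path:
            raise ValueError("proxy_pass with a URI part in a regex location")
        if not re.search(location, path, re.IGNORECASE):
            raise ValueError("request does not match this location")
        return origin + request_uri
    if not path.startswith(location):
        raise ValueError("request does not match this location")
    if not target.path:
        return origin + request_uri
    return origin + target.path + path[len(location):] + sep + query

def page_cases():
    """The mappings from this page, plus one slash mismatch (constructed)."""
    backend = "http://172.16.100.6:8080"
    return {
        "prefix, URI part": upstream_url("/forum/", backend + "/bbs/", "/forum/t/1?p=2"),
        "regex, no URI part": upstream_url("^/forum", backend, "/forum/", regex=True),
        "api to service": upstream_url("/api/", "http://localhost:8080/service/", "/api/users"),
        # Constructed: location ends in "/" but the proxy_pass URI does not,
        # so the two path segments are glued together.
        "slash mismatch": upstream_url("/forum/", backend + "/bbs", "/forum/t/1"),
    }

if __name__ == "__main__":
    for name, url in page_cases().items():
        print(f"{name:20} -> {url}")
```

The "slash mismatch" result shows why the location prefix and the proxy_pass URI should either both end in "/" or both omit it.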

Load balancing and static/dynamic separation

Edit the configuration file.

Change:  # user nobody;
To:      user nginx nginx;

    # Add the following inside location / { ... } to define the dispatch policy
    location / {
        root html;
        index index.html index.htm;
        if ($request_uri ~* \.html$){
            proxy_pass http://htmlservers;
        }
        if ($request_uri ~* \.php$){
            proxy_pass http://phpservers;
        }
        proxy_pass http://picservers;
    }

    # Define the IPs of the load-balanced servers
    # Add the following before the closing } on the last line of nginx.conf:
    upstream htmlservers {  # name of the load-balanced server group
        server 192.168.10.30:80;
        server 192.168.10.40:80;
    }
    upstream phpservers {
        server 192.168.10.30:80;
        server 192.168.10.40:80;
    }
    upstream picservers {
        server 192.168.10.30:80;
        server 192.168.10.40:80;
    }

    server {
        listen 80;
        server_name your.domain.name;
        location / {
            # Forward requests under the root path to the development server started by the front-end toolchain (e.g. gulp)
            # In production, use root and related directives to act as a static file server instead
            proxy_pass http://localhost:5000/;
        }
        location /api/ {
            # Forward requests under /api to the real backend server
            proxy_pass http://localhost:8080/service/;
            # Pass the Host header through: the backend receives your.domain.name, otherwise it would receive localhost:8080
            proxy_set_header Host $http_host;
            # Rewrite the path attribute of cookies from /api to /service
            proxy_cookie_path /api /service;
            # Rewrite the domain attribute of cookies from localhost:8080 to your.domain.name
            proxy_cookie_domain localhost:8080 your.domain.name;
        }
    }

Log rotation

Log rotation (rotate the logs once a day)

A. Write the script

    #!/bin/bash
    year=`date +%Y`
    month=`date +%m`
    day=`date +%d`
    logs_backup_path="/usr/local/nginx/logs_backup/$year$month"  # where rotated logs are stored
    logs_path="/usr/local/nginx/logs/"                           # directory of the logs to rotate
    logs_access="access"                                         # log to rotate
    logs_error="error"
    pid_path="/usr/local/nginx/logs/nginx.pid"                   # nginx pid file
    [ -d "$logs_backup_path" ] || mkdir -p "$logs_backup_path"
    rq=`date +%Y%m%d`
    #mv "${logs_path}${logs_access}.log" "${logs_backup_path}/${logs_access}_${rq}.log"
    mv "${logs_path}${logs_error}.log" "${logs_backup_path}/${logs_error}_${rq}.log"
    # USR1 tells nginx to reopen its log files
    kill -USR1 "$(cat "$pid_path")"

Set up the scheduled task:

    crontab -e
    59 23 * * * bash /usr/local/nginx/shell/cut_ngnix_log.sh  # runs every day at 23:59

In practice: shell + scheduled task + nginx signal handling, to store logs by date.

Approach:
At 00:00:01, rename yesterday's log and move it into the corresponding directory,
then use the USR1 signal to make nginx create a new log file.

The script:

    #!/bin/bash
    base_path='/usr/local/nginx/logs'
    log_path=$(date -d yesterday +"%Y%m")
    day=$(date -d yesterday +"%d")
    mkdir -p "$base_path/$log_path"
    mv "$base_path/access.log" "$base_path/$log_path/access_$day.log"
    #echo $base_path/$log_path/access_$day.log
    kill -USR1 `cat /usr/local/nginx/logs/nginx.pid`

Scheduled task

Edit the scheduled task with crontab:

    01 00 * * * /xxx/path/b.sh  # every day at 00:01 (02:00-04:00 is recommended, when system load is low)

Enable directory download

    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        location /download {
            charset utf-8;
            #root /data/;  # with root, a request for IP/download is mapped to the local directory /data/download/
            alias /data/;  # with alias, a request for IP/download is mapped to the local directory /data/
        }
    }
    ########################################
    server
    {
        listen 80;
        listen 443 ssl http2;
        server_name zs.cntracechain.com;
        index index.php index.html index.htm default.php default.htm default.html;
        root /data/web/zs.cntracechain.com;
        location /fmapp {
            root /data/web/zs.cntracechain.com;
        }
    }
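
In the `/download` block above, the location prefix has no trailing slash while the alias has one. nginx substitutes the alias for the matched prefix, so the two should agree on the trailing slash, otherwise request paths can resolve outside the intended directory. The check below is an added example (not from the original page); the function name and the sample blocks other than `/download` are constructed.

```python
import re

# A location block without nested braces: optional modifier, prefix, body.
LOCATION_RE = re.compile(
    r"\blocation\s+(?:(?P<mod>=|\^~|~\*|~)\s+)?(?P<prefix>[^\s{]+)\s*\{(?P<body>[^{}]*)\}"
)
ALIAS_RE = re.compile(r"^\s*alias\s+(?P<path>[^;\s]+)\s*;", re.MULTILINE)

def alias_slash_mismatches(conf):
    """Return (location, alias, suggested fix) for each prefix location whose
    trailing slash disagrees with the trailing slash of its alias."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments first
    findings = []
    for loc in LOCATION_RE.finditer(conf):
        if loc.group("mod") in ("~", "~*"):
            continue  # regex locations map through captures, not prefixes
        alias = ALIAS_RE.search(loc.group("body"))
        if alias is None:
            continue
        prefix, path = loc.group("prefix"), alias.group("path")
        if prefix.endswith("/") == path.endswith("/"):
            continue
        if path.endswith("/"):
            fix = f"location {prefix}/"
        else:
            fix = f"alias {path}/"
        findings.append((prefix, path, fix))
    return findings

# Constructed sample: the /download block from this page plus two made-up blocks.
SAMPLE_CONF = """
server {
    location / { root html; index index.html index.htm; }
    location /download {
        charset utf-8;
        #root /data/;
        alias /data/;
    }
    location /static/ { alias /srv/static/; }
    location ^~ /img/ { alias /srv/images; }
}
"""

if __name__ == "__main__":
    for prefix, path, fix in alias_slash_mismatches(SAMPLE_CONF):
        print(f"location {prefix} with alias {path}: use '{fix}'")
```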

Configuring multiple projects under nginx

There are two ways to serve multiple projects under the same domain with Nginx:
1. Nginx dispatches different directories to different projects
2. Enable subdomains and give each project its own subdomain

1. Nginx dispatches different directories to different projects

    server {
        listen 80;
        server_name example.com;
        location ^~ /project1 {
            proxy_pass http://localhost:8081;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location ^~ /project2 {
            proxy_pass http://localhost:8082;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

Three projects are configured here:
The path http://example.com/project1 is dispatched to http://localhost:8081
The path http://example.com/project2 is dispatched to http://localhost:8082
All other paths are dispatched to http://localhost:8080

2. Enable subdomains and give each project its own subdomain

    server {
        listen 80;
        server_name example.com;
        location / {
            proxy_pass http://localhost:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    server {
        listen 80;
        server_name project1.example.com;
        location / {
            proxy_pass http://localhost:8081;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    server {
        listen 80;
        server_name project2.example.com;
        location / {
            proxy_pass http://localhost:8082;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

Note: these three projects are on different domains, so HTTP requests between the projects run into cross-origin issues.

nginx-https + tomcat-http

The browser and Nginx communicate over HTTPS, while Nginx reaches Tomcat through proxy_pass over a plain HTTP connection.
Nginx uses ports 80/443; Tomcat uses port 8080.

    upstream tomcat {
        server 127.0.0.1:8080 fail_timeout=0;
    }
    # HTTPS server
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /Users/winterlau/Desktop/SSL/oschina.bundle.crt;
        ssl_certificate_key /Users/winterlau/Desktop/SSL/oschina.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_redirect off;
            proxy_connect_timeout 240;
            proxy_send_timeout 240;
            proxy_read_timeout 240;
            # note, there is no SSL here! plain HTTP is used
            proxy_pass http://tomcat;
        }
    }

The most important settings are ssl_certificate and ssl_certificate_key; everything else is configured as usual, apart from the additional proxy_set_header X-Forwarded-Proto https; line.

Configuring WebSocket in Nginx

    location /websocket/api/ {
        proxy_pass http://127.0.0.1:38081/;  # the target service, or go through the gateway
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-real-ip $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

wss://wet-m-test.xdp8.cn/websocket/api/ connects successfully.
wss://wet-m-test.xdp8.cn/websocket/api/wet-message/api/websocket/10
Here wet-message adds the further path /api/websocket.