Nginx 配置整理
linux : nginx -s reload
windows :在 nginx 目录下执行 `nginx -s reload` 同样可用;如果配置仍未生效,去任务管理器搜索 nginx,结束全部 nginx.exe 进程后再重新启动。
IP传递(代理java接口)
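# Reverse-proxy a Java API and pass the client address along.
# Fixed against the original: "zproxy_set_header" (typo, unknown directive) and a "//" comment
# (nginx has no "//" syntax; it was parsed as a directive named "//") both made nginx -t fail.
location /test/ {
    proxy_pass http://localhost:9002/;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $server_name;
    # Constant value: only correct when this server block itself terminates TLS; use $scheme otherwise.
    proxy_set_header X-Forwarded-Proto https;
    # Taken from the TCP peer address, so the backend may trust it if nginx is its only entry point.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE_ADDR $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client sent,
    # so the leftmost entry is client-controlled. Use $remote_addr instead if the backend must
    # rely on this header for access control.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # WebSocket upgrade. The original also carried a (commented-out) Connection "" variant;
    # only the upgrade form is kept here, matching the other proxy blocks in this file.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}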
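/**
 * Resolve the originating client IP for a request that reached this application through a
 * reverse proxy (tested with the nginx snippet below, which sets X-Real-IP and X-Forwarded-For
 * from {@code $remote_addr}):
 * <pre>
 * location /test/ {
 *     proxy_pass http://localhost:9002/;
 *     proxy_set_header Host $host;
 *     proxy_set_header X-Forwarded-Host $server_name;
 *     proxy_set_header X-Real-IP $remote_addr;
 *     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 * }
 * </pre>
 * Lookup order: first entry of X-Forwarded-For, then X-Real-IP, then the TCP peer address.
 * A header that is absent, blank or equal to the {@code UNKNOWN} sentinel is skipped; an
 * X-Forwarded-For whose first element is empty (e.g. ",1.2.3.4") no longer yields "" but
 * falls through to the next source.
 * <p>
 * NOTE(review): X-Forwarded-For is client-supplied. With {@code $proxy_add_x_forwarded_for}
 * nginx only appends its own value, so the leftmost entry returned here can be whatever the
 * caller chose to send. Do not use this value for access control, rate limiting or audit
 * unless the edge proxy overwrites the header ({@code proxy_set_header X-Forwarded-For
 * $remote_addr}) and the application is unreachable except through that proxy; X-Real-IP as
 * set by nginx from {@code $remote_addr} is the trustworthy one in that deployment.
 *
 * @param request the incoming request
 * @return the resolved client IP; never null, falls back to {@code request.getRemoteAddr()}
 */
public static String getPoxyIp(HttpServletRequest request) {
    String forwarded = usableHeader(request.getHeader("X-Forwarded-For"));
    if (forwarded != null) {
        // Each proxy hop appends ", <addr>"; the first element is the one furthest from us.
        int comma = forwarded.indexOf(',');
        String first = (comma == -1 ? forwarded : forwarded.substring(0, comma)).trim();
        if (!first.isEmpty()) {
            return first;
        }
    }
    String real = usableHeader(request.getHeader("X-Real-IP"));
    if (real != null) {
        return real;
    }
    return request.getRemoteAddr();
}

/** Trims a header value; returns null when it is absent, blank or the UNKNOWN sentinel. */
private static String usableHeader(String header) {
    if (header == null) {
        return null;
    }
    String value = header.trim();
    if (value.isEmpty() || UNKNOWN.equalsIgnoreCase(value)) {
        return null;
    }
    return value;
}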
流穿透
我使用的是 openresty 自带 stream模块
原生 nginx 请参考官方文档:需要编译时带 --with-stream 参数,而且 stream {} 块要放在 nginx.conf 顶层、与 http {} 平级,不能写在 http {} 里面。下面的配置我没有实测过,是从网上整理来的。
mysql redis
mysql
# Layer-4 pass-through to MySQL. The stream {} block sits at the top level of nginx.conf,
# next to http {}, not inside it.
stream {
    upstream mysql {
        # Pin each client address to the same backend (consistent hashing);
        # $binary_remote_addr works as the key as well.
        hash $remote_addr consistent;
        server 127.0.0.1:3306 weight=5 max_fails=3 fail_timeout=30s;
    }

    server {
        listen 3317;                 # port the database is exposed on
        proxy_connect_timeout 10s;
        # Idle timeout between client and upstream: the session is dropped after 5 minutes without traffic.
        proxy_timeout 300s;
        proxy_pass mysql;
        # NOTE(review): this listens on every interface with no access control, so MySQL's own
        # authentication is the only barrier. Bind to a specific address (e.g. listen 10.0.0.5:3317;)
        # or restrict callers with allow/deny (ngx_stream_access_module) before exposing it.
    }
}
redis
# Layer-4 pass-through to Redis.
stream {
    upstream redis {
        server 127.0.0.1:6379 max_fails=3 fail_timeout=30s;
    }

    server {
        listen 6616;
        proxy_connect_timeout 1s;
        # Very short idle timeout: any client that goes quiet for 3s is disconnected.
        proxy_timeout 3s;
        proxy_pass redis;
        # NOTE(review): Redis without requirepass accepts any command from anyone who can reach
        # this port. Bind to an internal address or add allow/deny rules; do not leave it open.
    }
}
http 自动导向https
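# Redirect every request to HTTPS. "return 301" is the form nginx recommends over a catch-all
# rewrite: no regex evaluation, and the intent is explicit.
# $server_name (not $host) is used on purpose: a forged Host header cannot steer the redirect
# to another site.
return 301 https://$server_name$request_uri;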
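# nginx: redirect http to https, then terminate TLS and proxy to the app on 8081.
server {
    listen 80;
    server_name nexus.tannn.cn;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    # $server_name (not $host) on purpose: a forged Host header cannot redirect elsewhere.
    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen 443 ssl;
    server_name xx.cn;
    # NOTE(review): the .pem and .key names differ (xx.cn vs xx.tannn.cn); confirm the key
    # really belongs to this certificate.
    ssl_certificate /usr/local/openresty/nginx/xx.cn_nginx/xx.cn.pem;
    ssl_certificate_key /usr/local/openresty/nginx/xx.cn_nginx/xx.tannn.cn.key;
    # Added: no ssl_protocols was set, so the build default applied (which can still include
    # TLSv1/TLSv1.1 on older nginx/OpenSSL). Pin to the versions that are not deprecated.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    client_max_body_size 500M;
    # HIGH:!aNULL:!MD5 still permits RSA-key-exchange (no forward secrecy) and CBC suites;
    # prefer an ECDHE-only list if your clients allow it.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:8081/;
        proxy_set_header X-Forwarded-Proto https;   # this block is TLS-only, so a constant is correct
        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        # The original declared Connection twice ("" and "upgrade"); keeping only the WebSocket
        # form removes the ambiguity about which one is sent and matches the other blocks here.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}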
https 配置 (SSL)
🧅 listen
🧅 ssl_certificate
🧅 ssl_certificate_key
🧅 proxy_set_header X-Forwarded-Proto https;
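# TLS termination in front of the app on 8081.
server {
    listen 443 ssl;
    server_name xx.cn;
    # NOTE(review): the .pem and .key names differ (xx.cn vs xx.tannn.cn); confirm the key
    # really belongs to this certificate.
    ssl_certificate /usr/local/openresty/nginx/xx.cn_nginx/xx.cn.pem;
    ssl_certificate_key /usr/local/openresty/nginx/xx.cn_nginx/xx.tannn.cn.key;
    # Added: pin the TLS versions instead of inheriting the build default, which may still
    # allow TLSv1/TLSv1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    client_max_body_size 500M;
    # HIGH:!aNULL:!MD5 still allows non-forward-secret and CBC suites; an ECDHE-only list is stronger.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:8081/;
        proxy_set_header X-Forwarded-Proto https;   # TLS-only block, so the constant is correct
        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        # The original set Connection twice ("" and "upgrade"); only the WebSocket form is kept.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}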
纯静态
# Serve a static tree from its common root directory under the /bistdashboard/ URL prefix.
# Directory layout:
#   bistdashboard/html/xx.html
#   bistdashboard/js/xx.js
#   bistdashboard/css/xx.css
# Example: http://127.0.0.1:80/bistdashboard/html/index.html
#   -> /home/detabes/softwares/bist-dashboard/html/index.html
location /bistdashboard/ {
    # Location and alias both end in "/": this is the safe pairing. A slash-less location with a
    # slash-terminated alias would let "/bistdashboard../" escape the directory.
    alias /home/detabes/softwares/bist-dashboard/;
}
VUE静态文件
# nginx - vue: the "tn" prefix of /tn/index.html must also appear in the location.
location /tn {
    alias /tn/tn/admin/dist;
    index index.html;
    # SPA fallback: paths that do not exist on disk get index.html so the client-side router runs.
    try_files $uri $uri/ /tn/index.html;
    # NOTE(review): a prefix location without a trailing slash also matches /tnanything and maps
    # it to /tn/tn/admin/distanything. "location /tn/ { alias /tn/tn/admin/dist/; }" is the
    # tighter form, but then a bare /tn no longer matches this block.
}
h5
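# Static H5 build served under /mobile/.
# Fixed: the original "location /mobile" with "alias C:/detabes/web/h5/" is the classic alias
# traversal: "/mobile../x" matched the prefix and became C:/detabes/web/h5/../x, so any file
# under C:/detabes/web/ was readable. With the trailing slash on both sides that request no
# longer matches this location. (A bare "/mobile" without the slash also stops matching; add a
# redirect for it if it is needed.)
location /mobile/ {
    alias C:/detabes/web/h5/;
    index index.html;
    # SPA fallback for client-side routes.
    try_files $uri $uri/ /mobile/index.html;
}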
minio
# Reverse proxy in front of MinIO: API/console on 9100, object storage on 9000.
server {
    listen 80;
    server_name xx.com;

    # MinIO needs headers containing special characters. This disables nginx's header
    # validation for the whole server, so keep it confined to the MinIO vhost.
    ignore_invalid_headers off;
    # 0 = no request-body limit. Set e.g. 1000m to cap upload size.
    client_max_body_size 0;
    # Stream bodies straight through instead of spooling them in nginx.
    proxy_buffering off;

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        # From the MinIO template. real_ip_header only acts on peers listed in set_real_ip_from;
        # with none configured it is a no-op here. Never pair it with set_real_ip_from 0.0.0.0/0,
        # which would let any client spoof its address.
        real_ip_header X-Real-IP;
        proxy_connect_timeout 300;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        chunked_transfer_encoding off;
        proxy_pass http://127.0.0.1:9100;
    }

    # /files/<bucket>/<object> -> /<bucket>/<object> on the storage port.
    location ~^/files {
        proxy_buffering off;
        proxy_set_header Host $http_host;
        rewrite ^/files/(.*)$ /$1 break;
        proxy_pass http://127.0.0.1:9000;
    }
}
console地址
# MinIO console behind the proxy.
location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-NginX-Proxy true;
    # Only meaningful together with set_real_ip_from (none is configured here, so it is inert);
    # do not trust 0.0.0.0/0 or clients can forge X-Real-IP.
    real_ip_header X-Real-IP;
    proxy_connect_timeout 300;
    # WebSocket support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    chunked_transfer_encoding off;
    proxy_pass http://console.com;
}
file地址
非Root配置
# Non-root mount without rewriting: the /files prefix is forwarded to MinIO as part of the path.
location ~^/files {
    proxy_buffering off;
    proxy_set_header Host $http_host;
    proxy_pass http://localhost:9000;
}
标准的Root配置
# Standard root mount: the whole vhost is MinIO.
server {
    listen 80;
    server_name example.com;

    location / {
        # MinIO signs requests against the Host header, so pass the original one through.
        proxy_set_header Host $http_host;
        proxy_pass http://localhost:9000;
    }
}
使用Rewrite的非Root配置 - 一般用这个
# Non-root mount with rewrite: /files/<bucket>/<object> is forwarded as /<bucket>/<object>.
location ~^/files {
    proxy_buffering off;
    proxy_set_header Host $http_host;
    # Strip the /files prefix; "break" stops further rewriting and proxies the result.
    rewrite ^/files/(.*)$ /$1 break;
    proxy_pass http://localhost:9000;
}
限制文件大小
# Request-size limit — set in the http {} context so it applies to every server block.
http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;

    # Largest accepted request body; anything bigger gets 413.
    client_max_body_size 1024M;
    # Idle keep-alive timeout (seconds). 30 minutes lets every idle client hold a connection that
    # long, which makes connection exhaustion easy; the nginx default is 75.
    keepalive_timeout 1800;
    #gzip on;
}
负载均衡
- 权重
- weight (数字越大访问比例越高) : weight和访问比率成正比
- ip_hash(可以和weight配合使用):每个请求根据访问 IP 的 hash 结果分配,这样每个访客固定访问同一个后端服务。注意指令名是 `ip_hash`,下面示例里写成 `iphash` 会让 nginx 启动时报 unknown directive;另外它按客户端 IP 分配,如果 nginx 前面还有一层代理,所有请求会被分到同一台后端。
- least_conn(least_conn可以和weight配合使用):将请求分配到连接数最少的服务上
- fair(可以和weight配合使用):按后端服务器的响应时间来分配请求,响应时间短的优先分配。注意 fair 不是 nginx 自带指令,需要第三方 nginx-upstream-fair 模块,原版 nginx 直接写会报错。
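# Two backends, sticky per client IP, weighted 1:2.
upstream www.api.com {
    # Fixed: the directive is ip_hash — the original "iphash" is an unknown directive and nginx
    # refuses to start. Hashes the client address so one client always lands on the same backend;
    # if another proxy sits in front of nginx, every request hashes to the same backend.
    ip_hash;
    server 172.31.253.1:1122 weight=1;
    server 172.31.253.2:1122 weight=2;
}

server {
    listen 8888;
    # several names for one server
    server_name 172.31.253.1 xx.xx.com 123.123.1.14;
    #client_max_body_size 200m;
    #charset koi8-r;
    #access_log logs/host.access.log main;

    location /api {
        # "www.api.com" resolves to the upstream group above, not via DNS.
        proxy_pass http://www.api.com/api;
        proxy_redirect off;
        proxy_set_header Host $host:8888;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300;
    }
}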
重定向
rewrite
带参数
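# HTTPS front for the RMS app: "/" redirects (301) to the entry page, carrying the requested path.
server {
    listen 8085 ssl;
    server_name web.xxx.com;
    ssl_certificate /home/detabes/https/6388682_web.xxx.com_nginx/6388682_web.xxx.com.pem;
    ssl_certificate_key /home/detabes/https/6388682_web.xxx.com_nginx/6388682_web.xxx.com.key;
    # Added: pin TLS versions instead of relying on the build default (may include TLSv1/1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    client_max_body_size 500M;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # Fixed: nginx has no "//" comment syntax; the original "// rewrite ..." lines were parsed
        # as an unknown directive named "//" and nginx -t failed. The $server_name variant:
        #   rewrite ^(.*) https://$server_name$1 permanent;   # $server_name = web.xxx.com
        # $1 is the requested path, appended after index02.html (/foo -> .../index02.html/foo);
        # the query string is appended automatically.
        rewrite ^(.*) https://web.xxx.com:8085/RMS/html/index02.html$1 permanent;
    }

    # Longer prefix wins, so /RMS/... is proxied rather than redirected — no redirect loop.
    location /RMS {
        proxy_pass http://127.0.0.1:8084/RMS;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host:8085;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300;
    }
}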
不带参数
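# HTTPS front for the RMS app: "/" redirects to the entry page without carrying the path.
server {
    listen 8085 ssl;
    server_name web.xxx.com;
    ssl_certificate /home/xxx/https/6388682_web.xxx.com_nginx/6388682_web.xxx.com.pem;
    ssl_certificate_key /home/xxx/https/6388682_web.xxx.com_nginx/6388682_web.xxx.com.key;
    # Added: pin TLS versions instead of relying on the build default (may include TLSv1/1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    client_max_body_size 500M;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # Fixed: "//" is not a comment in nginx; the original "// rewrite ..." was read as an
        # unknown directive and broke the config. The $server_name variant:
        #   rewrite ^(.*) https://$server_name;   # $server_name = web.xxx.com
        # No flag and an absolute URL -> nginx answers with a 302; the query string is still appended.
        rewrite ^(.*) https://web.xxx.com:8085/RMS/html/index02.html;
    }

    # Longer prefix wins, so /RMS/... is proxied rather than redirected.
    location /RMS {
        proxy_pass http://127.0.0.1:8084/RMS;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $host:8085;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300;
    }
}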
跨域
# Permissive CORS on every path.
location / {
    # NOTE(review): "*" lets any website call this endpoint cross-origin, and Authorization is on
    # the allowed-header list, so a bearer token held by any page can be sent here from any origin.
    # For authenticated APIs echo an explicit, allow-listed origin instead (and add "Vary: Origin").
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
    add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
    # add_header only decorates 2xx/3xx responses (use "always" to cover errors too), and a
    # location with its own add_header lines does not inherit any from the server level.
    # Answer the preflight directly; the headers above are still attached to the 204.
    if ($request_method = 'OPTIONS') {
        return 204;
    }
}
IPV6配置
同时监听IPV4和IPV6
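# Listen on both IPv4 and IPv6. Since nginx 1.3.4 an [::] socket is IPv6-only by default
# (ipv6only=on), so "listen [::]:80;" alone does not accept IPv4 on a modern nginx — a separate
# IPv4 listen is needed (on Linux "listen [::]:80 ipv6only=off;" is the single-socket alternative).
server {
    listen 80;
    listen [::]:80;
}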
只监听IPV6
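# IPv6 only. "default" is the deprecated spelling of default_server (since 0.8.21);
# ipv6only=on has been the default since 1.3.4 and is kept only to state the intent.
server {
    listen [::]:80 default_server ipv6only=on;
}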
监听指定IPV6地址
# Bind to one specific IPv6 address (placeholder shown); the address must be in brackets.
server {
    listen [xx:xx:xx:xx:1]:80;
}
配置错误页面
nginx配置,增加登录验证
安装htpasswd工具
# CentOS
yum -y install nginx          # install nginx
yum -y install httpd-tools    # install httpd-tools (provides htpasswd)
# Ubuntu
sudo apt search htpasswd
sudo apt install apache2-utils
生成密钥文件
[root@test102 conf.d]# htpasswd -cm /etc/nginx/htpasswd crystal   # /etc/nginx/htpasswd 就是 nginx 配置里 auth_basic_user_file 指向的密码文件,crystal 是用户名;注意 -c 会新建并覆盖已有的文件,只在第一次生成时使用
New password:            # 输入密码
Re-type new password:    # 再次输入密码,回车
Adding password for user crystal
在原有密码文件中增加下一个用户
htpasswd -b /etc/nginx/htpasswd ren002 456    # 去掉 -c 选项,即可在第一个用户之后追加第二个用户,依此类推;-b 把密码写在命令行上,会留在 shell 历史和 ps 输出里,生产环境建议去掉 -b 改为交互式输入
cat /etc/nginx/htpasswd
ren001:$apr1$Ln1ZsyVn$2hn3VFqP0L5tNA1UCSU8F.
ren002:$apr1$hCiMb9jc$Z.m7ZgOBCj0ISeIieTaVy/
不更新密码文件,只显示加密后的用户名和密码
htpasswd -nb ren002 456    # 不更新密码文件,只在屏幕上输出用户名和加密后的密码(同样注意 -b 会把明文密码留在 shell 历史里)
ren002:$apr1$DT53A20W$YRS7p4j.1Wum9q0kG3OQv.
用htpasswd命令删除用户名和密码
htpasswd -D /etc/nginx/htpasswd ren002
Deleting password for user ren002
cat /etc/nginx/htpasswd
ren001:$apr1$Ln1ZsyVn$2hn3VFqP0L5tNA1UCSU8F.
用 htpasswd 命令修改密码
htpasswd -D /etc/nginx/htpasswd ren001
Deleting password for user ren001
htpasswd -b /etc/nginx/htpasswd ren001 123456
Adding password for user ren001
# 其实不必先删除:对已存在的用户直接执行 htpasswd(不带 -c)会原地更新其密码
htpasswd命令选项参数说明
-c 创建一个加密文件
-n 不更新加密文件,只将htpasswd命令加密后的用户名,密码显示在屏幕上
-m 默认:htpasswd 命令采用 MD5(apr1,加盐迭代)算法对密码进行加密,nginx 直接支持;有条件时优先用 -B(bcrypt,更抗暴力破解),但要先确认 nginx 所在系统的 crypt() 支持 $2y$ 哈希
-d htpasswd 命令采用传统 crypt() 算法对密码进行加密;密码会被截断为 8 个字符,按今天的标准已不安全,不要使用
-p htpasswd 命令不对密码加密,即明文存储;nginx 的 auth_basic 不接受明文密码,而且明文落盘本身就不安全,不要使用
-s htpasswd 命令采用 SHA-1(无盐)算法对密码进行加密;htpasswd 文档自身标注为不安全,不推荐
-b 在命令行中一并给出用户名和密码,而不是根据提示输入;密码会留在 shell 历史和 ps 输出中,生产环境建议交互式输入
-D 删除指定的用户
nginx配置登录验证
windows路径注意:
❌D:\tools\nginx\openresty-1.19.3.1-win64\htpasswd
✅D:/tools/nginx/openresty-1.19.3.1-win64/htpasswd
# Protect a path with HTTP Basic auth.
# Basic auth sends the credentials base64-encoded on every request, i.e. effectively in the
# clear: only use it inside an HTTPS server block. Keep the password file outside any directory
# nginx serves.
location /password {
    # proxy_pass http://10.0.0.102:5601$request_uri;
    # the two lines that switch authentication on:
    auth_basic "登陆验证";
    auth_basic_user_file /etc/nginx/htpasswd;    # password file; the path is up to you
}

# example: an authenticated API proxy (Windows path written with forward slashes)
location /api {
    # the two lines that switch authentication on:
    auth_basic "登陆验证";
    auth_basic_user_file D:/tools/nginx/openresty-1.19.3.1-win64/htpasswd;    # password file; the path is up to you
    proxy_pass http://192.168.0.65:9004/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
nginx 搭建文件服务器
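# Simple file server with directory listing.
# Fixed: the original used "alias D:/share" (no trailing slash) under "location /". alias
# replaces the matched prefix, so /foo was mapped to D:/sharefoo. For "location /" the nginx
# docs recommend root, which appends the full URI: /foo -> D:/share/foo.
location / {
    # shared directory
    root D:/share;
    # optional Basic auth — credentials are only base64-encoded, so serve this over HTTPS and keep
    # the htpasswd file outside the shared directory.
    auth_basic "nginx basic auth";
    auth_basic_user_file C:/nginx/conf/htpasswd;
    # directory listing: everything under D:/share becomes browsable, so share a dedicated folder.
    autoindex on;
    autoindex_exact_size off;   # rounded sizes (KB/MB/GB) instead of exact byte counts
    autoindex_localtime on;     # local time instead of GMT
}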
Spring boot admin
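# untested
# nohup java -jar springbootadmin-1.0-SNAPSHOT.jar --server.servlet.context-path=/admin
location /admin {
    # Fixed: "^~" is a location modifier, not regex syntax. The original pattern ^~/admin/(.*)
    # only matched URIs literally starting with "~/admin/", so the prefix was never stripped.
    rewrite ^/admin/(.*) /$1 break;
    proxy_pass http://localhost:9002;
}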
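# Spring Boot Admin behind HTTPS.
#
# application.yml on the admin side (the original had it collapsed onto one line):
#
#   server:
#     forward-headers-strategy: native
#   spring:
#     boot:
#       admin:
#         context-path: /
#         ui:
#           public-url: https://域名/
#           cache:
#             no-cache: true
#
# forward-headers-strategy: native honours X-Forwarded-* from any peer, so the app must only be
# reachable through this proxy; otherwise a direct client can forge scheme, host and origin IP.
location / {
    proxy_pass http://localhost:8001;
    # Host is rewritten to the upstream's own host; the original host still reaches the app via
    # X-Forwarded-Host, which public-url relies on for absolute links.
    proxy_set_header Host $proxy_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Upgrade $http_upgrade;
    # Added: a server must ignore Upgrade unless Connection also lists "upgrade" (RFC 7230 §6.7),
    # and nginx does not forward Connection on its own. Matches the other WebSocket blocks here.
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Port $server_port;
}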
配置双方的 X-Forwarded-Proto 就是为了正确地识别实际用户发出的协议是 http 还是 https。注意这些 X-Forwarded-* 头由代理写入,应用侧(如 forward-headers-strategy: native)会无条件信任它们,所以应用必须只能经由这层代理访问,不能直接暴露给客户端,否则请求方可以伪造协议、主机和来源 IP。
# Forward the scheme and port the client actually used so the app builds correct absolute URLs
# and redirects. $scheme is "http" or "https" per request, unlike a hard-coded value.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
