# Account the worker processes run as; normally a non-root user.
user nginx;

# Number of worker processes, usually no more than the number of physical CPU cores.
worker_processes 1;

# File that stores the master process PID; rarely needs changing.
pid /var/run/nginx.pid;

# Error log location. Level "warn" keeps the volume down; switch to "info" or
# "debug" while troubleshooting.
error_log /var/log/nginx/error.log warn;
events {
    # Upper bound on simultaneous connections per worker process, sized to the
    # host's CPU and memory. The overall ceiling is
    # worker_processes * worker_connections.
    # NOTE(review): 65535 is only reachable if the per-process open-file limit
    # allows it (worker_rlimit_nofile / ulimit -n) -- confirm on the host.
    worker_connections 65535;
}
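http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Access-log format and destination.
    log_format main '$remote_addr [$time_local] $upstream_response_time "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent"';
    access_log /var/log/nginx/access.log main;

    # sendfile() moves data directly between two file descriptors, avoiding the
    # copy between kernel and user buffers ("zero copy").
    sendfile on;
    tcp_nopush on;

    # Accept request header names that contain underscores.
    # NOTE(review): backends that normalise header names into CGI-style
    # variables cannot tell "X_Forwarded_For" from "X-Forwarded-For"; with this
    # on, a client can send the underscore form to shadow a header the proxy
    # sets. Enable only if a client really needs it, and confirm how the
    # backend resolves duplicates.
    underscores_in_headers on;

    # Timeouts, in seconds. All three are above nginx's defaults (75/60/60), so
    # slow or idle clients hold a connection slot longer; lower them if
    # slow-request connection exhaustion is a concern.
    keepalive_timeout 120;
    client_header_timeout 80;
    client_body_timeout 80;

    # Hash table sizing for many server_name entries (multi-site hosting).
    server_names_hash_max_size 512;
    server_names_hash_bucket_size 128;

    # Do not disclose the nginx version in the Server header or on error pages.
    server_tokens off;

    # gzip compression settings.
    # NOTE(review): compressing responses that mix secrets with
    # request-influenced content is what BREACH-style attacks rely on; consider
    # turning gzip off for such endpoints when they are served over TLS.
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 16 64k;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_vary on;

    # Let nginx intercept backend responses with status >= 300 so they can be
    # handled by error_page. No error_page is defined in this block.
    fastcgi_intercept_errors on;
    proxy_intercept_errors on;

    # Static-asset caching.
    # `location` is only valid inside a server block; placed directly under
    # http, nginx rejects the whole configuration ('"location" directive is not
    # allowed here'). It is kept here commented out: copy it into each server
    # block that serves these files.
    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
    #     expires 30d;
    # }

    # Load per-site configuration files.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}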
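# NOTE(review): `server` is only valid inside http{}. On this page the block
# follows the closing brace of http{}, so it is presumably the content of a
# file loaded through the conf.d / sites-enabled includes -- confirm.
server {
    listen 80;
    charset utf-8;

    # Name-based virtual host.
    server_name www.xiaobaidonghui.cn;

    # Per-site access log, written through a 32k buffer and flushed at least
    # every 30s. Buffered entries can be lost if nginx is killed before a flush.
    access_log /var/log/nginx/xiaobaidonghui.log main buffer=32k flush=30s;

    # Default index page.
    index index.html;

    # Document root.
    root /etc/nginx/html/blog/;

    # Browser hardening headers. `always` also attaches them to the error
    # responses this server produces (the 403s below, 404s); without it
    # add_header only covers 200, 201, 204, 206, 301, 302, 303, 304, 307, 308.
    # What each one does: X-Frame-Options limits framing (clickjacking),
    # X-Content-Type-Options stops MIME sniffing. X-XSS-Protection drives a
    # legacy browser XSS filter that current browsers no longer implement; it
    # is not an XSS defence on its own -- that needs output encoding and a
    # Content-Security-Policy.
    # A location that declares its own add_header stops inheriting these.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Refuse crawlers by User-Agent. The header is client-controlled, so this
    # only filters crawlers that identify themselves honestly; it is not an
    # access control.
    if ($http_user_agent ~* "Scrapy|Sogou web spider|Baiduspider") {
        return 403;
    }

    # Password-protected area (HTTP Basic authentication).
    # This server listens on plain HTTP (port 80), so the Basic credentials
    # cross the network unencrypted on every request; serve /upload/ over TLS.
    location /upload/ {
        auth_basic "please input user&passwd";
        # NOTE(review): relative path, presumably resolved against nginx's
        # configuration directory -- confirm. Keep the file outside `root` and
        # readable only by the nginx user.
        auth_basic_user_file key/auth.key;
    }

    # Directory listing. Every file placed under /download/ becomes
    # discoverable and downloadable by anyone; keep backups, keys and dotfiles
    # out of this tree.
    location /download/ {
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }

    # IP allow/deny list. Rules are checked in order and the first match wins,
    # so `allow` lines must stay above `deny all`. As written, every client is
    # denied.
    location /admin/ {
        #allow 192.168.1.0/24;
        #allow 123.183.157.83;
        deny all;
    }

    # Image hotlink protection. Requests with no Referer ("none") or a stripped
    # one ("blocked") are accepted and the header is client-controlled, so this
    # deters embedding by other sites; it does not restrict access.
    location /images/ {
        valid_referers none blocked www.xiaobaidonghui.cn;
        if ($invalid_referer) {
            return 403;
        }
    }

    # Reverse proxy.
    location /gateway/ {
        # Request body size limit for this location.
        client_max_body_size 100m;

        # Backend address, either an upstream name or a literal address.
        # NOTE(review): no `upstream gateway` is visible in this file; it has
        # to be defined elsewhere in the http context.
        # proxy_pass http://172.26.114.113:6680/;
        proxy_pass http://gateway/;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent. The backend must not trust the
        # leading entries of that list; X-Real-IP above carries the address of
        # the TCP peer as seen by nginx.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}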
# Catch-all for port 80: requests whose Host matches no server_name (for
# example, access by bare IP address) get a 404 instead of a real site.
# NOTE(review): no equivalent catch-all is declared for port 443 in this file.
server {
    # `default_server` is the current spelling of the legacy `default` parameter.
    listen 80 default_server;
    server_name _;
    return 404;
}
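# HTTPS virtual host.
# NOTE(review): this block declares no root or location, and does not repeat
# the security headers of the port-80 server; nothing in this file redirects
# port 80 to HTTPS either -- confirm that is intended.
server {
    # The `ssl` parameter is required: a bare `listen 443;` makes nginx speak
    # plain HTTP on port 443, so the certificate below is never presented.
    listen 443 ssl;
    charset utf-8;
    server_name www.xiaobaidonghui.cn;
    access_log /var/log/nginx/https.access.log main;

    # Certificate and private key. The key file should be readable only by the
    # account that starts nginx.
    ssl_certificate /etc/nginx/auth/ssl_20201201.crt;
    ssl_certificate_key /etc/nginx/auth/ssl_20201201.key;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated and have been dropped. TLSv1.3 needs
    # nginx 1.13.0+ built against OpenSSL 1.1.1+; remove it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Same list as before, minus the two RC4 suites (RC4 is broken and
    # prohibited for TLS) and with an explicit !RC4. `!PKS` matched no OpenSSL
    # keyword and looks like a typo for `!PSK`.
    # NOTE(review): the entries without ECDHE offer no forward secrecy; drop
    # them once client compatibility has been checked.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!DSS:!PSK;
    ssl_prefer_server_ciphers on;
}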