一、nginx配置文件结构
Nginx 的主配置文件一般是 /etc/nginx/nginx.conf,其层级结构大致如下:
nginx
# Skeleton of nginx.conf: directives outside any block form the main (global) context
events {
# Connection-handling settings (event model, connections per worker)
}
http {
# HTTP server configuration; everything below inherits from here
server {
# One virtual host (listen + server_name)
location {
# URI matching rules (schematic only: a real location needs a URI pattern)
}
}
}
# Example: a minimal main configuration
# Worker processes run as this unprivileged user; the master process still runs as root to bind ports and read keys
user nginx;
# One worker per CPU core
worker_processes auto;
# Error log path and minimum level
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 10240;
use epoll;
}
http {
include mime.types;
# Fallback Content-Type for unknown extensions; octet-stream makes browsers download rather than sniff
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
gzip on;
# Compressing responses that mix secrets with client-controlled input over TLS exposes a compression side channel (BREACH);
# keep this list to static/public content types where possible
gzip_types text/plain text/css application/json application/javascript;
# Per-site server blocks live in conf.d
include /etc/nginx/conf.d/*.conf;
}
1.全局块
配置Nginx全局运行参数(如工作进程数、日志路径、PID 文件等),影响整个Nginx实例。
nginx
# User and group for the worker processes (use an unprivileged account; the master process stays root)
user www-data www-data;
# Number of worker processes (number of CPU cores, or `auto`)
worker_processes auto;
# Error log path and level (debug | info | notice | warn | error | crit)
error_log /var/log/nginx/error.log warn;
# Master process PID file
pid /var/run/nginx.pid;
# Maximum open file descriptors per worker (must fit the system ulimit);
# worker_connections in the events block has to stay below this value
worker_rlimit_nofile 65535;
# Dynamic module loading (optional). Load only modules the deployment uses:
# each one is native code running inside every worker and widens the attack surface
load_module modules/ngx_http_geoip_module.so;
load_module modules/ngx_stream_geoip_module.so;
- user nginx; 指定运行 Nginx 进程的用户,推荐使用非 root 用户运行,提升安全性。
- worker_processes auto;表示自动根据 CPU 核心数分配工作进程。每个 worker 是单线程事件驱动的,合理分配能最大化性能。
- error_log 与 pid 分别指定错误日志路径和进程 ID 文件,便于监控与维护。
2.Events块
定义事件模型(如 epoll)与连接处理方式,配置网络连接模型和并发参数。Nginx的高性能核心之一是它的事件驱动机制。
nginx
events {
# Event notification method (epoll on Linux, kqueue on FreeBSD; nginx picks the best one automatically)
use epoll;
# Maximum simultaneous connections per worker (must stay below worker_rlimit_nofile)
worker_connections 10240;
# Accept as many pending connections as possible per wake-up (default off; on for high concurrency)
multi_accept on;
# Serialize accept() across workers with a mutex (default off since 1.11.3)
accept_mutex on;
# Maximum time a worker waits before retrying to take the accept mutex (default 500ms)
accept_mutex_delay 100ms;
}
- worker_connections 10240; 定义单个 worker 能同时处理的最大连接数。若服务器有 4 个 worker,则理论上最大可处理 4×10240=40960 个并发连接。
- use epoll;明确启用 Linux 下高效的 IO 多路复用模型 epoll,适合高并发场景。
3.HTTP块
配置 HTTP 服务器相关的所有功能,包含多个子模块(如 server、location)。
shell
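http {
# 1. Basics
# MIME type table: maps file extensions to Content-Type
include /etc/nginx/mime.types; # or simply: include mime.types;
# Fallback Content-Type for unknown extensions; octet-stream makes browsers download instead of sniffing
default_type application/octet-stream;
# (same directive in short form: default_type application/octet-stream;)
# 2. Log formats
# Several formats may be defined and selected per access_log
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# escape=json escapes client-controlled values (User-Agent, Referer, X-Forwarded-For) so they cannot
# break the record or inject into a log pipeline; X-Forwarded-For remains an untrusted client header
log_format json_combined escape=json
'{'
'"time_local":"$time_local",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status":$status,'
'"body_bytes_sent":$body_bytes_sent,'
'"request_time":$request_time,'
'"http_referrer":"$http_referer",'
'"http_user_agent":"$http_user_agent",'
'"http_x_forwarded_for":"$http_x_forwarded_for"'
'}';
# Access log path and format (can be overridden per server); buffered, flushed at least every 5s
access_log /var/log/nginx/access.log main buffer=32k flush=5s;
# 3. Performance
# Kernel-side file transfer (needed for static files)
sendfile on;
# Only effective with sendfile on; sends headers and file start in one packet
tcp_nopush on;
# Nagle's algorithm stays enabled here; turn on for latency-sensitive responses
tcp_nodelay off;
# Keep-alive idle timeout (seconds)
keepalive_timeout 65;
# Requests per keep-alive connection (pairs with keepalive_timeout)
keepalive_requests 1000;
# Header/body read timeouts bound how long a slow client can hold a worker connection open
client_header_timeout 15s;
# Body timeout is between successive reads, not for the whole upload
client_body_timeout 15s;
# Maximum request body; large limits are cheap DoS amplification, raise only where uploads are expected
client_max_body_size 100m;
# 4. Response headers
# Hide the nginx version in error pages and the Server header
server_tokens off;
# NOTE: add_header is not inherited by a server/location that has its own add_header,
# so any block adding e.g. Cache-Control must repeat these headers or they silently disappear
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
# Legacy header: current browsers ignore it and the filter it controlled has been removed; "0" or omitting it is now recommended
add_header X-XSS-Protection "1; mode=block";
# 5. Gzip (recommended for static/public content)
gzip on;
# Minimum response size to compress
gzip_min_length 1k;
# Emit Vary: Accept-Encoding so caches keep compressed and plain variants apart
gzip_vary on;
gzip_proxied any;
# Compression level 1-9 (higher costs more CPU)
gzip_comp_level 6;
# MIME types to compress. Compressing responses that mix secrets with client-controlled input over TLS
# exposes a compression side channel (BREACH); keep this list to static/public content types where possible
gzip_types
text/plain
text/css
text/xml
text/javascript
application/json
application/javascript
application/xml+rss
application/atom+xml
image/svg+xml;
# 6. Open-file cache (static content)
# Maximum cached descriptors and inactivity before eviction
open_file_cache max=10000 inactive=30s;
# How often cached entries are re-validated
open_file_cache_valid 60s;
# Minimum hits before an entry is cached
open_file_cache_min_uses 2;
# Also cache lookup errors (a file created after a miss stays "missing" until re-validation)
open_file_cache_errors on;
# 7. Client limits
# client_max_body_size, client_body_timeout and client_header_timeout are already set in section 3.
# Repeating them in the same context makes nginx refuse the configuration ("directive is duplicate"),
# so only the buffer sizes are set here.
client_body_buffer_size 128k;
client_header_buffer_size 4k;
# Buffers for requests whose request line or cookies exceed client_header_buffer_size
large_client_header_buffers 4 16k;
# 8. Connection limits (zones are referenced by limit_conn in server/location)
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
# 9. Request rate limits; a separate, much stricter zone for login endpoints slows credential guessing
limit_req_zone $binary_remote_addr zone=reqperip:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=2r/m;
# 10. Shared reverse-proxy cache
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m
max_size=1g inactive=60m use_temp_path=off;
# Cache key is URL-only: per-user responses must carry Cache-Control: private/no-store (honoured by default)
proxy_cache_key "$scheme$request_method$host$request_uri";
# 11. Per-site configuration
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;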
}
- include mime.types; 让 Nginx 根据扩展名返回正确的 Content-Type,比如 .html 为 text/html。
- sendfile on;使用零拷贝机制发送文件,大幅降低 CPU 消耗。
- tcp_nopush 与 tcp_nodelay 这两个参数控制 TCP 包的发送策略:前者适合批量传输静态文件,后者适合实时响应。
- gzip on;启用压缩以减少带宽消耗。配合 gzip_types 指定压缩的 MIME 类型。
4.Server块(虚拟主机)
网站的可访问核心在于 server 块。
shell
# Virtual host 1: plain HTTP
server {
# 1. Listening ports (IPv4 and IPv6)
listen 80;
listen [::]:80;
# 2. Hostnames this block answers for (wildcards and regexes are supported)
server_name example.com www.example.com; # e.g. localhost for local testing
# 3. Document root
root /var/www/html;
# Default index files
index index.html index.htm;
# 4. Error pages
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
# 5. Client-side caching for static assets
# NOTE: because this location sets its own add_header it inherits none of the add_header lines
# (X-Frame-Options etc.) from the http block; repeat the security headers here if they matter for these files
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 30d; # client may cache for 30 days
add_header Cache-Control "public, no-transform";
}
# 6. Other settings (TLS, reverse proxy, ...) would go here
# 7. Application locations
# Overrides the server-level root for the site's pages
location / {
root /usr/share/nginx/html;
index index.html;
}
# Requests under /api/ go to the local backend; the trailing slash on proxy_pass strips the /api/ prefix
location /api/ {
proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $host;
# The backend must only trust X-Real-IP when the request provably came from this proxy
proxy_set_header X-Real-IP $remote_addr;
}
# internal: only reachable through error_page, never by a direct client request
location = /50x.html {
root /usr/share/nginx/html;
internal;
}
# 8. Forced HTTPS redirect
# NOTE(review): `return` in server context runs in the rewrite phase before any location is matched,
# so every location above is unreachable and this host behaves exactly like virtual host 3 below.
# Either drop this line to keep serving the locations over HTTP, or drop the locations. Also,
# $server_name is the first configured name (example.com), so www.example.com requests are redirected
# to the apex; $host keeps the requested name (safe as long as this block is not a catch-all default_server).
return 301 https://$server_name$request_uri;
}
# Virtual host 2: HTTPS
server {
# TLS listener. Since nginx 1.25.1 the `http2` listen parameter is deprecated in favour of a separate `http2 on;`
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;
# Certificate chain and private key; the key file must be readable only by root (the master process reads it)
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
# Protocols and cipher suites (modern-browser profile). ssl_ciphers only governs TLS 1.2; TLS 1.3 suites are not affected
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
# With only AEAD/ECDHE suites offered, letting the client choose is fine
ssl_prefer_server_ciphers off;
# Session cache for resumption; tickets are off because nginx does not rotate ticket keys by itself
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
# OCSP stapling
ssl_stapling on;
# NOTE(review): with ssl_stapling_verify on, nginx needs the issuer and root certificates, either appended to the
# ssl_certificate file or given via ssl_trusted_certificate; otherwise the staple is silently dropped
ssl_stapling_verify on;
# Resolver for the OCSP responder name. A public resolver receives these lookups in clear text;
# an internal resolver is preferable in production
resolver 8.8.8.8 8.8.4.4 valid=300s;
# HSTS; `always` also sends it on error responses. includeSubDomains commits every subdomain to HTTPS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Document root
root /var/www/html;
index index.html index.htm;
# Security headers. default-src 'self' blocks inline scripts/styles and third-party origins
add_header Content-Security-Policy "default-src 'self';" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Disable caching of dynamic pages
add_header Cache-Control "no-store, no-cache, must-revalidate";
# Static assets
# NOTE: this location's own add_header suppresses every server-level add_header above (HSTS, CSP,
# Referrer-Policy) for these responses; repeat the ones that should still apply
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2)$ {
expires 1y;
add_header Cache-Control "public, immutable";
access_log off;
}
# API
location /api/ {
# Upstream group or resolvable hostname; an upstream must be defined in the http context
proxy_pass http://backend-server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any client-supplied X-Forwarded-For, so the backend must only trust the last entry
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Timeouts
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
# Buffering. Hedged: a 4k header buffer is small for backends that send large cookies;
# raise it if "upstream sent too big header" 502s appear
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
proxy_busy_buffers_size 8k;
# Rate/connection limits; the zones must be declared in the http block
limit_req zone=reqperip burst=20 nodelay;
limit_conn perip 10;
}
# WebSocket
location /ws/ {
proxy_pass http://websocket-server;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
# Long read timeout keeps idle sockets open for a day
proxy_read_timeout 86400s;
}
# Access control: with the default `satisfy all`, a client must pass BOTH the IP allow-list and basic auth
location /admin/ {
allow 192.168.1.0/24;
allow 10.0.0.0/8;
deny all;
# Basic auth only base64-encodes credentials; acceptable because this server is TLS-only
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/.htpasswd;
}
# Error pages
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
internal;
}
# Status endpoint, loopback only
location /nginx_status {
stub_status;
access_log off;
allow 127.0.0.1;
deny all;
}
# Deny dotfiles (.git, .env, .htpasswd, ...)
# NOTE(review): regex locations are tried in order and the static-asset regex above comes first, so a dotfile
# whose name ends in one of those extensions would be served by it; place this block before other regex
# locations. It also blocks /.well-known/ (ACME); the site example later excludes that path
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
}
# Virtual host 3: HTTP to HTTPS redirect
# NOTE(review): this block and virtual host 1 both claim www.example.com on port 80; nginx keeps the first
# one and logs "conflicting server name ... ignored" for the second
server {
listen 80;
server_name www.example.com;
# $server_name is the configured name; $host would preserve whatever name the client asked for
return 301 https://$server_name$request_uri;
}
- listen 80; 监听 HTTP 默认端口。若需 HTTPS,则改为 listen 443 ssl;。
- server_name:定义域名或 IP,可用通配符支持多域名。
- root 定义了网站根目录,Nginx 会直接从该目录读取文件返回。
- try_files $uri $uri/ =404; 是一个关键语句,用于防止目录遍历漏洞。
- location /api/ 前端请求 /api/* 时,会被转发到本地后端应用端口。通过 proxy_set_header,可让后端知道真实客户端 IP 与域名信息。
5.Stream模块(TCP/UDP代理)
shell
stream {
# Upstream group for raw TCP
upstream backend_tcp {
# The same client address always maps to the same server
hash $remote_addr consistent;
server backend1.example.com:3306 weight=3;
server backend2.example.com:3306 weight=2;
server backup.example.com:3306 backup;
}
# Database proxy. nginx does not authenticate at this layer: anyone who can reach port 3306 on this host reaches
# the database group, so restrict the listener (allow/deny from the stream access module, or a firewall)
server {
listen 3306;
proxy_pass backend_tcp;
# 3s of inactivity closes the session, which is short for database connections; hedged: tune to the workload
proxy_timeout 3s;
proxy_connect_timeout 1s;
}
# DNS proxy. Bound to all interfaces this becomes an open resolver usable for reflection; bind it to an internal address
server {
listen 53 udp reuseport;
proxy_pass 8.8.8.8:53;
# Expect one response datagram per request
proxy_responses 1;
}
}
6.Mail模块
shell
mail {
server_name mail.example.com;
# Backend that validates credentials and returns the real server; plain HTTP, so keep it on loopback
auth_http localhost/auth.php;
# IMAP proxy. NOTE(review): these listeners are plaintext and no starttls/ssl is configured, so credentials cross
# the network unencrypted; use `listen 993 ssl` / `starttls on` in production
server {
listen 143;
protocol imap;
proxy on;
# Forward backend error messages to the client (may reveal backend details)
proxy_pass_error_message on;
}
# POP3 proxy
server {
listen 110;
protocol pop3;
proxy on;
}
# SMTP proxy
server {
listen 25;
protocol smtp;
proxy on;
# cram-md5 requires the auth backend to hold plaintext passwords; login/plain are only safe over TLS
smtp_auth login plain cram-md5;
}
}
二、常用性能优化
Nginx 被称为高性能服务器,不仅因为事件驱动模型,还因为它提供了众多优化参数。
- 连接与缓冲优化
nginx
# Maximum request body
client_max_body_size 20M;
# Bodies larger than this are spooled to a temporary file
client_body_buffer_size 128k;
# Timeout between two successive writes to the client, not for the whole response
send_timeout 60;
keepalive_timeout 75;
注:这些参数直接决定了上传、下载与长连接的表现。
- 缓存与静态加速
# Long client-side caching for static assets; access_log off also hides probing of these paths from the log
location ~* \.(jpg|png|gif|ico|css|js)$ {
expires 30d;
access_log off;
}
注:静态文件可长期缓存,减少服务器负载与用户延迟。
- Gzip 与 Brotli 双压缩
# Requires the third-party ngx_brotli module; not part of stock nginx
brotli on;
brotli_types text/html text/css application/javascript;
注:若系统支持,可安装 Brotli 模块,比 Gzip 效率更高。
- 使用负载均衡分发流量
# Round-robin (the default) across two local backends
upstream backend {
server 127.0.0.1:8080;
server 127.0.0.1:8081;
}
# Schematic: a real server block also needs listen and server_name
server {
location /api/ {
proxy_pass http://backend;
}
}
注:这实现了简单的轮询负载均衡。Nginx 还支持权重、IP 哈希、最少连接等高级策略。
三、生产环境示例
1.主配置文件:/etc/nginx/nginx.conf
shell
# Main context
# Workers run as this unprivileged user; the master stays root
user nginx;
worker_processes auto;
# Per-worker descriptor limit; worker_connections below must stay under it
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
# Dynamic modules (third-party geoip2; must be built against this exact nginx version, load only what is used)
load_module modules/ngx_http_geoip2_module.so;
load_module modules/ngx_stream_geoip2_module.so;
# Events
events {
use epoll;
# NOTE(review): equal to worker_rlimit_nofile; a proxied request uses two descriptors, so this leaves no headroom
worker_connections 65535;
multi_accept on;
accept_mutex on;
}
# HTTP
http {
# Basics
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Log formats
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'$request_time $upstream_response_time';
# escape=json keeps client-controlled fields from breaking the record; $args may carry tokens or PII,
# so logging the query string needs a retention/redaction policy
log_format json escape=json
'{'
'"timestamp":"$time_iso8601",'
'"remote_addr":"$remote_addr",'
'"x_forwarded_for":"$http_x_forwarded_for",'
'"remote_user":"$remote_user",'
'"bytes_sent":$body_bytes_sent,'
'"request_time":$request_time,'
'"status":$status,'
'"vhost":"$host",'
'"request_proto":"$server_protocol",'
'"path":"$uri",'
'"query":"$args",'
'"request_method":"$request_method",'
'"referer":"$http_referer",'
'"agent":"$http_user_agent",'
'"upstream":"$upstream_addr",'
'"upstream_status":"$upstream_status",'
'"upstream_response_time":"$upstream_response_time"'
'}';
# Access log
access_log /var/log/nginx/access.log json buffer=32k flush=5s;
# Performance
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
# Needed when long server names are used
server_names_hash_bucket_size 128;
# Connections
keepalive_timeout 75s;
keepalive_requests 1000;
# Free memory for timed-out connections immediately
reset_timedout_connection on;
# Client limits
client_max_body_size 50m;
client_body_timeout 15s;
client_header_timeout 15s;
client_body_buffer_size 256k;
client_header_buffer_size 8k;
large_client_header_buffers 4 16k;
# Open-file cache
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# Proxy buffering
proxy_buffering on;
proxy_buffer_size 16k;
proxy_buffers 4 16k;
proxy_busy_buffers_size 32k;
# Response-header hardening
server_tokens off;
# NOTE: these add_header lines vanish in any server/location that declares its own add_header
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
# Legacy header ignored by current browsers; "0" or removal is the current recommendation
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 256;
# Broad list; types that mix secrets with user-controlled input (e.g. application/json API responses) are
# exposed to the BREACH compression side channel over TLS
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/otf
font/ttf
image/bmp
image/svg+xml
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# Rate limits (a 10m zone holds roughly 160k client states)
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/s;
# Much stricter zone for login endpoints
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Proxy cache
proxy_cache_path /var/cache/nginx/proxy_cache levels=1:2
keys_zone=proxy_cache:100m max_size=10g
inactive=60m use_temp_path=off;
# FastCGI cache
fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2
keys_zone=fastcgi_cache:100m max_size=5g
inactive=60m use_temp_path=off;
# Per-site configuration
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
# Stream (TCP/UDP) context
stream {
log_format stream '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
access_log /var/log/nginx/stream-access.log stream;
include /etc/nginx/stream.conf.d/*.conf;
}
2.站点配置文件:/etc/nginx/sites-available/example.com
shell
# HTTP -> HTTPS redirect
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
# 301 permanent redirect. $server_name is the first configured name (example.com), so www requests land on the apex;
# $host preserves the requested name (safe here because this block is not a catch-all default_server)
return 301 https://$server_name$request_uri;
# Security headers on the redirect response. HSTS cannot be set here: browsers ignore it over plain HTTP
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
}
# Main HTTPS server
server {
# Since nginx 1.25.1 a separate `http2 on;` is preferred over the listen parameter
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com www.example.com;
# Certificate chain and private key (key readable by root only)
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# TLS settings (compatibility + security); ssl_ciphers governs TLS 1.2 only
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers off;
# Session cache; tickets off because nginx does not rotate ticket keys on its own
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# OCSP stapling; chain.pem supplies the issuer certificates that ssl_stapling_verify needs
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
# Public resolver: OCSP/upstream name lookups go to a third party in clear text; prefer an internal resolver
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Security headers
# HSTS with preload: submission to the preload list is effectively irreversible, so every subdomain must be HTTPS first
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# NOTE(review): 'unsafe-inline' in script-src removes most of the XSS protection a CSP provides (nonces or
# hashes are the replacement), and img-src https: allows images from any origin
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' api.example.com; frame-ancestors 'self';" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Document root
root /var/www/example.com/public;
index index.html index.htm index.php;
# Deny dotfiles except /.well-known/ (ACME challenges); placed first so it wins over the regex locations below
location ~* /\.(?!well-known) {
deny all;
access_log off;
log_not_found off;
}
# Static assets
# NOTE: the add_header here drops HSTS/CSP/Permissions-Policy for these responses; repeat the ones that matter
location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
# Also hides probing of these paths from the access log
access_log off;
try_files $uri $uri/ =404;
}
# Home page
location = / {
try_files /index.html =404;
}
# API
location /api/v1/ {
# Rate limiting (zones declared in nginx.conf)
limit_req zone=api burst=50 nodelay;
limit_conn addr 10;
# Proxy settings; backend_api is the upstream defined at the end of this file
proxy_pass http://backend_api;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to the client-supplied header; the backend must only trust the last hop
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# NOTE(review): this sends "Connection: upgrade" on every API request, not only real upgrades; the usual form is
# a `map $http_upgrade $connection_upgrade` that yields "upgrade" or "close"
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
# Timeouts
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;
# Cache. The key has no user dimension: an authenticated response is served to the next client with the same URL
# unless the backend marks it Cache-Control: private/no-store (honoured by default) or the cache is bypassed for
# sessions. proxy_cache_valid only applies when the backend sends no Cache-Control/Expires/X-Accel-Expires
proxy_cache proxy_cache;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
# Active health check: nginx Plus only; open-source nginx rejects the directive and fails to start
health_check interval=10 fails=3 passes=2 uri=/health;
}
# Login endpoint: stricter rate limit and never cached
location /api/v1/auth/login {
limit_req zone=login burst=3 nodelay;
proxy_pass http://backend_api;
proxy_cache_bypass 1;
proxy_no_cache 1;
}
# PHP
location ~ \.php$ {
# Refuse scripts that do not exist on disk before handing off to php-fpm (guards the cgi.fix_pathinfo issue)
try_files $uri =404;
# Only URIs ending in .php reach this location, so PATH_INFO is effectively always empty here
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
# FastCGI cache
fastcgi_cache fastcgi_cache;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_valid 200 301 302 30m;
fastcgi_cache_methods GET HEAD;
# SECURITY: by default nginx refuses to cache a response carrying Set-Cookie or Cache-Control private/no-store.
# Ignoring those headers caches logged-in users' pages, session cookie included, and serves them to other
# visitors for 30 minutes. Remove Set-Cookie (and Cache-Control) from this list, or add
# fastcgi_no_cache / fastcgi_cache_bypass keyed on the session cookie ($cookie_<name>)
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
}
# WebSocket
location /ws/ {
proxy_pass http://websocket_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 86400;
proxy_send_timeout 86400;
}
# Admin back-end: with the default `satisfy all`, both the IP allow-list and basic auth must pass
location /admin/ {
# IP allow-list
allow 192.168.1.0/24;
allow 10.0.0.0/8;
deny all;
# Basic auth (credentials are only base64-encoded; acceptable because this server is TLS-only)
auth_basic "Admin Area";
auth_basic_user_file /etc/nginx/.htpasswd_admin;
# NOTE(review): the gate is by URI prefix only; the same index.php is reachable directly through the .php
# location above, which has no allow/deny, so the application must enforce admin authorization itself
try_files $uri $uri/ /index.php?$query_string;
}
# Health endpoint
location /health {
access_log off;
return 200 "healthy\n";
# Hedged: add_header does not replace the Content-Type nginx already set; `default_type text/plain;` is the usual way
add_header Content-Type text/plain;
}
# nginx status; exposes connection counts, so keep it restricted to trusted networks
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
allow 192.168.1.0/24;
deny all;
}
# Error pages
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
# Served from the server root; internal = not requestable directly
location = /404.html {
internal;
}
location = /50x.html {
root /usr/share/nginx/html;
internal;
}
# Block leftover/backup files; defence in depth, such files should not be in the web root at all
location ~* \.(log|sql|bak|inc|old|swp)$ {
deny all;
access_log off;
log_not_found off;
}
}
# Upstream group
# NOTE(review): `sticky` and `health_check` are nginx Plus directives (open-source nginx fails with "unknown directive"),
# and even on Plus health_check belongs in a location, not in the upstream block
upstream backend_api {
# Shared memory so all workers see the same server state
zone backend_api 64k;
server api1.example.com:8080 weight=3 max_fails=3 fail_timeout=30s;
server api2.example.com:8080 weight=2 max_fails=3 fail_timeout=30s;
server api3.example.com:8080 weight=1 max_fails=3 fail_timeout=30s backup;
# Session persistence
sticky cookie srv_id expires=1h domain=.example.com path=/;
# Health check
health_check interval=5s fails=3 passes=2 uri=/health;
}
# ip_hash keys on the first three octets of an IPv4 address, so clients behind one NAT share a backend
upstream websocket_backend {
ip_hash;
server ws1.example.com:8080;
server ws2.example.com:8080;
}
四、生产环境最佳实践
1. 安全配置
shell
# 1.1 Hide the nginx version (Server header and error pages)
server_tokens off;
# 1.2 Security headers (`always` also applies them to error responses). Remember that add_header is not
# inherited into a block that declares its own add_header
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
# Legacy header, ignored by current browsers
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# default-src 'self' also blocks inline scripts and styles
add_header Content-Security-Policy "default-src 'self'" always;
# 1.3 TLS (ssl_ciphers affects TLS 1.2 only)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
# 1.4 Access control (a location must sit inside a server block)
location /admin {
allow 10.0.0.0/8;
deny all;
}
2. 性能优化
shell
# 2.1 Worker processes
worker_processes auto;
worker_rlimit_nofile 65535;
# 2.2 Event model
events {
use epoll;
# Equal to worker_rlimit_nofile; a proxied request needs two descriptors, so keep this lower
worker_connections 65535;
multi_accept on;
}
# 2.3 Proxy buffers
proxy_buffering on;
proxy_buffer_size 16k;
proxy_buffers 4 16k;
# 2.4 Proxy cache (no max_size here: the cache grows until the disk fills)
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m;
3. 监控和日志
shell
# 3.1 JSON access log; '{...}' stands for the full json format shown earlier and is not a usable format by itself
log_format json_combined escape=json '{...}';
access_log /var/log/nginx/access.log json_combined;
# 3.2 Status endpoint (a location must be inside a server block)
location /nginx_status {
stub_status;
allow 127.0.0.1;
deny all;
}
# 3.3 Request-ID tracing
# NOTE(review): $request_id is a built-in per-request random hex id (nginx 1.11.0+); assigning it to itself is a
# no-op, and `set` is only valid in server/location/if. Add $request_id to the log_format so the id returned to
# the client can be correlated with the access log
set $request_id $request_id;
add_header X-Request-ID $request_id;
4. 高可用配置
shell
# 4.1 Load balancing
upstream backend {
# Route to the server with the fewest active connections
least_conn;
# A server is taken out for fail_timeout after max_fails failed attempts
server backend1.example.com max_fails=3 fail_timeout=30s;
server backend2.example.com max_fails=3 fail_timeout=30s;
# Active health check: nginx Plus only, and valid in location context rather than in the upstream block
health_check interval=5s;
}
# 4.2 Failover: retry the next server on these conditions. Non-idempotent methods (POST, LOCK, PATCH) are not
# retried unless `non_idempotent` is listed, which avoids duplicating side effects
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_next_upstream_tries 3;
5. Docker环境配置
shell
# 5.1 Container settings
worker_processes auto;
# Stay in the foreground so the container's PID 1 is nginx
daemon off;
# 5.2 Environment variables: `env` only passes them through to the worker processes; the configuration language
# does not expand them, so a template step (e.g. envsubst) is still needed to use them in directives
env BACKEND_HOST;
env BACKEND_PORT;
# 5.3 Docker health check (a location must be inside a server block)
location /health {
access_log off;
return 200;
}
五、实用脚本和工具
1.配置文件验证
shell
# Syntax check only (does not reload)
nginx -t
# Test and dump the full effective configuration with includes resolved; useful for review, but the dump
# contains everything in the config, so do not paste it into tickets unredacted
nginx -T
# Graceful reload: new workers start, old ones finish in-flight requests
nginx -s reload
# Graceful stop
nginx -s quit
2.日志轮转配置(logrotate)
shell
# /etc/logrotate.d/nginx
/var/log/nginx/*.log {
daily
missingok
# Keep 14 rotations
rotate 14
compress
# Compress one cycle later so nginx can still write the just-rotated file until it reopens
delaycompress
notifempty
# New log files are owner nginx, group adm, mode 0640 (not world-readable: logs carry IPs, paths and query strings)
create 640 nginx adm
sharedscripts
postrotate
# USR1 asks the master process to reopen its log files
[ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
endscript
}