popo

nginx-doc-配置

Posted on Edited on

默认配置

default.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
server {
    listen       80;
    listen  [::]:80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html/report;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

https配置

https证书

把对应的https证书丢到指定目录内
在对应的配置加上

1
2
ssl_certificate /usr/local/nginx/conf/ssl/xxxx.pem;
ssl_certificate_key /usr/local/nginx/conf/ssl/xxxx.key;

http跳转https

1
2
3
4
5
6
server
{
    listen          80;
    server_name xxx.xxx.com;
    return 301 https://xxx.xxx.com$request_uri;
}

跨域设置

配置对应的conf

1
2
3
4
5
# 在对应的localtion加上
add_header 'Access-Control-Allow-Origin' *;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'PUT,POST,GET,DELETE,OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Content-Type,Content-Length, Authorization, Accept,X-Requested-With';

配置参考

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
server {
    listen 443 ssl;
    server_name xxx.xxx.com;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ....

    location /{
         root /home/wwwroot;
         index index.html index.htm;

        # 跨域处理
         add_header 'Access-Control-Allow-Origin' *;
         add_header 'Access-Control-Allow-Credentials' 'true';
         add_header 'Access-Control-Allow-Methods' 'GET';
    }

    ....
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
server {
    listen 80;
    server_name      xx.xx.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen           443;
    server_name      xx.xx.com;
    set $site_dir    /data/gameweb/web-mobile;
    root             "$site_dir";
    index index.html index.htm index.php;

    ssl on;
    ssl_certificate cert/1_gameorse.com_bundle.crt;
    ssl_certificate_key cert/2_gameorse.com.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    charset utf-8;

    location / {
        add_header Access-Control-Allow-Origin * always;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
        if ($request_method = "OPTIONS") {
            add_header 'Access-Control-Max-Age' 86400;
            add_header Access-Control-Allow-Origin *;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE';
            add_header 'Access-Control-Allow-Headers' 'reqid, nid, host, x-real-ip, x-forwarded-ip, event-type, event-id, accept, content-type, token';
            add_header 'Content-Length' 0;
            add_header 'Content-Type' 'text/plain, charset=utf-8';
            return 204;
        }
        proxy_pass http://127.0.0.1:8080;
    }

    access_log  /home/wwwlogs/xx.xx.com.cn.log;

    location ~ /\.ht {
        deny all;
    }

   }

支持php

默认不加php支持的时候,打开php文件是变成下载的,需要在对应的server里面加如下代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
set $site_dir   /??/??/??;
root            "$site_dir/??";

location / {
    #try_files $uri $uri/ /index.php?$query_string;
    try_files $uri $uri/ /index.php?s=$uri&$args;
}


location ~ [^/]\.php(/|$){
    try_files $uri =404;
    fastcgi_pass  unix:/tmp/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
    fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:$site_dir/:/tmp/:/proc/";
}

多个域名目录

创建www用户

1
2
3
4
5
6
id www
# id: www:无此用户
groupadd www
useradd -g www -s /sbin/nologin www
id www
# uid=501(www) gid=501(www) 组=501(www)

创建wwwroot目录

1
2
3
4
cd /home
mkdir wwwroot
// 一定要将归属改成www
chown -R www www

修改配置

简单流程

  • 修改user为www
  • 配置include vhost
  • 创建vhost目录
  • 创建对应的conf配置

nginx.conf配置参考

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# 修改user为www
user  www www;

worker_processes auto;

error_log  /home/wwwlogs/nginx_error.log  crit;

pid        /usr/local/nginx/logs/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 51200;

events
    {
        use epoll;
        worker_connections 51200;
        multi_accept on;
    }

http
    {
        include       mime.types;
        default_type  application/octet-stream;

        server_names_hash_bucket_size 128;
        client_header_buffer_size 32k;
        large_client_header_buffers 4 32k;
        client_max_body_size 50m;

        sendfile   on;
        tcp_nopush on;

        keepalive_timeout 60;

        tcp_nodelay on;

        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 64k;
        fastcgi_buffers 4 64k;
        fastcgi_busy_buffers_size 128k;
        fastcgi_temp_file_write_size 256k;

        gzip on;
        gzip_min_length  1k;
        gzip_buffers     4 16k;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
        gzip_vary on;
        gzip_proxied   expired no-cache no-store private auth;
        gzip_disable   "MSIE [1-6]\.";

        #limit_conn_zone $binary_remote_addr zone=perip:10m;
        ##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.

        server_tokens off;
        access_log off;

server
    {
        listen 80 default_server;
        #listen [::]:80 default_server ipv6only=on;
        server_name _;
        index index.html index.htm index.php;
        root  /home/wwwroot/default;

        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        include enable-php.conf;

        location /nginx_status
        {
            stub_status on;
            access_log   off;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/access.log;
    }

# 配置include vhost
include vhost/*.conf;
}

vhost的conf配置参考

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
server
    {
    listen          80;
        server_name xxx.xxx.com;
        return 301 https://xxx.xxx.com$request_uri;
    }

server
    {
        listen 443 ssl;
        #listen [::]:443 ssl http2;
        server_name xxx.xxx.com ;
        index index.html index.htm index.php default.html default.htm default.php;
        #index entry.html;
        root  /home/wwwroot/xxx;
        #ssl on;
        ssl_certificate /usr/local/nginx/conf/ssl/xxx.pem;
        ssl_certificate_key /usr/local/nginx/conf/ssl/xxx.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        #ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        #include rewrite/none.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        #include enable-php-pathinfo.conf;

        add_header 'Access-Control-Allow-Origin' *;
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET';


        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log off;
    }

配置参考

QQ头像跨域

在对应的conf里面加,可能还有更多的域名,参考加就可以了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
location /thirdapp2_qqlogo/ { #添加访问目录为/apis的代理配置
    #   proxy_set_header Host $host;
    # proxy_set_header X-Real-Ip $remote_addr;
    # proxy_set_header X-Forwarded-For $remote_addr;
    # proxy_pass   http://thirdapp2.qlogo.cn/qzopenapp/;
    return 200 "ok";
 }


 location /thirdapp3_qqlogo/ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-Ip $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_pass   http://thirdapp3.qlogo.cn/qzopenapp/;
 }

 location /{
     root /home/wwwroot/wb;
    index index.html index.htm;

     add_header 'Access-Control-Allow-Origin' *;
     add_header 'Access-Control-Allow-Credentials' 'true';
     add_header 'Access-Control-Allow-Methods' 'GET';
}

qq游戏大厅

需要配置跨域和option,不然经常404

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
add_header 'Access-Control-Allow-Origin' *;
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Methods' 'PUT,POST,GET,DELETE,OPTIONS,HEAD';
add_header 'Access-Control-Allow-Headers' 'Content-Type, Content-Length, Authorization, Accept, X-Requested-With, Origin, XRequestedWith, LastModified';


location /qqgame/ { #添加访问目录为/apis的代理配置

    if ( $request_method = 'OPTIONS' ) {
        add_header Access-Control-Allow-Origin $http_origin;
        add_header Access-Control-Allow-Headers Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,X-Data-Type,X-Requested-With;
        add_header Access-Control-Allow-Methods GET,POST,OPTIONS,HEAD,PUT;
        add_header Access-Control-Allow-Credentials true;
        add_header Access-Control-Allow-Headers X-Data-Type,X-Auth-Token;
        return 200;
    }

    # proxy_set_header Host $host;
    # proxy_set_header X-Real-Ip $remote_addr;
    # proxy_set_header X-Forwarded-For $remote_addr;
    rewrite  ^/qqgame/(.*)$ /$1 break;
    #proxy_pass   http://openapi.sparta.html5.qq.com/;
    proxy_pass   http://openapi.tencentyun.com/;
    #proxy_pass https://www.baidu.com/;
    #return 200 "ok";
}

应用宝微端

区别80和443

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
server
    {
    listen          80;
        server_name pok-yybwd-web.gameorse.com;

     location / {
            root   /home/wwwroot/yybw;
            index  index.html index.htm;
        }

    location /checkUserToken {
                proxy_set_header Host $host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass   http://account.6873.com/2.0/411/checkUserToken;
        }

    location /login {
        proxy_set_header Host $host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass https://pok-mxw-auth.gameorse.com/api/login;

    }

    location /gameservers {
                proxy_set_header Host $host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass https://pok-mxw-auth.gameorse.com/api/gameservers;

        }


    error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

    }

server
    {
        listen 443 ssl;
        #listen [::]:443 ssl http2;
        server_name pok-yybwd-web.gameorse.com ;
        index index.html index.htm index.php default.html default.htm default.php;
        #index entry.html;
        root  /home/wwwroot/yybw;
        #ssl on;
        ssl_certificate /usr/local/nginx/conf/ssl/gameorse.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/gameorse.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        #ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        #include rewrite/none.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        #include enable-php-pathinfo.conf;

     add_header 'Access-Control-Allow-Origin' *;
         add_header 'Access-Control-Allow-Credentials' 'true';
         add_header 'Access-Control-Allow-Methods' 'POST';

      location /thirdapp2_qqlogo/ { #添加访问目录为/apis的代理配置
                      proxy_set_header Host $host;
               proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass   http://thirdapp2.qlogo.cn/qzopenapp/;
               #return 200 "ok";
     }


     location /thirdapp3_qqlogo/ {
                proxy_set_header Host $host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass   http://thirdapp3.qlogo.cn/qzopenapp/;
     }
       location /thirdapp1_qqlogo/ {
                proxy_set_header Host $host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass   http://thirdapp1.qlogo.cn/qzopenapp/;
     }

    location /checkUserToken {
        proxy_set_header Host $host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass   http://thirdapp1.qlogo.cn/qzopenapp/;
    }


        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log off;
    }

百度小游戏

80跳转到443

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

server
    {
    listen          80;
        server_name farm-qqxyx-web.gameorse.com;
        return 301 https://farm-qqxyx-web.gameorse.com$request_uri;
    }

server
    {
        listen 443 ssl;
        #listen [::]:443 ssl http2;
        server_name farm-qqxyx-web.gameorse.com ;
        index index.html index.htm index.php default.html default.htm default.php;
        #index entry.html;
        root  /home/wwwroot/farm-qqxyx;
        #ssl on;
        ssl_certificate /usr/local/nginx/conf/ssl/gameorse.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/gameorse.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
        #ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

        #include rewrite/none.conf;
        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

        #include enable-php-pathinfo.conf;

     add_header 'Access-Control-Allow-Origin' *;
         add_header 'Access-Control-Allow-Credentials' 'true';
         add_header 'Access-Control-Allow-Methods' 'POST';

      location /thirdapp2_qqlogo/ { #添加访问目录为/apis的代理配置
                      proxy_set_header Host $host;
               proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass   http://thirdapp2.qlogo.cn/qzopenapp/;
               #return 200 "ok";
     }


     location /thirdapp3_qqlogo/ {
                proxy_set_header Host $host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass   http://thirdapp3.qlogo.cn/qzopenapp/;
     }
       location /thirdapp1_qqlogo/ {
                proxy_set_header Host $host;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass   http://thirdapp1.qlogo.cn/qzopenapp/;
     }


        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }

        access_log off;
    }

真实ip获取

1
2
3
4
5
6
7
location / {
    # proxy_redirect off; # 根据情况添加
    proxy_pass http://127.0.0.1:9998;
    # proxy_set_header Host $host; # 根据情况添加
    proxy_set_header X-real-ip $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

日志

  • 日志类型
日志 描述
access.log http 记录访问日志。
error.log server 操作记录日志 
1
2
3
4
5
6
7
# 关闭 http 记录访问日志
access_log off;

access_log /dev/null;

# 关闭 server  操作日志:
error_log /dev/null;
  • 参考
1
2
3
4
5
6
7
8
9
10
11
# 这里会关闭所有行为日志
# access_log off;

location / {
        proxy_pass http://182.254.179.143:8922;
        proxy_set_header X-real-ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # 这里只会关闭进入这个location行为的日志
        # access_log off;
}