Skip to content

Nginx

Nginx 已被证明具有极高的稳定性、高性能和高可靠性,并提供了一套强大的工具.

Apache 相比, Nginx 具有的优势:

  • 轻量
  • 占用内存少
  • 配置项更丰富
  • 高负载下性能更好

Installation

官方 repo 配置 请参考 nginx.org

Configuration

/etc/nginx/nginx.conf 包含全局配置文件

/etc/nginx/conf.d 目录下包含站点配置文件

Performance

1. 启用gzip压缩
2. 添加upstream响应时间
3. 为静态内容设置适当的过期时间
4. 在启用HTTPS的站点总是启用HTTP/2

Caching

Security

Nginx 有许多提供Web Application Firewall(WAF)的模块,但是几乎所有模块都需要从源码编译 Nginx.

Naxsi 和 modsecurity 是两个流行的选择

典型配置

Mollzia提供了一个非常优秀的Nginx配置生成工具

/etc/nginx/nginx.conf 

user nginx;  #Use for CentOS
#user www-data;  #Use for Debian
worker_processes auto; #Or set to number of CPU cores
error_log /var/log/nginx/error.log warn;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"'
                      '"$request_time" "$upstream_response_time" $upstream_cache_status';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    server_tokens       off;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
}

/etc/nginx/conf.d/example.conf 

upstream www {
    server unix:/run/php-fpm/www.sock;
}
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    access_log  /var/log/nginx/example.com.access.log main;
    error_log   /var/log/nginx/example.com.error.log;

    root /path/to/your/web/root;
    index index.php index.html index.htm;

        #SSL settings
        #https://ssl-config.mozilla.org/#hsts=false
    ssl_certificate /etc/letsencrypt/live/exmaple.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers on;
        resolver 8.8.8.8;

        #Performance settings
    server_tokens   off;
    gzip on;
    gzip_vary on;
    gzip_types text/plain text/css text/xml text/javascript application/json application/x-javascript application/javascript application/xhtml+xml application/xml application/atom+xml application/xml+rss font/opentype image/svg+xml image/x-icon;
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 1000;
    gzip_disable "msie6";
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        keepalive_timeout 65;
        sendfile on;

    location / {
        try_files $uri $uri/;
        gzip_static on;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_intercept_errors on;
        fastcgi_index  index.php;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_pass   www;
    }

       location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|js|css|pdf)$ {
    access_log off; 
        log_not_found off; 
        expires max;
        }

    client_max_body_size 8m;
    client_body_timeout 60;

}