Nginx: Difference between revisions
No edit summary |
No edit summary |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
[http://nginx.org/ Nginx] | ===[http://nginx.org/ Nginx]=== | ||
Nginx 已被证明具有极高的稳定性、高性能和高可靠性,并提供了一套强大的工具。 | Nginx 已被证明具有极高的稳定性、高性能和高可靠性,并提供了一套强大的工具。 | ||
与 [https://httpd.apache.org/ Apache] 相比, Nginx 具有的优势: | 与 [https://httpd.apache.org/ Apache] 相比, Nginx 具有的优势: | ||
# 轻量 | #轻量 | ||
# 占用内存少 | #占用内存少 | ||
# 配置项更丰富 | #配置项更丰富 | ||
# 高负载下性能更好 | #高负载下性能更好 | ||
=== Installation === | ===Installation=== | ||
官方 repo 配置 请参考 [http://nginx.org/en/linux_packages.html nginx.org] | 官方 repo 配置 请参考 [http://nginx.org/en/linux_packages.html nginx.org] | ||
=== Configuration === | ===Configuration=== | ||
<code>/etc/nginx/nginx.conf</code> 包含全局配置, 任何站点配置请放在 <code>/etc/nginx/conf.d/</code> 目录下. | <code>/etc/nginx/nginx.conf</code> 包含全局配置, 任何站点配置请放在 <code>/etc/nginx/conf.d/</code> 目录下. | ||
=== Performance === | ===Performance=== | ||
#启用gzip压缩 | |||
#添加upstream响应时间 | |||
#为静态内容设置适当的过期时间 | |||
#在启用HTTPS的站点总是启用HTTP/2 | |||
# | |||
===Caching=== | |||
===Security=== | |||
Nginx 有许多提供Web Application Firewall(WAF)的模块,但是几乎所有模块都需要从源码编译 Nginx. | |||
Naxsi 和 modsecurity是两个流行的选择 | |||
===典型配置=== | |||
Mollzia提供了一个非常优秀的[https://ssl-config.mozilla.org/ Nginx配置生成工具]. | |||
<code>/etc/nginx/ngxin/conf</code> | |||
<syntaxhighlight lang="bash"> | |||
user nginx; #Use for CentOS | |||
#user www-data; #Use for Debian | |||
worker_processes auto; #Or set to number of CPU cores | |||
error_log /var/log/nginx/error.log warn; | |||
pid /run/nginx.pid; | |||
include /usr/share/nginx/modules/*.conf; | |||
events { | |||
worker_connections 1024; | |||
} | |||
http { | |||
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |||
'$status $body_bytes_sent "$http_referer" ' | |||
'"$http_user_agent" "$http_x_forwarded_for"' | |||
'"$request_time" "$upstream_response_time" $upstream_cache_status'; | |||
access_log /var/log/nginx/access.log main; | |||
sendfile on; | |||
tcp_nopush on; | |||
tcp_nodelay on; | |||
keepalive_timeout 65; | |||
types_hash_max_size 2048; | |||
server_tokens off; | |||
include /etc/nginx/mime.types; | |||
default_type application/octet-stream; | |||
include /etc/nginx/conf.d/*.conf; | |||
} | |||
</syntaxhighlight> | |||
<code>/etc/nginx/conf.d/example.conf</code><syntaxhighlight lang="bash"> | |||
upstream www { | |||
server unix:/run/php-fpm/www.sock; | |||
} | |||
server { | |||
listen 80; | |||
server_name example.com www.example.com; | |||
return 301 https://$server_name$request_uri; | |||
} | |||
server { | |||
listen 443 ssl http2; | |||
server_name example.com www.example.com; | |||
access_log /var/log/nginx/example.com.access.log main; | |||
error_log /var/log/nginx/example.com.error.log; | |||
root /path/to/your/web/root; | |||
index index.php index.html index.htm; | |||
#SSL settings | |||
#https://ssl-config.mozilla.org/#hsts=false | |||
ssl_certificate /etc/letsencrypt/live/exmaple.com/fullchain.pem; | |||
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; | |||
ssl_session_timeout 1d; | |||
ssl_session_cache shared:SSL:50m; | |||
ssl_session_tickets off; | |||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | |||
ssl_prefer_server_ciphers on; | |||
resolver 8.8.8.8; | |||
#Performance settings | |||
server_tokens off; | |||
gzip on; | |||
gzip_vary on; | |||
gzip_types text/plain text/css text/xml text/javascript application/json application/x-javascript application/javascript application/xhtml+xml application/xml application/atom+xml application/xml+rss font/opentype image/svg+xml image/x-icon; | |||
gzip_proxied no-cache no-store private expired auth; | |||
gzip_min_length 1000; | |||
gzip_disable "msie6"; | |||
gzip_comp_level 6; | |||
gzip_buffers 16 8k; | |||
keepalive_timeout 65; | |||
sendfile on; | |||
location / { | |||
try_files $uri $uri/; | |||
gzip_static on; | |||
} | |||
location ~ \.php$ { | |||
try_files $uri =404; | |||
fastcgi_intercept_errors on; | |||
fastcgi_index index.php; | |||
include fastcgi_params; | |||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |||
fastcgi_pass www; | |||
} | |||
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|js|css|pdf)$ { | |||
access_log off; | |||
log_not_found off; | |||
expires max; | |||
} | |||
client_max_body_size 8m; | |||
client_body_timeout 60; | |||
} | |||
</syntaxhighlight><br /> | |||
[[Category:Nginx]] | |||
[[Category:Web]] | |||
Latest revision as of 02:22, 17 May 2020
Nginx
Nginx 已被证明具有极高的稳定性、高性能和高可靠性,并提供了一套强大的工具。
与 Apache 相比, Nginx 具有的优势:
- 轻量
- 占用内存少
- 配置项更丰富
- 高负载下性能更好
Installation
官方 repo 配置 请参考 nginx.org
Configuration
/etc/nginx/nginx.conf 包含全局配置, 任何站点配置请放在 /etc/nginx/conf.d/ 目录下.
Performance
- 启用gzip压缩
- 添加upstream响应时间
- 为静态内容设置适当的过期时间
- 在启用HTTPS的站点总是启用HTTP/2
Caching
Security
Nginx 有许多提供Web Application Firewall(WAF)的模块,但是几乎所有模块都需要从源码编译 Nginx.
Naxsi 和 modsecurity是两个流行的选择
典型配置
Mollzia提供了一个非常优秀的Nginx配置生成工具.
/etc/nginx/ngxin/conf
user nginx; #Use for CentOS
#user www-data; #Use for Debian
worker_processes auto; #Or set to number of CPU cores
error_log /var/log/nginx/error.log warn;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
'"$request_time" "$upstream_response_time" $upstream_cache_status';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
}
/etc/nginx/conf.d/example.conf
upstream www {
server unix:/run/php-fpm/www.sock;
}
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com www.example.com;
access_log /var/log/nginx/example.com.access.log main;
error_log /var/log/nginx/example.com.error.log;
root /path/to/your/web/root;
index index.php index.html index.htm;
#SSL settings
#https://ssl-config.mozilla.org/#hsts=false
ssl_certificate /etc/letsencrypt/live/exmaple.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
resolver 8.8.8.8;
#Performance settings
server_tokens off;
gzip on;
gzip_vary on;
gzip_types text/plain text/css text/xml text/javascript application/json application/x-javascript application/javascript application/xhtml+xml application/xml application/atom+xml application/xml+rss font/opentype image/svg+xml image/x-icon;
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 1000;
gzip_disable "msie6";
gzip_comp_level 6;
gzip_buffers 16 8k;
keepalive_timeout 65;
sendfile on;
location / {
try_files $uri $uri/;
gzip_static on;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_intercept_errors on;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass www;
}
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|js|css|pdf)$ {
access_log off;
log_not_found off;
expires max;
}
client_max_body_size 8m;
client_body_timeout 60;
}