1、nginx.conf
# Number of worker processes nginx starts.
worker_processes 1;
events {
# Upper bound on simultaneous connections handled by each worker process.
worker_connections 1024;
}
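http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # Hide the nginx version in the Server header and on generated error pages.
    server_tokens off;

    # Inheritance caveat: a server or location block inherits the add_header
    # directives below only if it declares no add_header of its own. Any block
    # that adds a header must repeat the security headers it still needs.
    # "always" also sends the header on error responses (4xx/5xx), which
    # add_header skips by default.

    # Clickjacking protection: only same-origin pages may frame this site.
    add_header X-Frame-Options SAMEORIGIN always;
    # Disable MIME type sniffing so a response is never reinterpreted as script.
    add_header X-Content-Type-Options nosniff always;
    # Legacy XSS-filter header. It is deprecated and modern browsers no longer
    # implement the filter; it is kept here only for old clients and is not a
    # substitute for output encoding or a strict CSP.
    add_header X-XSS-Protection "1; mode=block" always;
    # Content-Security-Policy: tells the browser which origins content may be
    # loaded from.
    # NOTE(review): this value allows every http:/https: origin plus
    # 'unsafe-inline', so it gives very little protection against XSS.
    # Tighten it to the origins the application really uses before relying on it.
    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    # HSTS: browsers that have seen this header use HTTPS only for the site.
    # It only takes effect when delivered over HTTPS, so enable it in the
    # TLS server block once every covered host name is reachable over HTTPS.
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Enable gzip compression.
    gzip on;
    # Do not compress responses smaller than 1 KB.
    gzip_min_length 1k;
    # Number and size of the buffers used for compression.
    gzip_buffers 4 16k;
    # Compression level 1-9: higher compresses more and costs more CPU; around 4 is a reasonable default.
    gzip_comp_level 4;
    # MIME types to compress in addition to text/html; add any that are missing.
    gzip_types text/css text/javascript application/javascript;
    # Regex of User-Agent values for which gzip is disabled: here IE 6 and older.
    gzip_disable "MSIE [1-6]\.";
    # Add the "Vary: Accept-Encoding" response header.
    gzip_vary on;
    # Minimum HTTP version of a request for gzip to apply; can be left unset without a load balancer in front.
    # gzip_http_version 1.0;

    # Backends listen on loopback only, so they are reachable solely through this proxy.
    # NOTE(review): "gdstats" is not referenced by the vhost examples on this page.
    upstream gdstats {
        server 127.0.0.1:8082;
    }
    upstream storage {
        server 127.0.0.1:9300;
    }

    include /etc/nginx/conf.d/*.conf;
}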
2、vhost.conf
将 vhost.conf 文件放到 conf.d/ 目录下(Java 版本)
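# Plain-HTTP virtual host: static front end plus two reverse-proxied backends.
# NOTE(review): everything here, including API credentials and uploads, travels
# unencrypted. If a TLS server block exists for this name, consider reducing
# this block to a redirect to HTTPS.
# This block declares no add_header, so it inherits the http-level security headers.
server {
    listen 80;
    # NOTE(review): if this is the only server on port 80 it is also the default
    # server and answers requests carrying any Host header.
    server_name test.ts;
    root /home/projects/ui;
    # Maximum accepted request body; applies to every location below.
    client_max_body_size 100m;

    # Single-page application: fall back to index.html for unknown paths.
    location / {
        try_files $uri $uri/ /index.html;
        index index.html index.htm;
    }

    # API backend. The trailing slash on proxy_pass strips the /prod-api/ prefix.
    location /prod-api/ {
        # The Upgrade/Connection headers below are for WebSocket proxying,
        # which needs HTTP/1.1 towards the upstream; set it explicitly.
        proxy_http_version 1.1;
        # $http_host is the client-supplied Host header, forwarded unchanged;
        # the backend must not trust it for building links or redirects.
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        # Appends the peer address to any X-Forwarded-For the client sent, so
        # only the last entry is added by this proxy; earlier ones are untrusted.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        # Sent on every request, not only on WebSocket handshakes.
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:9000/;
    }

    # Storage backend. Prefix match without a trailing slash: it also matches
    # paths such as /uploads or /upload-anything.
    location /upload {
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://storage;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}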
https/443端口配置参考 (php版本)
证书可以在阿里云上免费申请
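# HTTPS virtual host for a PHP application served through FastCGI.
server {
    listen 443 ssl;
    server_name test.ts;
    root /home/projects/ui;
    client_max_body_size 20m;

    # Because this block declares add_header, it no longer inherits any
    # add_header from the http level (including a Content-Security-Policy set
    # there); repeat here whatever is still wanted.
    # "always" also sends the headers on error responses.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Deprecated legacy header; modern browsers ignore it.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Enable once every covered host name is served over HTTPS:
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    index index.html index.htm index.php;

    # NOTE(review): the file names refer to kunyuan.tech while server_name is
    # test.ts; make sure the certificate covers the name actually served.
    # The private key should be readable by root only.
    ssl_certificate /etc/nginx/cert/kunyuan.tech.pem;
    ssl_certificate_key /etc/nginx/cert/kunyuan.tech.key;
    ssl_session_timeout 5m;
    # AEAD suites with forward secrecy only. The previous list fell back to the
    # broad ECDH/AES/HIGH groups, which admit CBC-mode and non-forward-secret suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and dropped here.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    charset utf-8;

    # Front-controller routing: unknown paths are handled by index.php.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    error_page 404 /index.php;

    # NOTE(review): every URI ending in .php is handed to PHP-FPM. If files
    # written by users can end up under the document root, restrict this
    # location to the application's front controller, or return 404 for
    # scripts that do not exist, so that only intended scripts are executed.
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Static assets: cache for 7 days. These locations declare no add_header,
    # so the server-level security headers still apply.
    location ~ .*\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$ {
        expires 7d;
    }
    location ~ .*\.(?:js|css)$ {
        expires 7d;
    }

    # HTML must never be cached. This location declares its own add_header, so
    # the server-level headers are not inherited; they are repeated here,
    # otherwise HTML pages would be served without X-Frame-Options and nosniff.
    location ~ .*\.(?:htm|html)$ {
        add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
    }

    # NOTE(review): compressing TLS responses that contain both secrets (for
    # example CSRF tokens) and attacker-influenced input exposes them to
    # compression side channels (BREACH); exclude such responses if they exist.
    gzip on;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # Block dotfiles and dot-directories (.git, .env, ...) except /.well-known.
    location ~ /\.(?!well-known).* {
        deny all;
    }
}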
3、操作命令
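sudo nginx -s stop                                 # stop: fast shutdown (use "-s quit" for a graceful one)
sudo nginx -t -c /usr/local/etc/nginx/nginx.conf   # validate the configuration before starting or reloading
sudo nginx -c /usr/local/etc/nginx/nginx.conf      # start with an explicit configuration file
sudo nginx -s reload                               # reload the configuration (workers are replaced gracefully; not a full restart)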
4、设置开机启动
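# Start nginx automatically at boot. Enabling a unit needs root, hence sudo,
# as with the other commands on this page.
# NOTE(review): a master process started by hand with "nginx -c ..." is not
# tracked by systemd; on a systemd host manage the service with systemctl only.
sudo systemctl enable nginx.service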