
Nginx/Tengine通用配置教程,包含多域名共用一个端口指向不同程序、Nginx负载均衡配置、Https配置、禁止通过IP访问、设置访问流量并发速率、Nginx反代PHP、Nginx反代Tomcat。

Nginx通用配置:

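user www www;                         # workers run as the unprivileged www account; the master stays root only to bind :80/:443
worker_processes auto;
worker_cpu_affinity auto;
# Tengine-only block: dynamic module loading (mainline nginx spells this load_module)
dso {
    load ngx_http_concat_module.so;
    load ngx_http_sysguard_module.so;   # loaded, but no sysguard_* directive appears anywhere in this config, so it is inert until configured
}

# The original logged at "crit", which discards error/warn entries (upstream connect failures,
# "client intended to send too large body", permission problems on the socket or docroot) - exactly
# the lines you need when investigating an incident. "error" keeps them at negligible cost.
error_log /data/wwwlogs/error_nginx.log error;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;             # per-worker fd ceiling; worker_connections (below) must not exceed it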

events {
  use epoll;                  # Linux-specific event method; on other kernels drop the line and let nginx choose
  worker_connections 51200;   # per worker; kept equal to worker_rlimit_nofile above, so this is the hard ceiling
  multi_accept on;            # accept every pending connection per wake-up instead of one at a time
}

http {
  include mime.types;
  default_type application/octet-stream;
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  # NOTE(review): this is a global cap - 1 GiB request bodies are accepted on every vhost below and
  # spooled to disk under client_body_temp. A small default here, raised only in the location that
  # actually takes uploads, limits what an anonymous client can make the box write.
  client_max_body_size 1024m;
  client_body_buffer_size 10m;
  sendfile on;
  tcp_nopush on;
  keepalive_timeout 120;          # idle keep-alive connections hold a worker_connections slot for 2 minutes
  server_tokens off;              # no version string in the Server: header or on error pages
  tcp_nodelay on;

  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;
  fastcgi_intercept_errors on;    # backend 4xx/5xx are routed through error_page (only matters where error_page is set)

  #Gzip Compression
  # NOTE(review): compressing dynamic HTML over TLS is the precondition for BREACH when a page reflects
  # attacker-controlled input next to a secret (e.g. a CSRF token). Static assets are fine; consider
  # excluding text/html on the HTTPS vhosts if that applies.
  gzip on;
  gzip_buffers 16 8k;
  gzip_comp_level 6;
  gzip_http_version 1.1;
  gzip_min_length 256;
  gzip_proxied any;
  gzip_vary on;
  gzip_types
text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
text/javascript application/javascript application/x-javascript
text/x-json application/json application/x-web-app-manifest+json
text/css text/plain text/x-component
font/opentype application/x-font-ttf application/vnd.ms-fontobject
image/x-icon;
  gzip_disable "MSIE [1-6]\.(?!.*SV1)";

  #If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
  open_file_cache max=1000 inactive=20s;
  open_file_cache_valid 30s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;

# Catch-all for requests whose Host header matches no server_name (bare IP, random hostnames, scanner
# traffic): 444 closes the connection without sending a response. Note it only covers port 80; once
# HTTPS vhosts exist, https://<ip>/ is still answered by the first server that listens on 443.
server {  
    listen       80  default_server;  
    server_name  _;  
    return       444;  
} 

server {
    listen 80;
    server_name v.4xx.me;
    access_log /data/wwwlogs/v.4xx.me_nginx.log combined;
    index index.html index.htm index.jsp;
    root /data/wwwroot/v.4xx.me;    # optional: everything below is proxied, nothing is served from disk
    
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    # "location ~" with no pattern appears to be parsed as an empty regex, i.e. match everything;
    # "location /" is the conventional way to say the same thing.
    location ~ {
        proxy_pass http://127.0.0.1:8080;
        proxy_connect_timeout 300s;
        proxy_send_timeout 900;
        proxy_read_timeout 900;
        proxy_buffer_size 32k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_redirect off;
        proxy_hide_header Vary;
        proxy_set_header Accept-Encoding '';   # backend answers uncompressed; nginx does the gzip (see above)
        proxy_set_header Referer $http_referer; # Referer and Cookie are forwarded by default anyway; explicit here
        proxy_set_header Cookie $http_cookie;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for APPENDS $remote_addr to whatever X-Forwarded-For the client sent,
        # so the backend must only trust the last entry (this proxy's view), never the first.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

Nginx共用一个端口指向不同程序

# Routing is by the Host header (server_name); both vhosts share port 80.
server {
    listen 80;
    server_name 域名1;
    # NOTE(review): both vhosts log to the same file and use the same root; give each its own
    # access_log or the two sites' traffic is interleaved when you need to reconstruct an incident.
    access_log /data/wwwlogs/v.4xx.me_nginx.log combined;
    index index.html index.htm index.jsp;
    root /data/wwwroot/v.4xx.me;    # optional: everything is proxied
    
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    location ~ {
        # Both example vhosts point at 127.0.0.1:8080; to reach a *different* application the second
        # one needs that application's own listener here.
        proxy_pass http://127.0.0.1:8080;
        include proxy.conf;   # not shown on this page; expected to carry the Host/X-Real-IP/X-Forwarded-* headers from the first listing
    }
}
server {
    listen 80;
    server_name 域名2;
    access_log /data/wwwlogs/v.4xx.me_nginx.log combined;   # NOTE(review): same log file as 域名1 - separate them per site
    index index.html index.htm index.jsp;
    root /data/wwwroot/v.4xx.me;    # optional: everything is proxied
    
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    location ~ {
        # Identical target to the first vhost; change the port to the second application's listener
        # for this to actually serve "different programs".
        proxy_pass http://127.0.0.1:8080;
        include proxy.conf;   # not shown on this page
    }
}

Nginx负载均衡配置

# Tomcat example; a PHP-FPM pool behind fastcgi_pass is configured the same way
upstream tomcats {
     # Tengine session_sticky: a cookie pins each client to one backend instead of sharing session state
     # between backends. NOTE(review): "option=direct" - confirm against your Tengine version's docs;
     # fallback=on is documented as sending the request elsewhere when the pinned backend is down.
     session_sticky cookie=SESSION.V.4XX.ME fallback=on mode=insert option=direct;
     server 127.0.0.1:9001 weight=1;
     # LAN backend reached over plain HTTP: cookies and credentials cross the internal network in clear,
     # acceptable only on a segment you trust end to end.
     server 192.168.128.1:80 weight=1;  # weight = relative share of requests; lets an internal box take load
   }

server {
    listen       80;
    server_name  域名;
    location / { 
        session_sticky_hide_cookie upstream=tomcats;    # hides the sticky cookie from the backends so Tomcat never sees it
        proxy_pass http://tomcats;
        include proxy.conf;   # not shown on this page; expected to set Host/X-Real-IP/X-Forwarded-* as in the first listing
    }
}

Nginx开启Https

#需要nginx编译时带上 --with-http_ssl_module（使用 http2 还需要 --with-http_v2_module），可用 nginx -V 确认

#php Typecho博客的配置,用的fastcgi_pass unix:/dev/shm/php-cgi.sock; (该socket文件的权限应只允许nginx的worker用户访问)
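server {
  listen 80;
  listen 443 ssl http2;
  ssl_certificate /usr/local/tengine/conf/ssl/4xx.me_ssl.crt;       # leaf + intermediate chain; clients and OCSP stapling need the intermediates here
  ssl_certificate_key /usr/local/tengine/conf/ssl/4xx.me_ssl.key;   # keep it mode 0600: the master (root) reads it, workers never need to
  # TLS 1.0/1.1 are deprecated (RFC 8996) and fail compliance scans; the original list enabled them.
  # Drop TLSv1.3 from this line only if your build rejects it (needs nginx >= 1.13.0 on OpenSSL >= 1.1.1).
  ssl_protocols TLSv1.2 TLSv1.3;
  # Forward-secret ECDHE suites only. The original string also allowed static-RSA key exchange (no forward
  # secrecy: a leaked key decrypts recorded traffic) and 3DES (64-bit block cipher, Sweet32).
  ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES128:EECDH+AES256:!3DES:!MD5:!aNULL;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_buffer_size 1400;
  add_header Strict-Transport-Security max-age=15768000;   # ~6 months; add "; includeSubDomains" once every subdomain is HTTPS-only
  ssl_stapling on;
  ssl_stapling_verify on;
  # ssl_stapling_verify can only check the OCSP response if the issuer chain is trusted, and resolving
  # the responder hostname needs a resolver; without both, stapling silently does nothing.
  #ssl_trusted_certificate <path to intermediate + root chain>;
  #resolver <dns server> valid=300s;
  server_name 4xx.me;
  access_log /data/wwwlogs/4xx.me_nginx.log combined;
  index index.html index.htm index.php;
  root /data/wwwroot/4xx.me;
  # Plain-HTTP requests (no TLS protocol negotiated) get a permanent redirect to HTTPS; HTTPS requests fall through.
  if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

  # Typecho pretty URLs: anything that is not an existing file/directory becomes PATH_INFO on index.php.
  if (!-e $request_filename) {
    rewrite ^(.*)$ /index.php$1 last;
  }

  location ~ [^/]\.php(/|$) {
    # Split "/index.php/archives/1" into $fastcgi_script_name=/index.php and $fastcgi_path_info=/archives/1
    # (replaces the hand-rolled if/set regex the original used for the same split).
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # Only execute scripts that actually exist. Without this check a request such as /uploads/x.jpg/y.php
    # reaches PHP-FPM with a non-existent SCRIPT_FILENAME, and with cgi.fix_pathinfo=1 (php.ini default)
    # PHP walks back the path and executes /uploads/x.jpg - the classic nginx+php-fpm upload-to-RCE.
    # Belt and braces: also set cgi.fix_pathinfo=0 in php.ini.
    if (!-f $document_root$fastcgi_script_name) { return 404; }
    fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_index index.php;

    fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
    fastcgi_param  QUERY_STRING       $query_string;
    fastcgi_param  REQUEST_METHOD     $request_method;
    fastcgi_param  CONTENT_TYPE       $content_type;
    fastcgi_param  CONTENT_LENGTH     $content_length;

    fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
    fastcgi_param  PATH_INFO          $fastcgi_path_info;
    fastcgi_param  REQUEST_URI        $request_uri;
    fastcgi_param  DOCUMENT_URI       $document_uri;
    fastcgi_param  DOCUMENT_ROOT      $document_root;
    fastcgi_param  SERVER_PROTOCOL    $server_protocol;
    fastcgi_param  HTTPS              $https if_not_empty;   # lets PHP tell HTTPS from HTTP (secure cookies, absolute URLs)

    fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
    fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

    fastcgi_param  REMOTE_ADDR        $remote_addr;
    fastcgi_param  REMOTE_PORT        $remote_port;
    fastcgi_param  SERVER_ADDR        $server_addr;
    fastcgi_param  SERVER_PORT        $server_port;
    fastcgi_param  SERVER_NAME        $server_name;

    # PHP only, required if PHP was built with --enable-force-cgi-redirect
    fastcgi_param  REDIRECT_STATUS    200;
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  # The original pattern was "\.(js|css)?$": the "?" made the extension optional, so any URI ending in "." matched too.
  location ~ .*\.(js|css)$ {
    expires 7d;
    access_log off;
  }
  # Deny every dotfile/dotdir (.git, .svn, .env, .htaccess, editor backups), not just .ht*, while keeping
  # /.well-known/ reachable for ACME challenges. Regex locations are tried in order, so the .php location
  # above still wins for PHP.
  location ~ /\.(?!well-known/) {
    deny all;
  }
}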
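# Java/Tomcat vhost: TLS is terminated here, Tomcat is reached over plain HTTP on loopback
server {
  listen 80;
  listen 443 ssl http2;
  ssl_certificate /usr/local/tengine/conf/ssl/4xx.me_ssl.crt;       # leaf + intermediate chain
  ssl_certificate_key /usr/local/tengine/conf/ssl/4xx.me_ssl.key;   # keep it mode 0600
  # TLS 1.0/1.1 are deprecated (RFC 8996); the original list enabled them.
  # Drop TLSv1.3 from this line only if your build rejects it (needs nginx >= 1.13.0 on OpenSSL >= 1.1.1).
  ssl_protocols TLSv1.2 TLSv1.3;
  # Forward-secret ECDHE only; the original string also allowed static-RSA key exchange and 3DES (Sweet32).
  ssl_ciphers     EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES128:EECDH+AES256:!3DES:!MD5:!aNULL;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_buffer_size 1400;
  add_header Strict-Transport-Security max-age=15768000;   # ~6 months
  ssl_stapling on;
  ssl_stapling_verify on;
  # Verification needs the trusted issuer chain and a resolver for the OCSP responder; otherwise stapling is a no-op.
  #ssl_trusted_certificate <path to intermediate + root chain>;
  #resolver <dns server> valid=300s;
  server_name 域名;
  access_log /data/wwwlogs/4xx.me_nginx.log     combined;
  index index.html index.htm index.jsp;
  root /data/wwwroot/4xx.me;
  # Plain-HTTP requests get a permanent redirect to HTTPS; HTTPS requests fall through.
  if ($ssl_protocol = "") { return 301 https://$host$request_uri; }

   #error_page 404 /404.html;
    #error_page 502 /502.html;
    # The original "location ~ {" (empty regex) matches everything; "location /" says so explicitly.
    location / {
    proxy_pass http://127.0.0.1:8080;
    # proxy.conf is not shown on this page; it is expected to carry Host/X-Real-IP/X-Forwarded-For/
    # X-Forwarded-Proto as in the first listing. Tomcat has to honour X-Forwarded-Proto (e.g. via
    # RemoteIpValve) or the redirects it generates will likely be http:// and its cookies non-Secure.
    include proxy.conf;
}

}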

禁止通过IP访问

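# Catch-all for requests whose Host header matches no server_name (bare IP, random hostnames, scanner
# traffic): 444 closes the connection without sending any response.
server {
    listen       80  default_server;
    server_name  _;
    return       444;
}

# Port 80 alone is not enough once HTTPS vhosts exist: https://<ip>/ is otherwise answered by the first
# server block that listens on 443, with that site's certificate and content. ssl_reject_handshake
# (nginx >= 1.19.4 - check what your Tengine is based on) aborts the TLS handshake for such requests;
# on older builds point ssl_certificate/ssl_certificate_key at a self-signed pair here instead.
server {
    listen       443 ssl default_server;
    server_name  _;
    ssl_reject_handshake on;
    return       444;
}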

设置每个客户端IP的请求速率上限,可缓解来源IP较少的CC/暴力破解类攻击;对大流量DDoS无效(带宽在到达nginx之前就已被占满)。若站点位于CDN或其他反向代理之后,需先用realip模块(set_real_ip_from/real_ip_header)取得真实客户端IP,否则整个CDN会被当作一个客户端限速。

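# limit_req_zone / limit_conn_zone live in the http{} context. Both are keyed on the client IP: behind a
# CDN or another proxy every request carries the proxy's address, so configure set_real_ip_from /
# real_ip_header first or the whole CDN is throttled as one client.
limit_req_zone $binary_remote_addr zone=qpscon:10m rate=10r/s;   # sustained 10 requests/s per IP
limit_conn_zone $binary_remote_addr zone=perip:10m;              # concurrent connections per IP (the "并发" part the title promises)
server {
    listen       80;
    server_name  域名;
    location / {
        limit_req zone=qpscon burst=10 nodelay;   # up to 10 extra requests are served immediately; beyond that, rejected
        limit_conn perip 20;                      # cap simultaneous connections per IP; tune for your clients
        # Default rejection status is 503, which looks like an outage in dashboards and to clients;
        # 429 makes it unambiguous that it was rate limiting.
        limit_req_status 429;
        limit_conn_status 429;
        proxy_pass http://tomcats;                # upstream "tomcats" must be defined in http{} (see the load-balancing section)
        include proxy.conf;
    }
}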

使用的hostker洛杉矶1核1g的主机,速度良好,很满意,拉回本地带宽峰值31M 300-400ms,36¥一个月足够日常建站使用。

typecho下使用极验证

  • 下载安装包
  • 放入插件文件夹
  • 开启插件

下载插件包

这里使用的是me@jinfeijie.cn的极验证插件,可以去链接内下载使用。这是第三方个人维护的插件,会以站点自身的权限在后台运行,启用前先检查解压出的PHP代码,并留意其后续更新。极验技术支持

下载代码至 Typecho 根目录下的 usr/plugins 目录

可以使用wget

下载链接

# Fetched over HTTPS from the plugin author's site; no checksum or signature is published on this page, so inspect the archive contents before enabling the plugin
wget https://jinfeijie.cn/Doc/Geetest.zip

解压方法

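# List the archive first: every entry should sit under a single plugin directory, with no absolute paths
# or "../" components that would land files outside usr/plugins
unzip -l Geetest.zip
unzip Geetest.zip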

开启方法

  • 进入后台——>控制台——>插件
  • CAPTCHA_ID 和 PRIVATE_KEY 在极验后台管理页面获取;PRIVATE_KEY 是服务端密钥,只填在后台的插件配置中,不要写进模板、前端JS或提交到公开仓库