Common nginx commands


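1. Common commands

Start the service: start nginx
Stop the service: nginx -s stop
                  nginx -s quit
The difference between the stop and quit arguments: stop shuts nginx down quickly and may not save relevant information, while quit shuts nginx down completely and in order, and saves relevant information.
The effect of both the start and stop commands can be observed in the Processes tab of Windows Task Manager.
Restart the service (reload the configuration): nginx -s reload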

Windows operations
Start
Double-click nginx.exe in the Nginx directory, or run start nginx from cmd
Check whether nginx is running
     1) From the command line:   tasklist /fi "imagename eq nginx.exe"

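Key point for separating dynamic and static content: the port used to access the server must be the port nginx listens on; this is what avoids cross-origin requests.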

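Configuration parameters:
Using nginx as a reverse proxy

Note the difference between $proxy_port and $server_port

$server_port: the port nginx listens on

$proxy_port: the port of the server that is actually accessed

# Use this Host value in most cases
proxy_set_header   Host             $host;
# Pass the user's real IP address to the backend
proxy_set_header   X-Real-IP        $remote_addr;
proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;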

2. Everyday HTTP request configuration

Basic configuration for a separated front end and back end

server {
    listen       8203;

    location / {
        root   /usr/www/validation-demo/h5-1-advance;
        index  index.html;
        try_files $uri $uri/ /index.html;
        if ($request_filename ~* .*\.(?:htm|html)$){
            add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
        }
    }

     location /api/ {
        proxy_pass   http://192.168.8.10:5001/;
    }

}

Separated front end and back end with forced HTTPS

server {
    listen 443 ssl;
    server_name www.huzhihui.com;
    ssl_certificate   /etc/nginx/cert/5673168_www.huzhihui.com.pem;
    ssl_certificate_key  /etc/nginx/cert/5673168_www.huzhihui.com.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location / {
      root   /alidata/view/eip-home;
      index  index.html;
      try_files $uri $uri/ /index.html;
      if ($request_filename ~* .*\.(?:htm|html)$){
        add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
      }
      expires 7d;
    }
    location /api/ {
      proxy_pass  http://127.0.0.1:56000/;
    }
  }
  server{
    listen 80;
    server_name www.huzhihui.com;
    rewrite  ^/(.*)$ https://www.huzhihui.com/$1 permanent;
  }

Fix for POST problems when forcing HTTPS on a legacy project


server{
    listen 80;
    server_name wx.huzhihui.cn;
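    # Browsers ignore Strict-Transport-Security on plain-HTTP responses; it only takes effect when the HTTPS server sends it
    add_header Strict-Transport-Security max-age=15768000;
    location / {
      # Clients commonly re-send a POST as GET after a 301, losing the body, so the listed methods are proxied to the HTTPS site instead of redirected
      if ($request_method ~ ^(POST|DELETE|OPTIONS)$) {
        proxy_pass https://wx.huzhihui.cn;
        break;
      }
      rewrite ^/(.*)$   https://wx.huzhihui.cn/$1 permanent;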
    }
  }

Deploying an ordinary site where front end and back end are one project

server{
    listen 80;
    server_name www.huzhihui.com;

    location /{
        proxy_redirect default;
        proxy_pass http://127.0.0.1:8093;
        proxy_set_header Host $host;
        proxy_set_header Referer $http_referer;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    }

}

Static/dynamic separation + load balancing configuration

upstream web_servers {  
    server localhost:8080;  
    server localhost:8081;  
}  

server {
    listen       80;
    server_name  www.huzhihui.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://web_servers;
    }

    location ~.*\.(js|css)$ {
        root    /opt/static-resources;
        expires     12h;
    }

    location ~.*\.(html|jpg|jpeg|png|bmp|gif|ico|mp3|mid|wma|mp4|swf|flv|rar|zip|txt|doc|ppt|xls|pdf)$ {
        root    /opt/static-resources;
        expires     7d;
    }

    error_page  404              /404.html;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

General HTTPS configuration

server {
    listen 443 ssl;
    server_name www.huzhihui.com;
    ssl_certificate   cert-tues/214069203020278.pem;
    ssl_certificate_key  cert-tues/214069203020278.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow TLS 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://127.0.0.1:9002/;
        proxy_redirect default;
        proxy_http_version 1.1;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}
server{
    listen 80;
    server_name www.huzhihui.com;
    rewrite  ^/(.*)$ https://server.ourtues.com/$1 permanent;
}

3. Everyday TCP request configuration

stream {
    upstream backend {
        hash $remote_addr consistent;
        server 127.0.0.1:7100 max_fails=3 fail_timeout=10s;
        server 127.0.0.1:7102 max_fails=3 fail_timeout=10s;
    }

    server {
        listen 8000;
        proxy_connect_timeout 2s;
        proxy_timeout 5m;
        proxy_pass backend;
    }

}

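Nginx detects failures from connection attempts. If, within a period of length fail_timeout, connections to the same backend node fail max_fails times, the node is marked unavailable and nginx waits for the next period (also fail_timeout long) before trying the node again to see whether a connection succeeds. If it succeeds, the node returns to the previous round-robin rotation; if it is still unavailable, nginx tries once more in the following period (fail_timeout).

  • Defaults: fail_timeout is 10s, max_fails is 1

  • Note in particular that reverse proxying for TCP is configured in the stream module

TLS encryption for TCP with a certificate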

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}

stream {
    upstream stream_backend {
         server 192.168.137.110:4000;
    }

    server {
        listen                443 ssl;
        proxy_pass            stream_backend;

        ssl_certificate      /cert/local-110.huzhihui.com.crt;
        ssl_certificate_key  /cert/local-110.huzhihui.com.key;
        # SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 7568, RFC 8996); allow TLS 1.2 and 1.3 only
        ssl_protocols         TLSv1.2 TLSv1.3;
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSL:20m;
        ssl_session_timeout   4h;
     }
}

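Dynamic reverse proxy configuration

Suppose a request arrives for an address such as http://192.168.137.191:8060/file-proxy/http://192.168.137.2:18206/abc/111 and we want it to actually reach http://192.168.137.2:18206/abc/111 on that server; the rule below does this. (When an external service cannot reach an intranet interface, this kind of dynamic reverse proxy can be used; likewise when the outside is HTTPS but the interface being called is HTTP.)

  • rewrite: rewrites the request path
  • proxy_pass: sets the reverse proxy address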
location /file-proxy/ {
   resolver 8.8.8.8;
   rewrite ^/file-proxy/(https?):\/([^/]+)(.*)$ $3 break;
   proxy_pass $1://$2;
}
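
As written, the rule above forwards to whatever host the request path names, so every client that can reach /file-proxy/ can reach every address nginx can. A variant restricted to an allowlist, added here as an example (not part of the original post); the variable names $up_scheme, $up_host, $up_path and $proxy_allowed are assumptions, and the single allowed backend is the one from the example URL:

```nginx
# http context: only the host:port pairs listed here may be reached through /file-proxy/
map $up_host $proxy_allowed {
    default                 0;
    192.168.137.2:18206     1;   # backend taken from the example URL above
}

server {
    listen 8060;

    # nginx merges "//" into "/" before matching, so the scheme is followed by a single slash.
    # Named captures are used because they stay set after later rewrite-module directives run.
    location ~ ^/file-proxy/(?<up_scheme>https?):/(?<up_host>[^/]+)(?<up_path>/.*)$ {
        # Refuse any target that is not on the allowlist
        if ($proxy_allowed = 0) {
            return 403;
        }

        # Strip the /file-proxy/<scheme>:/<host> prefix; the query string is kept automatically
        rewrite ^ $up_path break;

        # The allowlisted target is an IP literal, so no resolver is needed.
        # If hostnames are added to the map, configure a resolver you control.
        proxy_pass $up_scheme://$up_host;
    }
}
```

A request for /file-proxy/http://192.168.137.2:18206/abc/111 is proxied as before, while any other host or port in the path gets a 403 before nginx opens an upstream connection.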