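@[TOC](Nginx third-party echo module, custom configuration, part 7)
ngx_http_gzip_module (compression)
- ngx_http_gzip_module
Compresses response data with gzip to save bandwidth
- gzip on | off;
Enables or disables gzip compression
- gzip_comp_level level;
Compression level, from low to high: 1 to 9
Default: 1
- gzip_disable regex ...;
Responses are not compressed for client browsers that match the regex
Example: gzip_disable "MSIE [1-6]\.";
- gzip_min_length length;
Response size threshold above which compression is applied
- gzip_http_version 1.0 | 1.1;
Minimum protocol version for which compression is applied; default: 1.1
- gzip_buffers number size;
Number of buffers used for compression and the size of each buffer
Default: 32 4k or 16 8k
- gzip_types mime-type ...;
Restricts compression to the listed resource types, i.e. a compression filter
text/html is included by default; do not list it explicitly, or an error results
- gzip_vary on | off;
If compression is enabled, whether to insert "Vary: Accept-Encoding" into the response headers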
[root@nginx site1]# cat /etc/nginx/conf.d/test.conf
charset utf-8;
server_tokens off;
server {
access_log /var/log/nginx/a_net.access.log access_json;
server_name www.a.net;
root /data/site1;
gzip on; # <--
gzip_comp_level 6; # <--
gzip_min_length 64; # <--
gzip_vary on; # <--
gzip_types text/xml text/css application/javascript; # <--
limit_rate 100k;
location / {
}
location /download {
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
limit_rate 100k;
index index.html;
}
location /nginx_status {
stub_status;
allow 127.0.0.1;
allow 192.168.37.0/24;
deny all;
}
location /admin {
root /data;
auth_basic "Admin Area";
auth_basic_user_file /etc/nginx/conf.d/.nginx_passwd;
}
}
server {
server_name *.a.tech;
root /data/site2/;
}
[root@nginx site1]# nginx -s reload
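ngx_http_ssl_module
- The ngx_http_ssl_module module:
- ssl on | off;
Enables the HTTPS protocol for the given virtual host; using the listen directive instead is recommended
- ssl_certificate file;
Certificate file in PEM format used by the current virtual host
- ssl_certificate_key file;
Private key file matching the certificate of the current virtual host
- ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];
SSL protocol versions to support; the default is the last three
- ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
none: tells the client that the SSL session cache is supported, although it actually is not
builtin[:size]: uses the cache built into OpenSSL, private to each worker process
[shared:name:size]: uses one cache shared between all workers
- ssl_session_timeout time;
How long a client connection may reuse what is held in the SSL session cache; default 5m
Example:
server {
listen 443 ssl;
server_name www.magedu.com;
root /vhosts/ssl/htdocs;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
}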
[root@nginx ~]# cd /etc/pki/tls/certs/
[root@nginx certs]# make a.net.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > a.key
Generating RSA private key, 2048 bit long modulus
.................+++
....................................................+++
e is 65537 (0x10001)
Enter pass phrase: #123.com
Verifying - Enter pass phrase: #123.com
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key a.key -x509 -days 365 -out a.crt
Enter pass phrase for a.key: #123.com
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country
State or Province Name (full name) []:beijing # province
Locality Name (eg, city) [Default City]:beijing # city
Organization Name (eg, company) [Default Company Ltd]:a.net # company
Organizational Unit Name (eg, section) []:opt # department
Common Name (eg, your name or your server's hostname) []:www.a.net # domain name
Email Address []: # e-mail
# Decrypt the private key (remove its passphrase)
[root@nginx certs]# openssl rsa -in a.key -out a.net.key
Enter pass phrase for a.key: #123.com
writing RSA key
[root@nginx certs]# ls
a.key a.net.key ca-bundle.trust.crt Makefile
a.net.crt ca-bundle.crt make-dummy-cert renew-dummy-cert
# Create the directory for the SSL files
[root@nginx certs]# mkdir /etc/nginx/ssl
# Move the two files there
[root@nginx certs]# mv a.net.* /etc/nginx/ssl/
# Tighten the permissions for security
[root@nginx certs]# chmod 600 /etc/nginx/ssl/*
[root@nginx certs]# mkdir /data/ssl
[root@nginx certs]# echo /data/ssl/index.html > /data/ssl/index.html
[root@nginx certs]# vim /etc/nginx/conf.d/test.conf
server_tokens off;
server {
listen 80;
listen 443 ssl; # <--
server_name www.a.net;
root /data/site1/;
ssl_certificate /etc/nginx/ssl/a.net.crt; # <--
ssl_certificate_key /etc/nginx/ssl/a.net.key; # <--
ssl_session_cache shared:sslcache:20m; # <--
ssl_session_timeout 10m; # <--
access_log /var/log/nginx/a_net.ssl.access.log access_json;
}
server {
listen 80;
server_name *.a.tech;
root /data/site2/;
}
[root@nginx certs]# nginx -s reload
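ngx_http_rewrite_module (part 1)
- The ngx_http_rewrite_module module:
Checks the URI of a request against patterns written as PCRE regular expressions, then performs the redirect or replacement
- Example:
www.a.com/hn --> www.a.com/henan
www.a.com --> www.a.com/
- if (condition) { ... }
When the condition is met, the directives inside the block are executed; context: server, location
condition:
Comparison operators:
= equal
!= not equal
~ pattern match, case-sensitive
~* pattern match, case-insensitive
!~ pattern does not match, case-sensitive
!~* pattern does not match, case-insensitive
File and directory existence tests:
-e, !-e exists or not (file, directory or symlink)
-f, !-f file
-d, !-d directory
-x, !-x executable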
Redirect
nginx
# Redirect the site: requests over http are automatically sent to https
[root@nginx certs]# vim /etc/nginx/conf.d/test.conf
server_tokens off;
server {
listen 80;
listen 443 ssl;
server_name www.a.net;
root /data/site1/;
ssl_certificate /etc/nginx/ssl/a.net.crt;
ssl_certificate_key /etc/nginx/ssl/a.net.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
access_log /var/log/nginx/a_net.ssl.access.log access_json;
location / { # <--
if ( $scheme = http ){ # <-- if test: the request is for http://www.a.net/
return 301 https://www.a.net/; # <-- redirect to https://www.a.net/
} # <--
} # <--
}
server {
listen 80;
server_name *.a.tech;
root /data/site2/;
}
[root@nginx certs]# nginx -s reload
centos6
[root@centos6 ~]$ curl www.a.net/
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
[root@centos6 ~]$ curl -Lk www.a.net/
/data/site1/index.html
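An added example, not part of the original post: the same site split into a port-80 server that only redirects and a port-443 server with the protocol list pinned, so the redirect keeps the requested path and the older entries in the ssl_protocols list are never negotiated. The TLSv1.2-only choice and the cipher list are assumptions; add TLSv1.3 where the nginx and OpenSSL builds support it.

```nginx
# Added example (not from the original post). Paths and names reuse the
# page's www.a.net setup; protocol and cipher choices are assumptions.
server_tokens off;

# Plain HTTP: nothing is served here, every request is redirected.
server {
    listen 80;
    server_name www.a.net;
    # $request_uri keeps the path and query string, so /download/x?y=1
    # lands on https://www.a.net/download/x?y=1 instead of on "/".
    # The host is written out rather than taken from the request, so a
    # forged Host header cannot steer the Location value.
    return 301 https://www.a.net$request_uri;
}

# HTTPS: the only place content is served from.
server {
    listen 443 ssl;
    server_name www.a.net;
    root /data/site1/;

    ssl_certificate     /etc/nginx/ssl/a.net.crt;
    ssl_certificate_key /etc/nginx/ssl/a.net.key;

    # Set the protocol list explicitly instead of relying on the default.
    ssl_protocols TLSv1.2;
    # Assumed conservative list: ECDHE key exchange with AES-GCM only.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # Same shared session cache as in the page's configuration.
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;

    access_log /var/log/nginx/a_net.ssl.access.log access_json;
}
```

Run `nginx -t` before `nginx -s reload` so a typo in the cipher list is caught before the running configuration is replaced.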
nginx10
[root@nginx10 nginx]# vim /apps/nginx/conf/nginx.conf
#access_log logs/host.access.log main;
...
location /echo {
default_type text/plain;
echo hello;
if ( $scheme = http ) {
echo http;
}
...
[root@nginx10 nginx]# nginx -s reload
centos6
[root@centos6 ~]$ curl -L 192.168.37.10/echo
http
[root@centos6 ~]$ curl -L www.test.com/echo
http
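ngx_http_rewrite_module (part 2)
- return
return code [text]; # returns the given status code and text to the client
return code URL;
return URL;
Stops processing and returns the given response code to the client; for 301, 302, 303, 307 and 308 it redirects to URL
- rewrite_log on | off;
Whether to enable the rewrite log, which is sent to error_log (notice level)
- set $variable value;
User-defined variable
Note: a variable must start with $ both where it is defined and where it is used
Deny access to a particular browser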
nginx
[root@nginx ~]# vim /etc/nginx/conf.d/test.conf
server_tokens off;
server {
listen 80;
listen 443 ssl;
server_name www.a.net;
root /data/site1/;
ssl_certificate /etc/nginx/ssl/a.net.crt;
ssl_certificate_key /etc/nginx/ssl/a.net.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
access_log /var/log/nginx/a_net.ssl.access.log access_json;
location / { # <--
if ( $http_user_agent ~* curl ){ # <--
return 301; # <--
} # <--
} # <--
}
server {
listen 80;
server_name *.a.tech;
root /data/site2/;
}
[root@nginx ~]# nginx -s reload
centos6
[root@centos6 ~]$ curl http://www.a.net
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
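An added example, not part of the original post: the same User-Agent test written with map and answered with 403, which states the refusal directly where a 301 without a Location header gives the client nowhere to go. User-Agent is supplied by the client, so this filters casual traffic and is not an access control; the variable name $deny_ua and the patterns other than curl are assumptions.

```nginx
# Added example (not from the original post). $deny_ua is a hypothetical
# variable name. map belongs in the http context, which is where the
# files under /etc/nginx/conf.d/ are included.
map $http_user_agent $deny_ua {
    default   0;
    ~*curl    1;   # case-insensitive regex, same test as the page's if
    ~*wget    1;   # assumed extra pattern, shows how the list grows
    ""        1;   # assumed policy: refuse requests with no User-Agent
}

server {
    listen 80;
    server_name www.a.net;
    root /data/site1/;
    access_log /var/log/nginx/a_net.access.log access_json;

    # Placed in the server context, so it is evaluated before a location
    # is chosen and covers every URI, not only "location /".
    # if treats an empty string or "0" as false.
    if ($deny_ua) {
        return 403;
    }
}
```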
Redirect to a specific page
nginx
[root@nginx ~]# vim /etc/nginx/conf.d/test.conf
server_tokens off;
server {
listen 80;
listen 443 ssl;
server_name www.a.net;
root /data/site1/;
ssl_certificate /etc/nginx/ssl/a.net.crt;
ssl_certificate_key /etc/nginx/ssl/a.net.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
access_log /var/log/nginx/a_net.ssl.access.log access_json;
location / { # <--
if ( $http_user_agent ~* curl ){ # <--
return http://www.baidu.com; # <-- redirect to a specific page, e.g. baidu
} # <--
}
}
server {
listen 80;
server_name *.a.tech;
root /data/site2/;
}
[root@nginx ~]# nginx -s reload
centos6
# '-L' can be added to show more detail
[root@centos6 ~]$ curl http://www.a.net
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>