default.conf 文件
upstream server_backend {
server 后台服务1 weight=1 max_fails=3 fail_timeout=30s;
server 后台服务2 weight=1 max_fails=3 fail_timeout=30s;
keepalive 32;
}
server {
listen 80;
server_name 访问域名;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
http2 on;
server_name 访问域名;
# 安全头
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; frame-src 'self' https://open.weixin.qq.com;";
# SSL配置
ssl_certificate 证书路径;
ssl_certificate_key 证书路径;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_timeout 1d;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
# 启用OCSP Stapling
resolver 8.8.8.8 8.8.4.4 valid=30s;
# resolver 127.0.0.11 valid=30s;
resolver_timeout 5s;
# 每个IP最多100个并发连接
limit_conn addr 100;
# 静态文件服务
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/ /index.html;
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|ttf|otf|woff|woff2|mp4|webm|mp3|pdf)$ {
expires 7d;
add_header Cache-Control "public, max-age=2592000, must-revalidate" always;
access_log off;
log_not_found off;
sendfile on;
etag on;
}
}
# 图片接口缓存配置
location /image {
# 启用缓存
add_header X-Cache-Status $upstream_cache_status;
proxy_cache STATIC_CACHE;
proxy_cache_valid 200 302 60m;
proxy_cache_valid 404 1m;
proxy_cache_valid 500 10s;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_pass http://代理服务图片路径;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
proxy_http_version 1.1;
}
# 图片资源
location /img-url {
# 启用缓存
add_header X-Cache-Status $upstream_cache_status;
proxy_cache STATIC_CACHE;
proxy_cache_valid 200 302 60m;
proxy_cache_valid 404 10m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_pass https://图片代理服务路径;
proxy_set_header Host 远程主机名;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /etc/nginx/trusted.crt;
proxy_ssl_verify_depth 5;
proxy_ssl_server_name on;
proxy_set_header Connection "";
proxy_http_version 1.1;
}
}
nginx.conf 文件
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
use epoll;
worker_connections 4096;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt:$request_time uct:"$upstream_connect_time" urt:"$upstream_response_time" '
'cache:"$upstream_cache_status"';
access_log /var/log/nginx/access.log main_ext;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 120s;
send_timeout 120s;
server_tokens off;
reset_timedout_connection on;
limit_conn_zone $binary_remote_addr zone=addr:10m;
underscores_in_headers on;
# 打开文件缓存
open_file_cache max=20000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# 压缩处理
gzip on;
gzip_types text/plain text/css text/javascript application/json application/javascript application/xml image/svg+xml;
gzip_min_length 256;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_proxied any;
gzip_vary on;
# 代理缓存
proxy_buffering on;
proxy_buffer_size 5M;
proxy_buffers 8 5M;
proxy_busy_buffers_size 5M;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC_CACHE:500m max_size=2g inactive=60m use_temp_path=off;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_temp_path /var/cache/nginx/proxy_temp;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
client_body_buffer_size 5M;
client_max_body_size 100M;
client_header_timeout 120s;
client_body_timeout 120s;
client_body_temp_path /var/cache/nginx/client_temp;
include /etc/nginx/conf.d/*.conf;
}
