一、NG介绍
略
二、NG部署与配置
略
三、系统参数优化
1、系统支持的最大连接数
# Show the open-file (descriptor) limit of the current shell session.
# `ulimit -n` reports this process's soft limit, not a system-wide maximum,
# so check it from the user/session nginx runs under (and the service
# manager's own limit, if nginx is started as a service).
ulimit -n
如果不是 65535,则修改 /etc/security/limits.conf
# /etc/security/limits.conf — raise the open-file limit for every user ("*").
# soft = limit in effect by default; hard = ceiling a user may raise it to.
# Applied via PAM at login, so existing sessions keep the old value until
# they log in again.
# NOTE(review): services started directly by systemd do not pass through PAM
# limits; LimitNOFILE in the unit file governs them instead — confirm on this host.
* soft nofile 65535
* hard nofile 65535
2、内核参数优化
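# /etc/sysctl.conf — kernel network tuning for a high-connection nginx host.
# Every value here is a global kernel setting; apply with `sysctl -p`.

# Accept-queue sizes: somaxconn caps the listen() backlog (nginx's own listen
# backlog cannot exceed it); netdev_max_backlog is the queue of received
# packets waiting for the network stack.
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535

# TCP handshake / teardown tuning
# Half-open (SYN_RECV) queue size per listening socket.
net.ipv4.tcp_max_syn_backlog = 8192
# Fall back to SYN cookies when the SYN queue overflows (SYN-flood mitigation).
net.ipv4.tcp_syncookies = 1
# Seconds a socket may sit in FIN_WAIT_2 (kernel default is 60).
net.ipv4.tcp_fin_timeout = 15
# Let *outgoing* connections (e.g. nginx -> upstream) reuse TIME_WAIT sockets.
# This only takes effect when TCP timestamps are enabled (next setting).
net.ipv4.tcp_tw_reuse = 1
# Keep timestamps on: required for tcp_tw_reuse and for PAWS sequence-number
# protection. Setting this to 0 silently disables tcp_tw_reuse above.
net.ipv4.tcp_timestamps = 1

# Ephemeral (source) port range for outgoing connections — a wider range
# allows more concurrent upstream connections before port exhaustion.
net.ipv4.ip_local_port_range = 1024 65000

# Cap on orphaned sockets (closed by the application but still being torn
# down). Bounds kernel memory when many connections close at once; beyond the
# cap, orphans are reset.
net.ipv4.tcp_max_orphans = 32768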
使配置生效:
sysctl -p
四、ng配置优化
1、编辑 /etc/nginx/nginx.conf
# Main (global) context of /etc/nginx/nginx.conf
# Worker processes run as this unprivileged user.
user www-data;
# "auto" starts one worker per available CPU core.
worker_processes auto;
# Bind each worker to its own core.
worker_cpu_affinity auto;
# Per-worker open-file limit; should be >= worker_connections so a worker
# never runs out of descriptors before its connection budget.
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
# Maximum simultaneous connections per worker (client and upstream
# connections both count).
worker_connections 16384;
# When a worker is woken, accept as many pending connections as possible
# instead of one per event-loop iteration.
multi_accept on;
# epoll is the recommended event method on Linux; it scales to very large
# numbers of concurrent connections better than select/poll.
use epoll;
}
最大连接数 = worker_processes * worker_connections。一个请求可能占用 1~2 个连接(尤其启用 keep-alive 时)
2、http优化
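http {
    # Static-file delivery: kernel sendfile, coalesce headers and body into
    # full packets (tcp_nopush), disable Nagle on keep-alive connections.
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Keep-alive: idle client connections are held for 65 s and may carry up
    # to 10000 requests before being closed.
    keepalive_timeout 65;
    keepalive_requests 10000;

    # Short timeouts for slow clients (header / body / send). Together with
    # reset_timedout_connection they bound how long a stalled client can pin
    # a worker connection (slow-client resource exhaustion).
    client_header_timeout 10s;
    client_body_timeout 10s;
    send_timeout 10s;
    reset_timedout_connection on;
    server_tokens off; # Hide the nginx version in headers and error pages

    # Open-file descriptor cache
    open_file_cache max=10000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # Gzip compression
    # NOTE(review): compressing dynamic, secret-bearing responses (e.g. JSON
    # APIs) over TLS is the precondition for the BREACH compression side
    # channel; consider limiting gzip_types to static content on HTTPS vhosts.
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    include mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    # $http_x_forwarded_for is client-supplied; only trust it when it was set
    # by a proxy you control.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # Buffered writes: entries are flushed when 32k accumulates or every 5 s,
    # so a crash can lose at most the last flush interval of access log.
    access_log /var/log/nginx/access.log main buffer=32k flush=5s;
    error_log /var/log/nginx/error.log;

    # SSL and HTTP/2
    ssl_protocols TLSv1.2 TLSv1.3;
    # Only influences TLS 1.2 cipher negotiation (TLS 1.3 suites are not
    # configurable here); pair with an explicit ssl_ciphers list.
    ssl_prefer_server_ciphers on;

    # Proxy cache storage. Kept out of /tmp: that directory is world-writable,
    # shared with every local user and may be purged by tmp cleaners, so cached
    # responses there could be tampered with or silently dropped. Use a
    # dedicated directory owned by the nginx user (www-data above) and not
    # writable by anyone else; adjust the path to your distribution's layout.
    proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=STATIC:100m inactive=1d max_size=10g;
}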
3、启用连接限制
防止单个 IP 过度访问(限流,可选)
http {
# Shared-memory zone "addr" (10 MB) that counts open connections per client IP.
# $binary_remote_addr is used instead of $remote_addr because it is a fixed
# 4-byte (IPv4) / 16-byte (IPv6) key, so the zone holds more entries.
# NOTE(review): behind a load balancer or CDN this is the proxy's address and
# every client would share one counter — recover the client IP with the
# real_ip module first in that setup.
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn addr 100; # at most 100 concurrent connections per IP; excess requests get 503 by default
}
4、日志优化
生产环境中,建议关闭或转 syslog
# Turns access logging off entirely in this context. Saves disk I/O, but also
# removes the per-request audit trail needed for troubleshooting and incident
# investigation; buffered logging (below) or forwarding to syslog keeps the
# records while still reducing write cost.
access_log off;
如果不关闭日志,可以使用 buffer 缓存日志写入
##
# Logging Settings
##
# Combined-style format. $http_x_forwarded_for is client-supplied and only
# meaningful when it was set by a proxy you control.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Buffered access log: entries are written when the 32k buffer fills or every
# 5 s, whichever comes first, so a crash may lose at most the last flush interval.
access_log /var/log/nginx/access.log main buffer=32k flush=5s;
# Error log at the default severity (error).
error_log /var/log/nginx/error.log;
五、补充
略