Nginx 配置指南


Nginx 配置指南

基本架构

Nginx 采用事件驱动的异步架构,以 master 进程管理多个 worker 进程。

Nginx
├── master process (配置管理、worker 管理)
├── worker process 1 (处理请求)
├── worker process 2 (处理请求)
└── worker process N (处理请求)

全局配置

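# /etc/nginx/nginx.conf
user nginx;
worker_processes auto;          # match the number of CPU cores
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;    # max simultaneous connections per worker
    multi_accept on;            # accept all pending connections at once
    use epoll;                  # best event model on Linux
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    sendfile on;
    tcp_nopush on;              # send full packets (together with sendfile)
    tcp_nodelay on;
    keepalive_timeout 65;

    # Gzip compression. NOTE: compressing responses that mix secrets with
    # attacker-influenced input over TLS is the BREACH precondition; consider
    # limiting gzip to static content on HTTPS sites.
    gzip on;
    gzip_types text/plain text/css application/json application/javascript;
    gzip_min_length 1000;
    gzip_vary on;

    include /etc/nginx/conf.d/*.conf;
}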

静态资源服务器

server {
    listen 80;
    server_name static.example.com;
    root /var/www/static;

    # Long-lived client caching. "immutable" tells browsers never to
    # revalidate within the 30 days, so assets served here should use
    # content-hashed file names or clients will not pick up updates.
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # Deny dotfiles (e.g. .git, .env, .htpasswd) anywhere under root.
    # NOTE: this regex also matches /.well-known/ (used by ACME HTTP-01);
    # add a higher-priority `location ^~ /.well-known/` if that path is needed.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}

反向代理

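server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://backend:8080;
        # Client identity headers for the backend. $proxy_add_x_forwarded_for
        # appends to any client-supplied X-Forwarded-For, so the backend must
        # trust only the last (nginx-added) entry.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts
        proxy_connect_timeout 30s;
        proxy_read_timeout 60s;
        proxy_send_timeout 30s;

        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;
    }

    # WebSocket support: HTTP/1.1 plus the Upgrade/Connection hop-by-hop headers.
    location /ws {
        proxy_pass http://ws-backend:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Same client identity headers as the "/" location, so the WebSocket
        # backend also sees the real client address and scheme.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Long read timeout so idle WebSocket connections are not dropped.
        proxy_read_timeout 86400s;
    }
}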

负载均衡

upstream backend {
    # Weighted round-robin (default)
    server 10.0.0.1:8080 weight=3;     # weight 3
    server 10.0.0.2:8080 weight=2;
    server 10.0.0.3:8080 backup;       # only used when the others are unavailable

    # Least connections
    # least_conn;

    # IP hash (session affinity)
    # ip_hash;

    # Idle keepalive connections to upstreams, cached per worker process.
    # If least_conn/ip_hash is enabled it must appear above this directive;
    # the proxying server block must also use HTTP/1.1 and clear the
    # Connection header for the pool to be used.
    keepalive 32;                       # upstream connection pool
}

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://backend;
        # HTTP/1.1 and an empty Connection header are required for the
        # upstream keepalive pool to take effect.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}

HTTPS 配置

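server {
    # NOTE: the `http2` listen parameter is deprecated since nginx 1.25.1
    # in favour of a separate `http2 on;` directive.
    listen 443 ssl http2;
    server_name example.com;

    # Certificate paths
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS settings: only TLS 1.2/1.3 with forward-secret AEAD cipher suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS. `always` emits the header on error responses too.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Other security headers, also with `always` so they are present on
    # error responses. X-XSS-Protection is set to 0: the legacy browser XSS
    # auditor is deprecated and "1; mode=block" could itself be misused, so
    # disabling it is the current recommendation; rely on CSP instead.
    # NOTE: add_header is not inherited into a location that sets its own
    # add_header; repeat these there if needed.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "0" always;
}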

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name example.com;
    # $server_name (not $host) is used so an arbitrary Host header is never
    # reflected into the Location header of the redirect.
    return 301 https://$server_name$request_uri;
}

限流配置

# Rate-limit zones (http context). Keyed on $binary_remote_addr, i.e. the
# direct peer address; behind a load balancer all clients share one key
# unless the real client address is restored first (ngx_http_realip_module).
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

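server {
    location /api/ {
        # Request rate: 10 r/s per address, a burst of 20 served without delay
        limit_req zone=api_limit burst=20 nodelay;

        # Concurrency: at most 5 simultaneous connections per address
        limit_conn conn_limit 5;

        # Status for rejected requests. Both directives default to 503;
        # set both so clients see a consistent 429 for either limit.
        limit_req_status 429;
        limit_conn_status 429;

        proxy_pass http://backend;
    }
}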

访问控制

server {
    # IP allow-list. Matching uses the direct peer address ($remote_addr);
    # behind a proxy/load balancer the real client address must be restored
    # first, otherwise the proxy's address is what gets matched.
    location /admin/ {
        allow 10.0.0.0/8;
        allow 192.168.0.0/16;
        deny all;
        proxy_pass http://admin-backend;
    }

    # HTTP basic auth. Credentials travel base64-encoded, not encrypted, so
    # serve this only over TLS; keep the password file outside the web root
    # and readable only by the nginx user.
    location /private/ {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://backend;
    }
}

日志配置

# Custom log formats. $http_referer, $http_user_agent and
# $http_x_forwarded_for are client-supplied; nginx escapes quotes,
# backslashes and control characters in log variables by default, but
# downstream log parsers should still treat these fields as untrusted.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" '
                'rt=$request_time ut=$upstream_response_time';

# Compact format for API traffic
log_format api '$remote_addr | $time_local | $request_method $uri '
               '$status | $body_bytes_sent | $request_time';

server {
    # Buffered access log: entries are written once 32k accumulate or 5s pass.
    access_log /var/log/nginx/access.log main buffer=32k flush=5s;
    error_log /var/log/nginx/error.log warn;

    location /api/ {
        # Separate, more compact log for the API path
        access_log /var/log/nginx/api.log api;
        proxy_pass http://backend;
    }
}

性能调优

# Main context
worker_processes auto;
worker_rlimit_nofile 65535;    # per-worker open-file limit; must cover worker_connections

events {
    use epoll;
    worker_connections 65535;   # matches worker_rlimit_nofile above
    multi_accept on;
}

http {
    # Cache of open file descriptors and metadata
    open_file_cache max=2000 inactive=20s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 3;
    open_file_cache_errors off;

    # Proxy buffering
    proxy_buffers 16 16k;
    proxy_buffer_size 32k;
    proxy_busy_buffers_size 64k;

    # Client timeouts. Short values also bound how long a slow or stalled
    # client can hold a connection open.
    client_body_timeout 10s;
    client_header_timeout 10s;
    send_timeout 10s;
}

总结

Nginx 是一个功能强大、性能卓越的 Web 服务器和反向代理。掌握其核心配置(静态文件、反向代理、负载均衡、HTTPS、限流、访问控制)是运维工程师的基本功。配置时注意安全性和性能的平衡,使用安全头保护用户,通过缓存和压缩优化性能。