nginx: from installation to configuration, in detail
Installing nginx
- Install the build prerequisites
sudo apt-get update
sudo apt-get install build-essential
sudo apt-get install libpcre3 libpcre3-dev
sudo apt-get install zlib1g-dev
sudo apt-get install libssl-dev
- Download nginx
Download the source tarball from the official site: http://nginx.org/en/download.html
- Unpack the source tarball
tar -zxvf nginx-1.14.0.tar.gz
cd nginx-1.14.0/
- Configure and compile
./configure --with-http_ssl_module
make
sudo make install
configure and make run as an ordinary user; only make install needs root. --with-http_ssl_module (which needs libssl-dev) is required for the ssl_* directives used in the HTTPS section below; a bare ./configure leaves the SSL module out and nginx then rejects those directives at startup. The default prefix is /usr/local/nginx, so the binary is /usr/local/nginx/sbin/nginx and the configuration file is /usr/local/nginx/conf/nginx.conf; running the binary with -V lists the modules it was built with.
Security configuration
- Edit the configuration file
/usr/local/nginx/conf/nginx.conf
: run the worker processes as a dedicated unprivileged user and tighten file permissions
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
...
}
# user nginx; makes the worker processes run as the nginx user (and its primary group).
# The master process stays root so it can bind ports 80 and 443 and reopen log files.
# Create the account before starting nginx: a system account with no home directory
# and /usr/sbin/nologin as its shell, so it cannot be used to log in.
worker_rlimit_nofile 65535;
# daemon off; keeps nginx in the foreground. It is meant for running under a supervisor
# (systemd, a container), not a permission setting; leave it out when an init script
# expects nginx to fork into the background.
daemon off;
# nginx has no umask directive: a line such as "umask 027;" in nginx.conf is an unknown
# directive and the server refuses to start. The umask is inherited from whatever launches
# nginx, so set it there (UMask=027 in the [Service] section of the systemd unit, or
# umask 027 before exec in an init script). Resulting modes for files nginx creates
# (logs, cache, temporary files):
#   umask 022 (usual default): files 644, directories 755
#   umask 027: files 640, directories 750 (group cannot write, others get no access)
#   umask 002: files 664, directories 775 (only others lose write access)
- Configure HTTP response headers
...
http {
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
...
}
Two caveats. add_header set at the http level is inherited only by server and location blocks that contain no add_header of their own: a single add_header inside a location silently drops all three headers for that location, so repeat them there. By default nginx adds these headers only to 2xx and 3xx responses; append the always parameter to have them on error pages as well. X-XSS-Protection addresses a browser filter that current browsers no longer implement; it is harmless, but X-Frame-Options and X-Content-Type-Options are the two doing real work.
Hotlink protection
- Configuration
In the http section, define a map block listing referring domains to deny, then in the location use valid_referers and an if on the resulting variables
...
http {
...
map $http_referer $bad_referer {
default 0;
"~*\.(domain1|domain2)\.com" 1;
"~*\.domain3\.com" 1;
}
server {
...
location / {
valid_referers none blocked server_names ~\.google\. ~\.yahoo\. ~\.bing\. ~\.facebook\.;
if ($invalid_referer) {
return 403;
}
if ($bad_referer) {
return 403;
}
}
...
}
...
}
The dot before the domain group in the map must be escaped: an unescaped . matches any character, so "~*.(domain1|domain2)\.com" also matched hosts such as xdomain1.com. The map was defined but never consulted in the original configuration; the second if above is what applies it.
- This relies on the
ngx_http_referer_module
module: valid_referers compares the request's Referer header against the list and sets $invalid_referer to an empty string when the referer is allowed and to "1" otherwise. It adds nothing to the response. none allows requests without any Referer (which is what curl, wget and most bots send), blocked allows a Referer that a proxy or firewall has scrubbed to a value without a scheme, server_names matches the hosts listed in server_name, and a ~ entry is a regular expression matched, unanchored, against everything after http:// or https://, host and path alike. That last point matters: ~\.google\. also accepts https://x.google.attacker.net/ and https://attacker.net/a.google.b, so anchor such patterns to the host when the list is meant to be strict. If the backend application should make its own decision, pass the verdict to it as a request header with proxy_set_header; applications see request headers, not the response headers nginx adds. Because the Referer is chosen by the client and trivially spoofed, treat this as a deterrent against casual hotlinking, not as an access control.
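To see exactly which Referer values the directive above lets through, here is a small Python model of the valid_referers evaluation. It is an added example rather than nginx's own code: it follows the documented matching rules (the docstring lists what it simplifies), and SERVER_NAMES and the probe values are assumptions. The probe list shows the two bypasses of the page's unanchored regexes next to an anchored alternative.

```python
"""Model of how nginx evaluates the valid_referers directive from this page.
Added example, not nginx source: it follows the documented rules (none, blocked,
server_names, a name with optional URI prefix and a leading or trailing '*', and
'~' regular expressions matched after the scheme; port ignored; case-insensitive).
server_names is treated as an exact host comparison, without wildcard server_name
support, and SERVER_NAMES is an assumed value."""
import re

# The directive as written on this page, and assumed server_name values.
VALID_REFERERS = ["none", "blocked", "server_names",
                  r"~\.google\.", r"~\.yahoo\.", r"~\.bing\.", r"~\.facebook\."]
SERVER_NAMES = ["example.com", "www.example.com"]

# Tighter alternative (my suggestion, not from the page): anchor the search engines to the
# host part, so ".google." inside a path or inside an attacker's hostname no longer passes.
# In nginx.conf a regex containing $ or { must be quoted.
TIGHT_REFERERS = ["none", "blocked", "server_names",
                  r"~^(?:[a-z0-9-]+\.)*(?:google|yahoo|bing|facebook)"
                  r"\.(?:[a-z]{2,}|co\.[a-z]{2})(?::\d+)?(?:/|$)"]


def split_referer(after_scheme):
    """(host, path) from the text after 'http(s)://'; nginx ignores the port."""
    hostport, _, path = after_scheme.partition("/")
    return hostport.split(":", 1)[0], "/" + path


def invalid_referer(referer, valid=VALID_REFERERS, server_names=SERVER_NAMES):
    """True when nginx would set $invalid_referer to "1" (the request gets the 403).
    referer is the request's Referer header value, or None if the header is absent."""
    if referer is None:
        return "none" not in valid
    ref = referer.lower()
    if not ref.startswith(("http://", "https://")):
        return "blocked" not in valid           # present but scrubbed by a firewall/proxy
    after_scheme = ref.split("://", 1)[1]
    host, path = split_referer(after_scheme)
    for rule in valid:
        if rule == "server_names":
            if host in [s.lower() for s in server_names]:
                return False
        elif rule.startswith("~"):
            # Unanchored search over host AND path: this is the weak spot of the page's list.
            if re.search(rule[1:], after_scheme, re.IGNORECASE):
                return False
        elif rule not in ("none", "blocked"):
            name, _, prefix = rule.lower().partition("/")
            host_ok = (host == name
                       or (name.startswith("*") and host.endswith(name[1:]))
                       or (name.endswith("*") and host.startswith(name[:-1])))
            if host_ok and path.startswith("/" + prefix):
                return False
    return True


if __name__ == "__main__":
    # Constructed probe values: what the page's list and the anchored list do with each.
    probes = [None, "scrubbed", "https://www.example.com/page",
              "HTTPS://WWW.GOOGLE.COM/search?q=x", "https://evil.example.net/hotlink.html",
              "https://x.google.attacker.net/", "https://attacker.net/a.google.b"]
    for p in probes:
        print("%-45s page list: %-4s anchored: %s" % (
            p, "403" if invalid_referer(p) else "ok",
            "403" if invalid_referer(p, TIGHT_REFERERS) else "ok"))
```

Run it and the last two probes show the difference: the page's list answers "ok" for both, the anchored list answers "403", while legitimate referers such as a Google search result page still pass both.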
Separating static and dynamic content
- Install the Perl development headers for nginx
sudo apt-get install libperl-dev
libperl-dev is only needed if nginx itself is rebuilt with --with-http_perl_module so that Perl handlers run inside the server. The script in this section runs from the command line and does not need it.
- Install the Perl modules
Install URI and Digest::MD5 from CPAN (module index: cpantesters.org/modules/index.html). Note that Digest-1.17 is the Digest base distribution, not Digest::MD5; Digest::MD5 ships with Perl itself. The script also needs Parallel::ForkManager, which the original steps never installed. On Debian/Ubuntu the packaged versions are simpler: liburi-perl and libparallel-forkmanager-perl via apt-get.
sudo wget http://www.cpan.org/authors/id/G/GA/GAAS/Digest-1.17.tar.gz
sudo tar -zxvf Digest-1.17.tar.gz
cd Digest-1.17/
sudo perl Makefile.PL
sudo make
sudo make install
sudo wget http://search.cpan.org/CPAN/authors/id/E/ET/ETHER/URI-1.59.tar.gz
sudo tar -zxvf URI-1.59.tar.gz
cd URI-1.59/
sudo perl Makefile.PL
sudo make
sudo make install
- Edit the nginx configuration file
These ngx_http_perl_module directives only matter when nginx was built with the Perl module and runs Perl handlers in-process; the module file for Parallel::ForkManager is Parallel/ForkManager.pm (the original path forks/Parallel_ForkManager.pm does not exist). For the command-line script below they can be omitted.
http {
perl_modules perl/lib;
perl_require Parallel/ForkManager.pm;
}
- A Perl script that fetches the static files
#!/usr/bin/perl
# Fetches every URL listed in a file (one per line) into NGINX_ROOT/nginx-static/<dest_dir>/,
# naming each file by the MD5 of its URL so nginx can serve it as a plain static file.
use strict;
use warnings;
use Parallel::ForkManager;       # CPAN; Debian package libparallel-forkmanager-perl
use URI;                         # CPAN; Debian package liburi-perl
use File::Basename qw(dirname);
use File::Path qw(make_path);
use Fcntl qw(LOCK_EX LOCK_NB LOCK_UN);
use Digest::MD5 qw(md5_hex);
use constant NGINX_ROOT => "/usr/local/nginx-1.4.5";

my $pm = Parallel::ForkManager->new(20);   # at most 20 downloads in parallel

sub handle_line {
    my ($dest_dir, $line) = @_;
    chomp($line);
    return if $line =~ /^\s*$/;
    my $uri = URI->new($line);
    # Accept only http(s)/ftp; this also rejects file:, data: and "-flag" lines before curl sees them.
    if (!defined($uri->scheme) || $uri->scheme !~ /^(?:https?|ftp)$/i) {
        print("scheme not supported: $line\n");
        return;
    }
    # $dest_file is the directory part of the path, $dest_ext the file name (kept as the suffix).
    my ($dest_file, $dest_ext) = ($uri->path =~ m!(.*)/([^/]+\.[^/]+)$!);
    if (!$dest_ext) {
        print("extension not found: $line\n");
        return;
    }
    my $uri_md5       = md5_hex($uri->as_string);
    my $dest_file_md5 = md5_hex($dest_file);
    my $dest_path = sprintf("%s/nginx-static/%s/%s/%s.%s",
        NGINX_ROOT, $dest_dir, $dest_file_md5, $uri_md5, $dest_ext);
    make_path(dirname($dest_path));      # mkdir() creates only one level; this creates all of them
    return if -e $dest_path;             # already fetched
    # Open without truncating, then take the lock; a failed lock means another worker owns the file.
    open(my $fh, ">>", $dest_path) or do { print("open error: $dest_path: $!\n"); return; };
    if (!flock($fh, LOCK_EX | LOCK_NB)) {  # flock() returns false on failure; $? is unrelated to it
        print("lock error: $line\n");
        close($fh);
        return;
    }
    # List-form system(): the URL is a single argument and never passes through a shell, so a
    # crafted line in the list (quotes, $(...), backticks) cannot inject commands.
    my $rc = system("curl", "-s", "-f", "-L", "--max-time", "30", "--retry", "3",
                    "-A", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
                    "-o", $dest_path, $uri->as_string);
    flock($fh, LOCK_UN);
    close($fh);
    if ($rc != 0) {                      # -f makes curl fail on HTTP errors; drop partial output
        print("fetch failed: $line\n");
        unlink($dest_path);
        return;
    }
    chmod(0640, $dest_path);
    print("fetch succeed: $line\n");
}

sub main {
    my ($file, $dest_dir) = @_;
    die("usage: $0 url-list-file dest-dir\n") if !defined($file) || !defined($dest_dir);
    open(my $fh, "<", $file) or die("open $file: $!\n");
    while (my $line = <$fh>) {
        $pm->start and next;             # parent continues the loop; the child fetches this line
        handle_line($dest_dir, $line);
        $pm->finish;
    }
    close($fh) or die("close $file: $!\n");
    $pm->wait_all_children;
}

main($ARGV[0], $ARGV[1]);
- Edit the nginx configuration file
location ~* \.(gif|jpg|jpeg|png|js|css)$ {
root /usr/local/nginx-1.4.5/nginx-static;
expires 30d;
add_header X-Nginx-Static true;
}
The original location was not usable as written. Its regular expression has no capture groups, so $1/$2/$3 in root were empty; with root pointing at the nginx-static directory, a request for /static/<dir-md5>/<uri-md5>.jpg maps to the file the script wrote when run with static as its destination directory. expires 30d already emits Expires and Cache-Control: max-age=2592000, so the extra add_header Cache-Control produced a duplicate header; Pragma is a request header (Pragma: no-cache) with no defined "public" value; $upstream_cache_status is empty when no upstream is involved; and X-Served-By $server_addr:$server_port revealed the server's internal address and port to every client, which is precisely what a hardening guide should avoid. The second location, which tried to run the script with perl /usr/local/nginx-1.4.5/lib/staticfiles.pl ... $1;, cannot work either: the perl directive of ngx_http_perl_module takes the name of a handler function (perl Module::function;), not a script path with arguments, and $1 was again undefined. Run the script from the shell instead, as described next.
- Run the script from the command line to download the files; each file's full URL goes on its own line
echo "http://www.domain.com/test/image1.jpg" > /usr/local/nginx-1.4.5/www/static-files/tmpfile.txt
echo "http://www.domain.com/test/image2.jpg" >> /usr/local/nginx-1.4.5/www/static-files/tmpfile.txt
etc.
Then, for a destination directory named static:
perl /usr/local/nginx-1.4.5/lib/staticfiles.pl /usr/local/nginx-1.4.5/www/static-files/tmpfile.txt static
The paths in this section assume nginx was installed with --prefix=/usr/local/nginx-1.4.5 rather than the default /usr/local/nginx used earlier; adjust them to your prefix.
Configuring HTTPS
- Obtain an SSL certificate for the site
Let's Encrypt issues certificates free of charge, and Certbot makes requesting one straightforward. First install Certbot:
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
(The certbot/certbot PPA is no longer maintained; on current Ubuntu releases follow the installation instructions at https://certbot.eff.org instead.) Then run Certbot to obtain the certificate:
sudo certbot certonly --standalone -d example.com -d www.example.com
--standalone starts Certbot's own web server on port 80 for the ACME challenge, so nginx (or anything else listening on port 80) must be stopped while it runs; for renewals on a live server use --webroot against a directory nginx already serves.
- Configure nginx
server {
listen 443 ssl;
server_name example.com www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
include /etc/nginx/conf.d/ssl.conf;
}
listen 443 on its own (the original omitted ssl) makes nginx speak plain HTTP on port 443, so the ssl parameter is required. The ssl_* directives need a binary built with --with-http_ssl_module. The included ssl.conf is where ssl_protocols, ssl_ciphers and session settings belong; its contents are not shown on this page, and /etc/nginx/conf.d is a path from a packaged install rather than the source install's /usr/local/nginx/conf. privkey.pem is read by the master process as root, so keep it readable by root only; the worker user never needs it.
- Redirect HTTP to HTTPS
server {
listen 80 default_server;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
$host carries the name the client actually asked for. The original used $server_name, which expands to the first name in the server_name directive, so requests for http://www.example.com/... were redirected to https://example.com/... instead of the same host.
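The add_header inheritance rule from the response-header section and the listen 443 ssl and ssl_protocols points above are easy to get wrong in a large configuration and easy to check mechanically. The following Python script is an added example, not nginx or certbot code: it contains a minimal nginx.conf parser of my own, computes the effective add_header set for every context, and flags TLS server blocks that listen on 443 without ssl or enable TLS 1.0/1.1. The sample configuration it audits is constructed from this page's fragments with the two mistakes deliberately present; the three security-header names come from the page, everything else (paths, ports, the X-Api-Version header) is an assumption.

```python
"""Audit an nginx.conf for two pitfalls from this page: add_header inheritance and
TLS server blocks. Added example with a minimal config parser of my own, not nginx code."""
import re

# comment | "double-quoted" | 'single-quoted' | { ; } | bare word
_TOKEN = re.compile(
    r'\s*(?:#[^\n]*|"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'|([{};])|([^\s{};"\']+))')

def tokenize(text):
    pos = 0
    while (m := _TOKEN.match(text, pos)):
        pos = m.end()
        if m.group(3):
            yield "punct", m.group(3)
        else:
            word = [g for g in m.group(1, 2, 4) if g is not None]
            if word:                                  # a comment yields nothing
                yield "word", word[0]

def parse(text):
    """Nested (name, args, children) triples; children is None for a simple directive."""
    stack, args = [[]], []
    for kind, val in tokenize(text):
        if kind == "word":
            args.append(val)
        elif val == ";":
            stack[-1].append((args[0], args[1:], None)); args = []
        elif val == "{":
            block = []
            stack[-1].append((args[0], args[1:], block)); stack.append(block); args = []
        else:
            stack.pop()
    return stack[0]

def label(name, args, children):
    """Context name; a server block is named after its first server_name and listen."""
    if name == "server":
        first = lambda d: next((a[0] for n, a, _ in children if n == d and a), "?")
        return "server %s:%s" % (first("server_name"), first("listen"))
    return " ".join([name] + args)

def header_report(directives, inherited=(), prefix="http"):
    """Effective add_header names per context. nginx inherits the parent's add_header
    directives only when the current level declares none of its own."""
    own = tuple(a[0] for n, a, _ in directives if n == "add_header" and a)
    current = own or inherited
    report = {prefix: current}
    for n, a, c in directives:
        if c is not None:
            report.update(header_report(c, current, prefix + " > " + label(n, a, c)))
    return report

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def tls_findings(http_block):
    """Per server block: 'listen 443' without ssl, and weak or unset ssl_protocols."""
    http_protos = next((a for n, a, _ in http_block if n == "ssl_protocols"), None)
    findings = []
    for n, a, c in http_block:
        if n != "server":
            continue
        ctx = label(n, a, c)
        listens = [args for name, args, _ in c if name == "listen"]
        if any(args and args[0].rsplit(":", 1)[-1] == "443" and "ssl" not in args
               for args in listens):
            findings.append(ctx + ": listen 443 without 'ssl' serves plain HTTP on port 443")
        is_tls = any("ssl" in args for args in listens) or any(
            name == "ssl_certificate" for name, _, _ in c)
        if is_tls:
            protos = next((args for name, args, _ in c if name == "ssl_protocols"), http_protos)
            if protos is None:
                findings.append(ctx + ": no ssl_protocols, relies on the nginx build default")
            elif WEAK_PROTOCOLS & set(protos):
                findings.append(ctx + ": weak ssl_protocols enabled: "
                                + " ".join(sorted(WEAK_PROTOCOLS & set(protos))))
    return findings

# Constructed sample modelled on this page's fragments (not a real deployment).
SAMPLE_CONF = r'''
http {
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    server {
        listen 443;   # 'ssl' forgotten
        server_name example.com www.example.com;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        location / { proxy_pass http://localhost:3000; }
        location /api {
            add_header X-Api-Version "1";   # this alone drops the three http-level headers here
            proxy_pass http://localhost:3000;
        }
    }
    server {
        listen 80 default_server;
        server_name example.com www.example.com;
        return 301 https://$host$request_uri;
    }
}
'''

def audit(text):
    """(effective headers per context, list of TLS findings) for one nginx.conf."""
    http_block = next(c for n, _, c in parse(text) if n == "http")
    return header_report(http_block), tls_findings(http_block)

if __name__ == "__main__":
    headers, findings = audit(SAMPLE_CONF)
    for ctx, names in headers.items():
        print("%-50s %s" % (ctx, ", ".join(names) or "(none)"))
    for finding in findings:
        print("FINDING:", finding)
```

The parser understands only the directive/block/comment grammar (no include expansion), which is enough to run it over a real nginx.conf with audit(open(path).read()); the report shows location /api carrying only X-Api-Version, and the two findings name the server block that needs listen 443 ssl and a TLS 1.2+ ssl_protocols line.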
Performance tuning
- Compression
Enable gzip compression of responses (it is negotiated through the client's Accept-Encoding request header; nothing is "added to the response header" by hand). text/html is always compressed and must not be listed in gzip_types, otherwise nginx warns about the duplicate MIME type. One caveat: over HTTPS, compressing responses that reflect attacker-influenced input alongside secrets (CSRF tokens, session identifiers) exposes those secrets to BREACH-style compression attacks, so keep gzip to static assets and pages that carry no per-user secrets.
gzip on;
gzip_comp_level 2;
gzip_types text/plain text/css
application/json application/javascript
application/x-javascript text/javascript;
- Caching
Set up a proxy cache and cache-control headers. The zone declared by proxy_cache_path is only used by locations that enable it with proxy_cache; the original fragment declared the zone but never turned it on.
http {
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=cache:10m inactive=60m;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_cache_valid 200 60m;
proxy_cache_valid 404 1m;
...
server {
...
location / {
proxy_pass http://localhost:3000;
proxy_cache cache;
proxy_cache_bypass $http_pragma;
proxy_cache_revalidate on;
add_header Cache-Control "public, max-age=604800, immutable";
}
...
}
}
Three caveats. The key contains nothing that identifies the user, so a personalised response (an account page, an API reply for a logged-in session) would be stored once and served to every later visitor of that URL; cache only content that is identical for all users, or keep personalised responses out with proxy_no_cache and proxy_cache_bypass on the session cookie. proxy_cache_bypass $http_pragma lets any client skip the cache by sending a Pragma header, which hands attackers a switch to turn the cache off and drive traffic to the backend. add_header does not replace a Cache-Control header sent by the upstream, it adds a second one, and a one-week immutable lifetime for everything under / is only appropriate for versioned static assets, not for HTML or API responses.
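The first caveat above (nothing in the key identifies the user) can be made concrete. The Python below is an added example, not nginx code: it expands this page's proxy_cache_key for two constructed requests from different users, computes where nginx would store the entry under proxy_cache_path (file name = MD5 of the key, with the levels=1:2 directories taken from the end of the digest, as nginx documents), and shows that both requests collapse onto one file unless the session cookie becomes part of the key. The request dictionaries and session values are constructed sample data. Knowing the on-disk path is also how you inspect or purge one specific cached object during an incident.

```python
"""Where an nginx proxy_cache entry for a request lands on disk, and why the key on this
page shares one entry between users. Added example, not nginx code; the cache-file layout
follows the documented scheme (file name = MD5 of the key, levels=1:2 directories taken
from the end of the digest)."""
import hashlib
import re

CACHE_DIR = "/var/cache/nginx"                               # proxy_cache_path on this page
KEY_TEMPLATE = "$scheme$request_method$host$request_uri"    # proxy_cache_key on this page


def cache_key(template, variables):
    """Expand $name variables as nginx does for proxy_cache_key (unknown names -> empty)."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), ""), template)


def cache_file(key, cache_dir=CACHE_DIR, levels=(1, 2)):
    """levels=1:2 means one hex char, then two, each taken from the END of the MD5 digest."""
    digest = hashlib.md5(key.encode()).hexdigest()
    parts, end = [], len(digest)
    for width in levels:
        parts.append(digest[end - width:end])
        end -= width
    return "/".join([cache_dir, *parts, digest])


# Constructed requests: two logged-in users fetching the same private page.
# nginx derives $cookie_session from the Cookie header; here it is supplied directly.
ALICE = {"scheme": "https", "request_method": "GET", "host": "example.com",
         "request_uri": "/account", "cookie_session": "alice-session-id"}
BOB = dict(ALICE, cookie_session="bob-session-id")


def shared_entry(template, *requests):
    """True when every request maps to the same cache file, i.e. they would share a response."""
    files = {cache_file(cache_key(template, r)) for r in requests}
    return len(files) == 1


if __name__ == "__main__":
    for who, req in (("alice", ALICE), ("bob", BOB)):
        print(who, cache_file(cache_key(KEY_TEMPLATE, req)))
    print("shared with the page's key:     ", shared_entry(KEY_TEMPLATE, ALICE, BOB))
    print("shared with $cookie_session too:", shared_entry(KEY_TEMPLATE + "$cookie_session", ALICE, BOB))
```

Adding the session cookie to the key stops the cross-user leak but also makes the cache per-user, which usually defeats its purpose; for personalised endpoints the better answer is not caching them at all (proxy_no_cache), keeping the shared key for content that is genuinely public.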
That is the complete walkthrough of nginx from installation to configuration; I hope it is useful.