Nginx配置备忘录
契机
基础
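# Default install / config directory
cd /etc/nginx
# Main config plus the per-purpose files it includes from conf.d/
cat /etc/nginx/nginx.conf
cat /etc/nginx/conf.d/*.conf
# Follow the logs (Ctrl-C to stop)
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log
# Check the config on disk for syntax / missing-file errors
nginx -t
# Dump the full effective config (every include resolved) and check it
nginx -T
# Re-read the config after a change without dropping open connections
nginx -s reload

# Create a basic-auth credential file for auth_basic_user_file
# (htpasswd format: one "user:hash" per line).
# Create it with restrictive permissions *before* writing the hash:
# only the worker account ("user nginx;") needs to read it, and the
# default umask would otherwise leave the file world-readable.
touch /etc/nginx/access_pwd
chown root:nginx /etc/nginx/access_pwd
chmod 640 /etc/nginx/access_pwd
# printf instead of "echo -n": echo's -n handling is not portable.
printf '%s' 'admin:' >> /etc/nginx/access_pwd
# With no password argument openssl prompts for it twice, so the
# password never appears on the command line (shell history, ps).
# -6 = SHA-512 crypt (needs OpenSSL >= 1.1.1); nginx verifies it via
# the system crypt(3). The original -apr1 (MD5-based, weaker) still
# works and is the fallback if your libc has no $6$ support.
openssl passwd -6 >> /etc/nginx/access_pwd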
配置文件
不同用途的配置文件分开存放,有利于阅读和管理
主配置
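user nginx;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Access log format: client, auth user, time, request line, status,
    # bytes, referer, user agent and the X-Forwarded-For chain (if any).
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # error_log's second argument is a severity level, not a log_format
    # name: "error_log ... main;" makes `nginx -t` fail with
    # 'invalid log level "main"'. Levels: debug info notice warn error crit alert emerg.
    error_log /var/log/nginx/error.log warn;
    access_log /var/log/nginx/access.log main;

    # Do not advertise the nginx version in the Server: header and on
    # error pages.
    server_tokens off;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # One file per purpose under conf.d/ (password, ip, ssl, static, ...)
    include /etc/nginx/conf.d/*.conf;

    # Catch-all for port-80 requests that match no server_name, e.g. access
    # by bare IP: 444 closes the connection without sending a response.
    # This covers port 80 only. A request to https://<ip>/ is still
    # answered by the first "listen 443" server (and shows its certificate);
    # on nginx >= 1.19.4 add "listen 443 ssl default_server;" with
    # "ssl_reject_handshake on;" to close those too.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }
}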
密码访问配置
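server {
    listen 80;
    server_name password.com;

    location / {
        # HTTP Basic auth: the browser sends "user:password" base64-encoded
        # (not encrypted) on every request. On a plain port-80 listener
        # the credentials cross the network in the clear, so outside a
        # LAN test this belongs on a "listen 443 ssl" server (see the SSL
        # example) or behind a redirect to it.
        auth_basic "Restricted Access";
        # htpasswd-style "user:hash" file; keep it root:nginx 0640.
        auth_basic_user_file /etc/nginx/access_pwd;

        proxy_pass http://192.168.12.34:1234/;
        proxy_set_header Host $host:$server_port;
        # Pass the client address on, as the "other" config does, so the
        # backend's logs/rate limits do not see only nginx's own IP.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}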
限制ip访问配置
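server {
    listen 80;
    server_name ip.com;

    location / {
        # Only the 192.168.12.0/24 network may reach this location.
        # The original "192.168.12.34/24" has host bits set; nginx accepts
        # it with the warning 'low address bits of "192.168.12.34/24" are
        # meaningless' and uses the network part, so write the network
        # address explicitly to keep `nginx -t` clean and the intent clear.
        allow 192.168.12.0/24;
        deny all;

        # NOTE: allow/deny test the TCP peer address ($remote_addr). If a
        # load balancer or another proxy sits in front of nginx, every
        # request arrives from that proxy's IP and this filter is either
        # always-allow or always-deny; in that setup use the realip
        # module (set_real_ip_from / real_ip_header) before trusting it.
        proxy_pass http://192.168.12.34:9876/;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}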
SSL访问配置
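# Send plain-HTTP requests for this host to HTTPS. Without this server,
# http://ssl.cn/ falls through to the port-80 catch-all and gets 444.
server {
    listen 80;
    server_name ssl.cn;
    return 301 https://$host$request_uri;
}

server {
    # "ssl" on the listen line is required. With a bare "listen 443;"
    # nginx speaks plain HTTP on port 443 regardless of the
    # ssl_certificate lines below, and browsers get
    # "400 The plain HTTP request was sent to HTTPS port".
    listen 443 ssl;
    server_name ssl.cn;

    ssl_certificate /etc/nginx/cert/_.x.pem;
    # The key is read by the master process (root) at startup; keep the
    # file root-owned and mode 0600.
    ssl_certificate_key /etc/nginx/cert/_.x.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail most compliance
    # scans. TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL 1.1.1+;
    # on an older build drop that token, otherwise `nginx -t` rejects it.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original list also admitted
    # CBC and static-RSA suites through the "ECDH", "AES" and "HIGH" groups.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # HSTS: browsers that have seen this header use HTTPS for ssl.cn for a
    # year, even if a link or a downgrade attempt says http://. Only add
    # includeSubDomains once every subdomain serves valid TLS.
    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass http://192.168.0.1:7654/;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The hop to the backend is plain http; tell it the client side
        # was TLS so it builds https URLs / secure cookies correctly.
        proxy_set_header X-Forwarded-Proto https;
    }
}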
静态资源访问配置
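server {
    listen 80;
    # NOTE: the "other" example on this page also uses server_name xxx.cn
    # on port 80. If both files are loaded nginx warns
    # 'conflicting server name "xxx.cn" on 0.0.0.0:80, ignored' and silently
    # drops the second server block; give each real site a distinct name.
    server_name xxx.cn;

    # Refuse dotfiles anywhere under the document root (.git/, .env,
    # .htpasswd, editor backups) -- a common leak when a working copy is
    # served directly. A regex location wins over the plain "/" prefix.
    # Probes still get logged (403), which is useful for detection.
    location ~ /\. {
        deny all;
    }

    location / {
        root /home/www/xxx;
    }
}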
其他配置
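server {
    listen 80;
    # NOTE: the static example on this page also uses server_name xxx.cn
    # on port 80; if both are loaded nginx keeps only the first and warns
    # 'conflicting server name "xxx.cn" on 0.0.0.0:80, ignored'.
    server_name xxx.cn;

    # Drop scanner probes for CGI scripts (the OpenWrt/router exploit
    # traffic that hammers /cgi-bin/...). Prefix match, so every path
    # starting with /cgi-bin is covered.
    location /cgi-bin {
        deny all;
    }

    # Hide Spring Boot Actuator endpoints (/actuator/env, /actuator/heapdump,
    # ...) from the outside. This is perimeter-only: anything that can
    # reach the backend directly still gets them, so also disable or
    # authenticate them in the application itself.
    location /actuator {
        deny all;
    }

    location / {
        # Original client address for the backend. $remote_addr is the TCP
        # peer, so this is only the real client when clients connect to
        # nginx directly and not through another proxy.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://xxxx;
        proxy_set_header Host $host:$server_port;
    }
}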
总结
- nginx配置文件分开存放
- 80和443配置,静态文件配置
- basic密码访问
- 安全隔离,ip防护,禁止访问特定路径
- 真实客户端IP获取(X-Real-IP / X-Forwarded-For)等
写到最后
欢迎访问:https://bothsavage.github.io