nginx
说明
一款高性能的 HTTP 和反向代理 Web 服务器。
下载
yum版
# Enable the EPEL repository
sudo yum install -y epel-release
# Install nginx
sudo yum install -y nginx
# Start nginx
sudo systemctl start nginx
# Enable start on boot
sudo systemctl enable nginx
# Check the service status
sudo systemctl status nginx
# Show the installed version
nginx -v
# Open the firewall for web traffic (only if firewalld is running).
# Add only the services nginx actually serves; https can wait until a 443 listener exists.
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
# 防火墙知识
# 查看服务运行状态 (Active: running 表示开启)
systemctl status firewalld
# 开启防火墙
sudo systemctl start firewalld
# 设置开机自启
sudo systemctl enable firewalld
# 关闭防火墙
sudo systemctl stop firewalld
# 禁止开机自启
sudo systemctl disable firewalld
# 查看所有开放的端口和服务
sudo firewall-cmd --list-all
# 仅查看开放的端口
sudo firewall-cmd --list-ports配置
配置示例
main (全局块)
└── events { ... } (事件块)
└── http { ... } (HTTP 块)
├── upstream { ... } (上游服务器组,用于负载均衡)
├── server { ... } (虚拟主机块,可包含多个)
│ ├── location /path { ... } (路由匹配块,可包含多个)
│ └── location /api { ... }
└── server { ... } (另一个虚拟主机)
全局块
描述:配置全局内容,日志,工作进程数
user nginx; # account the worker processes run as (keep it unprivileged)
worker_processes auto; # number of workers, usually the CPU core count (auto detects it)
error_log /var/log/nginx/error.log warn; # error log path and level
pid /var/run/nginx.pid; # PID file path
事件块
描述:配置网络连接处理机制,每个进程对应连接数。
events {
    # Max connections per worker (total = worker_processes * worker_connections).
    # The count includes connections to proxied backends, so a proxied client uses two.
    worker_connections 10240;
    use epoll; # epoll is the recommended event method on Linux
    multi_accept on; # let a worker accept several new connections at once
}
http块
配置http服务器,可以配置负载均衡**upstream**和虚拟主机server
http {
    include mime.types; # MIME type table
    default_type application/octet-stream;
    sendfile on; # efficient file transfer
    keepalive_timeout 65; # keep-alive timeout
    # gzip compression (saves bandwidth)
    gzip on;
    gzip_types text/plain application/javascript text/css;
    # Pull in further config files (best practice).
    # Every *.conf in this directory becomes live config, so keep it writable by root only.
    include /etc/nginx/conf.d/*.conf;
}
负载均衡
描述:多台 nginx 服务器负载均衡
upstream backend_cluster {
    # Balancing method
    # ip_hash; # hash on client IP (works around unshared sessions)
    # least_conn; # fewest active connections
    # sticky cookie srv_id expires=1h domain=.example.com path=/; # new in 1.29.6: sticky sessions
    server 192.168.1.10:8080 weight=3; # higher weight receives more requests
    server 192.168.1.11:8080;
    server 192.168.1.12:8080 backup; # standby, used only when the others are down
}
虚拟主机
描述:本地端口对外映射
server {
    listen 80; # listening port (plain HTTP, traffic is not encrypted)
    server_name example.com www.example.com; # domain names
    # Access log
    access_log /var/log/nginx/example_access.log;
    # Document root; everything under this directory is served,
    # so keep VCS metadata, env files and backups out of it
    location / {
        root /var/www/html;
        index index.html;
    }
}
标准
nginx.conf
# Account the workers run as (depends on the system: usually www-data, nginx or nobody)
user nginx;
# Worker count: the CPU core count is the usual choice, auto detects it
worker_processes auto;
# Error log path and level (warn, error, crit, alert, emerg)
error_log /var/log/nginx/error.log warn;
# PID file path
pid /var/run/nginx.pid;
# Max open files per worker (must fit within the system ulimit)
worker_rlimit_nofile 65535;
events {
    # Max connections per worker; this includes connections to proxied backends
    worker_connections 10240;
    # Use epoll (the high-performance choice on Linux)
    use epoll;
    # Let a worker accept several new connections at once
    multi_accept on;
}
http {
# --- Basic tuning ---
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Hide the nginx version in the Server header and on error pages (hardening).
# This only removes a fingerprint; it does not replace patching.
server_tokens off;
# Efficient file transfer
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# Keep-alive timeout and requests per connection
keepalive_timeout 65;
keepalive_requests 100;
# --- gzip compression (saves bandwidth) ---
# NOTE(review): with "gzip_proxied any" and application/json in gzip_types, proxied API
# responses are compressed too. Compressing HTTPS responses that mix secrets with
# request-controlled data is the precondition for BREACH-style attacks; confirm
# that is acceptable for the API, or restrict compression to static assets.
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 1k;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
# --- Log format ---
# $http_x_forwarded_for and $http_user_agent are copied from request headers and
# are client-controlled; use $remote_addr for attribution.
# rt/uct/uht/urt are the request time and the upstream connect, header and response times.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
access_log /var/log/nginx/access.log main;
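# --- Temp file paths ---
# Request bodies and proxied responses are spooled to these directories, so they
# belong in a directory owned by the nginx user, not in world-writable /tmp, where
# other local accounts can pre-create the names and tmp cleaners can remove them.
# /var/lib/nginx/tmp is what the EPEL nginx package (the yum install above) uses by
# default; with another package, use that package's nginx-owned temp/cache directory.
# If nginx reports permission errors here, fix the directory ownership instead of
# moving the paths to /tmp.
client_body_temp_path /var/lib/nginx/tmp/client_body;
proxy_temp_path /var/lib/nginx/tmp/proxy;
fastcgi_temp_path /var/lib/nginx/tmp/fastcgi;
uwsgi_temp_path /var/lib/nginx/tmp/uwsgi;
scgi_temp_path /var/lib/nginx/tmp/scgi;
# --- Upload size limit ---
# Set at http level, so it applies to every server and location unless overridden.
# Keep the global value small and raise it only in the upload location if possible.
client_max_body_size 100M;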
# --- Backend pool (load balancing) ---
# Assumes several backend instances
upstream backend_pool {
    # Balancing method (round-robin by default)
    # ip_hash; # uncomment if session affinity is needed
    # Backend list (higher weight = larger share of requests)
    server 127.0.0.1:8080 weight=5;
    server 127.0.0.1:8081 weight=5;
    server 127.0.0.1:8082 backup; # standby node
    # Pool of idle keep-alive connections to the backends, cached per worker.
    # This is not a health check: passive failure detection is controlled by
    # max_fails / fail_timeout on the server lines (their defaults apply here).
    # Per the nginx upstream docs, the proxying location also needs
    # "proxy_http_version 1.1;" and an empty Connection header to reuse the pool.
    keepalive 32;
}
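# --- HTTP (80) server ---
server {
    listen 80;
    server_name example.com www.example.com; # replace with your domain
    # Redirect everything to the HTTPS server. Serving /app/web/testweb from this
    # block as well would deliver the site in cleartext and without the deny rules
    # for .git / .env / WEB-INF, which only the 443 server defines.
    # $host is taken from the request; this block is also the default server for
    # port 80, so add a catch-all default server if unknown Host values should be rejected.
    return 301 https://$host$request_uri;
    # If the site must stay on plain HTTP, restore a "location /" here and copy
    # the deny rules from the HTTPS server into this block.
}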
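# --- HTTPS (443) server (the production entry point) ---
server {
    # TLS with HTTP/2. From nginx 1.25.1 the "http2" listen parameter is deprecated
    # in favour of a separate "http2 on;" directive.
    listen 443 ssl http2;
    server_name example.com www.example.com; # replace with your domain

    # Certificate and private key (replace with the real paths).
    # Keep the key file readable by root only.
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Session handling: shared cache, session tickets disabled
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Protocols and cipher suites: TLS 1.2/1.3, ECDHE key exchange with AES-GCM only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # OCSP stapling (speeds up the TLS handshake).
    # The resolver answers are used unauthenticated; prefer a trusted local resolver.
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # resolver 8.8.8.8 8.8.4.4 valid=300s;
    # resolver_timeout 5s;

    # --- 1. Front-end static files ---
    location / {
        root /app/web/testweb; # front-end deployment directory
        index index.html index.htm;
        # SPA fallback: unknown paths get index.html instead of a 404 on reload
        try_files $uri $uri/ /index.html;

        # Cache policy for static assets (by file extension)
        location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2|ttf|svg)$ {
            expires 30d;
            add_header Cache-Control "public, immutable";
            access_log off; # no access log for static assets, less I/O
        }
    }

    # --- 2. Back-end API reverse proxy ---
    # Requests starting with /api/ go to the backend pool
    location /api/ {
        # proxy_pass carries a URI part ("/"), so nginx already replaces the matched
        # "/api/" prefix with "/": /api/users reaches the backend as /users.
        # To keep the prefix, drop the trailing slash: proxy_pass http://backend_pool;
        proxy_pass http://backend_pool/; # the upstream defined above

        # Required for the upstream "keepalive" connection pool to be reused
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Headers that give the backend the original request context.
        # X-Forwarded-For is appended to whatever the client sent, so the backend
        # should trust X-Real-IP (or only the last X-Forwarded-For entry).
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts (tune to the workload)
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Response buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }

    # --- 3. WebSocket support (if needed) ---
    location /ws/ {
        proxy_pass http://backend_pool;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # --- 4. Health endpoint (for load balancer probes) ---
    location /health {
        access_log off;
        # Set the type with default_type: add_header Content-Type would send a
        # second Content-Type header next to the default one.
        default_type text/plain;
        return 200 "healthy\n";
    }

    # --- 5. Deny access to sensitive files ---
    # All dot-files and dot-directories (.git, .env, .svn, .htpasswd, ...) except
    # /.well-known/, which ACME HTTP validation needs.
    location ~ /\.(?!well-known/) { deny all; }
    location ~ /WEB-INF { deny all; }
}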
}
nginx
http://example.com/2026/03/14/nginx/