
nginx


2019-07-02

Service management

sudo systemctl status nginx # Show the current status of the nginx service
sudo systemctl reload nginx # Reload the configuration without stopping the service
sudo systemctl restart nginx # Stop and start the service (open connections are dropped)

sudo nginx -t # Test the configuration for syntax errors; run this before every reload
nginx # Start
nginx -s reload # Reload the configuration (not a restart): new workers start, old ones finish their requests
nginx -s stop # Fast shutdown
nginx -s quit # Graceful shutdown: workers finish the requests they are serving
nginx -V # Print the version, compiler and configure arguments (shows which modules are built in)

Global variables

| Variable | Description |
| --- | --- |
| `$args` | The parameters in the request line; the same as `$query_string` |
| `$remote_port` | The client's port |
| `$content_length` | The Content-Length field in the request header |
| `$remote_user` | The username that has been authenticated by the Auth Basic module |
| `$content_type` | The Content-Type field in the request header |
| `$request_filename` | The file path of the current request, generated from the root or alias directive and the request URI |
| `$document_root` | The value specified in the root directive for the current request |
| `$scheme` | Request scheme (such as http, https) |
| `$host` | The host name from the request (request line or Host header field); otherwise the server name |
| `$hostname` | Host name |
| `$http_user_agent` | Client agent information |
| `$http_cookie` | Client cookie information |
| `$server_protocol` | The protocol used in the request, usually HTTP/1.0 or HTTP/1.1 |
| `$server_addr` | Server address; this value can be determined after completing a system call |
| `$server_name` | Server name |
| `$server_port` | Port number on which the request reached the server |
| `$limit_rate` | This variable can limit the connection rate |
| `$request_method` | The action requested by the client, such as GET/POST |
| `$request_uri` | The original URI including request parameters, without host name, such as: /foo/bar.php?arg=baz |
| `$remote_addr` | Client IP address |
| `$uri` | Current URI without request parameters; `$uri` does not include the host name, such as /foo/bar.html |
| `$document_uri` | Same as `$uri` |
| `$nginx_version` | nginx version |

Listening ports

server {
# NOTE(review): the listen lines below are a list of alternatives, not one
# working block. nginx rejects two listen directives for the same
# address:port inside a single server, so keep one line per port.
listen 80; # Standard HTTP protocol (plaintext)
# The ssl parameter needs ssl_certificate and ssl_certificate_key to be set
# for this server.
listen 443 ssl; # Standard HTTPS protocol
# Newer nginx releases deprecate the http2 listen parameter in favour of a
# separate "http2 on;" directive; check the version printed by `nginx -V`.
listen 443 ssl http2; # For http2
listen [::]:80; # Listen on 80 with IPv6
# Listen only with IPv6
listen [::]:80 ipv6only=on;
}

Domain name (server_name)

server {
# server_name selects this server block by the host name in the request; the
# address and port are set by listen, not here.
# Answer for example.com
server_name example.com;
# Answer for several names
server_name example.com www.example.com;
# Answer for all subdomains; the asterisk can cover several labels
# (a.b.example.com also matches)
server_name *.example.com;
# Answer for "example." followed by anything. The asterisk can cover several
# labels, so a name under a domain you do not own (constructed sample:
# example.other-domain.tld) matches too; do not treat a match as proof that
# the request was meant for your site.
server_name example.*;
# Answer for requests that carry no Host header (for example, requests made
# to the bare IP address by old clients)
server_name "";
}

Load balancing

Simple example

# Group of backend servers; requests are spread across the listed servers
# (round-robin when no other method is named).
upstream node_js {
# NOTE(review): 0.0.0.0 is the wildcard used when binding a listener, not an
# address to connect to. Name the address the backend is really reachable on
# (the loopback address if it runs on this host).
server 0.0.0.0:3000;
server 0.0.0.0:4000;
# NOTE(review): 421 is outside the 0-255 range, so this is not a valid IPv4
# address; nginx will most likely try to resolve it as a host name and fail
# at startup. Replace it with the real backend address.
server 127.155.142.421;
}

Weight

# Weighted round-robin: with weights 9 and 1, roughly nine of every ten
# requests go to port 8080 and one to port 8081.
# The name "test" is reused by other examples on this page; upstream names
# must be unique within one configuration.
upstream test {
server localhost:8080 weight=9;
server localhost:8081 weight=1;
}

ip_hash

Keeps each client on the same upstream server, which solves the session problem under load balancing

upstream test {
# Choose the server from a hash of the client address, so one client keeps
# reaching the same backend. For IPv4 only the first three octets are hashed.
# The address used is the peer that connected to nginx: behind a CDN or
# another proxy every request shares that proxy's address and lands on one
# backend.
ip_hash;
server localhost:8080;
server localhost:8081;
}

fair

Prioritize the response time

upstream backend {
# NOTE(review): fair is not a directive of stock nginx; it needs a
# third-party upstream module compiled in. Check the module list printed by
# `nginx -V` before using it, otherwise `nginx -t` reports an unknown
# directive.
fair;
server localhost:8080;
server localhost:8081;
}

url_hash

Allocate requests according to the hash result of the accessed url

upstream backend {
# Choose the server from a hash of the original request URI (path plus query
# string), so the same URL always reaches the same backend. The URI is
# chosen by the client, so the distribution of load is too.
hash $request_uri;
# NOTE(review): hash_method belongs to an older third-party hash module; the
# hash directive built into current nginx does not appear to accept it, so
# `nginx -t` may reject this line. Confirm against the build in use.
hash_method crc32;
server localhost:8080;
server localhost:8081;
}

keepalive

Activates a cache of idle connections to the upstream servers

upstream memcached_backend {
# memcached has no authentication by default: port 11211 on these hosts
# should be reachable only from this proxy, never from the public network.
server 127.0.0.1:11211;
server 10.0.0.2:11211;
# Keep up to 32 idle connections to these servers open in each worker
# process. This is the size of the idle-connection cache, not a cap on the
# total number of upstream connections.
keepalive 32;
}

server optional parameters

| Parameter name | Description |
| --- | --- |
| `weight` | The higher the weight value, the more requests the server receives |
| `fail_timeout` | A response must be provided within the specified time |
| `max_fails` | The maximum number of failed server connection attempts |
| `down` | Marks a server so that it no longer accepts any requests |
| `backup` | If a server is down, the marked machine receives requests |

Reverse proxy

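server {
listen 80;
server_name example.com;

location / {
# Forward every request to the Node.js application on the loopback
# interface, port 3000.
# 0.0.0.0 is the wildcard used when binding a listener, not an address to
# connect to, so the backend is named by its real address here. Bind the
# Node.js process to 127.0.0.1 as well, so that port 3000 cannot be reached
# directly from the network without passing through nginx.
proxy_pass http://127.0.0.1:3000;
}
}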

Load balancing + reverse proxy

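upstream node_js {
# Node.js application on the loopback interface, port 3000.
# 0.0.0.0 is the wildcard used when binding a listener, not an address to
# connect to, so the backend is named by its real address. Bind the Node.js
# process to 127.0.0.1 too, so the port is reachable only through nginx.
server 127.0.0.1:3000;
}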

# Virtual host for example.com on plain HTTP, port 80.
server {
listen 80;
server_name example.com;

location / {
# Hand every request to the upstream group named node_js; nginx picks one
# of the servers listed in that group for each request.
proxy_pass http://node_js;
}
}

Upgrade connection (for applications that support WebSockets)

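upstream node_js {
  # WebSocket-capable Node.js application on the loopback interface, port 3000.
  # 0.0.0.0 is the wildcard used when binding a listener, not an address to
  # connect to, so the backend is named by its real address.
  server 127.0.0.1:3000;
}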

server {
  # Plain HTTP on port 80: WebSocket traffic through this block is
  # unencrypted (ws://, not wss://).
  listen 80;
  server_name example.com;

  location / {
    proxy_pass http://node_js;
    # Do not rewrite Location/Refresh headers in upstream responses.
    proxy_redirect off;
    # The upgrade handshake needs HTTP/1.1 towards the upstream.
    proxy_http_version 1.1;
    # Upgrade is a hop-by-hop header, so it is forwarded explicitly.
    proxy_set_header Upgrade $http_upgrade;
    # Sent on every proxied request, including ordinary ones that carry no
    # Upgrade header from the client.
    proxy_set_header Connection "upgrade";
    # $host comes from the request (request line or Host header) and falls
    # back to the server name; the backend receives it as its Host header.
    proxy_set_header Host $host;

  }
}

Cross domain

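server {
 listen 80;
 server_name api.xxx.com;

 # CORS response headers for browser clients on another origin.
 # Browsers refuse a credentialed response whose Access-Control-Allow-Origin
 # is "*", so the allowed origin is named explicitly.
 # https://www.example.com is a placeholder: put the real front-end origin
 # here. If several origins are needed, check the request's Origin against
 # an allow-list; never copy it into the response unchecked, because with
 # credentials enabled that lets any site read authenticated responses.
 add_header 'Access-Control-Allow-Origin' 'https://www.example.com';
 add_header 'Access-Control-Allow-Credentials' 'true';
 add_header 'Access-Control-Allow-Methods' 'GET,POST,HEAD';

 # The spaces matter: "location/{" is not parsed as a location block.
 location / {
 proxy_pass http://127.0.0.1:3000;
 # Address of the peer that connected to nginx.
 proxy_set_header X-Real-IP $remote_addr;
 # Appends $remote_addr to whatever X-Forwarded-For the client sent; the
 # backend should trust only the entry added by this proxy.
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 # $http_host is the raw Host header from the client; the backend must not
 # use it unvalidated to build links, redirects or password-reset URLs.
 proxy_set_header Host $http_host;
 }
}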

Redirect URI

# Backend group used by the /api/ location below; both servers are on this
# host, ports 8080 and 8081.
upstream test {
 server 127.0.0.1:8080;
server localhost:8081;
}
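server {
listen 80;
server_name api.xxx.com;
location / {
root html; # Serve files from the html directory
index index.html index.htm; # Index files tried for directory requests
}
# Prefix match for any URI starting with /api/. The ^~ modifier stops nginx
# from checking regular-expression locations once this prefix matches.
location ^~ /api/ {
# Strip the /api/ prefix before proxying. rewrite works on the path only,
# not on the host name or the query string: for www.a.com/api/msg?meth=1&par=2
# only /api/msg is matched and rewritten.
# ^/api/(.*)$ is the pattern; $1 is the text captured by the first (),
# $2 by the second, and so on. "break" stops rewrite processing and keeps
# the request in this location.
rewrite ^/api/(.*)$ /$1 break;

# Proxy the request to the upstream group.
# Whether proxy_pass carries a URI part changes what the backend sees:
# Configuration 1: http://www.b.com/ (with a URI part, here "/")
#   the part of the request URI matched by the location is replaced by it
# Configuration 2: http://www.b.com (no URI part)
#   the request URI is passed on unchanged
# Here there is no URI part and the URI was changed by "rewrite ... break",
# so the rewritten URI is what reaches the backend.
proxy_pass http://test;

# Rewrite the Path attribute of cookies set by the backend.
# If the proxy_pass URL is http://a.xx.com/platform/, proxy_cookie_path
# should be "/platform/ /" (two arguments separated by a space), so cookies
# scoped to /platform/ are re-scoped to /. The first argument must match
# the backend's cookie path exactly; a misspelled path silently matches
# nothing.
proxy_cookie_path /platform/ /;

# Pass the Set-Cookie header to the client. nginx does not hide Set-Cookie
# by default, so this line is normally redundant.
proxy_pass_header Set-Cookie;
}
}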

Block IP

Can be put in http, server, location, limit_except statement block

include blockip.conf; # Pull in the allow/deny rules kept in blockip.conf; the context of this line decides where they apply
Enter the content in blockip.conf, such as:

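# Reference list of allow/deny forms, not one rule set to paste as a whole.
# Rules are checked in order and the first match wins, so specific lines
# must come before a final "deny all" or "allow all".
# The address tested is the peer that connected to nginx. Behind a CDN or
# load balancer that is the proxy, not the end client, unless the real
# client address is restored first.
deny 165.91.122.67;

deny IP; # Block single IP access (IP is a placeholder)
allow IP; # Allow single IP access (IP is a placeholder)
deny all; # Block all IP access
allow all; # Allow all IP access
deny 123.0.0.0/8; # Block the whole /8: 123.0.0.0 through 123.255.255.255
deny 123.45.0.0/16; # Block the whole /16: 123.45.0.0 through 123.45.255.255
deny 123.45.6.0/24; # Block the whole /24: 123.45.6.0 through 123.45.6.255

# Allow-list: only the listed addresses are let through, all others are denied
allow 1.1.1.1;
allow 1.1.1.2;
deny all;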

Proxy forwarding rewrite path

# Prefix match: applies to every URI that starts with /api/upload, including
# longer paths that merely begin with that string.
location ^~/api/upload {
# Replace the whole path with the fixed backend path /wfs/v1/upload; "break"
# keeps the request in this location.
rewrite ^/(.*)$ /wfs/v1/upload break;
# wfs-api is not defined on this page; presumably an upstream group or a
# resolvable host name declared elsewhere.
proxy_pass http://wfs-api;
}
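# Hotlink deterrent for media files (case-insensitive match on the extension).
# The Referer header is set by the client and can be omitted or forged, so
# this saves bandwidth but is not access control.
location ~* \.(gif|jpg|png|swf|flv)$ {
root html;

# Accepted referers: "none" = no Referer header at all, "blocked" = a
# Referer stripped by a proxy or firewall, then any host under nginx.com.
# Everything else sets $invalid_referer.
valid_referers none blocked *.nginx.com;

if ($invalid_referer) {
# Redirect other sites' embeds to www.nginx.cn. A rewrite replacement is
# only sent as a redirect when it starts with http://, https:// or
# $scheme; the bare "www.nginx.cn" was treated as a URI on this server.
return 302 $scheme://www.nginx.cn/;
# return 404;
}
}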

Shield file directory

General backup and archive files

# Refuse (403) any request whose path ends in a backup, archive, script or
# config extension, matched case-insensitively. The pattern is quoted because
# it contains "#", which would otherwise start a comment.
# "bak?" also matches ".ba", and "aspx?" matches both ".asp" and ".aspx".
# Regular-expression locations are tried in file order and the first match
# wins, so keep this block above any other regex location (a PHP handler,
# for example) that could match the same paths.
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all;
}
Deny access to .git and .svn directories

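# Refuse (403) access to .git and .svn directories and everything in them.
# The dot is escaped and the match is anchored to a path segment: the
# unescaped, unanchored form (.git|.svn) treats "." as "any character" and
# matches anywhere in the URI, so it also blocks unrelated paths such as
# /digital.
# An exposed .git directory lets the whole repository, including history
# and any committed secrets, be downloaded.
location ~ /\.(git|svn)(/|$) {
deny all;
}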
Deny access to hidden files and directories

# Refuse (403) any path segment that starts with a dot (.env, .htaccess,
# .git, ...). The negative lookahead leaves /.well-known/ reachable, which
# certificate issuance (ACME challenges) and similar standards rely on.
location ~ /\.(?!well-known\/) {
deny all;
}

Gzip configuration

# Compress responses on the fly.
# NOTE(review): compressing HTTPS responses that hold a secret (session or
# CSRF token) next to text taken from the request makes them subject to
# BREACH-style compression side channels; consider leaving such responses
# uncompressed.
gzip on;
# Number and size of the buffers used to compress a response.
gzip_buffers 16 8k;
# Compression level 1-9; 6 trades CPU for size in the middle of the range.
gzip_comp_level 6;
# Only compress for clients speaking at least HTTP/1.1.
gzip_http_version 1.1;
# Skip responses shorter than 256 bytes (judged by Content-Length).
gzip_min_length 256;
# Also compress responses to requests that arrived through another proxy.
gzip_proxied any;
# Add "Vary: Accept-Encoding" so caches keep compressed and plain copies apart.
gzip_vary on;
# MIME types to compress in addition to text/html, which is always compressed.
gzip_types
    text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
    text/javascript application/javascript application/x-javascript
    text/x-json application/json application/x-web-app-manifest+json
    text/css text/plain text/x-component
    font/opentype application/x-font-ttf application/vnd.ms-fontobject
    image/x-icon;
# Do not compress for old Internet Explorer versions matched by the special
# "msie6" mask.
gzip_disable  "msie6";