Nginx 线上配置实例

1 /etc/nginx/nginx.conf，在主配置下设置 /etc/nginx/conf.d/*.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

2 /etc/nginx/conf.d/ 下设置一个 default.conf，server_name 设置为 localhost，如果有其他非法域名 A 记录到该机器上，则返回默认的 Nginx 页面：

server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

3 后端 http 接口配置实例：

upstream oone_backend_http {
    server 127.0.0.1:9100;
}

server {
    listen       80;
    server_name  oone.oone.top;

    location /api/ {
        proxy_pass     http://oone_backend_http/api/;
        proxy_redirect off;

        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

        client_max_body_size       10m;
        client_body_buffer_size    128k;

        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;

        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
        keepalive_timeout 30;
    }

    location / {
        proxy_pass     http://oone_backend_http/;
        proxy_redirect off;
    }
}

4 https 与 websocket 配置实例：

upstream oone_api {
    server 127.0.0.1:8000;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen      443;
    server_name  api.oone.com;

    ssl on;
    root   /usr/share/nginx/html;
    index  index.html index.htm;

    ssl_certificate    /etc/nginx/sslkey/api.oone.com.crt;
    ssl_certificate_key /etc/nginx/sslkey/api.oone.com.key;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;

    #access_log  /var/log/nginx/log/host.access.log  main;

    location /test/v2/ {
        proxy_pass http://oone_api/;
        proxy_redirect off;

        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

        client_max_body_size       10m;
        client_body_buffer_size    128k;

        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;

        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
        keepalive_timeout 30;
    }

    location /test/v2/websocket {
        proxy_pass http://oone_api/websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location ^~ /to_closest_node/websocket {
        internal;
        proxy_pass http://$host/websocket;

        proxy_buffering off;
        proxy_method GET;
        proxy_pass_request_body off;
        proxy_max_temp_file_size 0;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

5 前端静态文件站点与后端接口配置在同一个域名下：

server {
    listen       80;
    server_name  oone.oone.com;

    #charset koi8-r;
    #access_log  /var/log/nginx/log/host.access.log  main;

    root /var/oone/public;
    index index.html index.htm;

    location ^~ /api {
          proxy_pass http://127.0.0.1:8000;
          proxy_redirect off;
    }

    location / {
          try_files $uri $uri/ /index.html;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

6 开启 gzip 以及根据不同的 host 做不同的跳转配置：

server {
    listen       80;
    server_name  www.oone.com;
    #开启 gzip 并且设置 gzip_type
    gzip  on;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;

    #access_log  /var/log/nginx/log/host.access.log  main;

    root /var/oone/dist;
    index index.html index.htm;

    # 根据不同的 host 做不同的跳转
    location = /app {
        if ($http_user_agent ~* (android)) {
                rewrite ^ https://m.pp.cn/detail.html?appid=7658720&ch_src=pp_dev&ch=default redirect;
        }
        if ($http_user_agent ~* (iphone)) {
            rewrite ^ https://itunes.apple.com/cn/app/nikki/id1214764672?mt=8 redirect;
        }
    }

    location / {
          try_files $uri $uri/ /index.html;
    }

    #error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

7 http 跳转到 https 实例（以部署私有 docker 仓库为例）：

upstream docker-backend {
  server 127.0.0.1:5000;
}

# 80 端口访问跳转到 443 端口
server {
  server_name oone.oone.com;
  listen 80;
  return 301 https://$server_name$request_uri;
}

map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
  '' 'registry/2.0';
}

server {
  server_name oone.oone.com;
  listen 443 ssl;

  ssl_certificate /etc/letsencrypt/live/oone.oone.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/oone.oone.com/privkey.pem;

  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;

  # disable any limits to avoid HTTP 413 for large image uploads
  client_max_body_size 0;

  # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
  chunked_transfer_encoding on;

  location /v2 {
    # Do not allow connections from docker 1.5 and earlier
    # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
    if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
      return 404;
    }

    ## If $docker_distribution_api_version is empty, the header will not be added.
    ## See the map directive above where this variable is defined.
    add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;

    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;

    proxy_pass http://docker-backend;
    auth_basic "Docker Registry";
    auth_basic_user_file /etc/nginx/auth/registry_passwd;
  }
}