cat /etc/nginx.conf

user git git;
#pid logs/nginx.pid;

worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
worker_rlimit_nofile 65535;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

events {
use epoll;
worker_connections 4096;
multi_accept on;
}

http {
include mime.types;
default_type application/octet-stream;
add_header Nginx-Cache "$upstream_cache_status";

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"'
                  '"$upstream_cache_status"';

access_log  /data/nginx/nginx_access/access.log  main;

server_tokens              off;
sendfile                   on;
tcp_nopush                 on;
tcp_nodelay                on;
keepalive_timeout          65; 

server_names_hash_bucket_size     256;
client_header_buffer_size         32k;
large_client_header_buffers       4        32k;
client_max_body_size              10m;

open_file_cache max=100000 inactive=60s;
open_file_cache_valid      90s;
open_file_cache_min_uses   2;
open_file_cache_errors     on;

proxy_buffering            on;
proxy_buffers              4      64k;
proxy_connect_timeout      600;
proxy_read_timeout         600;
proxy_send_timeout         600;
proxy_buffer_size          16k;
proxy_busy_buffers_size    128k;
proxy_temp_file_write_size 128k;
proxy_temp_path   /data/nginx/nginx_cache/proxy_temp_dir;
proxy_cache_path  /data/nginx/nginx_cache/proxy_cache_dir  levels=1:2  keys_zone=cache_one:2000m inactive=15d max_size=10g;

# Force use nginx error pages
proxy_intercept_errors  on;

 include gzip .conf;

#vhost define
include vhost/images.conf;
include vhost/img01.conf;
include vhost/img02.conf;
include vhost/img03.conf;
include gzip.conf;

}
各个配置文件的conf配置:
[root@test_03 conf]# vim gzip.conf

1 gzip on;
2 gzip_vary on;
3 gzip_proxied expired no-cache no-store private auth;
4 gzip_http_version 1.0;
5 gzip_disable "MSIE [1-6].";
6 gzip_min_length 1k;
7 gzip_buffers 4 16k;
8 gzip_comp_level 2;
9 gzip_types text/plain text/css text/javascript application/javascript application/x-javascript application/json application/xml;

vim /data/nginx/nginx/conf/gzip.conf
gzip on;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_http_version 1.0;
gzip_disable "MSIE [1-6].";
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/javascript text/css application/xml;

1 server {
2 listen 80;
3 server_name nyapp.ny.cn;
4 root /web/ny_mobile_app/;
5 location / {
6 proxy_pass http://127.0.0.1:10002;
7 }
8 location ~ ^/(WEB-INF)/ { deny all;}
9 location = /testWorker.jsp {
10 proxy_pass http://127.0.0.1:10002;
11 allow 1.192.156.65/32;
12 deny all;
13 }
14 include bug/*.conf;
15 include static.conf;
16 include error.conf;
17 access_log /var/log/nginx/access.log main;
18 }
[root@test_03 vhost]# vim ../static.conf

location ~ ..(gif|jpg|jpeg|png|bmp|ico)$ {
2 expires 30d;
3 access_log off;
4 }
5 location ~ .*.(js|css)$ {
6 expires 1d;
7 access_log off;
8 }
~

[root@test_03 vhost]# vim ../error.conf

1 error_page 500 502 503 504 /50x.html;
2 location = /50x.html {
3 root html;
4 }
5 error_page 404 /404.html;
6 location = /404.html {
7 root html;
8 }

[root@test_03 vhost]# cd ../bug/
[root@test_03 bug]# ls
agents.conf file_injections.conf overflow.conf spam.conf spider.conf sql_injections.conf struts.conf
[root@test_03 bug]# cat agents.conf
set $block_user_agents 0;
#Don't disable wget if you need it to run cron jobs!
#if ($http_user_agent ~ "Wget" ) {
#set $block_user_agents 1;
#}

Disable Akeeba Remote Control 2.5 and earlier

if ($http_user_agent ~ "Indy Library") {
set $block_user_agents 1;
}

Common bandwidth hoggers and hacking tools.

if ($http_user_agent ~ "libwww-perl") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetRight") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetWeb!") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go!Zilla") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Download Demon") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go-Ahead-Got-It") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "TurnitinBot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GrabNet") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "WebBench") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "ApacheBench") {
set $block_user_agents 1;
}
if ($http_user_agent ~ ^$) {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Python-urllib") {
set $block_user_agents 1;
}
if ($block_user_agents = 1) {
return 444;
}
[root@test_03 bug]# cat
agents.conf overflow.conf spider.conf struts.conf
file_injections.conf spam.conf sql_injections.conf
[root@test_03 bug]# cat overflow.conf
set $block_common_exploits 0;
if ($query_string ~ "(<|%3C).script.(>|%3E)") {
set $block_common_exploits 1;
}
if ($query_string ~ "GLOBALS(=|[|%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|[|%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
}
if ($querystring ~ "mosConfig[a-zA-Z_]{1,21}(=|%3D)") {
set $block_common_exploits 1;
}
if ($querystring ~ "base64(en|de)code(.)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 444;
}
[root@test_03 bug]# ca
cacertdir_rehash caller capsh case catchsegv
cal canberra-gtk-play captoinfo cat
[root@test_03 bug]# cat
cat catchsegv
[root@test_03 bug]# cat sp
spam.conf spider.conf
[root@test_03 bug]# cat spider.conf
if ($http_user_agent ~
(bingbot|youdao|YoudaoBot|robozilla|YisouSpider|BLEXBot|EasouSpider|EtaoSpider|YYSpider|yahoo|sohu-search|msnbot|MSNBot|MJ12bot|AhrefsBot|FeedDemon|JikeSpider|Indy\ Library|Alexa\ Toolbar|AskTbFXTV|CrawlDaddy|CoolpadWebkit|Feedly|UniversalFeedParser|Microsoft|URL\ Control|Swiftbot|ZmEu|oBot|jaunty|lightDeckReports\ Bot|DigExt|heritrix|Ezooms|sqlmap|BSQL\ Hacker|The\ Mole|Pangolin|Havij|Enema\ SQLi|SQLninja|sqlsus|safe3\ SQL\ Injector|SQL\ Poizon)) {
return 444;
}
[root@test_03 bug]# cat struts.conf
if ($args ~ "redirect:"){
return 444;
}
if ($args ~
"action:") {
return 444;
}
if ($args ~* "redirectAction:") {
return 444;
}

[root@test_03 bug]# cat sql_injections.conf
set $block_sql_injections 0;
if ($query_string ~ "union.select.") {
set $block_sql_injections 1;
}
if ($query_string ~ "union.all.select.") {
set $block_sql_injections 1;
}
if ($query_string ~ "concat.
") {
set $block_sql_injections 1;
}
#if ($query_string ~ ".['<>].") {
#set $block_sql_injections 1;
#}
if ($block_sql_injections = 1) {
return 444;
}
[root@test_03 bug]# cat struts.conf
if ($args ~
"redirect:"){
return 444;
}
if ($args ~ "action:") {
return 444;
}
if ($args ~
"redirectAction:") {
return 444;
}

server{
listen80;
server_namezhangge.net;
#缓存清理模块
location~/purge(/.){
allow127.0.0.1;
allow192.168.1.101;#此处表示允许访问缓存清理页面的IP
denyall;
proxy_cache_purgecache_one$host$1$is_args$args;
}
#缓存html页面,可以缓存伪静态【这是亮点!】
location~.
.html${
proxy_passhttp://127.0.0.1:8080;
proxy_redirectoff;
proxy_set_headerHost$host;
proxy_cachecache_one;
#状态为200、302的缓存1天
proxy_cache_valid2003021d;
#状态为301的缓存2天
proxy_cache_valid3012d;
proxy_cache_validany1m;
#浏览器过期时间设置4小时
expires4h;
#忽略头部禁止缓存申明,类似与CDN的强制缓存功能
proxy_ignore_headers"Cache-Control""Expires""Set-Cookie";
#在header中插入缓存状态,命中缓存为HIT,没命中则为MISS
add_headerNginx-Cache"$upstream_cache_status";
}
#图片缓存设置,如果不是使用了Nginx缩略图功能,这个可以不用,效果不明显
location~..(gif|jpg|png|css|jsico)(.){
proxy_passhttp://127.0.0.1:8080;
proxy_redirectoff;
proxy_set_headerHost$host;
proxy_cachecache_one;
proxy_cache_valid20030230d;
proxy_cache_valid3011d;
proxy_cache_validany1m;
expires30d;
proxy_ignore_headers"Cache-Control""Expires""Set-Cookie";
add_headerNginx-Cache"$upstream_cache_status";
}
#动态页面直接放过不缓存
location~..(php)(.){
proxy_passhttp://127.0.0.1:8080;
proxy_set_header Host$host;
proxy_set_header X-Real-IP$remote_addr;
proxy_set_header X-Forwarded-For$proxy_add_x_forwarded_for;
}
#设置缓存黑名单,不缓存指定页面,比如wp后台或其他需要登录态的页面,用分隔符隔开
location~^/(wp-admin|system)(.)${
proxy_passhttp://127.0.0.1:8080;
proxy_set_header Host$host;
proxy_set_header X-Real-IP$remote_addr;
proxy_set_header X-Forwarded-For$proxy_add_x_forwarded_for;
}
#缓存以斜杠结尾的页面,类似于CDN的目录缓存,如果存在问题请取消缓存机制
location~^(.
)/${
proxy_passhttp://127.0.0.1:8080;
proxy_redirectoff;
proxy_set_headerHost$host;
proxy_cachecache_one;
proxy_cache_valid2003021d;
proxy_cache_valid3011d;
proxy_cache_validany1m;
expires1h;
proxy_ignore_headers"Cache-Control""Expires""Set-Cookie";
add_headerNginx-Cache"$upstream_cache_status";
}
location/{
proxy_passhttp://127.0.0.1:8080;
proxy_set_header Host$host;
proxy_set_header X-Real-IP$remote_addr;
proxy_set_header X-Forwarded-For$proxy_add_x_forwarded_for;
}
}

location ~* /static/img/ {
proxy_pass http://zhannei.baidu.com;
proxy_redirect off;
#支持purge缓存的环境可以取消以下三行注释,让资源缓存到服务器,注意cache_oneg改成实际名称
#proxy_cache cache_one;
#proxy_cache_valid 200 302 304 7d;
#proxy_cache_valid any 1m;
}

location ~* ^/(cse|static|api) {
    proxy_pass http://zhannei.baidu.com;
    proxy_redirect off;
    #支持purge缓存的环境可以取消以下三行注释,让资源缓存到服务器,注意cache_oneg改成实际名称
    #proxy_cache cache_one;
    #proxy_cache_valid 200 302 304 7d;
    #proxy_cache_valid any 1m;
    expires max;
}

location ~* "customer(.+)search" {
    proxy_pass http://znsv.baidu.com;
    proxy_redirect off;
    #支持purge缓存的环境可以取消以下三行注释,让资源缓存到服务器,注意cache_oneg改成实际名称
    #proxy_cache cache_one;
    #proxy_cache_valid 200 302 304 7d;
    #proxy_cache_valid any 1m;
    expires max;

    }