目录

Nginx使用手札

0.一个可以参考的Nginx配置

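upstream tomcat_search-ug.chuqufeng.cn {
  server 127.0.0.1:8001  weight=10 max_fails=2 fail_timeout=30s;
}
# The two formats below are byte-identical; "main_new" exists only so the
# server block can reference it. Keep one, or differentiate them, so they
# do not drift apart silently.
log_format main_new    '$remote_addr - [$time_local] "$request" [:$server_port] $status $bytes_sent "$http_referer" "$http_user_agent" "$request_time" "$upstream_response_time" "$upstream_addr" [$http_true_client_ip] [$http_x_forwarded_for][$http_x_api_request_id][$upstream_http_ccb_request_id]';

log_format main    '$remote_addr - [$time_local] "$request" [:$server_port] $status $bytes_sent "$http_referer" "$http_user_agent" "$request_time" "$upstream_response_time" "$upstream_addr" [$http_true_client_ip] [$http_x_forwarded_for][$http_x_api_request_id][$upstream_http_ccb_request_id]';


server {
  listen 80;
  # server_name              *.jd.com *.chuqufeng.cn *.jd.jd search-ug.chuqufeng.cn;
  access_log /export/Logs/servers/nginx/logs/search-ug.chuqufeng.cn/search-ug.chuqufeng.cn_access.log main_new;
  error_log /export/Logs/servers/nginx/logs/search-ug.chuqufeng.cn/search-ug.chuqufeng.cn_error.log warn;
  # NOTE(review): no "@my_error" named location is defined in this server
  # block, so a 411 would be routed to an undefined location. Define it or
  # drop this directive.
  error_page 411 = @my_error;
  root /export/App/search-ug.chuqufeng.cn/;

  # NOTE(review): SSI is also applied to proxied responses. Any upstream page
  # that echoes untrusted input would have SSI directives in it processed
  # here, so confirm SSI is actually needed for this proxied application.
  ssi on;
  ssi_silent_errors on;

      ## Server IP: return the last two components of the address that served
      ## the request in a "ser" response header, to identify the node when
      ## debugging a cluster. This discloses part of the internal addressing
      ## to every client; restrict it to internal callers if that matters.
  if ($server_addr ~* "((\w+)[\:\.](\w+))$") {
      set $server_addr_tail $1;
  }
  add_header ser $server_addr_tail;

  location / {
      proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
      proxy_set_header Host  $host;
      # Header name fixed: the original "X-Forwarupided-For" was a typo, so the
      # upstream never received an X-Forwarded-For chain at all.
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass http://tomcat_search-ug.chuqufeng.cn;
      expires 0;
  }
}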

1. nginx返回头包含机器IP后两段

在 nginx 的返回头中带上服务器相关信息,便于在分布式环境下定位问题

server{
    ...
    # Capture the last two dotted groups of the address that served the
    # request and return them in a "ser" header, so the responding node can
    # be identified from the client side. Note this discloses part of the
    # internal address to every client.
    if ($server_addr ~* "((\d+)\.(\d+))$") {
        set $server_addr_tail $1;
    }
    add_header ser $server_addr_tail;
}

效果如下: https://ooo.0o0.ooo/2016/06/01/574ea61871f6a.png

2.给nginx开启文件目录模式,用于文件下载

# Serve /download as a browsable directory listing. The URI is appended to
# "root", so files are read from /zen/data/download/.
location /download{
    root /zen/data/;
    # The listing is visible to anyone who can reach this location; combine it
    # with access control (see the auth_basic example below) for non-public files.
    autoindex on;
    # Human-readable sizes (kB/MB/GB) instead of exact byte counts.
    autoindex_exact_size off;
    # Show file times in the server's local time zone instead of GMT.
    autoindex_localtime on;
}

3.给nginx开启简单加密模式

1) 修改nginx配置文件

location /download/ {
    # Download directory is /home/myname/download (root + URI)
    root /home/myname;

    # Enable directory listing
    autoindex on; 

    # Default is on: show exact file sizes in bytes.
    # Off: show approximate sizes in kB, MB or GB.
    autoindex_exact_size off;

    # Default is off: file times are shown in GMT.
    # Note: when on, file times are shown in the server's local time.
    autoindex_localtime on;

    # The browser prompts for credentials on first access to the directory.
    # NOTE(review): HTTP Basic auth sends the credentials base64-encoded, i.e.
    # effectively in the clear; serve this location over TLS only.
    auth_basic "Restricted";

    # Password file: /etc/nginx/passwd/download (a relative path resolves
    # against the nginx prefix). Keep it outside any document root and
    # readable only by the nginx user.
    auth_basic_user_file passwd/download;

    # Set the charset to avoid garbled Chinese file names in the listing
    charset utf-8,gbk;
}

2)修改密码配置文件

输入用户名和密码(密码会在第三步被替换)

vi /etc/nginx/passwd/download

admin:admin

3) 设置 admin 的密码:

安装htpasswd工具

apt-get install apache2-utils
# Without -c, htpasswd updates the existing "admin" entry in place (replacing
# the plaintext "admin:admin" written in the previous step) instead of
# recreating the file. Restrict the file's permissions to the nginx user afterwards.
htpasswd /etc/nginx/passwd/download admin

4)重启nginx

service nginx restart

参考:http://wenzhixin.net.cn/2013/10/19/nginx_http_auth

4.查看nginx安装了哪些模块

nginx -V

5.nginx中获取自定义header

如果自定义 header 为 CUSTOM_HEAD,则在 nginx 中变量 http_custom_head 对应它的值。也就是:变量名为 http_ 加上小写形式的 header 名。

6.设置请求头

# NOTE(review): "X-Forward-For" is not the conventional header name; upstream
# applications normally read "X-Forwarded-For" (the spelling used in the other
# examples in this document). Confirm which name the backend expects.
proxy_set_header Host $http_host; proxy_set_header X-Forward-For $remote_addr;

7.nginx黑白名单

# Access rules are evaluated in order and the first match decides; nothing
# after it is consulted. The lines below list the available forms — "deny all"
# and "allow all" are alternative catch-alls for the end of the list, so as
# written the "allow all" after "deny all" can never be reached.
deny IP; 
deny subnet; 
allow IP; 
allow subnet; 
# block all ips 
deny    all; 
# allow all ips 
allow    all;

这样设置以后,该服务器上所有的网站都会按照这个设置来拒绝或允许访问。如果想只针对某个网站,可以在具体的网站的配置中加入:

# Only the 192.168.0.0/24 network may reach this location; every other client
# address receives a 403 from the access module.
location / { 
  allow   192.168.0.0/24; 
  deny    all; 
} 

这样就只允许 192.168.0.0/24 网段的 IP 访问,其他 IP 访问会返回 403 错误。

还可以自定义一个403错误的页面,可以在/usr/local/nginx/html下新建个error403.html文件,里面按照html的语法写个文档,写上一些说明文字。 然后编辑nginx.conf,加入:

# Serve a custom page for 403 responses. "root html" is relative to the nginx
# prefix, e.g. /usr/local/nginx/html/error403.html as described above.
error_page   403  /error403.html; 
location = /error403.html { 
         root   html; 
}

8.window版本nginx

启动:nginx.exe 或者 start nginx.exe

重载:nginx.exe -s reload

关闭:nginx -s stop 或taskkill /F /IM nginx.exe > nul

window下 nginx http concat模块的版本: http://pan.baidu.com/s/1hrAdm0c

参考:http://www.cnblogs.com/chuncn/archive/2011/10/14/2212291.html

9.cors

方式一:

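    location ^~ /api  {
        # Origin allow-list. The pattern is anchored and the dots escaped so
        # that only eagleon.id / eagleon.com and their subdomains match. The
        # previous unanchored substring match also accepted any origin that
        # merely contained ".eagleon.com" somewhere in it.
        set $cors "";
        if ($http_origin ~* "^https?://([a-z0-9-]+\.)*eagleon\.(id|com)$") {
            set $cors "true";
        }
        # nginx has no nested "if", so the allow-list result and the method
        # are joined into one variable to gate the preflight branch below.
        set $cors_preflight "${cors}${request_method}";

        proxy_set_header Cookie $http_cookie;
        proxy_pass http://tomcat.eagleon;

        if ($cors = "true") {
            # Reflecting the origin is acceptable only because it passed the
            # allow-list above; Allow-Credentials requires a specific origin.
            # NOTE(review): without "always", add_header applies to 2xx/3xx
            # responses only, so upstream error responses carry no CORS headers.
            add_header 'Access-Control-Allow-Origin' "$http_origin";
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type';
        }
        # Preflight is answered here only for allow-listed origins. Previously
        # every OPTIONS request got an approving 204 echoing any origin, which
        # let browsers go on to send the actual (e.g. PUT/DELETE) request from
        # foreign origins. Non-allow-listed OPTIONS now fall through to upstream.
        if ($cors_preflight = "trueOPTIONS") {
            add_header Access-Control-Allow-Origin $http_origin;
            add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
            add_header Access-Control-Allow-Credentials true;
            # Content-Type is already part of this list; the former second
            # Allow-Headers line was redundant.
            add_header Access-Control-Allow-Headers DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type;
            add_header Access-Control-Max-Age 1728000;
            return 204;
        }
    }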

方式二:

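# Cross-origin access: map the request Origin to the value echoed back in
# Access-Control-Allow-Origin.
map $http_origin $corsHost {
    # Empty default: add_header omits a header whose value is empty, so an
    # unlisted origin gets no Access-Control-Allow-Origin at all (the former
    # "default 0" sent a meaningless "0" value).
    default "";
    # Patterns are anchored and dots escaped so only these exact origins match.
    # The previous unanchored "~http://www.123admin.com" also matched any
    # longer origin that merely contained that text.
    "~^http://www\.123admin\.com$"  http://www.123admin.com;
    "~^https://www\.123admin\.com$" https://www.123admin.com;
    "~^http://m\.123admin\.com$"    http://m.123admin.com;
    "~^http://wap\.123admin\.com$"  http://wap.123admin.com;
}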

server {
    listen 80;
    server_name search.123admin.com;
    root /nginx;
    location / {
        # $corsHost is produced by the map on $http_origin above, so only a
        # mapped origin is echoed back — required when Allow-Credentials is
        # true, since "*" is not permitted with credentials.
        add_header Access-Control-Allow-Origin $corsHost;
        add_header Access-Control-Allow-Headers Content-Type;
        add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        add_header Access-Control-Allow-Credentials true;
        # NOTE(review): without "always", add_header applies to 2xx/3xx
        # responses only, so error responses carry no CORS headers.
        # other logic
    }
}

10.按地域禁止用户访问

以 OpenResty 为基础,从源码编译安装

安装依赖

# Build dependencies for compiling OpenResty and the modules below (apt-based systems)
apt-get install libpcre3-dev \
    libssl-dev perl make build-essential curl

编译

# 安装libmaxminddb
https://github.com/maxmind/libmaxminddb

# 安装ngx_http_geoip2_module
https://github.com/leev/ngx_http_geoip2_module

# Install OpenResty from source with the geoip2 module compiled in.
# NOTE(review): verify the downloaded tarball against the published checksum
# or signature before extracting it.
tar -xvf openresty-VERSION.tar.gz
cd openresty-VERSION/
# --add-module points at the ngx_http_geoip2_module checkout; adjust the path.
./configure -j2 --add-module=/root/soft/ngx_http_geoip2_module
make -j2
sudo make install

# better also add the following line to your ~/.bashrc or ~/.bash_profile file.
export PATH=/usr/local/openresty/bin:$PATH

配置Nginx

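http {
    ...
    # NOTE(review): the GeoIP2 lookup is made on the client address nginx
    # sees. Behind a CDN or load balancer that is the proxy's address, so
    # every request would resolve to the proxy's country; confirm the lookup
    # source for this deployment.
    geoip2 /opt/geo/maxmind-country.mmdb {
        auto_reload 5m;
        $geoip2_metadata_country_build metadata build_epoch;
        # default=US: addresses missing from the database are treated as US
        # and therefore rejected by the "!= CN" check in the server below.
        $geoip2_data_country_code default=US country iso_code;
        $geoip2_data_country_name country names en;
    }
    # Country code is appended to the access log so blocked requests can be audited.
    log_format main    '$remote_addr - [$time_local] "$request" [:$server_port] $status $bytes_sent "$http_referer" "$http_user_agent" "$request_time" "$upstream_response_time" "$upstream_addr" [$http_true_client_ip] [$http_x_forwarded_for][$http_x_api_request_id][$upstream_http_ccb_request_id][$geoip2_data_country_code]';

    server {
      server_name tdlz-cd-test.ccb.today;
      access_log /usr/local/nginx/logs/tdlz.access.log main;

      listen 80;
      # Reject every request not geolocated to CN. A server-level "if" with a
      # bare "return" is one of the safe uses of "if".
      if ($geoip2_data_country_code != "CN") {
        return 403;
      }

      location /tdlz {
        ...
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      }
    }  # closes server — this brace was missing in the original listing
}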