Nginx
Introduction
One of NGINX’s strongest features is the ability to efficiently serve static content such as HTML and media files.
NGINX hands off dynamic content to CGI, FastCGI, or other web servers such as Apache. This content is then passed back to NGINX for delivery to the client.
Install
从 Nginx 仓库 nginx.org 来安装预编译好的二进制:The stable version of NGINX Open Source was installed from the nginx.org repository.
start & stop
测试配置是否有问题:
sudo nginx -t
To start nginx, run the executable file. Once nginx is started, it can be controlled by invoking the executable with the -s
parameter. Use the following syntax:
nginx -s signal
Where signal may be one of the following:
stop
— fast shutdownquit
— graceful shutdownreload
— reloading the configuration filereopen
— reopening the log files
A signal may also be sent to nginx processes with the help of Unix tools such as the kill
utility. In this case a signal is sent directly to a process with a given process ID. The process ID of the nginx master process is written, by default, to the nginx.pid
in the directory /usr/local/nginx/logs
or /var/run
. For example, if the master process ID is 1628, to send the QUIT signal resulting in nginx’s graceful shutdown, execute:
kill -s QUIT 1628
For getting the list of all running nginx processes, the ps
utility may be used, for example, in the following way:
ps -ax | grep nginx
Centos 7 可以通过 Systemd 来控制 Nginx
sudo systemctl start nginx
开启开机启动 Nginx
sudo systemctl enable nginx
此时可以通过浏览器访问 Nginx 默认提供的首页,如果无法访问,则可能是由于服务器上的防火墙限制,解除防火墙限制,允许 HTTP 和 HTTPS 流量:
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
查看 Niginx 的状态:
sudo systemctl status nginx
Configuration
basic
All NGINX configuration files are located in the /etc/nginx/
directory. The primary configuration file is /etc/nginx/nginx.conf
.
Configuration options in NGINX are called directives. Directives are organized into groups known as blocks or contexts.
Lines containing directives must end with a ;
or NGINX will fail to load the configuration and report an error.
Lines preceded by a #
character are comments and not interpreted by NGINX.
/etc/nginx/nginx.conf
默认配置内容:
The file starts with 5 directives: user
, worker_processes
, error_log
, and pid
. These are outside any specific block or context, so they’re said to exist in the main
context. The events
and http
blocks are areas for additional directives, and they also exist in the main
context.
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
. . .
}
http {
. . .
}
http block
The http
block contains directives for handling web traffic. These directives are often referred to as universal because they are passed on to to all website configurations NGINX serves.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
server block
The http
block above contains an include
directive which tells NGINX where website configuration files are located.
If you installed from the official NGINX repository, this line will say include /etc/nginx/conf.d/*.conf;
as it does in the http
block above. Each website you host with NGINX should have its own configuration file in /etc/nginx/conf.d/
, with the name formatted as example.com.conf
. Sites which are disabled (not being served by NGINX) should be named example.com.conf.disabled
.
server configuration files will contain a server
block (or blocks) for a website.
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
root /var/www/example.com;
index index.html;
try_files $uri /index.html;
}
The listen
directive tells NGINX the hostname/IP and the TCP port where it should listen for HTTP connections. The argument default_server
means this virtual host will answer requests on port 80 that don’t specifically match another virtual host’s listen statement.
The server_name
directive allows multiple domains to be served from a single IP address. The server decides which domain to serve based on the request header it receives. The server_name
directive can also use wildcards. *.example.com
and .example.com
both instruct the server to process requests for all subdomains of example.com
. Process requests for all domain names beginning with ‘example.’ using example.
.
NGINX allows you to specify server names that are not valid domain names. NGINX uses the name from the HTTP header to answer requests, regardless of whether the domain name is valid or not.
location block
The location
setting lets you configure how NGINX will respond to requests for resources within the server. Just like the server_name
directive tells NGINX how to process requests for the domain, location
directives cover requests for specific files and folders
specify request path match:
-
literal string matches
location / { } location /images/ { } location /blog/ { } location /planet/ { } location /planet/blog/ { }
-
regular expression match (case-sensitive)
location ~ IndexPage\.php$ { } location ~ ^/BlogPlanet(/|/index\.php)$ { }
-
regular expression match (case-insensitive)
location ~* \.(pl|cgi|perl|prl)$ { } location ~* \.(md|mdwn|txt|mkdn)$ { }
-
stop searching for more specific matches
location ^~ /images/IndexPage/ { } location ^~ /blog/BlogPlanet/ { }
-
exact match
location = / { }
specify how to response the request:
Once NGINX has determined which location
directive best matches a given request, the response to this request is determined by the contents of the associated location
directive block.
location / {
root html;
index index.html index.htm;
}
In this example, the document root is located in the html/
directory. Under the default installation prefix for NGINX, the full path to this location is /etc/nginx/html/
.
Request: http://example.com/blog/includes/style.css
Returns: NGINX will attempt to serve the file located at /etc/nginx/html/blog/includes/style.css
The index
variable tells NGINX which file to serve if none is specified. If no index
files are found, the server will return a 404 error.
来看一个同时配置文档根目录和 FastCGI 的 location 配置
location / {
root /srv/www/example.com/public_html;
index index.html index.htm;
}
location ~ \.pl$ {
gzip off;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_index index.pl;
fastcgi_param SCRIPT_FILENAME /srv/www/www.example.com/public_html$fastcgi_script_name;
}
除了以 .pl
结尾的资源请求外,其它请求都有文件系统来提供响应。.pl
由 FastCGI 来响应。注意:fastcgi_param
还指定了用来处理响应的脚本位置。
all requests for resources that end in a .pl
extension are handled by the second location block, which specifies a fastcgi
handler for these requests. Otherwise, NGINX uses the first location directive.
part1: baisc
Nginx 和 Apache 的配置的一些区别:
-
多站点配置文件位置不同
multiple site configuration files should be stored in
/etc/nginx/conf.d/
asexample.com.conf
, orexample.com.disabled
. Do not addserver
blocks directly to/etc/nginx/nginx.conf
either, even if your configuration is relatively simple. This file is for configuring the server process, not individual websites. -
运行服务的用户不同
The NGINX process also runs as the username
ngnix
in thenginx
group, so keep that in mind when adjusting permissions for website directories. For more information, see Creating NGNIX Plus Configuration Files . -
Apache 配置中的术语 Virtual Host 在 Nginx 中叫做 Server Block
as the NGINX docs point out, the term Virtual Host is an Apache term, even though it’s used in the
nginx.conf
file supplied from the Debian and Ubuntu repositories, and some of NGINX’s old documentation. A Server Block is the NGINX equivalent
根据使用服务器的目的不同应该采取不同的配置,因此没有唯一标准正确的配置,这里只提供关于配置的最佳实践原则They’re not essential to the function of your site or server, but they can have unintended and undesirable consequences if disregarded.:
首先在配置之前应该备份默认的配置文件 nginx.conf
,这样在配置出问题时可以回退
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup-original
配置完成后重新载入配置文件,使得配置生效
nginx -s reload
设置 Worker 进程数量:
Add or edit the following line in /etc/nginx/nginx.conf
, in the area just before the http
block. This is called the main
block, or context, though it’s not marked in nginx.conf
like the http
block is. The first choice would be to set it to auto
, or the amount of CPU cores available to your Linode.
worker_processes auto;
使 Nginx 不返回版本号
NGINX’s version number is visible by default with any connection made to the server, whether by a successful 201 connection by cURL, or a 404 returned to a browser. Disabling server tokens makes it more difficult to determine NGINX’s version, and therefore more difficult for an attacker to execute version-specific attacks
Add the following line to the http
block of /etc/nginx/nginx.conf
:
server_tokens off;
网站的文档根目录
The directory NGINX serves sites from differs depending on how you installed it. At the time of this writing, NGINX supplied from NGINX Inc.’s repository uses /usr/share/nginx/
.
The NGINX docs warn that relying on the default location can result in the loss of site data when upgrading NGINX. You should use /var/www/
, /srv/
, or some other location that won’t be touched by package or system updates.
假设要为网站 example.com
指定目录 /var/www/example.com/
作为托管的根目录,首先需要创建该目录。
然后,相应的需要在该站点的配置文件 /etc/nginx/conf.d/example.com.conf
中指定该路径,在其中的 server
块中添加如下内容:
root /var/www/example.com;
开启对 IPv6 以及 SSL/TLS 的服务
Default NGINX configurations listen on port 80
and on all IPv4 addresses. Unless you intend your site to be inaccessible over IPv6 (or are unable to provide it for some reason), you should tell NGINX to also listen for incoming IPv6 traffic.
Add a second listen
directive for IPv6 to the server
block of /etc/nginx/conf.d/example.com.conf
:
listen [::]:80;
If your site uses SSL/TLS, you would add:
listen [::]:443 ssl;
灵活配置内容压缩:
对所有内容开启压缩,容易受到攻击。
You do not want to universally enable gzip compression because, depending on your site’s content and whether you set session cookies, you risk vulnerability to the CRIME and BREACH exploits.
Compression has been disabled by default in NGINX for years now, so it’s not vulnerable to CRIME out of the box.
对所有内容关闭压缩,网站加载速度会降低。
On the other hand, if you leave gzip compression totally disabled, you rule out those vulnerabilities and use fewer CPU cycles, but at the expense of decreasing your site’s performance.
因此我们仅压缩静态内容。
For now, and unless you know what you’re doing, the best solution is to compress only static site content such as images, HTML, and CSS.
压缩配置建议放在针对各个站点的 server
块,而不是针对所有站点的 http
块
Below is an example of how to do that, and you can view all available mime types with cat /etc/nginx/mime.types
. Though gzip
directives can go in the http
block if you want it to apply to all sites served by NGINX, it’s safer to use it only inside server
blocks for individual sites and content types.
gzip on;
gzip_types text/html text/plain text/css image/*;
基本配置的结果
将关于站点的配置都放在站点配置文件,全局配置文件中不要出现 server
块
站点配置 /etc/nginx/conf.d/example.com.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name example.com www.example.com;
root /var/www/example.com;
index index.html;
gzip on;
gzip_comp_level 3;
gzip_types text/plain text/css application/javascript image/*;
}
全局配置 /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
server_tokens off;
}
part2: improve performance
Nginx 性能调优。虽然网上不乏各种 Nginx 性能调优的教程,但要明白,大多调优都是针对特定环境的,不一定可以放之四海而皆准,所以不要盲目跟随,这样反而有可能会降低系统性能和安全性。更多性能调优:https://www.nginx.com/blog/tuning-nginx/
托管多个网站
配置文件
In NGINX speak, a Server Block basically equates to a website (same as Virtual Host in Apache terminology). NGINX can host multiple websites, and each site’s configuration should be in its own file, with the name formatted as example.com.conf
. That file should be located at /etc/nginx/conf.d/
.
关闭托管
If you then want to disable the site example.com, then rename example.com.conf
to example.com.conf.disabled
.
日志文件
When hosting multiple sites, be sure to separate their access and error logs with specific directives inside each site’s server block
缓存内容
NGINX can cache files served by web applications and frameworks such as WordPress, Drupal and Ruby on Rails.
-
Create a folder to store cached content:
mkdir /var/www/example.com/cache/
-
Add the
proxy_cache_path
directive to NGINX’shttp
block. Make sure the file path references the folder you just created in Step 1.-
/etc/nginx/nginx.conf
1``proxy_cache_path /var/www/example.com/cache/ keys_zone=one:10m max_size=500m inactive=24h use_temp_path=off;
-
keys_zone=one:10m
sets a 10 megabyte shared storage zone (simply calledone
, but you can change this for your needs) for cache keys and metadata. -
max_size=500m
sets the actual cache size at 500 MB. -
inactive=24h
removes anything from the cache which has not been accessed in the last 24 hours. -
use_temp_path=off
writes cached files directly to the cache path. This setting is recommended by NGNIX.
-
-
Add the following to your site configuration’s
server
block. If you changed the name of the storage zone in the previous step, change the directive below fromone
to the zone name you chose.Replace ip-address and port with the URL and port of the upstream service whose files you wish to cache. For example, you would fill in
127.0.0.1:9000
if using WordPress or127.0.0.1:2638
with Ghost./etc/nginx/conf.d/example.com
proxy_cache one; location / { proxy_pass http://ip-address:port; }
-
If you need to clear the cache, the easiest way is with the command:
find /var/www/example.com/cache/ -type f -delete
If you want more than just a basic cache clear, you can use the proxy_cache_purge directive.
修改响应头
Use add_header directives in your configuration carefully. Unlike other directives, an add_header
directive is not inherited from parent configuration blocks. If you have the directive in both, an add_header
directive in a server
block will override any in your http
area.
Below are some of the more universally-applicable header modifications. There are many more available, and you should read through the OWASP Secure Headers Project for more information.
Disable Content Sniffing:Content sniffing allows browsers to inspect a byte stream in order to determine the file format of its contents. It is generally used to help sites that do not correctly identify the MIME type of their content, but it also presents a vector for cross-site scripting and other attacks. To disable content sniffing, add the following line to your configuration’s http
block:
add_header X-Content-Type-Options nosniff;
Limit or Disable Content Embeddin
Content embedding is when a website renders a 3rd party element (div, img, etc.), or even an entire page from a completely different website, in a <frame>
, <iframe>
, or <object>
HTML block on its own site.
The X-Frame-Options
HTTP header stops content embedding so your site can’t be presented from an embedded frame hosted on someone else’s website, one undesirable outcome being a clickjacking attack. See X-Frame-Options, Mozilla Developer Network for more information.
To disallow the embedding of your content from any domain other than your own, add the following line to your configuration:
add_header X-Frame-Options SAMEORIGIN;
To disallow embedding entirely, even from within your own site’s domain:
add_header X-Frame-Options DENY;
Cross-Site Scripting (XSS) FilterPermalink This header signals to a connecting browser to enable its cross-site scripting filter for the request responses. XSS filtering is usually enabled by default in modern browsers, but there are occasions where it’s disabled by the user. Forcing XSS filtering for your website is a security precaution, especially when your site offers dynamic content like login sessions:
add_header X-XSS-Protection "1; mode=block";
part3: server website via https
https://linode.com/docs/web-servers/nginx/enable-tls-on-nginx-for-https-connections/
Performance & Security
Serve Python Project
Server PHP Project
托管静态内容
https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content/