Nginx 基础配置详解
一、Nginx 简介
Nginx 是一个高性能的HTTP和反向代理服务器,特点:
- 轻量级:内存占用低
- 高性能:支持高并发连接
- 模块化:丰富的模块扩展能力
- 反向代理:支持负载均衡、缓存等功能
二、安装与启动
1. 安装方式
CentOS/RHEL
# 安装依赖
yum install -y gcc pcre-devel zlib-devel openssl-devel
# 编译安装(以1.23.3为例)
wget http://nginx.org/download/nginx-1.23.3.tar.gz
tar -zxvf nginx-1.23.3.tar.gz
cd nginx-1.23.3
# 配置编译参数
./configure \
--prefix=/usr/local/nginx \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-stream
# 编译安装
make && make install
Ubuntu/Debian
# 直接安装
apt-get install nginx
Docker安装
# 拉取镜像
docker pull nginx:stable
# 启动容器
docker run -d \
-p 80:80 -p 443:443 \
-v /path/nginx.conf:/etc/nginx/nginx.conf \
-v /path/html:/usr/share/nginx/html \
--name nginx nginx:stable
2. 常用命令
# 启动Nginx
nginx
# 平滑重启
nginx -s reload
# 重新加载配置
nginx -s reopen
# 停止Nginx
nginx -s stop
# 检查配置文件语法
nginx -t
# 查看版本
nginx -v
三、配置文件结构
1. 配置文件位置
- 默认路径:
/etc/nginx/nginx.conf - 编译安装路径:
/usr/local/nginx/conf/nginx.conf
2. 基础配置结构
# 全局块
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
# events块
events {
worker_connections 1024;
use epoll; # Linux下推荐使用epoll
}
# http块
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
# gzip压缩配置
gzip on;
gzip_min_length 1k;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# 虚拟主机配置
server {
listen 80;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
}
四、核心模块配置
1. 全局块配置
| 配置项 | 说明 |
|---|---|
user | 运行Nginx的用户 |
worker_processes | 工作进程数,建议设为CPU核心数 |
error_log | 错误日志路径及级别 |
pid | 进程ID文件路径 |
2. events块配置
| 配置项 | 说明 |
|---|---|
worker_connections | 每个工作进程最大连接数 |
use | 事件驱动模型,Linux推荐epoll,Windows使用select |
multi_accept | 允许工作进程一次接受多个新连接 |
3. http块配置
常用配置项
http {
# 设定mime类型,类型由mime.types文件定义
include mime.types;
default_type application/octet-stream;
# 日志格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# 开启高效文件传输模式
sendfile on;
# 减少网络IO
tcp_nopush on;
# 长连接超时时间
keepalive_timeout 65;
# 客户端请求头缓冲区大小
client_header_buffer_size 128k;
large_client_header_buffers 4 128k;
}
五、虚拟主机配置(server块)
1. 基本虚拟主机
server {
# 监听端口
listen 80;
# 域名绑定
server_name example.com www.example.com;
# 访问日志
access_log /var/log/nginx/example.access.log main;
# 根目录与默认索引页
location / {
root /var/www/example;
index index.html index.htm;
}
# 错误页面配置
error_page 404 /404.html;
location = /404.html {
root /var/www/error;
}
}
2. 基于端口的虚拟主机
# 80端口虚拟主机
server {
listen 80;
server_name site1.com;
root /var/www/site1;
}
# 8080端口虚拟主机
server {
listen 8080;
server_name site2.com;
root /var/www/site2;
}
3. 基于HTTPS的虚拟主机
server {
listen 443 ssl;
server_name example.com;
# SSL证书配置
ssl_certificate /etc/nginx/certs/example.crt;
ssl_certificate_key /etc/nginx/certs/example.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /var/www/example;
index index.html index.htm;
}
}
六、location匹配规则
1. 匹配优先级
- 精准匹配
location = /path/ - 以
^~开头的普通匹配location ^~ /path/ - 正则匹配(以
~或~*开头) - 普通匹配
location /path/ - 通用匹配
location /
2. 常见location配置
server {
listen 80;
server_name example.com;
# 精准匹配
location = /favicon.ico {
root /var/www/static;
}
# 以指定字符串开头
location ^~ /api/ {
proxy_pass http://backend;
}
# 正则匹配(不区分大小写)
location ~* \.(js|css|png|jpg|jpeg|gif)$ {
root /var/www/assets;
expires 7d; # 缓存7天
}
# 普通匹配
location / {
root /var/www/html;
index index.html;
}
}
七、反向代理与负载均衡
1. 反向代理配置
http {
# 定义上游服务器
upstream backend {
server 192.168.1.101:8080;
server 192.168.1.102:8080;
}
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://backend;
# 传递客户端真实IP
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# 超时设置
proxy_connect_timeout 60s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
}
}
}
2. 负载均衡策略
upstream backend {
# 轮询(默认策略)
server 192.168.1.101:8080;
server 192.168.1.102:8080;
# 权重轮询(weight越大,分配的请求越多)
server 192.168.1.103:8080 weight=2;
# IP哈希(相同IP的请求会转发到同一台服务器)
ip_hash;
# 最少连接数(转发到连接数最少的服务器)
least_conn;
# 服务器状态
# down: 标记服务器不可用
# weight: 权重
# max_fails: 失败次数
# fail_timeout: 失败超时时间
server 192.168.1.104:8080 down;
}
八、HTTPS与HTTP/2配置
1. 基础HTTPS配置
server {
listen 443 ssl http2;
server_name example.com;
# SSL证书路径
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# SSL会话缓存
ssl_session_timeout 1d;
ssl_session_tickets off;
# 加密套件配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
# HSTS配置(强制使用HTTPS)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
}
2. HTTP/2配置
server {
listen 443 ssl http2;
server_name example.com;
# 启用HTTP/2
http2 on;
# 其他HTTPS配置...
}
九、性能优化配置
1. 连接优化
worker_processes 4; # 设置为CPU核心数
worker_connections 10240;
events {
use epoll;
multi_accept on;
worker_connections 10240;
}
http {
keepalive_timeout 65;
tcp_nodelay on;
# 开启TCP快速打开
tcp_fastopen 3000;
}
2. 缓存优化
http {
# 开启浏览器缓存
location ~* \.(js|css|png|jpg|jpeg|gif|ico|webp)$ {
expires 7d;
add_header Cache-Control "public";
}
# 开启Nginx本地缓存
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m;
proxy_cache my_cache;
proxy_cache_valid 200 302 12h;
proxy_cache_valid 404 1m;
}
3. Gzip压缩
http {
gzip on;
gzip_min_length 1k;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_vary on;
gzip_proxied any;
}
十、常见问题与解决方案
1. 跨域问题
location / {
# 允许所有域名跨域
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
# 处理OPTIONS预检请求
if ($request_method = 'OPTIONS') {
return 204;
}
proxy_pass http://backend;
}
2. 静态资源403错误
# 检查文件权限
location / {
root /var/www/html;
index index.html;
# 确保Nginx用户有文件读取权限
# chown -R nginx:nginx /var/www/html
}
3. 解决Nginx转发后URL带端口号
proxy_set_header Host $host;
十一、Nginx配置最佳实践
分离配置文件
将不同站点配置放在/etc/nginx/conf.d/目录下,便于管理:# nginx.conf http { include conf.d/*.conf; }日志切割
使用logrotate工具定期切割日志:# /etc/logrotate.d/nginx /var/log/nginx/*.log { daily rotate 7 missingok notifempty compress delaycompress create 640 nginx adm }安全配置
- 隐藏Nginx版本号:
server_tokens off; - 限制HTTP方法:
limit_except GET POST { deny all; } - 防止SQL注入:
if ($request_uri ~* "select|insert|update|delete|union|into|load_file|outfile") { return 403; }
- 隐藏Nginx版本号:
十二、Nginx与其他服务配合
1. Nginx + Node.js
upstream node_app {
server 127.0.0.1:3000;
}
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://node_app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
2. Nginx + PHP-FPM
server {
listen 80;
server_name example.com;
root /var/www/php;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}