服务及服务器说明:8核的服务器,承载的站点有两个
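# Process-level settings for an 8-core host.
# NOTE(review): with `user` commented out, workers run as the build-time default
# account when the master starts as root, otherwise as the invoking user. Confirm
# that account can write the pid/log paths and has read-only access to the web roots.
#user webapp;
worker_processes 8;
# Pin each of the 8 workers to its own CPU core.
worker_cpu_affinity 10000000 01000000 00100000 00010000 00001000 00000100 00000010 00000001;
# Raised from 10240: the per-worker descriptor limit was lower than
# worker_connections (15000), so a worker would run out of file descriptors before
# reaching its connection limit. Proxied requests use two descriptors each and
# open_file_cache holds descriptors as well. Must stay within the OS hard limit.
worker_rlimit_nofile 65535;
pid tmp/nginx.pid;

# Event loop configuration
events {
    use epoll;
    worker_connections 15000;
    # Let a worker accept all pending connections at once instead of one per wake-up.
    multi_accept on;
}

# Global error log
error_log logs/error.log;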
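# HTTP layer: shared tuning, two upstream pools and two virtual hosts
# (a static-asset site and an H5 site that proxies API calls to the backends).
#
# Fixes applied in this block:
#   * added the missing ';' after three add_header directives (the file did not parse);
#   * replaced the `if` at http level (not a valid context) with `map` blocks;
#   * anchored the request-method filters so only the exact methods pass;
#   * moved `log_not_found` out of an `if` block, where it is not permitted;
#   * removed the URI part from proxy_pass inside a regex location (rejected by nginx);
#   * escaped the '.' in extension patterns and corrected the "properies" typo.
http {
    include mime.types;
    default_type application/octet-stream;
    charset utf-8;

    # Global access-log format.
    # The referer, user-agent and X-Forwarded-For fields are client-supplied;
    # log consumers should treat them as untrusted text.
    log_format accesslog '$remote_addr - $remote_user [$time_local] "$request" '
                         '$status $request_time $body_bytes_sent $upstream_status '
                         '$upstream_addr $upstream_response_time "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for" '
                         '"$http_CFBundleShortVersionString"';

    # Transfer settings.
    # NOTE: sendfile is off here, and tcp_nopush only takes effect when sendfile is on.
    sendfile off;
    tcp_nopush on;
    tcp_nodelay on;
    client_header_buffer_size 32k;

    # How long an idle keep-alive connection stays open after the last response.
    # Suggested value: the average time a user stays on the site.
    keepalive_timeout 65;

    # Do not disclose the nginx version in the Server header or error pages.
    server_tokens off;

    open_file_cache max=65535 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;

    # gzip compression.
    # NOTE: the image types listed below are already compressed and gain little from gzip.
    gzip on;
    gzip_min_length 1000;
    gzip_buffers 4 16k;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css text/javascript image/jpeg image/gif image/png;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";

    # Request-body and proxy settings.
    client_max_body_size 20m;
    # In-memory buffer for the client request body.
    client_body_buffer_size 500k;
    # Never spill proxied responses to temporary files.
    proxy_max_temp_file_size 0;
    # Timeout for establishing a connection to a backend.
    proxy_connect_timeout 60;
    # Timeout between two successive writes while sending the request to a backend.
    proxy_send_timeout 60;
    # Timeout between two successive reads while receiving the backend response.
    proxy_read_timeout 60;
    # Buffer for the first part of the backend response (the response headers).
    proxy_buffer_size 128k;
    # Number and size of buffers for the rest of the response.
    proxy_buffers 8 128k;
    # Buffers that may be busy sending to the client; sized as proxy_buffers * 2.
    proxy_busy_buffers_size 256k;
    # Chunk size for temp-file writes; unused while proxy_max_temp_file_size is 0.
    proxy_temp_file_write_size 1024k;

    # Intercept FastCGI 4xx/5xx responses for error_page handling.
    # NOTE(review): no fastcgi_pass appears in this file; proxied responses are
    # governed by proxy_intercept_errors instead - confirm which one is intended.
    fastcgi_intercept_errors on;

    # Accept request headers whose names contain underscores.
    # CAUTION: a backend that maps header names to CGI-style variables cannot tell
    # "X_Real_IP" from "X-Real-IP", so a client-sent underscore header may shadow a
    # header set by this proxy. Keep this on only if a client really needs it.
    underscores_in_headers on;

    # Load balancing for the native-client backend.
    # The check* directives need the third-party upstream health-check module
    # (bundled with Tengine); stock nginx rejects them.
    upstream Client {
        server 135.191.168.68:9182;
        server 135.191.168.69:9182;
        check interval=3000 rise=2 fall=5 timeout=1000 type=http;
        check_http_send "GET /Client HTTP/1.0\r\n\r\n";
        check_http_expect_alive http_2xx http_3xx;
    }

    # Load balancing for the H5 backend.
    upstream ClientH5 {
        server 135.191.168.68:9183;
        server 135.191.168.69:9183;
        check interval=3000 rise=2 fall=5 timeout=1000 type=http;
        check_http_send "GET /ClientH5 HTTP/1.0\r\n\r\n";
        check_http_expect_alive http_2xx http_3xx;
    }

    # Date parts used in the per-day access-log file names.
    # `if` is only valid inside server/location, so the original http-level `if`
    # is expressed with `map`. This also yields a value for requests that never
    # reach the rewrite phase (for example malformed requests).
    map $time_iso8601 $year {
        default "0000";
        "~^(?<cap_year>\d{4})-" $cap_year;
    }
    map $time_iso8601 $month {
        default "00";
        "~^\d{4}-(?<cap_month>\d{2})-" $cap_month;
    }
    map $time_iso8601 $day {
        default "00";
        "~^\d{4}-\d{2}-(?<cap_day>\d{2})" $cap_day;
    }

    # Static-asset site.
    server {
        listen 80;
        server_name st.aaabbb.com 127.0.0.1;

        # Security response headers: no MIME sniffing, no framing, XSS filter, CSP.
        # NOTE: without the `always` parameter nginx adds these only to 2xx/3xx
        # responses, so the 403/404 pages produced below do not carry them.
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options "DENY";
        add_header X-XSS-Protection "1;mode=block";
        add_header Content-Security-Policy "default-src 'self' https://mp.weixin.qq.com";

        # Per-day access log. The worker account must be able to create files in
        # this directory because the path contains variables.
        access_log /webapp01/nginxlog/st_access-$year$month$day.log accesslog;

        # Document root.
        root /webapp01/www/static/;

        # Reject every method except GET. The pattern is anchored and case-sensitive;
        # the original unanchored "GET" accepted any method name containing that string.
        if ($request_method !~ "^GET$") {
            return 403;
        }

        # Local store of proxied files; can stay disabled when root is on a local disk.
        # proxy_store on;
        # proxy_store_access user:rw group:rw all:rw;
        # proxy_temp_path /data/nginx/sttmp/;

        # Bandwidth cap so a single resource cannot saturate the link.
        # Regex locations below take precedence, so this applies only to requests
        # that match none of them.
        location / {
            limit_rate_after 100k;
            limit_rate 100k;
        }

        # Pages and scripts: always revalidate.
        location ~ \.(html|htm|js)$ {
            etag off;
            expires -1s;
        }

        # Long-lived assets: no access log, no "not found" log entries, 100-day expiry.
        # log_not_found is not allowed inside `if`, hence a dedicated location.
        location ~ \.(css|gif|jpg|jpeg|png|bmp)$ {
            etag off;
            log_not_found off;
            access_log off;
            expires 100d;
        }

        # Remaining extensions of the original pattern: ETag disabled, no expiry set.
        location ~ \.(ico|swf|woff)$ {
            etag off;
        }

        # Never serve common server-side script or source files.
        location ~* \.(php|php5|jsp|asp|aspx|py|java|jar|class|groovy|scala|sh)$ {
            deny all;
        }

        # Never serve backup or archive files. Case-insensitive so that ".ZIP" or
        # ".Bak" are covered as well.
        location ~* \.(bak|rar|zip)$ {
            return 403;
        }

        # Status page, reachable from localhost only.
        #   curl http://127.0.0.1/ngx_status
        # (`curl -I` sends HEAD, which the method filter above answers with 403.)
        location /ngx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
    }

    # st.aaaccc.com: H5 site, static files plus proxied API calls.
    # NOTE(review): 127.0.0.1 is also a server_name of the server above on the same
    # listen port; nginx keeps the first definition and ignores this one, so
    # requests with Host 127.0.0.1 never reach this block.
    server {
        listen 80;
        server_name st.aaaccc.com 127.0.0.1;

        # Security response headers (see the `always` caveat on the first server).
        add_header X-Frame-Options "DENY";
        add_header X-Content-Type-Options "nosniff";
        add_header X-XSS-Protection "1;mode=block";
        add_header Content-Security-Policy "default-src 'self' https://mp.weixin.qq.com";

        access_log /webapp01/nginxlog/h5_access-$year$month$day.log accesslog;

        # Allow GET and POST only. Anchored and grouped: the original "GET|POST"
        # matched any method name that merely contained one of the two strings,
        # and such requests would have been forwarded to the backends.
        if ($request_method !~ "^(GET|POST)$") {
            return 403;
        }

        proxy_store off;
        # Applies to errors generated by nginx itself; backend 5xx bodies pass
        # through unchanged unless proxy_intercept_errors is enabled.
        error_page 500 502 503 504 /50x.html;

        # Document root (the project's static files are deployed on the nginx host).
        root /webapp01/www/;

        # Default location with a bandwidth cap.
        location / {
            limit_rate_after 100k;
            limit_rate 100k;
        }

        # Static assets (html excluded): no access log, 30-day expiry.
        location ~* \.(js|css|gif|jpg|png|jpeg)$ {
            log_not_found off;
            access_log off;
            expires 30d;
        }

        # Never serve script, source or configuration files (the site is JSON-only).
        # "properies" in the original was presumably a typo for "properties".
        location ~* \.(php|php5|jsp|asp|aspx|py|java|jar|class|scala|sh|properties|xml)$ {
            deny all;
        }

        # Forward API calls to the native-client backend pool.
        location ~ ^/qhmccClientH5/.*\.(action|do|json)$ {
            # nginx rejects a proxy_pass with a URI part inside a regex location,
            # so the path is rewritten explicitly and proxy_pass carries no URI.
            # NOTE(review): assumes /qhmccClientH5/... maps to /mccClientWap/... - confirm.
            rewrite ^/qhmccClientH5(/.*)$ /mccClientWap$1 break;
            proxy_pass http://Client;
            # Leave Location/Refresh response headers untouched.
            proxy_redirect off;
            # Pass the original host and the client address to the backend.
            # X-Forwarded-For keeps whatever the client sent and appends the peer
            # address, so backends should trust only X-Real-IP or the last entry.
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # NOTE(review): User-Agent is forwarded by default; this adds a second
            # header literally named "http_user_agent" - confirm the backend reads it.
            proxy_set_header http_user_agent $http_user_agent;
            # Conditions under which the request is retried on the next server.
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        }

        # Forward /ClientH5 to the H5 backend pool. Requests matching one of the
        # regex locations above are handled there, not here.
        location /ClientH5 {
            proxy_pass http://ClientH5/mccClientH5;
            proxy_redirect off;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        }

        # Status page, reachable from localhost only.
        location /ngx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
    }
}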