YUM方式安装
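# Install nginx from the distro package repository
yum -y install nginx
# Start the service
systemctl start nginx
# Reference paths for the package-installed nginx. These are NOT commands (the original
# listed them as bare lines, which would try to execute the files if pasted into a shell):
#   /etc/nginx/nginx.conf               default configuration file
#   /usr/share/nginx/html               default document root
#   /usr/share/nginx/html/index.html    default index page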
源码编译安装
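# Build dependencies: pcre (regex locations), zlib (gzip), openssl (ssl module), wget
yum -y install pcre pcre-devel zlib zlib-devel openssl openssl-devel wget
# Unprivileged service account for the worker processes: no login shell, no home directory
useradd nginx -s /sbin/nologin -M
# Download the source tarball
wget https://nginx.org/download/nginx-1.20.1.tar.gz
# NOTE(review): the tarball is used without any integrity check. nginx publishes a detached
# PGP signature for each release (nginx-1.20.1.tar.gz.asc); import the nginx signing key and
# run `gpg --verify` on it before building.
tar -zxvf nginx-1.20.1.tar.gz
# Enter the source tree; stop here if the unpack failed rather than running configure elsewhere
cd nginx-1.20.1 || exit 1
# Configure. --user/--group set the default worker account (the config below also sets
# `user nginx;`); --pid/--lock/--log paths are moved out of the install prefix.
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module \
--with-http_gunzip_module \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-file-aio \
--with-http_realip_module \
--with-stream
# Build and install
make && make install
# Put the binary on PATH
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/nginx
# Show the compiled-in parameters (you will need the full list again when adding modules)
/usr/local/nginx/sbin/nginx -V
# Validate the configuration before starting
/usr/local/nginx/sbin/nginx -t
# Start nginx
/usr/local/nginx/sbin/nginx
# Stop nginx
/usr/local/nginx/sbin/nginx -s stop
# Check that something is listening on port 80
lsof -i:80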
升级增加模块
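# Show the current compile-time parameters
/usr/local/nginx/sbin/nginx -V
# Re-run configure with ALL of the parameters printed above plus the module to add (here
# --with-stream). Any parameter omitted here is silently dropped from the new binary.
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-stream
# Build only -- do NOT run `make install`, it would overwrite the running binary in place.
# The new binary is left at objs/nginx; back up the installed binary before swapping it in
# (nginx's Makefile also provides an `upgrade` target that performs the binary hot-swap).
make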
配置文件
# Account the worker processes run as (the service user created during installation)
user nginx;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
# Raw TCP passthrough to the Kafka broker. Anything that can reach this host on 9092 reaches
# the broker: there is no client restriction in this block.
# NOTE(review): consider allow/deny rules (stream access module) or a host firewall so that only
# the intended producers/consumers can connect.
stream {
server {
listen 9092;
# NOTE(review): a hostname here is resolved when the config is loaded unless a resolver is
# configured -- a DNS change for the broker needs a reload; confirm this matches expectations.
proxy_pass bidp-host1.kafka.hycs.sitc:9092;
}
}
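http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#tcp_nodelay on;
#keepalive_timeout 0;
#gzip on; # enable gzip
#gzip_min_length 1k; # responses smaller than 1kb are not compressed
#gzip_comp_level 3; # level 1-9: higher compresses more but costs more CPU; around 4 is a sensible setting
#gzip_types text/plain application/javascript text/javascript text/xml text/css application/json; # response types to compress
#gzip_disable "MSIE [1-6]\."; # regex of user agents for which gzip is disabled; here IE6 and below, which lack support
#gzip_vary on; # whether to add the "Vary: Accept-Encoding" response header
# Hide the nginx version in the Server header and on built-in error pages.
# (Was commented out in the original; leaving it on discloses the exact build to every client.)
server_tokens off;
server {
listen 80;
server_name _;
#charset koi8-r;
#access_log logs/host.access.log main;
# Redirect the site root to the SPA entry page
rewrite ^/$ /ams/main permanent;
# Static SPA files.
# Prefix and alias both end in "/" on purpose. The original `location /ams` + `alias /opt/amsdist/main`
# mapped every URI starting with "/ams" onto "/opt/amsdist/main<rest>", so a request such as "/ams.bak"
# resolved to "/opt/amsdist/main.bak" and sibling paths sharing the "main" prefix became reachable.
# Side effect of the fix: a bare "/ams" (no trailing slash) no longer matches this block.
location /ams/ {
index index.html;
alias /opt/amsdist/main/;
# serve the file if it exists, otherwise the SPA index (client-side routing)
try_files $uri /ams/index.html;
# there is no proxy_pass in this location, so this directive has no effect here; kept as in the original
proxy_cookie_path / "/; secure; SameSite=None";
# Cache rules for the single-page app: never cache the HTML shell, cache assets for a week.
# `if` inside a location is fragile in nginx; add_header and expires are among the directives that
# behave as expected inside it, so do not put other directives into these blocks.
if ($request_filename ~* .*\.(?:htm|html)$) {
add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
}
if ($request_filename ~* .*\.(?:js|css)$) {
expires 7d;
}
if ($request_filename ~* .*\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$) {
expires 7d;
}
}
# API gateway. The upstream is plain http, so this hop is unencrypted.
# (`index` has no effect in a proxied location; kept as in the original.)
location /api/ {
index index.html index.htm index.jsp;
proxy_pass http://ams-gateway-runtime.apps.vmocp-prod.cxxx.com/;
}
# Deny the login path. Regex locations take precedence over the /ams/ prefix above;
# note the pattern is unanchored and case-sensitive.
location ~ /ams/login {
deny all;
}
# Hotlink protection for /files/. The Referer header is client-supplied and trivially forged,
# so this only deters casual embedding. "none" is not in the list, so requests without a Referer
# are rejected as well.
error_page 403 /403.html;
location /files/ {
valid_referers *.saxxx *.cxxx.com servicewechat.com;
if ($invalid_referer) {
return 403;
}
# empty the header so no client-supplied X-Forwarded-For is passed to the object store
proxy_set_header X-Forwarded-For '';
# send SNI to the https upstream
proxy_ssl_server_name on;
# NOTE(review): nginx does not verify the upstream certificate by default, so this https hop
# currently accepts any certificate. Enable
#   proxy_ssl_verify on;
#   proxy_ssl_trusted_certificate <PATH-TO-CA-BUNDLE>;
# once the CA bundle location is known.
proxy_pass https://prod-ams.obs.cloud.cxxx.com/;
}
# Default static content
location / {
root html;
index index.html index.htm;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
# HTTPS server (disabled in the original). If enabled: pin the protocol versions -- without
# ssl_protocols this nginx version's default still includes TLS 1.0/1.1 -- and prefer a modern,
# forward-secrecy cipher list over HIGH:!aNULL:!MD5.
# server {
# listen 443 ssl;
# server_name _;
#
# ssl_certificate 5548890__saxxx.pem;
# ssl_certificate_key 5548890__saxxx.key;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
#
# location / {
# root html;
# index index.html index.htm;
# }
# }
}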
BasicAuthentication
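# Install httpd to get the htpasswd tool
yum install httpd -y
# Maintain the password file with htpasswd. -c creates the file: use it only for the first user,
# a second -c truncates the existing file. -B selects bcrypt instead of the default MD5-based hash.
# The original passed the password on the command line with -b, which leaves it in shell history
# and visible in `ps` to other users; without -b htpasswd prompts for it instead.
htpasswd -cB chatpasswd chat
htpasswd -B chatpasswd chat2
# Keep the file outside any served directory with restrictive permissions (e.g. chmod 640, owned by
# root and the nginx group). nginx references it with
#   auth_basic "<realm>";
#   auth_basic_user_file <PATH-TO>/chatpasswd;
# in the server or location that needs protecting.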
代理WebSocket
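server {
listen 80;
server_name _;
location / {
# nginx comments start with "#"; the original used "//", which nginx parses as an unknown
# directive and rejects the configuration.
proxy_pass http://127.0.0.1:8080/; # upstream address
proxy_http_version 1.1;
proxy_read_timeout 3600s; # idle timeout for the proxied connection (default 60s)
# Enable WebSocket upgrades. Setting Connection to "upgrade" unconditionally is the simple
# form; the nginx-documented variant maps $http_upgrade to $connection_upgrade so plain
# requests keep a normal Connection header.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /upload { # static files
root /mnt/resources;
}
}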
URL配置
总结下来主要是看 proxy_pass 的地址后面是否带“/”：带“/”时，location 匹配到的前缀会被替换掉（即忽略 location）；不带“/”时，请求路径原样追加到后端地址上。
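# proxy_pass without a URI part: the full request path is appended to the upstream address.
# The scheme is required -- the original `proxy_pass 192.168.2.123:81;` has none and nginx
# rejects it as an invalid URL prefix.
location /static {
proxy_pass http://192.168.2.123:81;
}
location /static/ {
proxy_pass http://192.168.2.123:81;
}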
访问地址:192.168.2.123:81/static/a.html
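# proxy_pass with a URI part ("/"): the part of the request matching the location prefix is
# replaced by that URI. Scheme added -- the original `proxy_pass 192.168.2.123:81/;` had none.
# With `location /static` (no trailing slash) only "/static" is replaced, so a request for
# "/static/a.html" reaches the upstream as "//a.html"; the trailing-slash form below yields "/a.html".
location /static {
proxy_pass http://192.168.2.123:81/;
}
location /static/ {
proxy_pass http://192.168.2.123:81/;
}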
访问地址:192.168.2.123:81/a.html
安全配置
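# CSP declares which sources the browser may load and execute, reducing or removing the impact of XSS.
add_header Content-Security-Policy "default-src 'self'; img-src 'self' *.alicdn.com; object-src 'none'; script-src 'self' *.alicdn.com; style-src 'self' *.alicdn.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self'";
# Framing-only policy, an alternative to the full policy above (pick one: if both headers are
# sent the browser enforces both). Fixed: the original line had a stray ":" after the header
# name, no quotes and no terminating ";", so nginx would not accept it.
add_header Content-Security-Policy "frame-ancestors 'self' https://*.example.com";
# X-Content-Type-Options tells the browser to honour the MIME type in Content-Type and not sniff a different one.
add_header X-Content-Type-Options nosniff;
# Strict-Transport-Security (HSTS): the browser must reach this site over HTTPS only; with includeSubDomains
# the same is enforced for every subdomain. Send it only from the https server block.
# `always` makes nginx add it to error responses too -- add_header otherwise applies only to 2xx/3xx.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# X-Frame-Options controls whether the page may be embedded in a frame
# DENY        the page may not be framed, not even by pages of the same origin
# SAMEORIGIN  the page may be framed by pages of the same origin
# ALLOW-FROM uri  the page may be framed by the given origin (obsolete; modern browsers ignore it,
#                 use CSP frame-ancestors instead)
add_header X-Frame-Options SAMEORIGIN;
# CORS. "*" allows every origin; browsers refuse it for requests that carry credentials.
add_header Access-Control-Allow-Origin *;
# NOTE(review): Access-Control-Allow-Origin does not accept wildcard subdomains, so the original
# `add_header Access-Control-Allow-Origin *.xx.com;` is ignored by browsers. To allow a domain and
# its subdomains, echo the request Origin back only when it matches an allow-list, using a map in
# the http context:
#   map $http_origin $cors_origin {
#       default "";
#       "~^https://([a-z0-9-]+\.)*xx\.com$" $http_origin;
#   }
#   add_header Access-Control-Allow-Origin $cors_origin;
# X-XSS-Protection: legacy browser XSS filter. Current browsers have removed it and OWASP now
# recommends the value "0" (or omitting the header) because the filter itself caused issues;
# kept here as in the original for old clients.
add_header X-XSS-Protection "1; mode=block";
# Cookie flags for proxied responses. The original `add_header Set-Cookie "Path=/; HttpOnly; Secure";`
# has no name=value pair, so it emits a malformed cookie and does not add flags to existing cookies.
# proxy_cookie_flags (nginx 1.19.3+, so available on the 1.20.1 build above) rewrites the flags of
# every Set-Cookie coming from the upstream; "~" matches all cookie names.
proxy_cookie_flags ~ httponly secure samesite=none;
# Pre-1.19.3 alternative: rewrite the Path attribute so the flags are appended to it. Do not combine
# it with proxy_cookie_flags, or the attributes are emitted twice.
#proxy_cookie_path / "/; httponly; secure; SameSite=None";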