nginx配置文件示例
# Main-context settings: process identity, worker sizing and logging.
# Worker processes run as the unprivileged "nginx" account.
user nginx;
# One worker per CPU core, each bound to its own core.
worker_processes auto;
worker_cpu_affinity auto;
# Raise the per-worker file-descriptor limit so the worker_connections value in
# events {} can actually be reached.
worker_rlimit_nofile 65535;
# Main error log (warn and above) and the master process pid file.
error_log /var/log/nginx/error.log warn;
pid /run/nginx.pid;
# Connection-processing settings for every worker.
events {
    # Linux event notification method.
    use epoll;
    # Accept as many pending connections as possible per wake-up.
    multi_accept on;
    # Must stay at or below worker_rlimit_nofile in the main context.
    worker_connections 65535;
}
# HTTP服务的配置
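http {
    # MIME handling, declared exactly once. The original repeated both lines
    # further down: a second `default_type` in the same context is a fatal
    # "directive is duplicate" error, and re-including mime.types produces
    # "duplicate extension" warnings.
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Access/error logging.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    # Hide the nginx version in the Server header and error pages. Set once
    # here; it is inherited by every server below.
    server_tokens off;

    # Security response headers, one `add_header` per header name. The original
    # declared X-Frame-Options, X-XSS-Protection and X-Content-Type-Options twice
    # each, so every response carried each of them twice.
    # NOTE: `add_header` is NOT inherited into a location that has its own
    # `add_header`; such locations must restate this set (see @backend below).
    # `always` also attaches the headers to 4xx/5xx responses.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header; current browsers ignore it, kept for older ones.
    add_header X-XSS-Protection "1; mode=block" always;
    # The original used the obsolete X-Content-Security-Policy name, which no
    # current browser enforces; Content-Security-Policy is the standard header.
    add_header Content-Security-Policy "default-src 'self'" always;
    # HSTS: `preload` is a long-term commitment for the whole domain tree; keep
    # it only once the domain has actually been submitted to the preload list.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Default to non-cacheable, private responses.
    add_header Cache-Control "no-cache, private" always;

    # Proxy cache store, referenced by `proxy_cache my_cache` below.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m;
    proxy_cache_key "$scheme$request_method$host$request_uri";

    # Rate-limit zone. `limit_req_zone` is only valid in the http context; the
    # original placed it inside the server block, which nginx rejects with
    # "directive is not allowed here". 1r/s with burst=10 is aggressive for a
    # page that loads many sub-resources; tune against real traffic.
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    # Gzip, declared once (a second `gzip on` is a duplicate-directive error).
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_comp_level 6;
    gzip_min_length 1000;
    gzip_types text/plain text/css application/json application/javascript application/xml;

    # Transfer tuning.
    client_max_body_size 20m;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;

    # Reverse-proxy backend pool.
    upstream backend {
        server backend1.example.com;
        server backend2.example.com;
    }

    # Plain HTTP: redirect everything to HTTPS.
    server {
        listen 80;
        server_name example.com;
        return 301 https://$server_name$request_uri;
    }

    # HTTPS server.
    server {
        # `http2` as a listen parameter is deprecated since nginx 1.25.1 in
        # favour of `http2 on;`, but is still accepted.
        listen 443 ssl http2;
        server_name example.com;

        # Certificate and private key; the key file must not be world-readable.
        ssl_certificate /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # Forward-secret AEAD suites only. The original list also enabled 3DES
        # (DES-CBC3-SHA, Sweet32), CBC/SHA-1 suites and static-RSA key exchange
        # (no forward secrecy); none of them is needed for TLS 1.2+ clients.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        # Shared session cache so resumed connections skip the full handshake.
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # Document root and index at server level so that the regex locations
        # below (PHP, deny rules) see the same $document_root. In the original
        # `root` lived only in `location /`, so the PHP location would have
        # built SCRIPT_FILENAME from the default prefix-relative "html" root.
        root /var/www/example.com;
        index index.html;

        # Per-client request rate limit (zone declared in the http context).
        limit_req zone=one burst=10;

        # Only GET/HEAD/POST are served. This also rejects OPTIONS, so CORS
        # preflight requests receive 405; add OPTIONS if the backend needs it.
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }
        # Crude crawler filter. User-Agent is chosen by the client, so this is
        # hygiene rather than a security control, and because it matches "bot"
        # it also blocks legitimate search-engine crawlers.
        if ($http_user_agent ~* (bot|crawl|spider)) {
            return 403;
        }
        # Block known referrer-spam sources.
        if ($http_referer ~* (semalt.com|todaperfeita)) {
            return 403;
        }
        # Originally labelled "SQL injection"; the pattern actually looks for an
        # HTML script tag in the query string. It is a signature filter, not a
        # substitute for input validation and output encoding in the
        # application.
        if ($args ~* "(<|%3C).*script.*(>|%3E)") {
            return 403;
        }

        # Static files first; anything not present on disk falls through to the
        # backend. The original declared `location /` twice (static root and
        # proxy_pass), which nginx rejects as 'duplicate location "/"'.
        location / {
            try_files $uri $uri/ @backend;
        }

        # Reverse proxy with response caching.
        location @backend {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Lets the backend know the client connection was TLS.
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_cache my_cache;
            proxy_cache_valid 200 60m;
            proxy_cache_valid 404 1m;
            proxy_cache_revalidate on;
            add_header X-Cache-Status $upstream_cache_status;
            # `add_header` here replaces the inherited http-level set, so the
            # security headers must be restated for proxied responses.
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Content-Security-Policy "default-src 'self'" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
            add_header Cache-Control "no-cache, private" always;
        }

        # Deny Apache-style dotfiles (.htaccess/.htpasswd) and dumps/configs.
        # The original `\.(ht|sql|conf)$` only matched a literal ".ht" suffix
        # and therefore never blocked .htaccess or .htpasswd. Regex locations
        # match in order of appearance, so these stay ahead of the PHP one.
        location ~ /\.ht {
            deny all;
        }
        location ~ \.(sql|conf)$ {
            deny all;
        }

        # PHP via php-fpm. try_files checks that the script exists on disk
        # before it is handed to FastCGI, so a URI for a missing .php file is a
        # plain 404 rather than a FastCGI error.
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
}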