Nginx configuration for common scenarios
This article collects the Nginx configuration scenarios most often met in production: reverse proxying, load balancing, static asset optimization, security hardening and a few special-purpose setups, each with a configuration template that can be reused directly.
1. Basic Configuration and Core Modules
1.1 Minimal production configuration
```nginx
# /etc/nginx/nginx.conf
user nginx;                    # run as an unprivileged user, kept separate from the application user (e.g. www-data)
worker_processes auto;         # number of worker processes (match the CPU core count)
error_log /var/log/nginx/error.log warn;  # global error log level
pid /run/nginx.pid;

events {
    worker_connections 10240;  # max connections per worker (raise the system ulimit to match)
    use epoll;                 # efficient event model (recommended on Linux)
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # custom log format: includes the proxy-chain IPs plus request and upstream timings
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '$request_time $upstream_response_time';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;             # send full packets when using sendfile
    tcp_nodelay on;            # disable Nagle's algorithm (needed for low-latency traffic)
    keepalive_timeout 65;      # keep-alive timeout in seconds

    # pull in per-site configuration (modular management)
    include /etc/nginx/conf.d/*.conf;
}
```
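The `main` log format above is what monitoring tooling has to parse. As an added example (not part of the original article), here is a Python parser for exactly that format with a summary over constructed sample lines; it handles the two shapes `$upstream_response_time` takes in practice, `-` when no upstream was contacted and a comma-separated list when `proxy_next_upstream` retried on another server.

```python
import re
from collections import Counter
# Regex built field by field from the `main` log_format above.
LOG_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)" (?P<request_time>\S+) (?P<upstream_response_time>.+)$'
)

def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["request_time"] = float(rec["request_time"])
    # $upstream_response_time is "-" when no upstream was contacted (static file, local
    # return) and "a, b" when proxy_next_upstream retried the request on another server.
    rec["upstream_times"] = [float(t) for t in rec["upstream_response_time"].split(",")
                             if t.strip() not in ("-", "")]
    rec["upstream_retries"] = max(len(rec["upstream_times"]) - 1, 0)
    return rec

def summarize(lines, slow_threshold=1.0):
    """Count status classes and collect slow or retried requests; unparsable lines are counted."""
    statuses, slow, retried, unparsed = Counter(), [], [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        statuses[rec["status"] // 100 * 100] += 1
        if rec["request_time"] >= slow_threshold:
            slow.append(rec["request"])
        if rec["upstream_retries"]:
            retried.append(rec["request"])
    return {"statuses": dict(statuses), "slow": slow, "retried": retried, "unparsed": unparsed}

# Constructed sample lines in the `main` format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET /api/users HTTP/1.1" 200 512 "-" "curl/8.0" "-" 0.012 0.010',
    '203.0.113.11 - - [10/Mar/2024:12:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 40210 "https://example.com/" "Mozilla/5.0" "-" 0.003 -',
    '198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "POST /api/payment HTTP/1.1" 502 150 "-" "Mozilla/5.0" "10.0.0.5, 198.51.100.7" 2.415 1.203, 1.210',
    'not an access log line',
]
if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```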
2. Reverse Proxy Scenarios
2.1 Proxying a single web service node (Tomcat, Node.js, etc.)
```nginx
# /etc/nginx/conf.d/proxy-web.conf
server {
    listen 80;
    server_name web.example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;                 # backend service address
        proxy_set_header Host $host;                      # pass the client's Host header
        proxy_set_header X-Real-IP $remote_addr;          # real client IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # proxy-chain IPs
        proxy_set_header X-Forwarded-Proto $scheme;       # original scheme (http/https)

        # timeouts (tune per application so Nginx does not cut off legitimate slow requests)
        proxy_connect_timeout 30s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # buffering (recommended for large responses)
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
    }

    # static assets through their own location (offloads caching from the backend)
    location ~* \.(jpg|jpeg|png|css|js)$ {
        proxy_pass http://127.0.0.1:8080;
        expires 7d;                                       # cache static assets for 7 days
        add_header Cache-Control "public, max-age=604800";
    }
}
```
2.2 Proxying WebSocket services (RabbitMQ, instant messaging)
```nginx
# /etc/nginx/conf.d/proxy-websocket.conf
server {
    listen 80;
    server_name ws.example.com;

    location /ws {
        proxy_pass http://127.0.0.1:15674/ws;   # WebSocket backend (e.g. RabbitMQ)
        # the protocol upgrade needs HTTP/1.1 plus the Upgrade and Connection hop-by-hop headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # long-lived connections: keep the timeouts above the backend's heartbeat interval
        proxy_connect_timeout 1d;
        proxy_send_timeout 1d;
        proxy_read_timeout 1d;
    }
}
```
2.3 Proxying an HTTPS backend (SSL passthrough)
```nginx
# /etc/nginx/conf.d/proxy-https.conf
server {
    listen 443 ssl;
    server_name api.example.com;

    # TLS between the client and Nginx (Nginx terminates this session and opens a
    # separate TLS connection to the backend in the location below)
    ssl_certificate /etc/nginx/ssl/api.crt;
    ssl_certificate_key /etc/nginx/ssl/api.key;
    ssl_trusted_certificate /etc/nginx/ssl/ca.crt;   # trusted CA chain
    ssl_protocols TLSv1.2 TLSv1.3;                   # only secure protocol versions
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;

    # proxy to the HTTPS backend
    location / {
        proxy_pass https://192.168.1.100:8443;
        proxy_ssl_verify off;   # in production enable this and point proxy_ssl_trusted_certificate at the backend's CA
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
3. Load Balancing Scenarios
3.1 Basic round-robin with health checks
```nginx
# /etc/nginx/conf.d/loadbalance.conf
# (this file is included from inside the http {} block of nginx.conf, so it must not
# wrap its contents in another http {} block)
upstream backend_servers {
    server 192.168.1.101:8080;
    server 192.168.1.102:8080;
    server 192.168.1.103:8080 down;   # taken out of rotation manually

    # active health checks (require the third-party ngx_http_upstream_check_module;
    # open-source Nginx on its own only does passive checks via max_fails/fail_timeout)
    check interval=3000 rise=2 fall=3 timeout=1000 type=http;
    check_http_send "HEAD /health HTTP/1.0\r\n\r\n";
    check_http_expect_alive http_2xx http_3xx;
}

server {
    listen 80;
    server_name lb.example.com;

    location / {
        proxy_pass http://backend_servers;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # move on to the next server on these failures
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    }
}
```
3.2 Weighted load balancing (by server capacity)
```nginx
upstream backend_servers {
    server 192.168.1.101:8080 weight=3;   # handles 3/6 of the requests
    server 192.168.1.102:8080 weight=2;   # handles 2/6 of the requests
    server 192.168.1.103:8080 weight=1;   # handles 1/6 of the requests
}
```
3.3 IP hash (session persistence)
```nginx
upstream backend_servers {
    ip_hash;                              # the same client IP always lands on the same server
    server 192.168.1.101:8080;
    server 192.168.1.102:8080;
    server 192.168.1.103:8080 backup;     # backup node, used only when the others are unavailable
}
```
4. Static Asset Optimization Scenarios
4.1 Static asset server (caching + compression + anti-hotlinking)
```nginx
# /etc/nginx/conf.d/static.conf
server {
    listen 80;
    server_name static.example.com;
    root /data/static;        # static asset root
    autoindex off;            # disable directory listings

    # Gzip compression (reduces transfer size)
    gzip on;
    gzip_types text/css text/javascript text/plain application/json image/svg+xml;
    gzip_min_length 1k;
    gzip_comp_level 5;

    # cache policy per file type. Regex locations are tried in order and the first match
    # wins, so the referer check for images has to live in the image location itself;
    # a second image location placed further down would never be reached.
    location ~* \.(jpg|jpeg|png|gif)$ {
        # anti-hotlinking: allow only empty referers and our own domains
        valid_referers none blocked example.com *.example.com;
        if ($invalid_referer) {
            return 403;
        }
        expires 30d;
        add_header Cache-Control "public, max-age=2592000";
    }
    location ~* \.(ico|svg)$ {
        expires 30d;
        add_header Cache-Control "public, max-age=2592000";
    }
    location ~* \.(css|js)$ {
        expires 7d;
        add_header Cache-Control "public, max-age=604800";
    }
    location ~* \.(html|htm)$ {
        expires 1h;
        add_header Cache-Control "public, max-age=3600";
    }
}
```
4.2 Large file download optimization (resumable downloads + bandwidth limiting)
```nginx
# /etc/nginx/conf.d/download.conf
server {
    listen 80;
    server_name download.example.com;
    root /data/downloads;

    location / {
        # resumable downloads (Range requests)
        add_header Accept-Ranges bytes;
        # large-file transfer tuning
        sendfile on;
        tcp_nopush on;
        aio on;
        directio 4m;               # files larger than 4 MB bypass the page cache (direct I/O)
        output_buffers 1 128k;
        # bandwidth limiting (keeps a single download from saturating the link)
        limit_rate 10m;            # 10 MB/s per connection
        limit_rate_after 50m;      # the first 50 MB are sent unthrottled
    }
}
```
5. Security Hardening Scenarios
5.1 Hardened HTTPS (TLS 1.2+ and HSTS)
```nginx
# /etc/nginx/conf.d/https.conf
server {
    listen 443 ssl;
    server_name secure.example.com;

    ssl_certificate /etc/nginx/ssl/secure.crt;
    ssl_certificate_key /etc/nginx/ssl/secure.key;
    ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # force clients onto HTTPS for one year (HSTS); "always" adds the header on error responses too
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # clickjacking and MIME-sniffing protection (X-XSS-Protection is a legacy header that
    # current browsers ignore; it is kept here for older clients)
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";

    # note: these add_header lines are inherited by a location only if that location
    # defines no add_header of its own; adding one there drops all of the above
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}

# redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name secure.example.com;
    return 301 https://$host$request_uri;
}
```
5.2 Access control (IP allowlist + password authentication)
```nginx
# /etc/nginx/conf.d/access-control.conf
server {
    listen 80;
    server_name admin.example.com;

    location /admin {
        # IP allowlist (with the default "satisfy all", both the IP check and the password must pass)
        allow 192.168.1.0/24;
        allow 123.123.123.123;
        deny all;
        # password authentication (create the file first: htpasswd -c /etc/nginx/conf.d/.htpasswd admin)
        # basic auth only base64-encodes the credentials, so serve this location over the
        # HTTPS setup from 5.1 rather than plain port 80
        auth_basic "Admin Area";
        auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
        proxy_pass http://127.0.0.1:8080/admin;
    }
}
```
5.3 Anti-DDoS configuration (request rate limiting + connection limits)
```nginx
# /etc/nginx/conf.d/anti-ddos.conf
# (this file is included from inside the http {} block of nginx.conf, so the zones are
# declared at the top level of the file, not inside another http {} block)

# per-IP request rate limit: 10 requests/s; a 10 MB zone holds roughly 160k client states
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
# stricter zone for sensitive endpoints: 5 requests/s. The rate belongs to the zone,
# limit_req itself has no rate= parameter, so a second zone is required.
limit_req_zone $binary_remote_addr zone=payment_limit:10m rate=5r/s;
# per-IP concurrent connection limit
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

server {
    listen 80;
    server_name api.example.com;

    location / {
        limit_req zone=req_limit burst=20 nodelay;   # admit bursts of 20 without queueing delay
        limit_conn conn_limit 10;                    # at most 10 concurrent connections per IP
        limit_conn_status 503;
        proxy_pass http://backend_servers;           # upstream defined in loadbalance.conf
    }

    # stricter limit on sensitive endpoints
    location /api/payment {
        limit_req zone=payment_limit burst=10;
        proxy_pass http://backend_servers;
    }
}
```
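To reason about what `burst=20 nodelay` and the 5 r/s payment limit actually admit, here is a small Python model of the leaky-bucket algorithm behind `limit_req`. It is an added example, not Nginx's code; it reproduces the documented per-key state (excess drained by rate times elapsed time, plus one per admitted request), and the arrival times are constructed.

```python
def simulate_limit_req(arrivals_ms, rate_rps, burst, nodelay=False):
    """Return one decision per request: ("ok", delay_ms) or ("rejected", None).

    arrivals_ms: arrival times in milliseconds for ONE client key (one $binary_remote_addr),
    in non-decreasing order. Follows the documented algorithm: the stored excess is drained
    by rate * elapsed seconds and incremented by 1 for each request that is admitted.
    """
    decisions = []
    excess, last_ms = 0.0, None   # per-key state kept in the shared zone
    for now in arrivals_ms:
        if last_ms is None:
            last_ms = now                    # first request for this key starts with zero excess
            decisions.append(("ok", 0))
            continue
        candidate = max(0.0, excess - rate_rps * (now - last_ms) / 1000.0 + 1.0)
        if candidate > burst:
            # over the burst: rejected with limit_req_status (503 by default); the stored
            # state is left untouched, so a rejected flood does not grow the bucket
            decisions.append(("rejected", None))
            continue
        excess, last_ms = candidate, now
        # without nodelay the excess is queued so the upstream sees at most rate_rps;
        # with nodelay the burst slots are served immediately and refill at rate_rps
        delay_ms = 0 if nodelay else int(round(excess / rate_rps * 1000))
        decisions.append(("ok", delay_ms))
    return decisions

def summarize_decisions(decisions):
    """Aggregate decisions into accepted/rejected counts and the longest queueing delay."""
    delays = [d for status, d in decisions if status == "ok"]
    return {"accepted": len(delays), "rejected": len(decisions) - len(delays),
            "max_delay_ms": max(delays) if delays else 0}

# Constructed scenario: one IP sends 30 requests at once, then one more 3 seconds later.
BURST_OF_30_THEN_ONE = [0] * 30 + [3000]

if __name__ == "__main__":
    # rate=10r/s, burst=20 nodelay: 21 served immediately, 9 rejected, late request served
    print(summarize_decisions(simulate_limit_req(BURST_OF_30_THEN_ONE, 10, 20, nodelay=True)))
    # same limit without nodelay: same verdicts, but the 21st request is held for 2 s
    print(summarize_decisions(simulate_limit_req(BURST_OF_30_THEN_ONE, 10, 20)))
    # /api/payment limit, rate=5r/s, burst=10: 11 served immediately, 19 rejected
    print(summarize_decisions(simulate_limit_req(BURST_OF_30_THEN_ONE, 5, 10)))
```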
6. Special-Purpose Scenarios
6.1 Reverse proxying FastDFS distributed storage
```nginx
# /etc/nginx/conf.d/fastdfs.conf
server {
    listen 80;
    server_name fdfs.example.com;

    # match storage groups dynamically (group1, group2, ...)
    location ~ ^/group([0-9])/M00/ {
        alias /data/fastdfs/storage/data/group$1/M00/;
        autoindex off;
        expires 30d;
        # anti-hotlinking
        valid_referers none blocked *.example.com;
        if ($invalid_referer) {
            return 403;
        }
    }
}
```
6.2 Serving a SPA (front-end route rewriting)
```nginx
# /etc/nginx/conf.d/spa.conf
server {
    listen 80;
    server_name spa.example.com;
    root /data/spa/dist;
    index index.html;

    # front-end routing: any path that is not a real file falls back to index.html
    location / {
        try_files $uri $uri/ /index.html;
    }

    # API requests are proxied to the backend
    location /api {
        proxy_pass http://127.0.0.1:8080/api;
        proxy_set_header Host $host;
    }
}
```
6.3 Canary releases (routing by Cookie/Header)
```nginx
# /etc/nginx/conf.d/gray-release.conf
# (this file is included from inside the http {} block of nginx.conf, so it must not
# wrap its contents in another http {} block)
upstream gray_servers {
    server 192.168.1.201:8080;   # canary environment
}
upstream prod_servers {
    server 192.168.1.101:8080;   # production environment
}

server {
    listen 80;
    server_name app.example.com;

    location / {
        # both selectors below are set by the client, so anyone who sends them reaches the
        # canary; if it must stay internal, add an allow/deny list as in 5.2
        # route by cookie (canary users carry gray=1)
        if ($cookie_gray = "1") {
            proxy_pass http://gray_servers;
            break;
        }
        # route by header (internal testing)
        if ($http_x_gray = "true") {
            proxy_pass http://gray_servers;
            break;
        }
        # default: production
        proxy_pass http://prod_servers;
        proxy_set_header Host $host;   # inherited by the if blocks above, which set no headers themselves
    }
}
```
7. Configuration Management and Best Practices
7.1 Modular configuration layout
```
/etc/nginx/
├── nginx.conf           # main configuration
├── conf.d/
│   ├── proxy-web.conf   # web proxy configuration
│   ├── static.conf      # static asset configuration
│   ├── ssl.conf         # shared SSL settings (pulled in via include)
│   └── ...
├── ssl/                 # certificate directory
│   ├── example.crt
│   └── example.key
└── snippets/            # reusable snippets (rate limiting, caching, ...)
    ├── limit.conf
    └── cache.conf
```
7.2 Common operations commands
| Command | Purpose |
|---|---|
| `nginx -t` | Check configuration syntax |
| `nginx -s reload` | Graceful reload (no dropped connections) |
| `nginx -V` | Show build parameters (confirm which modules are compiled in) |
| `curl http://localhost/nginx-status` | Monitor connection status (requires stub_status to be enabled) |
7.3 Performance tuning tips
- worker_processes: set to the CPU core count (`grep ^processor /proc/cpuinfo | wc -l`).
- worker_connections: tune together with the system `ulimit -n` (10240+ recommended).
- Caching: enable browser caching for static assets plus Nginx-side caching (`proxy_cache`).
- Log level: use `warn` in production to avoid log I/O stalls.
- Module trimming: compile with only the modules you need (e.g. `--without-http_autoindex_module`).
Further scenarios: Nginx + Lua for dynamic logic, WAF integration, HTTP/2 configuration, Kubernetes ingress adaptation, and more.
