nginx配置文件nginx.conf详细讲解

#  power by www.php.cn
#user  nobody;

      #nginx进程,一般设置为和cpu核数一样
worker_processes  1;

      #错误日志存放目录
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#进程pid存放位置
#pid        logs/nginx.pid;

#工作模式及连接数上限
events {
#epoll是多路复用IO(I/O Multiplexing)中的一种方式,但是仅用于linux2.6以上内核,可以大大提高nginx的性能
 use epoll;
 #;单个后台worker process进程的最大并发链接数
    worker_connections  1024;
}


http {
 #文件扩展名与类型映射表
    include       mime.types;
    #默认文件类型
    default_type  application/octet-stream;

#设置日志模式
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

  #开启高效传输模式
    sendfile        on;
    #tcp_nopush     on;

#连接超时时间,单位是秒
    #keepalive_timeout  0;
    keepalive_timeout  65;

  #激活tcp_nopush参数可以允许把httpresponse header和文件的开始放在一个文件里发布,
  #积极的作用是减少网络报文段的数量
  #tcp_nopush     on;

      #激活tcp_nodelay,内核会等待将更多的字节组成一个数据包,从而提高I/O性能
    #tcp_nodelay on;

    #FastCGI相关参数:为了改善网站性能:减少资源占用,提高访问速度
  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 128k;
  fastcgi_buffers 4 128k;
  fastcgi_busy_buffers_size 256k;
  fastcgi_temp_file_write_size 256k;

#开启gzip压缩功能
  #gzip  on;
  gzip on;
  #设置允许压缩的页面最小字节数,页面字节数从header头的Content-Length中获取。默认值是0,表示不管页面多大都进行压缩。建议设置成大于1K。如果小于1K可能会越压越大。
  gzip_min_length  1k;
  #压缩缓冲区大小。表示申请4个单位为16K的内存作为压缩结果流缓存,默认值是申请与原始数据大小相同的内存空间来存储gzip压缩结果。
  gzip_buffers     4 32k;
  #压缩版本(默认1.1,前端为squid2.5时使用1.0)用于设置识别HTTP协议版本,默认是1.1,目前大部分浏览器已经支持GZIP解压,使用默认即可。
  gzip_http_version 1.1;
  #压缩比率。用来指定GZIP压缩比,1压缩比最小,处理速度最快;9压缩比最大,传输速度快,但处理最慢,也比较消耗cpu资源
  gzip_comp_level 2;
  #用来指定压缩的类型,“text/html”类型总是会被压缩
  gzip_types       text/plain application/x-javascript text/css application/xml;
    #vary header支持。该选项可以让前端的缓存服务器缓存经过GZIP压缩的页面,例如用

  #Squid缓存经过Nginx压缩的数据。
  gzip_vary on;

  gzip_disable "MSIE [1-6].";

#设定请求缓存
  server_names_hash_bucket_size 128;
  client_max_body_size     100m; 
  client_header_buffer_size 256k;
  large_client_header_buffers 4 256k;

#基于域名的虚拟主机
    server {
    #监听端口
        listen       80;
        server_name  localhost;
        #charset koi8-r;
        #access_log  logs/
        #站点根目录,即网站程序存放目录
        root    "D:/Work/phpstudy/PHPTutorial/WWW";
        location / {
        #首页排序
            index  index.html index.htm index.php l.php;
           autoindex  off;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php(.*)$  {#符合php扩展名的请求调度到fcgi server

            fastcgi_pass   127.0.0.1:9000;  #抛给本机的9000端口
            fastcgi_index  index.php; #设定动态首页
            fastcgi_split_path_info  ^((?U).+\.php)(/?.+)$;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            fastcgi_param  PATH_INFO  $fastcgi_path_info;
            fastcgi_param  PATH_TRANSLATED  $document_root$fastcgi_path_info;
            include        fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443;
    #    server_name  localhost;

    #    ssl                  on;
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_timeout  5m;

    #    ssl_protocols  SSLv2 SSLv3 TLSv1;
    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers   on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

include vhosts.conf;

}
#######nginx防sql注入##########

###start####
if ( $query_string ~* ".*[\;'\<\>].*" ){
    return 444;
    }
if ($query_string  ~* ".*(insert|select|delete|update|count|\*|%|master|truncate|declare|\'|\;|and|or|\(|\)|exec).* ") {
    return 444;
    }
if ($request_uri ~* "(cost\()|(concat\()") {
                 return 444;
    }
if ($request_uri ~* "[+|(%20)]union[+|(%20)]") {
                 return 444;
    }
if ($request_uri ~* "[+|(%20)]and[+|(%20)]") {
                 return 444;
    }
if ($request_uri ~* "[+|(%20)]select[+|(%20)]") {
                 return 444;
    }
set $block_file_injections 0;
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
set $block_file_injections 1;
}
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
set $block_file_injections 1;
}
if ($block_file_injections = 1) {
return 448;
}
set $block_common_exploits 0;
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
set $block_common_exploits 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
set $block_common_exploits 1;
}
if ($query_string ~ "proc/self/environ") {
set $block_common_exploits 1;
}
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
set $block_common_exploits 1;
}
if ($query_string ~ "base64_(en|de)code\(.*\)") {
set $block_common_exploits 1;
}
if ($block_common_exploits = 1) {
return 444;
}
set $block_spam 0;
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
set $block_spam 1;
}
if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
set $block_spam 1;
}
if ($block_spam = 1) {
return 444;
}
set $block_user_agents 0;
if ($http_user_agent ~ "Wget") {
 set $block_user_agents 1;
}
# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
set $block_user_agents 1;
}
# Common bandwidth hoggers and hacking tools.
if ($http_user_agent ~ "libwww-perl") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetRight") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GetWeb!") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go!Zilla") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Download Demon") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "Go-Ahead-Got-It") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "TurnitinBot") {
set $block_user_agents 1;
}
if ($http_user_agent ~ "GrabNet") {
set $block_user_agents 1;
}
if ($block_user_agents = 1) {
return 444;
}

###end####
     location ~ ^/list {
         #如果后端的服务器返回502、504、执行超时等错误,自动将请求转发到upstream负载均衡池中的另一台服务器,实现故障转移。
         proxy_next_upstream http_502 http_504 error timeout invalid_header;
         proxy_cache cache_one;
         #对不同的HTTP状态码设置不同的缓存时间
         proxy_cache_valid  200 301 302 304 1d;
         #proxy_cache_valid  any 1d;
         #以域名、URI、参数组合成Web缓存的Key值,Nginx根据Key值哈希,存储缓存内容到二级缓存目录内
         proxy_cache_key $host$uri$is_args$args;
         proxy_set_header Host  $host;
         proxy_set_header X-Forwarded-For  $remote_addr;
         proxy_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
         #proxy_ignore_headers Set-Cookie;
         #proxy_hide_header Set-Cookie;
         proxy_pass http://backend_server;
         add_header      Nginx-Cache     "$upstream_cache_status  from  km";

          expires      1d;
        }

    access_log  /data1/logs/abc.com.log access;    #nginx访问日志
  }
-----------------------ssl(https)相关------------------------------------

server {
  listen 13820; #监听端口
  server_name localhost;
  charset utf-8;                #gbk,utf-8,gb2312,gb18030 可以实现多种编码识别
  ssl on; #开启ssl
  ssl_certificate /ls/app/nginx/conf/mgmtxiangqiankeys/server.crt; #服务的证书
  ssl_certificate_key /ls/app/nginx/conf/mgmtxiangqiankeys/server.key; #服务端key
  ssl_client_certificate /ls/app/nginx/conf/mgmtxiangqiankeys/ca.crt; #客户端证书
  ssl_session_timeout 5m; #session超时时间
  ssl_verify_client on; # 开户客户端证书验证
  ssl_protocols SSLv2 SSLv3 TLSv1; #允许SSL协议
  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; #加密算法
  ssl_prefer_server_ciphers on; #启动加密算法
  access_log /lw/logs/nginx/dataadmin.test.com.ssl.access.log access ; #日志格式及日志存放路径
  error_log /lw/logs/nginx/dataadmin.test.com.ssl.error.log; #错误日志存放路径

}
-------------END------------------------------------------------------------
}

發表回覆

你的電郵地址並不會被公開。 必要欄位標記為 *