Programming skills│A collection of common configurations in super practical nginx

🎈 Block IP

• Through deny can block the specified IP

 http {
    # ....
    # 封禁IP
    deny 192.168.4.3; 
    deny 31.42.145.0/24; 
    deny 51.12.35.0/24;
}

🎈 Only open intranet

• Need to ban first 192.168.1.1
• Open other intranet segments, and then ban all others IP

 location / { 
  # block one workstation 
  deny    192.168.1.1; 
  # allow anyone in 192.168.1.0/24 
  allow   192.168.1.0/24; 
  # drop rest of the world 
  deny    all; 
}

🎈 Load Balancer

• You need to configure the forwarding server information in nginx.conf
• Weight: weight=1 , the larger the assigned value, the higher the weight
• Maximum number of connections: max_fails=3 , the maximum number of connection failures is 3
• Connection failure time: fail_timeout=20s , the time of each connection failure
• Enable load balancing in site configuration default.conf

 # nginx.conf中配置转发服务器信息
upstream web {
    server 192.168.37.2 weight=1 max_fails=3 fail_timeout=20s;
    server 192.168.37.3 weight=1 max_fails=3 fail_timeout=20s;
}

# default.conf中开启负载均衡
location / {
    proxy_pass http://web/;
}

🎈 List files

• Sometimes the server acts as a resource server, providing users with download resources to use
• The files on the service need to be listed in the form of a directory
• You can configure autoindex on to allow listing of directories and enable directory traffic
• The exact size of the file can be displayed by autoindex_exact_size off , the unit is bytes
• The file time that can be displayed by autoindex_localtime on is the server time of the file

 location / {
    autoindex on;
    autoindex_exact_size on;
    autoindex_localtime on;
}

🎈 Route forwarding

• Sometimes users access the resources of the server through routing, but your resources are actually under another folder
• You can use the alias command to forward user requests

 # nginx服务器
location /static {
    alias /public;
}
 
# window服务器
location ^~ /static {
    alias "D:\\public\\静态资源";
}

🎈 Enable gzip compression

• gzip Compression is an optimization direction to improve access speed, which can greatly improve access speed

 http {
    # 开启gzip
    gzip on;

    # 是否在http header中添加Vary: Accept-Encoding，建议开启
    gzip_vary on;

    # 启用gzip压缩的最小文件，小于设置值的文件将不会压缩
    gzip_min_length 1k;

    gzip_proxied any;

    # gzip 压缩级别，1-9，数字越大压缩的越好，也越占用CPU时间
    gzip_comp_level 6;

    # 设置压缩所需要的缓冲区大小
    gzip_buffers 16 8k;

    # 设置gzip的版本
    gzip_http_version 1.1;

    # 进行压缩的文件类型。javascript有多种形式，后面的图片压缩不需要的可以自行删除
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
}

🎈 Resolve cross domain

 server {
    location / {
        #允许跨域请求的域，*代表所有 
        add_header 'Access-Control-Allow-Origin' *; 
        #允许带上cookie请求 
        add_header 'Access-Control-Allow-Credentials' 'true'; 
        #允许请求的方法，比如 GET / POST / PUT / DELETE 
        add_header 'Access-Control-Allow-Methods' *; 
        #允许请求的header 
        add_header 'Access-Control-Allow-Headers' *;
    }
}

🎈 Resource anti-leech

• In order to prevent other websites from directly using our static resources, you can increase the anti-leech configuration

 server {
    location ~*/(js|image|css) {
        # 检测*.autofelix.cn的请求，如果检测是无效的，直接返回403
        valid_referers *.autofelix.cn; 
        if ($invalid_referer) {
            return 403;
        }
     }
}

🎈 Keepalived improves throughput

• Through keepalived you can set the number of long connection processing
• Long connection can be set by proxy_http_version http version
• By proxy_set_header can clear connection header information

 # nginx.conf中配置吞吐量
upstream web {
    server 192.168.37.3 weight=1;keepalive 32;
}

# default.conf中配置
location / {
     proxy_pass http://tomcats;
     proxy_http_version 1.1;
     proxy_set_header Connection "";
}

🎈 HTTP force redirect to HTTPS

• In many websites, it is mandatory to use the https protocol
• So we need to force http to jump to https

 server {
    # 监听的端口号
    listen 80;
    
    # 强制跳转
    rewrite ^(.*)$ https://$host$1 permanent;
}
 
server {
    # 监听的端口号
    listen       443;
    # 主机名
    server_name www.520web.cn;
    # 开启ssl验证
    ssl on;
    # 字符集
    charset utf-8;
    # 访问的根目录
    root   /var/www/html;
    # 错误页面
    error_page  404    ...404文件路径;
    
    # 图片视频静态资源缓存到客户端时间
    location ~ .*\.(jpg|jpeg|gif|png|ico|mp3|mp4|swf|flv){
      expires 10d;
    }
    
    # js/css静态资源缓存到客户端时间
    location ~ .*\.(js|css){
      expires 5d;
    }
    
    # ssl的相关配置，pem文件的地址
    ssl_certificate  ...pem文件的绝对路径;
    # key文件的绝对路径
    ssl_certificate_key  ...key文件的绝对路径;
    # 断开重连时间
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # ssl协议
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    
    # 首页访问的文件
    location / {
        index  index.php index.html index.htm;
    }

    # php-ftm配置
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}