Nginx

• /usr/share/nginx/html 静态文件目录

• /etc/nginx/nginx.conf 配置目录

• /etc/nginx/conf.d/*.conf 其他的配置目录

• /var/log/nginx/access.log 日志

• 核心变量

• 可在日志中使用 $request_time $upstream_response_time 来记录访问使用时间

• ngx_http_auth_request_module

  • 可将授权交由其他请求处理
  • 教程

• Reference

  • agentzh's Nginx Tutorials
  • Full Example Configuration
  • 第三方模块列表
  • Ngx PageSpeed
  • Doc
  • NGINX Reverse Proxy
  • NAXSI
    • is an open-source, high performance, low rules maintenance WAF for NGINX
    • NAXSI means Nginx Anti XSS & SQL Injection.

• denji/homebrew-nginx

• Virtual Hosts on nginx

# brew 安装brew install nginx# 查看已安装模块nginx -V 2>&1 | tr -- - '\n' | grep 'module[^a-z=]'
# 基于当前目录启动nginx -p $PWD -c nginx.conf -g 'daemon off;'

常用配置

Websocket 反向代理

location /chat/ {    proxy_pass http://backend;    proxy_http_version 1.1;    proxy_set_header Upgrade $http_upgrade;    proxy_set_header Connection "upgrade";}

也可以直接使用客户端的参数

http {    map $http_upgrade $connection_upgrade {        default upgrade;        ''      close;    }
    server {        # ...
        location /chat/ {            proxy_pass http://backend;            proxy_http_version 1.1;            proxy_set_header Upgrade $http_upgrade;            proxy_set_header Connection $connection_upgrade;        }    }}

简单暴力的映射

sites.conf

server {    listen 80 default_server;    listen [::]:80 default_server;
    server_name $http_host;    root /sites/$http_host;    access_log logs/$http_host;    gzip on;}

docker run --rm -it -v $PWD:/sites -v $PWD/sites.conf:/etc/nginx/conf.d/default.conf -p 8080:80 --name web wener/nginx

# 默认日志格式log_format combined '$remote_addr - $remote_user [$time_local] '                    '"$request" $status $body_bytes_sent '                    '"$http_referer" "$http_user_agent"';
# 添加了压缩信息的日志log_format compression '$remote_addr - $remote_user [$time_local] '                       '"$request" $status $bytes_sent '                       '"$http_referer" "$http_user_agent" "$gzip_ratio"';
# 添加了响应时间的日志log_format timed  '$remote_addr - $remote_user [$time_local] '                  '"$request" $status $body_bytes_sent '                  '"$http_referer" "$http_user_agent"'                  '"$http_x_forwarded_for" $request_time $upstream_response_time';

https://www.nginx.com/resources/admin-guide/logging-and-monitoring/

$upstream_connect_time – The time spent on establishing a connection with an upstream server$upstream_header_time – The time between establishing a connection and receiving the first byte of the response header from the upstream server $upstream_response_time – The time between establishing a connection and receiving the last byte of the response body from the upstream server$request_time – The total time spent processing a request

常用配置

proxy.nginx

proxy_redirect          off;proxy_set_header        Host                $host;proxy_set_header        X-Real-IP           $remote_addr;proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;proxy_set_header        X-Forwarded-Proto   $scheme;# client_max_body_size    200m;# client_body_buffer_size 128k;proxy_connect_timeout   90;proxy_send_timeout      90;proxy_read_timeout      90;proxy_buffers           32 4k;

location / {    proxy_pass http://mysvr;    include conf/proxy.nginx;}

proxy_ws.nginx

• 反向代理 websocket

proxy_http_version 1.1;proxy_set_header Upgrade $http_upgrade;proxy_set_header Connection $connection_upgrade;
proxy_set_header        Host                $host;proxy_set_header        X-Real-IP           $remote_addr;proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;proxy_set_header        X-Forwarded-Proto   $scheme;
proxy_buffering off;proxy_redirect  off;chunked_transfer_encoding off;
# 因为是 ws, 所以将超时时间设置的长一点proxy_read_timeout 600s;

location /socket.io/ {    proxy_pass http://mysvr/socket.io/;    include conf/proxy_ws.nginx;}

conf/proxy_ssl.nginx

• 反向代理 SSL
• Securing HTTP Traffic to Upstream Servers
• 还是需要证书信息, 因为 SNI

ssl_session_cache    shared:SSL:1m;ssl_session_timeout  10m;ssl_certificate /etc/nginx/ssl/example.com.crt;ssl_certificate_key /etc/nginx/ssl/example.com.key;ssl_verify_client off;ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers RC4:HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers on;

proxy_elb.nginx

• https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
• http://scottwb.com/blog/2013/10/28/always-on-https-with-nginx-behind-an-elb/

pagespeed

https://github.com/apache/incubator-pagespeed-ngx

https://github.com/sitespeedio/sitespeed.io

Build ngx_pagespeed From Source https://www.modpagespeed.com/doc/build_ngx_pagespeed_from_source

https://en.wikipedia.org/wiki/Google_PageSpeed_Tools

主要内容

管理

代理和缓存

重写和访问控制

管理出入流

性能调优

listen

http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

listen address[:port] [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];listen port [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];listen unix:path [default_server] [ssl] [http2 | spdy] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];

stream

• ngx_stream_core_module

  • 自 1.9.0

• ngx_stream_proxy_module

  • allows proxying data streams over TCP, UDP and UNIX-domain sockets.

• 参考

  • TCP/UDP Load Balancing with NGINX: Overview, Tips, and Tricks
  • Announcing UDP Load Balancing in NGINX
    • March 15, 2016

# Load balance UDP-based DNS traffic across two serversstream {    upstream dns_upstreams {        server 192.168.136.130:53;        server 192.168.136.131:53;    }
    server {        listen 53 udp;        proxy_pass dns_upstreams;        proxy_timeout 1s;        proxy_responses 1;        error_log logs/dns.log;    }}

ngx_stream_core_modulengx_stream_access_modulengx_stream_geo_modulengx_stream_geoip_modulengx_stream_js_modulengx_stream_limit_conn_modulengx_stream_log_modulengx_stream_map_modulengx_stream_proxy_modulengx_stream_realip_modulengx_stream_return_modulengx_stream_split_clients_modulengx_stream_ssl_modulengx_stream_ssl_preread_modulengx_stream_upstream_modulengx_stream_upstream_hc_module

Choosing an NGINX Plus Load‑Balancing Technique https://www.nginx.com/blog/choosing-nginx-plus-load-balancing-techniques/

proxy_responses 控制 Nginx 应该等待上游返回多少信息

对于单 udp 会话, 不做特殊处理时, nginx 能够从上游接收到多个包, 但只会从下游接收到一个包. 因为下一次从下游接收到的包会认为是另外一个会话. 导致 udp 适用于下载但不适用于上传.

10 Tips for 10x Application Performance https://www.nginx.com/blog/10-tips-for-10x-application-performance/

IP Transparency and Direct Server Return with NGINX and NGINX Plus as Transparent Proxy https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/

https://www.kernel.org/doc/Documentation/networking/tproxy.txt https://github.com/benoitc/tproxy

tproxy 要求 upstream 修改默认路由, 保证所有请求都能被路由回去. 因此在 VPN 的情况下会有点尴尬

PROXY 10.0.1.1, 172.16.0.1

SERVER 10.0.2.1, 192.168.1.2

代理服务器通过 10.0.0.0/16 和后端服务器通讯, SERVER LAN 地址为 192.168.1.0/24, 要求 SERVER 能正确把包导回需修改默认路由为 10.0.1.1, 因此只能有一个前端的反向代理, 还是非常的不方便使用

如果有多个网卡, 还需要开启转发.

# serverroute del default gw 172.16.0.1route add default gw 10.0.1.1route -n
# 或者使用 ip 命令ip ro del default via 172.16.0.1 dev eth0
# proxyip rule add fwmark 1 lookup 100ip route add local 0.0.0.0/0 dev lo table 100# 针对 80 端口iptables -t mangle -A PREROUTING -p tcp -s 10.0.0.0/16 --sport 80 -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -L