Nginx Installation and Configuration Collection

Based on my experience with both Apache2 and Nginx, I chose Nginx.

Installation

Ubuntu

sudo apt install nginx

Manjaro

yaourt -S nginx

(nginx is in the official Arch/Manjaro repositories, so sudo pacman -S nginx works as well; yaourt itself is no longer maintained.)

After installation, check that the service is running:

systemctl status nginx

Modules

List the modules the installed Nginx was built with (nginx -V prints the build's configure arguments to stderr):

ubuntu@VM-8-2-ubuntu:~$ nginx -V
nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

If a module we need is missing from that list, we have to compile nginx from source ourselves. Modules marked =dynamic above are built as .so files under --modules-path and are only active once nginx.conf loads them with a load_module directive.
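The following script classifies the modules in nginx -V output into statically built, dynamic (needs load_module), explicitly disabled and third-party ones. It is an added example, not code from the original page: the sample input is the configure line shown above, shortened, plus two hypothetical --add-module entries (ngx_brotli and ngx_http_geoip2_module) that the real build above does not contain.

```python
"""Classify the modules listed by `nginx -V` (added example, not code from the original page).

Optional core modules appear in the configure arguments as --with-<name>; a trailing
=dynamic means the module was built as a .so under --modules-path and is not active
until nginx.conf loads it with `load_module`.  Third-party modules appear as
--add-module / --add-dynamic-module.  Modules built by default (gzip, rewrite, proxy,
fastcgi, ...) never appear unless disabled with --without-<name>.
"""
import re
import shlex
import subprocess

# Constructed sample: the configure line of the nginx -V output above, shortened,
# plus two hypothetical --add-module entries to show how third-party modules look.
SAMPLE_V_OUTPUT = """nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' --prefix=/usr/share/nginx --modules-path=/usr/lib/nginx/modules --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_v2_module --with-http_image_filter_module=dynamic --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --without-http_autoindex_module --add-module=/build/ngx_brotli --add-dynamic-module=/build/ngx_http_geoip2_module
"""

# --with-<x> flags that are build options, not modules
BUILD_OPTIONS = {"cc-opt", "ld-opt", "cc", "cpp", "cpu-opt", "debug", "compat",
                 "pcre-jit", "threads", "file-aio", "openssl", "openssl-opt",
                 "pcre", "zlib", "ipv6"}


def parse_nginx_v(text):
    """Return a dict describing module build state from `nginx -V` output."""
    m = re.search(r"^configure arguments:(.*)$", text, re.MULTILINE)
    args = shlex.split(m.group(1)) if m else []   # shlex keeps quoted -opt values together
    info = {"modules_path": None, "static": set(), "dynamic": set(),
            "disabled": set(), "third_party": {}}
    for arg in args:
        key, _, value = arg.partition("=")
        if key == "--modules-path":
            info["modules_path"] = value
        elif key in ("--add-module", "--add-dynamic-module"):
            name = value.rstrip("/").rsplit("/", 1)[-1]
            info["third_party"][name] = "dynamic" if key.endswith("dynamic-module") else "static"
        elif key.startswith("--without-"):
            info["disabled"].add(key[len("--without-"):])
        elif key.startswith("--with-") and key[len("--with-"):] not in BUILD_OPTIONS:
            info["dynamic" if value == "dynamic" else "static"].add(key[len("--with-"):])
    return info


def module_status(info, name):
    """'static', 'dynamic', 'disabled' or 'not_listed' (built by default, or not built at all)."""
    if name in info["disabled"]:
        return "disabled"
    if name in info["dynamic"]:
        return "dynamic"
    if name in info["static"]:
        # stream_* / mail_* submodules are compiled into the parent's .so when the parent is dynamic
        parent = name.split("_", 1)[0]
        return "dynamic" if parent in ("stream", "mail") and parent in info["dynamic"] else "static"
    if name in info["third_party"]:
        return info["third_party"][name]
    return "not_listed"


def needs_load_module(info):
    """Module names that must be activated with a load_module directive before use."""
    return sorted(info["dynamic"]) + sorted(k for k, v in info["third_party"].items() if v == "dynamic")


def read_live_nginx_v():
    """Run the installed nginx; `-V` prints to stderr, not stdout."""
    proc = subprocess.run(["nginx", "-V"], capture_output=True, text=True)
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    info = parse_nginx_v(SAMPLE_V_OUTPUT)   # swap in read_live_nginx_v() for the real server
    for name in ("http_ssl_module", "http_image_filter_module", "stream_ssl_module",
                 "http_autoindex_module", "ngx_http_geoip2_module", "http_geoip_module"):
        print(f"{name:28} {module_status(info, name)}")
    print("load_module required for:", ", ".join(needs_load_module(info)))
    print("dynamic modules live under:", info["modules_path"])
```

Run it against the real server by replacing SAMPLE_V_OUTPUT with read_live_nginx_v(). Note that "not_listed" is ambiguous by design: core modules built by default never appear in the flags, while optional and third-party modules that are genuinely absent look the same, so for the latter (geoip2, for instance) check for a --with or --add entry explicitly.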

SSL

Add the following to /etc/nginx/sites-enabled/nginx.conf (on Ubuntu the site files normally live in /etc/nginx/sites-available/ with a symlink in sites-enabled/, and /etc/nginx/nginx.conf includes them). After editing, check the syntax with nginx -t and apply it with systemctl reload nginx.

server {
    # 'ssl' on the listen line replaces the old 'ssl on;' switch, which was deprecated in nginx 1.15.0 and removed in 1.25.1.
    # http2 needs nginx >= 1.9.5
    listen 443 ssl http2;
    server_name feater.top;

    root /var/www/html;
    index index.html index.htm;
    # Change this: path of the certificate file (full chain), as provided by the issuing CA
    ssl_certificate cert/fullchain.pem;
    # Change this: path of the private key file
    ssl_certificate_key cert/private.key;
    # Change this: the intermediate CA chain; nginx uses it to verify the stapled OCSP response (ssl_stapling_verify)
    ssl_trusted_certificate cert/chain.pem;

    # Change this: Diffie-Hellman parameters for the DHE suites
    # Generate with: openssl dhparam -out dhparam.pem 4096
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Change this: key that encrypts session tickets. Rotate it regularly: anyone holding it can decrypt recorded sessions.
    # Generate with: openssl rand 48 > session_ticket.key   (48 bytes = AES-128 ticket key, 80 bytes = AES-256)
    ssl_session_ticket_key /etc/nginx/ssl/session_ticket.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and cap the SSL Labs grade at B.
    # TLS 1.3 works natively with OpenSSL 1.1.1+ (the build shown above uses 1.1.1f); no special branch is needed.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: forward-secret AEAD only. Lists that add 3DES (DES-CBC3-SHA) or static-RSA suites
    # (AES128-SHA, AES256-GCM-SHA384 without an ECDHE/DHE prefix) give no forward secrecy and lower the grade.
    # TLS 1.3 suites are not selected by ssl_ciphers; OpenSSL enables its defaults
    # (nginx >= 1.19.4 can set them with: ssl_conf_command Ciphersuites ...;).
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets on;
    ssl_buffer_size 1400;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Change this: DNS resolver used for OCSP lookups; 119.29.29.29 inside China, 8.8.4.4 8.8.8.8 elsewhere
    resolver 119.29.29.29 valid=300s;
    resolver_timeout 5s;

    # Security headers for the SSL Labs A+ rating.
    # Caveat: add_header is inherited only by locations that have no add_header of their own. A location that
    # sets any header (a static-asset caching block, for example) silently drops all of these, so repeat them
    # there or keep them in a file you include in every location.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    add_header X-XSS-Protection "1; mode=block";

    location / {
        index index.html index.htm;
    }
}

Redirect HTTP to HTTPS

server {
    listen 80;
    server_name feater.top;
    # 'permanent' sends a 301 instead of the default 302, so browsers and crawlers remember the https URL
    rewrite ^(.*)$ https://feater.top$1 permanent;
}

The trailing $1 is the captured request path: http://feater.top/mybook.html becomes https://feater.top/mybook.html (nginx appends the query string automatically). The regex-free equivalent is return 301 https://feater.top$request_uri;.

Recently (2022-06-03) I noticed that Google's crawler was crawling the IP-address URL instead of the domain URL; this redirect forces it onto the domain.

PHP-FPM

Install the packages

yaourt -S php php-cgi php-fpm

(all three are in the official repositories, so sudo pacman -S php php-cgi php-fpm works too; afterwards enable the service with systemctl enable --now php-fpm)

Add inside server {}:

# Requests for .php files under the site are passed over FastCGI to php-fpm
location ~ \.php$ {
    root /var/www/html;
    # Without this, a request such as /uploads/x.jpg/y.php matches this location and, with cgi.fix_pathinfo=1
    # (the php.ini default), php-fpm can execute the uploaded x.jpg as PHP. try_files refuses anything that is
    # not an existing file.
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9000; # address php-fpm listens on; must match 'listen' in the php-fpm pool config
    fastcgi_index index.php;
    #include /usr/local/etc/nginx/fastcgi.conf; # if your nginx ships fastcgi.conf (it already sets SCRIPT_FILENAME), include it instead of setting the parameter by hand
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

Note:

  • The user directive at the top of nginx.conf and the user/group of the pool in /etc/php/php-fpm.d/www.conf (Arch/Manjaro path; Debian and Ubuntu use /etc/php/<version>/fpm/pool.d/www.conf) both need read access to the site files. If php-fpm listens on a Unix socket instead of TCP, listen.owner and listen.group in www.conf must also allow the nginx user to connect.
  • The fastcgi_pass value must match the listen field in www.conf.
  • The ownership and permissions of the site files must allow both users to read them; give php-fpm write access only to the directories the application actually needs, never to the document root as a whole.
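To make the try_files caveat above concrete, here is a simulation of how the location block hands a request to php-fpm and what php-fpm then executes. It is an added example, not code from the original page or from nginx/PHP: the document root and the file set are constructed, and the functions model only the two knobs that matter here, cgi.fix_pathinfo in php.ini and security.limit_extensions in www.conf.

```python
"""Simulate the nginx -> php-fpm hand-off for `location ~ \\.php$` (added example, not code from the
original page).  nginx only knows that the URI ends in .php; php-fpm decides which file to run.  With
cgi.fix_pathinfo=1 php-fpm strips trailing path components until it finds an existing file, so
/uploads/avatar.jpg/x.php executes the uploaded avatar.jpg as PHP unless something stops it:
`try_files $uri =404;` on the nginx side, or security.limit_extensions on the php-fpm side.
"""
import posixpath

DOCROOT = "/var/www/html"
# Constructed document root: the only regular files that "exist" in this simulation
FILES = {
    "/var/www/html/index.php",
    "/var/www/html/uploads/avatar.jpg",  # user upload; its bytes could contain <?php ... ?>
}


def nginx_script_filename(uri, try_files):
    """Return the SCRIPT_FILENAME nginx would send, None if the location does not match,
    or '404' if nginx refuses the request before it reaches php-fpm."""
    if not uri.endswith(".php"):
        return None                              # `location ~ \.php$` does not match; served elsewhere
    path = posixpath.normpath(DOCROOT + uri)
    if not path.startswith(DOCROOT + "/"):
        return "404"                             # URI tried to leave the document root
    if try_files and path not in FILES:
        return "404"                             # try_files $uri =404: only an existing file may reach php-fpm
    return path


def php_fpm_execute(script_filename, fix_pathinfo=True, limit_extensions=(".php",)):
    """Return (file executed, PATH_INFO) or a refusal string, mirroring php-fpm's
    cgi.fix_pathinfo and security.limit_extensions behaviour."""
    path, path_info = script_filename, ""
    while path not in FILES:
        if not fix_pathinfo or path == DOCROOT:
            return "404 No input file specified."
        path, tail = posixpath.split(path)       # fix_pathinfo: walk back one component ...
        path_info = "/" + tail + path_info       # ... and move it into PATH_INFO
    if limit_extensions and not path.endswith(tuple(limit_extensions)):
        return "403 Access denied."              # security.limit_extensions refuses non-.php files
    return (path, path_info)


def serve(uri, try_files=False, fix_pathinfo=True, limit_extensions=(".php",)):
    """End-to-end outcome of a request for `uri` under the given nginx and php-fpm settings."""
    script = nginx_script_filename(uri, try_files)
    if script is None:
        return "static"
    if script == "404":
        return "404 (nginx)"
    result = php_fpm_execute(script, fix_pathinfo, limit_extensions)
    if isinstance(result, tuple):
        return f"executes {result[0]} PATH_INFO={result[1]!r}"
    return result


if __name__ == "__main__":
    cases = [
        ("/index.php", {}),
        ("/uploads/avatar.jpg/x.php", {"limit_extensions": ()}),          # the page's config, old php-fpm
        ("/uploads/avatar.jpg/x.php", {}),                                # limit_extensions = .php
        ("/uploads/avatar.jpg/x.php", {"try_files": True, "limit_extensions": ()}),
        ("/uploads/avatar.jpg/x.php", {"fix_pathinfo": False, "limit_extensions": ()}),
    ]
    for uri, opts in cases:
        print(f"{uri:28} {opts!s:45} -> {serve(uri, **opts)}")
```

The second case is the dangerous combination: the page's location block as written, fix_pathinfo left at its default and no limit_extensions. Current php-fpm ships with security.limit_extensions = .php, which already refuses the .jpg, but relying on one layer is fragile; try_files $uri =404 keeps the request from reaching php-fpm at all.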

Data compression

Compress on the server and decompress in the browser to cut transfer volume and bandwidth.

##
# Gzip Settings
##

gzip on;

# Add "Vary: Accept-Encoding" so caches keep compressed and uncompressed copies apart; recommended
gzip_vary on;
# Compression level 1-9: higher compresses better but costs more CPU (6 is a sensible middle)
gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# Compress only compressible types (text/html is always included). JPEG/GIF/PNG are already compressed,
# so gzipping them wastes CPU and can even make them larger.
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

# Also compress responses to proxied requests (those carrying a Via header), whatever their Cache-Control/Expires headers say
gzip_proxied any;
# Minimum response size to compress, read from Content-Length; the default is 20 bytes
gzip_min_length 1k;
# Disable gzip for IE 6 and below
gzip_disable "MSIE [1-6]\.(?!.*SV1)";

# Caveat: compressing HTTPS responses that echo attacker-controlled input next to a secret (CSRF token,
# session id) enables the BREACH attack. Leave such dynamic pages uncompressed or mask the tokens.

Resource caching

Images and JS/CSS files rarely change, so caching them saves the fetch on every page load.

# cache files
location ~ .*\.(?:gif|jpg|jpeg|bmp|png|ico|css|js)$ {
    expires 30d;
    # $upstream_cache_status is only set when proxy_cache is in use; for local files it is empty and the header is not sent
    add_header X-Proxy-Cache $upstream_cache_status;
    # Caveat: because this location has its own add_header, the server-level headers (HSTS, X-Frame-Options, ...)
    # are no longer inherited here; repeat them in this block if they matter for these assets
}

expires sets how long the resource is considered fresh: nginx sends matching Expires and Cache-Control: max-age headers, and the browser fetches a fresh copy from the server after 30 days.
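Two pitfalls in this page's configuration are easy to miss by eye: the deprecated ssl on / TLS 1.0 / 3DES settings in the SSL section, and the way this caching location's add_header drops the server-level security headers. The linter below checks an nginx server block for both. It is an added example, not code from the original page or from nginx: the config parser is a minimal one written for this example (it does not handle backslash escapes inside quotes or include directives), and the sample config is a constructed, shortened version of the server block above.

```python
"""Lint an nginx server block for the TLS and add_header pitfalls discussed above (added example, not
code from the original page).  A minimal parser turns the config into (name, args, children) nodes;
the checks then flag `ssl on`, deprecated protocols, legacy or non-forward-secret cipher suites, and
locations whose own add_header silently hides the server-level security headers.
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")   # key-exchange prefixes that give forward secrecy


def tokenize(text):
    """Split nginx config text into words, '{', '}' and ';' (comments dropped, quotes removed)."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                              # comment runs to end of line
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":                            # quoted argument: keep its contents verbatim
            j = text.index(c, i + 1)
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse(tokens, pos=0):
    """Build a list of (name, args, children) nodes; children is None for simple directives."""
    nodes = []
    while pos < len(tokens) and tokens[pos] != "}":
        name, args, pos = tokens[pos], [], pos + 1
        while tokens[pos] not in ("{", ";"):
            args.append(tokens[pos])
            pos += 1
        children = None
        if tokens[pos] == "{":
            children, pos = parse(tokens, pos + 1)
        nodes.append((name, args, children))
        pos += 1                                    # skip the ';' or the closing '}'
    return nodes, pos


def lint_server(server, findings):
    """Append findings for one server block."""
    body = server[2]
    server_headers = {a[0] for n, a, _ in body if n == "add_header" and a}
    for name, args, children in body:
        if name == "ssl" and args == ["on"]:
            findings.append("ssl on: deprecated since nginx 1.15.0 and removed in 1.25.1; use 'listen 443 ssl'")
        elif name == "ssl_protocols":
            weak = sorted(WEAK_PROTOCOLS & set(args))
            if weak:
                findings.append(f"ssl_protocols enables {', '.join(weak)} (deprecated by RFC 8996); use TLSv1.2 TLSv1.3")
        elif name == "ssl_ciphers":
            for suite in ":".join(args).split(":"):
                if suite.startswith(("!", "TLS_")):      # exclusions and TLS 1.3 names need no check
                    continue
                if any(bad in suite for bad in ("DES-CBC3", "RC4", "MD5", "NULL")):
                    findings.append(f"ssl_ciphers includes legacy suite {suite}")
                elif not suite.startswith(PFS_PREFIXES):
                    findings.append(f"ssl_ciphers includes {suite}: no forward secrecy (static key exchange or alias)")
        elif name == "location" and children is not None:
            own = {a[0] for n, a, _ in children if n == "add_header" and a}
            missing = sorted(server_headers - own) if own else []
            if missing:
                findings.append(f"location {' '.join(args)}: its add_header hides server-level {', '.join(missing)}")


def lint(nodes, findings=None):
    """Lint every server block, whether the input is a bare server{} or a whole http{} file."""
    findings = [] if findings is None else findings
    for node in nodes:
        if node[0] == "server" and node[2] is not None:
            lint_server(node, findings)
        elif node[2] is not None:
            lint(node[2], findings)
    return findings


def lint_text(text):
    return lint(parse(tokenize(text))[0])


# Constructed sample: a shortened version of the page's server block with its original weak settings
SAMPLE_CONFIG = r"""
server {
    listen 443;
    server_name feater.top;
    ssl on;   # old-style switch
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:AES128-SHA:!aNULL:!MD5";
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    add_header X-Frame-Options "DENY";
    location / { index index.html; }
    location ~ .*\.(?:gif|jpg|png|css|js)$ {
        expires 30d;
        add_header X-Proxy-Cache $upstream_cache_status;
    }
}
"""

if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONFIG):
        print("-", finding)
```

Point lint_text at the contents of your site file to run it for real. The cipher check only understands explicit suite names; OpenSSL aliases such as HIGH or AES are reported as lacking forward secrecy because their expansion cannot be judged from the config alone, which is a reasonable prompt to spell the list out.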

Load balancing

Traffic is too low for this; I have not needed the feature yet.

Geo-blocking by region

First download the GeoIP2 database (GeoLite2) from the MaxMind website. The geoip2 directive comes from the third-party ngx_http_geoip2_module, which is not in the nginx -V output above; it has to be compiled in, or built as a dynamic module and activated with load_module, before the configuration below will parse.

Add inside http {}:

geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
    auto_reload 5m;
    $geoip2_data_country_code country iso_code;
}
# Note the inverted naming: with this map "yes" means "not CN". An address the database cannot resolve
# (private ranges, unknown IPs) yields an empty code and therefore also lands in "yes".
map $geoip2_data_country_code $allowed_country {
    default yes;
    CN no;
}

Add inside the location in server {}:

# If nginx sits behind a proxy or CDN, the lookup sees the proxy's address; configure the realip module
# (set_real_ip_from / real_ip_header) first so the client's address is used.
if ($allowed_country = yes) {
    # return https://www.baidu.com;
    # return /home/japan;
    return 404;
}

This blocks every IP address outside China.


Nginx Installation and Configuration Collection
https://feater.top/web/setup-of-nginx
Author: JackeyLea
Published: 22 November 2021
License