Nginx服务之完整配置实例
纸上得来终觉浅,绝知此事要躬行。

完整配置实例:生产环境中使用
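# Process identity, worker count and per-worker descriptor limit.
# Workers run as the unprivileged "nobody"; the master stays root only to bind port 80.
user nobody nobody;
worker_processes auto;
worker_rlimit_nofile 51200;
error_log logs/error.log notice;
pid /var/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    # Event mechanism and the maximum number of simultaneous connections per worker.
    use epoll;
    worker_connections 51200;
}

http {
    # Hide the nginx version in the Server header and on built-in error pages.
    # A bare "Server: nginx" header is still emitted; removing it needs a third-party module.
    server_tokens off;
    include mime.types;

    # Do not rewrite Location/Refresh headers returned by the upstream.
    proxy_redirect off;

    # Pass the original Host and client address to the upstream.
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the
    # client already sent, so the upstream must trust only the LAST entry (the one this
    # proxy added); earlier entries are client-controlled. X-Real-IP is always $remote_addr.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Reject request bodies (uploads) above 20 MB with 413.
    client_max_body_size 20m;
    # Per-request in-memory body buffer; larger bodies spill to client_body_temp_path.
    client_body_buffer_size 256k;

    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffer_size 128k;
    proxy_buffers 4 64k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 128k;

    default_type application/octet-stream;
    charset utf-8;

    # Spill directories for bodies and upstream responses that exceed their buffers.
    # NOTE(review): these sit under the world-writable /var/tmp. nginx creates the
    # subdirectories itself and hands them to the worker user, but a dedicated,
    # non-world-writable directory (e.g. /var/lib/nginx/tmp) is the safer choice.
    client_body_temp_path /var/tmp/client_body_temp 1 2;
    proxy_temp_path /var/tmp/proxy_temp 1 2;
    fastcgi_temp_path /var/tmp/fastcgi_temp 1 2;
    uwsgi_temp_path /var/tmp/uwsgi_temp 1 2;
    scgi_temp_path /var/tmp/scgi_temp 1 2;

    # Drop request headers with invalid names instead of forwarding them upstream.
    ignore_invalid_headers on;

    # Hash table sizing for server_name lookup.
    server_names_hash_max_size 256;
    server_names_hash_bucket_size 64;

    # Header buffers: 8k is allocated per connection once the client starts sending;
    # up to 4 x 32k more only for oversized headers. Requests beyond that get 494/400.
    client_header_buffer_size 8k;
    large_client_header_buffers 4 32k;
    connection_pool_size 256;
    request_pool_size 64k;
    output_buffers 2 128k;
    postpone_output 1460;

    # How long a client may take to deliver the header/body, and how long a stalled
    # client is allowed to hold a response.
    client_header_timeout 1m;
    client_body_timeout 3m;
    send_timeout 3m;

    # Access log format. $remote_addr is the connecting peer; $http_x_forwarded_for is
    # logged verbatim and is client-controlled, so never treat it as the client IP.
    log_format main '$server_addr $remote_addr [$time_local] $msec+$connection '
                    '"$request" $status $connection $request_time $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Cache of open log file descriptors.
    open_log_file_cache max=1000 inactive=20s min_uses=1 valid=1m;
    access_log logs/access.log main;
    log_not_found on;

    sendfile on;
    tcp_nodelay on;
    tcp_nopush off;
    reset_timedout_connection on;
    keepalive_timeout 10 5;
    keepalive_requests 100;

    # Response compression.
    # The original listed gzip_proxied twice ("any" followed by an explicit list);
    # "any" short-circuits the check, which made the explicit list dead. Only the
    # explicit list is kept, so public cacheable upstream responses carrying
    # Last-Modified/ETag are no longer compressed.
    # NOTE(review): compressing dynamic pages that mix a secret with attacker-
    # controlled input enables BREACH-style attacks; keep gzip_types to static
    # content types or disable gzip for such pages.
    gzip on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_proxied expired no-cache no-store private auth no_last_modified no_etag;
    gzip_types text/plain application/x-javascript text/css application/xml application/json;
    gzip_disable "MSIE [1-6].(?!.*SV1)";

    upstream tomcat8080 {
        # Sticky by client IP. Behind a load balancer every client shares the LB's
        # address and lands on a single backend.
        ip_hash;
        server 172.16.100.103:8080 weight=1 max_fails=2;
        server 172.16.100.104:8080 weight=1 max_fails=2;
        server 172.16.100.105:8080 weight=1 max_fails=2;
    }

    server {
        # NOTE(review): plain HTTP only. If this site carries credentials or session
        # cookies, terminate TLS here (listen 443 ssl) and redirect port 80 to it.
        listen 80;
        server_name www.wsescape.com;
        # config_apps_begin
        root /data/webapps/htdocs;
        access_log /var/logs/webapp.access.log main;
        error_log /var/logs/webapp.error.log notice;

        location / {
            # Site icon served from a separate tree with a long cache lifetime.
            # The dot is escaped; the original "favicon.ico" matched any character there.
            location ~* ^.*/favicon\.ico$ {
                root /data/webapps;
                expires 180d;
                break;
            }
            # Anything that is not a regular file under root is handed to Tomcat.
            # NOTE(review): "if" + proxy_pass is the rewrite-phase idiom nginx's
            # "If is Evil" page warns about; try_files $uri @tomcat is the usual
            # replacement, but it handles "/" and other directory URIs differently
            # (-f fails on a directory and proxies it; try_files would serve it),
            # so the original form is kept.
            if ( !-f $request_filename ) {
                proxy_pass http://tomcat8080;
                break;
            }
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # Status vhost. "listen 8088" binds every interface and, being the only server on
    # that port, receives all requests to it regardless of Host; the allow/deny lists
    # below are the only thing keeping stub_status internal.
    server {
        listen 8088;
        server_name nginx_status;
        location / {
            access_log off;
            # "return" runs in the rewrite phase, before access checks, so every request
            # here gets 503 whether or not the deny would have applied.
            deny all;
            return 503;
        }
        location /status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            allow 172.16.100.71;
            deny all;
        }
    }
}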
- [1] For Best Performance
# One worker per CPU core; more workers than cores gains nothing.
worker_processes auto;

# Per-worker open-file limit. The OS hard limit still applies (ulimit -n /
# limits.conf); without this directive the OS default is used.
worker_rlimit_nofile 100000;

# NOTE(review): at "crit" the log no longer records limit_req/limit_conn
# rejections or access-denied events, which nginx logs at "error". Keep
# "error" or "warn" if those must reach monitoring.
error_log /var/log/nginx/error.log crit;

events {
    # Upper bound on concurrent clients = worker_connections * worker_processes,
    # further bounded by the OS socket limits (~64k ports per address).
    worker_connections 4000;
    # Linux event mechanism.
    use epoll;
    # Accept every pending connection on each wake-up instead of one at a time.
    multi_accept on;
}

http {
    # Cache descriptors and metadata of frequently opened files; tune under load.
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # NOTE(review): turning the access log off removes the request trail needed
    # for incident response. A buffered log (access_log ... buffer=64k flush=5s)
    # keeps most of the I/O saving without losing the evidence.
    access_log off;

    # Kernel-side file-to-socket copy instead of read()+write().
    sendfile on;
    # Send the response header and the start of the body in one packet.
    tcp_nopush on;

    # Compression. Skip it for pages that mix secrets with client input (BREACH).
    gzip on;
    # gzip_static on;
    gzip_min_length 10240;
    gzip_comp_level 1;
    gzip_vary on;
    gzip_disable msie6;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types
        # text/html is always compressed by the gzip module
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/atom+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;

    # Release resources held by clients that stopped responding.
    reset_timedout_connection on;
    # Body read timeout (default 60s).
    client_body_timeout 10;
    # Response write timeout between two successive writes (default 60s).
    send_timeout 2;
    # Idle keep-alive connection lifetime (default 75s).
    keepalive_timeout 30;
    # Requests allowed over one keep-alive connection.
    keepalive_requests 100000;
}
- [2] For Security Reasons
# Hide the nginx version in the Server response header and on built-in error pages.
# The bare "Server: nginx" header is still sent; removing it entirely needs a
# third-party module or a custom build.
server_tokens off;
- [3] For Simple DDoS Defense
# Shared-memory zones that count connections and requests per client address.
# $binary_remote_addr is the TCP peer: behind a load balancer every client shares
# the LB's address, so these limits would throttle the whole site, not one attacker.
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

# Apply both limits to the whole server: at most 10 open connections per client,
# 5 r/s sustained with a burst of 10 served immediately (nodelay). Excess
# connections and requests are answered with 503.
server {
    limit_conn conn_limit_per_ip 10;
    limit_req zone=req_limit_per_ip burst=10 nodelay;
}

# Bodies larger than this buffer are spilled to a temporary file.
client_body_buffer_size 128k;

# NOTE(review): the values below are the article's "testing environment" values
# and work against the DDoS goal. The 3m header buffer is allocated per connection
# once a client starts sending, and 4 x 256k more can be forced by oversized
# headers, so an attacker chooses how much memory nginx allocates; 3-minute
# header/body timeouts are exactly what slow-request (slowloris-style) floods rely
# on. Production values are small buffers and short timeouts (e.g. 10s).
client_header_buffer_size 3m;
large_client_header_buffers 4 256k;
client_body_timeout 3m;
client_header_timeout 3m;
- [4] Boost Performance 9x
# Choose the upstream from the first bytes the client sends. A TLS ClientHello
# is forwarded to an HTTPS upstream (TLS 1.2 to one host, every other TLS
# version, including 1.3, to the other); a connection that does not start with a
# ClientHello leaves $ssl_preread_protocol empty and is forwarded to SSH.
# These directives belong inside the stream { } context and require
# ngx_stream_ssl_preread_module.
# NOTE(review): TLS is not terminated here, so the HTTPS upstreams hold the
# certificates; and the "" branch exposes port 22 to anyone who can reach 443,
# so firewall rules written on the assumption "443 = HTTPS only" no longer hold.
map $ssl_preread_protocol $upstream {
    ""        ssh.example.com:22;
    "TLSv1.2" new.example.com:443;
    default   tls.example.com:443;
}

# SSH and HTTPS multiplexed on a single listener.
server {
    listen 192.168.0.1:443;
    # Peek at the ClientHello without decrypting, then relay the raw bytes.
    ssl_preread on;
    proxy_pass $upstream;
}