Nginx常用指令
设置只允许指定IP访问
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.hbswhsxy.cn hbswhsxy.cn;
charset utf-8;
# 指定crt文件路径
ssl_certificate /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.crt;
# 指定key文件路径
ssl_certificate_key /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# 配置加密套件# ssl_ciphers HIGH: !aNULL: !MD5;
ssl_ciphers ECC-SM2-SM4-CBC-SM3:ECC-SM2-SM4-GCM-SM3:ECDHE-SM2-SM4-CBC-SM3:ECDHE-SM2-SM4-GCM-SM3:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
#允许特定IP访问
allow 111.111.111.111;
#拒绝所有IP访问
deny all;
root /home/java;
}
location /prod-api-two/ {
proxy_pass http://localhost:3004/;
}
}设置只允许指定IP段访问
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.hbswhsxy.cn hbswhsxy.cn;
charset utf-8;
# 指定crt文件路径
ssl_certificate /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.crt;
# 指定key文件路径
ssl_certificate_key /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# 配置加密套件# ssl_ciphers HIGH: !aNULL: !MD5;
ssl_ciphers ECC-SM2-SM4-CBC-SM3:ECC-SM2-SM4-GCM-SM3:ECDHE-SM2-SM4-CBC-SM3:ECDHE-SM2-SM4-GCM-SM3:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
#允许特定网段IP访问
allow 111.111.111.0/24;
#拒绝所有IP访问
deny all;
}
location /prod-api-two/ {
proxy_pass http://localhost:3004/;
}
}限制上传文件大小
#user为用户,不用改
#error_log为Nginx错误日志存储路径。路径根据nginx的实际目录填写。如果nginx在/usr/local/nginx/解压安装的,一般都在这里。务必确保与第8步骤创建的nginx日志文件夹一致。
user nginx;
worker_processes auto;
error_log /usr/local/nginx/logs/error.log;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#client_max_body_size为允许上传最大文件大小为10g,nginx默认最多允许上传1m
client_max_body_size 10240M;
#access_log路径根据nginx的实际目录填写
access_log /usr/local/nginx/logs/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /usr/local/nginx/conf/mime.types; #路径根据nginx的实际目录填写
default_type application/octet-stream;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name #用户访问的域名或IP;
include /etc/nginx/default.d/*.conf;
# 凡是通过80端口访问,都跳转至指定网址和端口
location / {
proxy_pass http://xxx.cn:2000;
}
location /xiaobai/ {
root /var/www/html;
}
}
}Nginx问题集
网站css/js间歇性加载失败
#报错如下
Failed to load resource: net::ERR_INCOMPLETE_CHUNKED_ENCODING1.查看nginx日志。
默认nginx日志路径:/nginx/logs/error.log
雷池WAF防火墙nginx日志路径:/safeline/logs/nginx/error.log
2.通过nginx日志定位问题。
#报错如下
多个Permission denied报错,这意味着Nginx尝试打开临时文件时没有足够的权限。
an upstream response is buffered to a temporary file警告,这表明Nginx在处理上游响应时将数据缓冲到了临时文件中,这通常是由于上游服务器响应的数据量较大,超过了Nginx的缓冲区大小限制。3.检查/usr/local/nginx/proxy_temp目录权限,发现该目录只允许root账户读写。
ls -ld /usr/local/nginx/proxy_temp#输出如下
drwx------ 2 root root 6 Nov 10 01:28 /usr/local/nginx/proxy_temp4.查看哪些用户在运行nginx,发现101和203用户在运行nginx。
ps aux | grep nginx#输出如下
root 1746 0.0 0.1 112176 3312 ? Ss Nov02 0:00 nginx: master process nginx -g daemon off;
root 2528 0.0 0.0 9148 408 ? Ss Nov02 0:00 nginx: master process nginx
101 2530 0.0 0.1 10048 3056 ? S Nov02 2:15 nginx: worker process
101 2531 0.0 0.1 10048 3036 ? S Nov02 2:14 nginx: worker process
root 19332 0.0 0.0 42968 736 ? Ss 10:13 0:00 nginx: master process /usr/local/nginx/sbin/nginx
root 19333 0.0 0.2 73872 4000 ? S 10:13 0:00 nginx: worker process
root 19334 0.0 0.2 73872 4404 ? S 10:13 0:00 nginx: worker process
203 23834 0.0 0.4 220720 9168 ? S Nov07 0:16 nginx: worker process
203 23835 0.0 0.7 220720 15140 ? S Nov07 0:14 nginx: worker process
root 25734 0.0 0.0 12112 1092 pts/0 S+ 10:42 0:00 grep --color=auto nginx5.授权101和203用户读写/usr/local/nginx/proxy_temp目录。
sudo chown -R 101:101 /usr/local/nginx/proxy_temp
sudo chown -R 103:103 /usr/local/nginx/proxy_temp
sudo chmod -R 775 /usr/local/nginx/proxy_temp6.验证。
ls -ld /usr/local/nginx/proxy_temp7.如运行了雷池WAF,需进入/safeline/resources/nginx/nginx.conf目录修改nginx.conf配置文件。默认nginx则进入/usr/local/nginx/conf/nginx.conf。修改为如下。
proxy_buffer_size 128k; # 设置代理缓冲区大小
proxy_buffers 4 256k; # 设置缓冲区数量和大小
proxy_busy_buffers_size 256k; # 设置在繁忙情况下使用的缓冲区大小
proxy_temp_path /usr/local/nginx/proxy_temp; # 设置临时文件路径8.重启nginx服务或WAF防火墙。
#重启nginx
sudo systemctl restart nginx
#重启雷池WAF
docker compose down --remove-orphans
docker load -i image.tar.gz
docker compose up -d开启日志调试跟踪
注:开启日志debug模式能记录nginx代理的每个操作,有助于排查问题。
1.编辑/usr/local/nginx/conf/nginx.conf 。
user root;
worker_processes auto;
error_log /usr/local/nginx/logs/error.log debug; #加入debug以开启debug模式
pid /run/nginx.pid;
http {
server {
}
}
}
评论区