nginx 常用配置
常用命令
检测配置文件是否正确
bash
# Parse and validate the configuration files without applying them.
# The exit status is non-zero when the configuration is invalid.
nginx -t
重载 nginx 配置
bash
# Signal the running master process to re-read the configuration.
# Run `nginx -t` first so a broken file is caught before the reload is requested.
nginx -s reload
常用配置
支持 https
nginx
server {
    # HTTPS virtual host: TLS on port 443, with HTTP/2 enabled on the same listener.
    listen 443 ssl http2;
    server_name python-abc.xyz;

    # Certificate file presented to clients.
    # NOTE(review): the "_bundle" name suggests it includes the intermediate chain; confirm.
    ssl_certificate /etc/nginx/ssl/python-abc.xyz_bundle.crt;
    # Private key for the certificate; keep it readable only by the account that starts nginx.
    ssl_certificate_key /etc/nginx/ssl/python-abc.xyz.key;

    # Accept TLS 1.2 and TLS 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher list in OpenSSL syntax. It governs TLS 1.2 and below; TLS 1.3 suites
    # are selected separately by the TLS library.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    # Prefer the server's cipher order over the client's.
    ssl_prefer_server_ciphers on;

    # How long a client may reuse cached session parameters.
    ssl_session_timeout 5m;
    # ...
}
- 监听 443 端口
- 配置 https 证书
支持 http2
nginx
server {
    # Appending "http2" to the listen directive enables HTTP/2 on this TLS listener.
    # NOTE(review): newer nginx releases add a separate `http2 on;` directive and
    # deprecate this listen parameter; check the version in use.
    listen 443 ssl http2;
    # ...
}
- 在 listen 语句中加上
http2
即可
不缓存 index.html
nginx
server {
    # ...
    # Exact-match location: applies to /index.html only, not to other assets.
    location = /index.html {
        # Tell browsers and intermediaries not to store or reuse the entry page.
        # add_header directives from the server level are inherited only when a
        # location defines none of its own, so any security headers set above
        # (HSTS, CSP, ...) must be repeated here to stay on this response.
        add_header Cache-Control "no-cache, no-store";
        root /data/app/dist/;
    }
    # ...
}
http 转 https
方法1
nginx
# Rewrites the scheme in the "Location" and "Refresh" headers of proxied responses
# from http:// to https://. This only corrects redirects issued by the upstream;
# it does not by itself redirect clients that connect over plain HTTP.
proxy_redirect http:// https://;
方法2
nginx
# Permanent redirect to the same URI over HTTPS; belongs in the server block that
# listens on port 80. $server_name is taken from this server block's configuration,
# not from the client-supplied Host header.
return 301 https://$server_name$request_uri;
跨域
nginx
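server {
    # ...
    # CORS response headers, set at server level.
    #
    # Browsers reject "Access-Control-Allow-Origin: *" on credentialed requests, so the
    # trusted front-end origin is named explicitly. The value below is a placeholder:
    # replace it with the real origin. Do not echo the request's Origin header back
    # together with Allow-Credentials, because any site could then read authenticated
    # responses. For a public API without cookies, use '*' and remove the
    # Allow-Credentials line instead.
    add_header 'Access-Control-Allow-Origin' 'https://frontend.example.com';
    # Header name fixed: it was spelled "Allow_Credentials" (underscore), which browsers ignore.
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';
    # Without the "always" parameter, add_header is applied only to successful and
    # redirect responses, so error responses carry no CORS headers.
    # ...
}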
- 配置在 server 层级
- 如果报如下错误:
- Access to XMLHttpRequest at 'http://xxx' from origin 'http://yyy' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
- 则修改前端的
withCredentials: true
为 false - https://stackoverflow.com/questions/42803394/cors-credentials-mode-is-include
- 如果请求确实需要携带凭据(如 cookie),则不要使用通配符 '*',而应把 Access-Control-Allow-Origin 设置为具体的可信来源
支持 websocket
nginx
location /ws/ {
    # WebSocket handshake: speak HTTP/1.1 to the backend and pass the Upgrade and
    # Connection headers explicitly, since hop-by-hop headers are not forwarded
    # by default.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Backend WebSocket service on the loopback interface.
    # NOTE(review): nothing here validates the Origin header; the backend must check
    # it if the socket relies on cookie authentication. Confirm.
    proxy_pass http://127.0.0.1:9000;

    # Optional timeout overrides, left disabled.
    #proxy_read_timeout 600s;
    #proxy_connect_timeout 600;
    #proxy_send_timeout 600s;
}
支持 sse
nginx
location /api/v1/sse/ {
    # Server-sent events endpoint, handed to the uWSGI backend on loopback.
    include uwsgi_params;
    uwsgi_pass 127.0.0.1:8000;

    # Stream the response to the client as it arrives instead of buffering it.
    uwsgi_buffering off;
    chunked_transfer_encoding off;

    # NOTE(review): the proxy_* directives below belong to the proxy module and
    # appear to have no effect in a uwsgi_pass location. Confirm before relying on them.
    proxy_http_version 1.1;
    proxy_set_header Connection '';
    proxy_cache off;
    #proxy_buffering off;
}
uwsgi 转发
nginx
location /api/ {
    # Forward every request under /api/ to the uWSGI application on loopback.
    uwsgi_pass 127.0.0.1:8000;
    include uwsgi_params;

    # Allow up to 300 seconds between successive reads from, or writes to, the backend.
    uwsgi_send_timeout 300s;
    uwsgi_read_timeout 300s;
}
代理静态文件
nginx
location /qrcode/ {
    # alias replaces the matched prefix: /qrcode/x is served from /popop/qrcode/x.
    # Keep the trailing slash on both the location and the alias path; a mismatch
    # lets requests resolve outside the intended directory.
    alias /popop/qrcode/;
}
location /log/ {
    # root appends the full request URI: /log/x is served from /var/www/html/log/x.
    # NOTE(review): if this directory holds application logs, restrict who can read
    # it (allow/deny or auth_basic). Confirm what is published here.
    root /var/www/html/;
}
示例配置
nginx
upstream prometheus-server {
    # Single backend: the Prometheus instance listening on loopback port 9090.
    server 127.0.0.1:9090;
}
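server {
    # Reverse proxy in front of the "prometheus-server" upstream.
    #
    # NOTE(review): port 80 serves the same content in clear text. Consider moving
    # "listen 80" into a separate server block that contains only
    # `return 301 https://$server_name$request_uri;`.
    listen 80;
    listen 443 ssl;
    server_name prometheus.baidu.com;

    # The "main" log format is not built in; it has to be defined with log_format
    # in the http block.
    access_log /data/logs/nginx/prometheus-access.log main;
    error_log /data/logs/nginx/prometheus-error.log notice;

    ssl_certificate /etc/nginx/httpskey/baidu.com.crt;
    ssl_certificate_key /etc/nginx/httpskey/baidu.com.key;
    ssl_session_timeout 300s;
    # Accept TLS 1.2 and 1.3 only. SSLv2, SSLv3 and TLS 1.1 were listed here before;
    # they are obsolete and expose clients to downgrade attacks, so they are removed.
    ssl_protocols TLSv1.2 TLSv1.3;
    # NOTE(review): this cipher list is broad (whole ECDHE/ECDH/AES/HIGH groups);
    # consider narrowing it to AEAD suites.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        # NOTE(review): no access control is visible in this block. Unless it is
        # enforced elsewhere, add allow/deny rules or auth_basic before exposing
        # a metrics UI.

        # Pass the original host and client address to the backend.
        # X-Real-IP was set twice in the original; the duplicate is dropped.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://prometheus-server;

        # Short timeouts (seconds) for connecting to, sending to and reading from the backend.
        proxy_connect_timeout 5;
        proxy_send_timeout 5;
        proxy_read_timeout 5;
    }
}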