nginx配置

基本概念

路由

Nginx的路由主要体现在其配置文件的http块、server块和location块中。请求的处理流程大致是:请求到达 -> 根据监听端口和 Host 头匹配到合适的server块(没有匹配时落到该端口的默认server) -> 在该server块中按 location 匹配规则(精确匹配 > 最长前缀 > 正则)选出处理该 URI 的location块 -> 由该location块内的指令(proxy_pass、root 等)处理请求。

docker部署

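# The top-level `version` key is ignored by the Compose specification (docker
# compose v2); it is kept only for older docker-compose binaries.
version: '3'

services:
  nginx:
    container_name: nginx
    # NOTE(review): `latest` is a moving tag. Pin a version or an @sha256
    # digest so a rebuild cannot silently pull a different image.
    image: nginx:latest
    environment:
      - TZ=Asia/Shanghai
    ulimits:
      core: -1
    # Bridge networking: inside this container 127.0.0.1 is the container
    # itself, so a `proxy_pass http://127.0.0.1:<port>` only reaches a service
    # running in the same container. Only the ports listed below are
    # published on the host; listeners on other ports (80/443/9000/9001) are
    # not reachable from outside unless they are added here.
    network_mode: bridge
    ports:
      # Quoted on purpose: port mappings are strings, and an unquoted
      # host:container pair below 60 parses as a sexagesimal integer in YAML 1.1.
      - "7777:7777"
    restart: always
    volumes: # for run
      # /etc/nginx is mounted whole, so certificate/key paths referenced by the
      # server blocks (/etc/nginx/ssl/...) must live under ./data/conf/ssl.
      # Keep private keys out of version control and readable by root only.
      - ./data/conf:/etc/nginx
      - ./data/html:/usr/share/nginx/html
      - ./data/logs:/var/log/nginx

    # volumes: # for copy data
    #   - ./data:/data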
    

配置示例

指向内部服务

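# /etc/nginx/conf.d/some_server.conf
# TLS front end that forwards /hh/ to a plaintext HTTP service.
server {
    listen       443 ssl;
    listen  [::]:443 ssl;
    server_name  localhost;

    # Self-signed pair for local testing only; clients will not trust it.
    ssl_certificate /etc/nginx/ssl/selfsigned.crt;
    ssl_certificate_key /etc/nginx/ssl/selfsigned.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    # Explicit ECDHE/DHE AEAD suites (same list as the static-site example in
    # this file). The previous "HIGH:!aNULL:!MD5" still admitted TLS 1.2 suites
    # with static RSA key exchange (no forward secrecy) and CBC ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Leaving this commented does not disable logging: the access_log setting
    # of the enclosing http block (nginx's default) still applies.
    #access_log  /var/log/nginx/host.access.log  main;

    location /hh/ {
        # Upstream plain-HTTP service. The trailing "/" on proxy_pass makes
        # nginx strip the /hh/ prefix before forwarding.
        # NOTE(review): when this nginx runs in a bridge-network container,
        # 127.0.0.1 is the container itself, not the docker host.
        proxy_pass http://127.0.0.1:8000/;
        # Forwarding headers. The backend must only trust X-Real-IP /
        # X-Forwarded-For for requests that really arrived through this proxy:
        # $proxy_add_x_forwarded_for appends to, rather than replaces, any
        # X-Forwarded-For the client sent, so the leading entries are untrusted.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Re-add the /hh/ prefix to relative Location headers the backend
        # emits, so its redirects stay under this location.
        proxy_redirect / /hh/;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}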

静态文件

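# /etc/nginx/conf.d/some_server.conf
# Plain-HTTP listener: permanently redirect every request to HTTPS.
server {
    listen 80;
    server_name example.com;

    # Build the redirect from $server_name rather than $host: $host comes from
    # the client-supplied Host header, and because this is the only :80 server
    # (hence the default one) a request carrying "Host: attacker.example"
    # would be answered with a 301 to that attacker host (open redirect).
    return 301 https://$server_name$request_uri;
}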

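# HTTPS listener serving a static site.
server {
    # Port 443 with TLS and HTTP/2. (On nginx >= 1.25.1 the listen-level
    # `http2` flag is deprecated in favour of a separate `http2 on;` directive.)
    listen 443 ssl http2;
    server_name example.com;

    # --- Certificate (must be changed) ---
    ssl_certificate     /etc/nginx/ssl/cert.pem;  # certificate chain (public)
    ssl_certificate_key /etc/nginx/ssl/key.key;   # private key: root-only, never in VCS

    # --- TLS parameters ---
    # Server-side session cache for resumption; tickets are disabled because
    # nginx's default ticket key lives for the process lifetime and is not
    # rotated, which weakens forward secrecy for resumed sessions.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;  # TLS 1.0/1.1 disabled
    # ECDHE/DHE AEAD suites only: forward secrecy for every TLS 1.2 handshake.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # With an AEAD-only list the client's preference is acceptable; letting the
    # client choose favours CHACHA20 on devices without AES hardware.
    ssl_prefer_server_ciphers off;

    # HSTS: browsers that have seen this header go straight to HTTPS instead of
    # relying on the :80 redirect. Browsers remember it for max-age, so start
    # with a short value if unsure; `always` also emits it on error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # --- Static files ---
    location / {
        root /var/www/my-site;  # document root
        index index.html index.htm;

        # For a single-page app (Vue/React) uncomment the line below
        # try_files $uri $uri/ /index.html;
    }

    # Optional: per-site logs
    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;
}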

反向代理

主要用于将外部的https流量,由nginx完成TLS终止(解密)之后,以http转发到内部服务;有些服务不能直接支持https,可以使用这种方式。注意nginx与内部服务之间的这一段是明文http,应只在受信任的内网中使用,并且内部服务应只信任来自nginx的X-Forwarded-*/X-Real-IP头。

minio的反向代理配置

关键点

  • websocket升级
  • S3 API的反向代理。
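# MinIO S3 API behind TLS termination.
server {
    listen       9000 ssl;
    listen  [::]:9000 ssl;
    server_name  yourhost.com;

    ssl_certificate /etc/nginx/ssl/yourhost.com_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/yourhost.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE/DHE AEAD suites only (same list as the static-site example in this
    # file); "HIGH:!aNULL:!MD5" still allowed static-RSA and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # access_log  /var/log/nginx/host.access.log  main;

    # Object uploads stream through this server; nginx's default
    # client_max_body_size of 1m would reject larger PUTs with 413.
    # 0 disables nginx's limit (MinIO enforces its own object-size limits).
    client_max_body_size 0;
    # Stream bodies instead of spooling them to disk, so large objects neither
    # fill the proxy's temp space nor wait until fully received.
    proxy_buffering off;
    proxy_request_buffering off;
    # S3 clients may send headers containing underscores; nginx drops such
    # headers by default.
    ignore_invalid_headers off;

    # S3 reverse proxy
    location / {
      # Host must be forwarded unchanged: it is one of the headers covered by
      # the AWS SigV4 signature, so rewriting it breaks every signed request.
      proxy_set_header Host $http_host;
      # Client-address headers: MinIO should only trust these when the request
      # arrived via this proxy; $proxy_add_x_forwarded_for appends to, rather
      # than replaces, a client-supplied X-Forwarded-For.
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
      proxy_http_version 1.1;
      proxy_set_header Connection "";
      chunked_transfer_encoding off;
      proxy_connect_timeout 300;

      # Plaintext hop to MinIO: keep this on a trusted network segment.
      proxy_pass http://172.111.20.10:9000/;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}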

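# MinIO web console behind TLS termination.
server {
    listen       9001 ssl;
    listen  [::]:9001 ssl;
    # Same host/certificate as the S3 API server above (the original had a
    # "youhost.com" typo here that did not match the :9000 server).
    server_name  yourhost.com;

    ssl_certificate /etc/nginx/ssl/yourhost.com_bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/yourhost.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE/DHE AEAD suites only (same list as the static-site example in this
    # file); "HIGH:!aNULL:!MD5" still allowed static-RSA and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # access_log  /var/log/nginx/host.access.log  main;

    # The console uploads objects through the browser; lift nginx's default
    # 1m body limit so those uploads are not rejected with 413.
    client_max_body_size 0;

    location / {
      # Host is signed by the console's S3 calls as well; forward it unchanged.
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-NginX-Proxy true;

      # NOTE(review): real_ip_header only takes effect together with a
      # set_real_ip_from directive listing the trusted upstream proxy
      # addresses; with none configured (as here) this line is a no-op. Never
      # use set_real_ip_from 0.0.0.0/0 - any client could then spoof its
      # address via X-Real-IP.
      real_ip_header X-Real-IP;
      proxy_connect_timeout 300;

      # WebSocket upgrade, required by MinIO console versions released after
      # January 2023.
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      # Some environments may encounter CORS errors (Kubernetes + Nginx Ingress)
      # Uncomment the following line to set the Origin request to an empty string
      # proxy_set_header Origin '';
      chunked_transfer_encoding off;
      # Plaintext hop to MinIO: keep this on a trusted network segment.
      proxy_pass http://172.111.20.10:9001/;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}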

UI

试了一下,功能非常丰富,可以用来做nginx的可视化工具:0xJacky/nginx-ui: Yet another WebUI for Nginx 默认用户名/密码:(此处未记录。该界面可以直接修改nginx配置与证书,部署后请立即设置强密码,并把管理端口限制为仅本机/内网可访问。)

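services:
  nginx-ui:
    stdin_open: true
    tty: true
    container_name: host_nginx_ui
    # NOTE(review): pin a version or @sha256 digest instead of `latest`; this
    # image gets write access to the nginx config and the TLS private keys.
    image: common/nginx-ui:latest
    environment:
      - TZ=Asia/Shanghai
    # `restart` was declared twice in the original (duplicate key, last one
    # wins in most parsers); keep a single declaration.
    restart: always
    # Host networking exposes the nginx-ui management port on every host
    # interface with no network isolation. Firewall it to localhost/VPN.
    # NOTE(review): nginx-ui's upstream default port is 9000, which would
    # collide with the MinIO :9000 listener configured in this file - verify.
    network_mode: host
    volumes: # for run
      - ./data/conf:/etc/nginx
      - ./data/ui:/etc/nginx-ui
      - ./data/html:/usr/share/nginx/html
      - ./data/logs:/var/log/nginx
      # Private keys: keep this directory root-only on the host.
      - /volume2/docker/license/tsl:/etc/nginx/ssl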