Nginx Common Configuration Explained

Nginx Common Configuration Explained (Part 1)

This article describes the commonly used nginx directives following the official nginx documentation; it has not been proofread, so please forgive any errors.

General nginx configuration syntax

The most basic nginx configuration syntax:

directive_name value1 [value2 ...];
The directive name starts the line, the values are separated from the name and from each other by spaces, and every configuration line must end with a semicolon.

# directive_name value1 [value2 ...];
# a leading "#" comments out the line

nginx configuration is divided into blocks. The main block holds the global configuration, which every sub-block inherits; each sub-block also has its own directives.

main block: main (global) configuration
    events {
        ...
    }  event-driven configuration block
    http {
        ...
    }  block for the http/https protocol
    mail {
        ...
    }  mail-server block
    stream {
        ...
    }  stream-server block

Main block configuration

The main block directives fall into four functional groups:

  1. Directives required for normal operation
  2. Performance-related directives
  3. Debugging and troubleshooting directives
  4. Event-driven directives

I. Directives required for normal operation

user

Syntax: user user [group];
Default: user nobody nobody;
Context: main

Defines user and group credentials used by worker processes. If group is omitted, a group whose name equals that of user is used.

pid

Syntax: pid file;
Default: pid nginx.pid;
Context: main

Defines a file that will store the process ID of the main (master) process.

include

Syntax: include file | mask;
Default: —
Context: any

Includes another file, or files matching the specified mask, into configuration. Included files should consist of syntactically correct directives and blocks.
The file can be given as an exact name or as a name containing wildcards, and as an absolute or a relative path; a relative path is resolved against the directory of the main configuration file (the directory containing nginx.conf).

load_module

Syntax: load_module file;
Default: —
Context: main
This directive appeared in version 1.9.11.

Loads a dynamic module. This directive is only available in nginx 1.9.11 and later.

II. Performance-related directives

worker_processes

Syntax: worker_processes number | auto;
Default: worker_processes 1;
Context: main

Defines the number of worker processes.

The optimal value depends on many factors including (but not limited to) the number of CPU cores, the number of hard disk drives that store data, and load pattern. When one is in doubt, setting it to the number of available CPU cores would be a good start (the value “auto” will try to autodetect it).

worker_cpu_affinity

Syntax: worker_cpu_affinity cpumask ...;
        worker_cpu_affinity auto [cpumask];
Default: —
Context: main

Binds worker processes to the sets of CPUs. Each CPU set is represented by a bitmask of allowed CPUs. There should be a separate set defined for each of the worker processes. By default, worker processes are not bound to any specific CPUs. (Each bit of a cpumask stands for one CPU core, counting from the rightmost bit as CPU0.)
For example:
The host has four cores; four worker processes are created, each bound to its own CPU:

worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;

The host has four cores; two worker processes are created, the first bound to CPU0/CPU2 and the second to CPU1/CPU3:

worker_processes 2;
worker_cpu_affinity 0101 1010;

Automatic binding:

worker_processes auto;
worker_cpu_affinity auto;

Automatic binding restricted to a subset of CPUs:

worker_cpu_affinity auto 01010101;
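The masks above are easy to get wrong by hand: one mask too few for the worker count, or a stray character in a mask, and nginx refuses the configuration. As an added illustration (this is example code, not nginx source and not from the original article), the following Python reads the two numeric examples above and turns each cpumask into the set of CPU indices it allows, rejecting a mask count that differs from worker_processes. The function names and the embedded configuration strings are this example's own; the "auto" form is deliberately not handled.

```python
"""Parse worker_cpu_affinity bitmasks: bit i, counted from the rightmost
character as bit 0, allows CPU i for the corresponding worker process.
Example code only; it is not part of nginx or of the original article.
"""
import re


def parse_cpumask(mask: str) -> set[int]:
    """Return the CPU indices whose bit is 1 in `mask` (rightmost bit = CPU0)."""
    if not mask or any(ch not in "01" for ch in mask):
        raise ValueError(f"invalid cpumask {mask!r}: only 0/1 characters are allowed")
    return {i for i, ch in enumerate(reversed(mask)) if ch == "1"}


def check_affinity(worker_processes: int, masks: list[str]) -> list[set[int]]:
    """Require exactly one mask per worker process and return the CPU set of each."""
    if len(masks) != worker_processes:
        raise ValueError(
            f"{len(masks)} cpumasks given for {worker_processes} worker processes"
        )
    return [parse_cpumask(m) for m in masks]


def affinity_from_config(conf: str) -> list[set[int]]:
    """Extract numeric worker_processes and bitmask worker_cpu_affinity from a main-block snippet.
    The 'auto' forms are not parsed here (assumption of this example)."""
    wp = re.search(r"^\s*worker_processes\s+(\d+)\s*;", conf, re.M)
    aff = re.search(r"^\s*worker_cpu_affinity\s+([01\s]+);", conf, re.M)
    if not wp or not aff:
        raise ValueError("need numeric worker_processes and bitmask worker_cpu_affinity")
    return check_affinity(int(wp.group(1)), aff.group(1).split())


# Constructed snippets: the two manual examples from the text above.
FOUR_WORKERS = "worker_processes 4;\nworker_cpu_affinity 0001 0010 0100 1000;\n"
TWO_WORKERS = "worker_processes 2;\nworker_cpu_affinity 0101 1010;\n"

if __name__ == "__main__":
    for conf in (FOUR_WORKERS, TWO_WORKERS):
        for idx, cpus in enumerate(affinity_from_config(conf)):
            print(f"worker {idx} -> CPUs {sorted(cpus)}")
```

Running the script prints one line per worker; feeding it a snippet such as three workers with two masks raises a ValueError, which is the same mismatch nginx would reject at start-up.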

worker_priority

Syntax: worker_priority number;
Default: worker_priority 0;
Context: main

Defines the scheduling priority for worker processes like it is done by the nice command: a negative number means higher priority. Allowed range normally varies from -20 to 20.

worker_rlimit_nofile

Syntax: worker_rlimit_nofile number;
Default: —
Context: main

Changes the limit on the maximum number of open files (RLIMIT_NOFILE) for worker processes. Used to increase the limit without restarting the main process.

III. Debugging and troubleshooting directives

daemon

Syntax: daemon on | off;
Default: daemon on;
Context: main

Determines whether nginx should become a daemon. Mainly used during development.

master_process

Syntax: master_process on | off;
Default: master_process on;
Context: main

Determines whether worker processes are started. This directive is intended for nginx developers.

error_log

Syntax: error_log file [level];
Default: error_log logs/error.log error;
Context: main, http, mail, stream, server, location

Configures logging. Several logs can be specified on the same level (1.5.2). If on the main configuration level writing a log to a file is not explicitly defined, the default file will be used.

The first parameter defines a file that will store the log. The special value stderr selects the standard error file. Logging to syslog can be configured by specifying the “syslog:” prefix. Logging to a cyclic memory buffer can be configured by specifying the “memory:” prefix and buffer size, and is generally used for debugging (1.7.11).

The second parameter determines the level of logging, and can be one of the following: debug, info, notice, warn, error, crit, alert, or emerg. Log levels above are listed in the order of increasing severity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged. For example, the default level error will cause error, crit, alert, and emerg messages to be logged. If this parameter is omitted then error is used.

IV. Event-driven directives

Event-driven directives are placed in the events block:

events {
    ...
}

worker_connections

Syntax: worker_connections number;
Default: worker_connections 512;
Context: events

Sets the maximum number of simultaneous connections that can be opened by a worker process.

It should be kept in mind that this number includes all connections (e.g. connections with proxied servers, among others), not only connections with clients. Another consideration is that the actual number of simultaneous connections cannot exceed the current limit on the maximum number of open files, which can be changed by worker_rlimit_nofile.

use

Syntax: use method;
Default: —
Context: events

Specifies the connection processing method to use. There is normally no need to specify it explicitly, because nginx will by default use the most efficient method.

accept_mutex

Syntax: accept_mutex on | off;
Default: accept_mutex off;
Context: events

If accept_mutex is enabled, worker processes will accept new connections by turn. Otherwise, all worker processes will be notified about new connections, and if volume of new connections is low, some of the worker processes may just waste system resources.

accept_mutex_delay

Syntax: accept_mutex_delay time;
Default: accept_mutex_delay 500ms;
Context: events

If accept_mutex is enabled, specifies the maximum time during which a worker process will try to restart accepting new connections if another worker process is currently accepting new connections.

http block configuration

The http block sits inside the main configuration; its overall layout is:

http {
    ...
    server {
        ...
        server_name
        root
        location [OPERATOR] /uri/ {
            ...
        }
    }
    server {
        ...
    }
}

The http block directives can be grouped by function into roughly the following five categories:

  1. Socket-related directives
  2. Path-related directives
  3. Client-request directives
  4. Client-limiting directives
  5. File-operation optimization directives

I. Socket-related directives

server

Syntax: server { ... }
Default: —
Context: http

Sets configuration for a virtual server. There is no clear separation between IP-based (based on the IP address) and name-based (based on the “Host” request header field) virtual servers. Instead, the listen directives describe all addresses and ports that should accept connections for the server, and the server_name directive lists all server names.

listen

Syntax: listen address[:port] [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
        listen port [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
        listen unix:path [default_server] [ssl] [http2 | spdy] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
Default: listen *:80 | *:8000;
Context: server

Sets the address and port for IP, or the path for a UNIX-domain socket on which the server will accept requests. Both address and port, or only address or only port can be specified. An address may also be a hostname.
For example:

listen 127.0.0.1:8000;
listen 127.0.0.1;
listen 8000;
listen *:8000;
listen localhost:8000;

UNIX-domain sockets (0.8.21) are specified with the “unix:” prefix:

listen unix:/var/run/nginx.sock;

Because listen has many parameters and most of them are not needed at this stage, only the commonly used ones are explained briefly.

default_server

The default_server parameter, if present, will cause the server to become the default server for the specified address:port pair. If none of the directives have the default_server parameter then the first server with the address:port pair will be the default server for this pair.

ssl

The ssl parameter (0.7.14) allows specifying that all connections accepted on this port should work in SSL mode. This allows for a more compact configuration for the server that handles both HTTP and HTTPS requests.

http2

The http2 parameter (1.9.5) configures the port to accept HTTP/2 connections. Normally, for this to work the ssl parameter should be specified as well, but nginx can also be configured to accept HTTP/2 connections without SSL.

spdy

The spdy parameter (1.3.15-1.9.4) allows accepting SPDY connections on this port. Normally, for this to work the ssl parameter should be specified as well, but nginx can also be configured to accept SPDY connections without SSL.

proxy_protocol

The proxy_protocol parameter (1.5.12) allows specifying that all connections accepted on this port should use the PROXY protocol.

backlog

Sets the backlog parameter in the listen() call that limits the maximum length for the queue of pending connections. By default, backlog is set to -1 on FreeBSD, DragonFly BSD, and macOS, and to 511 on other platforms.

rcvbuf

Sets the receive buffer size (the SO_RCVBUF option) for the listening socket.

sndbuf

Sets the send buffer size (the SO_SNDBUF option) for the listening socket.

server_name

Syntax: server_name name ...;
Default: server_name "";
Context: server

Sets names of a virtual server, for example:

server {
    server_name example.com www.example.com;
}

The first name becomes the primary server name.
Server names can include an asterisk (“*”) replacing the first or last part of a name:

server {
    server_name example.com *.example.com www.example.*;
}

The first two of the names mentioned above can be combined in one:

server {
    server_name .example.com;
}

It is also possible to use regular expressions in server names, preceding the name with a tilde (“~”):

server {
    server_name www.example.com ~^www\d+\.example\.com$;
}

Regular expressions can contain captures (0.7.40) that can later be used in other directives:

server {
    server_name ~^(www\.)?(.+)$;

    location / {
        root /sites/$2;
    }
}

server {
    server_name _;

    location / {
        root /sites/default;
    }
}

Named captures in regular expressions create variables (0.8.25) that can later be used in other directives:

server {
    server_name ~^(www\.)?(?<domain>.+)$;

    location / {
        root /sites/$domain;
    }
}

server {
    server_name _;

    location / {
        root /sites/default;
    }
}

If the directive’s parameter is set to “$hostname” (0.9.4), the machine’s hostname is inserted.
It is also possible to specify an empty server name (0.7.11):

server {
    server_name www.example.com "";
}

It allows this server to process requests without the “Host” header field — instead of the default server — for the given address:port pair. This is the default setting.

Before 0.8.48, the machine’s hostname was used by default.

During searching for a virtual server by name, if the name matches more than one of the specified variants, (e.g. both a wildcard name and regular expression match), the first matching variant will be chosen, in the following order of priority:

  1. the exact name
  2. the longest wildcard name starting with an asterisk, e.g. “*.example.com”
  3. the longest wildcard name ending with an asterisk, e.g. “mail.*”
  4. the first matching regular expression (in order of appearance in the configuration file)
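The priority order above decides which server block answers a given Host header, and a surprising consequence is that any matching wildcard beats any regular expression, however early the regex appears. The following Python walks the four steps over a constructed list of server_name values and returns the index of the winning block (None stands for "fall back to the default server"). This is an added illustration, not nginx source and not from the original article; the function names and the sample server list are this example's own, and the ".example.com" shorthand is expanded as described earlier.

```python
"""Select a virtual server by name following the four-step priority order.
Example code only; not part of nginx or of the original article.
`servers` is one list of server_name values per server block, in configuration order.
"""
import re
from typing import Optional


def expand_names(names: list[str]) -> list[str]:
    """Expand the ".example.com" shorthand into "example.com" and "*.example.com";
    plain names are lower-cased, regular expressions (leading "~") are kept as-is."""
    out = []
    for n in names:
        if n.startswith("~"):
            out.append(n)
        elif n.startswith(".") and len(n) > 1:
            out += [n[1:].lower(), "*" + n.lower()]
        else:
            out.append(n.lower())
    return out


def select_server(host: str, servers: list[list[str]]) -> Optional[int]:
    host = host.lower()
    expanded = [expand_names(names) for names in servers]
    # 1. exact name (the first block in configuration order wins on ties)
    for i, names in enumerate(expanded):
        if any(n == host for n in names if not n.startswith(("*", "~"))):
            return i
    # 2. longest wildcard name starting with an asterisk, e.g. "*.example.com"
    best: Optional[tuple[int, int]] = None  # (name length, server index)
    for i, names in enumerate(expanded):
        for n in names:
            if n.startswith("*.") and host.endswith(n[1:]) and (best is None or len(n) > best[0]):
                best = (len(n), i)
    if best is not None:
        return best[1]
    # 3. longest wildcard name ending with an asterisk, e.g. "mail.*"
    best = None
    for i, names in enumerate(expanded):
        for n in names:
            if n.endswith(".*") and host.startswith(n[:-1]) and (best is None or len(n) > best[0]):
                best = (len(n), i)
    if best is not None:
        return best[1]
    # 4. first matching regular expression, in configuration order
    for i, names in enumerate(expanded):
        for n in names:
            if n.startswith("~"):
                # nginx (PCRE) writes named captures as (?<name>...); Python needs (?P<name>...)
                pattern = re.sub(r"\(\?<(?![=!])", "(?P<", n[1:])
                if re.search(pattern, host):
                    return i
    return None  # no name matched: nginx would use the default server for the address:port


# Constructed configuration: one entry per server block, in file order.
SERVERS = [
    ["www.example.com"],                         # 0: exact name
    ["*.example.com"],                           # 1: leading wildcard
    ["*.shop.example.com"],                      # 2: longer leading wildcard
    ["mail.*"],                                  # 3: trailing wildcard
    ["~^api\\d+\\.example\\.(com|net)$"],        # 4: regular expression
    ["~^(?<env>dev|staging)\\.internal$"],       # 5: regular expression with a named capture
    [""],                                        # 6: empty name: requests without a Host header
]

if __name__ == "__main__":
    for host in ("www.example.com", "api1.example.com", "api1.example.net", "other.org"):
        print(f"{host!r:22} -> server {select_server(host, SERVERS)}")
```

Note the "api1.example.com" case: it satisfies the regex of block 4, but block 1's wildcard is tried first and wins; only "api1.example.net", which no wildcard covers, reaches the regex step.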

tcp_nodelay

Syntax: tcp_nodelay on | off;
Default: tcp_nodelay on;
Context: http, server, location

Enables or disables the use of the TCP_NODELAY option. The option is enabled only when a connection is transitioned into the keep-alive state.

sendfile

Syntax: sendfile on | off;
Default: sendfile off;
Context: http, server, location, if in location

Enables or disables the use of sendfile().
When aio is also enabled on FreeBSD, sendfile() is called with the SF_NODISKIO flag, which causes it not to block on disk I/O but instead report back that the data are not in memory. nginx then initiates an asynchronous data load by reading one byte. On the first read, the FreeBSD kernel loads the first 128K bytes of a file into memory, although next reads will only load data in 16K chunks. This can be changed using the read_ahead directive.

tcp_nopush

Syntax: tcp_nopush on | off;
Default: tcp_nopush off;
Context: http, server, location

Enables or disables the use of the TCP_NOPUSH socket option on FreeBSD or the TCP_CORK socket option on Linux. The options are enabled only when sendfile is used. Enabling the option allows

  • sending the response header and the beginning of a file in one packet, on Linux and FreeBSD 4.*;
  • sending a file in full packets.

II. Path-related directives

root

Syntax: root path;
Default: root html;
Context: http, server, location, if in location

Sets the root directory for requests. For example, with the following configuration

location /i/ {
    root /data/w3;
}

The /data/w3/i/top.gif file will be sent in response to the “/i/top.gif” request.
The path value can contain variables, except $document_root and $realpath_root.

With root, the given directory replaces only the leading “/” of the request URI, so the location prefix (/i/ above) is kept in the file-system path.

alias

Sets an alias for a location; its usage is basically the same as root.
With alias, the given directory replaces the whole location prefix, up to its rightmost “/”, so the prefix is not kept in the file-system path.

location

Syntax: location [ = | ~ | ~* | ^~ ] uri { ... }
        location @name { ... }
Default: —
Context: server, location

Sets configuration depending on a request URI.
The matching is performed against a normalized URI, after decoding the text encoded in the “%XX” form, resolving references to relative path components “.” and “..”, and possible compression of two or more adjacent slashes into a single slash.
A location can either be defined by a prefix string, or by a regular expression. Regular expressions are specified with the preceding “~*” modifier (for case-insensitive matching), or the “~” modifier (for case-sensitive matching). To find location matching a given request, nginx first checks locations defined using the prefix strings (prefix locations). Among them, the location with the longest matching prefix is selected and remembered. Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used.
location blocks can be nested, with some exceptions mentioned below.

Regular expressions can contain captures (0.7.40) that can later be used in other directives.
If the longest matching prefix location has the “^~” modifier then regular expressions are not checked.
Also, using the “=” modifier it is possible to define an exact match of URI and location. If an exact match is found, the search terminates. For example, if a “/” request happens frequently, defining “location = /” will speed up the processing of these requests, as search terminates right after the first comparison. Such a location cannot obviously contain nested locations.

Let’s illustrate the above by an example:

location = / {
    [ configuration A ]
}

location / {
    [ configuration B ]
}

location /documents/ {
    [ configuration C ]
}

location ^~ /images/ {
    [ configuration D ]
}

location ~* \.(gif|jpg|jpeg)$ {
    [ configuration E ]
}

The “/” request will match configuration A, the “/index.html” request will match configuration B, the “/documents/document.html” request will match configuration C, the “/images/1.gif” request will match configuration D, and the “/documents/1.jpg” request will match configuration E.
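The selection rules above (exact match first, longest prefix remembered, "^~" stopping the regex search, regexes in file order) are what decide which configuration a request lands in, and the normalization step matters for security: "/images/%2E%2E/documents/1.jpg" is matched as "/documents/1.jpg", not as something under /images/. The following Python is an added illustration (not nginx source and not from the original article) that normalizes a URI as the text describes and then runs the five locations A to E over it; the function names are this example's own. It goes slightly beyond the page's cases by also exercising "~*" case-insensitivity and the normalization of encoded and doubled slashes.

```python
"""Pick the location block for a request URI following the rules described above.
Example code only; not part of nginx or of the original article.
A location is (modifier, pattern, label) with modifier in "", "=", "^~", "~", "~*".
"""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# The page's example, in configuration-file order.
PAGE_LOCATIONS = [
    ("=", "/", "A"),
    ("", "/", "B"),
    ("", "/documents/", "C"),
    ("^~", "/images/", "D"),
    ("~*", r"\.(gif|jpg|jpeg)$", "E"),
]


def normalize_uri(uri: str) -> str:
    """Decode %XX, collapse repeated slashes and resolve "." / ".." before matching."""
    decoded = unquote(uri)
    collapsed = re.sub(r"/+", "/", decoded)
    normalized = posixpath.normpath(collapsed)
    if collapsed.endswith("/") and not normalized.endswith("/"):
        normalized += "/"  # normpath drops a trailing slash; nginx keeps it
    return normalized


def select_location(uri: str, locations: list[tuple[str, str, str]]) -> Optional[str]:
    uri = normalize_uri(uri)
    best: Optional[tuple[int, str, str]] = None  # (prefix length, modifier, label)
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label  # exact match: the search ends immediately
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > best[0]:
                best = (len(pat), mod, label)  # remember the longest matching prefix
    if best is not None and best[1] == "^~":
        return best[2]  # "^~" on the longest prefix: regular expressions are skipped
    for mod, pat, label in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return label  # first matching regex wins
    return best[2] if best is not None else None


if __name__ == "__main__":
    for req in ("/", "/index.html", "/documents/document.html", "/images/1.gif",
                "/documents/1.jpg", "//images//1.gif", "/images/%2E%2E/documents/1.jpg"):
        print(f"{req:35} -> {select_location(req, PAGE_LOCATIONS)}")
```

The last two requests show why rules written against the raw request line can be bypassed: a prefix location that only sees "/images/" would still be the apparent target, but after normalization the request is served by E, the regex location, exactly as a plain "/documents/1.jpg" would be.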
The “@” prefix defines a named location. Such a location is not used for a regular request processing, but instead used for request redirection. They cannot be nested, and cannot contain nested locations.

If a location is defined by a prefix string that ends with the slash character, and requests are processed by one of proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass, or memcached_pass, then the special processing is performed. In response to a request with URI equal to this string, but without the trailing slash, a permanent redirect with the code 301 will be returned to the requested URI with the slash appended. If this is not desired, an exact match of the URI and location could be defined like this:

location /user/ {
    proxy_pass http://user.example.com;
}

location = /user {
    proxy_pass http://login.example.com;
}

index

Syntax: index file ...;
Default: index index.html;
Context: http, server, location

Defines files that will be used as an index. The file name can contain variables. Files are checked in the specified order. The last element of the list can be a file with an absolute path. Example:

index index.$geo.html index.0.html /index.html;

It should be noted that using an index file causes an internal redirect, and the request can be processed in a different location. For example, with the following configuration:

location = / {
    index index.html;
}

location / {
    ...
}

a “/” request will actually be processed in the second location as “/index.html”.

error_page

Syntax: error_page code ... [=[response]] uri;
Default: —
Context: http, server, location, if in location

Defines the URI that will be shown for the specified errors. A uri value can contain variables.

Example:

error_page 404             /404.html;
error_page 500 502 503 504 /50x.html;

This causes an internal redirect to the specified uri with the client request method changed to “GET” (for all methods other than “GET” and “HEAD”).
Furthermore, it is possible to change the response code to another using the “=response” syntax, for example:

error_page 404 =200 /empty.gif;

If an error response is processed by a proxied server or a FastCGI/uwsgi/SCGI server, and the server may return different response codes (e.g., 200, 302, 401 or 404), it is possible to respond with the code it returns:

error_page 404 = /404.php;

If there is no need to change URI and method during internal redirection it is possible to pass error processing into a named location:

location / {
    error_page 404 = @fallback;
}

location @fallback {
    proxy_pass http://backend;
}

If uri processing leads to an error, the status code of the last occurred error is returned to the client.
It is also possible to use URL redirects for error processing:

error_page 403      http://example.com/forbidden.html;
error_page 404 =301 http://example.com/notfound.html;

In this case, by default, the response code 302 is returned to the client. It can only be changed to one of the redirect status codes (301, 302, 303, 307, and 308).
These directives are inherited from the previous level if and only if there are no error_page directives defined on the current level.

try_files

Syntax: try_files file ... uri;
        try_files file ... =code;
Default: —
Context: server, location

Checks the existence of files in the specified order and uses the first found file for request processing; the processing is performed in the current context. The path to a file is constructed from the file parameter according to the root and alias directives. It is possible to check directory’s existence by specifying a slash at the end of a name, e.g. “$uri/”. If none of the files were found, an internal redirect to the uri specified in the last parameter is made. For example:

location /images/ {
    try_files $uri /images/default.gif;
}

location = /images/default.gif {
    expires 30s;
}

III. Client-request directives

keepalive_timeout

Syntax: keepalive_timeout timeout [header_timeout];
Default: keepalive_timeout 75s;
Context: http, server, location

The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field. Two parameters may differ.
The “Keep-Alive: timeout=time” header field is recognized by Mozilla and Konqueror. MSIE closes keep-alive connections by itself in about 60 seconds.

keepalive_requests

Syntax: keepalive_requests number;
Default: keepalive_requests 100;
Context: http, server, location
This directive appeared in version 0.8.0.

Sets the maximum number of requests that can be served through one keep-alive connection. After the maximum number of requests are made, the connection is closed.

keepalive_disable

Syntax: keepalive_disable none | browser ...;
Default: keepalive_disable msie6;
Context: http, server, location

Disables keep-alive connections with misbehaving browsers. The browser parameters specify which browsers will be affected. The value msie6 disables keep-alive connections with old versions of MSIE, once a POST request is received. The value safari disables keep-alive connections with Safari and Safari-like browsers on macOS and macOS-like operating systems. The value none enables keep-alive connections with all browsers.

send_timeout

Syntax: send_timeout time;
Default: send_timeout 60s;
Context: http, server, location

Sets a timeout for transmitting a response to the client. The timeout is set only between two successive write operations, not for the transmission of the whole response. If the client does not receive anything within this time, the connection is closed.

client_body_buffer_size

Syntax: client_body_buffer_size size;
Default: client_body_buffer_size 8k|16k;
Context: http, server, location

Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. By default, buffer size is equal to two memory pages. This is 8K on x86, other 32-bit platforms, and x86-64. It is usually 16K on other 64-bit platforms.

client_body_temp_path

Syntax: client_body_temp_path path [level1 [level2 [level3]]];
Default: client_body_temp_path client_body_temp;
Context: http, server, location

Defines a directory for storing temporary files holding client request bodies. Up to three-level subdirectory hierarchy can be used under the specified directory. For example, in the following configuration

client_body_temp_path /spool/nginx/client_temp 1 2;

a path to a temporary file might look like this:

/spool/nginx/client_temp/7/45/00000123457

client_body_temp_path /var/tmp/client_body 2 1 1;

Each level value gives the number of hex digits in the subdirectory name at that level (up to three levels): 1 means one hex digit (0-f), 2 means two hex digits (00-ff).
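The hierarchy is built from the temporary file's own name: each level takes the next one or two hex digits from the right end of the name, which is how the "1 2" configuration above yields /7/45/ for file 00000123457. The following Python is an added illustration (not nginx source and not from the original article) that derives the path for any level list and counts the leaf directories the files are spread over; the function names are this example's own.

```python
"""Derive client_body_temp_path file locations from the level list.
Example code only; not part of nginx or of the original article.
Each level width is the number of hex digits taken from the END of the
file name for that level, outermost directory first.
"""


def temp_file_path(base: str, name: str, levels: tuple[int, ...]) -> str:
    """Return base/<level dirs>/name for the given level widths (each 1 or 2, at most three)."""
    if len(levels) > 3 or any(width not in (1, 2) for width in levels):
        raise ValueError("at most three levels, each 1 or 2 hex digits wide")
    if sum(levels) > len(name):
        raise ValueError("file name is shorter than the digits the levels need")
    parts = []
    end = len(name)
    for width in levels:
        parts.append(name[end - width:end])  # next digits from the right
        end -= width
    return "/".join([base.rstrip("/")] + parts + [name])


def directory_count(levels: tuple[int, ...]) -> int:
    """Number of leaf directories the hierarchy can spread files over (16 per hex digit)."""
    total = 1
    for width in levels:
        total *= 16 ** width
    return total


if __name__ == "__main__":
    # Constructed file name taken from the page's example path.
    print(temp_file_path("/spool/nginx/client_temp", "00000123457", (1, 2)))
    print(temp_file_path("/var/tmp/client_body", "00000123457", (2, 1, 1)))
    print(directory_count((1, 2)), directory_count((2, 1, 1)))
```

The directory count is the practical reason for the levels: with "1 2" a busy server spreads its body files over 4096 directories instead of filling one, and "2 1 1" over 65536.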

IV. Client-limiting directives

limit_rate

Syntax: limit_rate rate;
Default: limit_rate 0;
Context: http, server, location, if in location

Limits the rate of response transmission to a client. The rate is specified in bytes per second. The zero value disables rate limiting. The limit is set per a request, and so if a client simultaneously opens two connections, the overall rate will be twice as much as the specified limit.
Rate limit can also be set in the $limit_rate variable. It may be useful in cases where rate should be limited depending on a certain condition:

server {

    if ($slow) {
        set $limit_rate 4k;
    }

    ...
}

Rate limit can also be set in the “X-Accel-Limit-Rate” header field of a proxied server response. This capability can be disabled using the proxy_ignore_headers, fastcgi_ignore_headers, uwsgi_ignore_headers, and scgi_ignore_headers directives.

limit_except

Syntax: limit_except method ... { ... }
Default: —
Context: location

Limits allowed HTTP methods inside a location. The method parameter can be one of the following: GET, HEAD, POST, PUT, DELETE, MKCOL, COPY, MOVE, OPTIONS, PROPFIND, PROPPATCH, LOCK, UNLOCK, or PATCH. Allowing the GET method makes the HEAD method also allowed. Access to other methods can be limited using the ngx_http_access_module and ngx_http_auth_basic_module modules directives:

limit_except GET {
    allow 192.168.1.0/32;
    deny  all;
}

Please note that this will limit access to all methods except GET and HEAD.
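Two details of the block above are easy to misread: the methods named in limit_except are the ones that are NOT restricted (and GET brings HEAD with it), and the allow/deny rules are evaluated in order with the first match deciding. The following Python is an added illustration (not nginx source and not from the original article) that evaluates the page's block for a given method and client address; the function names are this example's own, and the "no rule matched means allowed" fallback mirrors ngx_http_access_module.

```python
"""Evaluate a limit_except block against a request.
Example code only; not part of nginx or of the original article.
`limited` is the method list given to limit_except (GET implies HEAD);
`rules` is the ordered allow/deny list inside the block, applied to the
client address for every method that is NOT in that list.
"""
import ipaddress


def request_allowed(method: str, client_ip: str,
                    limited: list[str], rules: list[tuple[str, str]]) -> bool:
    exempt = {m.upper() for m in limited}
    if "GET" in exempt:
        exempt.add("HEAD")  # allowing GET also allows HEAD
    if method.upper() in exempt:
        return True  # the listed methods are not subject to the rules at all
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return action == "allow"  # first matching rule decides
    return True  # no rule matched: access module default is to allow


# The page's example block, as constructed data.
PAGE_LIMITED = ["GET"]
PAGE_RULES = [("allow", "192.168.1.0/32"), ("deny", "all")]

if __name__ == "__main__":
    for method, ip in (("GET", "203.0.113.9"), ("POST", "203.0.113.9"),
                       ("POST", "192.168.1.0"), ("POST", "192.168.1.7")):
        print(f"{method:6} from {ip:14} -> {request_allowed(method, ip, PAGE_LIMITED, PAGE_RULES)}")
```

The 192.168.1.7 case is worth checking in a real deployment: "192.168.1.0/32" names a single address, 192.168.1.0, so every other host in that network is denied for non-GET methods; if the intent was the whole subnet, the rule needs "192.168.1.0/24".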

V. File-operation optimization directives

aio

Syntax: aio on | off | threads[=pool];
Default: aio off;
Context: http, server, location
This directive appeared in version 0.8.11.

Enables or disables the use of asynchronous file I/O (AIO) on FreeBSD and Linux:

location /video/ {
    aio            on;
    output_buffers 1 64k;
}

On FreeBSD, AIO can be used starting from FreeBSD 4.3. Prior to FreeBSD 11.0, AIO can either be linked statically into a kernel:

options VFS_AIO

or loaded dynamically as a kernel module:

kldload aio

On Linux, AIO can be used starting from kernel version 2.6.22. Also, it is necessary to enable directio, or otherwise reading will be blocking:

location /video/ {
    aio            on;
    directio       512;
    output_buffers 1 128k;
}

On Linux, directio can only be used for reading blocks that are aligned on 512-byte boundaries (or 4K for XFS). File’s unaligned end is read in blocking mode. The same holds true for byte range requests and for FLV requests not from the beginning of a file: reading of unaligned data at the beginning and end of a file will be blocking.
When both AIO and sendfile are enabled on Linux, AIO is used for files that are larger than or equal to the size specified in the directio directive, while sendfile is used for files of smaller sizes or when directio is disabled.

location /video/ {
    sendfile       on;
    aio            on;
    directio       8m;
}

Finally, files can be read and sent using multi-threading (1.7.11), without blocking a worker process:

location /video/ {
    sendfile       on;
    aio            threads;
}

Read and send file operations are offloaded to threads of the specified pool. If the pool name is omitted, the pool with the name “default” is used. The pool name can also be set with variables:

aio threads=pool$disk;

By default, multi-threading is disabled, it should be enabled with the --with-threads configuration parameter. Currently, multi-threading is compatible only with the epoll, kqueue, and eventport methods. Multi-threaded sending of files is only supported on Linux.

directio

Syntax: directio size | off;
Default: directio off;
Context: http, server, location

This directive appeared in version 0.7.7.

Enables the use of the O_DIRECT flag (FreeBSD, Linux), the F_NOCACHE flag (macOS), or the directio() function (Solaris) when reading files that are larger than or equal to the specified size. The directive automatically disables (0.7.15) the use of sendfile for a given request. It can be useful for serving large files:

directio 4m;

or when using aio on Linux.

open_file_cache

Syntax: open_file_cache off;
        open_file_cache max=N [inactive=time];
Default: open_file_cache off;
Context: http, server, location

Configures a cache that can store:

  • open file descriptors, their sizes and modification times;
  • information on existence of directories;
  • file lookup errors, such as “file not found”, “no read permission”, and so on. (Caching of errors should be enabled separately by the open_file_cache_errors directive.)

The directive has the following parameters:
max
sets the maximum number of elements in the cache; on cache overflow the least recently used (LRU) elements are removed;
inactive
defines a time after which an element is removed from the cache if it has not been accessed during this time; by default, it is 60 seconds;
off
disables the cache
Example:

open_file_cache          max=1000 inactive=20s;
open_file_cache_valid    30s;
open_file_cache_min_uses 2;
open_file_cache_errors   on;

open_file_cache_errors

Syntax: open_file_cache_errors on | off;
Default: open_file_cache_errors off;
Context: http, server, location

Enables or disables caching of file lookup errors by open_file_cache.

open_file_cache_min_uses

Syntax: open_file_cache_min_uses number;
Default: open_file_cache_min_uses 1;
Context: http, server, location

Sets the minimum number of file accesses during the period configured by the inactive parameter of the open_file_cache directive, required for a file descriptor to remain open in the cache.

open_file_cache_valid

Syntax: open_file_cache_valid time;
Default: open_file_cache_valid 60s;
Context: http, server, location

Sets a time after which open_file_cache elements should be validated.
Because a cached entry keeps the descriptor open and reuses the stored size and modification time, a file that has been deleted, replaced or had its permissions tightened can keep being served from the cached descriptor until its entry is revalidated (the file is reopened and compared at that point), which happens at most once per open_file_cache_valid interval while the entry stays in use. Keep the interval short, or leave open_file_cache off, on trees where files are removed or restricted for security reasons.

ngx_http_access_module

Example Configuration

location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}

allow

Syntax: allow address | CIDR | unix: | all;
Default: —
Context: http, server, location, limit_except

Allows access for the specified network or address. If the special value unix: is specified (1.5.1), allows access for all UNIX-domain sockets.
The rules are checked in sequence until the first match is found, so in the example above the single host 192.168.1.1 is denied only because its deny rule precedes the allow rule for 192.168.1.0/24; if no rule matches, access is allowed, which is why such lists end with deny all. The rules compare the address of the direct TCP peer ($remote_addr): behind a load balancer or CDN they match the proxy, not the client, unless the real client address is restored first (for example with ngx_http_realip_module).

deny

Syntax: deny address | CIDR | unix: | all;
Default: —
Context: http, server, location, limit_except

Denies access for the specified network or address. If the special value unix: is specified (1.5.1), denies access for all UNIX-domain sockets.
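The allow/deny evaluation described above, as an added Python example that is not part of this page or of nginx: it re-implements the first-match-wins rule order with the standard ipaddress module so a rule list can be checked offline before it is deployed. The rule list is the page’s example configuration; the peer addresses passed in are constructed test inputs.

```python
"""Simulate ngx_http_access_module rule evaluation (added example, not
nginx code): rules are checked in order, the first match wins, "all"
matches everything, "unix:" matches UNIX-domain sockets, and a request
that matches no rule is allowed."""
import ipaddress

# Constructed rule list, copied from the page's example configuration.
RULES = [
    ("deny", "192.168.1.1"),
    ("allow", "192.168.1.0/24"),
    ("allow", "10.1.1.0/16"),
    ("allow", "2001:0db8::/32"),
    ("deny", "all"),
]


def compile_rule(action, target):
    """Return (action, matcher) where matcher(peer) tells whether the
    rule applies to a peer given as an IP literal or the string "unix:"."""
    if target == "all":
        return action, lambda peer: True
    if target == "unix:":
        return action, lambda peer: peer == "unix:"
    # strict=False masks off host bits, so 10.1.1.0/16 becomes 10.1.0.0/16;
    # nginx does the same and only logs a warning about the extra bits.
    net = ipaddress.ip_network(target, strict=False)

    def matcher(peer):
        if peer == "unix:":
            return False
        addr = ipaddress.ip_address(peer)
        return addr.version == net.version and addr in net

    return action, matcher


def decide(peer, rules=RULES):
    """Return "allow" or "deny" for a peer, using first-match semantics."""
    for action, target in rules:
        action, matcher = compile_rule(action, target)
        if matcher(peer):
            return action
    return "allow"          # no rule matched: nginx lets the request through


def explain(peer, rules=RULES):
    """Return (index, action, target) of the rule that decided, or None."""
    for index, (action, target) in enumerate(rules):
        if compile_rule(action, target)[1](peer):
            return index, action, target
    return None
```

explain() is the useful part when reviewing a long list: it shows which rule fired for a given address, which makes ordering mistakes (an allow placed before the deny it was meant to be an exception to) visible without deploying the configuration.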

ngx_http_auth_basic_module

Implements user-based access control by authenticating users with the HTTP Basic mechanism.
Example Configuration

location / {
    auth_basic           "closed site";
    auth_basic_user_file conf/htpasswd;
}

auth_basic

Syntax: auth_basic string | off;
Default: auth_basic off;
Context: http, server, location, limit_except

Enables validation of user name and password using the “HTTP Basic Authentication” protocol. The specified parameter is used as a realm. Parameter value can contain variables (1.3.10, 1.2.7). The special value off allows cancelling the effect of the auth_basic directive inherited from the previous configuration level.
Basic authentication only base64-encodes the credentials in the Authorization header of every request, so it should only be enabled on servers that are reached over TLS.

auth_basic_user_file

Syntax: auth_basic_user_file file;
Default: —
Context: http, server, location, limit_except

Specifies a file that keeps user names and passwords, in the following format:

# comment
name1:password1
name2:password2:comment
name3:password3

The file name can contain variables.
The following password types are supported:

  • encrypted with the crypt() function; can be generated using the “htpasswd” utility from the Apache HTTP Server distribution or the “openssl passwd” command;
  • hashed with the Apache variant of the MD5-based password algorithm (apr1); can be generated with the same tools;
  • specified by the “{scheme}data” syntax (1.0.3+) as described in RFC 2307; currently implemented schemes include PLAIN (an example one, should not be used), SHA (1.3.13) (plain SHA-1 hashing, should not be used) and SSHA (salted SHA-1 hashing, used by some software packages, notably OpenLDAP and Dovecot).
    Support for the SHA scheme was added only to aid in migration from other web servers. It should not be used for new passwords, since the unsalted SHA-1 hashing that it employs is vulnerable to rainbow table attacks.

The password file should live outside the document root and needs only to be readable by the worker user; a copy served as static content hands every hash to anyone who guesses its path.
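An added Python example, not code from this page or from nginx, that parses an auth_basic_user_file in the format shown above and verifies the RFC 2307 {PLAIN}, {SHA} and {SSHA} entries (crypt() and apr1 entries need crypt(3) or an apr1 implementation and are reported as unsupported here). The user entries are constructed for the demo; make_ssha shows how an {SSHA} value is built from a salt, the migration-friendly scheme the page prefers over unsalted {SHA}.

```python
"""Parse an auth_basic_user_file and verify RFC 2307 {scheme}data
entries (added example, not nginx code).  PLAIN, SHA and SSHA are
handled; crypt() and apr1 entries are reported as unsupported."""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20


def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hash_sha1(password.encode() + salt)
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def make_sha(password):
    """Build an unsalted {SHA} value (migration only, as the page warns)."""
    return "{SHA}" + base64.b64encode(hash_sha1(password.encode())).decode()


def hash_sha1(data):
    return hashlib.sha1(data).digest()


def parse_user_file(text):
    """Map user name -> password field.  Blank lines and '#' comments are
    skipped; a third ':comment' field is ignored, as nginx does."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) >= 2:
            users[parts[0]] = parts[1]
    return users


def verify(stored, password):
    """True if password matches a {PLAIN}, {SHA} or {SSHA} field."""
    if stored.startswith("{PLAIN}"):
        return hmac.compare_digest(stored[len("{PLAIN}"):].encode(), password.encode())
    if stored.startswith("{SHA}"):
        want = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hash_sha1(password.encode()), want)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]   # 20-byte digest, salt follows
        return hmac.compare_digest(hash_sha1(password.encode() + salt), digest)
    raise ValueError("crypt()/apr1 entries need crypt(3) or an apr1 implementation")


def authenticate(user_file, name, password):
    """Look the user up in the file text and verify the password."""
    users = parse_user_file(user_file)
    return name in users and verify(users[name], password)


# Constructed file content in the layout the page describes.
USER_FILE = "\n".join([
    "# comment",
    "alice:" + make_ssha("correct horse", salt=b"saltsalt"),
    "bob:" + make_sha("hunter2") + ":migrated from another server",
    "carol:{PLAIN}not-for-production",
])
```

hmac.compare_digest is used for every comparison so that a wrong password takes the same time whether it fails on the first or the last byte; the unsalted {SHA} branch is kept only because migrated files contain it.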

ngx_http_stub_status_module

Provides access to basic status information.
Example Configuration

location /basic_status {
    stub_status;
}

This configuration creates a simple web page with basic status data which may look like as follows:

Active connections: 291 
server accepts handled requests
 16630948 16630948 31070465 
Reading: 6 Writing: 179 Waiting: 106

stub_status

Syntax: stub_status;
Default: —
Context: server, location

The basic status information will be accessible from the surrounding location.
Because the page reveals connection and request volume, restrict the location, for example with the allow/deny directives of ngx_http_access_module or by exposing it only on a loopback listener.

Data

Active connections
The current number of active client connections including Waiting connections.
accepts
The total number of accepted client connections.
handled
The total number of handled connections. Generally, the parameter value is the same as accepts unless some resource limits have been reached (for example, the worker_connections limit).
requests
The total number of client requests.
Reading
The current number of connections where nginx is reading the request header.
Writing
The current number of connections where nginx is writing the response back to the client.
Waiting
The current number of idle client connections waiting for a request.
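An added Python example, not part of the page or of nginx: a parser for the stub_status text above that turns the seven fields into numbers and derives the figures a monitor would alert on, such as accepts minus handled (connections dropped at a resource limit) and the per-interval increments of the cumulative counters. The sample text is the page’s example output, embedded as constructed input.

```python
"""Parse the text served by stub_status and derive monitoring checks
(added example, not nginx code)."""
import re

# The page's example output, embedded as constructed input.
SAMPLE = """Active connections: 291
server accepts handled requests
 16630948 16630948 31070465
Reading: 6 Writing: 179 Waiting: 106
"""

_ACTIVE = re.compile(r"Active connections:\s*(\d+)")
_COUNTERS = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)
_STATES = re.compile(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)")


def parse_stub_status(text):
    """Return the seven stub_status fields as a dict of ints."""
    active, counters, states = (p.search(text) for p in (_ACTIVE, _COUNTERS, _STATES))
    if not (active and counters and states):
        raise ValueError("not a stub_status page")
    accepts, handled, requests = (int(x) for x in counters.groups())
    reading, writing, waiting = (int(x) for x in states.groups())
    return {"active": int(active.group(1)), "accepts": accepts, "handled": handled,
            "requests": requests, "reading": reading, "writing": writing, "waiting": waiting}


def health(stats):
    """Derived figures a monitor would alert on."""
    return {
        # accepts - handled > 0: connections were dropped at a resource limit
        # such as worker_connections
        "dropped_connections": stats["accepts"] - stats["handled"],
        # keep-alive effectiveness; ~1.0 means every connection carried one request
        "requests_per_connection": (stats["requests"] / stats["handled"]
                                    if stats["handled"] else 0.0),
        # active connections that are in none of the three listed states
        "unaccounted": stats["active"] - (stats["reading"] + stats["writing"]
                                          + stats["waiting"]),
    }


def delta(previous, current):
    """Per-interval increments of the cumulative counters between two scrapes."""
    return {k: current[k] - previous[k] for k in ("accepts", "handled", "requests")}
```

accepts, handled and requests are cumulative since the worker processes started, so a monitor compares two scrapes with delta() and alerts when dropped_connections grows between them rather than on the absolute value.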

ngx_http_log_module

The ngx_http_log_module module writes request logs in the specified format.
Example Configuration

log_format compression '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $bytes_sent '
                       '"$http_referer" "$http_user_agent" "$gzip_ratio"';

access_log /spool/logs/nginx-access.log compression buffer=32k;

access_log

Syntax: access_log path [format [buffer=size] [gzip[=level]] [flush=time] [if=condition]];
        access_log off;
Default: access_log logs/access.log combined;
Context: http, server, location, if in location, limit_except

Sets the path, format, and configuration for a buffered log write. Several logs can be specified on the same level. Logging to syslog can be configured by specifying the “syslog:” prefix in the first parameter. The special value off cancels all access_log directives on the current level.
If either the buffer or gzip parameter is used, writes to log will be buffered.

The buffer size must not exceed the size of an atomic write to a disk file. For FreeBSD this size is unlimited.

When buffering is enabled, the data will be written to the file:

  • if the next log line does not fit into the buffer;
  • if the buffered data is older than specified by the flush parameter;
  • when a worker process is re-opening log files or is shutting down.

Buffered lines reach the disk late: if a worker is killed rather than shut down, up to one buffer of entries is lost, and during an incident the most recent requests may not yet be on disk, so set flush to a small value where the log feeds detection.

If the gzip parameter is used, then the buffered data will be compressed before writing to the file. The compression level can be set between 1 (fastest, less compression) and 9 (slowest, best compression). By default, the buffer size is equal to 64K bytes, and the compression level is set to 1. Since the data is compressed in atomic blocks, the log file can be decompressed or read by “zcat” at any time.
Example:

access_log /path/to/log.gz basic gzip flush=5m;

For gzip compression to work, nginx must be built with the zlib library.
The file path can contain variables, but such logs have some constraints:

  • the user whose credentials are used by worker processes should have permissions to create files in a directory with such logs;
  • buffered writes do not work;
  • the file is opened and closed for each log write. However, since the descriptors of frequently used files can be stored in a cache, writing to the old file can continue during the time specified by the open_log_file_cache directive’s valid parameter.

Do not build the path from values the client controls (such as $host) without restricting them first, for example through a map with a fixed set of outputs; otherwise the client chooses which file the worker creates and appends to.

The if parameter enables conditional logging. A request will not be logged if the condition evaluates to “0” or an empty string.

log_format

Syntax: log_format name [escape=default|json] string ...;
Default: —
Context: http

Specifies the log format. The configuration always includes the predefined “combined” format:

log_format combined '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

The escape parameter (1.11.8) allows setting json or default characters escaping in variables; by default, default escaping is used. With default escaping, the characters “"”, “\”, and other characters with values less than 32 or greater than 126 are escaped as “\xXX”, which is what stops a client-supplied header such as User-Agent from injecting fake fields or line breaks into the log; with json escaping the values are escaped as JSON string content instead.
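An added Python example, not code from this page or from nginx, that parses lines in the predefined combined format and reverses the default \xHH escaping described above. One of the constructed sample lines carries a User-Agent that tries to forge a “200” record; because nginx has escaped the quotes and the newline, the field boundaries survive and the parser recovers the original header instead of a fake record.

```python
"""Parse access_log lines in the predefined "combined" format and undo
nginx's escape=default encoding (added example, not nginx code)."""
import re
from collections import Counter

# Field layout of the combined format; quoted fields may contain \xHH escapes.
COMBINED = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>(?:[^"\\]|\\.)*)" "(?P<http_user_agent>(?:[^"\\]|\\.)*)"$'
)
_HEX = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_default(field):
    """Turn \\xHH sequences back into bytes and decode the result as UTF-8."""
    out = bytearray()
    i = 0
    while i < len(field):
        m = _HEX.match(field, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(field[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_line(line):
    """Return a dict of the combined fields, or None if the line is malformed."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("request", "http_referer", "http_user_agent"):
        rec[key] = unescape_default(rec[key])
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    return rec


def count_by_status(lines):
    """Status code histogram; malformed lines are counted under None."""
    return Counter(r["status"] if r else None for r in map(parse_line, lines))


def auth_failures_by_ip(lines):
    """Source addresses with 401/403 responses, as a detection rule would use."""
    return Counter(r["remote_addr"] for r in map(parse_line, lines)
                   if r and r["status"] in (401, 403))


# Constructed sample lines.  The second one carries a User-Agent that tries
# to append a fake "200" record; nginx has written its quotes as \x22 and
# the newline as \x0A, so the line still has exactly one status field.
LOG_LINES = [
    '203.0.113.5 - - [21/Jun/2017:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Jun/2017:10:00:02 +0800] "GET /admin HTTP/1.1" 403 153 "-" '
    '"evil\\x22 200 0 \\x22-\\x22 \\x22fake\\x0A"',
    '198.51.100.7 - alice [21/Jun/2017:10:00:03 +0800] "POST /login HTTP/1.1" 401 0 '
    '"https://example.com/" "curl/7.58.0"',
]
```

A parser that splits on double quotes or on newlines before unescaping would see the forged record; parsing the escaped text first and unescaping each field afterwards, as above, keeps the injected bytes inside the field they were sent in.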

open_log_file_cache

Syntax: open_log_file_cache max=N [inactive=time] [min_uses=N] [valid=time];
        open_log_file_cache off;
Default: open_log_file_cache off;
Context: http, server, location

Defines a cache that stores the file descriptors of frequently used logs whose names contain variables. The directive has the following parameters:
max
sets the maximum number of descriptors in a cache; if the cache becomes full the least recently used (LRU) descriptors are closed
inactive
sets the time after which the cached descriptor is closed if there were no access during this time; by default, 10 seconds
min_uses
sets the minimum number of file uses during the time defined by the inactive parameter to let the descriptor stay open in a cache; by default, 1
valid
sets the time after which it should be checked that the file still exists with the same name; by default, 60 seconds
off
disables caching

ngx_http_gzip_module

The ngx_http_gzip_module module is a filter that compresses responses using the “gzip” method. This often helps to reduce the size of transmitted data by half or even more.
Compressing responses over TLS has a known side channel: when a secret (a CSRF token, a session identifier) and attacker-controlled input appear in the same compressed response, the compressed length leaks the secret byte by byte (the BREACH attack). Keep gzip off for such dynamic responses, or keep secrets out of the compressed body; compressing static assets is unaffected.
Example Configuration

gzip            on;
gzip_min_length 1000;
gzip_proxied    expired no-cache no-store private auth;
gzip_types      text/plain application/xml;

gzip

Syntax: gzip on | off;
Default: gzip off;
Context: http, server, location, if in location

Enables or disables gzipping of responses.

gzip_buffers

Syntax: gzip_buffers number size;
Default: gzip_buffers 32 4k|16 8k;
Context: http, server, location

Sets the number and size of buffers used to compress a response. By default, the buffer size is equal to one memory page. This is either 4K or 8K, depending on a platform.
Until version 0.7.28, four 4K or 8K buffers were used by default.

gzip_comp_level

Syntax: gzip_comp_level level;
Default: gzip_comp_level 1;
Context: http, server, location

Sets a gzip compression level of a response. Acceptable values are in the range from 1 to 9.

gzip_disable

Syntax: gzip_disable regex ...;
Default: —
Context: http, server, location
This directive appeared in version 0.6.23.

Disables gzipping of responses for requests with “User-Agent” header fields matching any of the specified regular expressions.
The special mask “msie6” (0.7.12) corresponds to the regular expression “MSIE [4-6]\.”, but works faster. Starting from version 0.8.11, “MSIE 6.0; ... SV1” is excluded from this mask.

gzip_min_length

Syntax: gzip_min_length length;
Default: gzip_min_length 20;
Context: http, server, location

Sets the minimum length of a response that will be gzipped. The length is determined only from the “Content-Length” response header field.

gzip_http_version

Syntax: gzip_http_version 1.0 | 1.1;
Default: gzip_http_version 1.1;
Context: http, server, location

Sets the minimum HTTP version of a request required to compress a response.

gzip_proxied

Syntax: gzip_proxied off | expired | no-cache | no-store | private | no_last_modified | no_etag | auth | any ...;
Default: gzip_proxied off;
Context: http, server, location

Enables or disables gzipping of responses for proxied requests depending on the request and response. The fact that the request is proxied is determined by the presence of the “Via” request header field. The directive accepts multiple parameters:
off
disables compression for all proxied requests, ignoring other parameters;
expired
enables compression if a response header includes the “Expires” field with a value that disables caching;
no-cache
enables compression if a response header includes the “Cache-Control” field with the “no-cache” parameter;
no-store
enables compression if a response header includes the “Cache-Control” field with the “no-store” parameter;
private
enables compression if a response header includes the “Cache-Control” field with the “private” parameter;
no_last_modified
enables compression if a response header does not include the “Last-Modified” field;
no_etag
enables compression if a response header does not include the “ETag” field;
auth
enables compression if a request header includes the “Authorization” field;
any
enables compression for all proxied requests.

gzip_types

Syntax: gzip_types mime-type ...;
Default: gzip_types text/html;
Context: http, server, location

Enables gzipping of responses for the specified MIME types in addition to “text/html”. The special value “*” matches any MIME type (0.8.29). Responses with the “text/html” type are always compressed.

gzip_vary

Syntax: gzip_vary on | off;
Default: gzip_vary off;
Context: http, server, location

Enables or disables inserting the “Vary: Accept-Encoding” response header field if the directives gzip, gzip_static, or gunzip are active.

ngx_http_ssl_module

The ngx_http_ssl_module module provides the necessary support for HTTPS.
Example Configuration

To reduce the processor load it is recommended to

  • set the number of worker processes equal to the number of processors,
  • enable keep-alive connections,
  • enable the shared session cache,
  • disable the built-in session cache,
  • and possibly increase the session lifetime (by default, 5 minutes):

worker_processes auto;

http {

    ...

    server {
        listen              443 ssl;
        keepalive_timeout   70;

        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        ...
    }
}

The cipher list in this example dates from older nginx documentation and should not be copied: RC4 and the 3DES suite (DES-CBC3-SHA) are broken or deprecated, RC4-MD5 adds an MD5 MAC, none of the listed suites provide forward secrecy, and TLSv1 and TLSv1.1 are deprecated by RFC 8996. Start from the current defaults (ssl_ciphers HIGH:!aNULL:!MD5; ssl_protocols TLSv1.2 TLSv1.3;) and prefer ECDHE suites with AEAD ciphers.

ssl

Syntax: ssl on | off;
Default: ssl off;
Context: http, server

Enables the HTTPS protocol for the given virtual server.
It is recommended to use the ssl parameter of the listen directive instead of this directive. The ssl directive was made obsolete in version 1.15.0 and was removed in version 1.25.1.

ssl_buffer_size

Syntax: ssl_buffer_size size;
Default: ssl_buffer_size 16k;
Context: http, server
This directive appeared in version 1.5.9.

Sets the size of the buffer used for sending data.
By default, the buffer size is 16k, which corresponds to minimal overhead when sending big responses. To minimize Time To First Byte it may be beneficial to use smaller values, for example:

ssl_buffer_size 4k;

ssl_certificate

Syntax: ssl_certificate file;
Default: —
Context: http, server

Specifies a file with the certificate in the PEM format for the given virtual server. If intermediate certificates should be specified in addition to a primary certificate, they should be specified in the same file in the following order: the primary certificate comes first, then the intermediate certificates. A secret key in the PEM format may be placed in the same file. If the key is kept in the certificate file, that file becomes secret material as well; keeping the key in a separate, root-only file (see ssl_certificate_key) avoids that.
Since version 1.11.0, this directive can be specified multiple times to load certificates of different types, for example, RSA and ECDSA:

server {
    listen              443 ssl;
    server_name         example.com;

    ssl_certificate     example.com.rsa.crt;
    ssl_certificate_key example.com.rsa.key;

    ssl_certificate     example.com.ecdsa.crt;
    ssl_certificate_key example.com.ecdsa.key;

    ...
}

Only OpenSSL 1.0.2 or higher supports separate certificate chains for different certificates. With older versions, only one certificate chain can be used.
It should be kept in mind that due to the HTTPS protocol limitations virtual servers should listen on different IP addresses:

server {
    listen          192.168.1.1:443;
    server_name     one.example.com;
    ssl_certificate one.example.com.crt;
    ...
}

server {
    listen          192.168.1.2:443;
    server_name     two.example.com;
    ssl_certificate two.example.com.crt;
    ...
}

otherwise the first server’s certificate will be issued for the second site.
The limitation exists because the certificate must be presented before the Host header can be read. With the Server Name Indication (SNI) TLS extension, supported by nginx when built against an OpenSSL with SNI support and by all current browsers, name-based HTTPS servers can share one address. Even then, a client that sends no SNI, or a name that matches no server_name, receives the certificate of the default server for that address, so that server should carry a certificate you are comfortable presenting to anyone.

ssl_certificate_key

Syntax: ssl_certificate_key file;
Default: —
Context: http, server

Specifies a file with the secret key in the PEM format for the given virtual server.
Unless the file name contains variables, the key is read by the master process while the configuration is loaded, so the file can be owned by root with mode 0600 and does not need to be readable by the worker user set with the user directive.

ssl_ciphers (less commonly changed item)

Syntax: ssl_ciphers ciphers;
Default: ssl_ciphers HIGH:!aNULL:!MD5;
Context: http, server

Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library, for example:

ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The full list can be viewed using the “openssl ciphers” command.
The previous versions of nginx used different ciphers by default.
The example string above is historical and enables LOW, export and RC4 suites; today the default HIGH:!aNULL:!MD5 is the safer starting point, and running “openssl ciphers -v” on a candidate string shows exactly which suites it enables before it is deployed.

ssl_client_certificate (less commonly changed item)

Syntax: ssl_client_certificate file;
Default: —
Context: http, server

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.
The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used.

ssl_protocols

Syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];
Default: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Context: http, server

Enables the specified protocols.
The TLSv1.1 and TLSv1.2 parameters (1.1.13, 1.0.12) work only when OpenSSL 1.0.1 or higher is used.
The TLSv1.3 parameter (1.13.0) works only when OpenSSL 1.1.1 built with TLSv1.3 support is used.
SSLv2, SSLv3, TLSv1 and TLSv1.1 are deprecated (RFC 8996) and should not be enabled; since version 1.23.4 the default is TLSv1.2 TLSv1.3.
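An added Python check, not code from this page or from nginx, that scans a configuration text for ssl_protocols and ssl_ciphers and reports the protocols deprecated by RFC 8996 together with cipher tokens that enable RC4, DES/3DES, MD5, export, NULL or whole catch-all groups, plus explicit suites without forward secrecy. The page’s example server block and its older ssl_ciphers example are embedded as the constructed input; the directive defaults are the ones the page lists, and tokens the check cannot judge (groups such as HIGH) should be expanded with “openssl ciphers -v”.

```python
"""Audit ssl_protocols / ssl_ciphers in an nginx configuration text
(added example, not nginx code)."""
import re

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL group names that enable weak suites, or everything, outright
WEAK_GROUPS = {"ALL", "COMPLEMENTOFDEFAULT", "LOW", "MEDIUM", "EXP", "EXPORT",
               "EXPORT40", "EXPORT56", "SSLV2", "SSLV3", "ANULL", "ENULL", "NULL",
               "ADH", "AECDH", "DES", "3DES", "RC4", "MD5"}
# substrings that mark an individual suite name as weak
WEAK_MARKERS = ("RC4", "DES", "MD5", "EXP", "NULL", "ADH", "AECDH")
# key-exchange prefixes of suite names that provide forward secrecy
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# defaults the page lists for the directives when they are absent
DEFAULT_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"


def directive_value(config, name):
    """Value of the last `name value;` directive in config (quotes stripped), or None."""
    found = re.findall(r"^\s*%s\s+([^;]+);" % re.escape(name), config, re.M)
    return found[-1].strip().strip("'\"") if found else None


def audit(config):
    """Report deprecated protocols and weak / non-PFS cipher tokens."""
    protocols = (directive_value(config, "ssl_protocols") or DEFAULT_PROTOCOLS).split()
    cipher_string = directive_value(config, "ssl_ciphers") or DEFAULT_CIPHERS
    report = {
        "deprecated_protocols": [p for p in protocols if p in DEPRECATED_PROTOCOLS],
        "weak_ciphers": [],
        "no_forward_secrecy": [],
    }
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-@":   # exclusions and @STRENGTH/@SECLEVEL enable nothing
            continue
        token = token.lstrip("+")            # "+X" only reorders; X stays enabled
        upper = token.upper()
        if upper in WEAK_GROUPS or any(m in upper for m in WEAK_MARKERS):
            report["weak_ciphers"].append(token)
        elif "-" in token and not upper.startswith(PFS_PREFIXES):
            # explicit suite without (EC)DHE key exchange: static RSA key transport
            report["no_forward_secrecy"].append(token)
    report["ok"] = not (report["deprecated_protocols"] or report["weak_ciphers"]
                        or report["no_forward_secrecy"])
    return report


# Constructed inputs: the page's example server block and its older
# ssl_ciphers example, plus a hardened pair for comparison.
PAGE_CONFIG = """
worker_processes auto;
http {
    server {
        listen              443 ssl;
        keepalive_timeout   70;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
    }
}
"""
OLD_CIPHERS_EXAMPLE = 'ssl_ciphers "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP";'
HARDENED = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;
"""
```

The check is deliberately string-based: it reads the configuration, not the OpenSSL build, so a group like HIGH passes here even though what it expands to depends on the library version; run the expanded list through openssl ciphers -v for the final word.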

ssl_session_cache

Syntax: ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
Default: ssl_session_cache none;
Context: http, server

Sets the types and sizes of caches that store session parameters. A cache can be of any of the following types:
off
the use of a session cache is strictly prohibited: nginx explicitly tells a client that sessions may not be reused.
none
the use of a session cache is gently disallowed: nginx tells a client that sessions may be reused, but does not actually store session parameters in the cache.
builtin
a cache built in OpenSSL; used by one worker process only. The cache size is specified in sessions. If size is not given, it is equal to 20480 sessions. Use of the built-in cache can cause memory fragmentation.
shared
a cache shared between all worker processes. The cache size is specified in bytes; one megabyte can store about 4000 sessions. Each shared cache should have an arbitrary name. A cache with the same name can be used in several virtual servers.
Both cache types can be used simultaneously, for example:

ssl_session_cache builtin:1000 shared:SSL:10m;

but using only shared cache without the built-in cache should be more efficient.

ssl_session_timeout

Syntax: ssl_session_timeout time;
Default: ssl_session_timeout 5m;
Context: http, server

Specifies a time during which a client may reuse the session parameters.

ngx_http_rewrite_module

The ngx_http_rewrite_module module is used to change request URI using PCRE regular expressions, return redirects, and conditionally select configurations.
The ngx_http_rewrite_module module directives are processed in the following order:

  • the directives of this module specified on the server level are executed sequentially;
  • repeatedly:

    • a location is searched based on a request URI;
    • the directives of this module specified inside the found location are executed sequentially;
    • the loop is repeated if a request URI was rewritten, but not more than 10 times.

rewrite

Syntax: rewrite regex replacement [flag];
Default: —
Context: server, location, if

If the specified regular expression matches a request URI, URI is changed as specified in the replacement string. The rewrite directives are executed sequentially in order of their appearance in the configuration file. It is possible to terminate further processing of the directives using flags. If a replacement string starts with “http://”, “https://”, or “$scheme”, the processing stops and the redirect is returned to a client.
An optional flag parameter can be one of:
last
stops processing the current set of ngx_http_rewrite_module directives and starts a search for a new location matching the changed URI;
break
stops processing the current set of ngx_http_rewrite_module directives as with the break directive;
redirect
returns a temporary redirect with the 302 code; used if a replacement string does not start with “http://”, “https://”, or “$scheme”;
permanent
returns a permanent redirect with the 301 code.
The full redirect URL is formed according to the request scheme ($scheme) and the server_name_in_redirect and port_in_redirect directives.
When the redirect or permanent flag is used, a replacement built from client-controlled data (a capture, $arg_... or a request header) lets the client choose the Location target, which is an open redirect; anchor such captures to a fixed host or path.
Example:

server {
    ...
    rewrite ^(/download/.*)/media/(.*)\..*$ $1/mp3/$2.mp3 last;
    rewrite ^(/download/.*)/audio/(.*)\..*$ $1/mp3/$2.ra  last;
    return  403;
    ...
}

But if these directives are put inside the “/download/” location, the last flag should be replaced by break, or otherwise nginx will make 10 cycles and return the 500 error:

location /download/ {
    rewrite ^(/download/.*)/media/(.*)\..*$ $1/mp3/$2.mp3 break;
    rewrite ^(/download/.*)/audio/(.*)\..*$ $1/mp3/$2.ra  break;
    return  403;
}

If a replacement string includes the new request arguments, the previous request arguments are appended after them. If this is undesired, putting a question mark at the end of a replacement string avoids having them appended, for example:

rewrite ^/users/(.*)$ /show?user=$1? last;

If a regular expression includes the “}” or “;” characters, the whole expression should be enclosed in single or double quotes.
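An added Python simulation, not code from this page or from nginx, of the processing order and rewrite semantics described above: server-level rules once, then repeated location search plus that location’s rules with the 10-cycle limit, $1..$9 captures, the last/break/redirect/permanent flags, appending of the old query string and the trailing “?” that suppresses it. It is a simplification: locations are plain prefixes and variables other than captures are not expanded. The rule sets and URIs are constructed from the page’s examples.

```python
"""Simulate the rewrite directive and the processing order of
ngx_http_rewrite_module (added example, not nginx code).  Locations are
plain prefixes and only $1..$9 are expanded; that is enough to show the
flags, the query-string handling and the 10-cycle limit."""
import re

MAX_URI_CHANGES = 10   # nginx gives up and returns 500 after this many cycles


def expand(replacement, match):
    """Expand $1..$9 from the regex captures."""
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))) or "", replacement)


def rewrite_once(uri, args, regex, replacement):
    """Apply one rewrite; return (uri, args) or None when regex does not match."""
    m = re.search(regex, uri)
    if m is None:
        return None
    new = expand(replacement, m)
    keep_old_args = not new.endswith("?")       # a trailing "?" drops the old args
    if not keep_old_args:
        new = new[:-1]
    path, _, new_args = new.partition("?")
    if keep_old_args and args:                   # old args are appended after new ones
        new_args = new_args + "&" + args if new_args else args
    return path, new_args


def run_rules(rules, uri, args):
    """Execute one directive set in order.  rules are
    ("rewrite", regex, replacement, flag) or ("return", code).
    Returns (uri, args, outcome) with outcome None (nothing matched),
    "changed", "break", "last", ("redirect", code, url) or ("return", code)."""
    outcome = None
    for rule in rules:
        if rule[0] == "return":
            return uri, args, ("return", rule[1])
        _, regex, replacement, flag = rule
        res = rewrite_once(uri, args, regex, replacement)
        if res is None:
            continue
        uri, args = res
        if flag in ("redirect", "permanent") or uri.startswith(("http://", "https://", "$scheme")):
            url = uri + ("?" + args if args else "")
            return uri, args, ("redirect", 301 if flag == "permanent" else 302, url)
        if flag in ("break", "last"):
            return uri, args, flag
        outcome = "changed"                      # no flag: keep executing this set
    return uri, args, outcome


def process(uri, args, server_rules, locations):
    """Server-level rules once, then location search + that location's rules,
    repeated while the URI keeps being rewritten (at most MAX_URI_CHANGES).
    locations maps prefix -> rules; the longest matching prefix wins."""
    uri, args, outcome = run_rules(server_rules, uri, args)
    if isinstance(outcome, tuple):
        return outcome
    for _ in range(MAX_URI_CHANGES):
        prefix = max((p for p in locations if uri.startswith(p)), key=len, default=None)
        uri, args, outcome = run_rules(locations.get(prefix, []), uri, args)
        if isinstance(outcome, tuple):
            return outcome
        if outcome in (None, "break"):
            return ("serve", prefix, uri, args)
        # "last" or an unflagged match: the URI changed, search the location again
    return ("error", 500, uri)


# The page's /download/ example with the break flag it recommends inside a location.
DOWNLOAD_RULES = [
    ("rewrite", r"^(/download/.*)/media/(.*)\..*$", "$1/mp3/$2.mp3", "break"),
    ("rewrite", r"^(/download/.*)/audio/(.*)\..*$", "$1/mp3/$2.ra", "break"),
    ("return", 403),
]
```

The self-referencing rule in the test (^/(.*)$ rewritten to /x/$1 with last) is the shape that produces the 10-cycle 500: every pass matches again, so the location is searched again until the limit; the same rule with break stops after one pass.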

return

Syntax: return code [text];
        return code URL;
        return URL;
Default: —
Context: server, location, if

Stops processing and returns the specified code to a client. The non-standard code 444 closes a connection without sending a response header.
Starting from version 0.8.42, it is possible to specify either a redirect URL (for codes 301, 302, 303, 307, and 308) or the response body text (for other codes). A response body text and redirect URL can contain variables. As a special case, a redirect URL can be specified as a URI local to this server, in which case the full redirect URL is formed according to the request scheme ($scheme) and the server_name_in_redirect and port_in_redirect directives.
In addition, a URL for temporary redirect with the code 302 can be specified as the sole parameter. Such a parameter should start with the “http://”, “https://”, or “$scheme” string. A URL can contain variables.

  • Only the following codes could be returned before version 0.7.51: 204, 400, 402 — 406, 408, 410, 411, 413, 416, and 500 — 504.
  • The code 307 was not treated as a redirect until versions 1.1.16 and 1.0.13.
  • The code 308 was not treated as a redirect until version 1.13.0.

if

Syntax: if (condition) { ... }
Default: —
Context: server, location

The specified condition is evaluated. If true, this module directives specified inside the braces are executed, and the request is assigned the configuration inside the if directive. Configurations inside the if directives are inherited from the previous configuration level.
A condition may be any of the following:

  • a variable name; false if the value of a variable is an empty string or “0”;

    • Before version 1.0.1, any string starting with “0” was considered a false value.
  • comparison of a variable with a string using the “=” and “!=” operators;
  • matching of a variable against a regular expression using the “~” (for case-sensitive matching) and “~*” (for case-insensitive matching) operators. Regular expressions can contain captures that are made available for later reuse in the $1..$9 variables. Negative operators “!~” and “!~*” are also available. If a regular expression includes the “}” or “;” characters, the whole expression should be enclosed in single or double quotes.
  • checking of a file existence with the “-f” and “!-f” operators;
  • checking of a directory existence with the “-d” and “!-d” operators;
  • checking of a file, directory, or symbolic link existence with the “-e” and “!-e” operators;
  • checking for an executable file with the “-x” and “!-x” operators.

Only the directives of this module (rewrite, return, set, break) behave predictably inside an if block within a location; other directives placed there are a well-known source of surprises (the nginx wiki page “If Is Evil”), so prefer map or a separate location where possible.
Examples:

if ($http_user_agent ~ MSIE) {
    rewrite ^(.*)$ /msie/$1 break;
}

if ($http_cookie ~* "id=([^;]+)(?:;|$)") {
    set $id $1;
}

if ($request_method = POST) {
    return 405;
}

if ($slow) {
    limit_rate 10k;
}

if ($invalid_referer) {
    return 403;
}

A value of the $invalid_referer embedded variable is set by the valid_referers directive.

set

Syntax: set $variable value;
Default: —
Context: server, location, if

Sets a value for the specified variable. The value can contain text, variables, and their combination.

ngx_http_referer_module

The ngx_http_referer_module module is used to block access to a site for requests with invalid values in the “Referer” header field. It should be kept in mind that fabricating a request with an appropriate “Referer” field value is quite easy, and so the intended purpose of this module is not to block such requests thoroughly but to block the mass flow of requests sent by regular browsers. It should also be taken into consideration that regular browsers may not send the “Referer” field even for valid requests.
Example Configuration

valid_referers none blocked server_names
               *.example.com example.* www.example.org/galleries/
               ~\.google\.;

if ($invalid_referer) {
    return 403;
}

valid_referers

Syntax: valid_referers none | blocked | server_names | string ...;
Default: —
Context: server, location

Specifies the “Referer” request header field values that will cause the embedded $invalid_referer variable to be set to an empty string. Otherwise, the variable will be set to “1”. Search for a match is case-insensitive.
Parameters can be as follows:

none
the “Referer” field is missing in the request header;
blocked
the “Referer” field is present in the request header, but its value has been deleted by a firewall or proxy server; such values are strings that do not start with “http://” or “https://”;
server_names
the “Referer” request header field contains one of the server names;
arbitrary string
defines a server name and an optional URI prefix. A server name can have an “*” at the beginning or end. During the checking, the server’s port in the “Referer” field is ignored;
regular expression
the first symbol should be a “~”. It should be noted that an expression will be matched against the text starting after the “http://” or “https://”.
Example:

valid_referers none blocked server_names
               *.example.com example.* www.example.org/galleries/
               ~\.google\.;
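To make the matching rules above concrete, the following is an added Python model of the valid_referers decision and of the `if ($invalid_referer) { return 403; }` pattern used in the `if` examples earlier in this section. It is not nginx's own code; it follows the rules documented above (none, blocked, server_names, leading or trailing “*”, optional URI prefix, port ignored, case-insensitive, regex applied after the scheme). The server name www.mysite.test and every sample Referer value are constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple


class RefererPolicy:
    """Model of one `valid_referers` directive (added illustration, not nginx's code).

    `params` are the words that would follow `valid_referers`; `server_names` are the
    names the enclosing `server` block would list in `server_name` (needed for the
    `server_names` parameter).
    """

    def __init__(self, params: Iterable[str], server_names: Iterable[str] = ()) -> None:
        self.allow_none = False          # "none": header absent
        self.allow_blocked = False       # "blocked": present but no http:// or https://
        self.use_server_names = False
        self.server_names = {s.lower() for s in server_names}
        self.names: List[Tuple[str, str]] = []   # (host pattern, required URI prefix)
        self.regexes: List[re.Pattern] = []
        for p in params:
            if p == "none":
                self.allow_none = True
            elif p == "blocked":
                self.allow_blocked = True
            elif p == "server_names":
                self.use_server_names = True
            elif p.startswith("~"):
                # regex is matched against the text after the scheme, case-insensitively
                self.regexes.append(re.compile(p[1:], re.IGNORECASE))
            else:
                host, slash, rest = p.partition("/")
                self.names.append((host.lower(), slash + rest))

    @staticmethod
    def _host_matches(pattern: str, host: str) -> bool:
        # "*" is allowed only at the start or the end of the name
        if pattern.startswith("*"):
            return host.endswith(pattern[1:])
        if pattern.endswith("*"):
            return host.startswith(pattern[:-1])
        return host == pattern

    def invalid_referer(self, referer: Optional[str]) -> str:
        """Return what $invalid_referer would hold: "" if valid, "1" otherwise."""
        if referer is None:
            return "" if self.allow_none else "1"
        lowered = referer.lower()
        if lowered.startswith("http://"):
            after_scheme = referer[len("http://"):]
        elif lowered.startswith("https://"):
            after_scheme = referer[len("https://"):]
        else:
            return "" if self.allow_blocked else "1"
        hostport, slash, path = after_scheme.partition("/")
        host = hostport.split(":", 1)[0].lower()   # the port is ignored during checking
        uri = slash + path
        if any(rx.search(after_scheme) for rx in self.regexes):
            return ""
        if self.use_server_names and host in self.server_names:
            return ""
        for pattern, prefix in self.names:
            if self._host_matches(pattern, host) and uri.startswith(prefix):
                return ""
        return "1"


def decide(policy: RefererPolicy, referer: Optional[str]) -> int:
    """Mirror `if ($invalid_referer) { return 403; }`: 403 when blocked, else 200."""
    return 403 if policy.invalid_referer(referer) else 200


# The page's example directive, plus a server_name assumed for illustration.
POLICY = RefererPolicy(
    ["none", "blocked", "server_names",
     "*.example.com", "example.*", "www.example.org/galleries/",
     r"~\.google\."],
    server_names=["www.mysite.test"],
)

# Constructed sample Referer values (None = header missing) and the expected status.
SAMPLES = {
    None: 200,                                       # none
    "android-app://com.example.app": 200,            # blocked: no http(s) scheme
    "http://www.example.com:8080/page": 200,         # *.example.com, port ignored
    "http://WWW.EXAMPLE.COM/": 200,                  # case-insensitive
    "https://evil-example.com/": 403,                # not a subdomain of example.com
    "https://example.attacker.test/": 200,           # example.* accepts any suffix
    "http://www.example.org/galleries/1.jpg": 200,   # URI prefix satisfied
    "http://www.example.org/other/": 403,            # URI prefix not satisfied
    "https://www.google.com/search?q=x": 200,        # regex on text after scheme
    "http://www.mysite.test/index.html": 200,        # server_names
}

if __name__ == "__main__":
    for ref, expected in SAMPLES.items():
        print(f"{str(ref):42} -> {decide(POLICY, ref)} (expected {expected})")
```

Two points the samples make visible: a trailing wildcard such as example.* accepts any host that merely begins with “example.”, which is looser than it looks, so prefer an explicit list of your own domains; and, as the module description says, a client can send any Referer it likes, so this check only deters casual hotlinking and must not be treated as an access control. The model follows the documented rules; verify subtle matches against a running nginx before relying on them.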

Original article by easyTang; if reposting, please credit the source: http://www.178linux.com/78313
