Today let's talk about a topic that gives countless backend developers a headache: Nginx configuration in practice.
Picture this: the project is about to go live, your lead asks you to set up Nginx, and suddenly 502s and 504s are everywhere, static assets won't load, the HTTPS certificate won't install, load balancing has no effect... and you sit there scratching your head, questioning your life choices.
Don't panic. Today I'm handing over the whole Nginx configuration playbook, from beginner to expert, walking you through the most practical configuration tricks so your web service runs rock solid and fast.
I. First things first: why is Nginx so important?
The core value of Nginx
In a modern web architecture, Nginx is like a super gatekeeper that takes on several roles at once:
- Static file server: serves images, CSS, JS and other static files directly
Why choose Nginx?
II. Nginx configuration in practice: 7 core scenarios covered
Tip 1: Basic configuration, the foundation everything else stands on
Let's start with the most basic Nginx configuration structure:
# Global settings
user nginx;
worker_processes auto;           # detect the number of CPU cores automatically
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

# Event settings
events {
    worker_connections 1024;     # maximum connections per worker process
    use epoll;                   # epoll event model (recommended on Linux)
    multi_accept on;             # accept several connections at once
}

# HTTP settings
http {
    # Basics
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # Performance
    sendfile on;                 # zero-copy file transfer
    tcp_nopush on;               # send full packets, fewer of them
    tcp_nodelay on;              # lower latency for small writes
    keepalive_timeout 65;        # how long an idle keep-alive connection stays open

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/json application/javascript;

    # Pull in the per-site configuration files
    include /etc/nginx/conf.d/*.conf;
}
Tip 2: Serving static assets, making your site fly
Static content is where Nginx shines; this configuration gives the best performance:
server {
    listen 80;
    server_name static.example.com;

    # Document root
    root /var/www/static;
    index index.html index.htm;

    # Cache settings for static assets
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 1y;                                  # cache for one year
        add_header Cache-Control "public, immutable";
        add_header X-Cache-Status "HIT";             # fixed marker only; no cache lookup happens for local files

        # Serve pre-compressed .gz files when they exist next to the original
        gzip_static on;

        # Hotlink protection
        valid_referers none blocked server_names *.example.com;
        if ($invalid_referer) {
            return 403;
        }
    }

    # Never cache HTML
    location ~* \.(html|htm)$ {
        expires -1;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    # Hide dotfiles such as .git and .env
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Custom 404 page
    error_page 404 /404.html;
    location = /404.html {
        internal;
    }
}
Tip 3: Reverse proxy, the bridge between frontend and backend
This is the most common scenario: forwarding frontend requests to the backend API:
# Backend server group
upstream backend_api {
    server 127.0.0.1:8080 weight=3;          # weight 3
    server 127.0.0.1:8081 weight=2;          # weight 2
    server 127.0.0.1:8082 weight=1 backup;   # backup server, used only when the others are down

    # Keep-alive connection pool to the backends (this is not a health check).
    # keepalive_requests / keepalive_timeout inside upstream need nginx 1.15.3 or newer.
    keepalive 32;
    keepalive_requests 100;
    keepalive_timeout 60s;
}

server {
    listen 80;
    server_name api.example.com;

    # Proxy API requests
    location /api/ {
        proxy_pass http://backend_api;

        # Without these two lines the upstream keepalive pool is never used
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Pass the real client information through
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts
        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;

        # Buffering
        proxy_buffering on;
        proxy_buffer_size 8k;
        proxy_buffers 8 8k;

        # Error handling: retry the next backend on these conditions
        proxy_next_upstream error timeout http_500 http_502 http_503;
    }

    # WebSocket proxy
    location /ws/ {
        proxy_pass http://backend_api;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 86400;  # 24 hours
    }
}
Tip 4: Load balancing, the art of distributing traffic
Different balancing strategies suit different scenarios:
# Round robin (the default)
upstream round_robin {
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
    server 192.168.1.12:8080;
}

# Weighted round robin
upstream weighted_round_robin {
    server 192.168.1.10:8080 weight=3;
    server 192.168.1.11:8080 weight=2;
    server 192.168.1.12:8080 weight=1;
}

# IP hash (the same client IP always lands on the same server)
upstream ip_hash {
    ip_hash;
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
    server 192.168.1.12:8080;
}

# Least connections
upstream least_conn {
    least_conn;
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;
    server 192.168.1.12:8080;
}

# Passive health checks: after max_fails failures a server is skipped for fail_timeout
upstream backend_with_health_check {
    server 192.168.1.10:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.11:8080 max_fails=3 fail_timeout=30s;
    server 192.168.1.12:8080 max_fails=3 fail_timeout=30s backup;
}

server {
    listen 80;
    server_name lb.example.com;

    location / {
        proxy_pass http://backend_with_health_check;

        # Debug headers showing which backend served the request.
        # They reveal internal addresses to every client, so keep them
        # out of production responses (log $upstream_addr instead).
        add_header X-Upstream-Server $upstream_addr;
        add_header X-Upstream-Status $upstream_status;
        add_header X-Upstream-Response-Time $upstream_response_time;
    }
}
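To see why a weight of 3/2/1 does not mean "three requests to the first server, then two to the second", here is a simulation of smooth weighted round robin, the algorithm nginx's default balancer uses. This is an added example written for this article, not nginx's code; the peer names, the "down" flag standing in for a server that has hit max_fails, and the sequences printed are all constructed.

```python
"""Smooth weighted round robin, the algorithm behind nginx's default upstream
balancer, simulated for the article's weighted_round_robin pool (weights 3/2/1).
Added example for this article, not nginx code; peer names are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    weight: int
    current_weight: int = 0
    down: bool = False  # constructed stand-in for a peer skipped after max_fails


class SmoothWeightedRoundRobin:
    """Each pick: every live peer gains its weight, the highest current_weight
    wins and is then charged the total weight. Traffic is spread out over time
    instead of sending three requests in a row to the heaviest peer."""

    def __init__(self, peers):
        self.peers = peers

    def pick(self):
        best = None
        total = 0
        for peer in self.peers:
            if peer.down:
                continue
            peer.current_weight += peer.weight
            total += peer.weight
            # strict '>' means the earlier peer wins ties, as in nginx
            if best is None or peer.current_weight > best.current_weight:
                best = peer
        if best is None:
            return None  # every peer is down; nginx would answer 502
        best.current_weight -= total
        return best.name


def schedule(weights, n, down=()):
    """Return the sequence of n peers chosen for weights [(name, weight), ...]."""
    lb = SmoothWeightedRoundRobin([Peer(name, w, down=name in down) for name, w in weights])
    return [lb.pick() for _ in range(n)]


def distribution(weights, n, down=()):
    """Count how many of n picks each peer received."""
    return dict(Counter(schedule(weights, n, down)))


if __name__ == "__main__":
    pool = [("192.168.1.10", 3), ("192.168.1.11", 2), ("192.168.1.12", 1)]
    print(schedule(pool, 6))                              # interleaved, not 3-2-1 in a row
    print(distribution(pool, 60))                         # 30 / 20 / 10
    print(distribution(pool, 60, down=("192.168.1.12",)))  # weight is redistributed to live peers
```

The point to take from the output is that a weight is a share of traffic, not a batch size: over six picks the heaviest peer gets three, but never two in a row, and when a peer drops out after max_fails its share is spread over the survivors proportionally.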
Tip 5: HTTPS configuration, security first
HTTPS is standard equipment by now; this is the secure way to set it up:
server {
    listen 443 ssl http2;
    server_name secure.example.com;

    # Certificate
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # TLS hardening
    ssl_protocols TLSv1.2 TLSv1.3;
    # These suites assume an RSA certificate; an ECDSA certificate needs ECDHE-ECDSA-* suites
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # TLS performance
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # HSTS (force HTTPS)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Other security headers.
    # Caution: add_header is not merged across levels. A location that declares
    # its own add_header loses all of these, so repeat them there when needed.
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";   # legacy header, ignored by current browsers

    location / {
        proxy_pass http://backend_api;
        # ... other proxy settings
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name secure.example.com;
    return 301 https://$server_name$request_uri;
}
Tip 6: Rate limiting, holding off abusive traffic
Under high concurrency, rate limiting is indispensable:
# Define the limit zones (they must live in the http context)
http {
    # Request rate per client IP
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

    # Concurrent connections per client IP
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

    # Total connections per server name
    limit_conn_zone $server_name zone=server_conn_limit:10m;
}

server {
    listen 80;
    server_name api.example.com;

    # Apply the limits. Note that all three locations below share the api_limit
    # zone, so the per-IP counter is common to them; only burst differs.
    location /api/ {
        # Request rate (allow bursts of up to 20 requests)
        limit_req zone=api_limit burst=20 nodelay;

        # Connection limits
        limit_conn conn_limit 10;          # at most 10 connections per IP
        limit_conn server_conn_limit 100;  # at most 100 connections for the whole server

        # Request body size
        client_max_body_size 10m;

        proxy_pass http://backend_api;
    }

    # Stricter limits on sensitive paths
    location /api/login {
        limit_req zone=api_limit burst=5 nodelay;
        limit_conn conn_limit 1;           # only one connection per IP on the login endpoint
        proxy_pass http://backend_api;
    }

    # Static assets get more headroom
    location ~* \.(jpg|jpeg|png|gif|css|js)$ {
        limit_req zone=api_limit burst=50 nodelay;
        # ... static asset settings
    }
}
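The interaction of rate, burst and nodelay is easier to understand by stepping through the leaky bucket that limit_req implements. The simulation below is an added example written for this article, not nginx's own code; it mirrors the module's accounting (the rate belongs to the zone, burst and nodelay to each limit_req directive, and the counter is kept per zone key) on constructed client addresses and timestamps.

```python
"""Simulation of nginx's limit_req leaky bucket: the rate belongs to the zone,
burst/nodelay belong to each limit_req directive, and the counter is per zone
key. Added example for this article, not nginx's own code; the client IPs and
timestamps are constructed."""


class LimitReqZone:
    """One limit_req_zone: `rate` requests per second, state keyed by client."""

    def __init__(self, rate_per_sec):
        # nginx keeps the rate in thousandths of a request per second
        self.rate = rate_per_sec * 1000
        self.state = {}  # key -> (last_ms, excess)

    def request(self, key, now_ms, burst=0, nodelay=False):
        """Decide one request: ('pass', delay_ms) or ('reject', 0) (HTTP 503)."""
        if key not in self.state:
            self.state[key] = (now_ms, 0)
            return ("pass", 0)
        last_ms, excess = self.state[key]
        elapsed_ms = max(now_ms - last_ms, 0)
        # drain the bucket for the time elapsed, then add this request
        excess = excess - self.rate * elapsed_ms // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > burst * 1000:
            return ("reject", 0)  # a rejected request does not touch the state
        self.state[key] = (now_ms, excess)
        if nodelay or excess == 0:
            return ("pass", 0)
        # without nodelay, excess requests are held until the bucket drains
        return ("pass", excess * 1000 // self.rate)


def count_passed(rate, burst, nodelay, timestamps_ms, key="198.51.100.7"):
    """How many of the requests at the given times get through for one client."""
    zone = LimitReqZone(rate)
    return sum(1 for t in timestamps_ms if zone.request(key, t, burst, nodelay)[0] == "pass")


def shared_zone_effect(rate=10):
    """The article's /api/ (burst=20) and /api/login (burst=5) share api_limit:
    a client that has used up its /api/ burst is rejected on /api/login too."""
    zone = LimitReqZone(rate)
    ip = "203.0.113.9"
    for _ in range(21):
        zone.request(ip, 0, burst=20, nodelay=True)
    return zone.request(ip, 0, burst=5, nodelay=True)[0]


if __name__ == "__main__":
    at_once = [0] * 25
    print("25 at once, burst=20 nodelay:", count_passed(10, 20, True, at_once))
    print("same, plus 15 one second later:", count_passed(10, 20, True, at_once + [1000] * 15))
    z = LimitReqZone(10)
    print("queueing delays without nodelay:", [z.request("a", 0, burst=20)[1] for _ in range(4)])
    print("/api/login right after the /api/ burst:", shared_zone_effect())
```

Two things the numbers show: with rate=10r/s and burst=20, a client that fires 25 requests at once gets 21 through and then only 10 more per second, and a rejected request does not refill anything, so hammering harder never helps. Without nodelay the same requests are queued instead, each delayed by 100 ms more than the previous one.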
Tip 7: Cache tuning, the big performance lever
Sensible caching can lift performance dramatically:
# Cache storage (http context)
http {
    proxy_cache_path /var/cache/nginx/proxy
                     levels=1:2
                     keys_zone=proxy_cache:10m
                     max_size=1g
                     inactive=60m
                     use_temp_path=off;

    # Cache key
    proxy_cache_key "$scheme$request_method$host$request_uri";
}

server {
    listen 80;
    server_name cache.example.com;

    # Cached API responses
    location /api/data/ {
        proxy_cache proxy_cache;
        proxy_cache_valid 200 10m;   # cache 200 responses for 10 minutes
        proxy_cache_valid 404 1m;    # cache 404 responses for 1 minute
        proxy_cache_valid any 5m;    # everything else for 5 minutes

        # Staleness and stampede control
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_background_update on;
        proxy_cache_lock on;

        # Expose the cache result (HIT / MISS / STALE ...) for debugging
        add_header X-Cache-Status $upstream_cache_status;

        # Ignore the backend's cache headers and use the proxy_cache_valid times above
        proxy_ignore_headers Cache-Control Expires;

        proxy_pass http://backend_api;
    }

    # Endpoints that must never be cached (per-user data)
    location /api/user/ {
        proxy_cache off;
        proxy_no_cache 1;
        proxy_cache_bypass 1;
        proxy_pass http://backend_api;
    }

    # Cache purge endpoint, restricted to localhost.
    # proxy_cache_purge is not in open-source nginx; it needs the third-party
    # ngx_cache_purge module or NGINX Plus.
    location /cache/purge {
        allow 127.0.0.1;
        deny all;
        proxy_cache_purge proxy_cache "$scheme$request_method$host$request_uri";
    }
}
III. Advanced techniques: making your Nginx more powerful
1. Dynamic configuration reload
Use Nginx Plus or open-source modules for hot configuration updates:
# Load configuration fragments with include
http {
    include /etc/nginx/conf.d/*.conf;

    # Upstream whose server list lives in its own file
    upstream backend {
        zone backend 64k;
        include /etc/nginx/upstreams/backend.conf;
    }
}

# Reload via signal (no dropped connections; workers finish in-flight requests)
# nginx -s reload
2. Log analysis and monitoring
Configure detailed logs you can actually analyze:
# Custom log format
log_format detailed '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time '
                    '$upstream_addr $upstream_status';

# JSON log format (easy to parse; escape=json keeps the output valid JSON)
log_format json escape=json '{'
    '"time": "$time_iso8601",'
    '"remote_addr": "$remote_addr",'
    '"request": "$request",'
    '"status": $status,'
    '"body_bytes_sent": $body_bytes_sent,'
    '"request_time": $request_time,'
    '"upstream_response_time": "$upstream_response_time"'
'}';

server {
    access_log /var/log/nginx/detailed.log detailed;
    access_log /var/log/nginx/json.log json;
}
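Once the log is JSON, the questions from the troubleshooting section ("who is getting 502s?", "which requests are slow?") become a few lines of code. The script below is an added example for this article, not something shipped with Nginx; the log lines are constructed to match the json log_format above, including a retried request (comma-separated upstream times) and a garbage request line that nginx logs as a 400 with escaped control characters.

```python
"""Parse the article's escape=json access log and pull out what an on-call
engineer looks for: slow requests, upstream 5xx counts per client, p95 latency.
Added example, not from the article; the log lines are constructed."""
import json
import math
from collections import Counter

# Constructed sample in the shape nginx writes with the article's `json` log_format
SAMPLE_LOG = r"""
{"time": "2025-12-10T18:40:01+08:00","remote_addr": "203.0.113.5","request": "GET /api/data/items HTTP/1.1","status": 200,"body_bytes_sent": 512,"request_time": 0.012,"upstream_response_time": "0.010"}
{"time": "2025-12-10T18:40:02+08:00","remote_addr": "203.0.113.5","request": "GET /static/app.js HTTP/1.1","status": 200,"body_bytes_sent": 40213,"request_time": 0.003,"upstream_response_time": "-"}
{"time": "2025-12-10T18:40:03+08:00","remote_addr": "198.51.100.9","request": "POST /api/login HTTP/1.1","status": 502,"body_bytes_sent": 157,"request_time": 0.001,"upstream_response_time": "0.000, 0.000"}
{"time": "2025-12-10T18:40:03+08:00","remote_addr": "198.51.100.9","request": "POST /api/login HTTP/1.1","status": 502,"body_bytes_sent": 157,"request_time": 0.001,"upstream_response_time": "0.000, 0.000"}
{"time": "2025-12-10T18:40:04+08:00","remote_addr": "198.51.100.9","request": "POST /api/login HTTP/1.1","status": 504,"body_bytes_sent": 167,"request_time": 30.001,"upstream_response_time": "30.000"}
{"time": "2025-12-10T18:40:05+08:00","remote_addr": "192.0.2.44","request": "GET /api/data/report HTTP/1.1","status": 200,"body_bytes_sent": 88311,"request_time": 2.480,"upstream_response_time": "0.900, 1.570"}
{"time": "2025-12-10T18:40:06+08:00","remote_addr": "192.0.2.44","request": "\u0016\u0003\u0001\u0002","status": 400,"body_bytes_sent": 150,"request_time": 0.000,"upstream_response_time": "-"}
"""


def upstream_seconds(value):
    """$upstream_response_time is '-' for local files and a comma/colon separated
    list when proxy_next_upstream retried; return the total in seconds or None."""
    if value in (None, "", "-"):
        return None
    total = 0.0
    for part in value.replace(":", ",").split(","):
        part = part.strip()
        if part and part != "-":
            total += float(part)
    return total


def parse_log(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        parts = rec["request"].split(" ")
        # a garbage request line (e.g. a TLS handshake sent to port 80) has no method/path
        rec["method"] = parts[0] if len(parts) >= 3 else "-"
        rec["path"] = parts[1] if len(parts) >= 3 else "-"
        rec["upstream_seconds"] = upstream_seconds(rec.get("upstream_response_time"))
        records.append(rec)
    return records


def slow_requests(records, threshold_s=1.0):
    """(client, path, seconds) for every request at or above the threshold."""
    return [(r["remote_addr"], r["path"], r["request_time"])
            for r in records if r["request_time"] >= threshold_s]


def upstream_errors_by_client(records):
    """Count 502/503/504 per client: one source dominating points at that client
    hammering an endpoint, a spread across clients points at a dead backend."""
    return Counter(r["remote_addr"] for r in records if r["status"] in (502, 503, 504))


def p95(values):
    """Nearest-rank 95th percentile."""
    if not values:
        return None
    ordered = sorted(values)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("slow:", slow_requests(recs))
    print("upstream errors:", upstream_errors_by_client(recs))
    print("p95 request_time:", p95([r["request_time"] for r in recs]))
```

Run it against a real json.log by replacing SAMPLE_LOG with the file's contents; because the format uses escape=json, json.loads handles the odd request lines that would break a naive regex parser of the plain-text format.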
3. Security hardening
# Hide the Nginx version in headers and error pages
server_tokens off;

location / {
    # Restrict request methods (HEAD is allowed implicitly whenever GET is)
    limit_except GET POST HEAD {
        deny all;
    }

    # Crude filters for SQL injection / XSS patterns in the query string.
    # They catch only the most obvious probes and can block legitimate requests
    # that happen to contain these strings; a real WAF (e.g. ModSecurity) is
    # the proper tool. Both checks must live in the same location block, since
    # two "location /" blocks in one server are a configuration error.
    if ($args ~* "(\<|%3C).*script.*(\>|%3E)") {
        return 403;
    }
    if ($args ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        return 403;
    }
    if ($args ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        return 403;
    }
}

# Block access to dotfiles
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}
IV. Performance tuning: squeezing out every last drop
System-level tuning
# Kernel parameters, /etc/sysctl.conf
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_tw_reuse = 1
# net.ipv4.tcp_tw_recycle = 1   # removed in Linux 4.12 and breaks clients behind NAT; do not set it

# File descriptor limits, /etc/security/limits.conf
# (applies to PAM login sessions; for an nginx started by systemd set LimitNOFILE in the unit instead)
nginx soft nofile 65535
nginx hard nofile 65535
Nginx performance settings
# Worker processes
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;

events {
    worker_connections 4096;
    use epoll;
    multi_accept on;
    accept_mutex off;
}

http {
    # Connections
    keepalive_timeout 60;
    keepalive_requests 1000;

    # Buffers
    client_body_buffer_size 128k;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;

    # Compression
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 1000;
    gzip_proxied any;

    # Open file cache
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
}
V. Troubleshooting: every pit I've fallen into
1. 502 Bad Gateway
# Check whether the upstream is actually answering
curl -I http://127.0.0.1:8080/health

# Check the Nginx error log
tail -f /var/log/nginx/error.log

# Check the firewall rules
iptables -L

# Check SELinux (by default it blocks nginx from opening outbound connections)
sestatus
setsebool -P httpd_can_network_connect 1
2. 404 on static assets
# Check the file path and permissions
location /static/ {
    # alias replaces the "/static/" prefix. When the two paths mirror each other
    # like this, "root /var/www;" is equivalent and avoids the known quirks of
    # combining alias with try_files.
    alias /var/www/static/;
    try_files $uri $uri/ =404;

    # Debug headers: remove them before going to production
    add_header X-Debug-Root $document_root;
    add_header X-Debug-Uri $uri;
}
3. HTTPS certificate problems
# Inspect the certificate (subject, validity dates, SANs)
openssl x509 -in /path/to/cert.crt -text -noout

# Check the chain as a client sees it
openssl s_client -connect example.com:443 -servername example.com

# Validate the Nginx configuration (including certificate/key paths)
nginx -t
VI. Deployment in practice: an Nginx environment in one go
Quick deployment with Docker
FROM nginx:alpine

# Copy the configuration
COPY nginx.conf /etc/nginx/nginx.conf
COPY conf.d/ /etc/nginx/conf.d/

# Copy the static files
COPY html/ /usr/share/nginx/html/

# Create the log directory
RUN mkdir -p /var/log/nginx

EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
Docker Compose configuration
version: '3.8'
services:
  nginx:
    image: nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./conf.d:/etc/nginx/conf.d
      - ./ssl:/etc/nginx/ssl
      - ./logs:/var/log/nginx
    depends_on:
      - backend
    restart: unless-stopped

  backend:
    image: your-app:latest
    ports:
      - "8080:8080"
    environment:
      - SPRING_PROFILES_ACTIVE=prod
Automation script
#!/bin/bash
# nginx-deploy.sh

# Check the configuration syntax before touching the running server
if ! nginx -t; then
    echo "Nginx配置文件语法错误"
    exit 1
fi

# Back up the current configuration
cp /etc/nginx/nginx.conf "/etc/nginx/nginx.conf.backup.$(date +%Y%m%d_%H%M%S)"

# Graceful reload; only report success if the reload itself succeeded
nginx -s reload || exit 1
echo "Nginx配置已更新并重载成功"
Conclusion
Mastering Nginx configuration is not about memorizing every parameter; it is about understanding what each directive does and which scenario it fits:
Remember: a good Nginx configuration is never finished in one pass; it is refined through practice. Start by meeting the basic requirements, tune step by step as real traffic demands, and you too will end up with a high-performance, highly available Nginx service.
This article was last edited on 2025/12/10 18:42:28.