
分类: LINUX

2010-08-21 18:15:58

 我们的目标是配置一台响应最快、CPU/IO 利用最有效,更重要的是安全的 Web 服务器;下面的配置文件适用于最新版 nginx。

  写道

  #######################################################

  ### Calomel.org /etc/nginx.conf BEGIN

  #######################################################

  #

  ## Main context: worker identity, worker count and pid file.
  ## (Order of main-context directives is not significant.)
  user nginx nginx;
  worker_processes 2;
  pid /var/run/nginx.pid;

  ## Connection-processing settings
  events {
      ## Upper bound on simultaneous connections per worker process
      worker_connections 1024;
  }

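  http {
      ## MIME types
      include mime.types;
      ## The inline types table is kept for reference only. Both its opening
      ## AND its closing brace are commented out: an uncommented "}" here
      ## closes the http block early and nginx refuses to start.
      # types {
      #     image/gif    gif;
      #     image/jpeg   jpg;
      #     image/png    png;
      #     image/bmp    bmp;
      #     image/x-icon ico;
      #     text/css     css;
      #     text/html    html;
      #     text/plain   bob;
      #     text/plain   txt;
      # }
      default_type application/octet-stream;

      ## Size Limits (deliberately tight: this vhost answers GET/HEAD only,
      ## so no request body is ever expected)
      client_body_buffer_size 8k;
      client_header_buffer_size 1k;
      client_max_body_size 1k;
      large_client_header_buffers 1 1k;

      ## Timeouts (seconds) - short values bound how long a slow or idle
      ## client can hold a worker connection
      client_body_timeout 5;
      client_header_timeout 5;
      keepalive_timeout 5 5;
      send_timeout 5;

      ## General Options
      ignore_invalid_headers on;
      ## Per-client connection accounting, consumed by limit_conn below.
      ## limit_zone is the pre-1.1.8 spelling; current releases use
      ## "limit_conn_zone $binary_remote_addr zone=gulag:1m;".
      limit_zone gulag $binary_remote_addr 1m;
      recursive_error_pages on;
      sendfile on;
      server_name_in_redirect off;
      ## Do not reveal the nginx version in the Server header and error pages
      server_tokens off;

      ## TCP options
      tcp_nodelay on;
      tcp_nopush on;

      ## Compression
      gzip on;
      gzip_static on;
      gzip_buffers 16 8k;
      gzip_comp_level 9;
      gzip_http_version 1.0;
      gzip_min_length 0;
      gzip_types text/plain text/html text/css image/x-icon image/bmp;
      gzip_vary on;

      ## Log Format
      log_format main '$remote_addr $host $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';

      ## Deny access to any host other than (www.)mydomain.com
      ## NOTE: this catch-all has no listen directive, so it binds *:80. The
      ## site below listens on 127.0.0.1:8080, where it is the only (hence
      ## default) server, so unknown Host values there are handled by the
      ## $host check inside that server instead.
      server {
          server_name _; #default
          return 444;
      }

      ## Server (www.)mydomain.com
      server {
          access_log /var/log/nginx/access.log main buffer=32k;
          error_log /var/log/nginx/error.log info;
          expires 31d;
          limit_conn gulag 5;
          listen 127.0.0.1:8080 rcvbuf=64k backlog=128;
          root /disk01/htdocs;
          ## Both names listed explicitly so the www -> non-www redirect below
          ## is reached on purpose rather than only as the socket's default.
          server_name mydomain.com www.mydomain.com;

          ## SSL Options (only enable if you use a SSL certificate)
          ## SSLv3 is obsolete and must not be offered; the example now
          ## restricts protocols to TLS 1.2 and later (TLSv1.3 needs nginx
          ## 1.13+ with OpenSSL 1.1.1+; drop it on older builds).
          ## Caveat: gzip of text/html is on above. Compressing pages that
          ## embed per-user secrets over TLS exposes them to compression
          ## side channels; disable gzip for such responses if TLS is enabled.
          # ssl on;
          # ssl_certificate /ssl_keys/mydomain.com_ssl.crt;
          # ssl_certificate_key /ssl_keys/mydomain_ssl.key;
          # ssl_ciphers HIGH:!ADH:!MD5;
          # ssl_prefer_server_ciphers on;
          # ssl_protocols TLSv1.2 TLSv1.3;
          # ssl_session_cache shared:SSL:1m;
          # ssl_session_timeout 5m;

          ## Only allow GET and HEAD request methods
          if ($request_method !~ ^(GET|HEAD)$ ) {
              return 444;
          }

          ## Deny illegal Host headers
          ## Dots are escaped: an unescaped "." is a regex wildcard, so
          ## "mydomainXcom" would otherwise pass the check.
          if ($host !~* ^(mydomain\.com|www\.mydomain\.com)$ ) {
              return 444;
          }

          ## Deny certain User-Agents (case insensitive)
          ## The ~* makes it case insensitive as opposed to just a ~
          if ($http_user_agent ~* (Baiduspider|Jullo) ) {
              return 444;
          }

          ## Deny certain Referers (case insensitive)
          ## The ~* makes it case insensitive as opposed to just a ~
          if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo) ) {
              return 444;
          }

          ## Redirect from www to non-www
          ## "return 301" is the idiomatic form; $request_uri keeps path and
          ## query string intact. $scheme follows whatever the client used.
          if ($host = 'www.mydomain.com' ) {
              return 301 $scheme://mydomain.com$request_uri;
          }

          ## Stop Image and Document Hijacking
          ## valid_referers replaces the hand-written regex. "none" and
          ## "blocked" keep direct loads and privacy proxies working (a bare
          ## "!~ ^(...)" match would have blocked every empty Referer);
          ## anything else must name one of our own hosts.
          location ~* (\.jpg|\.png|\.css)$ {
              valid_referers none blocked mydomain.com www.mydomain.com;
              if ($invalid_referer) {
                  return 444;
              }
          }

          ## Restricted Access directory
          ## A client must pass BOTH the address allow-list and HTTP basic
          ## auth (satisfy all is the default). The password file lives
          ## outside root (/disk01/htdocs), so it can never be served.
          ## Basic auth sends credentials in clear text: enable the TLS block
          ## above if this vhost is reachable over a network.
          location ^~ /secure/ {
              allow 127.0.0.1/32;
              allow 10.10.10.0/24;
              deny all;
              auth_basic "RESTRICTED ACCESS";
              auth_basic_user_file /var/www/htdocs/secure/access_list;
          }

          ## Only allow these file types to document root
          ## $uri (decoded and normalised) is matched instead of $request_uri:
          ## a query string or percent-encoded suffix can no longer make a
          ## permitted file fail the check, nor a forbidden one slip past it.
          ## The negated test removes the "if ... break" construct.
          location / {
              if ($uri !~* (^\/|\.html|\.jpg|\.org|\.png|\.css|favicon\.ico|robots\.txt)$ ) {
                  return 444;
              }
          }

          ## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico
          location = /favicon.ico {
              #empty_gif;
              return 204;
          }

          ## System Maintenance (Service Unavailable)
          ## Drop a system_maintenance.html into the document root to take
          ## the site offline; remove it to come back.
          if (-f $document_root/system_maintenance.html ) {
              error_page 503 /system_maintenance.html;
              return 503;
          }

          ## All other errors get the generic error page
          error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417
                     500 501 502 503 504 505 /error_page.html;
          ## internal: the error page is only reachable through error_page,
          ## never by a direct client request.
          location /error_page.html {
              internal;
          }
      }
  }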

  #

  #######################################################

  ### Calomel.org /etc/nginx.conf END

  #######################################################

  2. nginx 对后端服务器的反向代理配置

  有三个后端服务,一个为web内容服务,一个是论坛服务,一个为文件服务。

  当一个请求到来时,nginx 代理服务器查看 URL,把请求定向到相应的后端服务器。这个配置也缓存文件服务的内容,但论坛和数据下载的内容不缓存;这个配置还使用了压缩,以更好地节省内存。

  写道

  #######################################################

  ### Calomel.org /etc/nginx.conf BEGIN

  #######################################################

  ## Main context for the reverse-proxy instance: ten workers, nginx user,
  ## pid file. (Main-context directive order is not significant.)
  user nginx nginx;
  worker_processes 10;
  pid /var/run/nginx.pid;

  ## Connection-processing settings
  events {
      ## Upper bound on simultaneous connections per worker process
      worker_connections 1024;
  }

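  http {
      ## MIME types
      #include /etc/nginx_mime.types;
      default_type application/octet-stream;

      ## Size Limits
      client_body_buffer_size 128K;
      client_header_buffer_size 128K;
      client_max_body_size 1M;
      ## NOTE(review): 1k here is far smaller than client_header_buffer_size,
      ## so the overflow buffer can never hold a header line that did not fit
      ## above; verify this is the intended sizing.
      large_client_header_buffers 1 1k;

      ## Timeouts (seconds)
      client_body_timeout 60;
      client_header_timeout 60;
      expires 24h;
      keepalive_timeout 60 60;
      send_timeout 60;

      ## General Options
      ignore_invalid_headers on;
      keepalive_requests 100;
      ## Per-client connection accounting, consumed by limit_conn below.
      ## limit_zone is the pre-1.1.8 spelling; current releases use
      ## "limit_conn_zone $binary_remote_addr zone=gulag:5m;".
      limit_zone gulag $binary_remote_addr 5m;
      recursive_error_pages on;
      sendfile on;
      server_name_in_redirect off;
      ## Do not reveal the nginx version in the Server header and error pages
      server_tokens off;

      ## TCP options
      tcp_nodelay on;
      tcp_nopush on;

      ## Compression
      gzip on;
      gzip_buffers 16 8k;
      gzip_comp_level 6;
      gzip_http_version 1.0;
      gzip_min_length 0;
      gzip_types text/plain text/css image/x-icon application/x-perl application/x-httpd-cgi;
      gzip_vary on;

      ## Log Format
      log_format main '$remote_addr $host $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                      '"$gzip_ratio"';

      ## Proxy options
      proxy_buffering on;
      proxy_cache_min_uses 3;
      proxy_cache_path /usr/local/nginx/proxy_temp/ levels=1:2 keys_zone=cache:10m inactive=10m max_size=1000M;
      proxy_cache_valid any 10m;
      proxy_ignore_client_abort off;
      ## Backend error responses are replaced by the error_page below
      proxy_intercept_errors on;
      proxy_next_upstream error timeout invalid_header;
      proxy_redirect off;
      ## $remote_addr (not $proxy_add_x_forwarded_for) is deliberate: any
      ## client-supplied X-Forwarded-For is discarded, so the backend only
      ## sees the address this proxy observed. If nginx itself sits behind
      ## another trusted proxy, that proxy's address is what the backend gets.
      ## (Do not add proxy_set_header inside a location below: a single
      ## proxy_set_header there replaces ALL of the http-level ones.)
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_connect_timeout 60;
      proxy_send_timeout 60;
      proxy_read_timeout 60;

      ## Backend servers (web1 is the primary and web2 will come up if web1 is down)
      upstream webbackend {
          server web1.domain.lan weight=10 max_fails=3 fail_timeout=30s;
          server web2.domain.lan weight=1 backup;
      }

      server {
          access_log /var/log/nginx/access.log main;
          error_log /var/log/nginx/error.log;
          index index.html;
          limit_conn gulag 50;
          ## "default" is the legacy spelling of default_server
          listen 127.0.0.1:80 default;
          root /usr/local/nginx/html;
          server_name _;

          ## Only requests to our Host are allowed
          ## Dots are escaped: an unescaped "." is a regex wildcard, so
          ## "mydomainXcom" would otherwise pass the check.
          if ($host !~ ^(mydomain\.com|www\.mydomain\.com)$ ) {
              return 444;
          }

          ## Only allow these request methods
          if ($request_method !~ ^(GET|HEAD|POST)$ ) {
              return 444;
          }

          ## PROXY - Forum (not cached; inherits the http-level proxy options)
          ## TODO: the backend URL was lost from the source listing. Replace
          ## the placeholder; a trailing "/" on the URL would strip the
          ## /forum/ prefix before forwarding, no trailing "/" keeps it.
          location /forum/ {
              proxy_pass http://FORUM_BACKEND_PLACEHOLDER;
          }

          ## PROXY - Data (not cached; inherits the http-level proxy options)
          ## TODO: backend URL lost from the source listing, see /forum/ above.
          location /files/ {
              proxy_pass http://FILES_BACKEND_PLACEHOLDER;
          }

          ## PROXY - Web
          ## There must be exactly one "location /": nginx rejects a duplicate,
          ## so the file-type allow-list and the proxy share this block. $uri
          ## (decoded, normalised) is matched instead of $request_uri so a
          ## query string or percent-encoded suffix cannot defeat the check.
          location / {
              if ($uri !~* (^\/|\.html|\.jpg|\.pl|\.png|\.css|\.ico|robots\.txt)$ ) {
                  return 444;
              }
              proxy_pass http://webbackend;
              proxy_cache cache;
              proxy_cache_valid 200 24h;
              proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
              ## Expires/Cache-Control from the backend are ignored, so even a
              ## response the backend marks private or no-store is cached for
              ## 24h and served to every client. Only safe while the web
              ## backend serves no per-user content (Set-Cookie responses are
              ## still not cached, as that header is not in this list).
              proxy_ignore_headers Expires Cache-Control;
          }

          ## All other errors get the generic error page
          error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417
                     500 501 502 503 504 505 506 507 /error_page.html;
          ## internal: the error page is only reachable through error_page,
          ## never by a direct client request.
          location /error_page.html {
              internal;
          }
      }
  }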
