Nginx常用指令
设置只允许指定IP访问
代码语言:javascript
复制
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.hbswhsxy.cn hbswhsxy.cn;
charset utf-8;
# 指定crt文件路径
ssl_certificate /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.crt;
# 指定key文件路径
ssl_certificate_key /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# 配置加密套件# ssl_ciphers HIGH: !aNULL: !MD5;
ssl_ciphers ECC-SM2-SM4-CBC-SM3:ECC-SM2-SM4-GCM-SM3:ECDHE-SM2-SM4-CBC-SM3:ECDHE-SM2-SM4-GCM-SM3:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
#允许特定IP访问
allow 111.111.111.111;
#拒绝所有IP访问
deny all;
root /home/java;
}
location /prod-api-two/ {
proxy_pass http://localhost:3004/;
}
}
设置只允许指定IP段访问
代码语言:javascript
复制
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name www.hbswhsxy.cn hbswhsxy.cn;
charset utf-8;
# 指定crt文件路径
ssl_certificate /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.crt;
# 指定key文件路径
ssl_certificate_key /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# 配置加密套件# ssl_ciphers HIGH: !aNULL: !MD5;
ssl_ciphers ECC-SM2-SM4-CBC-SM3:ECC-SM2-SM4-GCM-SM3:ECDHE-SM2-SM4-CBC-SM3:ECDHE-SM2-SM4-GCM-SM3:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
#允许特定网段IP访问
allow 111.111.111.0/24;
#拒绝所有IP访问
deny all;
}
location /prod-api-two/ {
proxy_pass http://localhost:3004/;
}
}
限制上传文件大小
代码语言:javascript
复制
#user为用户,不用改
#error_log为Nginx错误日志存储路径。路径根据nginx的实际目录填写。如果nginx在/usr/local/nginx/解压安装的,一般都在这里。务必确保与第8步骤创建的nginx日志文件夹一致。
user nginx;
worker_processes auto;
error_log /usr/local/nginx/logs/error.log;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#client_max_body_size为允许上传最大文件大小为10g,nginx默认最多允许上传1m
client_max_body_size 10240M;
#access_log路径根据nginx的实际目录填写
access_log /usr/local/nginx/logs/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /usr/local/nginx/conf/mime.types; #路径根据nginx的实际目录填写
default_type application/octet-stream;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name #用户访问的域名或IP;
include /etc/nginx/default.d/*.conf;
# 凡是通过80端口访问,都跳转至指定网址和端口
location / {
proxy_pass http://xxx.cn:2000;
}
location /xiaobai/ {
root /var/www/html;
}
}
}