Nginx常用指令及心得

发布于

Nginx常用指令

设置只允许指定IP访问

代码语言:javascript
复制
server {
        listen       443 ssl;
		listen [::]:443 ssl;
        server_name  www.hbswhsxy.cn hbswhsxy.cn;
		charset utf-8;
        # 指定crt文件路径
        ssl_certificate /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.crt;
        # 指定key文件路径       
        ssl_certificate_key /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.key;
		ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
		# 配置加密套件# ssl_ciphers HIGH: !aNULL: !MD5;
		ssl_ciphers ECC-SM2-SM4-CBC-SM3:ECC-SM2-SM4-GCM-SM3:ECDHE-SM2-SM4-CBC-SM3:ECDHE-SM2-SM4-GCM-SM3:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
		ssl_prefer_server_ciphers on;	
        location / {
		    #允许特定IP访问
		    allow 111.111.111.111;
	        #拒绝所有IP访问
		    deny all;
            root   /home/java;
        }
	    location /prod-api-two/ {
        	proxy_pass http://localhost:3004/;
        }
    }

设置只允许指定IP段访问

代码语言:javascript
复制
server {
        listen       443 ssl;
		listen [::]:443 ssl;
        server_name  www.hbswhsxy.cn hbswhsxy.cn;
		charset utf-8;
        # 指定crt文件路径
        ssl_certificate /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.crt;
        # 指定key文件路径       
        ssl_certificate_key /usr/local/nginx/conf/ssl_zhengshu/hbswhsxy.cn.key;
		ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
		# 配置加密套件# ssl_ciphers HIGH: !aNULL: !MD5;
		ssl_ciphers ECC-SM2-SM4-CBC-SM3:ECC-SM2-SM4-GCM-SM3:ECDHE-SM2-SM4-CBC-SM3:ECDHE-SM2-SM4-GCM-SM3:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!RC4:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
		ssl_prefer_server_ciphers on;	
        location / {
            #允许特定网段IP访问
			allow 111.111.111.0/24;
		    #拒绝所有IP访问
			deny all;
        }
	    location /prod-api-two/ {
        	proxy_pass http://localhost:3004/;
        }
    }

限制上传文件大小

代码语言:javascript
复制
#user为用户,不用改
#error_log为Nginx错误日志存储路径。路径根据nginx的实际目录填写。如果nginx在/usr/local/nginx/解压安装的,一般都在这里。务必确保与第8步骤创建的nginx日志文件夹一致。
user nginx;  
worker_processes auto;
error_log /usr/local/nginx/logs/error.log;   
pid /run/nginx.pid;   
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
#client_max_body_size为允许上传最大文件大小为10g,nginx默认最多允许上传1m
    client_max_body_size 10240M;  
#access_log路径根据nginx的实际目录填写
    access_log  /usr/local/nginx/logs/access.log  main;   
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /usr/local/nginx/conf/mime.types;     #路径根据nginx的实际目录填写
    default_type        application/octet-stream;   
    server {
       listen       80 default_server;
        listen       [::]:80 default_server;
        server_name     #用户访问的域名或IP;
       include /etc/nginx/default.d/*.conf;
# 凡是通过80端口访问,都跳转至指定网址和端口
        location / {           
            proxy_pass http://xxx.cn:2000;
        }
        location /xiaobai/ {      
            root /var/www/html;
        }
    }
}
#配置#nginx#rsa#ssl#加密