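# Worker identity: while this stays commented nginx falls back to its built-in
# default unprivileged user; never run workers as root. Uncomment once the
# account exists on the host.
#user appuser;
worker_processes 1;
# A single error_log is enough. The original declared the same file twice
# (once at the default level, once at notice), so every message admitted by
# both levels was written to it twice.
error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;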
# Connection handling: upper bound on simultaneous connections per worker.
events {
    worker_connections 1024;
}
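http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # Audit log format: client, request line, status, size, referer/UA, the
    # X-Forwarded-For chain and upstream timing.
    # NOTE: $http_x_forwarded_for is a client-supplied header; for requests that
    # arrive through the 443 front it carries the real client IP, for anything
    # else it is untrusted input and must not be used for access decisions.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"'
                    '$upstream_addr $upstream_response_time $request_time ';
    # Logging is opt-in per server below.
    access_log off;
    #gzip on;
    server_tokens off; # hide the nginx version in Server headers and error pages

    # Headers forwarded to every proxied upstream (inherited by the proxy
    # locations in the 443 and 9002 servers).
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Request/header size limits (apply to all servers).
    client_body_buffer_size 128k;
    client_header_buffer_size 1k;
    # 1 GiB is an upload ceiling, not a hardening limit. If only one route
    # needs uploads this large, set it there and keep the global value small.
    client_max_body_size 1024M;
    # NOTE(review): 2 x 1k is below what browsers commonly send once cookies
    # and long URLs are involved and will surface as 400/494 responses --
    # confirm against real traffic before keeping it this low.
    large_client_header_buffers 2 1k;
    # Slow-client timeouts in seconds; bounds slowloris-style connection holding.
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;
    fastcgi_intercept_errors on; # no fastcgi_pass in this file; harmless but unused

    # Per-IP request-rate zone (20 r/s sustained). The original attached
    # limit_req only to an anonymous server{} with no listen/root, so it never
    # applied to any real service; it is attached explicitly below.
    limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
    #limit_conn_zone one $binary_remote_addr 10m;

    # Static front end (SPA build in /data/dist) on plain HTTP. The 443 server
    # below proxies to it over loopback; the TLS front is the intended public face.
    server {
        listen 8082;
        server_name localhost;
        # Server-level root: the image location below had no root of its own and
        # so resolved against the default html/ prefix directory (404s).
        root /data/dist;
        # For requests arriving via the 443 proxy $remote_addr is 127.0.0.1; the
        # real client IP is in the X-Forwarded-For field of the log line.
        access_log /data/logs/10.xxx.170.36.log main;

        # Canonical-host redirect. The original sent clients to a hard-coded
        # plaintext http://...:8082 URL (a TLS downgrade) and dropped the path;
        # send them to the HTTPS front and keep the requested URI instead.
        if ($host != '10.xxx.170.36') {
            return 301 https://10.xxx.170.36$request_uri;
        }

        # Deny .ht* files in the document root. This rule lived in the 9002 API
        # server, where nothing is served from disk, so it protected nothing.
        location ~ /\.ht {
            deny all;
        }

        # Long-lived cache for images (6 months); root is inherited from the server.
        location ~ .*\.(gif|jpg|jpeg|bmp|swf)$ {
            expires 180d;
            access_log off;
        }
        # location ~ .*\.(js|css)$
        # {
        #     expires 12h;
        #     access_log off;
        # }

        location / {
            autoindex off; # never list directories
            try_files $uri $uri/ /index.html; # SPA: deep links and refresh resolve to index.html

            # Crude SQL-injection pattern blocklist on the query string. This is
            # not a WAF and is trivially bypassed (encoding, inline comments,
            # alternative keywords); it only cuts log noise from scanners.
            # A match is refused outright. The original rewrote to "$host", which
            # is not a URL and produced a meaningless relative 301.
            if ($query_string ~* "union.*select.*\(") {
                return 403;
            }
            if ($query_string ~* "concat.*\(") {
                return 403;
            }
        }

        # add_header 'Access-Control-Allow-Origin' '*';
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # Build note: nginx compiled with ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-openssl=/data/openssl-1.1.1l/

    # HTTPS front for the SPA: TLS terminates here, traffic is proxied to 8082
    # over loopback.
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /usr/local/openssl/server.crt;
        ssl_certificate_key /usr/local/openssl/server.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        # Pin the protocol floor: without this directive older nginx builds still
        # offer TLSv1 and TLSv1.1. TLSv1.3 needs the OpenSSL 1.1.1 build noted above.
        ssl_protocols TLSv1.2 TLSv1.3;
        # HIGH:!aNULL:!MD5 still admits static-RSA key exchange (no forward
        # secrecy); exclude it, and 3DES, explicitly.
        ssl_ciphers HIGH:!aNULL:!MD5:!kRSA:!3DES;
        ssl_prefer_server_ciphers on;
        # Strict-Transport-Security is deliberately not set: with an IP-addressed
        # certificate that is presumably self-signed (TODO confirm), HSTS would
        # make the browser warning non-bypassable. Add it once a CA-issued
        # certificate for a real hostname is in place.
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always; # relax if the SPA must be framed elsewhere

        # Rate limiting is intentionally NOT attached here: burst=5 with nodelay
        # would 503 the parallel asset fetches of a normal page load. Attach it
        # with a burst sized to the page's fan-out:
        # limit_req zone=allips burst=5 nodelay;

        location / {
            proxy_pass http://127.0.0.1:8082;
        }
    }

    # HTTPS entry point for the back-end API (the front end calls :9002 over TLS).
    server {
        listen 9002 ssl;
        server_name localhost;
        ssl_certificate /usr/local/openssl/server.crt;
        ssl_certificate_key /usr/local/openssl/server.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5:!kRSA:!3DES;
        ssl_prefer_server_ciphers on;

        # The original never logged API traffic (http-level access_log off and
        # no override here), leaving a hole in the audit trail.
        access_log /data/logs/10.xxx.170.36.log main;

        # Per-IP rate limit, now actually attached to a listening server.
        # NOTE(review): burst=5 may reject legitimate bursts of concurrent XHR
        # calls; tune burst against observed API fan-out.
        limit_req zone=allips burst=5 nodelay;

        location / {
            # add_header Access-Control-Allow-Origin *;
            # add_header Access-Control-Allow-Methods 'GET, POST';
            # add_header 'Access-Control-Allow-Origin' '*';
            # TLS covers only client<->nginx; this hop is plaintext HTTP to another
            # host. Use an https:// upstream or a trusted private segment if that
            # network is not fully controlled.
            proxy_pass http://10.xxx.170.37:9001;
        }

        # Kept for parity with the original; with proxy_pass above nothing is
        # served from disk in this server, so this only refuses proxying .ht* paths.
        location ~ /\.ht {
            deny all;
        }
    }
}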