Nginx's main configuration file is usually located at /etc/nginx/nginx.conf, and its basic structure is as follows:
# Main (global) context: settings that affect Nginx as a whole
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

# events context: how Nginx handles network connections with clients
events {
    worker_connections 1024;
    use epoll;
}

# http context: proxying, caching, logging and most other features
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # server context: a virtual host
    server {
        listen 80;
        server_name example.com;

        # location context: configuration keyed on the request URI
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
    }
}
server {
    listen 80;
    server_name static.example.com;
    location / {
        root /var/www/static;
        expires 30d; # cache control
        add_header Cache-Control "public";
    }
}
server {
    listen 80;
    server_name spa.example.com;
    root /var/www/spa;
    index index.html;
    location / {
        try_files $uri $uri/ /index.html;
    }
    # Deny access to hidden files such as .git
    location ~ /\. {
        deny all;
    }
}
server {
    listen 80;
    server_name api.example.com;
    location /api/ {
        proxy_pass http://backend-server:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
HTTPS = HTTP + SSL/TLS; its security rests on the following core principles:
Asymmetric encryption: used for key exchange
Symmetric encryption: used for data transfer
Digital certificates: verify the server's identity
Handshake process:
1. ClientHello - the client sends its supported cipher suites and a random number
2. ServerHello - the server chooses the cipher suite and sends its certificate and a random number
3. Key exchange - the client verifies the certificate and sends the pre-master secret
4. Finished - both sides derive the session keys and begin encrypted communication
server {
    listen 443 ssl;
    server_name secure.example.com;
    ssl_certificate /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3; # disable insecure protocol versions
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    location / {
        root /var/www/secure;
        index index.html;
    }
}
server {
    listen 80;
    server_name secure.example.com;
    return 301 https://$host$request_uri;
}
server {
    # ...other HTTPS configuration...
    # Note: add_header is only inherited by a location that defines no
    # add_header of its own; a location with its own add_header drops these.
    # HSTS (HTTP Strict Transport Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # Prevent clickjacking
    add_header X-Frame-Options "DENY";
    # XSS protection (legacy browser filter; current browsers ignore this header)
    add_header X-XSS-Protection "1; mode=block";
    # Disable content-type sniffing
    add_header X-Content-Type-Options "nosniff";
    # CSP content security policy ('unsafe-inline' permits inline scripts and weakens the policy)
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' cdn.example.com";
}
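As an added example (not code from the original article), a small Python audit that checks a captured response-header block against the hardening headers above, including the version leak that server_tokens off hides and the 'unsafe-inline' weakness in the CSP. The two header samples are constructed, and the one-year minimum HSTS age is an assumed threshold.

```python
import re

# Constructed sample response-header blocks (not captured from a real server): one
# from a server with the hardening block above, one from an untouched server.
HARDENED = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' cdn.example.com
"""
BARE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html
"""

def parse_headers(raw):
    """Turn a raw header block into {lowercase-name: value}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw, min_hsts_age=31536000):
    """Return a list of findings (empty means all checks passed). The one-year
    min_hsts_age threshold is an assumption, not a value from the article."""
    h = parse_headers(raw)
    findings = []
    if re.search(r"nginx/\d", h.get("server", "")):
        findings.append("Server header leaks the Nginx version (set server_tokens off)")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < min_hsts_age:
        findings.append("missing Strict-Transport-Security or max-age below %d" % min_hsts_age)
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("missing or weak X-Frame-Options")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # Split the policy into directives; script-src falls back to default-src.
        directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.split()}
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows 'unsafe-inline' scripts, which weakens XSS protection")
    return findings
```

To audit a live server, pass it the output of `curl -sI https://example.com` in place of the constructed samples.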
Install Certbot:
sudo apt install certbot python3-certbot-nginx
Obtain a certificate:
sudo certbot --nginx -d example.com -d www.example.com
Automatic renewal (add to crontab):
0 12 * * * /usr/bin/certbot renew --quiet
Make sure the certificate chain is complete; it can be checked with:
openssl s_client -connect example.com:443 -showcerts
If the intermediate certificate is missing, concatenate the server certificate and the intermediate certificate (server certificate first):
cat example.com.crt intermediate.crt > chained.crt
server {
    # ...other configuration...
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 365d;
        add_header Cache-Control "public, no-transform";
        access_log off;
    }
    # Enable gzip compression (note: compressing responses that mix secrets with
    # attacker-influenced content exposes them to BREACH-style attacks)
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_vary on;
}
server {
    listen 443 ssl http2; # since nginx 1.25.1 the http2 listen parameter is deprecated in favour of the "http2 on;" directive
    server_name example.com;
    # ...SSL configuration...
    # Enable HTTP/2 server push (removed in nginx 1.25.1; these directives are ignored there)
    location = /index.html {
        http2_push /style.css;
        http2_push /app.js;
    }
}
upstream backend {
    least_conn; # least-connections balancing
    server backend1.example.com:8080;
    server backend2.example.com:8080;
    server backend3.example.com:8080 backup; # backup server
}
server {
    location / {
        proxy_pass http://backend;
        # ...other proxy settings...
    }
}
# Check configuration syntax
sudo nginx -t
# Reload the configuration (without interrupting service)
sudo nginx -s reload
# Check listening ports
netstat -tulnp | grep nginx
# Test the HTTPS handshake
openssl s_client -connect example.com:443 -servername example.com
# Follow the access log in real time
tail -f /var/log/nginx/access.log
# Find requests that returned server errors
grep " 50[0-9] " /var/log/nginx/access.log
# Analyse traffic sources
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr
Use allow/deny to restrict sensitive paths, and hide the Nginx version number:
server_tokens off; # hide the Nginx version number
Defending against common attacks:
# Limit request sizes to prevent buffer overflows
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k; # note: 1k rejects almost any upload; raise it for sites that accept POST bodies
large_client_header_buffers 2 1k;
# Restrict request methods (placed inside a server or location context)
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}
By configuring Nginx sensibly and implementing HTTPS correctly, the security, performance and reliability of front-end applications can be improved significantly. Regularly reviewing the configuration and monitoring the logs is key to keeping the service running stably over the long term.