前言
Nginx是全球使用最广泛的Web服务器和反向代理。本文介绍Nginx的性能优化和安全加固配置,适合生产环境直接使用。
一、性能优化
1.1 Worker进程配置
# /etc/nginx/nginx.conf
worker_processes auto; # 自动匹配CPU核心数
worker_rlimit_nofile 65535; # 最大文件描述符
events {
worker_connections 10240; # 每个worker的最大连接数
use epoll; # Linux高性能事件模型
multi_accept on; # 一次接受多个连接
}
1.2 Gzip压缩
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/javascript
text/xml application/xml application/xml+rss text/javascript
image/svg+xml;
1.3 Keepalive配置
# 与上游服务器的keepalive
upstream backend {
server 127.0.0.1:8080;
keepalive 32; # 保持32个长连接
}
server {
location /api/ {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
1.4 缓存配置
# 静态文件缓存
location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff2)$ {
expires 30d;
add_header Cache-Control "public, immutable";
}
# 代理缓存
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=1g;
location /api/ {
proxy_cache my_cache;
proxy_cache_valid 200 10m;
proxy_cache_use_stale error timeout updating;
}
二、SSL安全加固
# SSL配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 安全头
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
三、限流配置
# 定义限流区域
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
# API限流
location /api/ {
limit_req zone=api burst=20 nodelay;
}
# 登录限流(防止暴力破解)
location /api/auth/login {
limit_req zone=login burst=5 nodelay;
}
# 连接数限制
limit_conn_zone $binary_remote_addr zone=conn:10m;
location /download/ {
limit_conn conn 10; # 每IP最多10个并发连接
}
四、防盗链配置
# 防盗链
location ~* \.(jpg|jpeg|png|gif|mp4)$ {
valid_referers none blocked server_names *.example.com;
if ($invalid_referer) {
return 403;
}
}
五、性能监控
# 启用状态页
location /nginx_status {
stub_status on;
allow 127.0.0.1;
deny all;
}
# Prometheus指标(使用nginx-prometheus-exporter)
# 监控指标:connections, requests, response_time
总结
Nginx性能优化和安全加固是运维必备技能。通过合理的Worker配置、Gzip压缩、Keepalive、缓存、SSL加固、限流等配置,可以让Nginx更安全高效。
如果需要Nginx配置优化服务,欢迎联系17老师。
关于17老师:AI应用 · 数字化管理 · 全栈开发 · 网络安全全栈专家。联系邮箱:j.d88888888@qq.com,微信:AFIST17