nginx proxy pass [ best practices ]
1、/etc/nginx/nginx.conf
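worker_processes 1; #auto; -- "auto" sizes workers to the CPU count
events {
    worker_connections 3000; #786;
    # multi_accept on;
}
http {
    server_tokens off; # hide the nginx version in the Server header and error pages
    # Used at request time to resolve upstream hostnames (proxy_pass with
    # variables in sites-available/default) and by ssl_stapling. This is a
    # public resolver queried over plain DNS; a trusted local resolver keeps
    # upstream selection out of reach of spoofed answers.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    proxy_cache_path /var/cache/proxy-nginx levels=1:2 keys_zone=proxy-cache:10m max_size=3g inactive=1d use_temp_path=off;
    # Expose the cache result to the client: HIT / MISS / BYPASS / EXPIRED / STALE.
    # add_header is inherited only by server/location levels that define no
    # add_header of their own (snippets/ssl-params.conf does), so repeat it there if needed.
    add_header X-Cache $upstream_cache_status;
    proxy_headers_hash_max_size 51200; #add this line
    proxy_headers_hash_bucket_size 6400; #add this line
    # Straight quotes: the original used typographic quotes, which nginx treats as literal text.
    log_format main '$remote_addr $status $request $body_bytes_sent [$time_local] $http_user_agent $http_referer $http_x_forwarded_for $upstream_addr $upstream_status $upstream_cache_status $upstream_response_time';
    # buffer=1m delays writes; a line may not be on disk yet when you go looking for it.
    access_log /var/log/nginx/access.log main buffer=1m; #or comment out because of disk space
    log_format cache_status '[$time_local] "$request" $upstream_cache_status';
    access_log /var/log/nginx/cache_access.log cache_status;
    gzip_proxied any; #open this line, because CDN
    # (the http block continues; its closing brace is not part of these notes)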
2、/etc/nginx/proxy_params — put all of the following in this file, or look up the documentation for the recommended practices
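proxy_http_version 1.1;
# Upgrade pass-through (WebSockets). These are sent on every request; the
# documented pattern maps $http_upgrade to a $connection_upgrade variable in
# the http block so ordinary requests do not carry "Connection: upgrade".
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# The original set Host twice ($http_host and $host) -- keep exactly one.
# $host is the lowercased name without port (falls back to server_name);
# $http_host is the raw client header and keeps the port if the upstream needs it.
proxy_set_header Host $host;
# X-Real-IP is the value the upstream should trust for the client address.
# X-Forwarded-For appends to whatever the client sent, so everything but the
# last hop is client-controlled. The original set it three times; nginx does
# not de-duplicate, so the upstream most likely received several copies.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
client_max_body_size 100M;
client_body_buffer_size 1m;
# Only has an effect together with error_page directives.
proxy_intercept_errors on;
proxy_buffering on;
proxy_buffer_size 128k;
proxy_buffers 256 16k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_max_temp_file_size 0;
# ---------------------------------------------------------------------
# Caching. The zone is declared by proxy_cache_path in nginx.conf; without
# this directive nothing is cached and $upstream_cache_status stays empty.
# A shared cache keyed on the URL will hand one client's response to another,
# so make sure the upstream marks personalised responses with Cache-Control
# (nginx does not store responses carrying Set-Cookie by default).
proxy_cache proxy-cache;
#slice 1m; # for slice_range
proxy_cache_key $scheme$host$proxy_host$request_uri; # $slice_range
#proxy_cache_key "$scheme://$host$request_uri";
#proxy_cache_key $host:$server_port$uri$is_args$args; # the key is hashed to locate the cache entry
#proxy_cache_valid 15m;
proxy_cache_valid 200 301 302 304 1h; #206 -> slice_range
proxy_cache_valid 404 1m;
# "any" also keeps 5xx responses for a minute.
proxy_cache_valid any 1m;
#proxy_set_header Range $slice_range; #for slice_range
proxy_cache_revalidate on;
# Set some good timeouts. proxy_read_timeout appeared twice in the original
# file; a directive repeated in the same context is a configuration error.
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
#proxy_cache_min_uses 3; # start caching a URL only after it has been requested 3 times
# Skip the cache lookup when any of these is non-empty and not "0". The fresh
# response is still written to the cache unless proxy_no_cache is also set.
proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;
# ---------------------------------------------------------------------
aio threads;
aio_write on;
# ---------------------------------------------------------------------
open_file_cache max=10000;
open_file_cache_min_uses 2;
open_file_cache_errors on;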
2.1、SSL
./etc/nginx/snippets/ssl-example.com.conf
# Let's Encrypt layout: fullchain.pem carries the leaf plus intermediates
# (needed for ssl_stapling_verify); privkey.pem should be readable by root only.
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; #crt
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; #key
./etc/nginx/snippets/ssl-params.conf
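# TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail current compliance
# scans; the original still offered them alongside 1.2.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Straight quotes: the original used typographic quotes, which nginx treats as literal text.
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
# Tickets off: with tickets on, the ticket key must be rotated or resumed
# sessions lose forward secrecy (see the Dropbox notes further down).
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
#resolver 8.8.8.8 8.8.4.4 valid=300s; #moved to the http block in nginx.conf (ssl_stapling uses it)
resolver_timeout 5s;
# These add_header lines sit at server level, so the http-level
# "add_header X-Cache" from nginx.conf is NOT inherited by servers that include
# this snippet; repeat it here if the X-Cache header is wanted on HTTPS.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;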
3、/etc/nginx/sites-available/default
# Default server configuration
#server1
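server {
    # Straight quotes: typographic quotes would become part of the variable value.
    set $ds_host_ip 'xxx.xxx.xxx.xxx'; #destination host ip
    set $ds_hostname 'ooo.ooo.ooo.ooo'; #destination hostname
    listen 80 reuseport;
    #listen [::]:80 default_server;
    #root /var/www/html;
    #index index.html index.htm index.nginx-debian.html;
    #server_name _;
    location / {
        # Only one proxy_pass is allowed per location; both lines were active
        # in the original, which nginx rejects as a duplicate directive. The IP
        # form is kept; the hostname form relies on the resolver in nginx.conf.
        proxy_pass http://$ds_host_ip:$server_port;
        #proxy_pass http://$ds_hostname:$server_port;
        include /etc/nginx/proxy_params;
        #try_files $uri $uri/ =404;
    }
    # Status page: reachable by every client in the original; restrict it to
    # the local host (add monitoring addresses as further allow lines).
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
}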
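server {
    # Straight quotes: typographic quotes would become part of the variable value.
    set $ds_host_ip 'xxx.xxx.xxx.xxx';
    set $ds_hostname 'ooo.ooo.ooo.ooo';
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    location / {
        # One proxy_pass per location (both were active in the original, which
        # nginx rejects as a duplicate). $server_port is 443 here, so this sends
        # plain HTTP to the upstream's port 443 -- confirm the upstream really
        # speaks plain HTTP there, otherwise name the port explicitly.
        proxy_pass http://$ds_host_ip:$server_port;
        #proxy_pass http://$ds_hostname:$server_port; # hostname form; needs the resolver in nginx.conf
        include /etc/nginx/proxy_params;
    }
    # Status page restricted to the local host; it was open to every client in the original.
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;
}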
#server2
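server {
    # Straight quotes: typographic quotes would become part of the variable value.
    set $ds_host_ip 'xxx.xxx.xxx.xxx';
    listen 8881 reuseport;
    location / {
        # $server_port is 8881 here, so the upstream is expected on the same port.
        proxy_pass http://$ds_host_ip:$server_port;
        include /etc/nginx/proxy_params;
    }
}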
#server3
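server {
    # Straight quotes: typographic quotes would become part of the variable value.
    set $ds_host_ip 'xxx.xxx.xxx.xxx';
    listen 3333 reuseport;
    location / {
        # $server_port is 3333 here, so the upstream is expected on the same port.
        proxy_pass http://$ds_host_ip:$server_port;
        include /etc/nginx/proxy_params;
    }
}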
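server {
    # Straight quotes: typographic quotes would become part of the variable value.
    set $ds_host_ip 'xxx.xxx.xxx.xxx';
    listen 81 reuseport;
    location / {
        # $server_port is 81 here, so the upstream is expected on the same port.
        proxy_pass http://$ds_host_ip:$server_port;
        include /etc/nginx/proxy_params;
    }
}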
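server {
    # Straight quotes: typographic quotes would become part of the variable value.
    set $ds_host_ip 'xxx.xxx.xxx.xxx';
    listen 8080 reuseport;
    location / {
        # $server_port is 8080 here, so the upstream is expected on the same port.
        proxy_pass http://$ds_host_ip:$server_port;
        include /etc/nginx/proxy_params;
    }
}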
===== =====
/etc/security/limits.conf
# Raise process and open-file limits for every user ("*"); nginx needs one
# descriptor per client connection plus one per upstream connection.
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
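# Straight quotes and ">>": the original lines were pasted with typographic
# characters the shell does not understand. Both lines append, so running
# this twice leaves duplicate entries in sysctl.conf.
# Cap the listen backlog.
echo "net.core.somaxconn=1024" >> /etc/sysctl.conf
# A reverse proxy has no business routing packets between interfaces.
echo "net.ipv4.ip_forward=0" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf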
===== =====
iptables限制tcp连接和频率
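# Long options use "--"; the original was pasted with en-dashes, which iptables rejects.
# A single IP may open at most 20 new connections to port 80 within 60 seconds.
# The --update/--hitcount check is evaluated before the --set rule that records the hit.
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource
# Cap concurrent connections per IP to port 80 at 20. Note "-I" inserts at
# the top of the chain while the other rules append, so it is evaluated first.
-I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j REJECT
# At most 20 initial (SYN) connections per IP on any TCP port.
# Clients behind a shared NAT count as one IP for all of these limits.
-A INPUT -p tcp --syn -m connlimit --connlimit-above 20 -j DROP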
http://seanlook.com/2015/05/17/nginx-location-rewrite/
http://xyz.cinc.biz/2016/06/nginx-if-and-host-get-variable.html
http://siwei.me/blog/posts/nginx-built-in-variables
https://www.52os.net/articles/nginx-anti-ddos-setting.html
https://www.52os.net/articles/nginx-anti-ddos-setting-2.html
https://gagor.pl/2016/01/optimize-nginx-for-performance/
-—————–
https://gryzli.info/2017/05/09/nginx-configuring-reverse-proxy-caching/
https://www.nginx.com/blog/nginx-high-performance-caching/
https://guides.wp-bullet.com/how-to-configure-nginx-reverse-proxy-wordpress-cache-apache/
https://tweaked.io/guide/nginx-proxying/
http://www.jianshu.com/p/625c2b15dad5
http://phl.iteye.com/blog/2256857
https://gist.github.com/regadas/7381125
https://calomel.org/nginx.html
Building the Nginx Reverse Proxy example
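# Long options use "--"; the original line was pasted with en-dashes.
# --without-http_map_module removes the map directive, which the usual
# $http_upgrade -> $connection_upgrade pattern for WebSocket proxying needs.
make clean; ./configure --with-file-aio --without-http_autoindex_module --without-http_browser_module --without-http_geo_module --without-http_empty_gif_module --without-http_map_module --without-http_memcached_module --without-http_userid_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --without-http_split_clients_module --without-http_uwsgi_module --without-http_scgi_module --without-http_referer_module --without-http_upstream_ip_hash_module && make && make install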
-———————————————
.https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/
Deploying Brotli for static content
cloudflare/ngx_brotli_module https://github.com/cloudflare/ngx_brotli_module
https://www.mobile01.com/topicdetail.php?f=506&t=5147355
--auto nginx mod CENTMIN MOD
https://centminmod.com/
.https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/
On ssl_session_tickets, Dropbox and cipherli.st give different advice; cipherli.st's setting is probably the one to follow.
TLS
#ssl_session_tickets on;
#ssl_session_timeout 1h;
#ssl_session_ticket_key /run/nginx-ephemeral/nginx_session_ticket_curr;
#ssl_session_ticket_key /run/nginx-ephemeral/nginx_session_ticket_prev;
#ssl_session_ticket_key /run/nginx-ephemeral/nginx_session_ticket_next;
http://fangpeishi.com/optimizing-tls-record-size.html
http://fangpeishi.com/optimizing-tls-record-size.html
.https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/
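# Cipher list from the Dropbox article, with straight quotes (the original
# used typographic quotes, which nginx treats as literal text). The RSA+AES
# and 3DES suites at the tail have no forward secrecy / are legacy
# fallbacks; drop them unless old clients must be supported.
ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
ssl_prefer_server_ciphers on;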
AIO
# Hand file reads/writes to nginx's thread pool instead of blocking the
# worker (same settings as already listed in proxy_params above).
aio threads;
aio_write on;
http://www.infoq.com/cn/articles/thread-pools-boost-performance-9x
.https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/
Open file cache
# Cache open file descriptors (up to 10000 entries); only files hit at least
# twice are kept, and lookup errors are cached too so missing files are not
# re-checked on every request. Same values as in proxy_params above.
open_file_cache max=10000;
open_file_cache_min_uses 2;
open_file_cache_errors on;
http://blog.justwd.net/snippets/nginx/nginx-open-file-cache/
.auto nginx mod CENTMIN MOD
https://centminmod.com/
====== clear cache ======
https://leokongwq.github.io/2016/11/25/nginx-cache.html