nginx proxy pass [ best practices ]

1、/etc/nginx/nginx.conf

worker_processes 1; #auto;

events {
        worker_connections 3000;  #786;
        # multi_accept on;
}

http {

        server_tokens off;  #open this line
        resolver 8.8.8.8 8.8.4.4 valid=300s;  #resolver dns server

        proxy_cache_path          /var/cache/proxy-nginx levels=1:2 keys_zone=proxy-cache:10m max_size=3g inactive=1d use_temp_path=off;

        add_header X-Cache $upstream_cache_status; #讓Header顯示是否有Cache：HIT命中 MISS失敗  BYPASS略過

        proxy_headers_hash_max_size 51200;  #add this line

        proxy_headers_hash_bucket_size 6400;  #add this line

        log_format  main  ‘$remote_addr $status $request $body_bytes_sent [$time_local]  $http_user_agent $http_referer  $http_x_forwarded_for $upstream_addr $upstream_status $upstream_cache_status $upstream_response_time’;
        access_log /var/log/nginx/access.log main buffer=1m;   #or maybe note # because disk space

        log_format cache_status ‘[$time_local] “$request” $upstream_cache_status’;
        access_log /var/log/nginx/cache_access.log  cache_status;

        gzip_proxied any;  #open this line, because CDN

2、/etc/nginx/proxy_params      put all or maybe find document for practices

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection “upgrade”;

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Forwarded-Port $server_port;

client_max_body_size 100M;

client_body_buffer_size 1m;

proxy_intercept_errors on;

proxy_buffering on;

proxy_buffer_size 128k;

proxy_buffers 256 16k;

proxy_busy_buffers_size 256k;

proxy_temp_file_write_size 256k;

proxy_max_temp_file_size 0;

proxy_read_timeout 300;

-—————–
#slice 1m; # for slice_range

proxy_cache_key $scheme$host$proxy_host$request_uri;  # $slice_range
#proxy_cache_key “$scheme://$host$request_uri”;
#proxy_cache_key $host:$server_port$uri$is_args$args; #通过key来hash，定义KEY的值

#proxy_cache_valid 15m;
proxy_cache_valid 200 301 302 304 1h; #206 -> slice_range
proxy_cache_valid 404 1m;
proxy_cache_valid any 1m;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
#proxy_set_header Range $slice_range; #for slice_range
proxy_cache_revalidate on;

# Set some good timeouts
proxy_connect_timeout       300;
proxy_send_timeout          300;
proxy_read_timeout          300;
send_timeout                300;

#proxy_cache_min_uses 3; #只要统一个url,在磁盘文件删除之前，总次数访问到达3次，就开始缓存。
proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment; # 如果任何一个参数值不为空，或者不等于0，nginx就不会查找缓存，直接进行代理转发

-—————–
aio threads;
aio_write on;
-—————–

open_file_cache max=10000;

open_file_cache_min_uses 2;
open_file_cache_errors on;

2.1、SSL
．/etc/nginx/snippets/ssl-example.com.conf

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; #crt
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; #key

．/etc/nginx/snippets/ssl-params.conf

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers “EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH”;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
#resolver 8.8.8.8 8.8.4.4 valid=300s;  #move to nginx.conf http
resolver_timeout 5s;
add_header Strict-Transport-Security “max-age=63072000; includeSubdomains”;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

3、/etc/nginx/sites-available/default

# Default server configuration

#server1

server {

        set $ds_host_ip  ‘xxx.xxx.xxx.xxx’;  #destination host ip
        set $ds_hostname ‘ooo.ooo.ooo.ooo’; #destination hostname

        listen 80 reuseport;

        #listen [::]:80 default_server;

        #root /var/www/html;

        #index index.html index.htm index.nginx-debian.html;

        #server_name _;

        location / {

                proxy_pass http://$ds_host_ip:$server_port;
                proxy_pass http://$ds_hostname:$server_port;

include /etc/nginx/proxy_params;

#try_files $uri $uri/ =404;

}

        location /nginx_status { 

                stub_status on; 

                access_log off; 

        }

}

server {
        set $ds_host_ip  ‘xxx.xxx.xxx.xxx’;
        set $ds_hostname ‘ooo.ooo.ooo.ooo’;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

        location / {

                proxy_pass http://$ds_host_ip:$server_port;
                proxy_pass http://$ds_hostname:$server_port;

include /etc/nginx/proxy_params;

}

location /nginx_status {
stub_status on;
access_log off;
}

    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;

}

#server2

server {

        set $ds_host_ip  ‘xxx.xxx.xxx.xxx’;

        listen 8881 reuseport;

        location / {

                proxy_pass http://$ds_host_ip:$server_port;

include /etc/nginx/proxy_params;

        }

}

#server3

server {

        set $ds_host_ip  ‘xxx.xxx.xxx.xxx’;

        listen 3333 reuseport;

        location / {

                proxy_pass http://$ds_host_ip:$server_port;

include /etc/nginx/proxy_params;

        }

}

server {

        set $ds_host_ip  ‘xxx.xxx.xxx.xxx’;

        listen 81 reuseport;

        location / {

                proxy_pass http://$ds_host_ip:$server_port;

                include /etc/nginx/proxy_params;

        }

}                      

server {

        set $ds_host_ip  ‘xxx.xxx.xxx.xxx’;

        listen 8080 reuseport;

        location / {

                proxy_pass http://$ds_host_ip:$server_port;

                include /etc/nginx/proxy_params;

        }

}

=====  =====
/etc/security/limits.conf
* soft nproc 65535 

* hard nproc 65535 

* soft nofile 65535 

* hard nofile 65535

echo “net.core.somaxconn=1024” » /etc/sysctl.conf
sysctl -p /etc/sysctl.conf

echo “net.ipv4.ip_forward=0” » /etc/sysctl.conf
sysctl -p /etc/sysctl.conf

===== =====

iptables限制tcp连接和频率

#单个IP在60秒内只允许新建20个连接
-A INPUT -i eth0 -p tcp -m tcp –dport 80 -m state –state NEW -m recent –update –seconds 60 –hitcount 20 –name DEFAULT –rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp –dport 80 -m state –state NEW -m recent –set –name DEFAULT –rsource

#控制单个IP的最大并发连接数为20
-I INPUT -p tcp –dport 80 -m connlimit  –connlimit-above 20 -j REJECT

#每个IP最多20个初始连接
-A INPUT -p tcp –syn -m connlimit –connlimit-above 20 -j DROP

http://seanlook.com/2015/05/17/nginx-location-rewrite/
http://xyz.cinc.biz/2016/06/nginx-if-and-host-get-variable.html
http://siwei.me/blog/posts/nginx-built-in-variables

https://www.52os.net/articles/nginx-anti-ddos-setting.html
https://www.52os.net/articles/nginx-anti-ddos-setting-2.html

https://gagor.pl/2016/01/optimize-nginx-for-performance/

-—————–
https://gryzli.info/2017/05/09/nginx-configuring-reverse-proxy-caching/
https://www.nginx.com/blog/nginx-high-performance-caching/
https://guides.wp-bullet.com/how-to-configure-nginx-reverse-proxy-wordpress-cache-apache/
https://tweaked.io/guide/nginx-proxying/
http://www.jianshu.com/p/625c2b15dad5
http://phl.iteye.com/blog/2256857
https://gist.github.com/regadas/7381125

https://calomel.org/nginx.html

Building the Nginx Reverse Proxy example

make clean; ./configure –with-file-aio –without-http_autoindex_module –without-http_browser_module –without-http_geo_module –without-http_empty_gif_module –without-http_map_module –without-http_memcached_module –without-http_userid_module –without-mail_pop3_module –without-mail_imap_module –without-mail_smtp_module –without-http_split_clients_module –without-http_uwsgi_module –without-http_scgi_module –without-http_referer_module –without-http_upstream_ip_hash_module && make && make install

-———————————————
．https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/

Deploying Brotli for static content

cloudflare/ngx_brotli_module  https://github.com/cloudflare/ngx_brotli_module

https://www.mobile01.com/topicdetail.php?f=506&t=5147355

--auto nginx mod CENTMIN MOD
https://centminmod.com/

．https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/

https://cipherli.st/

On ssl_session_tickets dropbox & cipherli.st have different way…………. maybe use cipherli.st

TLS

#ssl_session_tickets on;
#ssl_session_timeout 1h;
#ssl_session_ticket_key /run/nginx-ephemeral/nginx_session_ticket_curr;
#ssl_session_ticket_key /run/nginx-ephemeral/nginx_session_ticket_prev;
#ssl_session_ticket_key /run/nginx-ephemeral/nginx_session_ticket_next;
http://fangpeishi.com/optimizing-tls-record-size.html
http://fangpeishi.com/optimizing-tls-record-size.html

．https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/

ssl_ciphers ‘[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES’;

ssl_prefer_server_ciphers on;

AIO

aio threads;
aio_write on;
http://www.infoq.com/cn/articles/thread-pools-boost-performance-9x

．https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/

Open file cache

open_file_cache max=10000;
open_file_cache_min_uses 2;
open_file_cache_errors on;
http://blog.justwd.net/snippets/nginx/nginx-open-file-cache/

．auto nginx mod CENTMIN MOD
https://centminmod.com/

======clern cache=======
https://leokongwq.github.io/2016/11/25/nginx-cache.html