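# nginx front end: redirects port 80 to HTTPS, serves the static UI from
# /opt/tsg-2207/cm/nginx/html and reverse-proxies /v1/ and /v2/ to the
# "bifang" upstream.
#
# Layout note: every directive is on its own line. In nginx a "#" comment
# runs to the end of the line, so a copy of this file with the line breaks
# collapsed would comment out most of the configuration.

# Related to the number of CPU cores (in practice 4 or 8 workers is usually
# enough for nginx; going higher brings little further benefit).
worker_processes 32;

error_log /opt/tsg-2207/cm/nginx/log/error.log;
#error_log /opt/tsg-2207/cm/nginx/log/error.log notice;
#error_log /opt/tsg-2207/cm/nginx/log/error.log info;

# Working mode and connection limit.
events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    proxy_intercept_errors on;
    fastcgi_intercept_errors on;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 128k;
    large_client_header_buffers 8 128k;
    client_max_body_size 1200m;
    client_body_buffer_size 128k;

    proxy_connect_timeout 600;
    proxy_read_timeout 1800;
    proxy_send_timeout 1800;
    proxy_buffer_size 16k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"'
                    '"$upstream_addr"'
                    '"$upstream_response_time"';
    access_log /opt/tsg-2207/cm/nginx/log/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    # NOTE(review): responses are compressed on the TLS vhost as well. If any
    # compressed response reflects request data next to a secret (session or
    # CSRF token), review exposure to compression side channels (BREACH).
    # The image/* types are already compressed formats and gain little here.
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_comp_level 8;
    gzip_http_version 1.1;
    gzip_types text/plain application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png application/x-font-opentype application/x-font-ttf application/javascript application/octet-stream;
    gzip_vary on;

    proxy_temp_path /usr/local/nginx/nginx_cache/proxy_temp_path;
    proxy_cache_path /usr/local/nginx/nginx_cache/proxy_cache_path levels=1:2 keys_zone=cache_one:200m inactive=1d max_size=30g;

    vhost_traffic_status_zone;

    # Connection header value for proxied requests: "upgrade" when the client
    # sent an Upgrade header (WebSocket handshake), "close" otherwise.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream bifang {
        ip_hash;
        server 10.224.11.249:8080 weight=5;
    }

    server {
        listen 80;
        server_name 10.224.11.1;

        # Redirect every request to HTTPS.
        # NOTE(review): $host is taken from the client's Host header, so the
        # redirect target follows whatever host name the client sent.
        rewrite ^(.*)$ https://$host:443$1 permanent;
    }

    server {
        listen 443 ssl;
        server_name 10.224.11.1;
        #ssl on;

        # Size of the shared session cache; tune to the site's traffic.
        ssl_session_cache shared:SSL:10m;
        # Session timeout.
        ssl_session_timeout 10m;
        # Keep-alive for client connections.
        keepalive_timeout 70;

        # Same values as the http-level gzip settings above.
        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 16k;
        gzip_comp_level 8;
        gzip_http_version 1.1;
        gzip_types text/plain application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png application/x-font-opentype application/x-font-ttf application/javascript application/octet-stream;
        gzip_vary on;

        # HSTS policy.
        # NOTE(review): browsers do not apply HSTS to hosts addressed by IP
        # literal (RFC 6797), so this only takes effect for clients that
        # reach the server through a DNS name.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

        # Certificate file.
        ssl_certificate /opt/tsg-2207/cm/nginx/ssl/tsg-entity-for-e21.crt;
        # Private key file.
        ssl_certificate_key /opt/tsg-2207/cm/nginx/ssl/tsg-entity-for-e21.key;

        # Prefer the server's cipher order.
        ssl_prefer_server_ciphers on;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
        # Add TLSv1.3 here if the nginx/OpenSSL build in use supports it.
        ssl_protocols TLSv1.2;
        # Cipher list. The former EECDH+aRSA+RC4 entry was dropped: the
        # trailing !RC4 already excluded it, so the effective set is the same.
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

        # "always" makes nginx send these headers on error responses too;
        # without it add_header only applies to 2xx/3xx responses.
        # Reduce clickjacking.
        add_header X-Frame-Options DENY always;
        # Stop browsers from MIME-sniffing the resource type.
        add_header X-Content-Type-Options nosniff always;
        # XSS filter header (legacy; current browsers largely ignore it).
        add_header X-Xss-Protection 1;

        #if ( $request_uri ~* /filedownload/ ){
        #    return 302 http://$host$request_uri;
        #}

        location / {
            root /opt/tsg-2207/cm/nginx/html;
            # Fall back to the single-page app entry point. The original line
            # ended in a stray "last" (a rewrite flag), which try_files would
            # have treated as the fallback URI.
            try_files $uri $uri/ /index.html;
            index index.html index.htm;

            # Backend web servers can obtain the real client IP from X-Forwarded-For.
            client_max_body_size 1200m;       # maximum size of a client request body
            client_body_buffer_size 128k;     # buffer used when reading the client request body
            proxy_connect_timeout 600;        # timeout for connecting to the backend (proxy connect timeout)
            proxy_send_timeout 1800;          # timeout for sending the request to the backend (proxy send timeout)
            proxy_read_timeout 1800;          # timeout for reading the backend response once connected (proxy read timeout)
            proxy_buffer_size 16k;            # buffer for the first part (headers) of the backend response
            proxy_buffers 4 32k;              # response buffers; sized for pages averaging under 32k
            proxy_busy_buffers_size 64k;      # buffer size under heavy load (proxy_buffers * 2)
            proxy_temp_file_write_size 64k;   # chunk size for writes to the proxy_temp_path temp files

            # nginx password protection (basic auth), currently disabled.
            #auth_basic "Restricted Content";
            #auth_basic_user_file /opt/tsg/cm/nginx/htpasswd;
        }

        location /v1/stat/asset/healthy {
            # NOTE(review): nginx does not verify the upstream certificate by
            # default, so the credential below is sent to whichever host
            # answers on this address. Enabling verification needs
            # "proxy_ssl_verify on;" plus "proxy_ssl_trusted_certificate
            # <path-to-CA-bundle>;" (placeholder path).
            proxy_pass https://10.224.11.248;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # NOTE(review): static credential stored in the config file. It
            # replaces any Authorization header the client sent, so every
            # client that can reach this location is served with it; confirm
            # that is intended. Keep the file readable only by the nginx
            # service account and rotate the value if the file has been shared.
            proxy_set_header Authorization bca6b0a7-405b-4201-8a0c-675afa09e1d9;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            rewrite "^(.*)v1(.*)$" /$1$2?modelId=5&children=1 break;
        }

        location /v1/ {
            proxy_pass http://bifang/v1/;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            # Uses the map defined at http level, so "upgrade" is only sent
            # for requests that actually carry an Upgrade header.
            proxy_set_header Connection $connection_upgrade;
            proxy_cookie_path /v1 /;
        }

        location /status {
            stub_status on;
            vhost_traffic_status_display;
            vhost_traffic_status_display_format html;
            # An "allow" with no matching "deny" restricts nothing; the
            # explicit deny limits the status page to local requests.
            allow 127.0.0.1;
            deny all;
        }

        location /v2/ {
            proxy_pass http://bifang/v2/;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_cookie_path /v2 /;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}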