geedge-jira/attachment/37057/22-07-nginx+.conf

# Worker process count. Original note: this relates to the number of CPU cores, and in practice
# 4 or 8 workers are usually enough; going higher brings little further gain.
worker_processes 32;
# Error log path. No level is given, so nginx's default level (error) applies; the commented
# alternatives below select the more verbose notice / info levels.
error_log /opt/tsg-2207/cm/nginx/log/error.log;
#error_log /opt/tsg-2207/cm/nginx/log/error.log notice;
#error_log /opt/tsg-2207/cm/nginx/log/error.log info;
# Working mode and connection limit.
events {
# Per-worker cap on simultaneous connections; proxied upstream connections count against it too.
worker_connections 1024;
}
http {
# http-level defaults inherited by every server and location below.
include mime.types;
default_type application/octet-stream;
# Hand backend responses with status >= 300 to error_page processing instead of passing them
# to the client unchanged.
proxy_intercept_errors on;
fastcgi_intercept_errors on;
server_names_hash_bucket_size 128;
# NOTE(review): header buffers of up to 8 x 128k per request and a 1200m body limit are generous.
# Combined with the 600-1800 s proxy timeouts below, a slow or oversized request can hold worker
# memory and a connection slot for a long time. Confirm these sizes are needed by real uploads and
# consider keeping the large values only in the locations that need them.
client_header_buffer_size 128k;
large_client_header_buffers 8 128k;
client_max_body_size 1200m;
client_body_buffer_size 128k;
# Timeouts (seconds) and buffer sizes for proxied requests.
proxy_connect_timeout 600;
proxy_read_timeout 1800;
proxy_send_timeout 1800;
proxy_buffer_size 16k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
# Access-log line: client address, user, time, request line, status, bytes, referer, user agent,
# X-Forwarded-For, upstream address and upstream response time.
# NOTE(review): $http_x_forwarded_for, $http_referer and $http_user_agent are client-supplied; only
# $remote_addr is the actual connection peer, so log analysis should not treat the others as trusted.
# The last three quoted fields are concatenated with no separator between them, and $request records
# the full query string, so any token passed in a URL ends up in this log.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"' '"$upstream_addr"' '"$upstream_response_time"';
access_log /opt/tsg-2207/cm/nginx/log/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
#keepalive_timeout 0;
keepalive_timeout 65;
# FastCGI timeouts and buffers. No fastcgi_pass appears in the visible configuration, so these
# have no visible consumer.
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
# Response compression for bodies of at least 1k.
# NOTE(review): the type list includes JPEG/GIF/PNG, which are already compressed, so level-8 gzip
# on them costs CPU for little gain. Compressing TLS responses that combine secrets with reflected
# request data is also the precondition for BREACH-style attacks; confirm none of the listed types
# carries such content.
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_comp_level 8;
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png application/x-font-opentype application/x-font-ttf application/javascript application/octet-stream;
gzip_vary on;
# Temporary and cache storage for proxied responses. The cache_one zone is declared here, but no
# proxy_cache directive that uses it is visible in this file.
proxy_temp_path /usr/local/nginx/nginx_cache/proxy_temp_path;
proxy_cache_path /usr/local/nginx/nginx_cache/proxy_cache_path levels=1:2 keys_zone=cache_one:200m inactive=1d max_size=30g;
# Shared-memory zone of the virtual-host traffic status module; its data is shown by the
# /status location.
vhost_traffic_status_zone;
# Derives the Connection header value to send upstream from the client's Upgrade header:
# "upgrade" when an Upgrade header is present, "close" when it is empty or absent.
# Intended for use as `proxy_set_header Connection $connection_upgrade;` in locations that
# proxy WebSocket traffic.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Backend pool referenced by the proxy_pass http://bifang/... lines of the /v1/ and /v2/ locations.
# ip_hash pins each client address to one server; with a single server listed it has no
# balancing effect.
# NOTE(review): those locations reach this backend over plain HTTP, so requests, cookies and
# credentials travel unencrypted between nginx and 10.224.11.249. Confirm that network path is trusted.
upstream bifang {
ip_hash;
server 10.224.11.249:8080 weight=5;
}
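server {
    listen 80;
    server_name 10.224.11.1;
    # Redirect every plain-HTTP request to HTTPS with a 301.
    # `return` replaces the former regex rewrite: no pattern is evaluated and the original request
    # URI (path and query string) is reused as sent. 443 is the default HTTPS port, so it is not
    # spelled out in the target.
    # NOTE(review): $host comes from the request (request line or Host header), and as the only
    # port-80 server this block answers for any Host value, so the redirect target reflects whatever
    # name the client supplied. If the site has one canonical name, use that name here instead.
    return 301 https://$host$request_uri;
}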
server {
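listen 443 ssl;
server_name 10.224.11.1;
#ssl on;
# Size of the shared TLS session cache; tune it to the site's traffic.
ssl_session_cache shared:SSL:10m;
# TLS session lifetime.
ssl_session_timeout 10m;
# Keep-alive timeout for client connections.
keepalive_timeout 70;
# These gzip settings repeat the http-level values and are kept as written.
# NOTE(review): compressing TLS responses that combine secrets with reflected request data is the
# precondition for BREACH-style attacks; confirm none of the listed types carries such content.
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_comp_level 8;
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png application/x-font-opentype application/x-font-ttf application/javascript application/octet-stream;
gzip_vary on;
# HSTS policy.
# NOTE(review): server_name is an IP literal, and browsers do not apply HSTS to IP-address hosts
# (RFC 6797), so this header only takes effect when the site is reached by DNS name. In that case
# includeSubDomains and preload commit the whole parent domain to HTTPS; confirm that is intended.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Certificate file.
ssl_certificate /opt/tsg-2207/cm/nginx/ssl/tsg-entity-for-e21.crt;
# Private key file. It should be readable only by the account that starts nginx.
ssl_certificate_key /opt/tsg-2207/cm/nginx/ssl/tsg-entity-for-e21.key;
# Prefer the server's cipher order over the client's.
ssl_prefer_server_ciphers on;
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from this list.
# NOTE(review): add TLSv1.3 once the deployed nginx/OpenSSL build is confirmed to support it.
ssl_protocols TLSv1.2;
# Cipher selection. The EECDH+aRSA+RC4 entry was dropped: the trailing !RC4 already excluded every
# RC4 suite, so that entry never selected anything.
# NOTE(review): the bare EECDH and EDH+aRSA entries still admit CBC-mode suites; restrict the list
# to AEAD suites if every client supports them.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
# The three headers below now carry `always`, like the HSTS header above: without it nginx omits
# add_header values from most error responses (4xx/5xx).
# Mitigate clickjacking.
add_header X-Frame-Options DENY always;
# Stop browsers from guessing (sniffing) the resource type.
add_header X-Content-Type-Options nosniff always;
# XSS filter header.
# NOTE(review): this is a legacy header that current browsers largely ignore; a
# Content-Security-Policy is the effective control if XSS mitigation is wanted here.
add_header X-Xss-Protection 1 always;
# Disabled rule that would send /filedownload/ requests back to plain HTTP. Keep it disabled:
# the port-80 server redirects everything to HTTPS, so enabling it would create a redirect loop
# and would move downloads off TLS.
#if ( $request_uri ~* /filedownload/ ){
# return 302 http://$host$request_uri;
#}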
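location / {
    # Static front-end files. Requests that match no file or directory are answered with
    # index.html (single-page-application fallback).
    root /opt/tsg-2207/cm/nginx/html;
    index index.html index.htm;
    # try_files accepts no flags: the former trailing "last" was parsed as the fallback URI, which
    # demoted /index.html to an ordinary file check. /index.html is now the real fallback.
    try_files $uri $uri/ /index.html;
    # Original note: the backend web server can obtain the user's real IP from X-Forwarded-For.
    # NOTE(review): this location has no proxy_pass, so the proxy_* settings below have no visible
    # effect here; they repeat the http-level values.
    client_max_body_size 1200m;      # maximum request body size accepted from a client
    client_body_buffer_size 128k;    # buffer used for reading the client request body
    proxy_connect_timeout 600;       # timeout for connecting to the backend (proxy connect timeout)
    proxy_send_timeout 1800;         # timeout for sending the request to the backend (proxy send timeout)
    proxy_read_timeout 1800;         # timeout for reading the backend response (proxy read timeout)
    proxy_buffer_size 16k;           # buffer for the first part (headers) of the backend response
    proxy_buffers 4 32k;             # response buffers; sized for pages averaging under 32k
    proxy_busy_buffers_size 64k;     # buffer size under high load (proxy_buffers * 2)
    proxy_temp_file_write_size 64k;  # amount written at a time to a temporary file under proxy_temp_path
    # Basic-auth protection for this location (disabled).
    #auth_basic "Restricted Content";
    #auth_basic_user_file /opt/tsg/cm/nginx/htpasswd;
}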
# Asset health/statistics endpoint, proxied to a separate backend over HTTPS with a fixed credential.
# NOTE(review): this is a prefix match, so every URI that starts with /v1/stat/asset/healthy is
# handled here; use "location =" if only the exact path is meant. No allow/deny or auth directive
# is visible in this location.
location /v1/stat/asset/healthy {
# NOTE(review): proxy_ssl_verify is off by default, so the backend certificate is not validated on
# this hop. Enable verification with a trusted CA bundle unless the path to the backend is trusted.
proxy_pass https://10.224.11.248;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# NOTE(review): a static credential is embedded in the configuration and sent upstream on every
# request, replacing any Authorization header the client supplied. Every caller that can reach this
# location is therefore served with the proxy's identity, and anyone who can read this file or a copy
# of it holds the credential. Rotate it, move it to an included file with restricted permissions,
# and limit who may call this location.
proxy_set_header Authorization bca6b0a7-405b-4201-8a0c-675afa09e1d9;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Rewrites the URI sent upstream by cutting "v1" out of the path and adding fixed query arguments;
# "break" stops rewrite processing, and the rewritten URI is what gets proxied.
# NOTE(review): the client's own query string is appended after the fixed arguments, so a caller can
# send a second modelId/children value. Confirm which one the backend honours, or end the
# replacement with "?" to drop client arguments.
rewrite "^(.*)v1(.*)$" /$1$2?modelId=5&children=1 break;
}
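location /v1/ {
    # API v1: forwarded to the bifang upstream with the /v1/ prefix preserved.
    proxy_pass http://bifang/v1/;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends the connection peer to whatever X-Forwarded-For the client sent, so the backend should
    # trust only the last entry of the list.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # WebSocket support: HTTP/1.1 towards the backend plus the Upgrade/Connection pair.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # Use the http-level map instead of a hard-coded "upgrade": ordinary requests without an Upgrade
    # header now send "Connection: close" upstream and only real upgrade requests ask to upgrade.
    proxy_set_header Connection $connection_upgrade;
    # Rewrite the Path attribute of backend cookies from /v1 to /.
    proxy_cookie_path /v1 /;
}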
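location /status {
    # Status pages are for the local host only. An `allow` with no matching `deny` restricts nothing,
    # so the page was reachable by any client; `deny all` closes that gap.
    allow 127.0.0.1;
    deny all;
    # NOTE(review): stub_status and vhost_traffic_status_display each provide the content for a
    # location, so presumably only one of them actually answers here. Confirm which, and give the
    # other its own location if both views are needed.
    stub_status on;
    vhost_traffic_status_display;
    vhost_traffic_status_display_format html;
}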
location /v2/ {
    # API v2: forwarded to the bifang upstream with the /v2/ prefix preserved.
    # Headers handed to the backend: the original Host, the connection peer address, and the
    # X-Forwarded-For chain with the peer appended.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    # Pass backend Location/Refresh headers through unchanged.
    proxy_redirect off;
    # Rewrite the Path attribute of backend cookies from /v2 to /.
    proxy_cookie_path /v2 /;
    proxy_pass http://bifang/v2/;
}
# Serve one static page for 500/502/503/504. With proxy_intercept_errors on at http level, backend
# responses carrying these codes are replaced by this page as well.
error_page 500 502 503 504 /50x.html;
location = /50x.html {
# NOTE(review): "html" is a relative path, resolved against the nginx prefix directory rather than
# the /opt/tsg-2207/cm/nginx/html root used by "location /". Confirm 50x.html exists there.
root html;
}
}
}