WebServer 基本配置文件

Apache 简单静态网页托管

<VirtualHost *:80>
        ServerName iitii.me
        ServerName mail.iitii.me
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/v
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Apache SSL

需要先激活对应 mod，如 ssl，rewrite。

<VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName chat.ccatk.tw
        DocumentRoot /var/www/FileList
        SSLEngine On
        SSLOptions +StrictRequire
        SSLCertificateFile /etc/ssl/chat.ccatk.tw/pub.crt
        SSLCertificateKeyFile /etc/ssl/chat.ccatk.tw/private.key
#       SSLCertificateChainFile
        Options +FollowSymLinks
        RewriteEngine on
        RewriteCond   %{HTTPS} !=on
        RewriteRule   ^(.*)  https://%{SERVER_NAME}$1 [L,R=301]
        DirectoryIndex index.php
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

简单静态网页托管

server { 
    listen 80 default_server;  
    server_name www.example.com;  
    location / { 
    root /usr/share/nginx/html; 
    # alias /usr/share/nginx/html; 
    index index.html index.htm;
    }
}

简单文件目录浏览

• 中文乱码 -> charset utf-8;

1. autoindex on; //开启目录浏览功能；
2. autoindex_exact_size off; //关闭详细文件大小统计，让文件大小显示MB，GB单位，默认为b；
3. autoindex_localtime on; //开启以服务器本地时区显示文件修改日期！

   server {
       listen 80 default_server;
       server_name _;
       charset utf-8;
       location / {
       root /movie;
       # alias /usr/share/nginx/html;
       index index.html index.htm;
       autoindex on;
       autoindex_exact_size off;
       autoindex_localtime on;
       }
   }

https静态页面托管

server {
    listen 443;
    server_name blog.nchu-cn.tw;
    ssl on;
    root /www/hexo/;
    index index.html index.htm;
    ssl_certificate  /etc/nginx/ssl/_.nchu-cn.tw.pem;
    ssl_certificate_key /etc/nginx/ssl/_.nchu-cn.tw.key;
    ssl_session_timeout 1h;
    ssl_session_cache shared:MozSSL:10m; 
    ssl_session_tickets off;
    ssl_ciphers "AES128+EECDH:AES128+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/root_CA_cert_plus_intermediates;
    location / {
        index index.html index.htm;
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    server_name blog.nchu-cn.tw;
    rewrite ^(.*)$ https://$host$1 permanent;
}

密码访问

yum install httpd-tools #适用centos
sudo apt-get install apache2-utils #适用ubuntu

• 重点在于：auth_basic "movie:movie";auth_basic_user_file /movie/.htpasswd;

用户&密码

$ htpasswd -c /var/www/html/.htpasswd user1  #回车会要求输入两遍密码，会清除所有用户！
$ htpasswd -bc /var/www/html/.htpasswd user1 password  #不用回车，直接指定user1的密码为password
$ htpasswd -b /var/www/html/.htpasswd user2 password   #添加一个用户，如果用户已存在，则是修改密码
$ htpasswd -D /var/www/html/.htpasswd user2  #删除用户

conf

server {
    listen 443 ssl;
    server_name movie.iitii.me;
    root /movie/;
    index index.php index.html index.htm index.nginx-debian.html movie.php;

    ssl_certificate  /etc/nginx/ssl/movie.iitii.me/pem.pem;
    ssl_certificate_key /etc/nginx/ssl/movie.iitii.me/key.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    error_log    /var/log/nginx/movie_error.log debug;
    access_log    /var/log/nginx/movie_accss.log;

    location / {
        auth_basic "movie:movie";
        auth_basic_user_file /movie/.htpasswd;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}
server {
    listen 80;
    server_name movie.iitii.me;
    rewrite ^(.*)$ https://$host$1 permanent;
}

PHP 动态网页托管（无 SSL）

sudo apt-get install php-fpm php-mysql
vim /etc/php/7.0/fpm/php.ini
设置 cgi.fix_pathinfo=0
sudo systemctl restart php7.2-fpm

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/FileList;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name mail.iitii.me;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}

PHP + SSL

server {
    listen 443;
    server_name mail.iitii.me;
    ssl on;
    root /var/www/FileList;
    index index.php index.html index.htm index.nginx-debian.html;

    ssl_certificate  /etc/ssl/mail.iitii.me/pem.pem;
    ssl_certificate_key /etc/ssl/mail.iitii.me/key.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}
server {
    listen 80;
    server_name mail.iitii.me;
    rewrite ^(.*)$ https://$host$1 permanent;
}

• Another way

server {
  listen 80;
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/www.realyoung.cc/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.realyoung.cc/privkey.pem;
  server_name www.realyoung.cc;
  access_log /data/wwwlogs/www.realyoung.cc_nginx.log combined;
  index index.html index.htm index.php;
  
  root /data/wwwroot/www.realyoung.cc;

  include /usr/local/nginx/conf/rewrite/wordpress.conf;
  #error_page 404 /404.html;
  #error_page 502 /502.html;
if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
if ($host != "www.realyoung.cc") {

    rewrite ^/(.*)$ https://www.realyoung.cc/$1 permanent;
    break;
}
 
  location ~ [^/]\.php(/|$) {
    #fastcgi_pass remote_php_ip:9000;
    fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  location ~ .*\.(js|css)?$ {
    expires 7d;
    access_log off;
  }
  location ~ /\.ht {
    deny all;
  }
}

nginx 反代 node.js (负载均衡)

upstream node {
    server 127.0.0.1:3000; 
}
server {
    listen 80 default_server;
    server_name  _;
    #root   /xxx/xxx/hxxydexx/;
    
    #set $my_server_name $scheme://$server_name; 

    #if ( $my_server_name != https://$server_name ) {
    #   rewrite ^ https://$server_name$request_uri? permanent;
    #}
    
    error_log    /var/log/nginx/hyde_error.log    error;
    #access_log    /var/log/nginx/hyde_accss.log    main;
    
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host  $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        
        # 配置upstream节点
        proxy_pass    http://node;
    }
 
    error_page 404 /404.html;
        location =  /xxx/xxx/40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location =  /xxx/xxx/50x.html {
    }
}

nginx 反代 node.js (反代 HTTP 类型网站 + 负载均衡 + ssl)

upstream node {
    server 127.0.0.1:3000;
}
server {
    listen 443 ssl default_server;
    server_name dl.iitii.me;


    #set $my_server_name $scheme://$server_name;

    #if ( $my_server_name != https://$server_name ) {
    #   rewrite ^ https://$server_name$request_uri? permanent;
    #}
    ssl_certificate  /etc/nginx/ssl/dl.iitii.me/dl.pem;
    ssl_certificate_key /etc/nginx/ssl/dl.iitii.me/dl.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    error_log    /var/log/nginx/RemoteDl_error.log    error;
    access_log    /var/log/nginx/RemoteDl_accss.log;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host  $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # 配置upstream节点
        proxy_pass    http://node;
    }

   # error_page 404 /404.html;
   #     location =  /xxx/xxx/40x.html {
   # }

  #  error_page 500 502 503 504 /50x.html;
  #      location =  /xxx/xxx/50x.html {
 #   }

}
server {
    listen 80;
    server_name dl.iitii.me;
    rewrite ^(.*)$ https://$host$1 permanent;
}

HTTPS 反代 （反代 HTTPS 类型网站 + 负载均衡 + ssl）

upstream iitii {
    server openwrt.iitii.me:443;
}
server {
    listen 80 default_server;  
    rewrite ^(.*) https://$host$1 permanent;
}
server {
    listen 443 ssl;
    server_name china.iitii.me;
    ssl on;
    ssl_certificate /etc/nginx/ssl/china.iitii.me/pem.pem;
    ssl_certificate_key /etc/nginx/ssl/china.iitii.me/key.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #error_log    /var/log/nginx/RemoteDl_error.log    error;
    #access_log    /var/log/nginx/RemoteDl_accss.log;
    location / {
        proxy_pass https://iitii;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Accept-Encoding ''; 
        proxy_buffering off;
    }
}

HTTP 负载均衡

upstream backend { 
 server 10.10.12.45:80 weight=1; 
 server app.example.com:80 weight=2; 
} 
server {
       location / { 
             proxy_pass http://backend; 
 } 
}

TCP负载平衡，如MySQL查询

stream { 
 upstream mysql_read { 
 server read1.example.com:3306 weight=5;
server read2.example.com:3306; 
 server 10.10.12.34:3306 backup; 
 } 
 server { 
 listen 3306; 
 proxy_pass mysql_read; 
 } 
}

UDP负载平衡,如DNS查询

stream { 
 upstream ntp { 
 server ntp1.example.com:123 weight=2; 
 server ntp2.example.com:123; 
 } 
 server { 
       listen 123 udp; 
       proxy_pass ntp; 
 } 
}

通过geoIP来获取客户端的粗略地理位置

apt install nginx-module-geoip

load_module "/usr/lib64/nginx/modules/ngx_http_geoip_module.so"; 
http { 
 geoip_country /etc/nginx/geoip/GeoIP.dat;  
 geoip_city /etc/nginx/geoip/GeoLiteCity.dat; 
... 
}

简单静态网页托管

server { 
    listen 80 default_server;  
    server_name www.example.com;  
    location / { 
    root /usr/share/nginx/html; 
    # alias /usr/share/nginx/html; 
    index index.html index.htm;
    }
}

简单文件目录浏览

• 中文乱码 -> charset utf-8;

1. autoindex on; //开启目录浏览功能；
2. autoindex_exact_size off; //关闭详细文件大小统计，让文件大小显示MB，GB单位，默认为b；
3. autoindex_localtime on; //开启以服务器本地时区显示文件修改日期！

   server {
       listen 80 default_server;
       server_name _;
       charset utf-8;
       location / {
       root /movie;
       # alias /usr/share/nginx/html;
       index index.html index.htm;
       autoindex on;
       autoindex_exact_size off;
       autoindex_localtime on;
       }
   }

https静态页面托管

server {
    listen 443;
    server_name blog.nchu-cn.tw;
    ssl on;
    root /www/hexo/;
    index index.html index.htm;
    ssl_certificate  /etc/nginx/ssl/_.nchu-cn.tw.pem;
    ssl_certificate_key /etc/nginx/ssl/_.nchu-cn.tw.key;
    ssl_session_timeout 1h;
    ssl_session_cache shared:MozSSL:10m; 
    ssl_session_tickets off;
    ssl_ciphers "AES128+EECDH:AES128+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/root_CA_cert_plus_intermediates;
    location / {
        index index.html index.htm;
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    server_name blog.nchu-cn.tw;
    rewrite ^(.*)$ https://$host$1 permanent;
}

密码访问

yum install httpd-tools #适用centos
sudo apt-get install apache2-utils #适用ubuntu

• 重点在于：auth_basic "movie:movie";auth_basic_user_file /movie/.htpasswd;

用户&密码

$ htpasswd -c /var/www/html/.htpasswd user1  #回车会要求输入两遍密码，会清除所有用户！
$ htpasswd -bc /var/www/html/.htpasswd user1 password  #不用回车，直接指定user1的密码为password
$ htpasswd -b /var/www/html/.htpasswd user2 password   #添加一个用户，如果用户已存在，则是修改密码
$ htpasswd -D /var/www/html/.htpasswd user2  #删除用户

conf

server {
    listen 443 ssl;
    server_name movie.iitii.me;
    root /movie/;
    index index.php index.html index.htm index.nginx-debian.html movie.php;

    ssl_certificate  /etc/nginx/ssl/movie.iitii.me/pem.pem;
    ssl_certificate_key /etc/nginx/ssl/movie.iitii.me/key.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    error_log    /var/log/nginx/movie_error.log debug;
    access_log    /var/log/nginx/movie_accss.log;

    location / {
        auth_basic "movie:movie";
        auth_basic_user_file /movie/.htpasswd;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}
server {
    listen 80;
    server_name movie.iitii.me;
    rewrite ^(.*)$ https://$host$1 permanent;
}

PHP 动态网页托管（无 SSL）

sudo apt-get install php-fpm php-mysql
vim /etc/php/7.0/fpm/php.ini
设置 cgi.fix_pathinfo=0
sudo systemctl restart php7.2-fpm

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/FileList;
    index index.php index.html index.htm index.nginx-debian.html;

    server_name mail.iitii.me;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}

PHP + SSL

server {
    listen 443;
    server_name mail.iitii.me;
    ssl on;
    root /var/www/FileList;
    index index.php index.html index.htm index.nginx-debian.html;

    ssl_certificate  /etc/ssl/mail.iitii.me/pem.pem;
    ssl_certificate_key /etc/ssl/mail.iitii.me/key.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}
server {
    listen 80;
    server_name mail.iitii.me;
    rewrite ^(.*)$ https://$host$1 permanent;
}

• Another way

server {
  listen 80;
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/www.realyoung.cc/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.realyoung.cc/privkey.pem;
  server_name www.realyoung.cc;
  access_log /data/wwwlogs/www.realyoung.cc_nginx.log combined;
  index index.html index.htm index.php;
  
  root /data/wwwroot/www.realyoung.cc;

  include /usr/local/nginx/conf/rewrite/wordpress.conf;
  #error_page 404 /404.html;
  #error_page 502 /502.html;
if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
if ($host != "www.realyoung.cc") {

    rewrite ^/(.*)$ https://www.realyoung.cc/$1 permanent;
    break;
}
 
  location ~ [^/]\.php(/|$) {
    #fastcgi_pass remote_php_ip:9000;
    fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  location ~ .*\.(js|css)?$ {
    expires 7d;
    access_log off;
  }
  location ~ /\.ht {
    deny all;
  }
}

nginx 反代 node.js (负载均衡)

upstream node {
    server 127.0.0.1:3000; 
}
server {
    listen 80 default_server;
    server_name  _;
    #root   /xxx/xxx/hxxydexx/;
    
    #set $my_server_name $scheme://$server_name; 

    #if ( $my_server_name != https://$server_name ) {
    #   rewrite ^ https://$server_name$request_uri? permanent;
    #}
    
    error_log    /var/log/nginx/hyde_error.log    error;
    #access_log    /var/log/nginx/hyde_accss.log    main;
    
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host  $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        
        # 配置upstream节点
        proxy_pass    http://node;
    }
 
    error_page 404 /404.html;
        location =  /xxx/xxx/40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location =  /xxx/xxx/50x.html {
    }
}

nginx 反代 node.js (反代 HTTP 类型网站 + 负载均衡 + ssl)

upstream node {
    server 127.0.0.1:3000;
}
server {
    listen 443 ssl default_server;
    server_name dl.iitii.me;


    #set $my_server_name $scheme://$server_name;

    #if ( $my_server_name != https://$server_name ) {
    #   rewrite ^ https://$server_name$request_uri? permanent;
    #}
    ssl_certificate  /etc/nginx/ssl/dl.iitii.me/dl.pem;
    ssl_certificate_key /etc/nginx/ssl/dl.iitii.me/dl.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    error_log    /var/log/nginx/RemoteDl_error.log    error;
    access_log    /var/log/nginx/RemoteDl_accss.log;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host  $http_host;
        proxy_set_header X-Nginx-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # 配置upstream节点
        proxy_pass    http://node;
    }

   # error_page 404 /404.html;
   #     location =  /xxx/xxx/40x.html {
   # }

  #  error_page 500 502 503 504 /50x.html;
  #      location =  /xxx/xxx/50x.html {
 #   }

}
server {
    listen 80;
    server_name dl.iitii.me;
    rewrite ^(.*)$ https://$host$1 permanent;
}

HTTPS 反代 （反代 HTTPS 类型网站 + 负载均衡 + ssl）

upstream iitii {
    server openwrt.iitii.me:443;
}
server {
    listen 80 default_server;  
    rewrite ^(.*) https://$host$1 permanent;
}
server {
    listen 443 ssl;
    server_name china.iitii.me;
    ssl on;
    ssl_certificate /etc/nginx/ssl/china.iitii.me/pem.pem;
    ssl_certificate_key /etc/nginx/ssl/china.iitii.me/key.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #error_log    /var/log/nginx/RemoteDl_error.log    error;
    #access_log    /var/log/nginx/RemoteDl_accss.log;
    location / {
        proxy_pass https://iitii;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real_IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Accept-Encoding ''; 
        proxy_buffering off;
    }
}

HTTP 负载均衡

upstream backend { 
 server 10.10.12.45:80 weight=1; 
 server app.example.com:80 weight=2; 
} 
server {
       location / { 
             proxy_pass http://backend; 
 } 
}

TCP负载平衡，如MySQL查询

stream { 
 upstream mysql_read { 
 server read1.example.com:3306 weight=5;
server read2.example.com:3306; 
 server 10.10.12.34:3306 backup; 
 } 
 server { 
 listen 3306; 
 proxy_pass mysql_read; 
 } 
}

UDP负载平衡,如DNS查询

stream { 
 upstream ntp { 
 server ntp1.example.com:123 weight=2; 
 server ntp2.example.com:123; 
 } 
 server { 
       listen 123 udp; 
       proxy_pass ntp; 
 } 
}

通过geoIP来获取客户端的粗略地理位置

apt install nginx-module-geoip

load_module "/usr/lib64/nginx/modules/ngx_http_geoip_module.so"; 
http { 
 geoip_country /etc/nginx/geoip/GeoIP.dat;  
 geoip_city /etc/nginx/geoip/GeoLiteCity.dat; 
... 
}