Configuring Nginx as a Static Web Server
阿新 • Published: 2020-07-09
1. Static-serving parameters
1) Efficient file reads: sendfile
Syntax: sendfile on | off;
Default: sendfile off;
Context: http, server, location, if in location
2) Improving network transfer efficiency: tcp_nopush
Syntax: tcp_nopush on | off;
Default: tcp_nopush off;
Context: http, server, location
3) Improving network transfer responsiveness: tcp_nodelay
Syntax: tcp_nodelay on | off;
Default: tcp_nodelay on;
Context: http, server, location
2. Compressing static resource files
Nginx can compress a response before sending it to the client, which saves bandwidth and speeds up delivery to the client.
1) gzip configuration syntax
Syntax: gzip on | off;
Default: gzip off;
Context: http, server, location, if in location
2) gzip compression level syntax
Syntax: gzip_comp_level level;
Default: gzip_comp_level 1;
Context: http, server, location
3) gzip HTTP protocol version
Syntax: gzip_http_version 1.0 | 1.1;
Default: gzip_http_version 1.1;
Context: http, server, location
4) Extended compression module
Syntax: gzip_static on | off | always;
Default: gzip_static off;
Context: http, server, location
5) Image compression example
[root@localhost conf.d]# mkdir -p /usr/share/nginx/html/images
[root@localhost conf.d]# vim server.conf
server {
    listen 80;
    server_name 127.0.0.1;
    sendfile on;
    access_log /var/log/nginx/access.log main;
    location ~ .*\.(jpg|gif|png)$ {
        # JPEG, GIF and PNG are already compressed formats, so expect little gain here
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 2;
        # MIME types to compress in addition to text/html
        gzip_types text/plain application/json application/x-javascript application/css application/xml application/xml+rss text/javascript application/x-httpd-php image/jpeg image/gif image/png;
        root /usr/share/nginx/html/images;
    }
}
6) File compression example
[root@localhost conf.d]# mkdir -p /usr/share/nginx/html/doc
[root@localhost conf.d]# vim server.conf
server {
    listen 80;
    server_name 127.0.0.1;
    sendfile on;
    access_log /var/log/nginx/access.log main;
    location ~ .*\.(txt|xml)$ {
        gzip on;
        gzip_http_version 1.1;
        gzip_comp_level 1;
        # MIME types to compress in addition to text/html
        gzip_types text/plain application/json application/x-javascript application/css application/xml application/xml+rss text/javascript application/x-httpd-php image/jpeg image/gif image/png;
        root /usr/share/nginx/html/doc;
    }
}
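3. Browser caching of static resources
This relies on the caching mechanisms defined by the HTTP protocol (for example Expires and Cache-Control).
1) Cache configuration syntax: expires
Syntax: expires [modified] time;
        expires epoch | max | off;
Default: expires off;
Context: http, server, location, if in location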
2) Configuring caching for static resources
location ~ .*\.(js|css|html)$ {
    root /usr/share/nginx/html/js;
    expires 1h;
}
location ~ .*\.(jpg|gif|png)$ {
    root /usr/share/nginx/html/images;
    expires 7d;
}
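3) While the code is still in development and not yet released, you may want static files not to be cached
# Disable caching of js, css, html and other static files
location ~ .*\.(css|js|swf|json|mp4|htm|html)$ {
    add_header Cache-Control no-store;
    add_header Pragma no-cache;
}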
4. Cross-origin access to static resources
Syntax: add_header name value [always];
Default: —
Context: http, server, location, if in location
Header used: Access-Control-Allow-Origin
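1) Configuring cross-origin access in Nginx
[root@localhost conf.d]# vim origin.conf
server {
    listen 80;
    server_name www.example.com;
    root html;
    index index.html index.htm;
    location ~ .*\.(html|htm)$ {
        add_header 'Access-Control-Allow-Origin' $http_origin;
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,Authorization,Accept,Origin,Keep-Alive,User-Agent,X-Mx-ReqToken,X-Data-Type,X-Auth-Token,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        if ($request_method = 'OPTIONS') {
            # add_header is inherited only by blocks that define no add_header of
            # their own, so the preflight response has to repeat the CORS headers.
            add_header 'Access-Control-Allow-Origin' $http_origin;
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,Authorization,Accept,Origin,Keep-Alive,User-Agent,X-Mx-ReqToken,X-Data-Type,X-Auth-Token,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 204;
        }
    }
}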
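2) Parameter explanation
(1) Access-Control-Allow-Origin: the variable $http_origin is used here to take the origin of the current request; "*" means allow all origins.
(2) Access-Control-Allow-Credentials: when true, the request may carry cookies.
(3) Access-Control-Allow-Methods: OPTIONS must be included; beyond that it is usually just GET and POST, and any other methods you use can be added.
(4) Access-Control-Allow-Headers: note that this must include any custom HTTP header fields.
(5) Access-Control-Expose-Headers: optional. Roughly, only the 6 basic response header fields can be read by default; any additional ones must be listed here before they can be read.
(6) The statement "if ($request_method = 'OPTIONS') {": when deciding whether a cross-origin request is allowed, the browser first sends an OPTIONS request to the backend and decides based on the result returned, so this request is checked separately and answered directly.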
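Echoing $http_origin together with Access-Control-Allow-Credentials: true lets any site read these responses with the visitor's cookies, so production setups normally restrict the echoed value to an allow-list. A hardened variant of the server block above, as an added example that is not from the original post; the origins in the map and the shortened method and header lists are assumptions to adapt:

```nginx
# Added example, not the original author's configuration.
# map belongs to the http context; files under conf.d are included there.
map $http_origin $cors_origin {
    default                      "";            # unknown origin: no CORS headers
    "https://www.example.com"    $http_origin;
    "https://app.example.com"    $http_origin;  # hypothetical second trusted origin
}
map $cors_origin $cors_credentials {
    ""       "";
    default  "true";
}

server {
    listen 80;
    server_name www.example.com;
    root html;
    index index.html index.htm;

    location ~ .*\.(html|htm)$ {
        # Preflight: an if block with its own add_header inherits none from the
        # location, so every header the browser needs is set here.
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' $cors_origin always;
            add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
            add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Range' always;
            add_header 'Access-Control-Max-Age' 1728000 always;
            add_header 'Vary' 'Origin' always;
            return 204;
        }

        # add_header emits nothing for an empty value, so a request from an
        # origin outside the map receives no Allow-Origin or Allow-Credentials.
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
        # The response differs per Origin, so caches must key on it.
        add_header 'Vary' 'Origin' always;
    }
}
```

A quick check is to request a page with curl -I -H "Origin: https://other.example" and confirm that no Access-Control-Allow-Origin header comes back.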
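5. Anti-hotlinking for static resources
Hotlinking means showing, on your own pages, content that is not hosted on your own server: the resource URLs on someone else's server are obtained by technical means, that site's own pages are bypassed, and the content is served to users from your page. This reduces the load on your own server, because the real storage and traffic come from the other party's server.
Approach to anti-hotlinking: distinguish which requests do not come from normal users.
Referer-based anti-hotlinking module (http_referer)
Syntax: valid_referers none | blocked | server_names | string ...;
Default: —
Context: server, location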
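1) Configuring anti-hotlinking for static resources
# Supports IP addresses, domain names and regular expressions
location ~ .*\.(jpg|gif|png)$ {
    valid_referers none blocked www.example.com;
    if ($invalid_referer) {
        return 403;
    }
    root /usr/share/nginx/html/images;
}
# Variant of the same location with a replacement image
location ~ .*\.(jpg|gif|png)$ {
    root html;
    valid_referers none blocked www.example.com;
    if ($invalid_referer) {
        # return ends processing, so the rewrite below only takes effect
        # when "return 403;" is removed
        return 403;
        rewrite ^/ http://127.0.0.1/images/loading.jpg;
    }
}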
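2) Parameter explanation
(1) The valid_referers keyword defines the allow-list.
(2) invalid_referer is a built-in variable; it returns 0 or 1 depending on the valid_referers values on the preceding line.
(3) none means the request carries no Referer header, which is usually the case when the image URL is typed directly into the browser.
(4) blocked means requests that have been filtered and marked by a firewall.
(5) If the referring source is not in the allow-list, a 403 error is returned.
(6) A specified image can be served in place of the requested one.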
3) Verification
This implementation blocks most ordinary illegitimate requests, but it cannot stop deliberate ones, because it can be bypassed by forging the Referer header.
# Request with a forged Referer header
[root@localhost ~]# curl -e "http://www.baidu.com" -I http://127.0.0.1/test.jpg
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0
Date: Thu, 09 Jul 2020 07:41:38 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
# Request with a forged Referer header
[root@localhost ~]# curl -e "http://www.example.com" -I http://127.0.0.1/test.jpg
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 09 Jul 2020 07:41:01 GMT
Content-Type: image/jpeg
Content-Length: 5
Last-Modified: Thu, 09 Jul 2020 07:32:36 GMT
Connection: keep-alive
ETag: "5f06c814-5"
Accept-Ranges: bytes
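Because the Referer header is entirely client-controlled, a check that cannot be forged needs a value only the server can produce. One option that goes beyond the Referer method described here, shown as an added example that is not from the original post, is the secure_link module with expiring signed URLs; the secret, the md5 and expires argument names, and the assumption that the site's backend generates the links are all placeholders:

```nginx
# Added example, not the original author's configuration.
# Requires nginx built with ngx_http_secure_link_module.
server {
    listen 80;
    server_name www.example.com;

    location ~ .*\.(jpg|gif|png)$ {
        root /usr/share/nginx/html/images;

        # Pages embed images as /test.jpg?md5=<token>&expires=<unix time>
        secure_link $arg_md5,$arg_expires;

        # The string nginx hashes to verify the token. The backend that renders
        # the page computes the same value:
        #   echo -n '<expires>/test.jpg CHANGE_ME_SECRET' \
        #     | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
        secure_link_md5 "$secure_link_expires$uri CHANGE_ME_SECRET";

        # Empty string: token missing or wrong
        if ($secure_link = "") {
            return 403;
        }
        # "0": token was valid but the expiry time has passed
        if ($secure_link = "0") {
            return 410;
        }
    }
}
```

A copied link still works until it expires, so keep the lifetime short; the Referer check can stay in place as a first filter for casual hotlinking.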