View full version: Nginx configuration examples

ELM 2007/12/9 18:35

Nginx configuration examples

About

nginx [engine x] is an HTTP server and POP3/IMAP proxy. It has been under active development since 2002 by Igor Sysoev. It runs on FreeBSD, Linux, Solaris and OS X ppc.

Compile

# replace .x with your version like .11 or .12
curl -O http://sysoev.ru/nginx/nginx-0.5.x.tar.gz
tar -xvzf nginx-0.5.x.tar.gz
cd nginx-0.5.x
./configure --sbin-path=/usr/local/sbin --with-http_ssl_module
make
sudo make install

Administration

By default the PID of the master process is written to /usr/local/nginx/logs/nginx.pid. nginx is managed by sending Unix signals to that process. Similar signals are used for managing Apache processes.

Signal      Action
TERM, INT   Terminate the server immediately
QUIT        Stop the server
HUP         Configuration changes, start new workers, graceful stop of old workers
USR1        Reopen log files
USR2        Upgrade the server executable
WINCH       Graceful stop (the parent process advises the children to exit)

Tips and tricks

There are a lot of example config files (virtual hosts, load balancing etc.) on the nginx home page.

Virtual hosts

http {
    server {
        listen  192.168.10.1;
        listen  192.168.10.1:8000;
        server_name   one.example.com  www.one.example.com;
        ...
    }

    server {
        listen  192.168.10.1;
        listen  192.168.10.2:8000;
        listen  9000;
        server_name   two.example.com  www.two.example.com;
        ...
    }

    server {
        listen  9000;
        server_name   three.example.com  www.three.example.com;
        ...
    }
}

301 redirect for www.example.com → example.com

server {
  listen 80;
  server_name example.com www.example.com;

  # redirect requests for any other host name (www.example.com) to example.com
  if ($host != 'example.com' ) {
      rewrite  ^/(.*)$  http://example.com/$1  permanent;
  }
}

Accelerated proxying

location / {
    proxy_pass        http://localhost:8000/;
    proxy_redirect    off;
    proxy_set_header  X-Real-IP  $remote_addr;
    # needed for HTTPS
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
}

# serve static files directly
location ~* ^.+\.(jpg|jpeg|gif)$ {
    root              /spool/www;
    access_log        off;
    expires           30d;
}

Simple load balancing

Servers can listen on different ports. Both TCP and Unix sockets are supported.

upstream  backend  {
    server   backend1.example.com       weight=5;
    server   backend2.example.com:8080;
    server   unix:/tmp/backend3;
}

server {
    location / {
        proxy_pass  http://backend;
    }
}

Mongrel cluster

FastCGI ruby listeners

SSL support

To avoid putting too much load on the CPU, using only one worker and enabling keep-alive is recommended.

worker_processes  1;

http {
    ...
    server {
        listen               443;
        ssl                  on;
        ssl_certificate      /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key  /usr/local/nginx/conf/cert.key;
        keepalive_timeout    70;
        ...
    }
}

URL rewrite

location /old_stuff/ {
    rewrite   ^/old_stuff/(.*)$  /new_stuff/$1  permanent;
}

Regexp in the config

if ($http_user_agent ~ MSIE) {
    rewrite  ^(.*)$  /msie/$1  break;
}

if ($http_cookie ~* "id=([^;]+)(?:;|$)" ) {
    set  $id  $1;
}

if ($request_method = POST ) {
    return 405;
}

if (!-f $request_filename) {
    break;
    proxy_pass  http://127.0.0.1;
}

if ($slow) {
    limit_rate  10k;
}

if ($invalid_referer) {
    return   403;
}

Basic authentication

Allow access from the intranet OR to authenticated clients. The satisfy_any directive allows access if at least one of the checks is true.

location  /  {
    satisfy_any  on;

    allow  192.168.1.0/24;
    deny   all;

    auth_basic            "closed site";
    auth_basic_user_file  conf/htpasswd;
}

The file conf/htpasswd has the following format:

login1:password1
login2:password2:comment
.....

The Apache utility htpasswd can be used for creating that file. The passwords are encrypted with the crypt(3) system function.

gzip compressed responses

.....
gzip             on;
gzip_min_length  1000;
gzip_proxied     expired no-cache no-store private auth;
gzip_types       text/plain application/xml;
.....

WebDAV

The webdav module is not included by default. It must be enabled at compile time by adding --with-http_dav_module to the configure parameters.

location / {
    root                   /data/www;

    client_body_temp_path  /data/client_temp;

    dav_methods  PUT DELETE MKCOL;

    create_full_put_path   on;
    dav_access             group:rw  all:r;

    # Can change only from the intranet
    limit_except  GET {
        allow  192.168.1.0/24;
        deny   all;
    }
}

The dav_access directive defines the access rights for created files and directories.

Proxying POP3/IMAP

imap {
    #auth_http  unix:/path/socket:/cgi-bin/auth;
    auth_http  localhost:9000/cgi-bin/auth;

    pop3_capabilities  "TOP"  "USER";
    imap_capabilities  "IMAP4rev1"  "UIDPLUS";

    server {
        listen     110;
        protocol   pop3;
        proxy      on;
    }

    server {
        listen     143;
        protocol   imap;
        proxy      on;
    }
}
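
The following is an added example, not part of the original post: a small audit of a file in the conf/htpasswd format shown under "Basic authentication" (login:password with an optional :comment), reporting which hash scheme each entry uses. The sample entries are constructed, and the choice of which schemes to flag is this example's own policy.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Example policy (an assumption of this example): schemes worth replacing.
FLAGGED = {"des-crypt", "sha1-unsalted", "plaintext", "unknown", "malformed"}

# Constructed sample file, not real credentials.
SAMPLE = """\
# constructed sample
alice:abJnggxhB/yWI
bob:$apr1$salt1234$XXXXXXXXXXXXXXXXXXXXXX:ops account
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave
"""

def classify_hash(field):
    """Name the scheme of one htpasswd password field from its prefix or shape."""
    if field.startswith("$apr1$"):
        return "apr1-md5"          # Apache salted, iterated MD5
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if field.startswith(("$5$", "$6$")):
        return "sha-crypt"         # SHA-256 / SHA-512 crypt
    if field.startswith("{SHA}"):
        return "sha1-unsalted"     # single unsalted SHA-1
    if field.startswith("{PLAIN}"):
        return "plaintext"
    if _DES_RE.match(field):
        return "des-crypt"         # uses only the first 8 password characters
    return "unknown"

def audit_htpasswd(text):
    """Return (line number, login, scheme, flagged) for every entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # login, password, optional comment
        if len(parts) < 2 or not parts[0] or not parts[1]:
            scheme = "malformed"
        else:
            scheme = classify_hash(parts[1])
        findings.append((lineno, parts[0], scheme, scheme in FLAGGED))
    return findings

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(finding)
```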
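
A second added example, also not part of the original post, for the "Accelerated proxying" section: $proxy_add_x_forwarded_for appends the connecting address to whatever X-Forwarded-For value the client sent, so a backend should read the header from the right and stop at the first address that is not one of its own proxies. The function name, the trusted-proxy list and the addresses are assumptions of this example.

```python
import ipaddress

def client_ip(xff_header, peer_addr, trusted_proxies):
    """Pick the client address for a request received by the backend.

    xff_header      -- raw X-Forwarded-For value ("" if absent)
    peer_addr       -- address of the TCP peer that connected to the backend
    trusted_proxies -- networks of proxies we operate, e.g. ["127.0.0.0/8"]
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer):
        # Not reached through our proxy: the header is entirely
        # client-supplied, so ignore it.
        return str(peer)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # The rightmost entries were appended by our own proxies; walk leftwards
    # until the first address we do not operate.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: fall back to the peer address
        if not is_trusted(addr):
            return str(addr)
    return str(peer)

if __name__ == "__main__":
    # Constructed request: the client sent "X-Forwarded-For: 10.0.0.1" and
    # nginx on localhost appended the real peer 203.0.113.7.
    print(client_ip("10.0.0.1, 203.0.113.7", "127.0.0.1", ["127.0.0.0/8"]))
```

Taking the leftmost entry instead would return 10.0.0.1 here, a value chosen by the client.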