nginx 配置文件

nginx.conf通用配置：

#user  nobody;
worker_processes  auto;

# load_module /etc/nginx/modules/ngx_http_zstd_filter_module.so;
# load_module /etc/nginx/modules/ngx_http_zstd_static_module.so;
# load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;
# load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
# load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#error_log  logs/error.log warn;
#pid        logs/nginx.pid;

worker_rlimit_nofile 65535;
thread_pool default threads=32 max_queue=65536;

events {
    multi_accept on;
    worker_connections  8192;  # 增加工作连接数
    use epoll;  # 添加事件模型（Linux系统）
    accept_mutex on;  # 启用互斥锁
    accept_mutex_delay 100ms;  # 设置互斥锁延迟
}


http {
    server_tokens off;

    # modsecurity on;
    # modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;

    include       mime.types;
    include	  /etc/nginx/conf.d/*;

    default_type  application/octet-stream;

    etag on;  
    http3 on;
    quic_gso on;
    # quic_bpf on;
    http3_max_concurrent_streams 512;
    http3_stream_buffer_size 256k;
    quic_active_connection_id_limit 8;

    http2 on;
    http2_max_concurrent_streams 512;
    http2_recv_buffer_size 512k;
    http2_chunk_size 16k;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:50m;   # 增加缓存大小
    ssl_session_timeout 4h;     # 延长超时时间
    ssl_buffer_size 4k;  # 减小缓冲区大小以优化TLS记录
    ssl_certificate_cache max=2000 inactive=5m valid=20m;
    ssl_early_data on;
    ssl_session_tickets on;
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;

    # ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE";
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;

    # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy "no-referrer";
    add_header Permissions-Policy "geolocation=(), microphone=()";
    add_header Vary "Accept-Encoding" always;

    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 128;
    types_hash_max_size 2048;
    types_hash_bucket_size 128;
    variables_hash_max_size 1024;
    variables_hash_bucket_size 128;
    proxy_headers_hash_max_size 1024;
    proxy_headers_hash_bucket_size 128;

    open_file_cache max=5000 inactive=60s;  # 增加缓存文件数
    open_file_cache_valid 120s;  # 延长验证时间
    open_file_cache_min_uses 3;  # 增加最小使用次数
    open_file_cache_errors on;

    limit_req_zone $binary_remote_addr zone=example_zone:50m rate=50r/s;
    limit_req zone=example_zone burst=100 nodelay;
    limit_req_status 429;

    limit_conn_zone $binary_remote_addr zone=addr:20m;
    limit_conn addr 100;
    limit_conn_status 429;
    
    limit_rate_after 50m;
    limit_rate 20m;

    # fastcgi
    fastcgi_cache_path /var/cache/nginx/fastcgi levels=1:2 keys_zone=my_cache:20m max_size=1g inactive=30m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri$http_accept_encoding";

    fastcgi_cache_methods GET HEAD;
    fastcgi_cache_bypass $http_cookie;
    fastcgi_no_cache $http_cookie;
    
    fastcgi_cache_valid 200 301 302 120m;
    fastcgi_cache_valid 404 10m;
    fastcgi_cache_valid 500 502 503 504 400 403 429 0;

    fastcgi_cache_lock on;
    fastcgi_cache_lock_timeout 5s;

    fastcgi_cache_background_update on;
    
    fastcgi_buffering on;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 16 4m;
    fastcgi_busy_buffers_size 8m;
    fastcgi_keep_conn on;
    
    fastcgi_intercept_errors on; 
    fastcgi_hide_header X-Powered-By;

    # proxy
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Connection "";
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Forwarded-Host $host:$server_port;

    proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=my_proxy_cache:20m max_size=1g inactive=30m ;
    proxy_cache_key "$scheme$request_method$host$request_uri$http_accept_encoding";

    proxy_cache_methods GET HEAD;
    proxy_cache_bypass $http_cookie;
    proxy_no_cache $http_cookie;

    proxy_cache_valid 200 301 302 120m;
    proxy_cache_valid 404 10m;
    proxy_cache_valid 500 502 503 504 400 403 429 0;

    proxy_cache_lock on;
    proxy_cache_lock_timeout 5s;

    proxy_cache_background_update on;

    proxy_buffering on;
    proxy_buffer_size 128k;
    proxy_buffers 16 4m;
    proxy_busy_buffers_size 8m;
    proxy_socket_keepalive on;
    
    
    proxy_intercept_errors on;
    proxy_hide_header X-Powered-By;
    
    # include       /etc/nginx/mime.types;
    # default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /usr/local/nginx/logs/access.log main buffer=128k flush=5s;
    
    sendfile        on;

    tcp_nopush     on;
    tcp_nodelay    on;

    # zstd on;
    # zstd_static on;

    # zstd_comp_level 4;
    # zstd_buffers 8 256k;
    # zstd_min_length 50;
    # zstd_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml
    #             application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
    #             application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
    #             font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
    #             image/x-icon image/x-win-bitmap text/css text/richtext text/plain text/x-script
    #             text/x-component text/x-java-source text/x-markdown text/javascript text/xml
    #             application/x-perl application/x-httpd-cgi multipart/bag multipart/mixed application/wasm;


    # brotli on;
    # brotli_static on;
    # brotli_comp_level 6;
    # brotli_types *;

    # brotli_comp_level 4;
    # brotli_buffers 8 256k;
    # brotli_min_length 50;
    # brotli_window 1024k;
    # brotli_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml
    #             application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
    #             application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
    #             font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
    #             image/x-icon image/x-win-bitmap text/css text/richtext text/plain text/x-script
    #             text/x-component text/x-java-source text/x-markdown text/javascript text/xml
    #             application/x-perl application/x-httpd-cgi multipart/bag multipart/mixed application/wasm;




    gzip on;
    gzip_static on;

    gzip_comp_level 4;
    gzip_buffers 8 256k;
    gzip_min_length 50;
    gzip_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml
                application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
                application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
                font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
                image/x-icon image/x-win-bitmap text/css text/richtext text/plain text/x-script
                text/x-component text/x-java-source text/x-markdown text/javascript text/xml
                application/x-perl application/x-httpd-cgi multipart/bag multipart/mixed application/wasm;


    client_header_buffer_size 16k;
    client_body_buffer_size 512k;
    large_client_header_buffers 4 64k;
    output_buffers 8 1024k;


    client_body_timeout 60s;
    client_header_timeout 60s;
    send_timeout 60s;
    keepalive_timeout 120s;
    keepalive_requests 8000;

    fastcgi_connect_timeout 300s;
    fastcgi_send_timeout 300s;
    fastcgi_read_timeout 300s;

    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

}

反向代理配置

# 在文件顶部添加公共配置
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

client_max_body_size 2048m;
# 配置 HTTP 到 HTTPS 的全局重定向（可选）
server {
    listen 80;
    server_name *.example.com;

    # 强制所有HTTP请求跳转到HTTPS
    return 301 https://$host$request_uri;
}

# www.example.com 的配置
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    http3 on;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # 反向代理到后端服务
    location / {
        proxy_pass http://127.0.0.1:18080;
        # 为 WebSocket 连接添加支持
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # 传递原始 Host 头
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # 增加缓冲区大小，处理大型响应
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;

        # 增加超时时间
        proxy_read_timeout 300s;
        proxy_connect_timeout 300s;
    }
}