该配置可以轻松支撑每分钟上千的请求,并包含一些安全方面的设置,这里作一些记录。
配置文件 nginx.conf
# Number of worker processes.
worker_processes 3;

# Maximum number of file handles a worker process may open (left at the
# default while commented out).
#worker_rlimit_nofile 1024;

events {
    # Connections per worker. With 3 workers this caps the server at
    # 3 x 64 = 192 simultaneous connections. The http block keeps idle
    # keep-alive connections open for 300 seconds, so a small number of idle
    # clients can occupy every slot; size the two values together.
    worker_connections 64;
}
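http {
    ## Size Limits
    # All commented out, so the nginx defaults apply. Explicit small limits
    # bound the memory and disk one request can consume.
    #client_body_buffer_size 8k;
    #client_header_buffer_size 1k;
    #client_max_body_size 1m;
    #large_client_header_buffers 4 4k/8k;

    ## Timeouts
    # Header/body/send timeouts are left at their defaults.
    #client_body_timeout 60;
    #client_header_timeout 60;
    # Idle keep-alive connections are held for 300 seconds and the same value
    # is advertised to the client in the Keep-Alive response header.
    keepalive_timeout 300 300;
    #send_timeout 60;

    ## General Options
    charset utf-8;
    default_type application/octet-stream;
    ignore_invalid_headers on;
    include /etc/mime.types;
    # At most 20 requests are served over one keep-alive connection.
    keepalive_requests 20;
    #keepalive_disable msie6;
    # Range requests are disabled entirely (byte-range support is turned off).
    max_ranges 0;
    #open_file_cache max=1000 inactive=1h;
    #open_file_cache_errors on;
    #open_file_cache_min_uses 3;
    #open_file_cache_valid 1m;
    recursive_error_pages on;
    sendfile on;
    # Do not disclose the nginx version in error pages or the Server header.
    server_tokens off;
    #server_name_in_redirect on;
    source_charset utf-8;
    #tcp_nodelay on;
    #tcp_nopush off;

    ## Request limits
    # One bucket per client address, 1 MB of shared state, 60 requests/minute.
    # NOTE(review): the server below listens on 127.0.0.1 only. If requests
    # reach it through a local proxy, $binary_remote_addr is presumably the
    # proxy's address and every client shares a single bucket; confirm how the
    # real client address is supplied.
    limit_req_zone $binary_remote_addr zone=gulag:1m rate=60r/m;

    ## Compression
    gzip on;
    gzip_static on;
    #gzip_buffers 16 8k;
    #gzip_comp_level 1;
    #gzip_http_version 1.0;
    #gzip_min_length 0;
    #gzip_types text/plain text/html text/css image/x-icon image/bmp;
    gzip_vary on;

    ## Log Format
    # Records client address, Host, authenticated user, request line, status,
    # bytes sent, Referer, User-Agent, TLS cipher and request time.
    log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';

    ## Deny access to any host other than (www.)mydomain.com. Only use this
    ## option if you want to lock down the name in the Host header the client sends.
    ## 444 closes the connection without sending a response.
    # server {
    # server_name _; #default
    # return 444;
    # }

    ## Server (www.)mydomain.com
    server {
        # Server-wide caching policy: responses are marked publicly cacheable
        # with the maximum expiry. Locations that serve restricted content
        # must override both directives (see /secure/ below).
        add_header Cache-Control public;
        # Access log writes are buffered (32k), so entries reach the file with
        # a delay; keep that in mind when tailing the log during an incident.
        access_log /var/log/nginx/access.log main buffer=32k;
        error_log /var/log/nginx/error.log error;
        expires max;
        # Up to 200 requests above the configured rate are served immediately
        # (nodelay); anything beyond the burst is rejected.
        limit_req zone=gulag burst=200 nodelay;
        # Plain HTTP on loopback only.
        # NOTE(review): TLS is presumably terminated by whatever fronts this
        # listener; confirm, because the basic-auth credentials used below are
        # only base64-encoded on the wire.
        listen 127.0.0.1:80;
        root /htdocs;
        server_name mydomain.com www.mydomain.com;

        ## Note: if{} sections are expensive to process. Please only use them if you need them
        ## and take a look lower down on the page for our discussion of if{} statements.

        ## Only allow GET and HEAD request methods. By default Nginx blocks
        ## all request types other than GET and HEAD for static content.
        # if ($request_method !~ ^(GET|HEAD)$ ) {
        # return 405;
        # }

        ## Deny illegal Host headers.
        ## (The dots in this pattern are unescaped and match any character;
        ## escape them as \. if you enable the block.)
        # if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) {
        # return 405;
        # }

        ## Deny certain User-Agents (case insensitive)
        ## The ~* makes it case insensitive as opposed to just a ~
        ## User-Agent is client-supplied, so this is a noise filter, not an access control.
        # if ($http_user_agent ~* (Baiduspider|Jullo) ) {
        # return 405;
        # }

        ## Deny certain Referers (case insensitive)
        ## The ~* makes it case insensitive as opposed to just a ~
        # if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo) ) {
        # return 405;
        # }

        ## Redirect from www to non-www
        # if ($host = 'www.mydomain.com' ) {
        # rewrite ^/(.*)$ http://mydomain.com/$1 permanent;
        # }

        ## Stop Image and Document Hijacking
        ## Referer is client-supplied; this deters hotlinking but does not protect the files.
        #location ~* (\.jpg|\.png|\.css)$ {
        # if ($http_referer !~ ^(http://mydomain.com) ) {
        # return 405;
        # }
        # }

        ## Restricted Access directory by password in the access_list file.
        ## Both checks apply: the client address must be allowed AND the
        ## request must carry valid basic-auth credentials (default "satisfy all").
        location ^~ /secure/ {
            # NOTE(review): with the listener bound to 127.0.0.1, requests
            # relayed by a local proxy presumably all arrive from 127.0.0.1
            # and pass this rule; confirm the address check still means
            # "local user only" in your deployment.
            allow 127.0.0.1/32;
            deny all;
            auth_basic "RESTRICTED ACCESS";
            # NOTE(review): keep the password file outside every served
            # directory and readable only by the nginx user; verify this path
            # is not reachable through "root /htdocs" (for example via a symlink).
            auth_basic_user_file /var/www/htdocs/secure/access_list;
            # Do not inherit the server-wide "Cache-Control: public" and
            # "expires max": they would tell shared caches that authenticated
            # responses may be stored and replayed to other clients.
            expires off;
            add_header Cache-Control "private, no-store";
        }

        ## Only allow these full URI paths relative to document root. If you only want
        ## to reference the file name use $request_filename instead of $request_uri. By default
        ## nginx will only serve out files in "root /htdocs;" defined above so this block is not needed, just an example.
        # if ($request_uri ~* (^\/|\.html|\.jpg|\.org|\.png|\.css|favicon\.ico|robots\.txt)$ ) {
        # break;
        # }
        # return 405;

        ## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico
        location = /favicon.ico {
            #empty_gif;
            return 204;
        }

        ## System Maintenance (Service Unavailable)
        ## While system_maintenance.html exists in the document root, every
        ## request is answered with 503 and that page.
        ## NOTE(review): the nginx documentation lists error_page as valid in
        ## http, server, location and "if in location" only; run "nginx -t" to
        ## confirm this server-level if{} is accepted, and move the check into
        ## a location if it is not.
        if (-f $document_root/system_maintenance.html ) {
            error_page 503 /system_maintenance.html;
            return 503;
        }

        ## All other errors get the generic error page, so default nginx error
        ## bodies are not shown to clients.
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
        500 501 502 503 504 505 506 507 /error_page.html;
        location /error_page.html {
            # Reachable only through internal redirects, not by direct request.
            internal;
        }
    }
}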