
Nginx安装

nginx安装

在./docker-compose中,增加service,示例如下

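version: "3.7"
services:
  # nginx web server
  nginx:
    image: nginx:1.21
    container_name: "nginx"
    # Start-up dependencies: the services listed here are started before nginx.
    # Add any other service nginx depends on to this list.
    depends_on:
      - php
    # Container time zone
    environment:
      - TZ=Asia/Shanghai
    # NOTE(review): this example publishes no ports; add a "ports:" mapping for
    # 80/443 unless something else on the same network fronts nginx - confirm.
    # Volume mounts
    volumes:
      # Configuration mounts: start the container once, copy the default files
      # out of it, then uncomment these lines and recreate the container.
      # - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      # - ./nginx/conf.d:/etc/nginx/conf.d:ro
      # Certificate directory
      # - ./nginx/ssl:/ssl:ro
      # Site content. Mounted read-only: nginx only serves these trees (PHP
      # code is executed by the php service), so it needs no write access.
      - ./front:/front:ro
      - ./back:/back:ro
    # Logging: rotate the json-file log so it cannot fill the disk
    logging:
      driver: json-file
      options:
        max-size: "10M"
        max-file: "10"
    # Restart the container automatically if it stops unexpectedly
    restart: always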

nginx 配置参考

1、nginx.conf

client_max_body_size 需要配置一下,否则上传大文件会失败

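# Main nginx configuration: worker settings, logging, gzip and the upload
# size limit; per-site server blocks are loaded from conf.d at the end.
user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    # Enable gzip compression
    gzip on;

    # Minimum response size for compression; smaller responses are sent as-is
    gzip_min_length 1k;

    # gzip compression level, 1-9
    gzip_comp_level 2;

    # MIME types to compress
    # NOTE(review): the image/* types are already compressed formats, so
    # gzipping them costs CPU for little gain - consider dropping them.
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;

    # Add "Vary: Accept-Encoding" to responses; recommended
    gzip_vary on;

    # Maximum request body size; without this, large file uploads are rejected
    client_max_body_size 100m;

    include /etc/nginx/conf.d/*.conf;
}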

vhost配置

农场,示例

# Static vhost for the farm front end (example).
server {
    listen      80;

    # Several host names may be given, separated by spaces:
    # server_name host1 host2;
    server_name farm.xxx.com;

    # Files are served from the /front volume of the nginx container.
    index       index.html index.htm;
    root        /front/farm;
}

农场大数据,示例

# Static vhost for the farm admin front end (example).
server {
    listen      80;
    server_name farm-admin.xxx.com;

    # Files are served from the /front volume of the nginx container.
    index       index.html index.htm;
    root        /front/farm-admin;
}

农场销售页面,示例

# Static vhost for the farm sales pages (example).
server {
    listen      80;

    # Several host names may be given, separated by spaces:
    # server_name host1 host2;
    server_name farm-sales.xxx.com;

    # Files are served from the /front volume of the nginx container.
    index       index.html index.htm;
    root        /front/farm-sales;
}

农场溯源,示例

# Static vhost for the farm traceability pages (example).
server {
    listen      80;

    # Several host names may be given, separated by spaces:
    # server_name host1 host2;
    server_name farm-source.xxx.com;

    # Files are served from the /front volume of the nginx container.
    index       index.html index.htm;
    root        /front/farm-source;
}

php

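# PHP API vhost: static files are served directly, everything else is routed
# to index.php and executed by the php service over FastCGI.
server {
  listen 80;
  server_name farm-api.xxx.com;
  root /back/public;
  index index.php;
  location / {
    # The next three lines add CORS headers.
    # NOTE(review): add_header takes effect only in the location that finally
    # answers the request. Requests rewritten to index.php below are answered
    # by the PHP location, which sets no headers, so these apply to responses
    # served from this location only - confirm where the API's CORS headers
    # are meant to come from before moving them.
    # NOTE(review): "*" lets any origin read the response; list the known
    # front-end origins instead if the API returns per-user data.
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Headers X-Requested-With;
    add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
    # Front controller: anything that is not an existing file or directory is
    # passed to index.php with the original path appended. "last" already ends
    # rewrite processing, so no "break" is needed after it.
    if (!-e $request_filename){
       rewrite  ^(.*)$  /index.php/$1  last;
    }
  }
  location ~ \.php(.*)$ {
    # Split the URI into the script name and the trailing PATH_INFO.
    fastcgi_split_path_info  ^((?U).+\.php)(/?.+)$;
    # Hand a request to PHP only when the script file really exists, so that
    # a crafted URI containing ".php" cannot make PHP-FPM resolve some other
    # file. Relies on /back being visible at the same path in this container
    # and in the php container - TODO confirm for your deployment.
    if (!-f $document_root$fastcgi_script_name) {
      return 404;
    }
    fastcgi_pass   php:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
    fastcgi_param  PATH_INFO  $fastcgi_path_info;
    include        fastcgi_params;
  }
}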

hls直播

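# HLS live-stream vhost: serves playlists and segments from /srs/hls.
# NOTE(review): /srs/hls must exist inside the nginx container, which needs
# its own volume mount - confirm against the compose file.
server {
  listen 80;
  server_name live.xxx.com;
  root /srs/hls;
  location /live {  # new camera service (dev) HLS
      types {
          application/vnd.apple.mpegurl m3u8;
          video/mp2t ts;
      }
      # CORS for players hosted on other origins. Access-Control-Allow-Credentials
      # is deliberately not sent: browsers refuse credentialed responses whose
      # Allow-Origin is "*", so the pair never worked together, and a public
      # stream should not be readable with the viewer's cookies anyway.
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
      add_header 'Access-Control-Allow-Headers' '*';
      # Playlists change constantly; make clients revalidate before reuse.
      add_header 'Cache-Control' 'no-cache';
  }
}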

https配置支持

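# HTTPS vhost example: terminates TLS and redirects plain HTTP to HTTPS.
server {
  # Port 80 is accepted only so that it can be redirected below; with
  # "listen 443 ssl" alone no plain-HTTP request ever reaches this server
  # and the redirect condition can never be true.
  listen 80;
  listen 443 ssl;
  # NOTE(review): no server_name is set in this example - add the site's
  # host names so this server is not selected for unrelated hosts.
  # The certificate paths are paths inside the nginx container.
  # Map the host directory in docker-compose first:  ./nginx/ssl:/ssl
  # NOTE(review): these must match where the certificate tool installs the
  # key and full chain - verify the file names and sub-directory.
  ssl_certificate /ssl/fullchain.pem;
  ssl_certificate_key /ssl/key.pem;
  # Older nginx releases (including the 1.21 image) still enable TLS 1.0/1.1
  # by default; allow only TLS 1.2 and 1.3.
  ssl_protocols TLSv1.2 TLSv1.3;
  # OCSP stapling: OCSP is the online service for checking certificate
  # revocation; with stapling the server caches the certificate status,
  # which speeds up the TLS handshake.
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate  /etc/nginx/ssl/*.dev.nongbotech.cn/fullchain.pem;
  #resolver 8.8.8.8 8.8.4.4 1.1.1.1 valid=60s;
  #resolver_timeout 20s;
  # Redirect HTTP requests to HTTPS. Done at server level so that it covers
  # every location of the vhost, not only "/".
  if ($scheme = http) {
    return 301 https://$host$request_uri;
  }
}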

反向代理,设置代理头

使后端可以获取真实的host地址及ip

    # Forward the original Host header and the client address to the backend.
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever
    # X-Forwarded-For value the client sent, so the backend should treat only
    # X-Real-IP (or the last X-Forwarded-For entry) as set by this proxy.
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;

证书生成

这里采用免费证书生成工具acme.sh

一、安装acme
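# Download the installer to a file instead of piping it straight into a shell,
# so it can be read before it runs. -f makes curl fail on an HTTP error rather
# than save an error page; -sS hides the progress meter but keeps error messages.
curl -fsS https://get.acme.sh -o acme-install.sh
# Run the reviewed installer; email= is the address used for the ACME account.
sh acme-install.sh email=my@example.com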
二、设置别名
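# Define an alias so that "acme.sh" runs the copy installed under ~/.acme.sh.
# A bare NAME=value line cannot be used here: "acme.sh" contains a dot and is
# therefore not a valid shell variable name, so the alias builtin is required.
alias acme.sh="$HOME/.acme.sh/acme.sh"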
三、设置自动升级
# Upgrade acme.sh to the latest release and enable automatic upgrades.
# NOTE(review): with auto-upgrade, new upstream code is fetched and run
# unattended under the account that holds the certificate keys; leave it off
# and upgrade manually if unreviewed updates are not acceptable.
acme.sh --upgrade --auto-upgrade
四、证书签发
# Issue the certificate for example.com; -w is the site's web root directory
acme.sh --issue -d example.com -w /home/wwwroot/example.com
# Install the certificate for nginx: copy the private key and the full chain
# to the given paths, then run the reload command so nginx picks them up.
# NOTE(review): the nginx ssl_certificate / ssl_certificate_key directives
# must point at these files as seen from inside the container - verify the
# volume mapping and file names; key.pem is the private key, so keep its
# directory readable only by the account that needs it.
acme.sh --install-cert -d example.com \
--key-file       /data/www/nginx/ssl/example.com/key.pem  \
--fullchain-file /data/www/nginx/ssl/example.com/cert.pem \
--reloadcmd     "docker restart nginx"

首次安装证书时,需要先屏蔽ssl及证书路径配置,等证书生成成功后再加上这些配置