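Nginx Operations Guide

1. What is Nginx, and why do enterprises use it?

There are many web servers available, such as Apache, Caddy, Nginx and IIS.

I choose Nginx for just three reasons, and they are enough:

  1. Very strong high-concurrency capability (event-driven model)
  2. Low resource usage and high stability
  3. It handles all of these roles:
    • Web server (static assets)
    • Reverse proxy
    • Load balancer

In real enterprise architectures, Nginx almost always sits at the outermost layer, where it handles:

  • TLS / HTTPS termination
  • Security response headers
  • Request forwarding
  • Rate limiting, caching, logging

2. Installing Nginx (Ubuntu / Debian)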

sudo apt update
sudo apt install -y nginx

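After installation, the core directories are:

/etc/nginx/
├── nginx.conf              # main configuration (global)
├── sites-available/        # site configurations (not enabled)
├── sites-enabled/          # enabled sites (symlinks)
└── conf.d/                 # configurations included directly (the approach you are using now)

Recommended for production:

  • One configuration file per site
  • Do not pile everything into nginx.conf

3. Common Nginx operations commands (memorize these)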

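# Show the version
nginx -v

# Test whether the configuration is valid (extremely important)
# Run as root so the log files and TLS private keys are readable
sudo nginx -t

# Start Nginx
sudo systemctl start nginx

# Stop Nginx
sudo systemctl stop nginx

# Gracefully reload the configuration (does not drop connections)
sudo systemctl reload nginx

# Restart (causes a brief interruption)
sudo systemctl restart nginx

# Check the running status
sudo systemctl status nginx

Change the configuration → always run nginx -t first → then reload


4. Recommended way to manage sites (common enterprise practice)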

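# Create the site configuration
sudo nano /etc/nginx/sites-available/example.com.conf

# Enable the site (symlink)
sudo ln -s /etc/nginx/sites-available/example.com.conf \
           /etc/nginx/sites-enabled/

# Test the configuration, then reload to apply it
sudo nginx -t && sudo systemctl reload nginx

Using /etc/nginx/conf.d/, as you do now, is also perfectly fine, as long as:

  • Files are clearly named
  • Things stay organized

5. Step one: HTTP only (port 80), for Certbot validation

Strongly recommended workflow:

1️⃣ Get port 80 running first
2️⃣ Request the certificate with Certbot
3️⃣ Then bring up 443

1️⃣ The simplest HTTP site (ready to use)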

server {
    listen 80;
    server_name example.com www.example.com;

    root /var/www/example.com/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    access_log /var/log/nginx/example.com.access.log;
    error_log  /var/log/nginx/example.com.error.log warn;
}

Once you have confirmed the site is reachable, run Certbot.


6. Generating HTTPS automatically with Certbot

sudo apt install -y certbot python3-certbot-nginx

sudo certbot --nginx -d example.com -d www.example.com



7. Basic static website (complete HTTP + HTTPS version)

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    root /var/www/example.com/html;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

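    # Security response headers
    # (X-XSS-Protection is a legacy header; current Chrome, Edge and Firefox ignore it)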
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Strict-Transport-Security "max-age=31536000" always;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/log/nginx/example.com.access.log;
    error_log  /var/log/nginx/example.com.error.log warn;
}

8. Reverse proxy (the most common enterprise use)

Scenarios

  • Java / Spring Boot
  • PHP-FPM
  • Node.js
  • Python Web

Example: reverse-proxying a backend service

upstream backend_app {
    server 127.0.0.1:8080;
    keepalive 32;
}

server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name app.example.com;

    location / {
        proxy_pass http://backend_app;

        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
}
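
The proxy configuration above sets X-Forwarded-For with $proxy_add_x_forwarded_for, which appends $remote_addr to whatever value the client sent, so only the rightmost entry is written by Nginx. The following is an added example (not part of the original guide) of how a backend can resolve the client address safely; the helper names and the trusted-proxy list are assumptions.

```python
import ipaddress

# Assumption: the backend's only trusted proxy is the local Nginx
# (the upstream above is reached via 127.0.0.1:8080).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def is_trusted(addr):
    """True if addr belongs to one of our own proxies; raises ValueError if malformed."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff):
    """Resolve the address to log or rate-limit on (hypothetical backend helper)."""
    # A request that did not come through the proxy carries headers we cannot trust.
    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Nginx appended $remote_addr on the right, so walk right to left and stop
    # at the first hop that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: trust nothing further to the left
    return peer_addr


# Constructed sample: the client itself sent "X-Forwarded-For: 10.9.9.9",
# and Nginx appended the real peer address 203.0.113.7.
SPOOFED = "10.9.9.9, 203.0.113.7"

if __name__ == "__main__":
    print(client_ip("127.0.0.1", SPOOFED))
    print(client_ip("198.51.100.9", "10.9.9.9"))
```

Taking the leftmost entry instead would let any client choose the address that ends up in logs and rate limits.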

9. WebSocket reverse proxy (must be configured this way)

server {
    listen 443 ssl http2;
    server_name ws.example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
    }

    ssl_certificate     /etc/letsencrypt/live/ws.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ws.example.com/privkey.pem;
}

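10. Production-grade complete template (on par with your current configuration)

This one can serve directly as the master template for all your future sites.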

upstream app_backend {
    server 192.168.1.5:80;
    keepalive 32;
}

server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example.com;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/log/nginx/www.example.com.access.log;
    error_log  /var/log/nginx/www.example.com.error.log warn;
}
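
When this template is reused, note that Nginx inherits add_header directives from the enclosing level only if the current level defines none, so a location that adds a single header of its own silently loses every server-level security header. The following added example (not part of the original guide) goes beyond the template and flags such locations; the tokenizer is a simplified assumption that covers configs of the shape shown here, and the /static/ location is hypothetical.

```python
import re

TOKEN = re.compile(r'''#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};]+''')

def parse(conf):
    """Build a minimal block tree that records add_header names per level."""
    root = {"name": [], "own": set(), "kids": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue  # comment
        if tok == "{":
            node = {"name": words, "own": set(), "kids": []}
            stack[-1]["kids"].append(node)
            stack.append(node)
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok == ";" and words[:1] == ["add_header"] and len(words) > 1:
            stack[-1]["own"].add(words[1].strip("\"'").lower())
        if tok in ("{", "}", ";"):
            words = []
        else:
            words.append(tok)
    return root

def dropped_headers(conf):
    """Map each location that sets add_header to the inherited headers it loses."""
    findings = {}
    def walk(node, inherited):
        lost = inherited - node["own"]
        if node["name"][:1] == ["location"] and node["own"] and lost:
            findings[" ".join(node["name"][1:])] = sorted(lost)
        # Children see this level's headers only; if it has none, the outer ones.
        for kid in node["kids"]:
            walk(kid, node["own"] or inherited)
    walk(parse(conf), set())
    return findings

# Constructed sample based on the template above, plus a hypothetical /static/ location.
SAMPLE = '''
server {
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    location / { proxy_pass http://app_backend; }
    location /static/ { add_header Cache-Control "public" always; }
    add_header X-Content-Type-Options "nosniff" always;
}
'''
```

The fix for a flagged location is to repeat the security headers inside it, for example through a shared include file.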

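11. Summary (enterprise experience in one line)

  • Nginx always sits at the outermost layer
  • HTTP → Certbot → HTTPS is the most reliable workflow
  • All services go through the reverse proxy
  • Separate logs per site, and configurations that can be copied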