worker_processes auto; # 自动设置工作进程数,通常为CPU核心数
worker_rlimit_nofile 100000; # 每个worker进程能打开的最大文件描述符数
events {
worker_connections 4096; # 每个worker进程的最大连接数
multi_accept on; # 一次接受多个新连接
use epoll; # Linux下高性能事件模型
}
http {
sendfile on; # 启用高效文件传输模式
tcp_nopush on; # 仅在sendfile开启时有效,优化数据包发送
tcp_nodelay on; # 禁用Nagle算法,减少延迟
keepalive_timeout 30; # 保持连接超时时间
keepalive_requests 1000; # 单个连接上最大请求数
client_body_buffer_size 10K; # 客户端请求体缓冲区大小
client_header_buffer_size 1k; # 客户端请求头缓冲区大小
client_max_body_size 8m; # 最大允许的客户端请求体大小
large_client_header_buffers 4 8k; # 大型请求头的缓冲区
open_file_cache max=200000 inactive=20s; # 文件描述符缓存
open_file_cache_valid 30s; # 缓存验证时间
open_file_cache_min_uses 2; # 最少使用次数才缓存
open_file_cache_errors on; # 缓存错误
gzip on; # 启用gzip压缩
gzip_min_length 1024; # 最小压缩文件大小
gzip_comp_level 6; # 压缩级别(1-9)
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_disable "msie6"; # 对IE6禁用gzip
}
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d; # 长期缓存静态资源
access_log off; # 关闭访问日志
add_header Cache-Control "public"; # 明确缓存控制
}
ssl_protocols TLSv1.2 TLSv1.3; # 仅启用安全协议版本
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on; # 优先使用服务器端密码套件
ssl_session_cache shared:SSL:10m; # SSL会话缓存
ssl_session_timeout 10m; # SSL会话超时
ssl_session_tickets off; # 禁用会话票证(更安全)
ssl_stapling on; # OCSP装订
ssl_stapling_verify on; # 验证OCSP响应
server_tokens off; # 隐藏Nginx版本信息
add_header X-Frame-Options "SAMEORIGIN"; # 防止点击劫持
add_header X-Content-Type-Options "nosniff"; # 防止MIME类型嗅探
add_header X-XSS-Protection "1; mode=block"; # XSS保护
add_header Referrer-Policy "no-referrer-when-downgrade"; # 引用控制
add_header Content-Security-Policy "default-src 'self'"; # 内容安全策略
# 限制HTTP方法
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
# IP访问限制
location /admin {
allow 192.168.1.0/24;
allow 10.0.0.1;
deny all;
}
# 速率限制
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
location /api/ {
limit_req zone=one burst=20 nodelay;
}
# 限制连接数
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
limit_conn addr 10; # 每个IP最多10个连接
}
# 屏蔽常见恶意请求
location ~* (wp-admin|xmlrpc.php|.git) {
deny all;
return 403;
}
log_format security '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time';
access_log /var/log/nginx/security.log security;
# /etc/sysctl.conf
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 30
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 4096
fs.file-max = 2097152
upstream backend {
least_conn; # 最少连接算法
server backend1.example.com weight=5;
server backend2.example.com;
server backend3.example.com max_fails=3 fail_timeout=30s;
keepalive 32; # 保持的连接数
}
server {
location / {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
}
listen 443 ssl http2; # 启用HTTP/2
http2_max_concurrent_streams 128; # 最大并发流数
http2_recv_timeout 30s; # 接收超时
实时监控工具:
nginx -t - 测试配置nginx -s reload - 重载配置stub_status_module - 内置状态模块日志分析工具:
性能测试工具:
通过综合应用以上优化措施,可以显著提升Nginx服务器的性能和安全性。建议根据实际业务需求逐步实施这些优化,并在每次更改后进行测试以确保稳定性。