Building your own CDN with Nginx, part 2

Reverse-proxying a Cloudflare-fronted site with Nginx

Why put a reverse proxy in front of Cloudflare?
It speeds up access for users in mainland China, for whom Cloudflare is often slow (how much it helps depends on the proxy machine's network route).
It smooths out high or unstable latency between the origin and the proxy machine and takes load off the origin: pages that Cloudflare has already cached are served from Cloudflare's edge and never reach the origin.

If you only need to proxy a plain-HTTP site, a basic reverse-proxy block on the proxy server is enough; on a Baota (宝塔) panel the default reverse-proxy settings already work for an HTTP Cloudflare site.
(If the proxy server's latency to the Cloudflare anycast IP it was handed is high, or Cloudflare steers the proxy to a poor node because of how the proxy's IP is announced, pin a better Cloudflare edge IP for the domain in the proxy server's /etc/hosts. Nginx resolves the hostname in proxy_pass through the system resolver when it loads the configuration, so the override takes effect on the next restart or reload; it is ignored if you use a resolver directive together with a variable in proxy_pass, because Nginx then does its own DNS lookups.)
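The hosts-file pin described above, as an added example that is not part of the original post and not Cloudflare's or Nginx's own tooling: a small shell script that measures the round-trip time to a list of candidate edge IPs, pins the best one for the origin hostname in /etc/hosts, and reloads Nginx. The candidate IPs are yours to supply; the addresses in the comments and tests are constructed (TEST-NET ranges), not real Cloudflare nodes.

```shell
#!/bin/sh
# Added example (not from the original post): pick the Cloudflare edge IP
# with the lowest round-trip time from candidates you supply and pin it for
# the origin hostname in the proxy server's /etc/hosts.
set -eu

# Average RTT in ms to one IP, from three pings; prints nothing on failure.
# Needs network access; every other function works on plain text.
measure_rtt() {
    ping -c 3 -W 1 "$1" 2>/dev/null | awk -F'/' '/^(rtt|round-trip)/ { print $5 }'
}

# Read "IP RTT" lines on stdin, print the IP with the smallest RTT.
best_ip() {
    sort -k2,2n | head -n 1 | awk '{ print $1 }'
}

# Replace every line in $1 that names host $2 with "$3 $2" (idempotent).
# Pass /etc/hosts as $1 for real use. Lines that mention the host are
# dropped as a whole, so keep the pinned host on a line of its own.
set_hosts_entry() {
    file=$1; name=$2; ip=$3
    tmp=$(mktemp)
    awk -v h="$name" '
        /^[[:space:]]*#/ { print; next }
        { keep = 1; for (i = 2; i <= NF; i++) if ($i == h) keep = 0 }
        keep { print }
    ' "$file" > "$tmp"
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$file"      # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# Measure every candidate, pin the best, reload nginx so proxy_pass is
# resolved again. Usage (as root): pin_best_edge www.example.com 192.0.2.10 192.0.2.20
pin_best_edge() {
    name=$1; shift
    results=""
    for ip in "$@"; do
        rtt=$(measure_rtt "$ip")
        if [ -n "$rtt" ]; then
            results="$results$ip $rtt
"
        fi
    done
    if [ -z "$results" ]; then
        echo "no candidate answered" >&2
        return 1
    fi
    best=$(printf '%s' "$results" | best_ip)
    set_hosts_entry /etc/hosts "$name" "$best"
    echo "pinned $name -> $best"
    nginx -s reload
}
```

Pinning an IP bypasses DNS entirely, so pair it with proxy_ssl_verify on: the origin's certificate is still checked against the hostname, and a stale or wrong pin fails closed instead of silently handing traffic to whatever answers at that address. Anycast nodes change, so re-measure from time to time.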

If you simply change the proxied address in the Nginx configuration from http to https, you get an error (on some Nginx builds the page opens but dynamic actions such as commenting, registering or logging in fail with the same error). The reason is SNI: Cloudflare serves many sites from each IP and expects the TLS client to name the one it wants, but by default Nginx sends no SNI to upstreams (proxy_ssl_server_name is off). Add the following to the proxy location:

proxy_ssl_name $host;
proxy_ssl_server_name on;

and the https Cloudflare site proxies correctly. Two caveats. $host is the name the client sent to the proxy, so it is only the right SNI value when the proxy serves the same domain as the origin; if the proxy has a different public name, use the origin's hostname instead (proxy_ssl_name defaults to the host part of proxy_pass, which is usually what you want anyway). And Nginx does not verify the upstream certificate unless you set proxy_ssl_verify on together with proxy_ssl_trusted_certificate, so without those two lines anyone between the proxy and Cloudflare can impersonate the origin.

This method comes from 好东东大佬.

Caching in memory with Nginx

All this takes is pointing the cache directory at /dev/shm.

Configuration:

proxy_cache_path /dev/shm/moec.top levels=1:2 keys_zone=laoxong:1m inactive=30m max_size=50m;
server {
    listen 80;
    listen 443 ssl http2;
    ssl_certificate /usr/local/nginx/conf/ssl/moec.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/moec.key;
    ssl_session_timeout 1d;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    # TLS 1.1 is deprecated, and the 3DES and static-RSA suites are dropped.
    # The TLS-AES-*/TLS-CHACHA20-* names in the original are not OpenSSL
    # cipher-list names and were silently ignored: TLS 1.3 suites are
    # enabled through ssl_protocols, not ssl_ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "EECDH+CHACHA20:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:!MD5:!3DES:!kRSA";
    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;

    server_name your.domain;
    access_log /usr/local/nginx/caches/moec.top_nginx.log combined;

    # charset takes a single name; "utf-8,gbk" would be sent verbatim in
    # the Content-Type header.
    charset utf-8;
    location / {
        proxy_set_header Accept-Encoding "";
        proxy_pass https://your.origin.site;
        # Required for an https origin behind Cloudflare (see above). $host
        # is only correct when this proxy serves the same name as the origin.
        proxy_ssl_name $host;
        proxy_ssl_server_name on;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache laoxong;
        proxy_cache_key $uri$is_args$args;
        proxy_cache_valid 200 304 30m;
        proxy_cache_valid 301 24h;
        proxy_cache_valid 500 502 503 504 0s;
        proxy_cache_valid any 1s;
        proxy_cache_min_uses 1;
        expires 12h;
    }
    # Purge endpoint. The original had "allow all" with the deny commented
    # out, which let anyone on the internet evict the cache; only local
    # callers should be able to do that.
    location ~ /purge(/.*) {
        allow 127.0.0.1;
        deny all;
        proxy_cache_purge laoxong $1$is_args$args;
    }
}

Make sure max_size fits inside /dev/shm with room to spare, let alone inside physical memory: a full tmpfs makes every other program that writes to /dev/shm fail (the PHP socket in the default vhost further down lives there too). Also note that the cache key above is only the URI and query string: Nginx refuses to cache responses that carry Set-Cookie or a private/no-cache Cache-Control, but an origin that forgets those headers on a logged-in page would have that page served to every later visitor.
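An added example, not code from the original post and not Nginx's or Cloudflare's own tooling, that covers both points above (the SNI and certificate-verification settings for an https origin behind Cloudflare, and a cache that cannot hand one user's session page to another): a shell script that renders such a vhost and installs it only if the complete Nginx configuration still passes nginx -t, restoring the previous file otherwise. The certificate paths under /usr/local/nginx/conf/ssl/, the CA bundle path /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu; RHEL-type systems keep it elsewhere), the cache zone name laoxong and the any-cookie-bypasses-cache heuristic are assumptions; adjust them to your build.

```shell
#!/bin/sh
# Added example (not from the original post): render a hardened vhost for
# an https origin behind Cloudflare and deploy it only if the whole nginx
# configuration still passes `nginx -t`. Paths and names are assumptions.
set -eu

# $1 public name this proxy serves, $2 origin hostname (what proxy_pass
# connects to), $3 CA bundle used to verify the origin, $4 cache zone.
render_vhost() {
    host=$1; origin=$2; ca_bundle=$3; zone=$4
    cat <<EOF
server {
    listen 443 ssl http2;
    server_name $host;
    ssl_certificate     /usr/local/nginx/conf/ssl/$host.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/$host.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://$origin;
        # Cloudflare serves many sites per IP and needs SNI to pick one;
        # nginx sends none unless told to. Use the origin's name rather
        # than \$host so this also works when the public name differs.
        proxy_ssl_server_name on;
        proxy_ssl_name $origin;
        proxy_set_header Host $origin;
        # Off by default: nginx would accept any certificate, so anyone on
        # the path between this box and Cloudflare could impersonate the
        # origin. Verify the chain against the system CA bundle.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate $ca_bundle;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_redirect off;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Accept-Encoding "";

        proxy_cache $zone;
        # Key on scheme and host too, so vhosts that share the zone cannot
        # be served each other's objects.
        proxy_cache_key \$scheme\$host\$request_uri;
        # Requests carrying cookies skip the cache in both directions: a
        # shared cache of logged-in pages would hand one user's account
        # page to the next visitor. Narrow this to the real session cookie
        # (\$cookie_<name>) once you know its name.
        proxy_cache_bypass \$http_cookie;
        proxy_no_cache \$http_cookie;
        proxy_cache_valid 200 304 30m;
        proxy_cache_valid 301 24h;
        proxy_cache_valid 500 502 503 504 0s;
        proxy_cache_valid any 1s;
        add_header X-Cache-Status \$upstream_cache_status;
    }

    # Purge key must be built the same way as proxy_cache_key.
    location ~ ^/purge(/.*) {
        allow 127.0.0.1;
        deny all;
        proxy_cache_purge $zone \$scheme\$host\$1\$is_args\$args;
    }
}
EOF
}

# Install the rendered vhost, keep a backup, and reload only when the
# complete configuration passes nginx's check; on failure the previous
# file is put back so a typo cannot take the edge down.
deploy_vhost() {
    target=$1; shift
    tmp=$(mktemp)
    render_vhost "$@" > "$tmp"
    if [ -f "$target" ]; then cp -p "$target" "$target.bak"; fi
    install -m 0644 "$tmp" "$target"
    rm -f "$tmp"
    if nginx -t; then
        nginx -s reload
    else
        if [ -f "$target.bak" ]; then mv "$target.bak" "$target"; fi
        echo "nginx -t rejected the new vhost; previous file restored" >&2
        return 1
    fi
}

# Example (run as root):
# deploy_vhost /usr/local/nginx/conf/vhost/www.example.com.conf \
#     www.example.com www.example.com /etc/ssl/certs/ca-certificates.crt laoxong
```

The X-Cache-Status header makes the cache behaviour visible from a client: a request with a cookie should show BYPASS, a repeated anonymous request HIT. Remove the header once you have checked it if you would rather not advertise the cache layer.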

/dev/shm is a tmpfs whose size limit defaults to half of RAM; df -h shows it. The limit is a cap, not a reservation: with nothing stored in /dev/shm it occupies zero bytes.

If the default is too small for the cache and other programs leave memory to spare, raise the cap by remounting with a size option:

mount -o remount,size=5G /dev/shm

This remounts /dev/shm with a 5G limit (the original wrote 5128M, which is 5G plus change). The remount does not survive a reboot; to keep it, add a matching tmpfs line for /dev/shm to /etc/fstab. Two more points: tmpfs pages can still be swapped out under memory pressure, so "in memory" is not a hard guarantee, and /dev/shm itself is world-writable (mode 1777), so check with ls -ld that the cache directory Nginx creates under it is owned by the worker user and not readable by other local users.
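The sizing and remount steps above, as an added example that is not part of the original post: a shell script that derives a max_size for the /dev/shm-backed cache from installed RAM, caps it so the cache can never fill the tmpfs, and prints the proxy_cache_path, remount and /etc/fstab lines to apply. The cache path /dev/shm/nginx-cache, the zone name laoxong and the 10% RAM budget are assumptions; the functions work on /proc/meminfo and df text so they can be checked on constructed input, and a live run needs the --live flag.

```shell
#!/bin/sh
# Added example (not from the original post): size a /dev/shm-backed nginx
# cache from installed RAM, keep it inside the tmpfs, and print the lines
# to apply. Cache path, zone name and the 10% budget are assumptions.
set -eu

# MemTotal in KiB, from /proc/meminfo-style text on stdin.
mem_total_kib() {
    awk '/^MemTotal:/ { print $2; exit }'
}

# Size of a mount in KiB, from `df -kP <mount>` output on stdin.
mount_total_kib() {
    awk 'NR == 2 { print $2; exit }'
}

# max_size in MiB: PERCENT of RAM, but never more than 80% of the tmpfs,
# so the cache cannot fill /dev/shm (other software uses it too).
# Usage: recommend_max_size_mib MEM_KIB SHM_KIB PERCENT
recommend_max_size_mib() {
    mem_kib=$1; shm_kib=$2; pct=$3
    by_ram=$(( mem_kib * pct / 100 / 1024 ))
    by_shm=$(( shm_kib * 80 / 100 / 1024 ))
    if [ "$by_ram" -lt "$by_shm" ]; then echo "$by_ram"; else echo "$by_shm"; fi
}

# fstab line that makes a larger /dev/shm survive reboots (a plain
# `mount -o remount` does not). nosuid,nodev: nothing in a world-writable
# tmpfs should ever be a setuid binary or a device node.
fstab_line() {
    printf 'tmpfs /dev/shm tmpfs defaults,nosuid,nodev,size=%s 0 0\n' "$1"
}

# /dev/shm is mode 1777: create the cache directory closed to everyone but
# the worker user before nginx first starts. $1 = dir, $2 = nginx user
# (optional; chown needs root).
prepare_cache_dir() {
    install -d -m 0700 "$1"
    if [ $# -gt 1 ]; then chown "$2" "$1"; fi
}

# Live run: read the real numbers and print the configuration to apply.
# Usage: sh this.sh --live [NEW_SHM_SIZE, e.g. 5G]
main() {
    want=${1:-}
    mem=$(mem_total_kib < /proc/meminfo)
    shm=$(df -kP /dev/shm | mount_total_kib)
    size=$(recommend_max_size_mib "$mem" "$shm" 10)
    echo "# RAM: $((mem / 1024)) MiB, /dev/shm: $((shm / 1024)) MiB"
    echo "proxy_cache_path /dev/shm/nginx-cache levels=1:2 keys_zone=laoxong:10m inactive=30m max_size=${size}m use_temp_path=off;"
    if [ -n "$want" ]; then
        echo "# enlarge now:            mount -o remount,size=$want /dev/shm"
        echo "# persist across reboots: $(fstab_line "$want")"
    fi
}

if [ "${1:-}" = "--live" ]; then shift; main "$@"; fi
```

Run it again after changing the fstab entry: the recommendation is recomputed from the new tmpfs size, so max_size grows with /dev/shm instead of being a number copied from a blog post.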

Configuring a WAF (Web Application Firewall) for Nginx

1. Install VeryNginx

VeryNginx depends on the following three Nginx modules:

  • lua-nginx-module
  • http_stub_status_module
  • http_ssl_module

Install VeryNginx (git clone fetches whatever is currently on master; check out a release tag or a commit you have reviewed before installing, since this code runs inside every request your edge handles):

git clone https://github.com/alexazhou/VeryNginx.git
cd VeryNginx
python install.py install verynginx

2. Recompile Nginx

Yes, Nginx has to be compiled again.

Required additions: LuaJIT, ngx_devel_kit, ngx_lua (lua-nginx-module). Recent lua-nginx-module releases are built and tested against OpenResty's LuaJIT 2.1 branch rather than LuaJIT 2.0; if ./configure or make complains about LuaJIT, check the README of the module version you picked. Prefer https downloads and compare each tarball's checksum with the one the project publishes.

OneInstack users

If you use OneInstack and followed part 1, build as follows (the pcre, openssl and nginx tarballs are already in ~/oneinstack/src/ from that build):

cd ~/oneinstack/src/
wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
make
make install    # default PREFIX=/usr/local: bin/luajit, lib/libluajit-5.1.so.2, include/luajit-2.0/
# make the shared library findable at runtime (the original pointed ldconfig at a
# non-existent /usr/local/luajit/lib and created a dangling symlink instead)
echo "/usr/local/lib" > /etc/ld.so.conf.d/usr_local_lib.conf
ldconfig
cd ../
export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0/
wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.zip
unzip v0.3.0.zip
wget https://github.com/openresty/lua-nginx-module/archive/v0.10.14.tar.gz
tar xvf v0.10.14.tar.gz
tar zxvf pcre-8.43.tar.gz
tar zxvf openssl-1.1.1d.tar.gz
wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz
tar zxvf ngx_cache_purge-2.3.tar.gz
tar zxf nginx-*.tar.gz
cd nginx-1.16.1
./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.1.1d --with-pcre=../pcre-8.43 --with-pcre-jit --with-ld-opt=-ljemalloc --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../lua-nginx-module-0.10.14
make -j2
# keep the old binary as a dated backup, drop in the new one, then check and restart
mv /usr/local/nginx/sbin/nginx{,$(date +%m%d)}
cp objs/nginx /usr/local/nginx/sbin
nginx -t
service nginx restart

Other users

Download the following components:

LuaJIT

wget http://luajit.org/download/LuaJIT-2.0.5.tar.gz
tar -zxvf LuaJIT-2.0.5.tar.gz
cd LuaJIT-2.0.5/
make
make install
cd ../

Set the environment variables the ngx_lua build reads (these match the default LuaJIT install prefix):

export LUAJIT_LIB=/usr/local/lib
export LUAJIT_INC=/usr/local/include/luajit-2.0/

ngx_devel_kit

wget https://github.com/simpl/ngx_devel_kit/archive/v0.3.0.zip
unzip v0.3.0.zip

ngx_lua

wget https://github.com/openresty/lua-nginx-module/archive/v0.10.7.zip
unzip v0.10.7.zip
Then configure, build and install from the Nginx source directory, adapting the arguments to your environment: start from your current build flags (nginx -V prints them) and append the three modules. The line below is the OneInstack set from above plus the additions; it expects openssl-1.1.1d, pcre-8.43 and ngx_cache_purge-2.3 unpacked beside the Nginx source, and --with-ld-opt=-ljemalloc must be dropped if jemalloc is not installed.
./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-openssl=../openssl-1.1.1d --with-pcre=../pcre-8.43 --with-pcre-jit --with-ld-opt=-ljemalloc --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../lua-nginx-module-0.10.7
make -j2

If nginx -t (or starting Nginx) fails with

nginx: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: No such file or directory

the dynamic linker is not searching the directory where make install put the LuaJIT library: /usr/local/lib for the default prefix, or /usr/local/LuaJIT/lib if you built with PREFIX=/usr/local/LuaJIT. Add that directory to the linker search path, rebuild the cache and confirm the library is now found:

echo "/usr/local/lib" > /etc/ld.so.conf.d/usr_local_lib.conf
ldconfig
ldconfig -p | grep libluajit    # should list libluajit-5.1.so.2

3. Configure Nginx

/opt/verynginx/verynginx/nginx_conf/in_external.conf;
/opt/verynginx/verynginx/nginx_conf/in_http_block.conf;
/opt/verynginx/verynginx/nginx_conf/in_server_block.conf;

Include these three files in the main configuration file (/usr/local/nginx/conf/nginx.conf): the first outside the http block, the second inside the http block, the third inside each server block that the WAF should protect. Keep these three include lines whenever you edit the file later.

user www www;
worker_processes auto;

error_log /data/wwwlogs/error_nginx.log crit;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;

events {
  use epoll;
  worker_connections 51200;
  multi_accept on;
}
#CC
include /opt/verynginx/verynginx/nginx_conf/in_external.conf;
http {
#CC
  include /opt/verynginx/verynginx/nginx_conf/in_http_block.conf;
  include mime.types;
  default_type application/octet-stream;
  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 1024m;
  client_body_buffer_size 10m;
  sendfile on;
  tcp_nopush on;
  keepalive_timeout 120;
  server_tokens off;
  tcp_nodelay on;

  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;
  fastcgi_intercept_errors on;

  #Gzip Compression
  gzip on;
  gzip_buffers 16 8k;
  gzip_comp_level 6;
  gzip_http_version 1.1;
  gzip_min_length 256;
  gzip_proxied any;
  gzip_vary on;
  gzip_types
    text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
    text/javascript application/javascript application/x-javascript
    text/x-json application/json application/x-web-app-manifest+json
    text/css text/plain text/x-component
    font/opentype application/x-font-ttf application/vnd.ms-fontobject
    image/x-icon;
  gzip_disable "MSIE [1-6]\.(?!.*SV1)";

  ##Brotli Compression
  #brotli on;
  #brotli_comp_level 6;
  #brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

  ##If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can save some latency.
  #open_file_cache max=1000 inactive=20s;
  #open_file_cache_valid 30s;
  #open_file_cache_min_uses 2;
  #open_file_cache_errors on;

######################## default ############################
  server {
#CC 
    include /opt/verynginx/verynginx/nginx_conf/in_server_block.conf;
    listen 80;
    server_name _;
    access_log /data/wwwlogs/access_nginx.log combined;
    root /data/wwwroot/default;
    index index.html index.htm index.php;
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    location /nginx_status {
      stub_status on;
      access_log off;
      allow 127.0.0.1;
      deny all;
    }
    location ~ [^/]\.php(/|$) {
      #fastcgi_pass remote_php_ip:9000;
      fastcgi_pass unix:/dev/shm/php-cgi.sock;
      fastcgi_index index.php;
      include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
      expires 30d;
      access_log off;
    }
    location ~ .*\.(js|css)?$ {
      expires 7d;
      access_log off;
    }
    location ~ ^/(\.user.ini|\.ht|\.git|\.svn|\.project|LICENSE|README.md) {
      deny all;
    }
  }
########################## vhost #############################
  include vhost/*.conf;
}

The lines under the #CC markers are the additions.

Then test the configuration for errors:

nginx -t

If there are none, restart Nginx:

systemctl restart nginx

Browse to http://<server public IP>/verynginx/index.html to reach the dashboard; the default administrator username and password are both verynginx. Change that password before anything else: the in_server_block.conf include publishes the dashboard on every server block that carries it, here the catch-all default on port 80, so anyone who finds it can read traffic statistics and rewrite the firewall rules. Restrict the dashboard to your own addresses (a VeryNginx filter rule or a host firewall) and reach it over https rather than the plain port-80 default server, so the credentials are not sent in clear text.