Nginx 访问控制与限流

Access Control and Rate Limiting

访问控制和限流是保护Web服务器免受滥用和攻击的重要手段。本文将详细介绍Nginx的访问控制机制、限流配置和最佳实践。

1. 基本访问控制

1.1 IP地址访问控制

# IP allow-list for a whole virtual host. allow/deny rules are checked in the
# order written and the first match wins; anything not matched falls through
# to `deny all` and receives HTTP 403.
server {
    listen 80;
    server_name example.com;

    # Permitted hosts and networks
    allow 192.168.1.100;
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;

    # Reject every other client address
    deny all;

    location /admin {
        # Tighter rules for the admin area. A location-level allow/deny list
        # replaces (does not extend) the server-level one, so only this single
        # host reaches /admin.
        allow 192.168.1.100;
        deny all;
    }
}
# NOTE(review): these rules match the TCP peer address. Behind a load balancer
# or CDN every request arrives from the proxy's IP, so the list above would
# either block everyone or admit everyone; in that topology the realip module
# (set_real_ip_from / real_ip_header) has to be configured first — confirm
# the deployment.

1.2 基于时间的访问控制

# Derive a maintenance flag from the request time. $time_iso8601 is the
# server's local time, e.g. "2025-08-29T05:40:15+08:00", so the window
# follows the nginx host's time zone.
map $time_iso8601 $maintenance_mode {
    default 0;
    ~T0[0-6]: 1;  # Maintenance window: matches hours 00 through 06, i.e. up to 06:59; use [0-5] for a strict 00:00-06:00 window
}

server {
    listen 80;
    server_name example.com;

    # Short-circuit every request while $maintenance_mode is set. A server-level
    # `if` whose only action is `return` is one of the safe uses of `if`.
    # Clients get a plain-text 503 body; the response carries no Retry-After
    # header, so add one (add_header ... always) if monitoring/crawlers need it.
    if ($maintenance_mode) {
        return 503 "Site under maintenance";
    }

    location / {
        root /var/www/html;
    }
}

2. 限流配置

2.1 请求频率限制

http {
    # Rate-limit zones keyed by client IP. $binary_remote_addr is the compact
    # binary address form, which keeps the per-client state small. Each zone
    # holds one leaky-bucket state per key; when a zone fills up, the oldest
    # states are evicted.
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/m;

    server {
        listen 80;
        server_name example.com;

        location / {
            # Up to 5 requests above the rate are served immediately (nodelay);
            # anything beyond that is rejected, by default with HTTP 503.
            # Many clients treat 429 as "slow down" and 503 as "server broken",
            # so `limit_req_status 429;` is usually preferable.
            limit_req zone=one burst=5 nodelay;
            root /var/www/html;
        }

        location /api/ {
            # 10 requests per minute with a burst of 3, then reject.
            limit_req zone=api burst=3 nodelay;
            proxy_pass http://backend;
        }
    }
}
# NOTE(review): keyed on the TCP peer address, so behind a reverse proxy or CDN
# all traffic shares one bucket and the whole site is throttled together;
# use the realip module there, or key on a trusted forwarded-address
# variable. Rejections are logged at error level by default
# (limit_req_log_level), which is the signal to alert on.

2.2 连接数限制

http {
    # Concurrent-connection zones: one keyed by client IP, one keyed by the
    # server name so the whole virtual host has a ceiling too.
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_conn_zone $server_name zone=perserver:10m;

    server {
        listen 80;
        server_name example.com;

        # At most 10 simultaneous connections per client IP
        limit_conn addr 10;

        # At most 1000 simultaneous connections for this server block
        limit_conn perserver 1000;

        location / {
            root /var/www/html;
        }
    }
}
# NOTE(review): a connection counts only once nginx has read the request
# headers, so this limit does not cap half-open or slow-header connections;
# pair it with client_header_timeout / client_body_timeout. The per-IP
# caveat for proxied deployments applies here as well.

3. 高级访问控制

3.1 基于User-Agent的控制

# Flag requests whose User-Agent looks like an automated client.
# `~*` is a case-insensitive, unanchored regex, so "bot" matches "Googlebot",
# "Bingbot" and any other string containing those letters.
map $http_user_agent $blocked_agent {
    default 0;
    ~*bot 1;
    ~*crawler 1;
    ~*spider 1;
    ~*scanner 1;
}
# NOTE(review): User-Agent is chosen by the client, so this is hygiene
# against noisy default tooling, not an access-control boundary; it also
# blocks legitimate search-engine crawlers. Keep the real controls
# (allow/deny, auth, limit_req) in place regardless.

server {
    listen 80;
    server_name example.com;

    # Reject flagged user agents before any location is selected.
    if ($blocked_agent) {
        return 403 "Access denied";
    }

    location / {
        root /var/www/html;
    }
}

3.2 基于Referer的控制

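# Anti-hotlinking flag: 1 means the Referer is not one of ours.
# The patterns are anchored to the scheme and host so that the host must
# actually be example.com / google.com or a subdomain of it; the earlier
# unanchored `~*example\.com` also accepted referers such as
# "http://example.com.evil.test/" or "http://evil.test/?q=example.com".
map $http_referer $invalid_referer {
    default 1;
    ~*^https?://([^/]+\.)?example\.com(/|$) 0;
    ~*^https?://([^/]+\.)?google\.com(/|$) 0;
    "" 0;  # No Referer (direct navigation, strict referrer policies): allow
}
# NOTE(review): Referer is set by the client, so this deters casual embedding
# but is not authorization. The built-in `valid_referers` directive
# (e.g. `valid_referers none blocked server_names *.example.com;`) covers the
# same cases without hand-written regexes and is worth considering here.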

server {
    listen 80;
    server_name example.com;

    location /images/ {
        # Refuse image requests that carry a foreign Referer. `if` + `return`
        # inside a location is safe; avoid adding other directives to the if.
        if ($invalid_referer) {
            return 403 "Hotlinking not allowed";
        }

        root /var/www;
        expires 1d;
    }
}

Nginx HTTP认证配置

HTTP Authentication Configuration

HTTP认证是保护Web资源的基本方法。本文将介绍Nginx支持的各种认证方式和配置方法。

1. 基本认证 (Basic Auth)

1.1 创建密码文件

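# Create the password file with htpasswd. -c creates (and silently
# overwrites!) the file, so use it only for the first account; later
# accounts omit -c.
sudo htpasswd -c /etc/nginx/.htpasswd admin
sudo htpasswd /etc/nginx/.htpasswd user1

# Alternative without htpasswd: write "user:" then append the hash.
# `openssl passwd` prompts for the password, so it never appears in argv,
# `ps` output or shell history. Like -c above this replaces the file.
# -apr1 (Apache MD5 crypt) is the scheme nginx accepts everywhere; stronger
# crypt() schemes depend on the platform libc, so verify before switching.
printf '%s' 'admin:' | sudo tee /etc/nginx/.htpasswd >/dev/null
openssl passwd -apr1 | sudo tee -a /etc/nginx/.htpasswd >/dev/null

# The file holds password hashes: keep it owned by root and readable only
# by the worker group (group name follows the `user nginx;` directive in
# the main config; adjust for distributions that run as www-data).
sudo chown root:nginx /etc/nginx/.htpasswd
sudo chmod 640 /etc/nginx/.htpasswd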

1.2 配置基本认证

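server {
    # HTTP Basic Auth sends the credentials base64-encoded, not encrypted, on
    # every request. The original served this host on plain port 80, which
    # exposes every password to anyone on the path; the realm is therefore
    # offered over TLS only, reusing the certificate paths from the
    # client-certificate examples in this guide.
    listen 443 ssl;
    server_name auth.example.com;

    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;

    location /admin {
        # Realm shown in the browser prompt; the user file is the one created
        # with htpasswd in 1.1. It must stay outside the web root and be
        # readable by the worker user only.
        auth_basic "Admin Area";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # NOTE(review): `root` appends the location prefix, so /admin/x is
        # looked up at /var/www/admin/admin/x. If /var/www/admin is meant to
        # be the content directory itself, `alias /var/www/admin/;` is the
        # intended directive — confirm the layout.
        root /var/www/admin;
        try_files $uri $uri/ =404;
    }

    location /protected {
        auth_basic "Protected Area";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # `satisfy any`: a request passes if EITHER the allow/deny rules OR the
        # password check succeeds, so loopback and 192.168.1.0/24 clients skip
        # the prompt while everyone else must authenticate.
        satisfy any;
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;

        root /var/www/protected;
    }
}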

2. 客户端证书认证

2.1 SSL客户端证书配置

# Mutual TLS: every client must present a certificate chaining to ca.crt.
server {
    listen 443 ssl;
    server_name cert-auth.example.com;

    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;

    # Client-certificate settings: trusted issuer CA, verification mandatory,
    # and at most two intermediate levels between the client cert and the CA.
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # Forward the verified subject to the backend. proxy_set_header
        # replaces any same-named header the client sent, so the backend
        # can trust these values — but only if it is reachable through nginx
        # alone; confirm the backend is not exposed directly.
        proxy_set_header X-SSL-Client-CN $ssl_client_s_dn_cn;
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
        proxy_pass http://backend;
    }
}
# NOTE(review): no revocation checking is configured (ssl_crl), so a revoked
# client certificate stays valid here until it expires or the CA file is
# changed — decide whether that is acceptable for this deployment.

2.2 可选客户端证书

# Optional client certificates: the handshake succeeds with or without a
# certificate, and individual locations decide what to require.
server {
    listen 443 ssl;
    server_name optional-cert.example.com;

    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client optional;

    location /secure {
        # $ssl_client_verify is "SUCCESS", "NONE" (no cert presented) or
        # "FAILED:<reason>", so anything but SUCCESS is rejected. Note that
        # the prefix also matches paths such as /secure-notes; use `/secure/`
        # or `= /secure` if only that path is meant.
        if ($ssl_client_verify != SUCCESS) {
            return 401 "Certificate required";
        }

        root /var/www/secure;
    }

    location / {
        root /var/www/public;
    }
}

Nginx 缓存配置与优化

Caching Configuration and Optimization

缓存是提高Web性能的重要手段。本文将详细介绍Nginx的各种缓存机制和优化策略。

1. 代理缓存

1.1 基本代理缓存配置

http {
    # On-disk cache: two-level directory hashing, 10 MB of shared keys
    # (roughly 80k entries), 1 GB data cap, entries unused for 60 minutes are
    # removed, and temp files are written directly into the cache directory.
    proxy_cache_path /var/cache/nginx 
                     levels=1:2 
                     keys_zone=my_cache:10m 
                     max_size=1g 
                     inactive=60m 
                     use_temp_path=off;

    server {
        listen 80;
        server_name cache.example.com;

        location / {
            proxy_cache my_cache;
            # Key = scheme + upstream host + full request URI (incl. query).
            # It does not include cookies or Authorization, so per-user
            # responses must be excluded by the backend (Cache-Control:
            # private / Set-Cookie) or via proxy_no_cache — verify the backend
            # does so before caching everything under /.
            proxy_cache_key $scheme$proxy_host$request_uri;
            proxy_cache_valid 200 302 10m;
            proxy_cache_valid 404 1m;

            proxy_pass http://backend;

            # HIT / MISS / EXPIRED / ... for debugging and cache-ratio metrics
            add_header X-Cache-Status $upstream_cache_status;
        }
    }
}

1.2 高级缓存配置

# Uses the my_cache zone declared by proxy_cache_path in the http block above.
server {
    listen 80;
    server_name advanced-cache.example.com;

    location /api/ {
        proxy_cache my_cache;
        proxy_cache_key $scheme$proxy_host$uri$is_args$args;

        # Cache control: a "nocache" cookie or query parameter skips the cache
        # lookup (bypass) and prevents storing the response (no_cache).
        # NOTE(review): both are client-controlled, so any caller can force
        # every request to the origin with ?nocache=1 and defeat the cache
        # under load; gate this with a map on a trusted address or secret
        # instead of a bare cookie/argument.
        proxy_cache_bypass $cookie_nocache $arg_nocache;
        proxy_no_cache $cookie_nocache $arg_nocache;

        # Serve a stale copy while refreshing or when the backend errors
        proxy_cache_use_stale error timeout updating 
                            http_500 http_502 http_503 http_504;

        # Refresh expired entries in the background; only one request at a
        # time populates a given key (the rest wait)
        proxy_cache_background_update on;
        proxy_cache_lock on;

        proxy_pass http://api_backend;
    }
}

2. 静态文件缓存

2.1 浏览器缓存配置

# Browser-cache policy by file type. No `root` is set here, so these
# locations resolve against the compiled-in default root unless one is added.
server {
    listen 80;
    server_name static.example.com;

    # Images: cache for one year. `immutable` tells browsers never to
    # revalidate, which is only safe when file names change with content
    # (hashed/versioned names) — confirm the build does that.
    location ~* \.(jpg|jpeg|png|gif|ico|svg)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        add_header Vary Accept-Encoding;
    }

    # CSS/JS: cache for one month
    location ~* \.(css|js)$ {
        expires 1M;
        add_header Cache-Control "public";
        add_header Vary Accept-Encoding;
    }

    # HTML: never cache. `expires -1` already emits an Expires date in the past
    # plus "Cache-Control: no-cache", so the add_header below produces a second
    # Cache-Control header; harmless for browsers, but worth knowing when
    # reading response headers.
    location ~* \.html$ {
        expires -1;
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }
}

2.2 条件缓存

# Choose the expires value from the response Content-Type:
#   off   - emit no Expires/Cache-Control
#   epoch - Expires: 1 Jan 1970 and Cache-Control: no-cache
#   max   - Expires: 31 Dec 2037 and Cache-Control: max-age of ten years
#   1M    - one month
# `~image/` is a regex prefix match covering every image/* type.
map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    1M;
}

server {
    listen 80;
    server_name conditional-cache.example.com;

    # `expires` accepts a variable, so the map above selects the policy
    # per response type for every location in this server.
    expires $expires;

    location / {
        root /var/www/html;
    }
}

Nginx 压缩与静态文件优化

Compression and Static File Optimization

压缩可以显著减少传输数据量,提高网站加载速度。本文将介绍Nginx的压缩配置和静态文件优化。

1. Gzip压缩配置

1.1 基本Gzip配置

http {
    # On-the-fly gzip for the listed MIME types; responses under 1 KB are
    # left alone, proxied responses are compressed regardless of their
    # headers, and level 6 is the usual speed/ratio compromise.
    # gzip_vary adds "Vary: Accept-Encoding" so caches key on encoding.
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/json
        application/javascript
        application/xml+rss
        application/atom+xml
        image/svg+xml;

    server {
        listen 80;
        server_name compressed.example.com;

        location / {
            root /var/www/html;
        }
    }
}
# NOTE(review): compressing a response that contains a secret (session or
# CSRF token) together with attacker-influenced input enables BREACH-style
# length side channels. Static assets are fine; for dynamic authenticated
# JSON/HTML consider leaving compression off or masking tokens.

1.2 预压缩文件配置

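server {
    listen 80;
    server_name precompressed.example.com;

    # Document root at server level so that BOTH locations below resolve
    # files under /var/www/html. In the original only `location /` had a
    # root, so the regex location for .css/.js fell back to the compiled-in
    # default root and never found the site's files.
    root /var/www/html;

    # Serve a pre-built "<file>.gz" sibling when the client accepts gzip.
    # The module performs the .gz lookup itself; no try_files trick is needed.
    gzip_static on;

    location ~* \.(css|js)$ {
        # The original used `try_files $uri$gzip_suffix $uri =404;`, but
        # $gzip_suffix is not an nginx variable and the configuration fails
        # to load with 'unknown "gzip_suffix" variable'. Checking the plain
        # file is enough; gzip_static substitutes the .gz variant on the way.
        try_files $uri =404;

        # Encoded and plain bodies share a URL, so caches must key on
        # Accept-Encoding.
        add_header Vary Accept-Encoding;
        expires 1y;
    }

    location / {
    }
}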

2. Brotli压缩

2.1 Brotli配置

# Requires the brotli module package (nginx-module-brotli). load_module is
# only valid in the main (top-level) context and must precede the events/http
# blocks; the filter module compresses on the fly, the static module serves
# pre-built ".br" files.
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;

http {
    # On-the-fly Brotli compression for the listed types; level 6 of 11.
    # The same length-side-channel caveat as for gzip applies to dynamic
    # responses that mix secrets with user-controlled input.
    brotli on;
    brotli_comp_level 6;
    brotli_types
        text/plain
        text/css
        application/json
        application/javascript
        text/xml
        application/xml
        application/xml+rss
        text/javascript;

    server {
        listen 80;
        server_name brotli.example.com;

        location / {
            root /var/www/html;
        }
    }
}

3. 静态文件优化

3.1 文件传输优化

server {
    listen 80;
    server_name optimized.example.com;

    # Kernel-side file transfer; tcp_nopush fills packets before sending
    # (only effective together with sendfile), tcp_nodelay disables Nagle
    # for keep-alive connections.
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Static assets: /static/x is served from /var/www/static/x
    location /static/ {
        root /var/www;

        # Directory listings. NOTE(review): this exposes every file name in
        # /var/www/static (and, with exact sizes and local times, some
        # metadata) to anyone; keep it on only if the directory is meant to
        # be browsable, and never for upload or config directories.
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;

        # Long-lived browser cache; `immutable` assumes versioned file names
        expires 1y;
        add_header Cache-Control "public, immutable";

        # Serve pre-built .gz / .br siblings (the .br variant needs the
        # brotli static module loaded in the main context)
        gzip_static on;
        brotli_static on;
    }

    # Large downloads
    location /downloads/ {
        root /var/www;

        # Cap per-connection throughput at 1 MB/s ...
        limit_rate 1m;

        # ... but only after the first 10 MB have been sent at full speed
        limit_rate_after 10m;

        # Cache for one day
        expires 1d;
    }
}

Nginx 连接优化与调优

Connection Optimization and Tuning

连接优化是提高Nginx性能的关键。本文将介绍各种连接优化配置和调优技巧。

1. 连接池配置

1.1 基本连接参数

events {
    # Linux-only event method; nginx already picks the best available
    # method by default, so this line is documentation more than tuning.
    use epoll;

    # Connections per worker process (clients plus upstream connections).
    # Must stay below worker_rlimit_nofile.
    worker_connections 1024;

    # Accept all pending connections at once instead of one per wakeup
    multi_accept on;

    # Let every worker accept directly instead of serialising on a mutex
    accept_mutex off;
}

http {
    # Client keep-alive: idle connections are closed after 65 s, and a single
    # connection serves at most 1000 requests before nginx closes it.
    keepalive_timeout 65;
    keepalive_requests 1000;

    # Time allowed between bytes while reading the request header / body;
    # these bound slow-request (slowloris-style) connections and should be
    # as low as the real clients tolerate.
    client_header_timeout 60;
    client_body_timeout 60;

    # Time allowed between two successive writes to the client
    send_timeout 60;

    server {
        listen 80;
        server_name optimized.example.com;

        location / {
            root /var/www/html;
        }
    }
}

1.2 上游连接池优化

upstream backend {
    server 192.168.1.10:8080;
    server 192.168.1.11:8080;

    # Upstream connection pool: each worker keeps up to 32 idle connections
    # open to these servers, reusing each for up to 1000 requests and closing
    # it after 60 s idle (the last two directives need nginx 1.15.3+).
    keepalive 32;
    keepalive_requests 1000;
    keepalive_timeout 60s;
}

server {
    listen 80;
    server_name upstream-optimized.example.com;

    location / {
        proxy_pass http://backend;

        # Required for the upstream keepalive pool: HTTP/1.1 and an empty
        # Connection header (otherwise nginx sends "Connection: close").
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Fail fast on connect; allow up to 60 s between bytes in either
        # direction. Keep read/send timeouts in line with the backend's own
        # request timeout so stuck requests do not pile up on nginx.
        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

2. 缓冲区优化

2.1 代理缓冲区配置

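server {
    listen 80;
    server_name buffered.example.com;

    # Request-header buffers are only allowed in the http and server
    # contexts. The original placed them inside `location`, which makes
    # `nginx -t` fail with "directive is not allowed here"; they live here
    # instead. 1k covers ordinary headers; up to 4 extra 4k buffers handle
    # long cookies/URIs, anything larger is rejected with 4xx.
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;

    location / {
        proxy_pass http://backend;

        # Proxy response buffering: read the upstream reply into memory
        # (one 4k header buffer, eight 4k body buffers), start sending to the
        # client once 8k is busy, and spill to temp files up to 1 GB in 8k
        # writes so a slow client does not hold the upstream connection.
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;
        proxy_max_temp_file_size 1024m;
        proxy_temp_file_write_size 8k;

        # Client request body: 128k in memory before spilling to disk, and a
        # hard 100 MB ceiling (413 beyond that). Both are valid in location.
        client_body_buffer_size 128k;
        client_max_body_size 100m;
    }
}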

2.2 FastCGI缓冲优化

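server {
    listen 80;
    server_name php-optimized.example.com;

    location ~ \.php$ {
        # Only hand scripts that exist on disk to PHP-FPM. Without this,
        # PHP's cgi.fix_pathinfo can map a request for a non-existent .php
        # path onto a different existing file (e.g. an uploaded image) and
        # execute it; `try_files $uri =404;` is the standard mitigation.
        try_files $uri =404;

        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;

        # FastCGI response buffering, mirroring the proxy_* settings:
        # 4k header buffer, eight 4k body buffers, 8k busy threshold,
        # temp files up to 1 GB written in 8k chunks.
        fastcgi_buffering on;
        fastcgi_buffer_size 4k;
        fastcgi_buffers 8 4k;
        fastcgi_busy_buffers_size 8k;
        fastcgi_max_temp_file_size 1024m;
        fastcgi_temp_file_write_size 8k;

        # FastCGI timeouts: connect, and max gap between bytes sent/received.
        # Keep read_timeout aligned with PHP's max_execution_time.
        fastcgi_connect_timeout 60s;
        fastcgi_send_timeout 60s;
        fastcgi_read_timeout 60s;

        # Standard parameter set plus the absolute script path. $document_root
        # comes from `root`, which this server does not set, so the default
        # root applies unless one is added — confirm the intended directory.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}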

3. 工作进程优化

3.1 工作进程配置

# Main (top-level) context
# Workers run unprivileged as this user; the master stays root to bind ports.
user nginx;
worker_processes auto;  # one worker per CPU core, detected automatically
# Per-worker open-file limit; must exceed worker_connections with headroom
# for log files, cache files and upstream sockets
worker_rlimit_nofile 65535;

# Pin each worker to a CPU core to keep caches warm
worker_cpu_affinity auto;

# Scheduling priority (nice value); negative = higher priority than default.
# Raising priority lets nginx starve co-located services under load, so
# leave this at 0 on shared hosts.
worker_priority -5;

events {
    # Same event settings as section 1.1: per-worker connection cap, Linux
    # epoll (auto-selected anyway), accept all pending connections per wakeup
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {
    # Cache open file descriptors and metadata: up to 1000 entries, dropped
    # after 20 s without use, revalidated every 30 s, only for files opened
    # at least twice. Errors (e.g. missing files, 404) are cached too, so a
    # newly created file can be reported missing for up to 30 s.
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    server {
        listen 80;
        server_name performance.example.com;

        location / {
            root /var/www/html;
        }
    }
}

小结

通过这5篇文章的学习,你应该掌握了:

  1. 访问控制与限流: IP控制、时间控制、请求频率限制、连接数限制
  2. HTTP认证: 基本认证、客户端证书认证、多种认证方式组合
  3. 缓存配置: 代理缓存、静态文件缓存、条件缓存、缓存优化策略
  4. 压缩优化: Gzip压缩、Brotli压缩、预压缩文件、静态文件优化
  5. 连接优化: 连接池配置、缓冲区优化、工作进程调优、性能优化技巧

这些技术是构建高性能、高安全性Web服务的重要基础。

