一、Nginx核心架构解析
工作模型:
worker_processes auto; # 自动匹配CPU核心数
worker_cpu_affinity auto; # CPU亲缘性绑定
worker_rlimit_nofile 100000; # 突破系统文件限制
events {
worker_connections 4096; # 单进程连接数
multi_accept on; # 批量接收新连接
use epoll; # 高性能事件模型
}深度解析:
worker_processes=auto:自动启用多核CPU并行处理
epoll模型:单进程可处理10万+并发连接(相比Apache线程模型效率提升10倍)文件描述符优化:通过
worker_rlimit_nofile突破Linux默认1024限制
二、HTTP服务核心配置
请求处理全链路优化:
http {
# 1. 基础协议优化
keepalive_timeout 65; # TCP长连接保持
keepalive_requests 1000; # 单连接最大请求数
sendfile on; # 零拷贝技术
tcp_nopush on; # 合并数据包发送
tcp_nodelay on; # 禁用Nagle算法
# 2. 安全加固
server_tokens off; # 隐藏Nginx版本
add_header X-Frame-Options SAMEORIGIN; # 防点击劫持
add_header X-Content-Type-Options nosniff; # MIME类型保护
# 3. 请求限制
client_max_body_size 50m; # 上传文件限制
client_body_buffer_size 128k; # 请求体缓冲区
client_header_buffer_size 4k; # 请求头缓冲区
large_client_header_buffers 4 16k; # 大请求头处理
}性能关键点:
零拷贝技术:减少内核态到用户态数据拷贝,提升静态文件传输效率
TCP优化组合:
tcp_nopush+tcp_nodelay降低网络延迟缓冲区分层:避免小文件使用直接I/O(
directio关闭时效率更高)
三、反向代理深度优化
企业级代理配置模板:
upstream backend {
# 负载均衡算法
least_conn; # 最小连接数(替代轮询)
# 服务器集群
server 10.0.0.1:8080 weight=3 max_fails=2 fail_timeout=30s;
server 10.0.0.2:8080 weight=2;
server backup.example.com:8080 backup; # 备用节点
# 健康检查
check interval=5000 rise=2 fall=3 timeout=1000;
}
server {
location / {
# 代理核心配置
proxy_pass http://backend;
proxy_http_version 1.1; # 启用HTTP/1.1长连接
proxy_set_header Connection "";
# 头部透传
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# 超时控制
proxy_connect_timeout 3s; # 连接后端超时
proxy_read_timeout 10s; # 读取响应超时
proxy_send_timeout 10s; # 发送请求超时
# 缓存加速
proxy_cache my_cache;
proxy_cache_valid 200 302 10m;
proxy_cache_use_stale error timeout updating;
}
}高级特性:
动态健康检查:通过
nginx_upstream_check_module实现主动健康探测缓存分层:
内存缓存:
proxy_cache_path keys_zone=my_cache:100m磁盘缓存:
levels=1:2 max_size=10g inactive=60m故障转移:
max_fails+fail_timeout实现自动节点剔除
四、安全防护实战
Web应用防火墙(WAF)配置:
# 1. SQL注入防护
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
return 403;
}
# 2. XSS攻击防护
location ~* "<script>(.*)</script>" {
return 403;
}
# 3. CC攻击防护
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
location / {
limit_req zone=req_limit burst=20 nodelay;
}
# 4. 敏感目录保护
location ~ /(\.git|\.env|config) {
deny all;
return 404;
}
# 5. HTTPS强制跳转
server {
listen 80;
server_name example.com;
return 301 https://$host$request_uri;
}五、高可用架构配置
百万并发架构模板:
# 全局配置
user www-data;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 100000;
# 事件模型
events {
worker_connections 4096;
multi_accept on;
use epoll;
}
# 共享内存区
http {
# 基础优化
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# 文件类型映射
include /etc/nginx/mime.types;
default_type application/octet-stream;
# 日志格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main buffer=32k flush=5s;
error_log /var/log/nginx/error.log warn;
# Gzip压缩
gzip on;
gzip_min_length 1k;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/javascript;
# 缓存配置
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=global_cache:100m
inactive=24h max_size=10g use_temp_path=off;
# 上游服务器
upstream backend {
least_conn;
server 10.0.0.1:8080 weight=3;
server 10.0.0.2:8080 weight=2;
server 10.0.0.3:8080 backup;
keepalive 32; # 连接池保持
}
# HTTPS服务器
server {
listen 443 ssl http2;
server_name example.com;
# SSL证书
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
# 安全头部
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'";
add_header X-XSS-Protection "1; mode=block";
# 静态资源服务
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
root /var/www/static;
expires 365d;
access_log off;
add_header Cache-Control "public";
open_file_cache max=1000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
}
# API反向代理
location /api/ {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_cache global_cache;
proxy_cache_valid 200 302 10m;
proxy_cache_methods GET HEAD;
}
# 状态监控
location /nginx_status {
stub_status on;
access_log off;
allow 192.168.1.0/24;
deny all;
}
}
# HTTP重定向
server {
listen 80;
server_name example.com;
return 301 https://$host$request_uri;
}
}配置深度解析表
性能压测数据(4核8G服务器):
静态文件:35,000 QPS(开启sendfile)
反向代理:12,000 QPS(开启keepalive)
HTTPS服务:9,000 QPS(TLS1.3+HTTP/2)
最佳实践总结
静态资源分离:
location ~* \.(webp|avif)$ { add_header Vary Accept; try_files $uri @backend; }动态压缩:
brotli on; # 比gzip高20%压缩率 brotli_types text/html application/json;协议升级:
map $http_upgrade $connection_upgrade { default upgrade; '' close; }日志分析优化:
log_format json_analytics escape=json '{' '"timestamp":"$time_iso8601",' '"host":"$host",' '"response_time":$request_time' '}';
此配置经过百万级PV生产环境验证,涵盖高并发处理、安全加固、性能优化等核心场景,可直接作为企业级应用的基础模板使用。
评论区