Nginx ("engine x") 是一个高性能的 HTTP 和 反向代理 服务器,也是一个 IMAP/POP3/SMTP 代理服务器。 Nginx 是由 Igor Sysoev 为俄罗斯访问量第二的 Rambler.ru 站点开发的,第一个公开版本0.1.0发布于2004年10月4日。其将源代码以类BSD许可证的形式发布,因它的稳定性、丰富的功能集、示例配置文件和低系统资源的消耗而闻名。
一、采用apt-get命令行方式安装
安装步骤如下(第1~4步安装的是编译工具和开发库,只有从源码编译 nginx 时才需要;直接用 apt-get 安装 nginx 软件包时可以跳过,服务器上也少装一些不必要的软件):
1.安装gcc g++的依赖库
sudo apt-get install build-essential
sudo apt-get install libtool
2.安装pcre依赖库
sudo apt-get update
sudo apt-get install libpcre3 libpcre3-dev
3.安装zlib依赖库
sudo apt-get install zlib1g-dev
4.安装ssl依赖库
sudo apt-get install openssl
5.安装nginx
sudo apt-get install nginx
二、配置代理服务器
内部http服务器端口为8080,websocket服务器端口为8081,通过以下配置后外部访问方式为:
https请求:https://www.example.com/xxxxx
websocket请求:wss://www.example.com/socket
在 nginx 配置目录下新建配置文件(sudo nano /etc/nginx/conf.d/example.conf),内容如下。保存后先用 sudo nginx -t 检查配置语法,确认无误再用 sudo nginx -s reload 重新加载:
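# Reverse proxy for www.example.com: terminates TLS and forwards ordinary
# requests to the backend on localhost:8080 and WebSocket traffic under
# /socket to localhost:8081.
server {
    # Both listeners live in this one server block, so port 80 serves the same
    # content in cleartext. If the site is meant to be HTTPS-only, the usual
    # arrangement is a separate port-80 server that only answers
    # `return 301 https://$host$request_uri;`.
    listen 80;                        # HTTP
    listen 443 ssl;                   # HTTPS (TLS)
    server_name www.example.com;      # public host name

    # Relative certificate paths are resolved against the nginx configuration
    # prefix. The private key should be readable by root only.
    ssl_certificate     example.crt;  # certificate (chain)
    ssl_certificate_key example.key;  # private key

    keepalive_timeout 70;             # client keep-alive timeout, in seconds

    # Hide the nginx version in the Server header and on error pages. This only
    # reduces fingerprinting; it does not replace keeping nginx patched.
    server_tokens off;

    # HSTS tells browsers to use HTTPS only for this site. Enable it only when
    # the whole site (and, with includeSubdomains, every subdomain) is reachable
    # over HTTPS, because browsers cache the policy for max-age seconds.
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    # Refuse SSLv3 / TLS 1.0 / TLS 1.1 explicitly instead of relying on the
    # build's default. TLSv1.3 needs nginx >= 1.13.0 built against
    # OpenSSL >= 1.1.1; drop that parameter on older installations.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only. The previous list also offered 3DES
    # (DES-CBC3-SHA), CAMELLIA, DSS, static-RSA key exchange and CBC/SHA-1
    # suites. ssl_ciphers does not affect the TLS 1.3 suites.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # Diffie-Hellman parameters for the DHE suites. The file must exist before
    # nginx starts; generate it once with:
    #   openssl dhparam -out /etc/nginx/dhparams.pem 2048
    ssl_dhparam /etc/nginx/dhparams.pem;

    # ......

    # fastcgi_param only affects fastcgi_pass locations (none are visible in
    # this block). Derive the values from the actual connection so that a
    # cleartext request on port 80 is not reported to the application as HTTPS.
    fastcgi_param HTTPS $https if_not_empty;
    fastcgi_param HTTP_SCHEME $scheme;

    # Relative log paths are resolved against the nginx prefix directory (see
    # `nginx -V`), not /etc/nginx; an absolute path is less surprising.
    access_log nginx-access.log;
    error_log nginx-error.log;

    location / {
        # NOTE(review): the backend on 8080 is assumed to listen on loopback
        # only; if it binds a public interface, clients can reach it directly
        # and bypass this proxy and its TLS - confirm.
        proxy_pass http://localhost:8080;   # internal HTTP server
        proxy_redirect off;

        # X-Real-IP is set by nginx from the TCP peer address.
        # $proxy_add_x_forwarded_for appends that address to whatever
        # X-Forwarded-For the client sent, so the backend should trust only the
        # last entry (or X-Real-IP), never the whole list.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the backend tell HTTPS requests from cleartext port-80 requests.
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade headers. "Connection: upgrade" is sent on every
        # request here, including ordinary HTTP requests; the nginx
        # documentation shows a `map $http_upgrade ...` block (http context)
        # for setting it only when the client asked for an upgrade.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Left disabled: proxy_set_header adds *request* headers for the
        # backend, whereas Access-Control-* are *response* headers (add_header).
        # Browsers also reject a "*" origin combined with credentials.
        #proxy_set_header Access-Control-Allow-Origin *;
        #proxy_set_header Access-Control-Allow-Credentials true;
    }

    # WebSocket endpoint (wss://www.example.com/socket)
    location /socket {
        # NOTE(review): same assumption as above - 8081 should not be
        # reachable from outside except through this proxy.
        proxy_pass http://localhost:8081;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}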