
Linux教程FG488-LinuxWeb服务实战

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

风哥提示:

本文档介绍Linux Web服务实战案例。

Part01-Nginx高性能配置

1.1 Nginx安装与优化

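# Install nginx from the distro repo and start it now and at boot.
# The page showed "–now" with an en dash (copy/paste artifact); systemctl only
# understands the ASCII "--now" form, so the original line would fail.
yum install -y nginx
systemctl enable nginx --now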

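# Write the tuned main nginx.conf.
# The page rendering had site watermarks spliced into three tokens of this
# file (the "main" log format name, the 192.168.1.22 backend address and the
# /etc/nginx/conf.d path); they are restored here.
cat > /etc/nginx/nginx.conf << 'EOF'
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;
pid /run/nginx.pid;

events {
    worker_connections 65535;
    use epoll;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'rt=$request_time uct="$upstream_connect_time" '
                    'uht="$upstream_header_time" urt="$upstream_response_time"';
    access_log /var/log/nginx/access.log main buffer=32k flush=5s;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # Gzip compression.
    # NOTE: compressing a TLS response that mixes a secret (CSRF token,
    # session id) with attacker-reflected input enables BREACH; leave gzip
    # off for such dynamic pages.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript
               application/rss+xml application/atom+xml image/svg+xml;
    gzip_min_length 1000;

    # Request buffers
    client_body_buffer_size 128k;
    client_max_body_size 50m;
    large_client_header_buffers 4 16k;

    # Open file descriptor cache
    open_file_cache max=65535 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # Backend pool; .22 only receives traffic when both primaries are down
    upstream fgedu_backend {
        least_conn;
        server 192.168.1.20:8080 weight=5;
        server 192.168.1.21:8080 weight=5;
        server 192.168.1.22:8080 weight=5 backup;
        keepalive 32;
    }

    include /etc/nginx/conf.d/*.conf;
}
EOF

# Virtual host: redirect plain HTTP to HTTPS, then serve the site over TLS.
cat > /etc/nginx/conf.d/fgedu.conf << 'EOF'
server {
    listen 80;
    server_name www.fgedu.net.cn fgedu.net.cn;
    # $server_name (not $host): a forged Host header cannot turn this into an
    # open redirect.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.fgedu.net.cn fgedu.net.cn;

    ssl_certificate /etc/nginx/ssl/fgedu.crt;
    ssl_certificate_key /etc/nginx/ssl/fgedu.key;   # keep this file root:root 0600
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers only governs TLS 1.2; the TLS 1.3 suites are fixed by OpenSSL.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers.
    # nginx does NOT inherit add_header into a location that declares its own
    # add_header, so every such location below repeats this set.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # The legacy XSS auditor has been removed from current browsers and its
    # filtering mode introduced side-channel bugs; "0" is the recommended
    # value today (the page originally sent "1; mode=block").
    add_header X-XSS-Protection "0" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Static files
    location /static/ {
        alias /var/www/fgedu/static/;
        expires 30d;
        add_header Cache-Control "public, immutable";
        # Re-declared here because the Cache-Control add_header above
        # switches off inheritance of the server-level headers.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "0" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }

    # API reverse proxy (the trailing slash on proxy_pass strips the /api/ prefix)
    location /api/ {
        proxy_pass http://fgedu_backend/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to any client-supplied X-Forwarded-For; the backend must
        # only trust the last (nginx-added) entry, never the first.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 32k;
    }

    # Health check.  default_type sets the Content-Type of the synthetic
    # response without an add_header, so the security headers above still
    # apply here (the original used add_header Content-Type, which also
    # produced a duplicate Content-Type header).
    location /health {
        access_log off;
        default_type text/plain;
        return 200 "OK\n";
    }

    # stub_status, restricted to loopback and the management LAN
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;
    }
}
EOF

# Validate, and only reload when the test passes.
# Expected output of nginx -t:
#   nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
#   nginx: configuration file /etc/nginx/nginx.conf test is successful
nginx -t && systemctl reload nginx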

Part02-负载均衡配置

2.1 多节点负载均衡

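# Load-balancing vhost for app.fgedu.net.cn.
# NOTE: this listener is plain HTTP; if the name is reachable from outside the
# LAN, terminate TLS here the same way fgedu.conf does.
cat > /etc/nginx/conf.d/loadbalance.conf << 'EOF'
upstream fgedu_app {
    least_conn;
    server 192.168.1.20:8080 weight=3 max_fails=3 fail_timeout=30s;
    server 192.168.1.21:8080 weight=3 max_fails=3 fail_timeout=30s;
    server 192.168.1.22:8080 weight=2 max_fails=3 fail_timeout=30s;
    keepalive 32;
    keepalive_requests 100;
    keepalive_timeout 60s;
}

server {
    listen 80;
    server_name app.fgedu.net.cn;

    location / {
        proxy_pass http://fgedu_app;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Same forwarding headers as the /api/ proxy in fgedu.conf; without
        # them the backend sees "Host: fgedu_app" and no client address.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 5s;
        proxy_send_timeout 10s;
        proxy_read_timeout 10s;
        # Failover to the next server on these errors.  nginx does not retry
        # non-idempotent methods (POST/PATCH/LOCK) unless "non_idempotent" is
        # added, so a timed-out POST is not silently replayed.
        proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
        proxy_next_upstream_tries 3;
    }
}
EOF

# Health-check listener.  The original routed $upstream_addr through an
# identity map ($upstream_custom); the variable is used directly here.
# Every hit opens a backend connection, so access is limited to loopback and
# the management LAN, like /nginx_status.
cat > /etc/nginx/conf.d/healthcheck.conf << 'EOF'
log_format health '$remote_addr - $upstream_addr - $upstream_status - $request_time';

server {
    listen 8080;

    location /check {
        access_log /var/log/nginx/health.log health;
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;
        proxy_pass http://fgedu_app/health;
    }
}
EOF

# Monitoring script.  The page's rendering had the sample nginx_status output
# pasted inside the script body; it is kept below as a comment only.
cat > /usr/local/bin/nginx-monitor.sh << 'EOF'
#!/bin/bash
# nginx-monitor.sh -- print a short nginx + backend health report
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
set -u

ACCESS_LOG=/var/log/nginx/access.log
BACKENDS=(192.168.1.20 192.168.1.21 192.168.1.22)

echo "=== Nginx监控报告 ==="
echo "监控时间: $(date)"
echo ""

echo "1. 连接状态"
echo "----------------------------------------"
# NOTE(review): assumes a /nginx_status location on the plain-HTTP server that
# answers for "Host: localhost"; fgedu.conf only defines one on port 443.
curl -s --max-time 5 http://localhost/nginx_status
# Example output:
#   Active connections: 150
#   server accepts handled requests
#    5000 5000 10000
#   Reading: 0 Writing: 10 Waiting: 140
echo ""

echo "2. 后端服务器状态"
echo "----------------------------------------"
for server in "${BACKENDS[@]}"; do
  status=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 2 "http://${server}:8080/health")
  if [ "$status" = "200" ]; then
    echo "$server: 正常 ($status)"
  else
    echo "$server: 异常 ($status)"
  fi
done
echo ""

echo "3. 访问统计"
echo "----------------------------------------"
# LC_ALL=C: nginx writes English month abbreviations regardless of locale, so
# the date must be rendered the same way or the match is empty.
today=$(LC_ALL=C date +%d/%b/%Y)
# Field layout follows the "main" log_format in nginx.conf: $4 is
# "[dd/Mon/yyyy:HH:MM:SS" and $9 is $status.  Testing the status field avoids
# the false positives of grepping " 5xx " anywhere in the line (a 512-byte
# body size matched the original pattern).
awk -v day="$today" '
  index($4, "[" day) == 1 {
    total++
    if ($9 ~ /^5[0-9][0-9]$/) errors++
  }
  END {
    printf "今日请求量: %d\n", total + 0
    printf "今日错误数: %d\n", errors + 0
  }
' "$ACCESS_LOG"
echo ""
echo "=== 监控完成 ==="
EOF
chmod +x /usr/local/bin/nginx-monitor.sh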

Part03-缓存配置

3.1 Nginx缓存优化

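# Proxy cache for cache.fgedu.net.cn.
# NOTE: proxy_cache_purge is provided by the third-party ngx_cache_purge
# module; the stock yum nginx does not ship it and "nginx -t" fails without it.
cat > /etc/nginx/conf.d/cache.conf << 'EOF'
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=fgedu_cache:100m
                 max_size=10g inactive=60m use_temp_path=off;

# Strip the /purge prefix so a request for /purge/foo?x=1 targets the entry
# that the GET stored under $request_uri = /foo?x=1.
map $request_uri $purge_uri {
    default "";
    "~^/purge(?<rest>/.*)$" $rest;
}

server {
    listen 80;
    server_name cache.fgedu.net.cn;

    location / {
        proxy_pass http://fgedu_backend;
        proxy_cache fgedu_cache;
        # Keyed by URL only -- suitable for anonymous, public content.
        # Upstream Cache-Control/Expires/Set-Cookie still override these
        # lifetimes because proxy_ignore_headers is not set.
        proxy_cache_valid 200 302 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_key $scheme$request_method$host$request_uri;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;
        add_header X-Cache-Status $upstream_cache_status;
        add_header X-Cache-Key $scheme$request_method$host$request_uri;
    }

    # Purge endpoint, restricted to loopback and the management LAN.
    # The key uses a literal "GET" and the stripped URI: the original built it
    # from $request_method and $request_uri, so a PURGE of /purge/foo computed
    # "httpPURGEcache.fgedu.net.cn/purge/foo", which never matches a cached
    # entry.
    location /purge/ {
        allow 127.0.0.1;
        allow 192.168.1.0/24;
        deny all;
        proxy_cache_purge fgedu_cache "${scheme}GET${host}${purge_uri}";
    }
}
EOF

# Cache management script.
# The page's rendering replaced the shell quotes around the usage text and the
# curl argument with typographic quotes and dropped the "<URL>" placeholder;
# as printed, the "|" characters inside the usage string were parsed as pipes.
cat > /usr/local/bin/cache-manage.sh << 'EOF'
#!/bin/bash
# cache-manage.sh -- inspect, clear or selectively purge the nginx proxy cache
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
set -u

CACHE_DIR="/var/cache/nginx"

case "${1:-}" in
  status)
    echo "缓存目录大小:"
    du -sh -- "$CACHE_DIR"
    echo ""
    echo "缓存文件数量:"
    find "$CACHE_DIR" -type f | wc -l
    ;;
  clear)
    echo "清理缓存..."
    # ":?" aborts if CACHE_DIR is ever empty, so this can never expand to rm -rf /*
    rm -rf -- "${CACHE_DIR:?}"/*
    # NOTE(review): the reload only re-reads the configuration; the keys_zone
    # in shared memory is not cleared, nginx treats the deleted entries as
    # misses on next access.
    nginx -s reload
    echo "缓存已清理"
    ;;
  purge)
    # $2 is the full purge URL, e.g. http://cache.fgedu.net.cn/purge/some/path
    if [ -z "${2:-}" ]; then
      echo "用法: $0 purge <URL>"
      exit 1
    fi
    curl -X PURGE "$2"
    ;;
  *)
    echo "用法: $0 {status|clear|purge <URL>}"
    ;;
esac
EOF

chmod +x /usr/local/bin/cache-manage.sh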

# Report the cache footprint; sample output follows as comments.
/usr/local/bin/cache-manage.sh status
#   缓存目录大小:
#   2.5G /var/cache/nginx
#
#   缓存文件数量:
#   15000

Part04-安全配置

4.1 Web安全加固

# 配置安全限制
[root@fgedu-web ~]# cat > /etc/nginx/conf.d/security.conf << 'EOF' # 限制请求速率 limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s; limit_conn_zone $binary_remote_addr zone=conn_limit:10m; # 封禁恶意IP geo $blocked_ip { default 0; 10.0.0.0/8 1; 172.16.0.0/12 1; 192.168.0.0/16 0; } server { listen 80 default_server; server_name _; # 封禁IP if ($blocked_ip) { return 403; } # 限制请求 limit_req zone=req_limit burst=20 nodelay; limit_conn conn_limit 10; # 禁止敏感文件访问 location ~* \.(git|svn|htaccess|htpasswd|env|config)$ { deny all; } # 禁止敏感目录 location ~* ^/(admin|backup|config|data|logs|tmp)/ { deny all; } # 防止目录遍历 location ~* \.\. { deny all; } # 防止SQL注入 if ($request_uri ~* "(union|select|insert|delete|update|drop|script|alert|eval)") { return 403; } # 防止XSS if ($args ~* "