https://linzeyan.github.io/categories/nginx/Recent content in Nginx on RickyHugo -- gohugo.ioenTue, 03 Feb 2026 09:41:12 +0800https://linzeyan.github.io/posts/2026/20260203-selectively_disabling_http_1/Tue, 03 Feb 2026 09:41:12 +0800https://linzeyan.github.io/posts/2026/20260203-selectively_disabling_http_1/<ul> <li><a href="https://markmcb.com/web/selectively_disabling_http_1/" target="_blank" rel="noopener">Selectively Disabling HTTP/1.0 and HTTP/1.1</a></li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">http</span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Check for text-based browsers </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#e6db74">map</span> $http_user_agent $is_text_browser { </span></span><span style="display:flex;"><span> <span style="color:#f92672">default</span> <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Text-Based Browsers (not exhaustive) </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">&#34;~*^w3m&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;~*^Links&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;~*^ELinks&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;~*^lynx&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Bots (not exhaustive) </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">&#34;~*Googlebot&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;~*bingbot&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;~*Yahoo!</span> <span style="color:#e6db74">Slurp&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;~*DuckDuckBot&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;~*YandexBot&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;~*Kagibot&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Check if request is HTTP/1.X </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">map</span> $server_protocol $is_http1 { </span></span><span style="display:flex;"><span> <span style="color:#f92672">default</span> <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;HTTP/1.0&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;HTTP/1.1&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># If Request is not text-based browser, </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e"># and is HTTP/1.X, set the http1_and_unknown variable </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e"># to 1, which is equivalent to &#34;true&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">map</span> <span style="color:#e6db74">&#34;</span>$is_http1:$is_text_browser&#34; $http1_and_unknown { </span></span><span style="display:flex;"><span> <span style="color:#f92672">default</span> <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;1:0&#34;</span> <span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">...</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">}</span> </span></span></code></pre></div>https://linzeyan.github.io/posts/2025/20251208-fail2ban/Mon, 08 Dec 2025 16:45:51 +0800https://linzeyan.github.io/posts/2025/20251208-fail2ban/<ul> <li><a href="https://tao.zz.ac/homelab/fail2ban.html" target="_blank" rel="noopener">Harden a Server with Fail2Ban + nftables</a></li> </ul>https://linzeyan.github.io/posts/2025/20251020-nginx-acme-module/Mon, 20 Oct 2025 16:31:00 +0800https://linzeyan.github.io/posts/2025/20251020-nginx-acme-module/<ul> <li><a href="https://sconts.com/post/nginx-native-acme-support/" target="_blank" rel="noopener">NGINX Native ACME Support: Rethinking TLS Automation from the Ground Up</a></li> </ul> <h2 id="ngx_http_acme_module"><code>ngx_http_acme_module</code></h2> <ul> <li>NGINX 1.25.1</li> </ul> <h2 id="pre-install">Pre-install</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Install build tools and NGINX dependencies on Debian/Ubuntu</span> </span></span><span style="display:flex;"><span>sudo apt update </span></span><span style="display:flex;"><span>sudo apt install build-essential libpcre3-dev zlib1g-dev libssl-dev pkg-config libclang-dev git -y </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Install the Rust toolchain (cargo and rustc)</span> </span></span><span style="display:flex;"><span>curl --proto <span style="color:#e6db74">&#39;=https&#39;</span> --tlsv1.2 -sSf https://sh.rustup.rs | sh </span></span><span style="display:flex;"><span>source $HOME/.cargo/env </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>mkdir -pv /app/nginx/<span style="color:#f92672">{</span>logs,conf,cache, acme<span style="color:#f92672">}</span> /app/nginx-build </span></span><span style="display:flex;"><span>cd /app/nginx-build </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Clone the ACME module source</span> </span></span><span style="display:flex;"><span>git clone https://github.com/nginx/nginx-acme.git /app/nginx-build/nginx-acme </span></span><span style="display:flex;"><span><span style="color:#75715e"># Or</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># git clone git@github.com:nginx/nginx-acme.git /app/nginx-build/nginx-acme</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Download the NGINX source (replace with the version you need)</span> </span></span><span style="display:flex;"><span>wget https://nginx.org/download/nginx-1.28.0.tar.gz </span></span><span style="display:flex;"><span>tar -zxf nginx-1.28.0.tar.gz </span></span></code></pre></div><h2 id="compile">Compile</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd nginx-1.28.0 </span></span><span style="display:flex;"><span>./configure <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --prefix<span style="color:#f92672">=</span>/app/nginx <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --error-log-path<span style="color:#f92672">=</span>/app/nginx/error.log <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-log-path<span style="color:#f92672">=</span>/app/nginx/access.log <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --pid-path<span style="color:#f92672">=</span>/app/nginx/nginx.pid <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --lock-path<span style="color:#f92672">=</span>/app/nginx/nginx.lock <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-client-body-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/client_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-proxy-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/proxy_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-fastcgi-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/fastcgi_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-uwsgi-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/uwsgi_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --http-scgi-temp-path<span style="color:#f92672">=</span>/app/nginx/cache/scgi_temp <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --user<span style="color:#f92672">=</span>nginx <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --group<span style="color:#f92672">=</span>nginx <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-compat <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-file-aio <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-threads <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_addition_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_auth_request_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_dav_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_flv_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_gunzip_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_gzip_static_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_mp4_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_random_index_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_realip_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_secure_link_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_slice_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_ssl_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_stub_status_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_sub_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_v2_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-http_v3_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-mail <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-mail_ssl_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream_realip_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream_ssl_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-stream_ssl_preread_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-cc-opt<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;-g -O2 -ffile-prefix-map=/home/builder/debuild/nginx-1.28.0/debian/debuild-base/nginx-1.28.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --with-ld-opt<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie&#39;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> --add-dynamic-module<span style="color:#f92672">=</span>/app/nginx-build/nginx-acme </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>make <span style="color:#f92672">&amp;&amp;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> make modules <span style="color:#f92672">&amp;&amp;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span> make install </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Run the configure script; the key is --add-dynamic-module</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Note: include all existing NGINX build flags; see nginx -V</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Build the module; note it is make modules, not make install</span> </span></span></code></pre></div><h2 id="config">Config</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e"># /app/nginx/conf/nginx.conf </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">user</span> <span style="color:#e6db74">nginx</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">error_log</span> <span style="color:#e6db74">error.log</span> <span style="color:#e6db74">debug</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">pid</span> <span style="color:#e6db74">nginx.pid</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">load_module</span> <span style="color:#e6db74">modules/ngx_http_acme_module.so</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">events</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">worker_connections</span> <span style="color:#ae81ff">1024</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">multi_accept</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">http</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">include</span> <span style="color:#e6db74">mime.types</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">default_type</span> <span style="color:#e6db74">application/octet-stream</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">log_format</span> <span style="color:#e6db74">main</span> <span style="color:#e6db74">&#39;</span>$remote_addr <span style="color:#e6db74">-</span> $remote_user <span style="color:#e6db74">[</span>$time_local] <span style="color:#e6db74">&#34;</span>$host&#34; <span style="color:#e6db74">&#34;</span>$request&#34; <span style="color:#e6db74">&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;</span>$status $body_bytes_sent <span style="color:#e6db74">&#34;</span>$http_referer&#34; <span style="color:#e6db74">&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;</span>$http_user_agent&#34; <span style="color:#e6db74">&#34;</span>$http_x_forwarded_for&#34;&#39;; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">access_log</span> <span style="color:#e6db74">access.log</span> <span style="color:#e6db74">main</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">sendfile</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">tcp_nopush</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">charset</span> <span style="color:#e6db74">utf-8</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">keepalive_timeout</span> <span style="color:#ae81ff">65</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">gzip</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">resolver</span> 8.8.8.8 1.1.1.1; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Define an ACME issuer instance named letsencrypt </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">acme_issuer</span> <span style="color:#e6db74">letsencrypt</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Set the ACME directory URL; this is Let&#39;s Encrypt production </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">uri</span> <span style="color:#e6db74">https://acme-v02.api.letsencrypt.org/directory</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Provide a contact email for CA notices (e.g., expiration) </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">contact</span> <span style="color:#e6db74">mailto:security-alerts@aidig.co</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># State file path for ACME account key material </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">state_path</span> <span style="color:#e6db74">acme/letsencrypt</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Accept the terms of service; required for Let&#39;s Encrypt </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">accept_terms_of_service</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Optional acme_shared_zone stores certs, keys, and challenges for issuers. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e"># Default size is 256K; increase as needed. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">acme_shared_zone</span> <span style="color:#e6db74">zone=acme_shared:1M</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">443</span> <span style="color:#e6db74">ssl</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">ssl.aidig.co</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Step 1: enable ACME for this server and select the letsencrypt issuer </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">acme_certificate</span> <span style="color:#e6db74">letsencrypt</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Step 2: use dynamic variables managed in memory by the ACME module </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_certificate</span> $acme_certificate; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_key</span> $acme_certificate_key; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_cache</span> <span style="color:#e6db74">max=2</span>; <span style="color:#75715e"># required ngx 1.27.4+ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">default_type</span> <span style="color:#e6db74">text/plain</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">200</span> <span style="color:#e6db74">&#39;OK&#39;</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">80</span> <span style="color:#e6db74">default_server</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">_</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># ACME handles /.well-known/acme-challenge/ automatically; this is for all other requests </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">301</span> <span style="color:#e6db74">https://</span>$host$request_uri; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div>https://linzeyan.github.io/posts/2025/20251002-hide-web/Thu, 02 Oct 2025 09:54:00 +0800https://linzeyan.github.io/posts/2025/20251002-hide-web/<ul> <li> <p><a href="https://tao.zz.ac/homelab/hide-web.html" target="_blank" rel="noopener">Reduce the Chance of Home Web Services Being Reported</a></p> </li> <li> <p>When a plaintext request hits an HTTPS service, Nginx returns a special 497 status code. If that happens, we want Nginx to close the connection and return no response. This requires another non-standard status code 444. Combining the two, add the following config in the server:</p> </li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">error_page</span> <span style="color:#ae81ff">497</span> <span style="color:#e6db74">@close</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">location</span> <span style="color:#e6db74">@close</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">444</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>Use the error_page directive to map 497 to the virtual path @close. When Nginx handles @close, it returns 444 and closes the connection.</p>https://linzeyan.github.io/posts/2024/20240615-if-is-evil/Sat, 15 Jun 2024 19:55:10 +0800https://linzeyan.github.io/posts/2024/20240615-if-is-evil/<ul> <li><a href="https://taoshu.in/nginx/if-is-evil.html" target="_blank" rel="noopener">Nginx if 避坑指南</a></li> <li><a href="https://archive.ph/hyEoc" target="_blank" rel="noopener">If is Evil&hellip; when used in location context</a></li> </ul> <p>if 指令由 rewrite 模块提供，显然它主要是用于 URL 重写领域。典型的 if 用法如下：</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">http</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">8080</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">if</span> <span style="color:#e6db74">(</span>$http_user_agent ~ <span style="color:#e6db74">MSIE)</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">rewrite</span> <span style="color:#e6db74">^(.*)</span>$ <span style="color:#e6db74">/msie/</span>$1 <span style="color:#e6db74">break</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">if</span> <span style="color:#e6db74">(</span>$request_method = <span style="color:#e6db74">POST)</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">405</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>上例中第一个 if 检查如果 user agent 字符串中包含 MSIE，就把 URL 重写为 /msie 开头的路径，这样就可以给微软的 IE 浏览器提供特供版本内容。</p> <p>第二个 if 检查当前请求的 HTTP 方法，如果是 POST 请求则直接返回 405 状态码。</p> <p>以上就是 if 最典型的用法，也是 Nginx 最初设想的用法～但很快就被用户玩坏了 😂</p> <p>天下苦静态配置久矣，Nginx 终于支持动态配置了 👏 这个 if 不就是 c 语言里的条件判断吗？大家玩起来 🎢</p>https://linzeyan.github.io/posts/2022/20220916-avoiding-top-10-nginx-configuration-mistakes/Fri, 16 Sep 2022 15:22:23 +0800https://linzeyan.github.io/posts/2022/20220916-avoiding-top-10-nginx-configuration-mistakes/<ul> <li><a href="https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/" target="_blank" rel="noopener">Avoiding the Top 10 NGINX Configuration Mistakes - NGINX</a></li> </ul> <h2 id="1-not-enough-file-descriptors-fds-per-worker">1) Not enough file descriptors (FDs) per worker</h2> <h3 id="whats-wrong">What&rsquo;s wrong</h3> <ul> <li><code>worker_connections</code> limits how many concurrent connections <strong>a single worker</strong> can hold (default 512).</li> <li>But each worker is also limited by the OS per-process <strong>file descriptor</strong> limit (often 1024 by default).</li> <li>Common mistake: increasing <code>worker_connections</code> but not raising the FD limit, causing early exhaustion.</li> </ul> <h3 id="fix">Fix</h3> <ul> <li>Set <code>worker_rlimit_nofile</code> in the <strong>main context</strong> to at least <strong>2×</strong> <code>worker_connections</code> (rule of thumb).</li> <li>Also validate the system-wide FD cap (<code>fs.file-max</code>) so that: <code>worker_rlimit_nofile * worker_processes</code> is well below <code>fs.file-max</code>.</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e"># main context </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">worker_connections</span> <span style="color:#ae81ff">1024</span>; <span style="color:#75715e"># inside events {} </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">worker_rlimit_nofile</span> <span style="color:#ae81ff">2048</span>; <span style="color:#75715e"># main context </span></span></span></code></pre></div><hr> <h2 id="2-the-error_log-off-directive-it-does-not-disable-error-logging">2) The <code>error_log off</code> directive (it does not disable error logging)</h2> <h3 id="whats-wrong-1">What&rsquo;s wrong</h3> <ul> <li>Unlike <code>access_log</code>, <code>error_log</code> does <strong>not</strong> accept an <code>off</code> parameter.</li> <li><code>error_log off;</code> creates a file literally named <code>off</code> (often under <code>/etc/nginx/</code>).</li> </ul> <h3 id="fix-generally-not-recommended">Fix (generally not recommended)</h3> <ul> <li>If you must suppress error logging due to storage constraints, send it to <code>/dev/null</code> and restrict severity:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e"># main context </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">error_log</span> <span style="color:#e6db74">/dev/null</span> <span style="color:#e6db74">emerg</span>; </span></span></code></pre></div><h3 id="note">Note</h3> <ul> <li>This only applies after NGINX reads and validates config; startup/reload may still log to the default location unless you start NGINX with <code>-e &lt;error_log_location&gt;</code>.</li> </ul> <hr> <h2 id="3-not-enabling-keepalive-connections-to-upstream-servers">3) Not enabling keepalive connections to upstream servers</h2> <h3 id="whats-wrong-2">What&rsquo;s wrong</h3> <ul> <li>Default behavior: NGINX opens a new upstream connection for each request.</li> <li>At high load this can consume resources and can exhaust ephemeral source ports due to TIME-WAIT, preventing new upstream connections.</li> </ul> <h3 id="fix-1">Fix</h3> <p><strong>(A) Add <code>keepalive</code> to each <code>upstream {}</code></strong></p>https://linzeyan.github.io/posts/2022/20220810-top-25-nginx-tips-and-tricks-from-practical-experience/Wed, 10 Aug 2022 12:27:28 +0800https://linzeyan.github.io/posts/2022/20220810-top-25-nginx-tips-and-tricks-from-practical-experience/<ul> <li> <p><a href="https://hackernoon.com/top-25-nginx-tips-and-tricks-from-practical-experience" target="_blank" rel="noopener">Top 25 Nginx Tips and Tricks From Practical Experience</a></p> </li> <li> <p><code>server_tokens off;</code></p> </li> <li> <p><code>ssl_protocols TLSv1.2 TLSv1.3;</code></p> </li> <li> <p>Disable any undesirable HTTP methods</p> </li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span> <span style="color:#66d9ef">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">limit_except</span> <span style="color:#e6db74">GET</span> <span style="color:#e6db74">HEAD</span> <span style="color:#e6db74">POST</span> { <span style="color:#f92672">deny</span> <span style="color:#e6db74">all</span>; } </span></span><span style="display:flex;"><span> } </span></span></code></pre></div><ul> <li>Enable sysctl based protection</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>net.ipv4.conf.all.rp_filter <span style="color:#f92672">=</span> <span style="color:#ae81ff">1</span> </span></span><span style="display:flex;"><span>net.ipv4.tcp_syncookies <span style="color:#f92672">=</span> <span style="color:#ae81ff">1</span> </span></span></code></pre></div><ul> <li>Stop image hotlinking</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">location</span> <span style="color:#e6db74">/images/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">valid_referers</span> <span style="color:#e6db74">none</span> <span style="color:#e6db74">blocked</span> <span style="color:#e6db74">www.domain.com</span> <span style="color:#e6db74">domain.com</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">if</span> <span style="color:#e6db74">(</span>$invalid_referer<span style="color:#e6db74">)</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">403</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><ul> <li><code>add_header X-Content-Type-Options nosniff;</code></li> <li><code>add_header X-XSS-Protection &quot;1; mode=block&quot;;</code></li> <li><code>add_header Strict-Transport-Security &quot;max-age=31536000; includeSubDomains; preload&quot; always;</code></li> <li></li> </ul>https://linzeyan.github.io/posts/2022/20220704-nginx-ab-testing/Mon, 04 Jul 2022 14:36:23 +0800https://linzeyan.github.io/posts/2022/20220704-nginx-ab-testing/<ul> <li><a href="https://u.sb/nginx-ab-testing/" target="_blank" rel="noopener">Simple A/B Testing with Nginx split_clients</a></li> </ul> <h5 id="ngx_"><a href="https://nginx.org/en/docs/http/ngx_http_split_clients_module.html" target="_blank" rel="noopener">ngx_http_split_clients_module</a></h5> <h5 id="configure">Configure</h5> <blockquote> <p>For example, suppose we want 20% of users to be redirected to <a href="https://example.com/" target="_blank" rel="noopener">https://example.com/</a>, 30% to <a href="https://example.org/" target="_blank" rel="noopener">https://example.org/</a>, and the rest to <a href="https://example.edu/" target="_blank" rel="noopener">https://example.edu/</a>.</p></blockquote> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">split_clients</span> <span style="color:#e6db74">&#34;</span>${remote_addr}AAA&#34; $variant { </span></span><span style="display:flex;"><span> <span style="color:#f92672">20%</span> <span style="color:#e6db74">https://example.com/</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">30%</span> <span style="color:#e6db74">https://example.org/</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">*</span> <span style="color:#e6db74">https://example.edu/</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">80</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#e6db74">[::]:80</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">_</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">302</span> ${variant}; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>In the example above, the visitor&rsquo;s IP address plus the string AAA is hashed with MurmurHash2 into a number. If the number falls in the first 20%, $variant is <a href="https://example.com/" target="_blank" rel="noopener">https://example.com/</a>. If it falls in the middle 30%, $variant is <a href="https://example.org/" target="_blank" rel="noopener">https://example.org/</a>. Otherwise it is <a href="https://example.edu/" target="_blank" rel="noopener">https://example.edu/</a>.</p>https://linzeyan.github.io/posts/2021/20211227-how-nginx-hide-upstream-errors/Mon, 27 Dec 2021 15:47:12 +0800https://linzeyan.github.io/posts/2021/20211227-how-nginx-hide-upstream-errors/<ul> <li><a href="https://russelltao.github.io/2021/02/22/nginx/Nginx%E6%80%8E%E6%A0%B7%E9%9A%90%E8%97%8F%E4%B8%8A%E6%B8%B8%E9%94%99%E8%AF%AF/#more" target="_blank" rel="noopener">How Nginx Hides Upstream Errors</a></li> </ul> <h5 id="nginx-allows-enabling-next-upstream-for-the-following-seven-retryable-error-codes">Nginx allows enabling next upstream for the following seven retryable error codes</h5> <ul> <li>403 Forbidden</li> <li>404 Not Found</li> <li>429 Too Many Requests</li> <li>500 Internal Server Error</li> <li>502 Bad Gateway</li> <li>503 Server Unavailable</li> <li>504 Gateway Timeout</li> </ul> <h5 id="when-upstream-returns-404-return-a-200-response-with-a-not-found-image">When upstream returns 404, return a 200 response with a not-found image</h5> <blockquote> <p>You can use <code>proxy_intercept_errors</code> to achieve this.\n&gt; When <code>proxy_intercept_errors</code> is enabled, requests with upstream response codes &gt;= 300 can be further handled via the error_page directive.</p>https://linzeyan.github.io/posts/2021/20211119-nginx/Fri, 19 Nov 2021 14:35:58 +0800https://linzeyan.github.io/posts/2021/20211119-nginx/<h1 id="record-nginx-configuration-file-and-explanation">Record Nginx configuration file and explanation.</h1> <h2 id="files-structure">files structure</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>. </span></span><span style="display:flex;"><span>├── geoip.conf </span></span><span style="display:flex;"><span>├── nginx.conf </span></span><span style="display:flex;"><span>├── sites-available </span></span><span style="display:flex;"><span>│ ├── default.conf </span></span><span style="display:flex;"><span>├── sites-enabled </span></span><span style="display:flex;"><span>│ ├── default.conf -&gt; ../sites-available/default.conf </span></span><span style="display:flex;"><span>├── upstream.conf </span></span></code></pre></div><h3 id="geoipconf">geoip.conf</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e">## module: ngx_http_geoip2_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## https://github.com/leev/ngx_http_geoip2_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## Read the GeoIP database and set variables </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">geoip2</span> <span style="color:#e6db74">/usr/share/GeoIP/GeoLite2-Country.mmdb</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">auto_reload</span> <span style="color:#ae81ff">60m</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">$geoip2_metadata_country_build</span> <span style="color:#e6db74">metadata</span> <span style="color:#e6db74">build_epoch</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Set $geoip2_data_country_code to the ISO 3116 country code for $remote_addr </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">$geoip2_data_country_code</span> <span style="color:#e6db74">source=</span>$remote_addr <span style="color:#e6db74">country</span> <span style="color:#e6db74">iso_code</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Set $geoip2_data_country_name to the corresponding English city name </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">$geoip2_data_country_name</span> <span style="color:#e6db74">country</span> <span style="color:#e6db74">names</span> <span style="color:#e6db74">en</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="upstreamconf">upstream.conf</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e">## module: ngx_http_upstream_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## Define server groups </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">upstream</span> <span style="color:#e6db74">to_nodejs1</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e">## server address [parameters]; define a server </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## parameters: </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## weight=number defines the weight, default is 1 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## max_fails=number sets max retries to the upstream server, default is 1 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## fail_timeout=time sets the time to stop sending requests to this upstream server after reaching max_fails, default is 10 seconds </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## backup marks this upstream server as a backup when others are unavailable </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## down marks this upstream server as unavailable </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">server</span> 10.7.0.12:<span style="color:#ae81ff">9000</span> <span style="color:#e6db74">max_fails=3</span> <span style="color:#e6db74">fail_timeout=5s</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> 10.7.0.12:<span style="color:#ae81ff">9001</span> <span style="color:#e6db74">max_fails=3</span> <span style="color:#e6db74">fail_timeout=5s</span> <span style="color:#e6db74">backup</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">upstream</span> <span style="color:#e6db74">to_nodejs2</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> 10.7.0.12:<span style="color:#ae81ff">9002</span> <span style="color:#e6db74">max_fails=3</span> <span style="color:#e6db74">fail_timeout=5s</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> 10.7.0.12:<span style="color:#ae81ff">9003</span> <span style="color:#e6db74">max_fails=3</span> <span style="color:#e6db74">fail_timeout=5s</span> <span style="color:#e6db74">backup</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">upstream</span> <span style="color:#e6db74">to_nodejs9005</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> 10.7.0.12:<span style="color:#ae81ff">9005</span> <span style="color:#e6db74">max_fails=3</span> <span style="color:#e6db74">fail_timeout=5s</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## module: ngx_http_map_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## map string $variable { ... } creates a new variable </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">map</span> $arg_agent $game_api { </span></span><span style="display:flex;"><span> <span style="color:#75715e">## $arg_agent is the agent value in the request (https://abc.com/?agent=123) </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## When agent=123, $game_api is to_nodejs95 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">123</span> <span style="color:#e6db74">to_nodejs95</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## If agent ends with 1, 2, 3, or 4, $game_api is to_nodejs1 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">~*1$</span> <span style="color:#e6db74">to_nodejs1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">~*2$</span> <span style="color:#e6db74">to_nodejs1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">~*3$</span> <span style="color:#e6db74">to_nodejs1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">~*4$</span> <span style="color:#e6db74">to_nodejs1</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## If agent does not match the rules above, $game_api defaults to to_nodejs2 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">default</span> <span style="color:#e6db74">to_nodejs2</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="defaultconf">default.conf</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e">## module: ngx_http_limit_req_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## Limit request handling </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## limit_req_zone key zone=name:size rate=rate [sync]; defines request limiting rules </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">limit_req_zone</span> $binary_remote_addr$server_name <span style="color:#e6db74">zone=websocket:10m</span> <span style="color:#e6db74">rate=1r/m</span>; </span></span><span style="display:flex;"><span><span style="color:#75715e">## limit_req_status code; sets HTTP status code for rejected connections, default is 503 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">limit_req_status</span> <span style="color:#ae81ff">502</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## Configure virtual host </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e">## listen port [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]]; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## Set the listen port, default is *:80 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## Below listens on port 80 and is the default virtual host </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">80</span> <span style="color:#e6db74">default_server</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## server_name name ...; set virtual host name, regex allowed, default is &#34;&#34; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">_</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">access_log</span> <span style="color:#e6db74">logs/default/default.log</span> <span style="color:#e6db74">json</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">error_log</span> <span style="color:#e6db74">logs/default/default.error.log</span> <span style="color:#e6db74">warn</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## module: ngx_http_access_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## allow address | CIDR | unix: | all; allow IP access </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">allow</span> 1.1.1.1; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## deny address | CIDR | unix: | all; deny IP access </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">deny</span> 12.34.56.78; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Set the root directory for requests </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">root</span> <span style="color:#e6db74">/usr/share/nginx/html</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## limit_req zone=name [burst=number] [nodelay | delay=number]; set request limiting zone </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">limit_req</span> <span style="color:#e6db74">zone=websocket</span> <span style="color:#e6db74">nodelay</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## limit_req_log_level info | notice | warn | error; set log level for rejected requests, default is error </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">limit_req_log_level</span> <span style="color:#e6db74">warn</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## location [ = | ~ | ~* | ^~ ] uri { ... } </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## location @name { ... } configure based on the request URI </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">default_type</span> <span style="color:#e6db74">application/json</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Return HTTP status code 200 with a string </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">200</span> <span style="color:#e6db74">&#39;</span>{<span style="color:#f92672">&#34;Code&#34;:</span> <span style="color:#e6db74">&#34;</span>$status&#34;, <span style="color:#e6db74">&#34;IP&#34;:</span> <span style="color:#e6db74">&#34;</span>$remote_addr&#34;}&#39;; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Below listens on port 443 and is the default virtual host; all connections use SSL </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">443</span> <span style="color:#e6db74">default_server</span> <span style="color:#e6db74">ssl</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">_</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">access_log</span> <span style="color:#e6db74">logs/default/default.log</span> <span style="color:#e6db74">json</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">error_log</span> <span style="color:#e6db74">logs/default/default.error.log</span> <span style="color:#e6db74">warn</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## module: ngx_http_ssl_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## Set the PEM-format certificate </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_certificate</span> <span style="color:#e6db74">/etc/ssl/hddv1.com.crt</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Set the PEM-format key </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_certificate_key</span> <span style="color:#e6db74">/etc/ssl/hddv1.com.key</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Set SSL versions, default is TLSv1 TLSv1.1 TLSv1.2 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_protocols</span> <span style="color:#e6db74">TLSv1.2</span> <span style="color:#e6db74">TLSv1.3</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Set enabled ciphers, default is HIGH:!aNULL:!MD5 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_ciphers</span> <span style="color:#e6db74">&#34;EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC2:!RC4:!aNULL:!eNULL:!LOW:!IDEA:!DES:!TDES:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!EXPORT:!ANON&#34;</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Specify the DH parameter file for DHE ciphers </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_dhparam</span> <span style="color:#e6db74">/etc/ssl/dhparams.pem</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Prefer server ciphers, default is off </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_prefer_server_ciphers</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## ssl_session_cache off | none | [builtin[:size]] [shared:name:size]; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## Set cache and size, default is none </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_session_cache</span> <span style="color:#e6db74">shared:SSL:1m</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Set session reuse time, default is 5 minutes </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_session_timeout</span> <span style="color:#ae81ff">5m</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">add_header</span> <span style="color:#e6db74">X-Frame-Options</span> <span style="color:#e6db74">&#34;SAMEORIGIN&#34;</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">add_header</span> <span style="color:#e6db74">X-XSS-Protection</span> <span style="color:#e6db74">&#34;1</span>; <span style="color:#f92672">mode=block&#34;</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">add_header</span> <span style="color:#e6db74">Strict-Transport-Security</span> <span style="color:#e6db74">&#34;max-age=31536000</span>; <span style="color:#f92672">includeSubdomains</span>; <span style="color:#f92672">preload&#34;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">root</span> <span style="color:#e6db74">/usr/share/nginx/html</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">limit_req</span> <span style="color:#e6db74">zone=websocket</span> <span style="color:#e6db74">nodelay</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">limit_req_log_level</span> <span style="color:#e6db74">warn</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">default_type</span> <span style="color:#e6db74">application/json</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">default_type</span> <span style="color:#e6db74">application/json</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">200</span> <span style="color:#e6db74">&#39;</span>{<span style="color:#f92672">&#34;Code&#34;:</span> <span style="color:#e6db74">&#34;</span>$status&#34;, <span style="color:#e6db74">&#34;IP&#34;:</span> <span style="color:#e6db74">&#34;</span>$remote_addr&#34;}&#39;; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="nginxconf">nginx.conf</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e">## module: ngx_core_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## worker_processes number | auto; number of Nginx worker processes, auto equals CPU count </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">worker_processes</span> <span style="color:#e6db74">auto</span>; </span></span><span style="display:flex;"><span><span style="color:#75715e">## worker_rlimit_nofile number; max open files for workers, default is system RLIMIT_NOFILE </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">worker_rlimit_nofile</span> <span style="color:#ae81ff">131072</span>; </span></span><span style="display:flex;"><span><span style="color:#75715e">## worker_shutdown_timeout time; shutdown timeout for reloads and related commands </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">worker_shutdown_timeout</span> <span style="color:#ae81ff">60</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## error_log file [level]; set error log path </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## debug, info, notice, warn, error, crit, alert, emerg </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">error_log</span> <span style="color:#e6db74">logs/error.log</span> <span style="color:#e6db74">warn</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## pid file; master process ID file location </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">pid</span> <span style="color:#e6db74">logs/nginx.pid</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## module: ngx_core_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## Connection handling </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">events</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e">## worker_connections number; max concurrent connections per worker, default is 512, must be less than worker_rlimit_nofile </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## max connections = worker_connections * worker_processes </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">worker_connections</span> <span style="color:#ae81ff">102400</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## accept_mutex on | off; default is off </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## When on, only one worker accepts new connections while others remain idle </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## When off, all workers wake up; one accepts, the rest go back to sleep </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## With TCP long connections and high traffic, off performs better for throughput and QPS </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">accept_mutex</span> <span style="color:#66d9ef">off</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## multi_accept on | off; accept all connections at once, default is off </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">multi_accept</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## module: ngx_http_core_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## HTTP server settings </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">http</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e">## module: ngx_core_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## include file | mask; include settings from file </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## Below sets MIME types, defined in the mime.type file </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">include</span> <span style="color:#e6db74">mime.types</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## default_type mime-type; default MIME type, default is text/plain </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">default_type</span> <span style="color:#e6db74">application/octet-stream</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## server_names_hash_max_size size; max size of the server_name hash table, default is 512k </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">server_names_hash_max_size</span> <span style="color:#ae81ff">2048</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Size of the server_name hash table for fast lookup, default depends on CPU L1 cache </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">server_names_hash_bucket_size</span> <span style="color:#ae81ff">256</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## server_tokens on | off | build | string; show Nginx version on error pages, default is on </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">server_tokens</span> <span style="color:#66d9ef">off</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Log 404 in the error log </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">log_not_found</span> <span style="color:#66d9ef">off</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Enable sendfile() for file transfer efficiency, default is off </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">sendfile</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Use full packets for file sending, default is off </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">tcp_nopush</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Send data as soon as possible, default is on </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">tcp_nodelay</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Set keepalive timeout seconds; Nginx closes after timeout, default is 75 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">keepalive_timeout</span> <span style="color:#ae81ff">70</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## client_max_body_size size; max allowed request body size </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">client_max_body_size</span> <span style="color:#e6db74">64M</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## module: ngx_http_gzip_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## Enable gzip compression, default is off </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">gzip</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Minimum Content-Length to gzip, default is 20 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">gzip_min_length</span> <span style="color:#ae81ff">1k</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Gzip buffer size, default is one memory page </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## gzip_buffers number size; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">gzip_buffers</span> <span style="color:#ae81ff">4</span> <span style="color:#ae81ff">32k</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Compression level, range 1-9, default is 1 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">gzip_comp_level</span> <span style="color:#ae81ff">7</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## MIME types to compress, default is text/html </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">gzip_types</span> <span style="color:#e6db74">text/plain</span> <span style="color:#e6db74">application/x-javascript</span> <span style="color:#e6db74">text/css</span> <span style="color:#e6db74">application/xml</span> <span style="color:#e6db74">text/javascript</span> <span style="color:#e6db74">application/x-httpd-php</span> <span style="color:#e6db74">application/json</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Add Vary: Accept-Encoding to HTTP response headers, default is off </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">gzip_vary</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Disable compression for specific User-Agent </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## Below disables IE 6 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">gzip_disable</span> <span style="color:#e6db74">&#34;MSIE</span> <span style="color:#e6db74">[1-6]\.&#34;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## resolver address ... [valid=time] [ipv6=on|off] [status_zone=zone]; use the specified DNS servers for server_name and upstreams </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">resolver</span> 114.114.114.114 8.8.8.8 1.1.1.1; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## module: ngx_http_headers_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## add_header name value [always]; add fields to HTTP response headers </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## Below allows CORS </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">add_header</span> <span style="color:#e6db74">Access-Control-Allow-Origin</span> <span style="color:#e6db74">*</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">add_header</span> <span style="color:#e6db74">Access-Control-Allow-Headers</span> <span style="color:#e6db74">DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">add_header</span> <span style="color:#e6db74">Access-Control-Allow-Methods</span> <span style="color:#e6db74">GET,POST,OPTIONS</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">add_header</span> <span style="color:#e6db74">Access-Control-Expose-Headers</span> <span style="color:#e6db74">&#39;WWW-Authenticate,Server-Authorization,User-Identity-Token&#39;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## module: ngx_http_realip_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## set_real_ip_from address | CIDR | unix:; set trusted proxy IPs such as reverse proxies </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">set_real_ip_from</span> 10.0.0.0<span style="color:#e6db74">/8</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">set_real_ip_from</span> 172.16.0.0<span style="color:#e6db74">/12</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">set_real_ip_from</span> 192.168.0.0<span style="color:#e6db74">/16</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## real_ip_header field | X-Real-IP | X-Forwarded-For | proxy_protocol; define which header provides client IP, default is X-Real-IP </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">real_ip_header</span> <span style="color:#e6db74">X-Forwarded-For</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## Use the last non-trusted IP or last IP in real_ip_header as the real IP, default is off </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">real_ip_recursive</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">## module: ngx_http_log_module </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## log_format name [escape=default|json|none] string ...; set log format </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">log_format</span> <span style="color:#e6db74">json</span> <span style="color:#e6db74">escape=json</span> <span style="color:#e6db74">&#39;</span>{<span style="color:#f92672">&#34;@timestamp&#34;:&#34;$time_iso8601&#34;,&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;@source&#34;:&#34;</span>$server_addr&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;ip&#34;:&#34;</span>$http_x_forwarded_for&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;client&#34;:&#34;</span>$remote_addr&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;request_method&#34;:&#34;</span>$request_method&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;scheme&#34;:&#34;</span>$scheme&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;domain&#34;:&#34;</span>$server_name&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;client_host&#34;:&#34;</span>$host&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;referer&#34;:&#34;</span>$http_referer&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;request&#34;:&#34;</span>$request_uri&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;args&#34;:&#34;</span>$args&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;sent_bytes&#34;:</span>$body_bytes_sent,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;status&#34;:</span>$status,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;responsetime&#34;:</span>$request_time,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;upstreamtime&#34;:&#34;</span>$upstream_response_time&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;upstreamaddr&#34;:&#34;</span>$upstream_addr&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;http_user_agent&#34;:&#34;</span>$http_user_agent&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;Country&#34;:&#34;</span>$geoip2_data_country_name&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;State&#34;:&#34;</span>$geoip2_data_state_name&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;City&#34;:&#34;</span>$geoip2_data_city_name&#34;,&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;https&#34;:&#34;</span>$https&#34;&#39; </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;</span><span style="color:#960050;background-color:#1e0010">}</span><span style="color:#e6db74">&#39;</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">log_format</span> <span style="color:#e6db74">main</span> <span style="color:#e6db74">&#39;</span>$remote_addr <span style="color:#e6db74">-</span> $remote_user <span style="color:#e6db74">[</span>$time_local] <span style="color:#e6db74">&#34;</span>$request&#34; <span style="color:#e6db74">&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;</span>$status $body_bytes_sent <span style="color:#e6db74">&#34;</span>$http_referer&#34; <span style="color:#e6db74">&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#39;&#34;</span>$http_user_agent&#34; <span style="color:#e6db74">&#34;</span>$http_x_forwarded_for&#34;&#39;; </span></span><span style="display:flex;"><span> <span style="color:#75715e">## access_log path [format [buffer=size] [gzip[=level]] [flush=time] [if=condition]]; set log path and format name </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">## access_log off; disable logging </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">access_log</span> <span style="color:#e6db74">logs/access.log</span> <span style="color:#e6db74">json</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div>https://linzeyan.github.io/posts/2021/20211009-nginx-worker-many-file-fix/Sat, 09 Oct 2021 11:51:06 +0800https://linzeyan.github.io/posts/2021/20211009-nginx-worker-many-file-fix/<ul> <li><a href="https://blog.longwin.com.tw/2011/05/nginx-worker-many-file-fix-2011/" target="_blank" rel="noopener">Fix Nginx 500 errors (too many open files, connection)</a></li> </ul> <p>Nginx 500 errors only show up in logs. Two common cases:</p> <h3 id="socket-failed-24-too-many-open-files-while-connecting-to-upstream">socket() failed (24: Too many open files) while connecting to upstream</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ sudo su - www-data </span></span><span style="display:flex;"><span>$ ulimit -n <span style="color:#75715e"># check current limit (ulimit -a shows all params)</span> </span></span><span style="display:flex;"><span><span style="color:#ae81ff">1024</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># vim /etc/security/limits.conf # set nofile (max number of open files)</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># add/modify the following two lines</span> </span></span><span style="display:flex;"><span>* soft nofile <span style="color:#ae81ff">655360</span> </span></span><span style="display:flex;"><span>* hard nofile <span style="color:#ae81ff">655360</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ulimit -n <span style="color:#75715e"># log out and log back in to see the new value</span> </span></span><span style="display:flex;"><span><span style="color:#ae81ff">655360</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># If ulimit -n is not 655360, run ulimit -n 655360 to force set it</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Then verify with ulimit -n or ulimit -Sn (soft) and ulimit -Hn (hard) (or ulimit -a).</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Calculate and set from system level</span> </span></span><span style="display:flex;"><span>lsof | wc -l <span style="color:#75715e"># count open files</span> </span></span><span style="display:flex;"><span>sudo vim /etc/sysctl.conf </span></span><span style="display:flex;"><span>fs.file-max <span style="color:#f92672">=</span> <span style="color:#ae81ff">3268890</span> </span></span><span style="display:flex;"><span>sudo sysctl -p </span></span></code></pre></div><h3 id="512-worker_connections-are-not-enough-while-connecting-to-upstream">512 worker_connections are not enough while connecting to upstream</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># /etc/nginx/nginx.conf</span> </span></span><span style="display:flex;"><span>worker_connections 10240; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Refer to Nginx CoreModule</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># worker_processes 2;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># worker_rlimit_nofile 10240;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># events {</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># # worker_connections 10240;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># }</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Increasing Nginx connections can slow down overall speed because php-cgi is not enough.</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Adjust as follows.</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># php-cgi was started with phpfcgid_children=&#34;10&#34; and phpfcgid_requests=&#34;500&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># ab was run on another server, connect via a switch using GBit ethernet</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># http://till.klampaeckel.de/blog/archives/30-PHP-performance-III-Running-nginx.html</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># vim /etc/nginx/nginx.conf</span> </span></span><span style="display:flex;"><span>worker_connections 10240; </span></span><span style="display:flex;"><span>worker_rlimit_nofile </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># vim /etc/init.d/php-fcgi</span> </span></span><span style="display:flex;"><span>PHP_FCGI_CHILDREN<span style="color:#f92672">=</span><span style="color:#ae81ff">15</span> </span></span><span style="display:flex;"><span>PHP_FCGI_MAX_REQUESTS<span style="color:#f92672">=</span><span style="color:#ae81ff">1000</span> </span></span><span style="display:flex;"><span>change to </span></span><span style="display:flex;"><span>PHP_FCGI_CHILDREN<span style="color:#f92672">=</span><span style="color:#ae81ff">512</span> <span style="color:#75715e"># or 150 and increase gradually, watch MySQL connections</span> </span></span><span style="display:flex;"><span>PHP_FCGI_MAX_REQUESTS<span style="color:#f92672">=</span><span style="color:#ae81ff">10240</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># The article&#39;s phpfcgid_stop() function is good and can be used if needed.</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># phpfcgid_stop() {</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># echo &#34;Stopping $name.&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># pids=`pgrep php-cgi`</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># pkill php-cgi</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># wait_for_pids $pids</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># }</span> </span></span></code></pre></div>https://linzeyan.github.io/posts/2021/20210514-105819628/Fri, 14 May 2021 16:04:04 +0800https://linzeyan.github.io/posts/2021/20210514-105819628/<ul> <li><a href="https://blog.csdn.net/zzhongcy/article/details/105819628" target="_blank" rel="noopener">Nginx request_time and upstream_response_time explained</a></li> </ul> <h3 id="time-definitions">Time definitions</h3> <p><strong>request_time</strong></p> <p>Time from the first byte of the client request to the completion of response data being sent. <code>$request_time</code> includes time to receive the request, time for the upstream to respond, and time to send the response (excluding log write time).</p> <p><strong>upstream_response_time</strong></p> <p>Time from Nginx establishing a connection to the upstream until all data is received and the connection is closed.</p> <p><strong>upstream_connect_time</strong></p> <p>Time to connect to the upstream server. If using an encrypted protocol, this includes handshake time.</p>https://linzeyan.github.io/posts/2021/20210426-nginx-x-frame-options/Mon, 26 Apr 2021 17:39:33 +0800https://linzeyan.github.io/posts/2021/20210426-nginx-x-frame-options/<ul> <li><a href="https://blog.whezh.com/nginx-x-frame-options/" target="_blank" rel="noopener">Bypass X-Frame-Options with Nginx</a></li> </ul> <p>The <code>X-Frame-Options</code> HTTP response header tells the browser whether a page can be displayed inside <code>&lt;frame&gt;</code>, <code>&lt;iframe&gt;</code>, <code>&lt;embed&gt;</code>, or <code>&lt;object&gt;</code>. Sites can prevent clickjacking by ensuring their pages are not embedded elsewhere. By using Nginx as a forward proxy, we can bypass <code>X-Frame-Options</code> and embed a third-party page in our own page.</p> <p><code>X-Frame-Options</code> has three possible values:</p> <ul> <li>deny: the page cannot be displayed in a frame, even on the same origin.</li> <li>sameorigin: the page can be displayed in a frame on the same origin.</li> <li>allow-from uri: the page can be displayed in a frame only from the specified origin.</li> </ul> <p>When Chrome tries to load frame content and <code>X-Frame-Options</code> denies it, the console shows an error like: <code>Refuse to display 'http://192.168.20.101:8080' in a frame because it set 'X-Frame-Options' to 'deny'.</code></p>https://linzeyan.github.io/posts/2021/20210423-configuring-jwt-authentication/Fri, 23 Apr 2021 11:13:34 +0800https://linzeyan.github.io/posts/2021/20210423-configuring-jwt-authentication/<ul> <li><a href="https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-jwt-authentication/" target="_blank" rel="noopener">Setting up JWT Authentication</a></li> <li><a href="https://segmentfault.com/a/1190000015677681" target="_blank" rel="noopener">Nginx 实现 JWT 验证-基于 OpenResty 实现</a></li> </ul>https://linzeyan.github.io/posts/2021/20210122-7d432c3c3d134cc3cb7e98b30a76c287/Fri, 22 Jan 2021 13:49:17 +0800https://linzeyan.github.io/posts/2021/20210122-7d432c3c3d134cc3cb7e98b30a76c287/<ul> <li><a href="https://gist.github.com/VirtuBox/7d432c3c3d134cc3cb7e98b30a76c287" target="_blank" rel="noopener">Nginx SSL/TLS configuration with TLSv1.2 and TLSv1.3 - ECDHE and strong ciphers suite (Openssl 1.1.1)</a></li> </ul> <h5 id="sslconf">ssl.conf</h5> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e">## </span></span></span><span style="display:flex;"><span><span style="color:#75715e"># SSL Settings (TLSv1.2 and TLSv1.3) </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">ssl_protocols</span> <span style="color:#e6db74">TLSv1.2</span> <span style="color:#e6db74">TLSv1.3</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_ciphers</span> <span style="color:#e6db74">&#39;TLS13+AESGCM+AES128:EECDH+AES128&#39;</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_prefer_server_ciphers</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_session_cache</span> <span style="color:#e6db74">shared:SSL:50m</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_session_timeout</span> <span style="color:#e6db74">1d</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_session_tickets</span> <span style="color:#66d9ef">off</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_ecdh_curve</span> <span style="color:#e6db74">X25519:sect571r1:secp521r1:secp384r1</span> </span></span></code></pre></div><h5 id="universal-sslconf">universal-ssl.conf</h5> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#75715e">## </span></span></span><span style="display:flex;"><span><span style="color:#75715e"># SSL Settings (TLSv1.0 + TLSv1.1 + TLSv1.2 + TLSv1.3) </span></span></span><span style="display:flex;"><span><span style="color:#75715e">## </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">ssl_protocols</span> <span style="color:#e6db74">TLSv1</span> <span style="color:#e6db74">TLSv1.1</span> <span style="color:#e6db74">TLSv1.2</span> <span style="color:#e6db74">TLSv1.3</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_ciphers</span> <span style="color:#e6db74">&#39;TLS13+AESG+AES128:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES25GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-R-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-S:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS&#39;</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_prefer_server_ciphers</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_session_cache</span> <span style="color:#e6db74">shared:SSL:50m</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_session_timeout</span> <span style="color:#e6db74">1d</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_session_tickets</span> <span style="color:#66d9ef">off</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">ssl_ecdh_curve</span> <span style="color:#e6db74">X25519:sect571r1:secp521r1:secp384r1</span>; </span></span></code></pre></div>https://linzeyan.github.io/posts/2020/20201027-nginx_geoip2/Tue, 27 Oct 2020 15:44:48 +0800https://linzeyan.github.io/posts/2020/20201027-nginx_geoip2/<ul> <li><a href="https://www.cnblogs.com/faberbeta/p/nginx_geoip2.html" target="_blank" rel="noopener">In 2020, the latest NGINX ngx_http_geoip2 module can precisely block IP access by country or region</a></li> <li><a href="https://www.cnblogs.com/baxiqiuxing/p/12376879.html" target="_blank" rel="noopener">Install GeoIP2 on CentOS 7 and route requests by IP country in nginx</a></li> </ul> <h5 id="install-geoip2-lib">Install geoip2 lib</h5> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd /usr/local/src </span></span><span style="display:flex;"><span>rm -f libmaxminddb-1.4.2.tar.gz </span></span><span style="display:flex;"><span>wget https://github.com/maxmind/libmaxminddb/releases/download/1.4.2/libmaxminddb-1.4.2.tar.gz </span></span><span style="display:flex;"><span>tar -xzf libmaxminddb-1.4.2.tar.gz </span></span><span style="display:flex;"><span>cd libmaxminddb-1.4.2 </span></span><span style="display:flex;"><span>yum install gcc gcc-c++ make -y </span></span><span style="display:flex;"><span>./configure </span></span><span style="display:flex;"><span>make </span></span><span style="display:flex;"><span>make check </span></span><span style="display:flex;"><span>sudo make install </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>echo <span style="color:#e6db74">&#39;/usr/local/lib&#39;</span> &gt; /etc/ld.so.conf.d/geoip.conf </span></span><span style="display:flex;"><span>sudo ldconfig </span></span></code></pre></div><h5 id="download-ngx_http_geoip2_module">Download ngx_http_geoip2_module</h5> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cd /usr/local/src </span></span><span style="display:flex;"><span>wget https://github.com/leev/ngx_http_geoip2_module/archive/3.3.tar.gz </span></span><span style="display:flex;"><span>tar -xzf 3.3.tar.gz </span></span><span style="display:flex;"><span>mv ngx_http_geoip2_module-3.3 ngx_http_geoip2_module </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># nginx集成</span> </span></span><span style="display:flex;"><span>cd /usr/local/src </span></span><span style="display:flex;"><span>wget http://nginx.org/download/nginx-1.16.1.tar.gz </span></span><span style="display:flex;"><span>tar -zxf nginx-1.16.1.tar.gz </span></span><span style="display:flex;"><span>cd nginx-1.16.1 </span></span><span style="display:flex;"><span>useradd -M -s /sbin/nologin www </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>yum install gcc gcc-c++ make pcre-devel zlib-devel openssl-devel -y </span></span><span style="display:flex;"><span>./configure --user<span style="color:#f92672">=</span>www --group<span style="color:#f92672">=</span>www --prefix<span style="color:#f92672">=</span>/usr/local/nginx <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span>--with-ld-opt<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;-Wl,-rpath -Wl,/usr/local/lib&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span>--with-http_sub_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span>--with-http_realip_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span>--with-http_gzip_static_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span>--with-http_ssl_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span>--with-http_v2_module <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span><span style="color:#ae81ff"></span>--add-module<span style="color:#f92672">=</span>/usr/local/src/ngx_http_geoip2_module </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>make </span></span><span style="display:flex;"><span>make install </span></span></code></pre></div><h5 id="download-geoip2-ip-database">Download geoip2 IP database</h5> <p>The latest GeoLite2-City.mmdb for 2020 cannot be downloaded directly. You must register a maxmind account.</p>https://linzeyan.github.io/posts/2020/20201017-38e044411a02530ec3481078fe2d81d8/Sat, 17 Oct 2020 12:31:02 +0800https://linzeyan.github.io/posts/2020/20201017-38e044411a02530ec3481078fe2d81d8/<ul> <li><a href="https://gist.github.com/dbrownidau/38e044411a02530ec3481078fe2d81d8" target="_blank" rel="noopener">Nginx HTTPS with Basic Auth reverse proxy for VMware ESXi 6.5 fixed VMRC /screen</a></li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">80</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">esxi.hackion.com</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">301</span> <span style="color:#e6db74">https://</span>$server_name$request_uri; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">443</span> <span style="color:#e6db74">ssl</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">esxi.hackion.com</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate</span> <span style="color:#e6db74">/mycert.crt</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_key</span> <span style="color:#e6db74">/mykey.key</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">auth_basic</span> <span style="color:#e6db74">&#34;Restricted</span> <span style="color:#e6db74">Content&#34;</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">auth_basic_user_file</span> <span style="color:#e6db74">/etc/nginx/.htpasswd</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Upgrade</span> $http_upgrade; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Forwarded-For</span> $proxy_add_x_forwarded_for; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Host</span> $host; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Real-IP</span> $remote_addr; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Origin</span> <span style="color:#e6db74">&#39;&#39;</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Authorization</span> <span style="color:#e6db74">&#39;&#39;</span>; <span style="color:#75715e">#Don&#39;t pass the Nginx Basic Auth to ESXi or it will break VMRC. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">proxy_pass_header</span> <span style="color:#e6db74">X-XSRF-TOKEN</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_pass</span> <span style="color:#e6db74">https://esxi_server</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_send_timeout</span> <span style="color:#ae81ff">300</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_read_timeout</span> <span style="color:#ae81ff">300</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">send_timeout</span> <span style="color:#ae81ff">300</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">client_max_body_size</span> <span style="color:#ae81ff">1000m</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># enables WS support </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">proxy_http_version</span> <span style="color:#ae81ff">1</span><span style="color:#e6db74">.1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Upgrade</span> $http_upgrade; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Connection</span> <span style="color:#e6db74">&#34;upgrade&#34;</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><hr> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">443</span> <span style="color:#e6db74">ssl</span> <span style="color:#e6db74">http2</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># ssl_certificate and ssl_certificate_key are required </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">ssl_certificate</span> <span style="color:#e6db74">/etc/letsencrypt/live/myletsencryptdomain/fullchain.pem</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_key</span> <span style="color:#e6db74">/etc/letsencrypt/live/myletsencryptdomain/privkey.pem</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">include</span> <span style="color:#e6db74">/etc/nginx/snippets/ssl-params.conf</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># removed DH params as my ssl-params.conf specifies to only use ECDHE key exchange. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">fqdn.extern</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Host</span> $http_host; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Real-IP</span> $remote_addr; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_ssl_verify</span> <span style="color:#66d9ef">off</span>; <span style="color:#75715e"># No need on isolated LAN </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">proxy_pass</span> <span style="color:#e6db74">https://vcenter.ip</span>; <span style="color:#75715e"># esxi IP Address </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_http_version</span> <span style="color:#ae81ff">1</span><span style="color:#e6db74">.1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Upgrade</span> $http_upgrade; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Connection</span> <span style="color:#e6db74">&#34;upgrade&#34;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_buffering</span> <span style="color:#66d9ef">off</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">client_max_body_size</span> <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_read_timeout</span> <span style="color:#e6db74">36000s</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_redirect</span> <span style="color:#e6db74">https://fqdn.local/</span> <span style="color:#e6db74">https://fqdn.extern/</span>; <span style="color:#75715e"># read comment below </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e"># replace vcenter-hostname with your actual vcenter&#39;s hostname, and esxi with your nginx&#39;s server_name. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/websso/SAML2</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Host</span> <span style="color:#e6db74">fqdn.local</span>; <span style="color:#75715e"># your actual vcenter&#39;s hostname </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Real-IP</span> $remote_addr; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_ssl_verify</span> <span style="color:#66d9ef">off</span>; <span style="color:#75715e"># No need on isolated LAN </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">proxy_pass</span> <span style="color:#e6db74">https://vcenter.ip</span>; <span style="color:#75715e"># esxi IP Address </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_http_version</span> <span style="color:#ae81ff">1</span><span style="color:#e6db74">.1</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Upgrade</span> $http_upgrade; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Connection</span> <span style="color:#e6db74">&#34;upgrade&#34;</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_buffering</span> <span style="color:#66d9ef">off</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">client_max_body_size</span> <span style="color:#ae81ff">0</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_read_timeout</span> <span style="color:#e6db74">36000s</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_ssl_session_reuse</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_redirect</span> <span style="color:#e6db74">https://fqdn.local/</span> <span style="color:#e6db74">https://fqdn.extern/</span>; <span style="color:#75715e"># read comment below </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e"># replace vcenter-hostname with your actual vcenter&#39;s hostname, and esxi with your nginx&#39;s server_name. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div>https://linzeyan.github.io/posts/2020/20200426-nginx_upstream_check_modue/Sun, 26 Apr 2020 20:05:37 +0800https://linzeyan.github.io/posts/2020/20200426-nginx_upstream_check_modue/<ul> <li><a href="https://www.cnblogs.com/dance-walter/p/12212607.html" target="_blank" rel="noopener">nginx 添加第三方 nginx_upstream_check_module 模块实现健康状态检测</a></li> <li><a href="https://github.com/yaoweibin/nginx_upstream_check_modue" target="_blank" rel="noopener">nginx_upstream_check_module Health check HTTP servers inside an upstream</a></li> </ul> <p><strong>nginx.conf</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span> <span style="color:#66d9ef">http</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">upstream</span> <span style="color:#e6db74">cluster</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e"># simple round-robin </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#f92672">server</span> 192.168.0.1:<span style="color:#ae81ff">80</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server</span> 192.168.0.2:<span style="color:#ae81ff">80</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">check</span> <span style="color:#e6db74">interval=5000</span> <span style="color:#e6db74">rise=1</span> <span style="color:#e6db74">fall=3</span> <span style="color:#e6db74">timeout=4000</span>; </span></span><span style="display:flex;"><span> <span style="color:#75715e">#check interval=3000 rise=2 fall=5 timeout=1000 type=ssl_hello; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">#check interval=3000 rise=2 fall=5 timeout=1000 type=http; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">#check_http_send &#34;HEAD / HTTP/1.0\r\n\r\n&#34;; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#75715e">#check_http_expect_alive http_2xx http_3xx; </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } </span></span><span style="display:flex;"><span><span style="color:#f92672">...</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span> <span style="color:#66d9ef">check</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">syntax:</span> <span style="color:#e6db74">*check</span> <span style="color:#e6db74">interval=milliseconds</span> <span style="color:#e6db74">[fall=count]</span> <span style="color:#e6db74">[rise=count]</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">[timeout=milliseconds]</span> <span style="color:#e6db74">[default_down=true|false]</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">[type=tcp|http|ssl_hello|mysql|ajp|fastcgi]*</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">默认配置：interval=3000</span> <span style="color:#e6db74">fall=5</span> <span style="color:#e6db74">rise=2</span> <span style="color:#e6db74">timeout=1000</span> <span style="color:#e6db74">default_down=true</span> <span style="color:#e6db74">type=tcp*</span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">...</span> </span></span></code></pre></div><ul> <li>interval： 检测间隔 3 秒</li> <li>fall: 连续检测失败次数 5 次时，认定 relaserver is down</li> <li>rise: 连续检测成功 2 次时，认定 relaserver is up</li> <li>timeout: 超时 1 秒</li> <li>default_down: 初始状态为 down,只有检测通过后才为 up</li> <li>type: 检测类型方式 tcp <ol> <li>tcp :tcp 套接字,不建议使用，后端业务未 100%启动完成,前端已经放开访问的情况</li> <li>ssl_hello： 发送 hello 报文并接收 relaserver 返回的 hello 报文</li> <li>http: 自定义发送一个请求，判断上游 relaserver 接收并处理</li> <li>mysql: 连接到 mysql 服务器，判断上游 relaserver 是否还存在</li> <li>ajp: 发送 AJP Cping 数据包，接收并解析 AJP Cpong 响应以诊断上游 relaserver 是否还存活(AJP tomcat 内置的一种协议)</li> <li>fastcgi: php 程序是否存活</li> </ol> </li> </ul> <p><strong>example</strong></p>https://linzeyan.github.io/posts/2019/20191220-nginx-defend-ddos/Fri, 20 Dec 2019 09:42:50 +0800https://linzeyan.github.io/posts/2019/20191220-nginx-defend-ddos/<ul> <li><a href="https://magiclen.org/nginx-defend-ddos/" target="_blank" rel="noopener">How Does Nginx Defend Against DDoS?</a></li> <li><a href="https://www.itread01.com/content/1547474225.html" target="_blank" rel="noopener">Nginx limit module for access rate and max concurrent connections (DDoS protection)</a></li> </ul> <h4 id="ngx_http_limit_req_module">ngx_http_limit_req_module</h4> <p><code>limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;</code></p>https://linzeyan.github.io/posts/2019/20191007-serve-webp-on-the-fly-with-nginx-and-mod_pagespeed/Mon, 07 Oct 2019 10:35:22 +0800https://linzeyan.github.io/posts/2019/20191007-serve-webp-on-the-fly-with-nginx-and-mod_pagespeed/<ul> <li><a href="https://nova.moe/serve-webp-on-the-fly-with-nginx-and-mod_pagespeed/" target="_blank" rel="noopener">Use Nginx and mod_pagespeed to Convert Images to WebP on the Fly</a></li> </ul> <h4 id="compile-ngx_pagespeed">Compile ngx_pagespeed</h4> <blockquote> <p>First make sure Nginx is built with <code>--with-compat</code>, so we do not need to rebuild Nginx from scratch.</p> <p>incubator: <a href="https://github.com/apache/incubator-pagespeed-ngx.git" target="_blank" rel="noopener">https://github.com/apache/incubator-pagespeed-ngx.git</a></p></blockquote> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#75715e"># Switch to the nginx source directory and configure the build</span> </span></span><span style="display:flex;"><span>./configure --with-compat --add-dynamic-module<span style="color:#f92672">=</span>../incubator-pagespeed-ngx </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Build modules</span> </span></span><span style="display:flex;"><span>make modules </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Copy the built module into the nginx modules directory</span> </span></span><span style="display:flex;"><span>sudo cp objs/ngx_pagespeed.so /etc/nginx/modules/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Create the cache directory for converted images</span> </span></span><span style="display:flex;"><span>sudo mkdir -p /var/ngx_pagespeed_cache </span></span><span style="display:flex;"><span>sudo chown -R www-data:www-data /var/ngx_pagespeed_cache </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">load_module</span> <span style="color:#e6db74">modules/ngx_pagespeed.so</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># enable pagespeed module on this server block </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">pagespeed</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Needs to exist and be writable by nginx. Use tmpfs for best performance. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">pagespeed</span> <span style="color:#e6db74">FileCachePath</span> <span style="color:#e6db74">/var/ngx_pagespeed_cache</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Ensure requests for pagespeed optimized resources go to the pagespeed handler </span></span></span><span style="display:flex;"><span><span style="color:#75715e"># and no extraneous headers get set. </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span><span style="color:#66d9ef">location</span> ~ <span style="color:#e6db74">&#34;\.pagespeed\.([a-z]\.)?[a-z]</span>{<span style="color:#f92672">2}\.[^.]{10}\.[^.]+&#34;</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">add_header</span> <span style="color:#e6db74">&#34;&#34;</span> <span style="color:#e6db74">&#34;&#34;</span>; </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#f92672">location</span> ~ <span style="color:#e6db74">&#34;^/pagespeed_static/&#34;</span> { } </span></span><span style="display:flex;"><span><span style="color:#f92672">location</span> ~ <span style="color:#e6db74">&#34;^/ngx_pagespeed_beacon$&#34;</span> { } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">pagespeed</span> <span style="color:#e6db74">RewriteLevel</span> <span style="color:#e6db74">CoreFilters</span>; </span></span></code></pre></div><p>The last line (<code>pagespeed RewriteLevel CoreFilters;</code>) specifies the enabled optimizations. It includes basic filters such as:</p>https://linzeyan.github.io/posts/2019/20190819-force-file-download-with-nginx/Mon, 19 Aug 2019 12:12:32 +0800https://linzeyan.github.io/posts/2019/20190819-force-file-download-with-nginx/<ul> <li><a href="https://coderwall.com/p/3yb8vg/force-file-download-with-nginx" target="_blank" rel="noopener">Force file download with Nginx</a></li> </ul> <p><code>add_header Content-Disposition 'attachment;';</code></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">80</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">my.domain.com</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> ~ <span style="color:#e6db74">^.*/(?P&lt;request_basename&gt;[^/]+\.(mp3))$</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">root</span> <span style="color:#e6db74">/path/to/mp3/</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">add_header</span> <span style="color:#e6db74">Content-Disposition</span> <span style="color:#e6db74">&#39;attachment</span>; <span style="color:#f92672">filename=&#34;$request_basename&#34;&#39;</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">{</span> </span></span><span style="display:flex;"><span> <span style="color:#e6db74">listen</span> <span style="color:#ae81ff">80</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">server_name</span> <span style="color:#e6db74">backup.baifu-tech.net</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">root</span> <span style="color:#e6db74">/data/backup/rechargecent-mago</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">auth_basic</span> <span style="color:#e6db74">&#34;baifu</span> <span style="color:#e6db74">backup</span> <span style="color:#e6db74">center&#34;</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">auth_basic_user_file</span> <span style="color:#e6db74">/etc/nginx/ssl/htpasswd</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">autoindex</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">autoindex_exact_size</span> <span style="color:#66d9ef">off</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">autoindex_localtime</span> <span style="color:#66d9ef">on</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span><span style="color:#66d9ef">}</span> </span></span></code></pre></div>https://linzeyan.github.io/posts/2019/20190307-nginx/Thu, 07 Mar 2019 14:05:55 +0800https://linzeyan.github.io/posts/2019/20190307-nginx/<ul> <li><a href="https://mp.weixin.qq.com/s/otQIhuLABU3omOLtRfJnZQ" target="_blank" rel="noopener">Do you understand the Nginx request processing flow?</a></li> </ul> <h3 id="11-processing-phases">11 processing phases</h3> <ol> <li>NGX_HTTP_POST_READ_PHASE:</li> </ol> <p>A phase after receiving the full HTTP headers. It is before URI rewrite. Very few modules register in this phase, and it is skipped by default.</p> <ol start="2"> <li>NGX_HTTP_SERVER_REWRITE_PHASE:</li> </ol> <p>The phase that modifies the URI before matching the location, used for redirects. This is where rewrite directives in the server block but outside location are executed. While reading request headers, nginx selects the virtual host by host and port.</p>https://linzeyan.github.io/posts/2018/20180724-milliseconds-server-time/Tue, 24 Jul 2018 18:31:42 +0800https://linzeyan.github.io/posts/2018/20180724-milliseconds-server-time/<p>Nginx access logs can record millisecond timestamps, but they are milliseconds since <code>EPOCH</code>, for example <code>1503544071.865</code>. Another variable, <code>$time_local</code>, records a second-level time format, for example <code>24/Aug/2017:11:07:51 +0800</code>. Under heavy traffic, we need a millisecond-precision format like <code>24/Aug/2017:11:07:51.865 +0800</code>. This can be done with Lua.</p> <p>First, define a variable named <code>time_millis</code> in nginx.conf and initialize it to empty. This is similar to providing a fallback self-signed certificate when using <code>auto-ssl</code>.</p>https://linzeyan.github.io/posts/2018/20180720-defend-against-ddos-with-nginx-iptable-and-fail2ban/Fri, 20 Jul 2018 18:47:42 +0800https://linzeyan.github.io/posts/2018/20180720-defend-against-ddos-with-nginx-iptable-and-fail2ban/<ul> <li><a href="https://blog.techbridge.cc/2016/08/12/defend-against-ddos-with-nginx-iptable-and-fail2ban/" target="_blank" rel="noopener">Fighting DDoS: nginx, iptables, and fail2ban</a></li> </ul>