生产NGINX配置手册

日志格式配置规范：

log_format access '$remote_addr - $remote_user [$time_local] "$server_name" "$request" '
     '$status $body_bytes_sent "$request_body" "$http_referer" '
     '"$http_user_agent" "$http_x_forwarded_for" '
     '$connection $upstream_addr '
     '$upstream_response_time $request_time ';

商业单向HTTPS配置规范：

server {
   listen       443;
   server_name  xxx.ejf123.com;
   ssl                  on;
   #请根据不同的根域名加载对应的商业证书
   ssl_certificate      /usr/local/nginx/ca/xxx/ejf123.com.crt;
   ssl_certificate_key  /usr/local/nginx/ca/xxx/ejf123.com.key;
   ssl_session_timeout  5m;
   ssl_protocols  TLSv1 TLSv1.1 TLSv1.2 ;
   ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHERSA-AES128-SHA:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
   ssl_prefer_server_ciphers   off;
   ssl_session_cache shared:SSL:10m;

私有双向HTTPS配置规范：

server {
    listen       443;
    server_name  xxx.ejf123.com;
    ssl                  on;
    #请根据不同的根域名加载对应的自制证书
    ssl_certificate      /usr/local/nginx/ca/xxx/ccbmngserver.crt;
    ssl_certificate_key  /usr/local/nginx/ca/xxx/ccbmngserver.key.unsecure;
    ssl_client_certificate /usr/local/nginx/ca/ccbmng/RongLianCA.crt;
    ssl_session_timeout  5m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHERSA-AES128-SHA:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS;
    ssl_prefer_server_ciphers   on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_verify_client on;

强制HTTPS调整配置规范：

1
2
3

if ( $request_uri ~ / ) {
   rewrite ^(.*) https://$server_name$1 redirect;
}

访问日志配置规范：

1 2	access_log /usr/local/nginx/logs/access/${二级域名}${顶级域名}_access.log access; error_log /usr/local/nginx/logs/error/${二级域名}${顶级域名}_error.log;

错误信息提示配置规范：

#请注意域名配置文件中根（location /）目录中root的配置路径，需要将40x、50x等错误提示页放置其中才可引用
    error_page      404 401 404 405 406 407 408 409 410 411 412 413 414 415 416 417 /400.html;
    error_page      500 501 502 503 504 505 /500.html;
    error_page      403 /403.html;

    location = /500.html {
        root   html;
    }
    location /RequestDenied{
        return 403;
    }
    location = /400.html {
        root   html;
    }
    location = /403.html {
        root   html;
    }

维护页配置示例：

	if ( $request_uri ~ /gjj ) {
       rewrite ^(.*) http://hall.xazfgjj.gov.cn/tongzhi.html break;
    }
    location = /tongzhi.html {
        root   html/xagjj;
    }
    location = /bg.png {
        root   html/xagjj;
    }

#根据url参数中包含appid=6468的请求，进行rewrite拦截跳转，?表示跳转后不接参数
    if ( $args ~ appid=6468 ) {
        rewrite ^ http://dlwx.ejf123.com/tongzhi.html? last;
    }
    location = /tongzhi.html {
        root   html/dlwx;
    }

if指令配置示例：

#判断如果请求为/jfpt_common/logon!toAdminlogon.action?appid=(6|2760|5117|251|7259)$结尾，则rewrite为：https://$server_name/jfpt_common_sw/jfpt_common/logon!toAdminlogon.action?appid=(6|2760|5117|251|7259)

    if ( $request_uri ~ /jfpt_common/logon!toAdminlogon.action\?appid=(6|2760|5117|251|7259)$ ) {
           rewrite ^/jfpt_common/(.*) https://$server_name/jfpt_common_sw/$1 redirect;
    }

#判断如果请求为/xxdkdf/login!toLogon.action，则rewrite为：https://$server_name/xxdkdf/login!toLogon.action

    if ( $request_uri ~ /xxdkdf/logon\!toLogon\.action ) {
           rewrite ^(.*) https://$server_name$1 redirect;
    }

#如果提交方法为POST，则返回状态405（Method not allowed）。return不能返回301,302

    if ($request_method = POST) {
        return 405;
    }

#如果URL请求为.(php|aspx|asp|txt|zip|tar|rar|gz|exe)结尾的访问，则返回状态403

    location ~* .*\.(php|aspx|asp|txt|zip|tar|rar|gz|exe)$ {
        return 403;
    }