On Arch Linux, the Nginx package puts all configuration into /etc/nginx/nginx.conf by default, so changing the settings of a single site can mean a lot of scrolling.
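Create the category directories
```sh
# Directory for global settings, e.g. the hash_size settings
sudo mkdir -p /etc/nginx/conf.d
# Directory for reusable snippets, e.g. wildcard certificate settings
sudo mkdir -p /etc/nginx/tmpl.d
# Directory for per-site configuration
sudo mkdir -p /etc/nginx/sites.d
```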
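Include the directories in the main configuration file
Edit /etc/nginx/nginx.conf
```nginx
# ... (existing top-level directives)

http {
    # ... (existing http directives)

    include conf.d/*.conf;
    include sites.d/*.conf;
}
```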
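Some useful configurations
conf.d/hash_size.conf
Without these settings, nginx -t prints a warning.
```nginx
types_hash_max_size 4096;
types_hash_bucket_size 64;
# 0 disables the request body size check entirely
client_max_body_size 0;
```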
conf.d/http_to_https.conf
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        return 301 https://$host$request_uri;
    }
}
```
tmpl.d/tls_example.com.conf
Reusable configuration for a wildcard domain
```nginx
ssl_certificate /usr/share/lego/certificates/_.example.com.crt;
ssl_certificate_key /usr/share/lego/certificates/_.example.com.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_dhparam /usr/share/lego/certificates/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
```
Generate the dhparam file:
```sh
sudo openssl dhparam -out /usr/share/lego/certificates/dhparam 2048
# DH parameters are public values, so a world-readable file is fine
sudo chmod 644 /usr/share/lego/certificates/dhparam
```
Usage:
```nginx
server {
    include tmpl.d/tls_example.com.conf;
}
```
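An added example, not part of the original post: the template sets HSTS with add_header at server level, and nginx inherits add_header from the enclosing level only when the current level defines none, so a location with its own add_header silently drops HSTS. This Python check flags such blocks in a site file; the function name hsts_shadowed and the sample site are constructed for illustration.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')  # words, quoted strings, { } ;
HSTS = "strict-transport-security"

def hsts_shadowed(conf_text):
    """Return headers of blocks whose own add_header drops the template's HSTS."""
    text = re.sub(r"(?m)#.*$", "", conf_text)   # strip comments (simplified)
    stack, findings, words = [], [], []
    for tok in TOKEN.findall(text):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            stack.append({"head": " ".join(words), "tls": False, "hdrs": [], "bad": []})
        elif tok == ";" and stack and words:
            blk = stack[-1]
            if words[0] == "include" and words[-1].startswith("tmpl.d/tls_"):
                blk["tls"] = True               # this block pulls in the TLS template
            elif words[0] == "add_header" and len(words) > 1:
                blk["hdrs"].append(words[1].strip("\"'").lower())
        elif tok == "}" and stack:
            blk = stack.pop()
            if blk["head"] == "server":
                findings.extend(blk["bad"] if blk["tls"] else [])
            else:
                # Own add_header without HSTS: nothing is inherited from above.
                if blk["hdrs"] and HSTS not in blk["hdrs"]:
                    blk["bad"].append(blk["head"])
                if stack:
                    stack[-1]["bad"].extend(blk["bad"])
        words = []
    return findings

# Constructed sample site file for sites.d/ (not from the original post).
SAMPLE_SITE = """
server {
    listen 443 ssl;
    location /static/ { add_header Cache-Control "public, max-age=3600"; }
    location /api/ {
        add_header X-Frame-Options DENY always;
        add_header Strict-Transport-Security "max-age=63072000" always;
    }
    include tmpl.d/tls_example.com.conf;
}
"""

if __name__ == "__main__":
    print(hsts_shadowed(SAMPLE_SITE))
```

A flagged block needs the Strict-Transport-Security line repeated next to its own add_header directives.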
Reverse proxying WebSocket
```nginx
location /ws/ {
    proxy_pass http://127.0.0.1:5090;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
}
```
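Redirecting http to https on the same port
```nginx
server {
    # The http2 listen parameter is deprecated since nginx 1.25.1 in favour of "http2 on;"
    listen 51443 http2 ssl;
    listen [::]:51443 http2 ssl;
    server_name _;

    # 497 is nginx's code for a plain HTTP request sent to the HTTPS port;
    # answer it with a 307 redirect to the https URL on the same port
    error_page 497 301 =307 https://$host:$server_port$request_uri;

    include tmpl.d/tls_example.com.conf;
}
```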