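Every configuration in this article has been verified in production. The formatting works with the vast majority of website CMS systems and survives copy and paste without layout damage. The content is kept short and focused on the core operations, so beginners can apply it directly.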
1. One-step production installation
CentOS / RHEL / Alibaba Cloud Linux
```bash
yum install -y yum-utils epel-release
yum-config-manager --add-repo https://nginx.org/packages/centos/nginx.repo
yum install -y nginx
systemctl enable --now nginx
nginx -v
```
Ubuntu / Debian
```bash
apt update && apt install -y curl gnupg2 ca-certificates lsb-release
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | tee /etc/apt/sources.list.d/nginx.list
apt update && apt install -y nginx
systemctl enable --now nginx
nginx -v
```
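Key directories
- Main configuration file: /etc/nginx/nginx.conf
- Site configuration directory: /etc/nginx/conf.d/ (put all application configs here; files with the .conf suffix are loaded automatically)
- Log directory: /var/log/nginx/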
2. Standard reverse proxy configuration
Create /etc/nginx/conf.d/your-domain.conf, change the domain name and backend address, then copy it in as is.
```nginx
server {
    listen 80;
    server_name example.com www.example.com; # Replace with your domain

    # Core reverse proxy
    location / {
        proxy_pass http://127.0.0.1:8080; # Replace with your backend service address
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 30s;
        proxy_read_timeout 60s;
        proxy_buffering off;
    }

    # Serve static assets separately
    # The dot is escaped so only real file extensions match
    location ~* \.(jpg|png|css|js|ico)$ {
        root /usr/share/nginx/html/static;
        expires 30d;
        access_log off;
    }
}
```
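Key pitfall to avoid
90% of 404 errors come from the path configuration of proxy_pass. Remember two rules:
- Address without a trailing /: the request path is forwarded unchanged, e.g. `proxy_pass http://127.0.0.1:8080;`
- Address with a trailing /: the matched path prefix is replaced, e.g. `location /api/` + `proxy_pass http://127.0.0.1:8080/;` forwards /api/xxx as /xxx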
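The two rules above can be checked before touching a live server. The following is an added example, not part of the original article: a simplified Python model of how nginx builds the upstream URI for a prefix `location`. The function name `upstream_uri` and the sample cases are hypothetical, and the model assumes no `rewrite` directives, no variables in `proxy_pass`, and an already normalized request path.

```python
from urllib.parse import urlsplit


def upstream_uri(location_prefix: str, proxy_pass: str, request_uri: str) -> str:
    """Return the URI nginx sends upstream for a prefix location.

    Simplified model (assumption): no rewrite directives, no variables in
    proxy_pass, and the request path is already normalized.
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location_prefix):
        raise ValueError(f"{path!r} is not matched by location {location_prefix!r}")

    replacement = urlsplit(proxy_pass).path  # "" when proxy_pass has no URI part
    if replacement == "":
        # Rule 1: no URI part, so the request URI is forwarded unchanged.
        return request_uri
    # Rule 2: the matched location prefix is replaced by the proxy_pass URI.
    return replacement + path[len(location_prefix):] + sep + query


# Constructed cases: (location, proxy_pass, client request)
CASES = [
    ("/api/", "http://127.0.0.1:8080", "/api/xxx"),
    ("/api/", "http://127.0.0.1:8080/", "/api/xxx"),
    ("/api", "http://127.0.0.1:8080/", "/api/xxx?a=1"),   # mismatched slashes
    ("/api/", "http://127.0.0.1:8080/v1/", "/api/users?id=7"),
]

if __name__ == "__main__":
    for loc, target, req in CASES:
        print(f"location {loc:6} proxy_pass {target:27} {req:18} -> "
              f"{upstream_uri(loc, target, req)}")
```

The third case shows the common mismatch: `location /api` without a trailing slash combined with `proxy_pass .../` produces a double slash (`//xxx`) upstream, so keep the slashes on both sides consistent.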
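3. Core load balancing configuration
Step 1: Define the backend cluster
Inside the http block of /etc/nginx/nginx.conf, add the following:
```nginx
http {
    # Keep the existing default settings and add the following
    upstream backend_api {
        # Weighted round robin: the higher the weight, the more requests a server receives
        server 10.0.0.10:8080 weight=5 max_fails=3 fail_timeout=30s;
        server 10.0.0.11:8080 weight=5 max_fails=3 fail_timeout=30s;
        # Backup node: enabled automatically when all primary nodes have failed
        server 10.0.0.12:8080 backup;
        # Keepalive connections to the upstream, essential under high concurrency
        keepalive 64;
    }
    include /etc/nginx/conf.d/*.conf;
}
```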
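Step 2: Proxy to the cluster
Edit the site configuration file and point proxy_pass at the cluster name:
```nginx
server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://backend_api; # Matches the cluster name defined above
        # Reuse the request headers and timeout settings from the reverse proxy section
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # HTTP/1.1 and an empty Connection header are needed for upstream keepalive
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
```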
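Three common scheduling strategies
- Default round robin: no extra configuration; requests are distributed in order
- IP hash: the same client IP always reaches the same instance, which suits session persistence; add the line `ip_hash;` inside `upstream`
- Least connections: requests go first to the instance with the fewest connections; add the line `least_conn;` inside `upstream`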
4. Lean production-grade HTTPS configuration
```nginx
# Redirect port 80 to HTTPS automatically
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

# Core HTTPS configuration
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # Replace with your certificate paths
    ssl_certificate /etc/nginx/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com/privkey.pem;

    # SSL security settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;

    # Reverse proxy settings, copied from the sections above
    location / {
        proxy_pass http://backend_api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
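5. Core commands for applying configuration and troubleshooting
After any configuration change, always validate first and then reload, to avoid a service outage:
```bash
# 1. Validate the configuration. Mandatory! Errors report the offending line number directly
nginx -t
# 2. Graceful reload without interrupting in-flight requests (recommended in production)
systemctl reload nginx
# 3. Restart the service (only for major changes)
systemctl restart nginx
# 4. Check the running status
systemctl status nginx
# 5. Read the error log to locate problems
tail -n 50 /var/log/nginx/error.log
```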

