
Interview Question Handbook

What causes Kafka message loss, and how is it solved?

Causes of Kafka message loss and their solutions

Kafka is designed with several mechanisms that guarantee messages are not lost, but in real deployments loss can still happen. Understanding the causes and the corresponding remedies is essential for building a reliable system.

Common causes of message loss

1. Loss on the producer side
- Network problems: the network drops while the message is being sent
- Asynchronous sends: with async sending the producer returns before the message has actually been sent
- No retry configured: a failed send is never retried
- Buffer overflow: messages back up, the buffer fills, and messages are discarded

2. Loss on the broker side
- Not flushed to disk: the message was written to memory but the broker crashed before it reached disk
- Too few replicas: with a replication factor of 1, a broker crash loses the message
- Replica lag: the leader received the message but crashed before the followers had replicated it
- Disk failure: physical disk damage loses the data

3. Loss on the consumer side
- Auto-committed offsets: the offset is committed after the message is fetched but before processing has finished
- Processing failure: processing fails but the offset has already been committed
- Abnormal exit: the consumer exits abnormally and the uncommitted messages are consumed again

Solutions

Producer configuration:
```properties
# Number of retries
retries=3
# Acknowledgement level: the leader and every follower in the ISR must acknowledge
acks=all
# Enable idempotence
enable.idempotence=true
# Buffer size
buffer.memory=33554432
# Batch size
batch.size=16384
```

Broker configuration:
```properties
# Replication factor
default.replication.factor=3
# Minimum number of in-sync replicas
min.insync.replicas=2
# Flush policy
log.flush.interval.messages=10000
log.flush.interval.ms=1000
# Replica failure detection
replica.lag.time.max.ms=30000
```

Consumer configuration:
```properties
# Disable auto-commit
enable.auto.commit=false
# Reasonable session timeout
session.timeout.ms=30000
```
Commit the offset manually, and only after the message has been fully processed:
```java
consumer.commitSync();
```

Best practices
- Choose acks deliberately:
  - acks=0: no acknowledgement is awaited; fastest, but messages may be lost
  - acks=1: wait for the leader's acknowledgement; balances performance and reliability
  - acks=all: wait for every ISR replica; most reliable, lowest throughput
- Use transactions: enable producer transaction support so that a set of messages either all succeed or all fail
- Monitoring and alerting: monitor message backlog, monitor consumer lag, and set sensible alert thresholds
- Regular backups: back up Kafka data and keep a disaster-recovery plan
- Test and verify: run failure-injection tests to confirm that the no-loss mechanisms actually work

Trade-off between performance and reliability
- High-reliability settings reduce throughput
- Pick the configuration that fits the business scenario
- For critical business data, favour reliability
- For non-critical data, some reliability can be traded for performance

With proper configuration and monitoring, Kafka message loss can be avoided in most scenarios.
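The consumer-side cases above (offset committed before processing finishes versus only after processing, and re-consumption after an abnormal exit) can be reproduced without a broker. The simulation below is an added example, not code from the original page: the partition, the consumer loop and the crash are all constructed in memory, and the three `mode` values stand for auto-commit firing before a batch is handled, `commitSync()` after each record, and `commitSync()` once per batch.

```python
from dataclasses import dataclass


@dataclass
class FakePartition:
    """Constructed stand-in for one topic partition plus its committed offset."""
    records: list
    committed: int = 0  # offset of the next record delivered after a restart

    def poll(self, max_records: int = 3) -> list:
        """Return up to max_records (offset, value) pairs starting at `committed`."""
        start = self.committed
        return list(enumerate(self.records[start:start + max_records], start))

    def commit(self, next_offset: int) -> None:
        self.committed = next_offset


class ConsumerCrash(Exception):
    """Raised by the handler to simulate the consumer process dying mid-batch."""


def run_consumer(partition, handler, mode):
    """Consume until the partition is drained or the handler crashes.

    mode: "before"      - offset committed before the batch is handled
                          (what enable.auto.commit=true can do)
          "after_each"  - commitSync after every successfully handled record
          "after_batch" - commitSync once after the whole batch
    Returns the list of values that were actually processed.
    """
    processed = []
    try:
        while True:
            batch = partition.poll()
            if not batch:
                break
            if mode == "before":
                partition.commit(batch[-1][0] + 1)
            for offset, value in batch:
                handler(value)  # may raise ConsumerCrash
                processed.append(value)
                if mode == "after_each":
                    partition.commit(offset + 1)
            if mode == "after_batch":
                partition.commit(batch[-1][0] + 1)
    except ConsumerCrash:
        pass  # the process died; whatever was committed is what survives
    return processed


def crash_on(value):
    """Handler factory: processing crashes when it reaches `value`."""
    def handler(v):
        if v == value:
            raise ConsumerCrash
    return handler


def simulate(mode, crash_value="m3"):
    """Run the consumer, crash it on crash_value, restart it with a handler
    that no longer crashes, and report (delivered, lost, duplicated)."""
    partition = FakePartition(records=["m1", "m2", "m3", "m4", "m5"])
    first_run = run_consumer(partition, crash_on(crash_value), mode)
    second_run = run_consumer(partition, lambda v: None, mode)
    delivered = first_run + second_run
    lost = [r for r in partition.records if r not in delivered]
    duplicated = sorted({v for v in delivered if delivered.count(v) > 1})
    return delivered, lost, duplicated


if __name__ == "__main__":
    for mode in ("before", "after_each", "after_batch"):
        print(mode, simulate(mode))
```

Committing before processing loses the record the consumer died on; committing per batch re-delivers the records handled before the crash (at-least-once), and only commit-after-each-record gives neither loss nor duplicates in this scenario.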
Reads 0 · Feb 21, 16:58

How do you configure Nginx logging? What log formats and optimization methods are there?

Nginx logs are essential for monitoring, debugging and security auditing. Well-configured logs help locate problems quickly and tune performance.

Access log configuration:
```nginx
http {
    # Custom log format
    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time';

    # Detailed log format
    log_format detailed '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        '$request_time $upstream_response_time '
                        '$upstream_addr $upstream_status '
                        '$http_x_forwarded_for $request_id';

    # JSON log format
    log_format json_combined escape=json
        '{'
        '"time_local":"$time_local",'
        '"remote_addr":"$remote_addr",'
        '"remote_user":"$remote_user",'
        '"request":"$request",'
        '"status":"$status",'
        '"body_bytes_sent":"$body_bytes_sent",'
        '"request_time":"$request_time",'
        '"http_referrer":"$http_referer",'
        '"http_user_agent":"$http_user_agent"'
        '}';

    # Apply a log format
    access_log /var/log/nginx/access.log main;

    server {
        listen 80;
        server_name example.com;

        # A different format for this virtual host
        access_log /var/log/nginx/example.com.access.log detailed;

        location / {
            proxy_pass http://backend;
        }
    }
}
```

Error log configuration:
```nginx
# Error log levels: debug, info, notice, warn, error, crit, alert, emerg
error_log /var/log/nginx/error.log warn;

# Several error logs at different levels
error_log /var/log/nginx/error.log info;
error_log /var/log/nginx/crit.log crit;
```

Log optimization:
```nginx
http {
    # Buffered log writes
    access_log /var/log/nginx/access.log main buffer=32k flush=5s;

    # Compressed log (gzip implies buffering; use this or the line above, not both for one file)
    access_log /var/log/nginx/access.log main gzip=9;

    server {
        # location is only valid inside server, so the exclusions live here
        # Disable logging for static assets
        location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2)$ {
            access_log off;
        }

        # Disable logging for health checks
        location /health {
            access_log off;
            return 200 "OK";
        }
    }
}
```

Conditional logging:
```nginx
http {
    # Log by status code (skip 2xx and 3xx)
    map $status $loggable {
        ~^[23] 0;
        default 1;
    }

    # Log by request method
    map $request_method $loggable_method {
        GET 1;
        POST 1;
        default 0;
    }

    server {
        listen 80;
        server_name example.com;

        # Only requests with the selected status codes
        access_log /var/log/nginx/access.log main if=$loggable;

        # Only requests with the selected methods
        access_log /var/log/nginx/method.log main if=$loggable_method;

        location / {
            proxy_pass http://backend;
        }
    }
}
```

Separate logs per purpose:
```nginx
http {
    # API log format
    log_format api '$remote_addr - $remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   'rt=$request_time uct="$upstream_connect_time" '
                   'uht="$upstream_header_time" urt="$upstream_response_time"';

    server {
        listen 80;
        server_name example.com;

        # Main site log
        access_log /var/log/nginx/main.log main;

        # API log
        location /api/ {
            access_log /var/log/nginx/api.log api;
            proxy_pass http://api_backend;
        }

        # Static assets are not logged
        location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2)$ {
            access_log off;
            root /var/www/static;
        }
    }
}
```

Log rotation:
```text
# /etc/logrotate.d/nginx
/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 nginx adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
    endscript
}
```

Variables useful for log analysis:
```nginx
log_format analysis '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time '
                    '$upstream_addr $upstream_status '
                    '$scheme $server_name $request_uri '
                    '$http_host $http_x_forwarded_for '
                    '$request_id $connection $connections '
                    '$time_iso8601 $msec';
```

Common log variables:

| Variable | Meaning |
|------|------|
| $remote_addr | Client IP address |
| $remote_user | Authenticated user name |
| $time_local | Local time |
| $request | Full request line |
| $status | Response status code |
| $body_bytes_sent | Bytes sent |
| $http_referer | Referring page |
| $http_user_agent | User agent |
| $request_time | Request processing time |
| $upstream_response_time | Upstream response time |
| $upstream_addr | Upstream server address |
| $upstream_status | Upstream status code |
| $request_id | Request ID |
| $http_x_forwarded_for | Real client IP (behind proxies) |

Log monitoring and alerting:
```nginx
# Custom error-log-style format
# Note: error_log has no custom format, and $level/$message are not Nginx variables;
# this line is illustrative only and will not pass nginx -t.
log_format error_log_format '$time_local [$level] $message';

# Slow-request log
log_format slow_request '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $request_time '
                        'upstream_response_time=$upstream_response_time';

http {
    # Slow-request threshold: $request_time of 1 second or more
    map $request_time $slow_request {
        default 0;
        ~^[1-9]\d*\. 1;
    }

    server {
        listen 80;
        server_name example.com;

        # Log only slow requests
        access_log /var/log/nginx/slow.log slow_request if=$slow_request;

        location / {
            proxy_pass http://backend;
        }
    }
}
```

Log security:
```nginx
http {
    # Format that leaves out sensitive fields
    log_format secure '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent" '
                      '$request_time';

    server {
        listen 80;
        server_name example.com;

        # Do not log passwords or other sensitive data
        location /login {
            access_log /var/log/nginx/login.log secure;
            proxy_pass http://auth_backend;
        }

        # Sensitive paths get the reduced format too
        location ~* ^/(admin|api/v1/users) {
            access_log /var/log/nginx/sensitive.log secure;
            proxy_pass http://backend;
        }
    }
}
```

Complete logging configuration example:
```nginx
user nginx;
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    # Log formats
    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time';

    log_format api '$remote_addr - $remote_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   'rt=$request_time uct="$upstream_connect_time" '
                   'uht="$upstream_header_time" urt="$upstream_response_time" '
                   'upstream_addr=$upstream_addr upstream_status=$upstream_status';

    log_format json_combined escape=json
        '{'
        '"time_local":"$time_local",'
        '"remote_addr":"$remote_addr",'
        '"remote_user":"$remote_user",'
        '"request":"$request",'
        '"status":"$status",'
        '"body_bytes_sent":"$body_bytes_sent",'
        '"request_time":"$request_time",'
        '"http_referrer":"$http_referer",'
        '"http_user_agent":"$http_user_agent",'
        '"upstream_response_time":"$upstream_response_time"'
        '}';

    # Global logs
    access_log /var/log/nginx/access.log main buffer=32k flush=5s;
    error_log /var/log/nginx/error.log warn;

    # Conditional logging
    map $status $loggable {
        ~^[23] 0;
        default 1;
    }

    # Slow requests (1 second or more)
    map $request_time $slow_request {
        default 0;
        ~^[1-9]\d*\. 1;
    }

    server {
        listen 80;
        server_name example.com;

        # Main log
        access_log /var/log/nginx/example.com.access.log main if=$loggable;

        # Slow-request log
        access_log /var/log/nginx/slow.log main if=$slow_request;

        # API log
        location /api/ {
            access_log /var/log/nginx/api.log api;
            proxy_pass http://api_backend;
        }

        # Static assets are not logged
        location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2)$ {
            access_log off;
            root /var/www/static;
        }

        # Health checks are not logged
        location /health {
            access_log off;
            return 200 "OK";
        }

        location / {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Log analysis tools:
- GoAccess: real-time log analysis
- AWStats: web log analysis
- ELK Stack: Elasticsearch + Logstash + Kibana
- Grafana + Loki: log monitoring and visualization
- Splunk: enterprise log analysis

Log optimization recommendations:
- Set the log level sensibly: use warn or error in production
- Use buffering: reduces disk I/O
- Rotate regularly: keeps individual files from growing too large
- Compress old logs: saves disk space
- Separate logs: split by business function
- Log conditionally: record only what is needed
- Use JSON: easier for machines to parse
- Watch log size: prevents the disk filling up
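Added example, not from the original page: a small parser for the `main` and `json_combined` formats defined above that applies the same slow-request threshold as the `$slow_request` map (1 second) and flags 4xx/5xx responses, which is the kind of check a log-monitoring job would run. The log lines are constructed samples; the regular expression and the threshold are assumptions matching the formats shown.

```python
import json
import re

# Regex for the `main` format above: the combined format plus
# "$request_time $upstream_response_time" appended.
MAIN_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'(?P<request_time>[\d.]+) (?P<upstream_response_time>[-\d.,: ]+)$'
)

SLOW_THRESHOLD = 1.0  # seconds; same threshold as the $slow_request map


def parse_line(line):
    """Parse one access-log line (main or json_combined). Returns None if
    the line is in neither format, so callers can count unparsed lines."""
    line = line.rstrip("\n")
    if line.startswith("{"):
        try:
            rec = json.loads(line)  # json_combined: every value is a string
        except json.JSONDecodeError:
            return None
    else:
        m = MAIN_RE.match(line)
        if not m:
            return None
        rec = m.groupdict()
    try:
        return {
            "remote_addr": rec["remote_addr"],
            "request": rec["request"],
            "status": int(rec["status"]),
            "request_time": float(rec["request_time"]),
        }
    except (KeyError, ValueError):
        return None


def classify(rec):
    """Flags for one parsed record: slow, 5xx, 4xx (a record may be several)."""
    flags = []
    if rec["request_time"] >= SLOW_THRESHOLD:
        flags.append("slow")
    if 500 <= rec["status"] <= 599:
        flags.append("5xx")
    elif 400 <= rec["status"] <= 499:
        flags.append("4xx")
    return flags


def scan(lines):
    """Return (counts per flag, [(remote_addr, request, flags), ...])."""
    counts = {"slow": 0, "5xx": 0, "4xx": 0, "unparsed": 0}
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        flags = classify(rec)
        for f in flags:
            counts[f] += 1
        if flags:
            flagged.append((rec["remote_addr"], rec["request"], flags))
    return counts, flagged


# Constructed sample: three `main` lines, one json_combined line, one junk line.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Feb/2025:16:58:01 +0800] "GET /api/users HTTP/1.1" 200 512 "-" "curl/8.0" 0.012 0.010
203.0.113.10 - - [21/Feb/2025:16:58:02 +0800] "POST /api/report HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 2.350 2.340
198.51.100.7 - admin [21/Feb/2025:16:58:03 +0800] "GET /admin HTTP/1.1" 502 150 "-" "Mozilla/5.0" 0.004 -
{"time_local":"21/Feb/2025:16:58:04 +0800","remote_addr":"198.51.100.7","remote_user":"","request":"GET /missing HTTP/1.1","status":"404","body_bytes_sent":"153","request_time":"0.001","http_referrer":"","http_user_agent":"Mozilla/5.0"}
this line is not in any known format
"""

if __name__ == "__main__":
    counts, flagged = scan(SAMPLE_LOG.splitlines())
    print(counts)
    for entry in flagged:
        print(entry)
```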
Reads 0 · Feb 21, 16:57

How do you configure an Nginx reverse proxy?

An Nginx reverse proxy means the Nginx server accepts the client's request, forwards it to a backend server, and returns the backend's response to the client. The client only knows about the Nginx server, not about the backend that actually handles the request.

Basic configuration example:
```nginx
server {
    listen 80;
    server_name example.com;

    location / {
        proxy_pass http://backend_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

upstream backend_server {
    server 192.168.1.100:8080;
    server 192.168.1.101:8080;
}
```

Key directives:
- proxy_pass: the backend address; an IP address, a domain name or an upstream group name
- proxy_set_header: headers forwarded to the backend
  - Host: preserves the original request's host name
  - X-Real-IP: records the client's real IP
  - X-Forwarded-For: records the chain of proxies the request passed through
  - X-Forwarded-Proto: records the original protocol (http/https)
- upstream: defines a group of backend servers for load balancing

Common reverse-proxy options:
```nginx
location /api/ {
    proxy_pass http://backend_api;

    # Timeouts
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;

    # Buffering
    proxy_buffering on;
    proxy_buffer_size 4k;
    proxy_buffers 8 4k;

    # WebSocket support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Disable redirect rewriting
    proxy_redirect off;
}
```

Load-balancing strategies:
- Round-robin (default): requests are distributed in order
- least_conn: sent to the server with the fewest active connections
- ip_hash: hashed by client IP, so the same IP always reaches the same server
- least_time: sent to the server with the shortest response time (commercial version only)

Typical use cases:
- Forwarding requests to multiple application servers
- Hiding the backend servers' real IPs
- A single entry point that simplifies client configuration
- SSL termination
- Caching static content
- WebSocket proxying
Reads 0 · Feb 21, 16:57

How do you configure Nginx as a WebSocket proxy?

WebSocket is a protocol for full-duplex communication over a single TCP connection. Nginx can act as a WebSocket proxy, forwarding the client's WebSocket connection to a backend server.

Basic configuration:
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    server_name example.com;

    location /ws {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Timeouts
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }
}
```

Key settings:
- proxy_http_version 1.1: WebSocket requires HTTP/1.1
- Upgrade and Connection headers: tell Nginx this is a WebSocket connection
- Timeouts: WebSocket connections are long-lived, so the timeouts must be generous

Complete configuration example:
```nginx
http {
    upstream websocket_backend {
        server 192.168.1.100:8080;
        server 192.168.1.101:8080;
    }

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    server {
        listen 80;
        server_name example.com;

        # WebSocket proxy
        location /ws {
            proxy_pass http://websocket_backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Timeouts (adjust to your needs)
            proxy_connect_timeout 60s;
            proxy_send_timeout 3600s;
            proxy_read_timeout 3600s;

            # Disable buffering
            proxy_buffering off;
        }

        # Ordinary requests
        location / {
            proxy_pass http://backend;
            proxy_set_header Host $host;
        }
    }
}
```

HTTPS WebSocket configuration:
```nginx
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    location /ws {
        proxy_pass http://websocket_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;

        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }
}
```

WebSocket load balancing:
```nginx
upstream websocket_backend {
    # ip_hash keeps a client on the same backend
    ip_hash;
    server 192.168.1.100:8080;
    server 192.168.1.101:8080;
    server 192.168.1.102:8080;
}
```

Points to note:
- Session affinity: a WebSocket connection must stay on the same backend; use ip_hash or a sticky module
- Timeouts: set them according to the business requirements
- Buffering: real-time WebSocket traffic needs buffering disabled
- Firewall: make sure the firewall allows long-lived connections
- Load balancing: avoid plain round-robin, which breaks connections

Performance optimization:
```nginx
# More worker connections
events {
    worker_connections 4096;
}

# Keepalive to the upstream
upstream websocket_backend {
    server 192.168.1.100:8080;
    keepalive 32;
}

# TCP tuning
location /ws {
    proxy_pass http://websocket_backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    # TCP keepalive and timeouts
    proxy_socket_keepalive on;
    proxy_connect_timeout 60s;
    proxy_send_timeout 3600s;
    proxy_read_timeout 3600s;
}
```

Multiple WebSocket paths:
```nginx
# Different paths forwarded to different backends
location /chat/ws {
    proxy_pass http://chat_backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}

location /notification/ws {
    proxy_pass http://notification_backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}
```

Monitoring and logging:
```nginx
# Custom log format
log_format websocket '$remote_addr - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent" '
                     'rt=$request_time uct="$upstream_connect_time" '
                     'uht="$upstream_header_time" urt="$upstream_response_time"';

access_log /var/log/nginx/websocket_access.log websocket;

# Connection counts
location /nginx_status {
    stub_status on;
    access_log off;
}
```

Troubleshooting:
- Connections dropping: check whether the timeouts are reasonable
- Cannot connect: check that the Upgrade and Connection headers are correct
- Load-balancing problems: use ip_hash for session affinity
- Performance problems: adjust worker_connections and the buffering settings
Reads 0 · Feb 21, 16:57

How do you configure HTTPS and SSL certificates in Nginx?

Configuring HTTPS in Nginx uses the SSL module: you enable encrypted communication by configuring an SSL certificate. HTTPS protects data in transit against eavesdropping and tampering.

Basic configuration example:
```nginx
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    location / {
        root /var/www/html;
        index index.html;
    }
}
```

SSL certificate parameters:
```nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    # Certificate file paths
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # SSL protocol versions
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher suites
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # SSL session cache
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.crt;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

Automatic HTTP to HTTPS redirect:
```nginx
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    location / {
        root /var/www/html;
    }
}
```

Certificate types:
- Self-signed certificate: for test environments; not trusted by browsers
- Free certificate: e.g. Let's Encrypt; valid for 90 days, can be renewed automatically
- Commercial certificate: issued by a CA, usually valid for 1 year

Requesting a Let's Encrypt certificate with Certbot:
```bash
# Install Certbot
sudo apt-get install certbot python3-certbot-nginx

# Request a certificate and configure Nginx automatically
sudo certbot --nginx -d example.com -d www.example.com

# Request only the certificate, without touching the Nginx configuration
sudo certbot certonly --nginx -d example.com
```

Certificate renewal:
```bash
# Manual renewal
sudo certbot renew

# Automatic renewal (add to crontab)
0 0,12 * * * certbot renew --quiet
```

Security recommendations:
- Use TLS 1.2 or newer
- Disable weak cipher suites
- Enable HSTS to prevent downgrade attacks
- Configure OCSP stapling to improve performance
- Renew certificates regularly
- Use strong keys (at least 2048 bits)
- Enable HTTP/2 for better performance

Performance optimization:
```nginx
# SSL session cache
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;

# Enable HTTP/2
listen 443 ssl http2;

# SSL buffer size
ssl_buffer_size 4k;
```

Multi-domain certificate:
```nginx
server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate /etc/nginx/ssl/wildcard.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.key;

    location / {
        root /var/www/html;
    }
}
```

Certificate chain: if the certificate needs an intermediate certificate, concatenate the certificate and the intermediate into one file (server certificate first):
```bash
cat example.com.crt intermediate.crt > bundle.crt
```
Then reference bundle.crt in the Nginx configuration:
```nginx
ssl_certificate /etc/nginx/ssl/bundle.crt;
```
Reads 0 · Feb 21, 16:57

How do you monitor and operate Nginx? What monitoring tools are there?

Monitoring and operating Nginx well is essential for service stability and performance. Good monitoring lets you spot and fix problems early.

Built-in status monitoring:
```nginx
# Enable the stub_status module
server {
    listen 80;
    server_name localhost;

    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
}
```

Status fields:
- Active connections: current number of active connections
- accepts: total connections accepted
- handled: total connections handled
- requests: total requests handled
- Reading: connections currently reading a request header
- Writing: connections currently sending a response
- Waiting: idle (keep-alive) connections

Custom monitoring endpoints:
```nginx
server {
    listen 80;
    server_name localhost;

    # Liveness check
    location /health {
        access_log off;
        return 200 "OK\n";
        add_header Content-Type text/plain;
    }

    # Readiness check
    location /ready {
        access_log off;
        # Checks the backend connection
        proxy_pass http://backend/health;
        proxy_intercept_errors off;
    }

    # Version information
    location /version {
        access_log off;
        return 200 "Nginx/1.21.0\n";
        add_header Content-Type text/plain;
    }
}
```

Log-based monitoring:
```nginx
# Custom log format
log_format monitoring '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent" '
                      'rt=$request_time uct="$upstream_connect_time" '
                      'uht="$upstream_header_time" urt="$upstream_response_time" '
                      'cache=$upstream_cache_status';

server {
    listen 80;
    server_name example.com;

    access_log /var/log/nginx/monitoring.log monitoring;

    location / {
        proxy_pass http://backend;
    }
}
```

Prometheus monitoring:
```nginx
# Install nginx-prometheus-exporter
# https://github.com/nginxinc/nginx-prometheus-exporter

# Nginx configuration
server {
    listen 80;
    server_name localhost;

    location /metrics {
        proxy_pass http://localhost:9113/metrics;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
}
```

Grafana + Prometheus:
```yaml
# prometheus.yml
global:
  scrape_interval: 15s

scrape_configs:
  - job_name: 'nginx'
    static_configs:
      - targets: ['localhost:9113']
```

ELK Stack:
```nginx
# JSON log format
log_format json_combined escape=json
    '{'
    '"time_local":"$time_local",'
    '"remote_addr":"$remote_addr",'
    '"remote_user":"$remote_user",'
    '"request":"$request",'
    '"status":"$status",'
    '"body_bytes_sent":"$body_bytes_sent",'
    '"request_time":"$request_time",'
    '"http_referrer":"$http_referer",'
    '"http_user_agent":"$http_user_agent"'
    '}';

server {
    listen 80;
    server_name example.com;

    access_log /var/log/nginx/access.log json_combined;

    location / {
        proxy_pass http://backend;
    }
}
```

Zabbix monitoring:
```text
# Install the Zabbix Agent
# Configure items such as:
# nginx_status[accepts]
# nginx_status[handled]
# nginx_status[requests]
# nginx_status[reading]
# nginx_status[writing]
# nginx_status[waiting]
```

Performance metrics:
```nginx
# Detailed timing log
log_format performance '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $body_bytes_sent '
                       'rt=$request_time '
                       'uct=$upstream_connect_time '
                       'uht=$upstream_header_time '
                       'urt=$upstream_response_time '
                       'cache=$upstream_cache_status';

server {
    listen 80;
    server_name example.com;

    access_log /var/log/nginx/performance.log performance;

    location / {
        proxy_pass http://backend;
    }
}
```

Alerting:
```nginx
# Log-based alert level
map $status $alert_level {
    ~^[5] critical;
    ~^[4] warning;
    default ok;
}

server {
    listen 80;
    server_name example.com;

    access_log /var/log/nginx/access.log performance;

    location / {
        proxy_pass http://backend;
        # Expose the alert level as a response header
        add_header X-Alert-Level $alert_level;
    }
}
```

Operations script:
```bash
#!/bin/bash
# nginx_monitor.sh

# Check the status page
check_nginx_status() {
    if ! curl -f http://localhost/nginx_status > /dev/null 2>&1; then
        echo "Nginx status page is not accessible"
        return 1
    fi
    return 0
}

# Check the process
check_nginx_process() {
    if ! pgrep -x nginx > /dev/null; then
        echo "Nginx process is not running"
        return 1
    fi
    return 0
}

# Check the listening port
check_nginx_port() {
    if ! netstat -tlnp 2>/dev/null | grep -q ':80 '; then
        echo "Nginx is not listening on port 80"
        return 1
    fi
    return 0
}

# Main: run every check and exit non-zero if any of them failed
main() {
    local rc=0
    check_nginx_status || rc=1
    check_nginx_process || rc=1
    check_nginx_port || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "All checks passed"
    fi
    return "$rc"
}

main
```

Operations commands:
```bash
# Reload the configuration without interrupting service
nginx -s reload

# Graceful stop
nginx -s quit

# Fast stop
nginx -s stop

# Reopen log files
nginx -s reopen

# Test the configuration
nginx -t

# Show the version
nginx -v

# Show the build parameters
nginx -V
```

Log rotation:
```text
# /etc/logrotate.d/nginx
/var/log/nginx/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 nginx adm
    sharedscripts
    postrotate
        [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
    endscript
}
```

Complete monitoring configuration example:
```nginx
user nginx;
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    # Log formats
    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

    log_format performance '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           'rt=$request_time '
                           'uct=$upstream_connect_time '
                           'uht="$upstream_header_time" '
                           'urt="$upstream_response_time" '
                           'cache=$upstream_cache_status';

    log_format json_combined escape=json
        '{'
        '"time_local":"$time_local",'
        '"remote_addr":"$remote_addr",'
        '"remote_user":"$remote_user",'
        '"request":"$request",'
        '"status":"$status",'
        '"body_bytes_sent":"$body_bytes_sent",'
        '"request_time":"$request_time",'
        '"http_referrer":"$http_referer",'
        '"http_user_agent":"$http_user_agent"'
        '}';

    # Main site
    server {
        listen 80;
        server_name example.com;
        root /var/www/html;
        index index.html;

        # Performance log
        access_log /var/log/nginx/performance.log performance;
        error_log /var/log/nginx/error.log warn;

        # Monitoring endpoints
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }

        location /health {
            access_log off;
            return 200 "OK\n";
            add_header Content-Type text/plain;
        }

        location /ready {
            access_log off;
            proxy_pass http://backend/health;
            proxy_intercept_errors off;
        }

        location /metrics {
            proxy_pass http://localhost:9113/metrics;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }

        location / {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Recommended monitoring tools:
- Prometheus + Grafana: powerful monitoring and visualization platform
- ELK Stack: log collection, storage and analysis
- Zabbix: enterprise monitoring system
- Nagios: mature monitoring solution
- Datadog: cloud monitoring service
- New Relic: application performance monitoring
- AppDynamics: application performance management

Operations best practices:
- Monitor comprehensively: performance, logs and resource usage
- Alert promptly: set sensible alert thresholds
- Back up regularly: configuration and important data
- Automate: use scripts and tools for routine operations
- Document: record operational procedures and incidents in detail
- Rehearse: run failure drills regularly
- Optimize performance: monitor and tune continuously
- Audit security: run security checks regularly
- Plan capacity: scale according to business growth
- Improve continuously: act on what the monitoring data shows
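Added example, not part of the original page: parsing the stub_status text into the fields explained above and deriving the values an alert would actually watch (dropped connections, request rate, and a consistency check on the counters). The two status samples are constructed; the scrape interval and the rate threshold are assumptions.

```python
import re

# Constructed samples in the exact layout the stub_status module emits.
SAMPLE_STATUS = """Active connections: 291
server accepts handled requests
 16630948 16630948 31070465
Reading: 6 Writing: 179 Waiting: 106
"""

# A second constructed sample, as if scraped 15 seconds later.
SAMPLE_STATUS_LATER = """Active connections: 300
server accepts handled requests
 16631000 16630990 31070765
Reading: 5 Writing: 190 Waiting: 105
"""


def parse_stub_status(text):
    """Parse stub_status output into the fields listed above."""
    active = re.search(r"Active connections:\s*(\d+)", text)
    counters = re.search(
        r"server accepts handled requests\s*\n\s*(\d+)\s+(\d+)\s+(\d+)", text)
    rww = re.search(r"Reading:\s*(\d+)\s+Writing:\s*(\d+)\s+Waiting:\s*(\d+)", text)
    if not (active and counters and rww):
        raise ValueError("not stub_status output")
    return {
        "active": int(active.group(1)),
        "accepts": int(counters.group(1)),
        "handled": int(counters.group(2)),
        "requests": int(counters.group(3)),
        "reading": int(rww.group(1)),
        "writing": int(rww.group(2)),
        "waiting": int(rww.group(3)),
    }


def derive_metrics(current, previous=None, interval_s=None):
    """Values worth alerting on:
    - dropped_connections: accepts minus handled, which grows when a worker
      hits its connection limit (worker_connections / file descriptors)
    - requests_per_connection: keep-alive effectiveness
    - active_equals_rww: Active must equal Reading + Writing + Waiting
    - requests_per_second: from two samples and the interval between them
    """
    handled = current["handled"]
    metrics = {
        "dropped_connections": current["accepts"] - handled,
        "requests_per_connection": round(current["requests"] / handled, 3) if handled else 0.0,
        "active_equals_rww": current["active"]
        == current["reading"] + current["writing"] + current["waiting"],
    }
    if previous is not None and interval_s:
        metrics["requests_per_second"] = (current["requests"] - previous["requests"]) / interval_s
    return metrics


def alerts(metrics, max_rps=None):
    """Turn derived metrics into alert strings (empty list means healthy)."""
    out = []
    if metrics["dropped_connections"] > 0:
        out.append("connections dropped: check worker_connections and worker_rlimit_nofile")
    if not metrics["active_equals_rww"]:
        out.append("Active != Reading+Writing+Waiting: sample may be inconsistent")
    if max_rps is not None and metrics.get("requests_per_second", 0.0) > max_rps:
        out.append("request rate above threshold")
    return out


if __name__ == "__main__":
    first = parse_stub_status(SAMPLE_STATUS)
    later = parse_stub_status(SAMPLE_STATUS_LATER)
    print(derive_metrics(first))
    print(alerts(derive_metrics(later, first, interval_s=15), max_rps=10))
```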
Reads 0 · Feb 21, 16:57

How do you tune Nginx performance? What are the key parameters?

Nginx performance tuning is a systematic effort across several dimensions. Sensible configuration can significantly improve Nginx's throughput and response time.

Core configuration:
```nginx
# Global settings
user nginx;
worker_processes auto;          # one worker per CPU core
worker_rlimit_nofile 100000;    # file descriptor limit
worker_cpu_affinity auto;       # CPU affinity

events {
    worker_connections 65535;   # maximum connections per worker
    use epoll;                  # epoll on Linux
    multi_accept on;            # accept several connections at once
    accept_mutex off;           # no accept mutex, less lock contention
}

http {
    # Basic optimizations
    sendfile on;                # efficient file transfer
    tcp_nopush on;              # optimize packet sending
    tcp_nodelay on;             # disable Nagle's algorithm
    keepalive_timeout 65;       # keep-alive timeout
    keepalive_requests 100;     # maximum requests per keep-alive connection

    # Buffers
    client_body_buffer_size 128k;       # client request body buffer
    client_max_body_size 10m;           # maximum request body size
    client_header_buffer_size 1k;       # client request header buffer
    large_client_header_buffers 4 4k;   # large request header buffers

    # Output buffering
    output_buffers 1 32k;
    postpone_output 1460;

    # File cache
    open_file_cache max=100000 inactive=20s;  # file descriptor cache
    open_file_cache_valid 30s;                # revalidation interval
    open_file_cache_min_uses 2;               # minimum uses to stay cached
    open_file_cache_errors on;                # cache lookup errors too

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss;
    gzip_disable "msie6";
}
```

Worker process tuning:
```nginx
# Match the number of CPU cores
worker_processes auto;

# Bind workers to cores manually (assuming a 4-core CPU)
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;

# Worker process priority: -20 to 19, lower is higher priority
worker_priority -5;
```

Connection tuning:
```nginx
events {
    # More connections
    worker_connections 65535;

    # Accept several connections at once
    multi_accept on;

    # Disable the accept mutex under high concurrency
    accept_mutex off;

    # Efficient event model
    use epoll;     # Linux
    # use kqueue;  # BSD/macOS
}

http {
    # Keep-alive tuning
    keepalive_timeout 65;
    keepalive_requests 100;

    # Keep-alive to upstream servers
    upstream backend {
        server 192.168.1.100:8080;
        keepalive 32;   # keep 32 idle connections
    }

    # Proxy timeouts
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;
}
```

Buffer tuning:
```nginx
http {
    # Client buffers
    client_body_buffer_size 128k;
    client_max_body_size 10m;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;

    # Proxy buffers
    proxy_buffering on;
    proxy_buffer_size 4k;
    proxy_buffers 8 4k;
    proxy_busy_buffers_size 8k;

    # FastCGI buffers
    fastcgi_buffer_size 4k;
    fastcgi_buffers 8 4k;

    # Output buffering
    output_buffers 1 32k;
    postpone_output 1460;
}
```

File I/O tuning:
```nginx
http {
    # File cache
    open_file_cache max=100000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # Efficient file transfer
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Direct I/O for large files
    # directio 4m;
}
```

Compression tuning:
```nginx
http {
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;     # minimum size to compress
    gzip_comp_level 6;        # compression level 1-9
    gzip_buffers 16 8k;       # compression buffers
    gzip_http_version 1.1;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml application/atom+xml image/svg+xml;
    gzip_disable "msie6";

    # Serve pre-compressed static files
    gzip_static on;
}
```

Logging tuning:
```nginx
http {
    # Custom log format
    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    'rt=$request_time uct="$upstream_connect_time" '
                    'uht="$upstream_header_time" urt="$upstream_response_time"';

    # Access log
    access_log /var/log/nginx/access.log main buffer=32k flush=5s;

    # Error log
    error_log /var/log/nginx/error.log warn;

    server {
        # Turn off logging for static assets (location must sit inside server)
        location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2)$ {
            access_log off;
        }
    }
}
```

SSL/TLS tuning:
```nginx
server {
    listen 443 ssl http2;

    # SSL session cache
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # SSL buffer
    ssl_buffer_size 4k;

    # Protocols and cipher suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
}
```

System-level tuning:
```text
# /etc/sysctl.conf

# File descriptors
fs.file-max = 1000000

# TCP parameters
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_tw_reuse = 1
```
Apply the settings:
```bash
sysctl -p
```

User limits:
```text
# /etc/security/limits.conf
nginx soft nofile 65535
nginx hard nofile 65535
```

Monitoring and diagnostics:
```nginx
# Status monitoring
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    deny all;
}

# Request tracing
location /debug {
    add_header X-Request-ID $request_id;
    add_header X-Upstream-Addr $upstream_addr;
}
```

Load-testing tools:
```bash
# wrk
wrk -t12 -c4000 -d30s http://example.com/

# ab
ab -n 10000 -c 1000 http://example.com/

# siege
siege -c 100 -t 60S http://example.com/
```

Key performance metrics:
- QPS (queries per second): measures processing capacity
- Response time: average, P95, P99
- Concurrent connections: currently active connections
- Error rate: share of 4xx and 5xx responses
- CPU usage: should not stay above 70%
- Memory usage: watch memory consumption
- Disk I/O: watch read/write performance

Tuning advice:
- Tune incrementally: change one parameter at a time and observe the effect
- Benchmark: compare performance before and after each change
- Watch the metrics: keep an eye on the key performance indicators
- Analyse logs: use access logs to find bottlenecks
- Review regularly: periodically check that the configuration still makes sense
Reads 0 · Feb 21, 16:57

How do you secure Nginx? What are the security best practices?

Nginx security configuration is essential for protecting the web server against a range of attacks. Sensible settings prevent many common threats.

Basic security settings:
```nginx
# Hide the Nginx version
server_tokens off;

# Restrict request methods
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

# Limit request body size
client_max_body_size 10m;

# Limit request header size
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;

# Timeouts
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
```

Defending against common attacks:

1. SQL injection:
```nginx
location ~* \.(php|jsp|asp)$ {
    if ($args ~* "union.*select.*\(") {
        return 403;
    }
    if ($args ~* "concat.*\(") {
        return 403;
    }
}
```

2. XSS:
```nginx
location ~* \.(php|html|htm)$ {
    if ($args ~* "<script>|</script>|javascript:|onerror=|onload=|onclick=") {
        return 403;
    }
}
```

3. File inclusion:
```nginx
location ~* \.(php|inc|config)$ {
    if ($args ~* "\.\./") {
        return 403;
    }
}
```

4. Directory traversal:
```nginx
location ~* /\.\. {
    deny all;
}
```

Access control:

IP whitelist:
```nginx
location /admin {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
}
```

IP blacklist:
```nginx
location / {
    deny 192.168.1.100;
    deny 192.168.1.101;
    allow all;
}
```

Basic authentication:
```nginx
location /admin {
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
```

DDoS mitigation:
```nginx
http {
    # Zones must be declared in the http context
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;

    server {
        # Limit concurrent connections per client
        limit_conn conn_limit 10;

        # Limit request rate
        limit_req zone=req_limit burst=20 nodelay;

        # Limit bandwidth
        limit_rate_after 10m;
        limit_rate 1m;
    }
}
```

SSL/TLS security:
```nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    # Certificates
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # Protocols
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher suites
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # Session cache
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.crt;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Other security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;
}
```

File security:
```nginx
# Deny hidden files
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

# Deny sensitive file types
location ~* \.(htaccess|htpasswd|ini|log|sh|sql|bak|old|swp|tmp)$ {
    deny all;
    access_log off;
    log_not_found off;
}

# Deny editor backup files
location ~* \~$ {
    deny all;
    access_log off;
    log_not_found off;
}

# Disable directory listings
autoindex off;

# Deny specific directories
location ~* ^/(admin|config|backup|tmp)/ {
    deny all;
}
```

Blocking unwanted User-Agents:
```nginx
# Block crawlers
if ($http_user_agent ~* (bot|crawl|spider|scraper)) {
    return 403;
}

# Block specific clients
if ($http_user_agent ~* (wget|curl|python-requests)) {
    return 403;
}
```

Hotlink protection for images:
```nginx
location ~* \.(jpg|jpeg|png|gif|ico|svg)$ {
    valid_referers none blocked example.com *.example.com;
    if ($invalid_referer) {
        return 403;
    }
}
```

Logging for security:
```nginx
# Log format that records more security-relevant fields
log_format security '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time '
                    '$http_x_forwarded_for';

# Access log
access_log /var/log/nginx/access.log security;

# Error log
error_log /var/log/nginx/error.log warn;

# Static assets are not logged
location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2)$ {
    access_log off;
}
```

Guarding against oversized requests (buffer limits):
```nginx
# Client buffer limits
client_body_buffer_size 128k;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
client_max_body_size 10m;

# Proxy buffers
proxy_buffer_size 4k;
proxy_buffers 8 4k;
proxy_busy_buffers_size 8k;
```

Security best practices:
- Update regularly: keep Nginx and the OS patched
- Least privilege: run Nginx as a non-root user
- Disable unneeded modules: reduce the attack surface
- Configure a firewall: restrict access to unnecessary ports
- Use HTTPS: enable SSL/TLS encryption
- Audit logs regularly: watch for anomalous access
- Deploy a WAF: use a web application firewall
- Back up the configuration: regularly
- Test the configuration: with nginx -t
- Monitor performance: track metrics with monitoring tools

Complete security configuration example:
```nginx
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    worker_connections 1024;
    use epoll;
}

http {
    # Hide the version (server_tokens is only valid in http/server/location)
    server_tokens off;

    # Basic limits
    client_max_body_size 10m;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;

    # Timeouts
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 10;

    # Rate-limit zones
    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

    # Logging
    log_format security '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent"';
    access_log /var/log/nginx/access.log security;
    error_log /var/log/nginx/error.log warn;

    # Gzip
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript;

    server {
        listen 80;
        server_name example.com;

        # Redirect to HTTPS
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name example.com;

        # SSL
        ssl_certificate /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;

        # Security headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Rate limiting
        limit_req zone=req_limit burst=20 nodelay;
        limit_conn conn_limit 10;

        # Deny hidden files
        location ~ /\. {
            deny all;
            access_log off;
        }

        # Deny sensitive file types
        location ~* \.(htaccess|htpasswd|ini|log|sh|sql|bak|old|swp|tmp)$ {
            deny all;
            access_log off;
        }

        # Admin backend access control
        location /admin {
            allow 192.168.1.0/24;
            deny all;
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass http://backend;
        }

        # Main site
        location / {
            proxy_pass http://backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```
Reads 0 · Feb 21, 16:57

How does Nginx implement rate limiting? What rate-limiting strategies are there?

Nginx offers rate limiting that absorbs request floods, protects backend capacity and slows down abusive clients. It is built on two modules, limit_req (request rate, ngx_http_limit_req_module) and limit_conn (concurrent connections, ngx_http_limit_conn_module), plus the limit_rate directive for bandwidth. It is a per-server capacity control, not a DDoS defence on its own: a volumetric attack saturates the uplink before nginx sees a single request, so network-level filtering still has to sit in front of it.

Request rate limiting (limit_req):

    http {
        # zone keyed by client IP
        limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
        # zone keyed by the request URI (path plus query string)
        limit_req_zone $request_uri zone=uri:10m rate=5r/s;
        # zone keyed by server name: one counter for the whole virtual host
        limit_req_zone $server_name zone=server:10m rate=100r/s;

        server {
            listen 80;
            server_name example.com;

            location / {
                limit_req zone=one burst=20 nodelay;
                proxy_pass http://backend;
            }

            # API endpoints
            location /api/ {
                limit_req zone=one burst=10 nodelay;
                limit_req_status 429;
                proxy_pass http://api_backend;
            }
        }
    }

Parameters:
limit_req_zone: defines a zone; it is allowed only in the http context.
$binary_remote_addr: the client address in binary form (4 bytes for IPv4, 16 for IPv6), smaller than the text form $remote_addr.
zone=one:10m: zone name and shared memory size. One megabyte holds about 16,000 64-byte states, so 10m holds roughly 160,000 keys. When the zone is full nginx evicts the oldest state; if it still cannot create a new one, the request is rejected with the limit_req_status code.
rate=10r/s: the sustained rate. Only r/s and r/m are accepted; rates below one request per second are written in r/m (for example 5r/m).
limit_req: applies a zone; several limit_req directives may be combined in one location.
burst=20: how many requests above the rate are queued instead of rejected.
nodelay: forward queued requests immediately instead of spacing them at the rate; the burst slots still refill only at the rate.
limit_req_status: status code for rejected requests (default 503).

Check the key before relying on it: behind a load balancer or CDN, $binary_remote_addr is the proxy's address and every user shares one counter. Configure ngx_http_realip_module (set_real_ip_from for the proxy ranges, real_ip_header X-Forwarded-For) so the key is the real client, and trust that header only from your own proxies. Keying on $request_uri includes the query string, so a client can dodge the limit by varying a parameter; $uri (the normalized path) is the better per-endpoint key.

Connection limiting (limit_conn):

    http {
        # zone for per-client connection counting
        limit_conn_zone $binary_remote_addr zone=addr:10m;
        # zone for per-server connection counting
        limit_conn_zone $server_name zone=server:10m;

        server {
            listen 80;
            server_name example.com;

            # at most 10 concurrent connections per client IP
            limit_conn addr 10;
            # at most 1000 concurrent connections for this virtual host
            limit_conn server 1000;

            location / {
                proxy_pass http://backend;
            }
        }
    }

A connection is counted only while it has a request being processed and the request header has been read completely, so slow downloads and long-polling hold a slot, idle keep-alive connections do not.

Bandwidth limiting:

    server {
        listen 80;
        server_name example.com;

        location /download/ {
            # cap the response at 1 MB/s
            limit_rate 1m;
            # the first 10 MB of each response are sent at full speed
            limit_rate_after 10m;
            root /var/www/files;
        }
    }

limit_rate is applied per connection: a client that opens ten parallel connections gets ten times the rate, so pair it with limit_conn.

Combined configuration:

    http {
        # request rate
        limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
        limit_req_zone $request_uri zone=uri_limit:10m rate=5r/s;
        # concurrent connections
        limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
        # status codes returned when a limit is hit
        limit_req_status 429;
        limit_conn_status 429;

        server {
            listen 80;
            server_name example.com;

            # server-wide per-client connection cap
            limit_conn conn_limit 10;

            # front page
            location = / {
                limit_req zone=req_limit burst=20 nodelay;
                proxy_pass http://backend;
            }

            # API: strict limit, both per client and per URI
            location /api/ {
                limit_req zone=req_limit burst=5 nodelay;
                limit_req zone=uri_limit burst=2 nodelay;
                proxy_pass http://api_backend;
            }

            # downloads
            location /download/ {
                limit_rate 1m;
                limit_rate_after 10m;
                root /var/www/files;
            }

            # static assets: no request limit
            location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2)$ {
                root /var/www/static;
            }
        }
    }

Whitelist configuration:

The original used a geo block whose default value was $binary_remote_addr. geo values are literal strings, not variables, so that configuration does not produce a per-client key. The documented pattern is geo plus map: geo classifies the address, map turns the class into either the client address or an empty key, and an empty key is never counted.

    http {
        # 1 = subject to the limit, 0 = trusted
        geo $limit {
            default 1;
            192.168.1.0/24 0;
            10.0.0.0/8 0;
        }
        # trusted ranges get an empty key and are not limited
        map $limit $limit_key {
            0 "";
            1 $binary_remote_addr;
        }
        limit_req_zone $limit_key zone=whitelist_limit:10m rate=10r/s;

        server {
            listen 80;
            server_name example.com;

            location / {
                limit_req zone=whitelist_limit burst=20 nodelay;
                proxy_pass http://backend;
            }
        }
    }

Dynamic limiting (by request method):

    http {
        # read-only methods get an empty key and are exempt; everything else is limited per client
        map $request_method $limit_key {
            default $binary_remote_addr;
            GET "";
            HEAD "";
        }
        limit_req_zone $limit_key zone=dynamic_limit:10m rate=10r/s;

        server {
            listen 80;
            server_name example.com;

            location / {
                limit_req zone=dynamic_limit burst=20 nodelay;
                proxy_pass http://backend;
            }
        }
    }

Rate limit logging:

    http {
        # log format carrying the limit_req decision
        log_format limit '$remote_addr - $remote_user [$time_local] '
                         '"$request" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent" '
                         'rt=$request_time limit=$limit_req_status';
        access_log /var/log/nginx/access.log limit;

        limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;

        server {
            listen 80;
            server_name example.com;

            location / {
                limit_req zone=req_limit burst=20 nodelay;
                limit_req_log_level warn;
                proxy_pass http://backend;
            }
        }
    }

$limit_req_status (nginx 1.17.6 and later) is PASSED, DELAYED, REJECTED, DELAYED_DRY_RUN or REJECTED_DRY_RUN, and is empty for requests that did not pass through a limit_req directive. limit_req_log_level sets the level of the "limiting requests" message in the error log (default error); delays are logged one level lower. To tune a rate before enforcing it, set limit_req_dry_run on: decisions are computed and logged but nothing is rejected or delayed.

How limit_req decides:

Nginx does not use fixed or sliding windows. limit_req is a leaky bucket: rate is the drain rate, burst is the bucket depth, and every request adds one unit. A request that would overflow the bucket is rejected. Without nodelay, requests that fit in the bucket but exceed the rate are delayed so the backend receives them at the configured rate; with nodelay they are forwarded at once, but the bucket still drains only at the rate, so a client that has spent its burst is rejected until it refills. The delay=N parameter (nginx 1.15.7 and later) is the middle ground: the first N excess requests go through undelayed, the rest are paced. limit_conn is a plain concurrent counter, not a rate algorithm.

Typical scenarios:

1. API endpoints:

    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/m;

    location /api/ {
        limit_req zone=api_limit burst=10 nodelay;
        limit_req_status 429;
        add_header X-RateLimit-Limit "100";
        proxy_pass http://api_backend;
    }

The original wrote the rate as 100r/min, which nginx rejects at startup ("invalid rate"); the unit is r/m. It also emitted static X-RateLimit-Remaining and X-RateLimit-Reset headers. nginx exposes no variable with the remaining budget, so those would be constants that mislead clients; let the backend compute them or send only the fixed limit. add_header without the always parameter is applied only to 2xx and 3xx responses, so nginx's own 429 carries none of these headers.

2. Login endpoint:

    limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/m;

    location /login {
        limit_req zone=login_limit burst=2 nodelay;
        limit_req_status 429;
        proxy_pass http://auth_backend;
    }

3. Download throttling:

    location /download/ {
        limit_rate 500k;
        limit_rate_after 5m;
        root /var/www/files;
    }

4. Brute-force protection:

    limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=3r/m;

    location ~* ^/(login|register|reset-password) {
        limit_req zone=auth_limit burst=1 nodelay;
        limit_req_status 429;
        proxy_pass http://auth_backend;
    }

A per-IP limit slows down a single attacker but not credential stuffing spread across many addresses, and it can lock out legitimate users behind a shared NAT. Treat it as one layer next to a per-account counter in the application and, for password reset, a limit keyed on the target account.

Monitoring and debugging:

The original included a /limit_status location that returned $limit_req_status from a location with no limit_req configured; the variable is set only for requests that went through a limit_req directive, so that endpoint would always print an empty value. The reliable signals are the access log format above (filter on limit=REJECTED) and the "limiting requests" lines in the error log. stub_status exposes the connection counters:

    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }

Run nginx -t after every change, reproduce a burst with a load tool before going live, and use limit_req_dry_run on to watch REJECTED_DRY_RUN decisions in the log without affecting users.

Best practices:
Set rates from measured traffic: derive the rate from real per-client request patterns, not from guesses.
Use burst: allow a reasonable amount of burst traffic so page loads with several requests are not penalized.
Return a meaningful error: use 429 with a friendly body rather than the default 503.
Whitelist trusted sources: exempt monitoring systems and internal ranges with the geo plus map pattern.
Watch the effect: review the limit= field in the access log regularly and adjust.
Limit in layers: different endpoints get different zones and rates (login stricter than static assets).
Cache static content: serve static assets from cache so they never compete with the limited endpoints.

Performance considerations:
Shared memory size: size each zone for the expected number of distinct keys; an exhausted zone rejects requests.
Key granularity: choose the key (client IP, normalized URI, account) to match what you want to throttle, and fix the client address behind proxies first.
Log level: use warn in production to keep the error log readable.
nodelay: use it where latency matters more than smoothing; leave it off where you want the backend to see a steady rate.
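To make the leaky-bucket behaviour concrete, here is an added simulation (written for this page, not nginx code and not from the original article) that reproduces the limit_req decision documented for ngx_http_limit_req_module: the bucket drains at rate, each request adds one unit, a request that would exceed burst is rejected without touching the stored state, and requests above delay (nodelay means delay is unbounded) are held so the backend sees the configured rate. It assumes time as float seconds rather than nginx's integer milliseconds, ignores zone eviction, and uses a constructed client address.

```python
"""Model of the limit_req decision in nginx.

Added example: reproduces the leaky-bucket logic of ngx_http_limit_req_module
so the effect of rate, burst, nodelay and delay=N can be observed on a
request sequence. Assumptions: float seconds instead of nginx's integer
milliseconds; zone eviction is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field

NODELAY = float("inf")   # "limit_req ... nodelay" is an unbounded delay= parameter


@dataclass
class LimitReq:
    rate: float                 # sustained rate in requests per second (rate=10r/s -> 10)
    burst: int = 0              # bucket depth above the rate (burst=20)
    delay: float = 0.0          # excess requests forwarded undelayed (delay=N or NODELAY)
    # per-key state: key -> (time of the last accepted request, excess at that time)
    _state: dict[str, tuple[float, float]] = field(default_factory=dict)

    def request(self, key: str, now: float) -> tuple[str, float]:
        """Decide one request. Returns (status, seconds the request is held)."""
        if key not in self._state:
            # first request for a key: empty bucket, accepted immediately
            self._state[key] = (now, 0.0)
            return "PASSED", 0.0
        last, excess = self._state[key]
        # leak since the last accepted request, add one unit for this request,
        # never below an empty bucket (same order as nginx: leak, add, clamp)
        excess = max(excess - self.rate * (now - last) + 1.0, 0.0)
        if excess > self.burst:
            # overflow: rejected, and the stored state is NOT updated,
            # so rejected requests do not push the refill time out
            return "REJECTED", 0.0
        self._state[key] = (now, excess)
        if excess <= self.delay:
            return "PASSED", 0.0
        # held so that the backend sees at most `rate` requests per second
        return "DELAYED", (excess - self.delay) / self.rate


def simulate(rate: float, burst: int, delay: float,
             timestamps: list[float], key: str = "203.0.113.7") -> list[tuple[str, float]]:
    """Run one client (constructed address) through a limit; return the decisions."""
    lim = LimitReq(rate=rate, burst=burst, delay=delay)
    return [lim.request(key, t) for t in timestamps]


def summarize(results: list[tuple[str, float]]) -> dict[str, int]:
    counts = {"PASSED": 0, "DELAYED": 0, "REJECTED": 0}
    for status, _ in results:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    burst_at_once = [0.0] * 25      # 25 requests arriving in the same instant
    for name, delay in (("nodelay", NODELAY), ("default", 0.0), ("delay=10", 10.0)):
        print(name, summarize(simulate(10, 20, delay, burst_at_once)))
    # after the burst the bucket refills at 10/s; 0.05 s later it is still full,
    # 1 s later ten slots are back, 2.05 s later it is empty again
    late = simulate(10, 20, NODELAY, burst_at_once + [0.05, 1.0, 2.05])
    print([s for s, _ in late[25:]])
```

With rate=10r/s burst=20, 25 simultaneous requests give 21 accepted and 4 rejected under every delay setting; what changes is only how many of the 21 are held back (none with nodelay, 20 with the default, 10 with delay=10), and the last accepted one waits 2.0 s in the default mode. The burst=0 case shows why a client can still make exactly one request every 100 ms at 10r/s.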
Reads 0 · Feb 21 16:57

How does Nginx implement access control? What access control methods are there?

Nginx offers several access control methods: address-based allow/deny, HTTP basic authentication, token checks and filters on methods and headers, which together protect sensitive resources. Two points apply throughout. allow/deny and every $binary_remote_addr key see the address of the TCP peer, so behind a proxy or CDN configure ngx_http_realip_module first or all clients look like the proxy. And the examples listen on port 80 for brevity, but passwords and tokens must only be accepted over TLS.

IP access control:

    server {
        listen 80;
        server_name example.com;

        # allow list: rules are evaluated in order, the first match wins
        location /admin {
            allow 192.168.1.0/24;
            allow 10.0.0.0/8;
            deny all;
            proxy_pass http://backend;
        }

        # deny list
        location / {
            deny 192.168.1.100;
            deny 192.168.1.101;
            allow all;
            proxy_pass http://backend;
        }
    }

Basic authentication:

    server {
        listen 80;
        server_name example.com;

        # create the password file; -c creates (and overwrites) it, omit -c when adding users:
        # htpasswd -c /etc/nginx/.htpasswd username
        location /admin {
            auth_basic "Restricted Area";
            auth_basic_user_file /etc/nginx/.htpasswd;
            proxy_pass http://backend;
        }

        # a separate user database for the API
        location /api {
            auth_basic "API Access";
            auth_basic_user_file /etc/nginx/.htpasswd_api;
            proxy_pass http://api_backend;
        }
    }

Basic auth sends the password base64-encoded (not encrypted) with every request, so it is acceptable only over HTTPS. Keep the password file outside the document root and readable only by the nginx worker user.

Access tokens:

    server {
        listen 80;
        server_name example.com;

        # header shape check
        location /api {
            if ($http_authorization !~* "^Bearer .+") {
                return 401;
            }
            proxy_pass http://api_backend;
        }

        # query-string token check
        location /protected {
            if ($arg_token != "secret_token") {
                return 403;
            }
            proxy_pass http://backend;
        }
    }

These if checks only test the shape of a credential. The first accepts any Bearer value, so the backend must still validate the token; the second compares against a literal in the config, and a token in the query string ends up in access logs, browser history and Referer headers. Real validation belongs in the application or in an auth_request subrequest to a service that verifies the token, with the token carried in a header. (if inside a location is safe when its body is a single return; other directives inside if have surprising semantics.)

Country-based access control:

The original used a geo block with country codes. geo maps only IP addresses and CIDR ranges, so "CN yes;" is a configuration error. Country lookups need the GeoIP module (ngx_http_geoip_module with a MaxMind database, or the third-party geoip2 module), which provides $geoip_country_code; the database path below depends on your installation:

    http {
        geoip_country /usr/share/GeoIP/GeoIP.dat;

        map $geoip_country_code $allowed_country {
            default no;
            CN yes;
            US yes;
        }

        server {
            listen 80;
            server_name example.com;

            location / {
                if ($allowed_country = no) {
                    return 403;
                }
                proxy_pass http://backend;
            }
        }
    }

Geolocation is coarse and trivially bypassed with a VPN; use it to reduce noise, not as authentication.

Access control by request method:

    server {
        listen 80;
        server_name example.com;

        # server-wide: only these methods are accepted
        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
            return 405;
        }

        # a path that accepts a subset
        location /api {
            if ($request_method !~ ^(GET|POST)$ ) {
                return 405;
            }
            proxy_pass http://api_backend;
        }

        # read-only endpoint
        location /api/read {
            if ($request_method !~ ^(GET|HEAD)$ ) {
                return 405;
            }
            proxy_pass http://api_backend;
        }
    }

Inside a location, limit_except GET HEAD { deny all; } is the directive designed for this and avoids if altogether.

Access control by request header:

    server {
        listen 80;
        server_name example.com;

        # require a specific header
        location /api {
            if ($http_x_api_key = "") {
                return 401;
            }
            proxy_pass http://api_backend;
        }

        # filter on User-Agent
        location / {
            if ($http_user_agent ~* (bot|crawl|spider)) {
                return 403;
            }
            proxy_pass http://backend;
        }

        # filter on Referer (none = missing header, blocked = header stripped by a proxy)
        location /download {
            valid_referers none blocked example.com *.example.com;
            if ($invalid_referer) {
                return 403;
            }
            root /var/www/files;
        }
    }

User-Agent and Referer are chosen by the client, so these filters stop casual scraping and hotlinking, not a deliberate attacker.

Combined access control:

    http {
        # declared for if-based checks; the locations below use allow/deny instead
        geo $whitelist {
            default 0;
            192.168.1.0/24 1;
            10.0.0.0/8 1;
        }

        # API keys mapped to a validity flag. Keys in the nginx config are readable by
        # anyone who can read the config; prefer a backend check for anything sensitive.
        map $http_x_api_key $api_valid {
            default 0;
            "secret_key_123" 1;
            "secret_key_456" 1;
        }

        server {
            listen 80;
            server_name example.com;

            # both conditions must hold: trusted address AND valid password (satisfy all is the default)
            location /admin {
                allow 192.168.1.0/24;
                allow 10.0.0.0/8;
                deny all;
                auth_basic "Admin Area";
                auth_basic_user_file /etc/nginx/.htpasswd;
                proxy_pass http://backend;
            }

            # API: key check, then method restriction
            location /api {
                if ($api_valid = 0) {
                    return 401;
                }
                if ($request_method !~ ^(GET|POST|PUT|DELETE)$ ) {
                    return 405;
                }
                proxy_pass http://api_backend;
            }

            # either condition suffices: trusted address OR valid password
            location /protected {
                satisfy any;
                allow 192.168.1.0/24;
                deny all;
                auth_basic "Protected Area";
                auth_basic_user_file /etc/nginx/.htpasswd;
                root /var/www/protected;
            }
        }
    }

Time-based access control:

    http {
        # 1 between 09:00 and 21:59 in the server's local time
        map $time_iso8601 $business_hours {
            default 0;
            ~^(\d{4}-\d{2}-\d{2}T(09|1[0-9]|2[0-1])) 1;
        }

        server {
            listen 80;
            server_name example.com;

            # admin area reachable only during business hours
            location /admin {
                if ($business_hours = 0) {
                    return 403;
                }
                proxy_pass http://backend;
            }
        }
    }

Directory traversal and hidden files:

The original blocked /\.\. with a regex location. nginx resolves . and .. segments (also when percent-encoded) while parsing the URI, before location matching, and answers 400 when the path would climb above the root, so that location never matches a real request and is not what prevents traversal. The traversal risk that actually comes from nginx configuration is alias misuse: a prefix location without a trailing slash combined with an alias that has one (location /img { alias /data/images/; }) lets a request for /img../ read /data/. Keep the trailing slashes consistent (location /img/ { alias /data/images/; }) and prefer root where possible. Hidden files do deserve a rule:

    server {
        listen 80;
        server_name example.com;

        # block dotfiles and dotdirs such as .git, .env, .htpasswd
        # (add an exception for /.well-known/ if you serve ACME challenges)
        location ~ /\. {
            deny all;
            access_log off;
            log_not_found off;
        }

        # directory listings are off by default; stated explicitly
        autoindex off;

        location / {
            proxy_pass http://backend;
        }
    }

Restricting file types:

    server {
        listen 80;
        server_name example.com;

        # sensitive files and editor/backup leftovers
        location ~* \.(htaccess|htpasswd|ini|log|sh|sql|bak|old|swp|tmp)$ {
            deny all;
            access_log off;
            log_not_found off;
        }

        # uploads: serve only an allow list of static types
        location /uploads {
            location ~* \.(jpg|jpeg|png|gif|pdf|doc|docx)$ {
                # root is prepended to the full URI, so /uploads/a.jpg maps to /var/www/uploads/a.jpg
                root /var/www;
            }
            location ~* \.(php|sh|exe|bat)$ {
                deny all;
            }
        }
    }

The deny list is a backstop, not the control: a file named shell.php.jpg matches the allow list, and the only reliable protection is that no location under /uploads ever hands a request to a script interpreter. Nested locations are matched only within the enclosing prefix, so keep the upload tree separate from any location that proxies to PHP or similar.

Access control best practices:
Least privilege: grant only the access each path needs.
Defence in depth: combine address rules, authentication and method restrictions.
Regular review: audit and prune the rules; stale allow entries are a common finding.
Logging: record denied requests (403/401 in the access log) and alert on spikes.
Allow lists over deny lists: enumerate what is permitted rather than what is forbidden.
Test before deploying: nginx -t plus requests from inside and outside each allowed range.
Monitor anomalies: watch for access attempts against /admin and dotfiles.
Rotate secrets: change passwords and API keys on a schedule and on staff changes.

Complete access control example:

    http {
        # trusted address ranges
        geo $whitelist {
            default 0;
            192.168.1.0/24 1;
            10.0.0.0/8 1;
        }

        # API key validation
        map $http_x_api_key $api_valid {
            default 0;
            "secret_key_123" 1;
            "secret_key_456" 1;
        }

        # business hours (09:00 to 21:59, server local time)
        map $time_iso8601 $business_hours {
            default 0;
            ~^(\d{4}-\d{2}-\d{2}T(09|1[0-9]|2[0-1])) 1;
        }

        # limit_req_zone is only valid in the http context; the original placed it
        # inside a location, which nginx refuses ("directive is not allowed here")
        limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/m;

        server {
            listen 80;
            server_name example.com;

            # admin console: address list AND password, and only during business hours.
            # The if/return runs in the rewrite phase, before allow/deny and auth_basic,
            # so outside business hours clients get 403 without a password prompt.
            location /admin {
                allow 192.168.1.0/24;
                allow 10.0.0.0/8;
                deny all;

                auth_basic "Admin Area";
                auth_basic_user_file /etc/nginx/.htpasswd;

                if ($business_hours = 0) {
                    return 403;
                }

                proxy_pass http://backend;
            }

            # API: key, method restriction, rate limit
            location /api {
                if ($api_valid = 0) {
                    return 401;
                }
                if ($request_method !~ ^(GET|POST|PUT|DELETE)$ ) {
                    return 405;
                }
                limit_req zone=api_limit burst=10 nodelay;
                proxy_pass http://api_backend;
            }

            # protected resources: trusted address OR password
            location /protected {
                satisfy any;
                allow 192.168.1.0/24;
                deny all;
                auth_basic "Protected Area";
                auth_basic_user_file /etc/nginx/.htpasswd;
                root /var/www/protected;
            }

            # sensitive files
            location ~* \.(htaccess|htpasswd|ini|log|sh|sql|bak|old|swp|tmp)$ {
                deny all;
                access_log off;
                log_not_found off;
            }

            # dotfiles
            location ~ /\. {
                deny all;
                access_log off;
                log_not_found off;
            }

            # main site
            location / {
                proxy_pass http://backend;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
        }
    }
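The token checks above can only inspect the shape of the Authorization header; verifying the token is the job of a backend. As an added example (not code from the original article and not part of nginx), the following small service does that verification for nginx's auth_request directive: nginx sends a subrequest to an internal location, and allows the client request only if the service answers 2xx (401 or 403 from the service are passed to the client; any other status is treated as an error). The nginx side is assumed to look like this, with the port, the /validate path and the two tokens being assumptions made up for the example:

    location /api/ {
        auth_request /_auth;
        proxy_pass http://api_backend;
    }
    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:9000/validate;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

```python
"""Bearer-token validator for nginx auth_request.

Added example. nginx's `if ($http_authorization !~* "^Bearer .+")` only
checks the header shape; this service checks the token value. Tokens are
stored as SHA-256 digests so the config and logs never hold the secret,
and comparison is constant-time. Port 9000, the /validate path and the
two tokens below are constructed for this example.
"""
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Constructed sample tokens. In production, load the digests from a secrets
# store or database, never from the nginx configuration.
VALID_TOKEN_DIGESTS = {
    hashlib.sha256(b"example-token-1").hexdigest(),
    hashlib.sha256(b"example-token-2").hexdigest(),
}


def validate(authorization: Optional[str]) -> int:
    """Return the status auth_request expects: 200 to allow, 401 to deny."""
    if not authorization:
        return 401
    scheme, _, token = authorization.partition(" ")
    # scheme names are case-insensitive (RFC 7235); a bare "Bearer" has no token
    if scheme.lower() != "bearer" or not token:
        return 401
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    # check every stored digest without short-circuiting, with a
    # constant-time comparison, so timing reveals nothing about matches
    allowed = False
    for stored in VALID_TOKEN_DIGESTS:
        allowed |= hmac.compare_digest(digest, stored)
    return 200 if allowed else 401


class AuthHandler(BaseHTTPRequestHandler):
    """Answers the nginx subrequest; the body is irrelevant, only the status counts."""

    def do_GET(self) -> None:
        status = validate(self.headers.get("Authorization"))
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Bearer realm="api"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args) -> None:
        # the default logger would write request lines; keep tokens out of logs
        return


if __name__ == "__main__":
    # bind to loopback only: nginx is the only intended caller
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Because the subrequest is made without a body and nginx returns the service's 401 to the client, the application behind /api/ never sees an unauthenticated request, and the token literal no longer lives in nginx.conf. To reject a valid token for a specific path, the service can also consult the X-Original-URI header set in the config above.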
Reads 0 · Feb 21 16:57