Nginx

main config

/opt/nginx/conf/nginx.conf

user  nobody nobody;
worker_processes  auto;
worker_cpu_affinity auto;
pid        logs/nginx.pid;
error_log  logs/error.log;
include /opt/nginx/modules-enabled/*.conf;
worker_rlimit_nofile 655350;

events {
    worker_connections  102400;
	# multi_accept on;
}

##
# TCP Stream Settings
##
stream{
    log_format tcp_log '$remote_addr [$time_local]'
         '$protocol $status $bytes_sent $bytes_received $session_time'
         '"$upstream_addr" "$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    access_log /opt/nginx/logs/tcp-access.log tcp_log;

    upstream tcp_backend_server {
        hash $remote_addr consistent; #IP hash
        server 1.1.1.1:9999;
        server 2.2.2.2:9999;
        server 3.3.3.3:9999;
    }
    server {
      listen 9999;
      proxy_pass tcp_backend_server;
    }
}

http {
    ###
    # Basic Settings
    ##
	
    sendfile on;
	tcp_nopush on;
	types_hash_max_size 2048;
    server_tokens off;
    server_names_hash_max_size 3072;
    server_names_hash_bucket_size 1024;
	
    include       mime.types;
    default_type  application/octet-stream;
	
    ##
    # SSL Settings
    ##
    #ssl_protocols SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    ## 
    # Logging Settings
    ##
    log_format main '$remote_addr $remote_user $ip2location_country_long $ip2location_region $ip2location_city '
                    '[$time_local] Host:$host Request:$request Status:$status RequestLength:$request_length BodyBytesSent:$body_bytes_sent RequestTime:$request_time '
                    'UpstreamAddr:$upstream_addr UpstreamStatus:$upstream_status UpstreamConnTime:$upstream_connect_time UpstreamResTime:$upstream_response_time '
                    'Scheme:$scheme Referer:$http_referer Cookie:$http_cookie UA:$http_user_agent XFF:$http_x_forwarded_for'
    log_format main_json escape=json '{"time_local":"$time_local",'
'"server_addr":"$server_addr",'
'"country":"$ip2location_country_long",'
'"state":"$ip2location_region",'
'"city":"$ip2location_city",'
'"http_x_forward":"$http_x_forwarded_for",'
'"remote_addr":"$remote_addr",'
'"request_method":"$request_method",'
'"uri":"$uri",'
'"scheme":"$scheme",'
'"domain":"$server_name",'
'"referer":"$http_referer",'
'"server_name":"$host",'
'"request":"$request_uri",'
'"http_user_agent":"$http_user_agent",'
'"args":"$args",'
'"body":"$request_body",'
'"cookie":"$http_cookie",'
'"request_length":"$request_length",'
'"size":$body_bytes_sent,'
'"request_completion":"$request_completion",'
'"status": "$status",'
'"proxy_host":"$proxy_host",'
'"response_time":$request_time,'
'"upstream_time":"$upstream_response_time",'
'"upstream_status":"$upstream_status",'
'"upstream_addr":"$upstream_addr",'
'"upstream_cache_status":"$upstream_cache_status",'
'"upstream_connect_time":"$upstream_connect_time",'
'"upstream_response_length":"$upstream_response_length",'
'"https":"$https",'
'"request_id":"$hostname-$request_id"'
'}';
    access_log /opt/nginx/logs/access.log main;

    ##
    # Gzip Settings
    ##
    gzip  on;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_min_length 1k;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/octet-stream;

	
    resolver 8.8.8.8 1.1.1.1 114.114.114.114 valid=5 ipv6=off;
    resolver_timeout 3s;

    keepalive_timeout 180;
    client_body_buffer_size 50m;
    client_body_timeout 300;
    client_max_body_size 50m;
    proxy_intercept_errors on;
    proxy_ignore_client_abort on;
    proxy_next_upstream error timeout http_502 http_503 http_504;
    proxy_next_upstream_timeout 20;
    proxy_connect_timeout 10;
    proxy_read_timeout 300;
    proxy_send_timeout 300;
    proxy_buffer_size 512k;
    proxy_buffers 4 512k;
    proxy_busy_buffers_size 512k;
    proxy_temp_file_write_size 512k;
    client_header_buffer_size 512k;
    large_client_header_buffers 4 512k;

    variables_hash_max_size 2048;
    variables_hash_bucket_size 2048;


    ##
    # Map Settings
    ##
    # ip2location = https://github.com/chrislim2888/IP2Location-C-Library
    ip2location_database /opt/nginx/conf/IPV6-COUNTRY-REGION-CITY.BIN;
    ip2location_proxy_recursive on;
    map $ip2location_country_short $blocked_country {
	    default no;
	    ~*(AU|IN|NG|US)$ yes;
    }
    ## geoip2 = https://github.com/leev/ngx_http_geoip2_module
    #geoip2 /opt/nginx/conf/GeoLite2-Country.mmdb {
    #   $geoip2_country_code country iso_code;
    #   $geoip2_country_name country names en;
    #}
    #geoip2 /opt/nginx/conf/GeoLite2-City.mmdb {
    #    $geoip2_city_name city names en;
    #    $geoip2_subdivisions_name subdivisions 0 names en;
    #    $geoip2_latitude location latitude;
    #    $geoip2_longitude location longitude;
    #}
    #map $geoip2_country_code $allowed_country {
    #    default no;
    #    ~*(AU|IN|NG|US)$ yes;
    #}

    # websocket connection keepalive
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # domain ssl dir
    map $ssl_server_name $domainCert {
       default /opt/nginx/conf/keys/default.crt;
       ~*^(.+\.)*([^\.]+\.[^\.]+)$ /opt/nginx/conf/keys/$2.crt;
    }
    map $ssl_server_name $domainKey {
       default /opt/nginx/conf/keys/default.key;
       ~*^(.+\.)*([^\.]+\.[^\.]+)$ /opt/nginx/conf/keys/$2.key;
    }

    ##
    # Virtual Host Configs
    ##
    include vhosts/*.conf;
}


include modules.conf;

modules.conf

cat > /opt/nginx/conf/modules.conf << EOF
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_array_var_module.so;
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_geoip2_module.so;
load_module modules/ngx_http_headers_more_filter_module.so;
load_module modules/ngx_http_ip2location_module.so;
load_module modules/ngx_http_lua_module.so;
load_module modules/ngx_http_set_misc_module.so;
load_module modules/ngx_stream_geoip2_module.so;
EOF

third iplib

[[IPV6-COUNTRY-REGION-CITY.BIN.gz|ip2location]]

[[GeoLite2-City.mmdb.gz|Geoip2]]

virtual host conf

/opt/nginx/conf/vhosts/default.conf

server {
  listen 80 default;
  listen 443 ssl http2 default_server;
  server_name _;

  ssl_certificate     /opt/nginx/conf/keys/default.crt;
  ssl_certificate_key /opt/nginx/conf/keys/default.key;

  location / {
     return 403;
  }

  location /check_status.txt {
     return 200 '2f83232835a24a45ecbae42bbf44deb2';
     access_log  off;
    }
}

# global settings for lua
lua_load_resty_core off;
lua_shared_dict limit 50m;
init_by_lua_file "/opt/nginx/conf/waf/init.lua";
lua_socket_log_errors off;

# global settings for ssl
ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve              X25519:P-256:P-384:P-224:P-521;
ssl_ciphers                 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
ssl_prefer_server_ciphers on;
ssl_session_timeout  4h;
ssl_session_cache shared:SSL:30m;
ssl_session_tickets off;

/opt/nginx/conf/vhosts/real_ip.conf

real_ip_header X-Forwarded-For;
real_ip_recursive on;
# proxy downstream real ip
set_real_ip_from 192.168.1.1/32;
set_real_ip_from 192.168.1.2/32;

/opt/nginx/conf/vhosts/template.conf

upstream backend_server {
    server 1.1.1.1:8080;
    server 2.2.2.2:8080;
    server 3.3.3.3:8080;
}

server {
    listen 80;
    listen 443 ssl http2;
    server_name
        example.com
        *.example.com
    ;
    ssl_certificate     $domainCert;
    ssl_certificate_key $domainKey;
    access_log logs/example_access.log main;

    # frontend project
    location / {
        root /app/frontend-project;
        try_files $uri $uri/ /index.html;

        # cache settings
        #if ($request_filename ~ .*\.(htm|html|json)$) {
        #    add_header Cache-Control no-cache;
        #}
        if ($request_filename ~ .*\.(htm|html)$) { add_header Cache-Control "max-age=60, s-maxage=120"; }
        if ($request_filename !~ .*\.(htm|html)$) { add_header Cache-Control "max-age=31536000, s-maxage=86400"; }

        # Cross-Origin Resource Sharing
        add_header Access-Control-Allow-Origin '*';
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';

        proxy_intercept_errors on;
        error_page 404 = /;
        error_page 401   /401;
        error_page 403   /403;
        error_page 500   /500;
        error_page 502   /502;
        error_page 503   /503;
    }

    # backend project
    location /api/ {
        proxy_pass http://backend_server;
    }

    # websocket request
    location /socket {
        proxy_pass http://backend_server;
        proxy_http_version 1.1;
        # Upgrade get by http header, Connection get by nginx map
        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
   }

    # geoip
    location /geoip2 {
        if ( $allowed_country = no ) {
            return 444;
        }
        return 200 '{
            "remote_addr": "$remote_addr",
            "x_forwarded_for": "$http_x_forwarded_for",
            "countryCode": "$geoip2_country_code",
            "countryName": "$geoip2_country_name",
            "cityName": "$geoip2_city_name",
            "citySubdivisions": "$geoip2_subdivisions_name",
            "latitude": "$geoip2_latitude",
            "longitude": "$geoip2_longitude",
            "allowed_country": "$allowed_country"
            }';
    }

    # ip2location
    location /ip2location {
        if ( $blocked_country = yes ) {
            return 444;
        }
        return 200 '{
            "remote_addr": "$remote_addr",
            "x_forwarded_for": "$http_x_forwarded_for",
            "countryCode": "$ip2location_country_short",
            "countryName": "$ip2location_country_long",
            "cityRegion": "$ip2location_region",
            "cityName": "$ip2location_city",
            "locationIsp": "$ip2location_isp",
            "latitude": "$ip2location_latitude",
            "longitude": "$ip2location_longitude",
            "blocked_country": "$blocked_country"
            }';
    }
}

PreviousMysql NextObservability

Last updated 1 month ago