Nginx
main config
/opt/nginx/conf/nginx.conf
bash
user nobody nobody;
worker_processes auto;
worker_cpu_affinity auto;
pid logs/nginx.pid;
error_log logs/error.log;
include /opt/nginx/modules-enabled/*.conf;
worker_rlimit_nofile 655350;
events {
worker_connections 102400;
# multi_accept on;
}
##
# TCP Stream Settings
##
stream{
log_format tcp_log '$remote_addr [$time_local]'
'$protocol $status $bytes_sent $bytes_received $session_time'
'"$upstream_addr" "$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
access_log /opt/nginx/logs/tcp-access.log tcp_log;
upstream tcp_backend_server {
hash $remote_addr consistent; #IP hash
server 1.1.1.1:9999;
server 2.2.2.2:9999;
server 3.3.3.3:9999;
}
server {
listen 9999;
proxy_pass tcp_backend_server;
}
}
http {
###
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
server_tokens off;
server_names_hash_max_size 3072;
server_names_hash_bucket_size 1024;
include mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
#ssl_protocols SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
log_format main '$remote_addr $remote_user $ip2location_country_long $ip2location_region $ip2location_city '
'[$time_local] Host:$host Request:$request Status:$status RequestLength:$request_length BodyBytesSent:$body_bytes_sent RequestTime:$request_time '
'UpstreamAddr:$upstream_addr UpstreamStatus:$upstream_status UpstreamConnTime:$upstream_connect_time UpstreamResTime:$upstream_response_time '
'Scheme:$scheme Referer:$http_referer Cookie:$http_cookie UA:$http_user_agent XFF:$http_x_forwarded_for'
log_format main_json escape=json '{"time_local":"$time_local",'
'"server_addr":"$server_addr",'
'"country":"$ip2location_country_long",'
'"state":"$ip2location_region",'
'"city":"$ip2location_city",'
'"http_x_forward":"$http_x_forwarded_for",'
'"remote_addr":"$remote_addr",'
'"request_method":"$request_method",'
'"uri":"$uri",'
'"scheme":"$scheme",'
'"domain":"$server_name",'
'"referer":"$http_referer",'
'"server_name":"$host",'
'"request":"$request_uri",'
'"http_user_agent":"$http_user_agent",'
'"args":"$args",'
'"body":"$request_body",'
'"cookie":"$http_cookie",'
'"request_length":"$request_length",'
'"size":$body_bytes_sent,'
'"request_completion":"$request_completion",'
'"status": "$status",'
'"proxy_host":"$proxy_host",'
'"response_time":$request_time,'
'"upstream_time":"$upstream_response_time",'
'"upstream_status":"$upstream_status",'
'"upstream_addr":"$upstream_addr",'
'"upstream_cache_status":"$upstream_cache_status",'
'"upstream_connect_time":"$upstream_connect_time",'
'"upstream_response_length":"$upstream_response_length",'
'"https":"$https",'
'"request_id":"$hostname-$request_id"'
'}';
access_log /opt/nginx/logs/access.log main;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_proxied any;
gzip_min_length 1k;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/octet-stream;
resolver 8.8.8.8 1.1.1.1 114.114.114.114 valid=5 ipv6=off;
resolver_timeout 3s;
keepalive_timeout 180;
client_body_buffer_size 50m;
client_body_timeout 300;
client_max_body_size 50m;
proxy_intercept_errors on;
proxy_ignore_client_abort on;
proxy_next_upstream error timeout http_502 http_503 http_504;
proxy_next_upstream_timeout 20;
proxy_connect_timeout 10;
proxy_read_timeout 300;
proxy_send_timeout 300;
proxy_buffer_size 512k;
proxy_buffers 4 512k;
proxy_busy_buffers_size 512k;
proxy_temp_file_write_size 512k;
client_header_buffer_size 512k;
large_client_header_buffers 4 512k;
variables_hash_max_size 2048;
variables_hash_bucket_size 2048;
##
# Map Settings
##
# ip2location = https://github.com/chrislim2888/IP2Location-C-Library
ip2location_database /opt/nginx/conf/IPV6-COUNTRY-REGION-CITY.BIN;
ip2location_proxy_recursive on;
map $ip2location_country_short $blocked_country {
default no;
~*(AU|IN|NG|US)$ yes;
}
## geoip2 = https://github.com/leev/ngx_http_geoip2_module
#geoip2 /opt/nginx/conf/GeoLite2-Country.mmdb {
# $geoip2_country_code country iso_code;
# $geoip2_country_name country names en;
#}
#geoip2 /opt/nginx/conf/GeoLite2-City.mmdb {
# $geoip2_city_name city names en;
# $geoip2_subdivisions_name subdivisions 0 names en;
# $geoip2_latitude location latitude;
# $geoip2_longitude location longitude;
#}
#map $geoip2_country_code $allowed_country {
# default no;
# ~*(AU|IN|NG|US)$ yes;
#}
# websocket connection keepalive
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# domain ssl dir
map $ssl_server_name $domainCert {
default /opt/nginx/conf/keys/default.crt;
~*^(.+\.)*([^\.]+\.[^\.]+)$ /opt/nginx/conf/keys/$2.crt;
}
map $ssl_server_name $domainKey {
default /opt/nginx/conf/keys/default.key;
~*^(.+\.)*([^\.]+\.[^\.]+)$ /opt/nginx/conf/keys/$2.key;
}
##
# Virtual Host Configs
##
include vhosts/*.conf;
}
include modules.conf;modules.conf
bash
cat > /opt/nginx/conf/modules.conf << EOF
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_array_var_module.so;
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_geoip2_module.so;
load_module modules/ngx_http_headers_more_filter_module.so;
load_module modules/ngx_http_ip2location_module.so;
load_module modules/ngx_http_lua_module.so;
load_module modules/ngx_http_set_misc_module.so;
load_module modules/ngx_stream_geoip2_module.so;
EOFthird iplib
ip2location (IPV6-COUNTRY-REGION-CITY.BIN.gz)
Geoip2 (GeoLite2-City.mmdb.gz)
virtual host conf
/opt/nginx/conf/vhosts/default.conf
bash
server {
listen 80 default;
listen 443 ssl http2 default_server;
server_name _;
ssl_certificate /opt/nginx/conf/keys/default.crt;
ssl_certificate_key /opt/nginx/conf/keys/default.key;
location / {
return 403;
}
location /check_status.txt {
return 200 '2f83232835a24a45ecbae42bbf44deb2';
access_log off;
}
}
# global settings for lua
lua_load_resty_core off;
lua_shared_dict limit 50m;
init_by_lua_file "/opt/nginx/conf/waf/init.lua";
lua_socket_log_errors off;
# global settings for ssl
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
ssl_prefer_server_ciphers on;
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:30m;
ssl_session_tickets off;/opt/nginx/conf/vhosts/real_ip.conf
bash
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# proxy downstream real ip
set_real_ip_from 192.168.1.1/32;
set_real_ip_from 192.168.1.2/32;/opt/nginx/conf/vhosts/template.conf
bash
upstream backend_server {
server 1.1.1.1:8080;
server 2.2.2.2:8080;
server 3.3.3.3:8080;
}
server {
listen 80;
listen 443 ssl http2;
server_name
example.com
*.example.com
;
ssl_certificate $domainCert;
ssl_certificate_key $domainKey;
access_log logs/example_access.log main;
# frontend project
location / {
root /app/frontend-project;
try_files $uri $uri/ /index.html;
# cache settings
#if ($request_filename ~ .*\.(htm|html|json)$) {
# add_header Cache-Control no-cache;
#}
if ($request_filename ~ .*\.(htm|html)$) { add_header Cache-Control "max-age=60, s-maxage=120"; }
if ($request_filename !~ .*\.(htm|html)$) { add_header Cache-Control "max-age=31536000, s-maxage=86400"; }
# Cross-Origin Resource Sharing
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
proxy_intercept_errors on;
error_page 404 = /;
error_page 401 /401;
error_page 403 /403;
error_page 500 /500;
error_page 502 /502;
error_page 503 /503;
}
# backend project
location /api/ {
proxy_pass http://backend_server;
}
# websocket request
location /socket {
proxy_pass http://backend_server;
proxy_http_version 1.1;
# Upgrade get by http header, Connection get by nginx map
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# geoip
location /geoip2 {
if ( $allowed_country = no ) {
return 444;
}
return 200 '{
"remote_addr": "$remote_addr",
"x_forwarded_for": "$http_x_forwarded_for",
"countryCode": "$geoip2_country_code",
"countryName": "$geoip2_country_name",
"cityName": "$geoip2_city_name",
"citySubdivisions": "$geoip2_subdivisions_name",
"latitude": "$geoip2_latitude",
"longitude": "$geoip2_longitude",
"allowed_country": "$allowed_country"
}';
}
# ip2location
location /ip2location {
if ( $blocked_country = yes ) {
return 444;
}
return 200 '{
"remote_addr": "$remote_addr",
"x_forwarded_for": "$http_x_forwarded_for",
"countryCode": "$ip2location_country_short",
"countryName": "$ip2location_country_long",
"cityRegion": "$ip2location_region",
"cityName": "$ip2location_city",
"locationIsp": "$ip2location_isp",
"latitude": "$ip2location_latitude",
"longitude": "$ip2location_longitude",
"blocked_country": "$blocked_country"
}';
}
}