nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

# base on nginx 1.16.1

user nginx;
# worker_processes auto;
worker_processes 4;
error_log /var/log/nginx/error.log error;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
    accept_mutex on;
    use epoll;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" "$server_name" $server_port';

    # 日志不立即写入磁盘，提高性能
    access_log  /var/log/nginx/access.log  main buffer=32k flush=1m;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   30;
    types_hash_max_size 2048;
    server_tokens  off;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    gzip on;
    gzip_min_length 2k;
    gzip_comp_level 4;
    gzip_types text/css text/xml image/gif image/jpeg application/javascript application/rss+xml text/plain image/png image/tiff image/x-icon image/x-ms-bmp image/svg+xml application/json;
    gzip_vary on;
    gzip_buffers 4 16k;
    # gzip_http_version 1.0;

    # 启用 Brotli 压缩，需要重新编译加入 Brotli 模块，可以与 gzip 共存，相对 gzip 压缩率更高，占用资源更少，不过只支持 https
    brotli on;
    brotli_static on;   # 预压缩
    brotli_min_length 2k;
    brotli_comp_level 6;    # 0-11
    brotli_window 512k;
    brotli_types text/css text/xml image/gif image/jpeg application/javascript application/rss+xml text/plain image/png image/tiff image/x-icon image/x-ms-bmp image/svg+xml application/json;
    brotli_buffers 4 16k;   # 最新版官方已经废弃忽略的选项

    upstream wsgi-blogbackend {
	    ip_hash;
        server 127.0.0.1:8002 max_fails=3 fail_timeout=0;
    }

	server {
		listen 80 default_server;
		listen [::]:80 default_server;
		server_name www.blog.com;
		# add_header X-Frame-Options "DENY";
        if ($host != $server_name) {    # 禁止IP访问，只能使用域名访问
            return 400;
        }

        # 封禁爬虫
        if ($http_user_agent ~* "^$|Baiduspider|Bytespider|EasouSpider|EtaoSpider|dotbot|Sougou|Scrapy|YisouSpider|bingbot|360Spider|Sogou web spider")
        {
            return 500;
        }

        location ~* \.(php|asp||aspx|jsp)$ {
            return 500;
        }

	    location /static {
        	root /home/workspace/blogproject;
        	# expires 30d;
        	if ($request_filename ~* .*\.(css|js|gif|jpg|jpeg|png|bmp|swf|svg)$)
            {
                expires 7d;
            }
    	}

	    location /media {   # 防止目录穿越， location 和 alias 都不加 /
        	alias /home/workspace/blogproject/uploads;
        	# expires 30d;
        	if ($request_filename ~* .*\.(css|js|gif|jpg|jpeg|png|bmp|swf|svg)$)
            {
                expires 7d;
            }
    	}

        location / {
            try_files $uri @proxy_to_app;
        }

        location @proxy_to_app {
		    proxy_pass http://wsgi-blogbackend;
        	proxy_http_version 1.1;
        	proxy_redirect off;
        	proxy_set_header Host $host;
        	proxy_set_header X-Real-IP $remote_addr;
        	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        	proxy_set_header X-Forwarded-Proto $scheme;
        	proxy_set_header X-Forwarded-Port $server_port;
        	proxy_set_header X-Forwarded-Host $server_name;
        	proxy_intercept_errors on;
        }

        location = /favicon.ico {
                 access_log off;    #关闭正常访问日志
        }

        error_page 404 /404.html;
        location = /404.html {
            root   /usr/share/nginx/html;
            if ( $request_uri ~ ^/favicon\.ico$ ) {    #关闭favicon.ico 404错误日志
                access_log off;
            }
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
	}

	server {
		listen 80;
		listen [::]:80;
		server_name www.leffss.com;
		add_header X-Frame-Options "DENY";
		return 307 https://$host$request_uri;
	}

    upstream wsgi-backend {
	    ip_hash;
        server 127.0.0.1:8000 max_fails=3 fail_timeout=0;
    }

    upstream asgi-backend {
	    ip_hash;
        server 127.0.0.1:8001 max_fails=3 fail_timeout=0;
    }

    # Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  www.leffss.com;

        ssl_certificate "/etc/nginx/server.crt";
        ssl_certificate_key "/etc/nginx/server.key";
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout  10m;
        #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;    # nginx 支持 TLSv1.3 但是系统自带 openssl 版本太低不支持
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        #ssl_ciphers HIGH:!aNULL:!MD5;
        #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
        ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256::!MD5;
        ssl_prefer_server_ciphers on;
	    client_max_body_size 30m;
	    # http2_push_preload on;  # http2 主动推送
	
	    # HSTS 31536000 one year
	    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
	    add_header X-Frame-Options "DENY";
        
	    # Load configuration files for the default server block.
        # include /etc/nginx/default.d/*.conf;
	    # location /static/ {
        #	alias /home/workspace/devops/static/;
        #	expires 1h;
    	# }

	    # location /media/ {
        #	alias /home/workspace/devops/media/;
        #	expires 1h;
    	# }

        # 【=】模式: location = path,此种模式优先级最高（但要全路径匹配）
        # 【^~】模式:location ^~ path,此种模式优先级第二高于正则；
        # 【~ or ~*】模式:location ~ path,正则模式，优先级第三，【~】正则匹配区分大小写，【~*】正则匹配不区分大小写；
        # 【path】模式: location path,中间什么都不加，直接跟路径表达式；

        # location = /uri 　　　= 开头表示精确匹配，只有完全匹配上才能生效。最高优先级。
        # location ^~ /uri 　　^~ 开头对URL路径进行前缀匹配，并且在正则之前。
        # location ~ pattern 　~ 开头表示区分大小写的正则匹配。
        # location ~* pattern 　~* 开头表示不区分大小写的正则匹配。
        # !~和!~* 分别为区分大小写不匹配及不区分大小写不匹配的正则
        # location /uri 　　　　不带任何修饰符，也表示前缀匹配，但是在正则匹配之后。
        # location / 　　　　　通用匹配，任何未匹配到其它location的请求都会匹配到，相当于switch中的default。

	    #location ~* .*\.(css|js|gif|jpg|jpeg|png|bmp|swf|svg)$ {
        #	expires 30d;
    	#}

        if ($host != $server_name) {    # 禁止IP访问，只能使用域名访问
            return 400;
        }

        # 封禁爬虫
        if ($http_user_agent ~* "^$|Baiduspider|Bytespider|EasouSpider|EtaoSpider|dotbot|Sougou|Scrapy|YisouSpider|bingbot|360Spider|Sogou web spider")
        {
            return 500;
        }

        location ^~ /admin {
            return 500;
        }

        location ~* \.(php|asp||aspx|jsp)$ {
            return 500;
        }

	    location ~* ^/(media|static) {
        	root /home/workspace/devops;
        	# expires 30d;
        	if ($request_filename ~* .*\.(css|js|gif|jpg|jpeg|png|bmp|swf|svg)$)
            {
                expires 7d;
            }
    	}

        location /ws {
            try_files $uri @proxy_to_ws;
        }

        location @proxy_to_ws {
		    proxy_pass http://asgi-backend;
        	proxy_http_version 1.1;
        	proxy_set_header Upgrade $http_upgrade;
        	proxy_set_header Connection "upgrade";
        	proxy_redirect off;
        	proxy_set_header Host $host;
        	proxy_set_header X-Real-IP $remote_addr;
        	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        	proxy_set_header X-Forwarded-Proto $scheme;
        	proxy_set_header X-Forwarded-Port $server_port;
        	proxy_set_header X-Forwarded-Host $server_name;
        	proxy_intercept_errors on; #获取后端错误码并处理
        	recursive_error_pages on;
        }

        location / {
            try_files $uri @proxy_to_app;
        }

        location @proxy_to_app {
		    proxy_pass http://wsgi-backend;
        	proxy_http_version 1.1;
        	proxy_redirect off;
        	proxy_set_header Host $host;
        	proxy_set_header X-Real-IP $remote_addr;
        	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        	proxy_set_header X-Forwarded-Proto $scheme;
        	proxy_set_header X-Forwarded-Port $server_port;
        	proxy_set_header X-Forwarded-Host $server_name;
        	proxy_intercept_errors on;
        	recursive_error_pages on;
        }

        location = /favicon.ico {
                 access_log off;    #关闭正常访问日志
        }

        error_page 404 /404.html;
        location = /404.html {
            root   /usr/share/nginx/html;
            if ( $request_uri ~ ^/favicon\.ico$ ) {    #关闭favicon.ico 404错误日志
                access_log off;
            }
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

}