创建目录
sh
# 创建 Nginx 数据、配置、SSL证书及日志目录
mkdir -p /home/nginx/{data,conf,conf/vhost,conf/ssl,logs}添加配置
编辑配置文件
sh
vim /home/nginx/conf/nginx.conf添加如下配置:
nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_rlimit_nofile 51200;
events {
use epoll;
worker_connections 51200;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 1024m;
client_body_buffer_size 10m;
sendfile on;
tcp_nopush on;
keepalive_timeout 120;
server_tokens off;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
fastcgi_intercept_errors on;
#Gzip Compression
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 6;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml
text/javascript application/javascript application/x-javascript
text/x-json application/json application/x-web-app-manifest+json
text/css text/plain text/x-component
font/opentype application/x-font-ttf application/vnd.ms-fontobject
image/x-icon;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
######################## default ############################
server {
listen 80;
server_name _;
access_log /var/log/nginx/host.access.log combined;
root /usr/share/nginx/html;
index index.html index.htm index.php;
#error_page 404 /404.html;
#error_page 502 /502.html;
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
expires 7d;
access_log off;
}
location ~ ^/(\.user.ini|\.ht|\.git|\.svn|\.project|LICENSE|README.md) {
deny all;
}
}
########################## vhost #############################
include /etc/nginx/vhost/*.conf; # 域名配置
}启动容器
启动 Nginx 容器,挂载目录引用外部配置。
sh
# 启动nginx容器,引用外部配置丶挂载配置及日志等目录
docker run -d \
-p 80:80 \
-p 443:443 \
--name nginx \
--restart=always \
--privileged=true \
-v /home/nginx/conf:/etc/nginx \
-v /home/nginx/logs:/var/log/nginx \
-v /home/nginx/conf/ssl:/etc/nginx/ssl \
-v /home/nginx/data:/usr/share/nginx/html \
-v /home/nginx/conf/nginx.conf:/etc/nginx/nginx.conf nginxvhost 配置
在挂载目录 /home/nginx/conf/vhost/ 下创建虚拟主机(vhost) [domain].conf 配置文件,文件名一般为域名,如:baidu.com.conf。
编辑配置文件 /home/nginx/conf/vhost/baidu.com.conf。
sh
vim /home/nginx/conf/vhost/baidu.com.conf添加如下配置:
nginx
server {
listen 80;
# 这里为域名配置,需自行修改
server_name baidu.com;
access_log off;
index index.html index.htm index.php;
# 可根据自己需求自行修改,挂载目录为: /home/nginx/data/
root /usr/share/nginx/html/default;
#error_page 404 /404.html;
#error_page 502 /502.html;
location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|jpg|gif|png|swf|flv|mp4)$ {
# 这里域名也要替换
valid_referers none blocked *.baidu.com baidu.com;
if ($invalid_referer) {
return 403;
}
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
expires 7d;
access_log off;
}
location ~ /\.ht {
deny all;
}
}https 配置
可以使用 acme.sh 脚本进行免费证书申请,也可以使用自有证书导入。具体申请操作这里不做过多说明,更多有关 acme.sh 使用可参考:acme.sh 证书生成 。
修改 vhost 配置
sh
vim /home/nginx/conf/vhost/baidu.com.conf修改如下配置内容,增加 SSL 配置
nginx
# 修改vhost baidu.com.conf文件 配置
server {
listen 80;
# 监听443端口
listen 443 ssl http2;
# 指定SSL证书文件位置
ssl_certificate ./ssl/baidu.com.pem;
ssl_certificate_key ./ssl/baidu.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_buffer_size 1400;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
# 需自行替换
server_name baidu.com;
access_log off;
index index.html index.htm index.php;
root /usr/share/nginx/html/default;
if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
#error_page 404 /404.html;
#error_page 502 /502.html;
location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|jpg|gif|png|swf|flv|mp4)$ {
# 这里域名也要替换
valid_referers none blocked *.baidu.com baidu.com;
if ($invalid_referer) {
return 403;
}
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
expires 30d;
access_log off;
}
location ~ .*\.(js|css)?$ {
expires 7d;
access_log off;
}
location ~ /\.ht {
deny all;
}
}重载配置
执行如下命令,重新加载 Nginx 配置。
sh
docker exec -it nginx nginx -s reload