NginxProxyManager的配置

作者: /

前提条件

已安装 nginx-proxy-manager

容器内的Nginx配置

# run nginx in foreground
daemon off;
pid /run/nginx/nginx.pid;
user npm;

# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

error_log /data/logs/fallback_error.log warn;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

# Custom
include /data/nginx/custom/root_top[.]conf;

events {
        include /data/nginx/custom/events[.]conf;
}

http {
        include                       /etc/nginx/mime.types;
        default_type                  application/octet-stream;
        sendfile                      on;
        server_tokens                 off;
        tcp_nopush                    on;
        tcp_nodelay                   on;
        client_body_temp_path         /tmp/nginx/body 1 2;
        keepalive_timeout             90s;
        proxy_connect_timeout         90s;
        proxy_send_timeout            90s;
        proxy_read_timeout            90s;
        ssl_prefer_server_ciphers     on;
        gzip                          on;
        proxy_ignore_client_abort     off;
        client_max_body_size          2000m;
        server_names_hash_bucket_size 1024;
        proxy_http_version            1.1;
        proxy_set_header              X-Forwarded-Scheme $scheme;
        proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header              Accept-Encoding "";
        proxy_cache                   off;
        proxy_cache_path              /var/lib/nginx/cache/public  levels=1:2 keys_zone=public-cache:30m max_size=192m;
        proxy_cache_path              /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;

        # Log format and fallback log file
        include /etc/nginx/conf.d/include/log.conf;

        # Dynamically generated resolvers file
        include /etc/nginx/conf.d/include/resolvers.conf;

        # Default upstream scheme
        map $host $forward_scheme {
                default http;
        }

        # Real IP Determination

        # Local subnets:
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.16.0.0/12; # Includes Docker subnet
        set_real_ip_from 192.168.0.0/16;
        # NPM generated CDN ip ranges:
        include conf.d/include/ip_ranges.conf;
        # always put the following 2 lines after ip subnets:
        real_ip_header X-Real-IP;
        real_ip_recursive on;

        # Custom
        include /data/nginx/custom/http_top[.]conf;

        # Files generated by NPM
        include /etc/nginx/conf.d/*.conf;
        include /data/nginx/default_host/*.conf;
        include /data/nginx/proxy_host/*.conf;
        include /data/nginx/redirection_host/*.conf;
        include /data/nginx/dead_host/*.conf;
        include /data/nginx/temp/*.conf;

        # Custom
        include /data/nginx/custom/http[.]conf;
}

stream {
        # Files generated by NPM
        include /data/nginx/stream/*.conf;

        # Custom
        include /data/nginx/custom/stream[.]conf;
}

# Custom
include /data/nginx/custom/root[.]conf;
Nginx
展开

代理服务基本配置

# ------------------------------------------------------------
# domain
# ------------------------------------------------------------

map $scheme $hsts_header {
    https   "max-age=63072000; preload";
}

server {
  set $forward_scheme http;
  set $server         "127.0.0.1";
  set $port           8080;

  listen 80;
listen [::]:80;

  server_name domain;
http2 off;

  access_log /data/logs/proxy-host-4_access.log proxy;
  error_log /data/logs/proxy-host-4_error.log warn;

  location / {

    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

map $scheme $hsts_header 配置

map $scheme $hsts_header {
    https   "max-age=63072000; preload";
}
  • 作用:这是一个变量映射配置,用于根据当前请求的协议($scheme,值为 http 或 https)定义变量 $hsts_header 的值。
  • 规则:当请求使用 https 协议时,$hsts_header 被赋值为 max-age=63072000; preload(HSTS 头的内容);若为 http 协议,该变量默认为空(未匹配时无值)。
  • HSTS 含义:强制客户端(浏览器)使用 HTTPS 访问,max-age=63072000 表示有效期为 2 年(63072000 秒),preload 表示允许将域名加入浏览器内置的 HSTS 预加载列表。

server 块核心配置

server {
  set $forward_scheme http;  # 定义转发协议为 HTTP
  set $server         "127.0.0.1";  # 定义转发的目标服务器 IP
  set $port           9080;  # 定义默认转发端口

  listen 80;  # 监听 IPv4 的 80 端口(HTTP)
  listen [::]:80;  # 监听 IPv6 的 80 端口(HTTP)

  server_name xxxx;  # 匹配的域名:仅处理 xxxx 的请求
  http2 off;  # 关闭 HTTP/2 协议(仅用 HTTP/1.x)
  ...
}

日志与安全配置

# Block Exploits
include conf.d/include/block-exploits.conf;  # 引入漏洞防护规则(如过滤恶意请求)

access_log /data/logs/proxy-host-3_access.log proxy;  # 访问日志路径及格式(使用 "proxy" 格式)
error_log /data/logs/proxy-host-3_error.log warn;  # 错误日志路径,级别为 "warn"(警告及以上)

location / 中的代理配置

location / {
  # 引入代理配置(通常包含通用的代理参数)
  include conf.d/include/proxy.conf;
}

文件位于容器内部(如果使用docker安装),proxy.conf

添加响应头(add_header

  • 作用:当 Nginx 向客户端返回响应时,会添加一个自定义响应头 X-Served-By,其值为 $host(即客户端请求的域名)。
  • 用途:方便调试或追踪请求由哪个域名的服务器处理(尤其在多域名代理场景中有用)。

设置代理请求头(proxy_set_header

proxy_set_header Host $host;  # 传递客户端请求的 Host 头(如 henfx.top)
proxy_set_header X-Forwarded-Scheme $scheme;  # 传递客户端请求的协议(http 或 https)
proxy_set_header X-Forwarded-Proto  $scheme;  # 同上,重复设置可能是为了兼容不同后端的需求
proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;  # 传递客户端真实 IP 及中间代理链
proxy_set_header X-Real-IP          $remote_addr;  # 传递客户端的直接 IP(最原始的客户端 IP)
  • Host 头确保后端服务知道客户端实际请求的域名(否则后端可能认为请求来自 Nginx 服务器的 IP)。
  • X-Forwarded-* 系列头是反向代理的标准做法,让后端服务能识别客户端的真实协议、IP 等(例如,后端程序需要判断用户是用 HTTP 还是 HTTPS 访问时,就依赖 X-Forwarded-Proto)。
  • $proxy_add_x_forwarded_for 会在原有 X-Forwarded-For 头的基础上追加客户端 IP(如果有多层代理,会形成一个 IP 链),而 $remote_addr 是客户端直接连接 Nginx 的 IP(更简洁)。

定义代理转发目标(proxy_pass

proxy_pass       $forward_scheme://$server:$port$request_uri;

指定请求被转发到的后端服务地址,由多个变量拼接而成

  • $forward_scheme:协议
  • $server:后端服务器 IP
  • $port:后端服务端口
  • $request_uri:客户端请求的完整路径(包含查询参数,如 /abc?x=1)。

自定义配置引入

# Custom
include /data/nginx/custom/server_proxy[.]conf;

引入自定义配置文件,实际上并没有这个文件

阻止常见漏洞

配置文件中多出以下配置

  # Block Exploits
  include conf.d/include/block-exploits.conf;
## Block SQL injections
set $block_sql_injections 0;

if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
}

if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
}

if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
}

if ($block_sql_injections = 1) {
        return 403;
}

## Block file injections
set $block_file_injections 0;

if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
}

if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
}

if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
}

if ($block_file_injections = 1) {
        return 403;
}

## Block common exploits
set $block_common_exploits 0;

if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
}

if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
}

if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
}

if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
}

if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
}

if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
}

if ($block_common_exploits = 1) {
        return 403;
}

## Block spam
set $block_spam 0;

if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
        set $block_spam 1;
}

if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
        set $block_spam 1;
}

if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
        set $block_spam 1;
}

if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
        set $block_spam 1;
}

if ($block_spam = 1) {
        return 403;
}

## Block user agents
set $block_user_agents 0;

# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
        set $block_user_agents 1;
}

# Common bandwidth hoggers and hacking tools.
if ($http_user_agent ~ "libwww-perl") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "GetRight") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "GetWeb!") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "Go!Zilla") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "Download Demon") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "Go-Ahead-Got-It") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "TurnitinBot") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "GrabNet") {
        set $block_user_agents 1;
}

if ($block_user_agents = 1) {
        return 403;
}
Nginx
展开

缓存资源

配置文件中多出以下配置

  # Asset Caching
  include conf.d/include/assets.conf;

assets.conf:

location ~* ^.*\.(css|js|jpe?g|gif|png|webp|woff|woff2|eot|ttf|svg|ico|css\.map|js\.map)$ {
        if_modified_since off;

        # use the public cache
        proxy_cache public-cache;
        proxy_cache_key $host$request_uri;

        # ignore these headers for media
        proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;

        # cache 200s and also 404s (not ideal but there are a few 404 images for some reason)
        proxy_cache_valid any 30m;
        proxy_cache_valid 404 1m;

        # strip this header to avoid If-Modified-Since requests
        proxy_hide_header Last-Modified;
        proxy_hide_header Cache-Control;
        proxy_hide_header Vary;

        proxy_cache_bypass 0;
        proxy_no_cache 0;

        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_404;
        proxy_connect_timeout 5s;
        proxy_read_timeout 45s;

        expires @30m;
        access_log  off;

        include conf.d/include/proxy.conf;
}
Nginx

匹配常见的静态资源文件扩展名

缓存配置

  • proxy_cache public-cache:使用名为 “public-cache” 的缓存区域
  • proxy_cache_key $host$request_uri:以域名+请求URI作为缓存键
  • proxy_cache_valid any 30m:所有状态码缓存30分钟
  • proxy_cache_valid 404 1m:404响应缓存1分钟

头信息处理

  • 忽略后端设置的缓存相关头信息
  • 隐藏 Last-Modified、Cache-Control、Vary 头
  • 关闭 If-Modified-Since 功能

其他设置

  • expires @30m:设置浏览器缓存30分钟
  • access_log off:关闭访问日志
  • 包含代理配置文件 proxy.conf

自定义位置

自定义配置会出现在location的起始行

自定义配置

自定义配置其实就是location块

重定向

只提供了域名的重定向

map $scheme $hsts_header {
    https   "max-age=63072000; preload";
}

server {
  listen 80;
  listen [::]:80;

  server_name domain.com;
  http2 off;

  access_log /data/logs/redirection-host-1_access.log standard;
  error_log /data/logs/redirection-host-1_error.log warn;

  location / {
        return 302 http://domain.top$request_uri;
  }

  # Custom
  include /data/nginx/custom/server_redirect[.]conf;
}
Nginx

如果需要

  • 特定路径重定向
  • HTTP 到 HTTPS 重定向
  • 非www到www重定向
  • 多域名重定向到主域名
  • 基于条件的重定向
  • 位置块内的重定向
  • 错误页面重定向

则需要在高级页面手动编辑

重定向状态码

  • 301: 永久重定向 – 浏览器会缓存,SEO友好
  • 302: 临时重定向 – 浏览器不会缓存
  • 307: 临时重定向,保持请求方法
  • 308: 永久重定向,保持请求方法

端口转发

# ------------------------------------------------------------
# 8080 TCP: true UDP: false
# ------------------------------------------------------------


server {
  listen 8080;
  listen [::]:8080;

  proxy_pass 192.168.1.55:8083;

  # Custom
  include /data/nginx/custom/server_stream[.]conf;
  include /data/nginx/custom/server_stream_tcp[.]conf;
}
Nginx

工作流程

客户端 ───TCP连接───> Nginx:8080 ───TCP连接───> 后端服务器:8083
      (192.168.1.100)          (192.168.1.55)

错误页面

默认的配置并不是设置错误页面,而是废弃或停用输入的域名

map $scheme $hsts_header {
    https   "max-age=63072000; preload";
}

server {
  listen 80;
  listen [::]:80;
  server_name error.domain.con;
  http2 off;

  access_log /data/logs/dead-host-1_access.log standard;
  error_log /data/logs/dead-host-1_error.log warn;

  location / {
    return 404;
  }

  # Custom
  include /data/nginx/custom/server_dead[.]conf;
}
Nginx

从配置上看是对所有路径的请求直接返回 404 状态码

发表评论

您的邮箱地址不会被公开。 必填项已用 * 标注

滚动至顶部