Common Nginx Configuration Explained

Common Nginx Configuration Explained (Part 1)

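This article walks through commonly used nginx configuration directives, following the documentation on the official nginx site. It has not been proofread, so please forgive any errors.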

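General Nginx configuration syntax

The most basic nginx configuration syntax

directive_name value1 [value2 ...];
The directive name comes at the start of the line and is separated from its values by whitespace; multiple values are also separated by whitespace. Every directive must end with a semicolon.

#directive_name value1 [value2 ...];
# A leading # comments out the line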

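The nginx configuration is divided into blocks. The main block holds the global configuration, which every sub-block inherits; each sub-block also has its own directives.

main block: main (global) configuration
    events {
        ...
    }   # event-handling configuration block
    http {
        ...
    }   # HTTP/HTTPS configuration block
    mail {
        ...
    }   # mail server configuration block
    stream {
        ...
    }   # stream server configuration block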

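Main block configuration

Main-block directives fall into four functional categories:

  1. Directives required for normal operation
  2. Performance-tuning directives
  3. Directives for debugging and troubleshooting
  4. Event-handling directives

I. Directives required for normal operation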

user

Syntax: user user [group];
Default: user nobody nobody;
Context: main

Defines user and group credentials used by worker processes. If group is omitted, a group whose name equals that of user is used.
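Sets the user and group credentials used by the worker processes. If the group is omitted, the group name is taken to be the same as the user name.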

pid

Syntax: pid file;
Default: pid nginx.pid;
Context: main

Defines a file that will store the process ID of the main process.
Specifies the path of the file that stores the process ID of the nginx master process.

include

Syntax: include file | mask;
Default: —
Context: any

Includes another file, or files matching the specified mask, into configuration. Included files should consist of syntactically correct directives and blocks.
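A configuration file can pull in other configuration files. The include argument can be an explicit file name or a name containing wildcards. (The path can be absolute or relative; a relative path is resolved against the nginx configuration file, that is, the directory containing nginx.conf.)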

load_module

Syntax: load_module file;
Default: —
Context: main
This directive appeared in version 1.9.11.

Loads a dynamic module.
Loads a dynamic module. The directive is available only from nginx 1.9.11 onward.

II. Performance-tuning directives

worker_processes

Syntax: worker_processes number | auto;
Default: worker_processes 1;
Context: main

Defines the number of worker processes.

The optimal value depends on many factors including (but not limited to) the number of CPU cores, the number of hard disk drives that store data, and load pattern. When one is in doubt, setting it to the number of available CPU cores would be a good start (the value “auto” will try to autodetect it).
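Defines the number of worker processes. This setting directly affects performance, and the best value depends on many factors, including but not limited to the number of CPU cores, the number of hard disks that store data, and the load pattern. A good choice is the number of available CPU cores (auto detects the core count and uses it as the value).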

worker_cpu_affinity

Syntax: worker_cpu_affinity cpumask ...;
        worker_cpu_affinity auto [cpumask];
Default: —
Context: main

Binds worker processes to the sets of CPUs. Each CPU set is represented by a bitmask of allowed CPUs. There should be a separate set defined for each of the worker processes. By default, worker processes are not bound to any specific CPUs.
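Binds worker processes to the configured sets of CPUs. Each CPU set is written as a bitmask, and one mask is given for each worker process. By default, worker processes are not bound to any CPU. (Each bit of a cpumask stands for one CPU core.)
For example:
On a host with four cores, start four worker processes and bind each one to its own CPU:

worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;

On a host with four cores, start two worker processes, binding the first to CPU0/CPU2 and the second to CPU1/CPU3:

worker_processes 2;
worker_cpu_affinity 0101 1010;

Automatic binding:

worker_processes auto;
worker_cpu_affinity auto;

Automatic binding restricted to a subset of CPUs:

worker_cpu_affinity auto 01010101;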

worker_priority

Syntax: worker_priority number;
Default: worker_priority 0;
Context: main

Defines the scheduling priority for worker processes like it is done by the nice command: a negative number means higher priority. Allowed range normally varies from -20 to 20.
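Defines the priority of the worker processes, in the same way as the nice command: a negative number means higher priority, and the value ranges from -20 to 20.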

worker_rlimit_nofile

Syntax: worker_rlimit_nofile number;
Default: —
Context: main

Changes the limit on the maximum number of open files (RLIMIT_NOFILE) for worker processes. Used to increase the limit without restarting the main process.
Changes the maximum number of files a worker process can open. The limit can be raised without restarting the main process.

III. Debugging and troubleshooting

daemon

Syntax: daemon on | off;
Default: daemon on;
Context: main

Determines whether nginx should become a daemon. Mainly used during development.
Determines whether nginx becomes a daemon. Mainly used during development.

master_process

Syntax: master_process on | off;
Default: master_process on;
Context: main

Determines whether worker processes are started. This directive is intended for nginx developers.
Determines whether worker processes are started. The directive is intended for nginx developers.

error_log

Syntax: error_log file [level];
Default: error_log logs/error.log error;
Context: main, http, mail, stream, server, location

Configures logging. Several logs can be specified on the same level (1.5.2). If on the main configuration level writing a log to a file is not explicitly defined, the default file will be used.

The first parameter defines a file that will store the log. The special value stderr selects the standard error file. Logging to syslog can be configured by specifying the “syslog:” prefix. Logging to a cyclic memory buffer can be configured by specifying the “memory:” prefix and buffer size, and is generally used for debugging (1.7.11).

The second parameter determines the level of logging, and can be one of the following: debug, info, notice, warn, error, crit, alert, or emerg. Log levels above are listed in the order of increasing severity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged. For example, the default level error will cause error, crit, alert, and emerg messages to be logged. If this parameter is omitted then error is used.
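Configures logging. Several logs can be specified on the same level. If the main configuration level does not explicitly name a log file, the default file is used.

The first parameter defines the file that stores the log. The special value stderr selects the standard error file. Logging to syslog is configured with the syslog: prefix. Logging to a cyclic memory buffer is configured with the memory: prefix plus a buffer size, and is generally used for debugging.

The second parameter sets the log level, one of debug, info, notice, warn, error, crit, alert, emerg, listed from least to most severe. Once a level is set, messages of that level and of all more severe levels are logged. For example, the error level logs error, crit, alert and emerg messages. If the parameter is omitted, the level defaults to error.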

IV. Event-handling directives

Event-handling directives are placed in the events block:

events {
    ...
}

worker_connections

Syntax: worker_connections number;
Default: worker_connections 512;
Context: events

Sets the maximum number of simultaneous connections that can be opened by a worker process.

It should be kept in mind that this number includes all connections (e.g. connections with proxied servers, among others), not only connections with clients. Another consideration is that the actual number of simultaneous connections cannot exceed the current limit on the maximum number of open files, which can be changed by worker_rlimit_nofile.
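Sets the maximum number of simultaneous connections a worker process can open.

Note that this number counts all connections (for example, connections with proxied servers), not only client connections.
Also note that the actual number of simultaneous connections cannot exceed the open-file limit, which can be changed with worker_rlimit_nofile.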

use

Syntax: use method;
Default: —
Context: events

Specifies the connection processing method to use. There is normally no need to specify it explicitly, because nginx will by default use the most efficient method.
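Specifies the connection processing method to use. It normally does not need to be set explicitly, because nginx uses the most efficient method by default.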

accept_mutex

Syntax: accept_mutex on | off;
Default: accept_mutex off;
Context: events

If accept_mutex is enabled, worker processes will accept new connections by turn. Otherwise, all worker processes will be notified about new connections, and if volume of new connections is low, some of the worker processes may just waste system resources.
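If accept_mutex is enabled, worker processes take turns accepting new connections. Otherwise every worker process is notified about each new connection, and when few new connections arrive, some worker processes just waste system resources.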

accept_mutex_delay

Syntax: accept_mutex_delay time;
Default: accept_mutex_delay 500ms;
Context: events

If accept_mutex is enabled, specifies the maximum time during which a worker process will try to restart accepting new connections if another worker process is currently accepting new connections.
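With accept_mutex enabled, sets the maximum time a worker process waits before trying again to accept new connections while another worker process is accepting them.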

http block configuration

The http block sits inside the overall configuration. Its general layout is:

http {
    ... ...
    server {
        ...
        server_name
        root
        location [OPERATOR] /uri/ {
            ...
        }
    }
    server {
        ...
    }
}

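Directives in the http block fall into roughly five functional categories:

  1. Socket-related directives
  2. Path-definition directives
  3. Directives for handling client requests
  4. Directives that restrict clients
  5. File-operation optimization directives

I. Socket-related directives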

server

Syntax: server { ... }
Default: —
Context: http

Sets configuration for a virtual server. There is no clear separation between IP-based (based on the IP address) and name-based (based on the “Host” request header field) virtual servers. Instead, the listen directives describe all addresses and ports that should accept connections for the server, and the server_name directive lists all server names.
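Configures a virtual server. IP-based and Host-based virtual servers do not need to be kept apart: the listen directives describe the addresses and ports on which the server accepts connections, and the server_name directive lists all of its names.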

listen

Syntax: listen address[:port] [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
        listen port [default_server] [ssl] [http2 | spdy] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on|off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
        listen unix:path [default_server] [ssl] [http2 | spdy] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
Default: listen *:80 | *:8000;
Context: server

Sets the address and port for IP, or the path for a UNIX-domain socket on which the server will accept requests. Both address and port, or only address or only port can be specified. An address may also be a hostname.
Sets the address and port for IP, or the path of the UNIX-domain socket on which the server accepts requests. Both address and port can be given, or only address, or only port; address can also be a hostname.
For example:

listen 127.0.0.1:8000;
listen 127.0.0.1;
listen 8000;
listen *:8000;
listen localhost:8000;

UNIX-domain sockets (0.8.21) are specified with the “unix:” prefix:
A UNIX-domain socket is specified with the unix: prefix:

listen unix:/var/run/nginx.sock;

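The directive has many parameters, most of which are not needed at this stage, so only the commonly used ones are explained briefly here.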

default_server

The default_server parameter, if present, will cause the server to become the default server for the specified address:port pair. If none of the directives have the default_server parameter then the first server with the address:port pair will be the default server for this pair.
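Makes this server the default virtual host for the given address:port pair. If no server is explicitly marked as the default, the first server for that pair becomes its default.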

ssl

The ssl parameter (0.7.14) allows specifying that all connections accepted on this port should work in SSL mode. This allows for a more compact configuration for the server that handles both HTTP and HTTPS requests.
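The ssl parameter specifies that all connections accepted on this port must work in SSL mode, which keeps the configuration compact for a server that handles both HTTP and HTTPS requests.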

http2

The http2 parameter (1.9.5) configures the port to accept HTTP/2 connections. Normally, for this to work the ssl parameter should be specified as well, but nginx can also be configured to accept HTTP/2 connections without SSL.
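The http2 parameter configures the port to accept HTTP/2 connections. HTTP/2 normally requires ssl to be specified as well, but nginx can also be configured to accept HTTP/2 connections without SSL.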

spdy

The spdy parameter (1.3.15-1.9.4) allows accepting SPDY connections on this port. Normally, for this to work the ssl parameter should be specified as well, but nginx can also be configured to accept SPDY connections without SSL.
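The spdy parameter allows the port to accept SPDY connections. SPDY normally requires ssl to be specified as well, but nginx can also be configured to accept SPDY connections without SSL.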

proxy_protocol

The proxy_protocol parameter (1.5.12) allows specifying that all connections accepted on this port should use the PROXY protocol.
The proxy_protocol parameter specifies that all connections accepted on this port use the PROXY protocol.

backlog

sets the backlog parameter in the listen() call that limits the maximum length for the queue of pending connections. By default, backlog is set to -1 on FreeBSD, DragonFly BSD, and macOS, and to 511 on other platforms.
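The backlog parameter is passed to the listen() call and limits the length of the queue of pending connections. The default is -1 on FreeBSD, DragonFly BSD, and macOS, and 511 on other platforms.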

rcvbuf

sets the receive buffer size (the SO_RCVBUF option) for the listening socket.
Sets the receive buffer size of the listening socket.

sndbuf

sets the send buffer size (the SO_SNDBUF option) for the listening socket.
Sets the send buffer size of the listening socket.

server_name

Syntax: server_name name ...;
Default: server_name "";
Context: server

Sets names of a virtual server, for example:
Sets the names of a virtual server, for example:

server {
    server_name example.com www.example.com;
}

The first name becomes the primary server name.
The first name becomes the primary name of the virtual server.
Server names can include an asterisk (“*”) replacing the first or last part of a name:
The first or last part of a server name can be replaced with the wildcard *:

server {
    server_name example.com *.example.com www.example.*;
}

The first two of the names mentioned above can be combined in one:
The first two names can be shortened to one:

server {
    server_name .example.com;
}

It is also possible to use regular expressions in server names, preceding the name with a tilde (“~”):
Regular expressions can also be used to match server names; the expression must be preceded by ~:

server {
    server_name www.example.com ~^www\d+\.example\.com$;
}

Regular expressions can contain captures (0.7.40) that can later be used in other directives:
The capture groups of a regular expression can be used in other directives:

server {
    server_name ~^(www\.)?(.+)$;

    location / {
        root /sites/$2;
    }
}

server {
    server_name _;

    location / {
        root /sites/default;
    }
}

Named captures in regular expressions create variables (0.8.25) that can later be used in other directives:
Regular-expression names have lower matching priority than the other kinds of names.

server {
    server_name ~^(www\.)?(?<domain>.+)$;

    location / {
        root /sites/$domain;
    }
}

server {
    server_name _;

    location / {
        root /sites/default;
    }
}

If the directive’s parameter is set to “$hostname” (0.9.4), the machine’s hostname is inserted.
If the parameter is set to the variable $hostname, the machine's hostname is inserted (available from version 0.9.4).
It is also possible to specify an empty server name (0.7.11):
An empty server name can also be specified (available from version 0.7.11):

server {
    server_name www.example.com "";
}

It allows this server to process requests without the “Host” header field — instead of the default server — for the given address:port pair. This is the default setting.
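This lets the server, rather than the default server, handle requests that carry no Host header field for the given address:port pair. This is the default setting.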

Before 0.8.48, the machine’s hostname was used by default. 
Before version 0.8.48, the machine's hostname was the default.

During searching for a virtual server by name, if the name matches more than one of the specified variants, (e.g. both a wildcard name and regular expression match), the first matching variant will be chosen, in the following order of priority:
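When a virtual server is looked up by name and the name matches more than one variant (for example both a wildcard name and a regular expression), the first match is chosen in this order of priority: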

the exact name
the longest wildcard name starting with an asterisk, e.g. “*.example.com”
the longest wildcard name ending with an asterisk, e.g. “mail.*”
the first matching regular expression (in order of appearance in the configuration file)

1. Exact string match
2. Wildcard with a leading *
3. Wildcard with a trailing *
4. Regular expression
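The priority order above, worked through in code (an added example, not code from nginx or from the original article). The names `select_server`, `SAMPLE` and the server labels are made up for illustration, Python's `re` stands in for PCRE, and the `.example.com` form is treated as a leading wildcard that also matches the bare domain.

```python
import re
from typing import List, Optional, Tuple

Server = Tuple[str, List[str]]  # (label, values of its server_name directive)

# Constructed sample: one server per kind of name discussed above.
SAMPLE: List[Server] = [
    ("default", ["_"]),                       # first server acts as default
    ("exact", ["www.example.com"]),
    ("lead", ["*.example.com"]),
    ("trail", ["www.example.*"]),
    ("regex", [r"~^www\d+\.example\.(com|net)$"]),
    ("regex2", [r"~^www"]),                   # later regex, loses to "regex"
]


def _leading_len(name: str, host: str) -> int:
    """Length of a matching '*.suffix' or '.suffix' name, or 0 if no match."""
    if name.startswith("*."):
        suffix = name[1:]
        return len(name) if host.endswith(suffix) and len(host) > len(suffix) else 0
    if name.startswith("."):
        return len(name) if host == name[1:] or host.endswith(name) else 0
    return 0


def _trailing_len(name: str, host: str) -> int:
    """Length of a matching 'prefix.*' name, or 0 if no match."""
    if name.endswith(".*"):
        prefix = name[:-1]
        return len(name) if host.startswith(prefix) and len(host) > len(prefix) else 0
    return 0


def select_server(servers: List[Server], host: str) -> Optional[str]:
    """Return the label of the server that would handle this host name."""
    host = host.lower()

    # 1. Exact name (this also covers the empty name "" for a missing Host).
    for label, names in servers:
        for name in names:
            plain = not name.startswith(("~", ".")) and "*" not in name
            if plain and name.lower() == host:
                return label

    # 2. Longest leading wildcard, then 3. longest trailing wildcard.
    for length_of in (_leading_len, _trailing_len):
        best = max(
            ((length_of(name.lower(), host), label)
             for label, names in servers for name in names),
            key=lambda pair: pair[0],
            default=(0, None),
        )
        if best[0] > 0:
            return best[1]

    # 4. First matching regular expression, in configuration order.
    for label, names in servers:
        for name in names:
            if name.startswith("~") and re.search(name[1:], host, re.IGNORECASE):
                return label

    # Nothing matched: the first server for the address:port pair is the default.
    return servers[0][0] if servers else None


if __name__ == "__main__":
    for h in ["www.example.com", "www1.example.com", "www.example.org",
              "www7.example.net", "other.test"]:
        print(f"{h:20} -> {select_server(SAMPLE, h)}")
```

Note that `www1.example.com` is served by the `*.example.com` server even though a regular expression also matches it, which is why a regex-only rule should not be relied on when a wildcard name covers the same hosts.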

tcp_nodelay

Syntax: tcp_nodelay on | off;
Default: tcp_nodelay on;
Context: http, server, location

Enables or disables the use of the TCP_NODELAY option. The option is enabled only when a connection is transitioned into the keep-alive state.
Enables or disables the TCP_NODELAY option. The option takes effect only once a connection has switched to the keep-alive state.

sendfile

Syntax: sendfile on | off;
Default: sendfile off;
Context: http, server, location, if in location

Enables or disables the use of sendfile().
In this configuration, sendfile() is called with the SF_NODISKIO flag which causes it not to block on disk I/O, but, instead, report back that the data are not in memory. nginx then initiates an asynchronous data load by reading one byte. On the first read, the FreeBSD kernel loads the first 128K bytes of a file into memory, although next reads will only load data in 16K chunks. This can be changed using the read_ahead directive.
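Enables or disables the use of sendfile().
In this configuration, sendfile() is called with the SF_NODISKIO flag, so it does not block on disk I/O and instead reports that the data are not in memory. nginx then starts an asynchronous data load by reading one byte. On the first read the FreeBSD kernel loads the first 128K bytes of the file into memory, while later reads load data only in 16K chunks. This can be changed with the read_ahead directive.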

tcp_nopush

Syntax: tcp_nopush on | off;
Default: tcp_nopush off;
Context: http, server, location

Enables or disables the use of the TCP_NOPUSH socket option on FreeBSD or the TCP_CORK socket option on Linux. The options are enabled only when sendfile is used. Enabling the option allows
Enables or disables the TCP_NOPUSH socket option on FreeBSD or the TCP_CORK socket option on Linux. The options take effect only when sendfile is used. Enabling the option allows

  • sending the response header and the beginning of a file in one packet, on Linux and FreeBSD 4.;
    the response header and the beginning of a file go out in one packet (on Linux and FreeBSD 4.)
  • sending a file in full packets.
    a file is sent in full packets

II. Path-definition directives

root

Syntax: root path;
Default: root html;
Context: http, server, location, if in location

Sets the root directory for requests. For example, with the following configuration
Sets the root directory for requests, for example with the following configuration:

location /i/ {
    root /data/w3;
}

The /data/w3/i/top.gif file will be sent in response to the “/i/top.gif” request.
The file /data/w3/i/top.gif is sent in response to a request for /i/top.gif.
The path value can contain variables, except $document_root and $realpath_root.
The value can contain variables, except $document_root and $realpath_root.

With root, the configured directory stands in for the leftmost / of the location path.

alias

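Sets an alias for a site path; usage is essentially the same as root.
With alias, the configured directory replaces the location path up to and including its rightmost /.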

location

Syntax: location [ = | ~ | ~* | ^~ ] uri { ... }
        location @name { ... }
Default: —
Context: server, location

Sets configuration depending on a request URI.
Sets configuration according to the request URI.
The matching is performed against a normalized URI, after decoding the text encoded in the “%XX” form, resolving references to relative path components “.” and “..”, and possible compression of two or more adjacent slashes into a single slash.
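Matching is performed against the normalized URI: text encoded as %XX is decoded, references to the relative path components . and .. are resolved, and two or more adjacent slashes may be compressed into one.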
A location can either be defined by a prefix string, or by a regular expression. Regular expressions are specified with the preceding “~*” modifier (for case-insensitive matching), or the “~” modifier (for case-sensitive matching). To find location matching a given request, nginx first checks locations defined using the prefix strings (prefix locations). Among them, the location with the longest matching prefix is selected and remembered. Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used.
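A location can be defined by a prefix string or by a regular expression. Regular expressions use the ~* modifier for case-insensitive matching or the ~ modifier for case-sensitive matching. To find the location for a request, nginx first checks the locations defined by prefix strings; the longest matching prefix is selected and remembered. The regular expressions are then checked in the order they appear in the configuration file. The search stops at the first regular expression that matches, and its configuration is used. If no regular expression matches, the configuration of the remembered prefix location is used.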
location blocks can be nested, with some exceptions mentioned below.
location blocks can be nested.

Regular expressions can contain captures (0.7.40) that can later be used in other directives.
Regular expressions can capture groups (0.7.40) for later use in other directives.
If the longest matching prefix location has the “^~” modifier then regular expressions are not checked.
If the longest matching prefix location has the ^~ modifier, regular expressions are not checked.
Also, using the “=” modifier it is possible to define an exact match of URI and location. If an exact match is found, the search terminates. For example, if a “/” request happens frequently, defining “location = /” will speed up the processing of these requests, as search terminates right after the first comparison. Such a location cannot obviously contain nested locations.
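Likewise, the = modifier defines an exact match between URI and location; if an exact match is found, the search stops. For example, if “/” is requested frequently, defining “location = /” ends the search after the first comparison and speeds up the processing of these requests. Such a location cannot contain nested locations.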

Let’s illustrate the above by an example:

location = / {
    [ configuration A ]
}

location / {
    [ configuration B ]
}

location /documents/ {
    [ configuration C ]
}

location ^~ /images/ {
    [ configuration D ]
}

location ~* \.(gif|jpg|jpeg)$ {
    [ configuration E ]
}

The “/” request will match configuration A, the “/index.html” request will match configuration B, the “/documents/document.html” request will match configuration C, the “/images/1.gif” request will match configuration D, and the “/documents/1.jpg” request will match configuration E.
A request for “/” matches configuration A,
“/index.html” matches B,
“/documents/document.html” matches C,
“/images/1.gif” matches D,
and “/documents/1.jpg” matches E.
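The selection order described above, written as a small simulator and run against the five example locations (an added example, not code from nginx or from the original article). `Location`, `normalize_uri` and `select_location` are names made up here, Python's `re` stands in for PCRE, and the normalizer is a simplification that treats a path climbing above the root as invalid.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Location:
    modifier: str  # "" (plain prefix), "=", "^~", "~" or "~*"
    pattern: str
    config: str    # label of the configuration block, e.g. "A"


# The five locations from the example above.
EXAMPLE = [
    Location("=", "/", "A"),
    Location("", "/", "B"),
    Location("", "/documents/", "C"),
    Location("^~", "/images/", "D"),
    Location("~*", r"\.(gif|jpg|jpeg)$", "E"),
]


def normalize_uri(raw: str) -> str:
    """Decode %XX, resolve '.' and '..', and merge adjacent slashes."""
    segments = unquote(raw).split("/")
    kept: List[str] = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not kept:
                raise ValueError("path climbs above the root: %r" % raw)
            kept.pop()
        else:
            kept.append(seg)
    normalized = "/" + "/".join(kept)
    # Keep a trailing slash when the raw path ended on a directory reference.
    if kept and segments[-1] in ("", ".", ".."):
        normalized += "/"
    return normalized


def select_location(locations: List[Location], raw_uri: str) -> Optional[Location]:
    """Return the location that would handle raw_uri, or None."""
    uri = normalize_uri(raw_uri)

    # "=": an exact match ends the search immediately.
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc

    # Prefix locations: remember the longest matching prefix.
    best: Optional[Location] = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc

    # "^~" on the longest prefix means regular expressions are skipped.
    if best is not None and best.modifier == "^~":
        return best

    # Regular expressions, in configuration order; the first match wins.
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc

    # No regular expression matched: fall back to the remembered prefix.
    return best


if __name__ == "__main__":
    for request in ["/", "/index.html", "/documents/document.html",
                    "/images/1.gif", "/documents/1.jpg",
                    "/images/%2e%2e/documents/1.jpg"]:
        print(f"{request:34} -> {select_location(EXAMPLE, request).config}")
```

The last request shows why matching on the normalized URI matters when access rules hang off a location: an encoded `..` is resolved first, so the request is handled by the regular-expression location E and never by the `/images/` block.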
The “@” prefix defines a named location. Such a location is not used for a regular request processing, but instead used for request redirection. They cannot be nested, and cannot contain nested locations.
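The “@” prefix defines a named location. Such a location is not used for regular request processing but for request redirection. Named locations cannot be nested and cannot contain nested locations.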
If a location is defined by a prefix string that ends with the slash character, and requests are processed by one of proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass, or memcached_pass, then the special processing is performed. In response to a request with URI equal to this string, but without the trailing slash, a permanent redirect with the code 301 will be returned to the requested URI with the slash appended. If this is not desired, an exact match of the URI and location could be defined like this:
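If a location is defined by a prefix string ending in /, and requests are handled by one of proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass, or memcached_pass, special processing applies: a request whose URI equals that string without the trailing slash gets a permanent redirect (code 301) to the same URI with the slash appended. If this is not wanted, define an exact match for the URI as well, like this: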

location /user/ {
    proxy_pass http://user.example.com;
}

location = /user {
    proxy_pass http://login.example.com;
}

index

Syntax: index file ...;
Default: index index.html;
Context: http, server, location

Defines files that will be used as an index. The file name can contain variables. Files are checked in the specified order. The last element of the list can be a file with an absolute path. Example:
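Defines the files used as an index. The file name can contain variables. Files are checked in the given order. The last element of the list can be a file with an absolute path. For example: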

index index.$geo.html index.0.html /index.html;

It should be noted that using an index file causes an internal redirect, and the request can be processed in a different location. For example, with the following configuration:
Note that using an index file causes an internal redirect, so the request may be processed in a different location, as in this example:

location = / {
    index index.html;
}

location / {
    ...
}

a “/” request will actually be processed in the second location as “/index.html”.
A “/” request is first resolved to /index.html and is then processed in the second location.

error_page

Syntax: error_page code ... [=[response]] uri;
Default: —
Context: http, server, location, if in location

Defines the URI that will be shown for the specified errors. A uri value can contain variables.
Defines the URI shown for the specified errors. The uri value can contain variables.

Example:

error_page 404             /404.html;
error_page 500 502 503 504 /50x.html;

This causes an internal redirect to the specified uri with the client request method changed to “GET” (for all methods other than “GET” and “HEAD”).
This causes an internal redirect to the specified uri, with the client request method changed to “GET” (for all methods other than “GET” and “HEAD”).
Furthermore, it is possible to change the response code to another using the “=response” syntax, for example:
In addition, the “=response” syntax can change the response status code to another one, for example:

error_page 404 =200 /empty.gif;

If an error response is processed by a proxied server or a FastCGI/uwsgi/SCGI server, and the server may return different response codes (e.g., 200, 302, 401 or 404), it is possible to respond with the code it returns:
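If an error response is processed by a proxied server or a FastCGI/uwsgi/SCGI server that may return different response codes (for example 200, 302, 401 or 404), nginx can respond with the code that server returns: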

error_page 404 = /404.php;

If there is no need to change URI and method during internal redirection it is possible to pass error processing into a named location:
If the URI and method do not need to change during the internal redirect, error processing can be passed to a named location:

location / {
    error_page 404 = @fallback;
}

location @fallback {
    proxy_pass http://backend;
}

If uri processing leads to an error, the status code of the last occurred error is returned to the client.
If processing the uri leads to an error, the status code of the last error that occurred is returned to the client.
It is also possible to use URL redirects for error processing:
URL redirects can also be used for error processing:

error_page 403      http://example.com/forbidden.html;
error_page 404 =301 http://example.com/notfound.html;

In this case, by default, the response code 302 is returned to the client. It can only be changed to one of the redirect status codes (301, 302, 303, 307, and 308).
In this case the response code 302 is returned to the client by default. It can only be changed to one of the redirect status codes (301, 302, 303, 307, and 308).
These directives are inherited from the previous level if and only if there are no error_page directives defined on the current level.
error_page settings are inherited from the previous level only when no error_page directive is defined on the current level.

try_files

Syntax: try_files file ... uri;
        try_files file ... =code;
Default: —
Context: server, location

Checks the existence of files in the specified order and uses the first found file for request processing; the processing is performed in the current context. The path to a file is constructed from the file parameter according to the root and alias directives. It is possible to check directory’s existence by specifying a slash at the end of a name, e.g. “$uri/”. If none of the files were found, an internal redirect to the uri specified in the last parameter is made. For example:
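Checks for the existence of the files in the specified order and uses the first one found to process the request; processing takes place in the current context. The file path is built from the file parameter according to the root and alias directives. A directory can be checked by ending the name with a slash, e.g. “$uri/”. If no file is found, an internal redirect is made to the uri given in the last parameter. For example: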

location /images/ {
    try_files $uri /images/default.gif;
}

location = /images/default.gif {
    expires 30s;
}

III. Directives for handling client requests

keepalive_timeout

Syntax: keepalive_timeout timeout [header_timeout];
Default: keepalive_timeout 75s;
Context: http, server, location

The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field. Two parameters may differ.
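The first parameter sets how long a keep-alive client connection stays open on the server side; 0 disables keep-alive client connections. The optional second parameter sets the time value in the “Keep-Alive: timeout=time” response header field. The two values may differ.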
The “Keep-Alive: timeout=time” header field is recognized by Mozilla and Konqueror. MSIE closes keep-alive connections by itself in about 60 seconds.
Mozilla and Konqueror recognize the “Keep-Alive: timeout=time” header field. MSIE closes keep-alive connections by itself after about 60 seconds.

keepalive_requests

Syntax: keepalive_requests number;
Default: keepalive_requests 100;
Context: http, server, location
This directive appeared in version 0.8.0.

Sets the maximum number of requests that can be served through one keep-alive connection. After the maximum number of requests are made, the connection is closed.
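Sets the maximum number of requests served over one keep-alive connection; once the maximum is reached, the connection is closed.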

keepalive_disable

Syntax: keepalive_disable none | browser ...;
Default: keepalive_disable msie6;
Context: http, server, location

Disables keep-alive connections with misbehaving browsers. The browser parameters specify which browsers will be affected. The value msie6 disables keep-alive connections with old versions of MSIE, once a POST request is received. The value safari disables keep-alive connections with Safari and Safari-like browsers on macOS and macOS-like operating systems. The value none enables keep-alive connections with all browsers.
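Disables keep-alive connections for misbehaving browsers. The browser parameters specify which browsers are affected. The value msie6 disables keep-alive connections with old versions of MSIE once a POST request is received. The value safari disables keep-alive connections with Safari and Safari-like browsers on macOS and macOS-like operating systems. The value none enables keep-alive connections with all browsers.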

send_timeout

Syntax: send_timeout time;
Default: send_timeout 60s;
Context: http, server, location

Sets a timeout for transmitting a response to the client. The timeout is set only between two successive write operations, not for the transmission of the whole response. If the client does not receive anything within this time, the connection is closed.
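Sets a timeout for transmitting a response to the client. The timeout applies only between two successive write operations, not to the whole response. If the client receives nothing within this time, the connection is closed.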

client_body_buffer_size

Syntax: client_body_buffer_size size;
Default: client_body_buffer_size 8k|16k;
Context: http, server, location

Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. By default, buffer size is equal to two memory pages. This is 8K on x86, other 32-bit platforms, and x86-64. It is usually 16K on other 64-bit platforms.
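Sets the buffer size for reading the client request body. If the request body is larger than the buffer, the whole body or part of it is written to a temporary file. By default the buffer size equals two memory pages, which is 8K on x86, other 32-bit platforms and x86-64, and usually 16K on other 64-bit platforms.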

client_body_temp_path

Syntax: client_body_temp_path path [level1 [level2 [level3]]];
Default: client_body_temp_path client_body_temp;
Context: http, server, location

Defines a directory for storing temporary files holding client request bodies. Up to three-level subdirectory hierarchy can be used under the specified directory. For example, in the following configuration
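Defines the directory for temporary files that hold client request bodies. A subdirectory hierarchy of up to three levels can be used under the specified directory. For example, with the following configuration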

client_body_temp_path /spool/nginx/client_temp 1 2;

a path to a temporary file might look like this:
the path to a temporary file might look like this:

/spool/nginx/client_temp/7/45/00000123457

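client_body_temp_path /var/tmp/client_body 2 1 1;
Each level value is the number of hexadecimal digits used for the subdirectory name at that level:
1: the subdirectory name is one hexadecimal digit, 0-f
2: the subdirectory name is two hexadecimal digits, 00-ff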

IV. Directives that restrict clients

limit_rate

Syntax: limit_rate rate;
Default: limit_rate 0;
Context: http, server, location, if in location

Limits the rate of response transmission to a client. The rate is specified in bytes per second. The zero value disables rate limiting. The limit is set per a request, and so if a client simultaneously opens two connections, the overall rate will be twice as much as the specified limit.
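Limits the rate at which a response is transmitted to a client. The rate is given in bytes per second, and 0 means no limit. The limit applies per request, so if a client opens two connections at once, the overall rate is twice the specified limit.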
Rate limit can also be set in the $limit_rate variable. It may be useful in cases where rate should be limited depending on a certain condition:
The rate limit can also be set in the $limit_rate variable, which can be useful when the limit depends on a certain condition:

server {

    if ($slow) {
        set $limit_rate 4k;
    }

    ...
}

Rate limit can also be set in the “X-Accel-Limit-Rate” header field of a proxied server response. This capability can be disabled using the proxy_ignore_headers, fastcgi_ignore_headers, uwsgi_ignore_headers, and scgi_ignore_headers directives.
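The rate limit can also be set in the “X-Accel-Limit-Rate” header field of a proxied server's response. This capability can be disabled with the proxy_ignore_headers, fastcgi_ignore_headers, uwsgi_ignore_headers, and scgi_ignore_headers directives.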

limit_except

Syntax: limit_except method ... { ... }
Default: —
Context: location

Limits allowed HTTP methods inside a location. The method parameter can be one of the following: GET, HEAD, POST, PUT, DELETE, MKCOL, COPY, MOVE, OPTIONS, PROPFIND, PROPPATCH, LOCK, UNLOCK, or PATCH. Allowing the GET method makes the HEAD method also allowed. Access to other methods can be limited using the ngx_http_access_module and ngx_http_auth_basic_module modules directives:
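Limits the HTTP methods allowed inside a location. The method parameter can be one of GET, HEAD, POST, PUT, DELETE, MKCOL, COPY, MOVE, OPTIONS, PROPFIND, PROPPATCH, LOCK, UNLOCK, or PATCH. Allowing GET also allows HEAD. Access to the other methods can be limited with directives from the ngx_http_access_module and ngx_http_auth_basic_module modules.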

limit_except GET {
    allow 192.168.1.0/32;
    deny  all;
}

Please note that this will limit access to all methods except GET and HEAD.
Note: this limits access to all methods except GET and HEAD.

V. File-operation optimization directives

aio

Syntax: aio on | off | threads[=pool];
Default: aio off;
Context: http, server, location
This directive appeared in version 0.8.11.

Enables or disables the use of asynchronous file I/O (AIO) on FreeBSD and Linux:
Enables or disables asynchronous file I/O on FreeBSD and Linux:

location /video/ {
    aio            on;
    output_buffers 1 64k;
}

On FreeBSD, AIO can be used starting from FreeBSD 4.3. Prior to FreeBSD 11.0, AIO can either be linked statically into a kernel:
On FreeBSD, AIO is supported from FreeBSD 4.3 onward. Before FreeBSD 11.0, AIO can be linked statically into the kernel:

options VFS_AIO

or loaded dynamically as a kernel module:

kldload aio

On Linux, AIO can be used starting from kernel version 2.6.22. Also, it is necessary to enable directio, or otherwise reading will be blocking:
On Linux, AIO is supported from kernel 2.6.22 onward. directio must also be enabled, otherwise reads will block:

location /video/ {
    aio            on;
    directio       512;
    output_buffers 1 128k;
}

On Linux, directio can only be used for reading blocks that are aligned on 512-byte boundaries (or 4K for XFS). File’s unaligned end is read in blocking mode. The same holds true for byte range requests and for FLV requests not from the beginning of a file: reading of unaligned data at the beginning and end of a file will be blocking.
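On Linux, directio can only be used to read blocks aligned on 512-byte boundaries (4K for XFS). The unaligned end of a file is read in blocking mode. The same applies to byte-range requests and to FLV requests that do not start at the beginning of a file: unaligned data at the beginning and end of a file is read in blocking mode.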
When both AIO and sendfile are enabled on Linux, AIO is used for files that are larger than or equal to the size specified in the directio directive, while sendfile is used for files of smaller sizes or when directio is disabled.
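When both AIO and sendfile are enabled on Linux, AIO is used for files whose size is greater than or equal to the size given in the directio directive, and sendfile is used for smaller files or when directio is disabled.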

location /video/ {
    sendfile       on;
    aio            on;
    directio       8m;
}

Finally, files can be read and sent using multi-threading (1.7.11), without blocking a worker process:
Finally, files can be read and sent using multi-threading, without blocking a worker process:

location /video/ {
    sendfile       on;
    aio            threads;
}

Read and send file operations are offloaded to threads of the specified pool. If the pool name is omitted, the pool with the name “default” is used. The pool name can also be set with variables:
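File read and send operations are offloaded to the threads of the specified pool. If the pool name is omitted, the pool named “default” is used. The pool name can also be set with variables: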

aio threads=pool$disk;

By default, multi-threading is disabled, it should be enabled with the --with-threads configuration parameter. Currently, multi-threading is compatible only with the epoll, kqueue, and eventport methods. Multi-threaded sending of files is only supported on Linux.
Multi-threading is disabled by default and is enabled with the --with-threads configuration parameter. Currently it is compatible only with the epoll, kqueue, and eventport methods, and multi-threaded sending of files is supported only on Linux.

directio

Syntax: directio size | off;
Default: directio off;
Context: http, server, location

This directive appeared in version 0.7.7.

Enables the use of the O_DIRECT flag (FreeBSD, Linux), the F_NOCACHE flag (macOS), or the directio() function (Solaris), when reading files that are larger than or equal to the specified size. The directive automatically disables (0.7.15) the use of sendfile for a given request. It can be useful for serving large files:

directio 4m;

or when using aio on Linux.

open_file_cache

Syntax: open_file_cache off;
        open_file_cache max=N [inactive=time];
Default: open_file_cache off;
Context: http, server, location

Configures a cache that can store:

  • open file descriptors, their sizes and modification times;
  • information on existence of directories;
  • file lookup errors, such as “file not found”, “no read permission”, and so on. (Caching of errors should be enabled separately by the open_file_cache_errors directive.)

The directive has the following parameters:

max
sets the maximum number of elements in the cache; on cache overflow the least recently used (LRU) elements are removed;
inactive
defines a time after which an element is removed from the cache if it has not been accessed during this time; by default, it is 60 seconds;
off
disables the cache.

Example:

open_file_cache          max=1000 inactive=20s;
open_file_cache_valid    30s;
open_file_cache_min_uses 2;
open_file_cache_errors   on;

open_file_cache_errors

Syntax: open_file_cache_errors on | off;
Default: open_file_cache_errors off;
Context: http, server, location

Enables or disables caching of file lookup errors by open_file_cache.

open_file_cache_min_uses

Syntax: open_file_cache_min_uses number;
Default: open_file_cache_min_uses 1;
Context: http, server, location

Sets the minimum number of file accesses during the period configured by the inactive parameter of the open_file_cache directive, required for a file descriptor to remain open in the cache.

open_file_cache_valid

Syntax: open_file_cache_valid time;
Default: open_file_cache_valid 60s;
Context: http, server, location

Sets a time after which open_file_cache elements should be validated.

ngx_http_access_module

Example Configuration

location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}

allow

Syntax: allow address | CIDR | unix: | all;
Default: —
Context: http, server, location, limit_except

Allows access for the specified network or address. If the special value unix: is specified (1.5.1), allows access for all UNIX-domain sockets.

deny

Syntax: deny address | CIDR | unix: | all;
Default: —
Context: http, server, location, limit_except

Denies access for the specified network or address. If the special value unix: is specified (1.5.1), denies access for all UNIX-domain sockets.
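How the rule list in the example configuration is evaluated, as an added Python sketch (not nginx's own code and not part of the original article): nginx checks allow and deny rules in order and stops at the first match, so 192.168.1.1 is denied even though it lies inside the allowed 192.168.1.0/24. The function names are hypothetical; the rules are the ones from the example.

```python
import ipaddress

# Rules copied from the example configuration above, in file order.
EXAMPLE_RULES = [
    ("deny", "192.168.1.1"),
    ("allow", "192.168.1.0/24"),
    ("allow", "10.1.1.0/16"),
    ("allow", "2001:0db8::/32"),
    ("deny", "all"),
]


def parse_rules(rules):
    """Turn (action, spec) pairs into (action, network-or-None) pairs."""
    parsed = []
    for action, spec in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        if spec == "all":
            parsed.append((action, None))  # None matches every client
        else:
            # strict=False accepts 10.1.1.0/16, whose host bits are set,
            # and masks it down to 10.1.0.0/16.
            parsed.append((action, ipaddress.ip_network(spec, strict=False)))
    return parsed


def decide(client_ip, rules, default="allow"):
    """Return 'allow' or 'deny' for client_ip using first-match semantics."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in parse_rules(rules):
        if net is None:
            return action
        if addr.version == net.version and addr in net:
            return action
    return default  # no rule matched, so this module imposes no restriction


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule
    already covers their whole address range."""
    parsed = parse_rules(rules)
    dead = []
    for i, (_, net) in enumerate(parsed):
        for _, earlier in parsed[:i]:
            if earlier is None or (
                net is not None
                and net.version == earlier.version
                and net.subnet_of(earlier)
            ):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.77", "10.1.200.9", "203.0.113.5"):
        print(ip, decide(ip, EXAMPLE_RULES))
```

Running shadowed_rules over a rule list before a reload catches the common mistake of placing a narrow deny after the broader allow that already matches it.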

ngx_http_auth_basic_module

Implements user-based access control, authenticating users with the HTTP Basic mechanism.

Example Configuration

location / {
    auth_basic           "closed site";
    auth_basic_user_file conf/htpasswd;
}

auth_basic

Syntax: auth_basic string | off;
Default: auth_basic off;
Context: http, server, location, limit_except

Enables validation of user name and password using the “HTTP Basic Authentication” protocol. The specified parameter is used as a realm. Parameter value can contain variables (1.3.10, 1.2.7). The special value off allows cancelling the effect of the auth_basic directive inherited from the previous configuration level.

auth_basic_user_file

Syntax: auth_basic_user_file file;
Default: —
Context: http, server, location, limit_except

Specifies a file that keeps user names and passwords, in the following format:

# comment
name1:password1
name2:password2:comment
name3:password3

The file name can contain variables.

The following password types are supported:

  • encrypted with the crypt() function; can be generated using the “htpasswd” utility from the Apache HTTP Server distribution or the “openssl passwd” command;
  • hashed with the Apache variant of the MD5-based password algorithm (apr1); can be generated with the same tools;
  • specified by the “{scheme}data” syntax (1.0.3+) as described in RFC 2307; currently implemented schemes include PLAIN (an example one, should not be used), SHA (1.3.13) (plain SHA-1 hashing, should not be used) and SSHA (salted SHA-1 hashing, used by some software packages, notably OpenLDAP and Dovecot).

    Support for SHA scheme was added only to aid in migration from other web servers. It should not be used for new passwords, since unsalted SHA-1 hashing that it employs is vulnerable to rainbow table attacks.
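A check for the two schemes the text says should not be used, as an added Python example (not from the original article and not nginx code): it parses the name:password[:comment] format described above and reports the password type of every entry. The function names and the sample file are constructed for illustration, and the scheme names are matched exactly as written in the list above.

```python
import re

# Schemes the text above says should not be used.
DISCOURAGED = {"PLAIN", "SHA"}
# Schemes the text lists as currently implemented.
KNOWN_SCHEMES = {"PLAIN", "SHA", "SSHA"}

# Constructed sample file; every hash is a placeholder, not a real credential.
SAMPLE_HTPASSWD = """\
# comment
alice:$apr1$PLACEHOLDERSALT$PLACEHOLDERHASH
bob:{SHA}PLACEHOLDERHASH=:migrated from the old server
carol:{PLAIN}placeholder-password
dave:{SSHA}PLACEHOLDERSALTEDHASH=
erin:PLACEHOLDERCRYPT
frank
"""


def classify(password_field):
    """Name the password type of one password field."""
    m = re.match(r"\{([^}]*)\}", password_field)
    if m:
        scheme = m.group(1)
        return scheme if scheme in KNOWN_SCHEMES else "unknown-scheme"
    if password_field.startswith("$apr1$"):
        return "apr1"
    # Everything else is a crypt() string; its strength depends on which
    # algorithm the system's crypt() selected when the hash was created.
    return "crypt"


def audit_htpasswd(text):
    """Return (line number, user, password type, verdict) for each entry."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # name:password[:comment]; the third field is a free-form comment.
        fields = line.split(":", 2)
        if len(fields) < 2 or not fields[0] or not fields[1]:
            report.append((lineno, fields[0], None, "malformed"))
            continue
        kind = classify(fields[1])
        if kind in DISCOURAGED:
            verdict = "replace"
        elif kind == "unknown-scheme":
            verdict = "unrecognised"
        else:
            verdict = "ok"
        report.append((lineno, fields[0], kind, verdict))
    return report


def needs_attention(text):
    """Users whose entries should be re-hashed or fixed."""
    return [user for _, user, _, verdict in audit_htpasswd(text)
            if verdict != "ok"]


if __name__ == "__main__":
    for row in audit_htpasswd(SAMPLE_HTPASSWD):
        print(row)
```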

ngx_http_stub_status_module

Provides access to basic nginx status information.

Example Configuration

location /basic_status {
    stub_status;
}

This configuration creates a simple web page with basic status data, which may look as follows:

Active connections: 291 
server accepts handled requests
 16630948 16630948 31070465 
Reading: 6 Writing: 179 Waiting: 106

stub_status

Syntax: stub_status;
Default: —
Context: server, location

The basic status information will be accessible from the surrounding location.

Data

The following status information is provided:

Active connections
The current number of active client connections including Waiting connections.
accepts
The total number of accepted client connections.
handled
The total number of handled connections. Generally, the parameter value is the same as accepts unless some resource limits have been reached (for example, the worker_connections limit).
requests
The total number of client requests.
Reading
The current number of connections where nginx is reading the request header.
Writing
The current number of connections where nginx is writing the response back to the client.
Waiting
The current number of idle client connections waiting for a request.
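A parser for the status page shown above, as an added Python example (not from the original article): it extracts the seven counters and derives the number of accepted connections that were not handled between two scrapes, which is the signal that a limit such as worker_connections has been reached. The function names and the second sample are constructed for illustration.

```python
import re

# The sample page shown above.
SAMPLE = (
    "Active connections: 291 \n"
    "server accepts handled requests\n"
    " 16630948 16630948 31070465 \n"
    "Reading: 6 Writing: 179 Waiting: 106 \n"
)

# Constructed later scrape in which 10 accepted connections were not handled.
LATER = (
    "Active connections: 512 \n"
    "server accepts handled requests\n"
    " 16631048 16631038 31070665 \n"
    "Reading: 2 Writing: 10 Waiting: 500 \n"
)

_PATTERN = re.compile(
    r"Active connections:\s*(?P<active>\d+)\s+"
    r"server accepts handled requests\s+"
    r"(?P<accepts>\d+)\s+(?P<handled>\d+)\s+(?P<requests>\d+)\s+"
    r"Reading:\s*(?P<reading>\d+)\s+"
    r"Writing:\s*(?P<writing>\d+)\s+"
    r"Waiting:\s*(?P<waiting>\d+)"
)


def parse_stub_status(text):
    """Return the seven stub_status counters as a dict of ints."""
    m = _PATTERN.search(text)
    if m is None:
        raise ValueError("not a stub_status page")
    return {name: int(value) for name, value in m.groupdict().items()}


def interval_stats(current, previous=None):
    """Compare two scrapes; with no previous scrape, use totals since start."""
    zero = {"accepts": 0, "handled": 0, "requests": 0}
    prev = previous or zero
    if any(current[k] < prev[k] for k in zero):
        prev = zero  # counters went backwards (nginx restarted): start over
    accepted = current["accepts"] - prev["accepts"]
    handled = current["handled"] - prev["handled"]
    requests = current["requests"] - prev["requests"]
    return {
        "accepted": accepted,
        # accepts minus handled: connections dropped at a resource limit
        "dropped": accepted - handled,
        "requests_per_connection": requests / handled if handled else 0.0,
    }


if __name__ == "__main__":
    first = parse_stub_status(SAMPLE)
    print(first)
    print(interval_stats(parse_stub_status(LATER), first))
```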

ngx_http_log_module

The ngx_http_log_module module writes logs in the specified format.

Example Configuration

log_format basic '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time';

access_log /spool/logs/nginx-access.log basic buffer=32k;

access_log

Sets the path, format, and configuration for a buffered log write. Several logs can be specified on the same level. Logging to syslog can be configured by specifying the “syslog:” prefix in the first parameter. The special value off cancels all access_log directives on the current level.

If either the buffer or gzip parameter is used, writes to log will be buffered.

The buffer size must not exceed the size of an atomic write to a disk file. For FreeBSD this size is unlimited.

When buffering is enabled, the data will be written to the file:

  • if the next log line does not fit into the buffer;
  • if the buffered data is older than specified by the flush parameter;
  • when a worker process is re-opening log files or is shutting down.

If the gzip parameter is used, then the buffered data will be compressed before writing to the file. The compression level can be set between 1 (fastest, less compression) and 9 (slowest, best compression). By default, the buffer size is equal to 64K bytes, and the compression level is set to 1. Since the data is compressed in atomic blocks, the log file can be decompressed or read by “zcat” at any time.

Example:

access_log /path/to/log.gz basic gzip flush=5m;

For gzip compression to work, nginx must be built with the zlib library.

The file path can contain variables, but such logs have some constraints:

  • the user whose credentials are used by worker processes should have permissions to create files in a directory with such logs;
  • buffered writes do not work;
  • the file is opened and closed for each log write. However, since the descriptors of frequently used files can be stored in a cache, writing to the old file can continue during the time specified by the open_log_file_cache directive’s valid parameter.

The if parameter enables conditional logging. A session will not be logged if the condition evaluates to “0” or an empty string.

log_format

Syntax: log_format name [escape=default|json] string ...;
Default: —
Context: stream

Specifies the log format, for example:

log_format proxy '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

The escape parameter (1.11.8) selects json or default character escaping in variables; default escaping is used by default.

open_log_file_cache

Syntax: open_log_file_cache max=N [inactive=time] [min_uses=N] [valid=time];
        open_log_file_cache off;
Default: open_log_file_cache off;
Context: stream, server

Defines a cache that stores the file descriptors of frequently used logs whose names contain variables. The directive has the following parameters:

max
sets the maximum number of descriptors in a cache; if the cache becomes full the least recently used (LRU) descriptors are closed
inactive
sets the time after which the cached descriptor is closed if there were no access during this time; by default, 10 seconds
min_uses
sets the minimum number of file uses during the time defined by the inactive parameter to let the descriptor stay open in a cache; by default, 1
valid
sets the time after which it should be checked that the file still exists with the same name; by default, 60 seconds
off
disables caching

ngx_http_gzip_module

The ngx_http_gzip_module module is a filter that compresses responses using the “gzip” method. This often helps to reduce the size of transmitted data by half or even more.

Example Configuration

gzip            on;
gzip_min_length 1000;
gzip_proxied    expired no-cache no-store private auth;
gzip_types      text/plain application/xml;

gzip

Syntax: gzip on | off;
Default: gzip off;
Context: http, server, location, if in location

Enables or disables gzipping of responses.

gzip_buffers

Syntax: gzip_buffers number size;
Default: gzip_buffers 32 4k|16 8k;
Context: http, server, location

Sets the number and size of buffers used to compress a response. By default, the buffer size is equal to one memory page. This is either 4K or 8K, depending on a platform.

Until version 0.7.28, four 4K or 8K buffers were used by default.

gzip_comp_level

Syntax: gzip_comp_level level;
Default: gzip_comp_level 1;
Context: http, server, location

Sets a gzip compression level of a response. Acceptable values are in the range from 1 to 9.

gzip_disable

Syntax: gzip_disable regex ...;
Default: —
Context: http, server, location
This directive appeared in version 0.6.23.

Disables gzipping of responses for requests with “User-Agent” header fields matching any of the specified regular expressions.

The special mask “msie6” (0.7.12) corresponds to the regular expression “MSIE [4-6].”, but works faster. Starting from version 0.8.11, “MSIE 6.0; … SV1” is excluded from this mask.

gzip_min_length

Syntax: gzip_min_length length;
Default: gzip_min_length 20;
Context: http, server, location

Sets the minimum length of a response that will be gzipped. The length is determined only from the “Content-Length” response header field.

gzip_http_version

Syntax: gzip_http_version 1.0 | 1.1;
Default: gzip_http_version 1.1;
Context: http, server, location

Sets the minimum HTTP version of a request required to compress a response.

gzip_proxied

Syntax: gzip_proxied off | expired | no-cache | no-store | private | no_last_modified | no_etag | auth | any ...;
Default: gzip_proxied off;
Context: http, server, location

Enables or disables gzipping of responses for proxied requests depending on the request and response. The fact that the request is proxied is determined by the presence of the “Via” request header field. The directive accepts multiple parameters:

off
disables compression for all proxied requests, ignoring other parameters;
expired
enables compression if a response header includes the “Expires” field with a value that disables caching;
no-cache
enables compression if a response header includes the “Cache-Control” field with the “no-cache” parameter;
no-store
enables compression if a response header includes the “Cache-Control” field with the “no-store” parameter;
private
enables compression if a response header includes the “Cache-Control” field with the “private” parameter;
no_last_modified
enables compression if a response header does not include the “Last-Modified” field;
no_etag
enables compression if a response header does not include the “ETag” field;
auth
enables compression if a request header includes the “Authorization” field;
any
enables compression for all proxied requests.

gzip_types

Syntax: gzip_types mime-type ...;
Default: gzip_types text/html;
Context: http, server, location

Enables gzipping of responses for the specified MIME types in addition to “text/html”. The special value “*” matches any MIME type (0.8.29). Responses with the “text/html” type are always compressed.

gzip_vary

Syntax: gzip_vary on | off;
Default: gzip_vary off;
Context: http, server, location

Enables or disables inserting the “Vary: Accept-Encoding” response header field if the directives gzip, gzip_static, or gunzip are active.

ngx_http_ssl_module

The ngx_http_ssl_module module provides the necessary support for HTTPS.

Example Configuration

To reduce the processor load, it is recommended to

  • set the number of worker processes equal to the number of processors,
  • enable keep-alive connections,
  • enable the shared session cache,
  • disable the built-in session cache,
  • and possibly increase the session lifetime (by default, 5 minutes):

worker_processes auto;

http {

    ...

    server {
        listen              443 ssl;
        keepalive_timeout   70;

        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        ...
    }
}

ssl

Syntax: ssl on | off;
Default: ssl off;
Context: http, server

Enables the HTTPS protocol for the given virtual server.

It is recommended to use the ssl parameter of the listen directive instead of this directive.

ssl_buffer_size

Syntax: ssl_buffer_size size;
Default: ssl_buffer_size 16k;
Context: http, server
This directive appeared in version 1.5.9.

Sets the size of the buffer used for sending data.

By default, the buffer size is 16k, which corresponds to minimal overhead when sending big responses. To minimize Time To First Byte it may be beneficial to use smaller values, for example:

ssl_buffer_size 4k;

ssl_certificate

Syntax: ssl_certificate file;
Default: —
Context: http, server

Specifies a file with the certificate in the PEM format for the given virtual server. If intermediate certificates should be specified in addition to a primary certificate, they should be specified in the same file in the following order: the primary certificate comes first, then the intermediate certificates. A secret key in the PEM format may be placed in the same file.

Since version 1.11.0, this directive can be specified multiple times to load certificates of different types, for example, RSA and ECDSA:

server {
    listen              443 ssl;
    server_name         example.com;

    ssl_certificate     example.com.rsa.crt;
    ssl_certificate_key example.com.rsa.key;

    ssl_certificate     example.com.ecdsa.crt;
    ssl_certificate_key example.com.ecdsa.key;

    ...
}

Only OpenSSL 1.0.2 or higher supports separate certificate chains for different certificates. With older versions, only one certificate chain can be used.

It should be kept in mind that due to the HTTPS protocol limitations virtual servers should listen on different IP addresses:

server {
    listen          192.168.1.1:443;
    server_name     one.example.com;
    ssl_certificate one.example.com.crt;
    ...
}

server {
    listen          192.168.1.2:443;
    server_name     two.example.com;
    ssl_certificate two.example.com.crt;
    ...
}

otherwise the first server’s certificate will be issued for the second site.

ssl_certificate_key

Syntax: ssl_certificate_key file;
Default: —
Context: http, server

Specifies a file with the secret key in the PEM format for the given virtual server.

ssl_ciphers (not a commonly used directive)

Syntax: ssl_ciphers ciphers;
Default: ssl_ciphers HIGH:!aNULL:!MD5;
Context: http, server

Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library, for example:

ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The full list can be viewed using the “openssl ciphers” command.

The previous versions of nginx used different ciphers by default.

ssl_client_certificate (not a commonly used directive)

Syntax: ssl_client_certificate file;
Default: —
Context: http, server

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used.

ssl_protocols

Syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];
Default: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Context: http, server

Enables the specified protocols.

The TLSv1.1 and TLSv1.2 parameters (1.1.13, 1.0.12) work only when OpenSSL 1.0.1 or higher is used.

The TLSv1.3 parameter (1.13.0) works only when OpenSSL 1.1.1 built with TLSv1.3 support is used.
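A check for the ssl_protocols and ssl_ciphers values used in the example configuration and in the ssl_ciphers example above, as an added Python example (not from the original article and not part of nginx): it reports deprecated protocol versions and weak cipher tokens, and compares the page's server block with a constructed hardened one. The function names and the hardened values are assumptions chosen for illustration; a token-level check cannot expand group names such as ALL, so confirm the final list with the “openssl ciphers” command.

```python
import re

# Deprecated protocol versions (SSLv2: RFC 6176, SSLv3: RFC 7568,
# TLSv1 and TLSv1.1: RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Name parts that mark a weak cipher or cipher group in an OpenSSL string.
WEAK_PARTS = {"RC4", "DES", "CBC3", "3DES", "MD5", "NULL", "ENULL", "ANULL",
              "EXP", "EXPORT", "EXPORT40", "EXPORT56", "LOW", "SSLV2"}

_DIRECTIVE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;#]+);", re.MULTILINE)

# The TLS lines of the example configuration shown earlier on this page.
PAGE_EXAMPLE = """server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
}
"""

# Constructed hardened counterpart (values are an assumption, not the page's).
HARDENED = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
}
"""


def weak_cipher_tokens(cipher_string):
    """Return the enabled tokens of an OpenSSL cipher string that are weak."""
    weak = []
    for token in re.split(r"[:,\s]+", cipher_string.strip()):
        if not token or token[0] in "!-":
            continue  # "!" and "-" remove ciphers, so nothing is enabled
        name = token.lstrip("+")  # a leading "+" only reorders ciphers
        parts = {p.upper() for p in re.split(r"[+-]", name) if p}
        if parts & WEAK_PARTS:
            weak.append(name)
    return weak


def audit_tls(config_text):
    """Return (line, directive, offending values) for each weak setting."""
    findings = []
    for m in _DIRECTIVE.finditer(config_text):
        directive = m.group(1)
        value = m.group(2).strip().strip("'\"")
        lineno = config_text.count("\n", 0, m.start(1)) + 1
        if directive == "ssl_protocols":
            bad = [p for p in value.split() if p in DEPRECATED_PROTOCOLS]
        else:
            bad = weak_cipher_tokens(value)
        if bad:
            findings.append((lineno, directive, bad))
    return findings


if __name__ == "__main__":
    for finding in audit_tls(PAGE_EXAMPLE):
        print("weak:", finding)
    print("hardened findings:", audit_tls(HARDENED))
```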

ssl_session_cache

Syntax: ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
Default: ssl_session_cache none;
Context: http, server

Sets the types and sizes of caches that store session parameters. A cache can be of any of the following types:

off
the use of a session cache is strictly prohibited: nginx explicitly tells a client that sessions may not be reused.
none
the use of a session cache is gently disallowed: nginx tells a client that sessions may be reused, but does not actually store session parameters in the cache.
builtin
a cache built in OpenSSL; used by one worker process only. The cache size is specified in sessions. If size is not given, it is equal to 20480 sessions. Use of the built-in cache can cause memory fragmentation.
shared
a cache shared between all worker processes. The cache size is specified in bytes; one megabyte can store about 4000 sessions. Each shared cache should have an arbitrary name. A cache with the same name can be used in several virtual servers.

Both cache types can be used simultaneously, for example:

ssl_session_cache builtin:1000 shared:SSL:10m;

but using only shared cache without the built-in cache should be more efficient.

ssl_session_timeout

Syntax: ssl_session_timeout time;
Default: ssl_session_timeout 5m;
Context: http, server

Specifies a time during which a client may reuse the session parameters.

ngx_http_rewrite_module

The ngx_http_rewrite_module module is used to change request URI using PCRE regular expressions, return redirects, and conditionally select configurations.

The ngx_http_rewrite_module module directives are processed in the following order:

  • the directives of this module specified on the server level are executed sequentially;
  • repeatedly:

    • a location is searched based on a request URI;
    • the directives of this module specified inside the found location are executed sequentially;
    • the loop is repeated if a request URI was rewritten, but not more than 10 times.

rewrite

Syntax: rewrite regex replacement [flag];
Default: —
Context: server, location, if

If the specified regular expression matches a request URI, URI is changed as specified in the replacement string. The rewrite directives are executed sequentially in order of their appearance in the configuration file. It is possible to terminate further processing of the directives using flags. If a replacement string starts with “http://”, “https://”, or “$scheme”, the processing stops and the redirect is returned to a client.

An optional flag parameter can be one of:

last
stops processing the current set of ngx_http_rewrite_module directives and starts a search for a new location matching the changed URI;
break
stops processing the current set of ngx_http_rewrite_module directives as with the break directive;
redirect
returns a temporary redirect with the 302 code; used if a replacement string does not start with “http://”, “https://”, or “$scheme”;
permanent
returns a permanent redirect with the 301 code.

The full redirect URL is formed according to the request scheme ($scheme) and the server_name_in_redirect and port_in_redirect directives.

Example:

server {
    ...
    rewrite ^(/download/.*)/media/(.*)\..*$ $1/mp3/$2.mp3 last;
    rewrite ^(/download/.*)/audio/(.*)\..*$ $1/mp3/$2.ra  last;
    return  403;
    ...
}

But if these directives are put inside the “/download/” location, the last flag should be replaced by break, or otherwise nginx will make 10 cycles and return the 500 error:

location /download/ {
    rewrite ^(/download/.*)/media/(.*)\..*$ $1/mp3/$2.mp3 break;
    rewrite ^(/download/.*)/audio/(.*)\..*$ $1/mp3/$2.ra  break;
    return  403;
}

If a replacement string includes the new request arguments, the previous request arguments are appended after them. If this is undesired, putting a question mark at the end of a replacement string avoids having them appended, for example:

rewrite ^/users/(.*)$ /show?user=$1? last;

If a regular expression includes the “}” or “;” characters, the whole expression should be enclosed in single or double quotes.

return

Syntax: return code [text];
        return code URL;
        return URL;
Default: —
Context: server, location, if

Stops processing and returns the specified code to a client. The non-standard code 444 closes a connection without sending a response header.

Starting from version 0.8.42, it is possible to specify either a redirect URL (for codes 301, 302, 303, 307, and 308) or the response body text (for other codes). A response body text and redirect URL can contain variables. As a special case, a redirect URL can be specified as a URI local to this server, in which case the full redirect URL is formed according to the request scheme ($scheme) and the server_name_in_redirect and port_in_redirect directives.

In addition, a URL for temporary redirect with the code 302 can be specified as the sole parameter. Such a parameter should start with the “http://”, “https://”, or “$scheme” string. A URL can contain variables.

  • Only the following codes could be returned before version 0.7.51: 204, 400, 402 to 406, 408, 410, 411, 413, 416, and 500 to 504.
  • The code 307 was not treated as a redirect until versions 1.1.16 and 1.0.13.
  • The code 308 was not treated as a redirect until version 1.13.0.

if

Syntax: if (condition) { ... }
Default: —
Context: server, location

The specified condition is evaluated. If true, this module directives specified inside the braces are executed, and the request is assigned the configuration inside the if directive. Configurations inside the if directives are inherited from the previous configuration level.

A condition may be any of the following:

  • a variable name; false if the value of a variable is an empty string or “0”;

    • Before version 1.0.1, any string starting with “0” was considered a false value.
  • comparison of a variable with a string using the “=” and “!=” operators;
  • matching of a variable against a regular expression using the “~” (for case-sensitive matching) and “~*” (for case-insensitive matching) operators. Regular expressions can contain captures that are made available for later reuse in the $1..$9 variables. Negative operators “!~” and “!~*” are also available. If a regular expression includes the “}” or “;” characters, the whole expression should be enclosed in single or double quotes.
  • checking of a file existence with the “-f” and “!-f” operators;
  • checking of a directory existence with the “-d” and “!-d” operators;
  • checking of a file, directory, or symbolic link existence with the “-e” and “!-e” operators;
  • checking for an executable file with the “-x” and “!-x” operators.

Examples:

if ($http_user_agent ~ MSIE) {
    rewrite ^(.*)$ /msie/$1 break;
}

if ($http_cookie ~* "id=([^;]+)(?:;|$)") {
    set $id $1;
}

if ($request_method = POST) {
    return 405;
}

if ($slow) {
    limit_rate 10k;
}

if ($invalid_referer) {
    return 403;
}

A value of the $invalid_referer embedded variable is set by the valid_referers directive.

set

Syntax: set $variable value;
Default: —
Context: server, location, if

Sets a value for the specified variable. The value can contain text, variables, and their combination.

ngx_http_referer_module

The ngx_http_referer_module module is used to block access to a site for requests with invalid values in the “Referer” header field. It should be kept in mind that fabricating a request with an appropriate “Referer” field value is quite easy, and so the intended purpose of this module is not to block such requests thoroughly but to block the mass flow of requests sent by regular browsers. It should also be taken into consideration that regular browsers may not send the “Referer” field even for valid requests.

Example Configuration

valid_referers none blocked server_names
               *.example.com example.* www.example.org/galleries/
               ~\.google\.;

if ($invalid_referer) {
    return 403;
}

valid_referers

Syntax: valid_referers none | blocked | server_names | string ...;
Default: —
Context: server, location

Specifies the “Referer” request header field values that will cause the embedded $invalid_referer variable to be set to an empty string. Otherwise, the variable will be set to “1”. Search for a match is case-insensitive.

Parameters can be as follows:

none
the “Referer” field is missing in the request header;
blocked
the “Referer” field is present in the request header, but its value has been deleted by a firewall or proxy server; such values are strings that do not start with “http://” or “https://”;
server_names
the “Referer” request header field contains one of the server names;
arbitrary string
defines a server name and an optional URI prefix. A server name can have an “*” at the beginning or end. During the checking, the server’s port in the “Referer” field is ignored;
regular expression
the first symbol should be a “~”. It should be noted that an expression will be matched against the text starting after the “http://” or “https://”.

Example:

valid_referers none blocked server_names
               *.example.com example.* www.example.org/galleries/
               ~\.google\.;
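
The rules above can be checked against sample header values with a small model. This is an added example, not part of the original article or of nginx itself: it is a simplified Python model of the matching rules as described here, and the function names, the `shop.test` server name and the sample Referer values are constructed for illustration.

```python
import re

# Simplified model of the valid_referers rules described above; not nginx source code.
def invalid_referer(referer, rules, server_names=()):
    """Return "" if the Referer is accepted, "1" otherwise (like $invalid_referer)."""
    if referer is None:                        # header missing from the request
        return "" if "none" in rules else "1"
    scheme = re.match(r"https?://", referer, re.I)
    if not scheme:                             # value stripped by a firewall or proxy
        return "" if "blocked" in rules else "1"
    rest = referer[scheme.end():]              # text after "http://" or "https://"
    hostport, slash, path = rest.partition("/")
    host = hostport.split(":", 1)[0].lower()   # port is ignored, host is case-insensitive
    uri = slash + path
    patterns = [r for r in rules if r not in ("none", "blocked", "server_names")]
    if "server_names" in rules:
        patterns += list(server_names)
    for pat in patterns:
        if pat.startswith("~"):                # regex sees everything after the scheme
            if re.search(pat[1:], rest, re.I):
                return ""
            continue
        name, sep, prefix = pat.partition("/")
        name = name.lower()
        if name.startswith("*."):
            host_ok = host.endswith(name[1:])
        elif name.endswith(".*"):
            host_ok = host.startswith(name[:-1])
        else:
            host_ok = host == name
        if host_ok and uri.startswith(sep + prefix):
            return ""
    return "1"

# Rules from the example configuration above; the samples below are constructed.
RULES = ["none", "blocked", "server_names", "*.example.com", "example.*",
         "www.example.org/galleries/", r"~\.google\."]
SAMPLES = [None, "about:blank", "https://IMG.example.com/a.png",
           "https://www.example.org:8443/galleries/1.jpg",
           "https://www.example.org/other/", "https://www.google.com/search",
           "https://unrelated.test/a.google.b", "https://unrelated.test/"]

def evaluate(samples=SAMPLES, server_names=("shop.test",)):
    return {s: invalid_referer(s, RULES, server_names) for s in samples}

if __name__ == "__main__":
    for ref, flag in evaluate().items():
        print(f"{ref!r:50} $invalid_referer={flag!r}")
```

Because a regular expression is matched against everything after the scheme, a pattern meant for the host name should be anchored, for example `~^[^/]*\.google\.`.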

Original article by easyTang. If you repost it, please credit the source: http://www.www58058.com/78313
