项目:https://github.com/0xJacky/nginx-ui
文档:https://nginxui.com/zh_CN/
系统:debian12
先安装nginx
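# 1. Install prerequisites
sudo apt update
sudo apt install -y curl gnupg2 ca-certificates lsb-release
# 2. Import the signing key into its own keyring (least privilege: only the
#    nginx source below trusts it). `-f` makes curl fail on an HTTP error
#    instead of feeding an error page into gpg.
curl -fsSL https://nginx.org/keys/nginx_signing.key \
  | gpg --dearmor \
  | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
#    Show the fingerprint of what was imported; it must match the one published
#    at https://nginx.org/en/linux_packages.html before the repository is used.
gpg --dry-run --quiet --no-keyring --import --import-options import-show \
  /usr/share/keyrings/nginx-archive-keyring.gpg
# 3. Add the stable repository (HTTPS, bound to the keyring above)
printf 'deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/debian %s nginx\n' \
  "$(lsb_release -cs)" | sudo tee /etc/apt/sources.list.d/nginx.list >/dev/null
# 4. Pin nginx.org packages above Debian's own. printf replaces `echo -e`,
#    whose escape handling is not portable across shells.
printf 'Package: nginx*\nPin: origin nginx.org\nPin-Priority: 900\n' \
  | sudo tee /etc/apt/preferences.d/99-nginx >/dev/null
# 5. Install
sudo apt update
sudo apt install -y nginx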
启动并设置开机自启
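# Enable at boot and start now in one step (same end state as start + enable).
sudo systemctl enable --now nginx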
验证安装
# Show unit state, main PID and the most recent journal lines.
sudo systemctl status nginx.service
常用命令
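# Stop nginx
sudo systemctl stop nginx
# Restart nginx (in-flight connections are dropped)
sudo systemctl restart nginx
# Reload configuration without interrupting service. Validate first: if the
# unit's ExecReload only signals the master (check `systemctl cat nginx`), a
# broken config is logged by nginx but `systemctl reload` still returns 0.
sudo nginx -t && sudo systemctl reload nginx
# Check configuration syntax on its own
sudo nginx -t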
目录结构
官方源的 Nginx 路径:
# 主配置文件
/etc/nginx/nginx.conf
# 网站配置
/etc/nginx/conf.d/
# 默认网站目录
/usr/share/nginx/html 或 /var/www/html
# 日志目录
/var/log/nginx/
# 二进制文件
/usr/sbin/nginx
/etc/nginx/sites-available/default
# Catch-all site from /etc/nginx/sites-available/default (reference copy):
# serves /var/www/html for any Host on port 80, 404 for anything not on disk.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        # Try the file, then a directory, then answer 404 (no further fallback).
        try_files $uri $uri/ =404;
    }
}
禁止使用 IP 访问
先生成自签名证书
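# Self-signed certificate for the catch-all TLS server. It only has to let the
# handshake complete so the request can be refused, hence the dummy subject.
sudo mkdir -p /etc/nginx/ssl
# stderr is left visible: a failed key generation must not go unnoticed, or the
# later `nginx -t` fails with a confusing "cannot load certificate" error.
sudo openssl req -x509 -nodes -days 3650 \
  -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/ip_block.key \
  -out /etc/nginx/ssl/ip_block.crt \
  -subj "/C=XX/ST=XX/L=XX/O=XX/CN=ip_block"
# Private key readable by root only; the master process loads it at startup,
# so the worker user never needs access.
sudo chmod 600 /etc/nginx/ssl/ip_block.key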
清空并创建新的 default 配置
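# The nginx.org package ships only conf.d/ (see the directory list above), so
# sites-available/ and sites-enabled/ must exist before tee can write here, and
# nginx.conf must include sites-enabled/* for the file to be loaded at all.
sudo mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled
# Quoted delimiter: nothing inside the heredoc is expanded by the shell.
# `return 444` is nginx-specific: close the connection without any response.
# On nginx >= 1.19.4 `ssl_reject_handshake on;` in the 443 server would make
# the self-signed certificate pair unnecessary.
sudo tee /etc/nginx/sites-available/default >/dev/null << 'EOF'
# HTTP 阻止 - 禁止IP访问
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 444;
}
# HTTPS 阻止 - 禁止IP访问
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
ssl_certificate /etc/nginx/ssl/ip_block.crt;
ssl_certificate_key /etc/nginx/ssl/ip_block.key;
return 444;
}
EOF
# Activate the site (idempotent) and validate before reloading.
sudo ln -sfn /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
sudo nginx -t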
重载nginx
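# Validate first so a broken default site is reported instead of being
# rejected silently by the running master on SIGHUP.
sudo nginx -t && sudo systemctl reload nginx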
安装Nginx UI
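# Fetch the installer to a temp file and read it before it runs: piping curl
# straight into bash executes whatever comes back, and without `-f` even an
# HTTP error page would be executed. Arguments are passed exactly as before.
tmp=$(mktemp) || exit 1
curl -fsSL -o "$tmp" https://cloud.nginxui.com/install.sh
less "$tmp"
bash "$tmp" install -r https://cloud.nginxui.com/
rm -f -- "$tmp"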
文档:https://nginxui.com/zh_CN/guide/install-script-linux
常用命令:
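# Same lifecycle commands as for nginx; sudo added for consistency with the
# rest of this page (everything except status needs root).
sudo systemctl start nginx-ui
sudo systemctl stop nginx-ui
sudo systemctl restart nginx-ui
sudo systemctl status nginx-ui
sudo systemctl enable nginx-ui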
防火墙配置
如果需要外部访问 Nginx-UI
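# Port 9000 is the Nginx UI admin panel. Opening it to every source exposes the
# login page to the whole internet; allow only the address you administer from.
# 203.0.113.10 is a constructed example from the documentation range -- replace it.
admin_ip=203.0.113.10
sudo ufw allow from "$admin_ip" to any port 9000 proto tcp
# Only if unrestricted access is genuinely required:
# sudo ufw allow 9000/tcp
sudo ufw reload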
放行80和443
# Open HTTP and HTTPS as two separate rules (so they can be deleted one by one).
for port in 80 443; do
  sudo ufw allow "${port}/tcp"
done
sudo ufw reload
或者(推荐)
# Replace the two per-port rules with the application profile shipped by nginx.
for port in 80 443; do
  sudo ufw delete allow "${port}/tcp"
done
sudo ufw allow 'Nginx Full'
验证
# List the active rules with their indices (the numbers are what `ufw delete N` takes).
sudo ufw status numbered
查看Nginx进程运行的用户
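# Users of the nginx master/worker processes. `-C` selects by process name, so
# the grep command itself is not listed and unrelated processes that merely
# mention "nginx" on their command line are excluded.
ps -o user,pid,cmd -C nginx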
查看缓存大小
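# sudo: the cache directory is created by nginx and is typically not readable
# by other users, so an unprivileged du prints permission errors.
sudo du -sh /var/cache/nginx/proxy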
查询爬虫
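# -F: literal string match; --: the pattern is never parsed as an option.
# sudo because the access log is usually not world-readable. Use `-c` for a
# count instead of the matching lines.
sudo grep -F -- "ClaudeBot" /var/log/nginx/access.log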
删除缓存
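# Destructive: empties the proxy cache. find avoids the pitfalls of `rm -rf dir/*`
# (dotfiles are skipped by the glob, very large caches overflow the argument
# list) and never removes the directory itself. nginx needs root here.
sudo find /var/cache/nginx/proxy -mindepth 1 -delete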
调整日志时间
# Set the system zone, then print the result (`status` is timedatectl's default verb).
sudo timedatectl set-timezone Asia/Shanghai
timedatectl status
重启 Nginx 服务来使更改生效
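# Validate before restarting: a restart with a broken config leaves nginx down.
sudo nginx -t && sudo systemctl restart nginx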
nginx配置
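# Worker identity and process-wide limits
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
error_log /var/log/nginx/error.local.log notice;
pid /run/nginx.pid;
worker_rlimit_nofile 65535;
# Thread pool used by `aio threads` in the site configurations
thread_pool default threads=8 max_queue=65536;

events {
    use epoll;
    multi_accept on;
    worker_connections 1024;
}

# Layer-4 proxies are kept in their own include directory
stream {
    include /etc/nginx/streams-enabled/*;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Security
    server_tokens off;
    # HTTP/2 for every ssl listener (http-level `http2 on` needs nginx >= 1.25.1)
    http2 on;
    http2_max_concurrent_streams 512;
    http2_recv_buffer_size 512k;
    http2_body_preread_size 128k;
    http2_chunk_size 16k;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:30m;
    ssl_session_timeout 1h;
    # ssl_certificate_cache is a 1.27.x-era directive; `nginx -t` reports it as
    # unknown on older builds -- remove just this line in that case.
    ssl_certificate_cache max=2000 inactive=5m valid=20m;
    ssl_buffer_size 4k;
    # NOTE(review): the last four suites (*-AES256-SHA384, *-AES128-SHA256) are
    # CBC-mode and only serve legacy clients; drop them if none are needed.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;

    # Baseline security headers. add_header is not inherited additively: any
    # server or location that declares its own add_header replaces this whole
    # set, so repeat these there when needed.
    #add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # X-XSS-Protection is deprecated. "1; mode=block" switched on a legacy
    # browser filter that was itself abused for cross-site leaks, which is why
    # current guidance sends "0" (explicitly off) or nothing at all.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # HSTS: one year, all subdomains. Browsers ignore it over plain HTTP, so
    # sending it from every server is harmless.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Hash sizes
    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 128;
    types_hash_max_size 2048;
    types_hash_bucket_size 128;
    variables_hash_max_size 1024;
    variables_hash_bucket_size 128;
    proxy_headers_hash_max_size 1024;
    proxy_headers_hash_bucket_size 128;

    # File caching (descriptors and metadata, not content)
    open_file_cache max=2000 inactive=30s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # Rate limiting -- declared here, so it applies to every server block.
    # Keyed on the client address; clients behind one NAT share a bucket.
    limit_req_zone $binary_remote_addr zone=example_zone:50m rate=200r/s;
    limit_req zone=example_zone burst=300 nodelay;
    limit_req_status 429;
    limit_conn_zone $binary_remote_addr zone=addr:20m;
    limit_conn addr 100;
    limit_conn_status 429;

    # Proxy caching
    proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=my_proxy_cache:50m max_size=5g inactive=12h use_temp_path=off;
    # $request_uri keeps the query string, so each query variant is a separate entry
    proxy_cache_key "$scheme$host$request_uri";
    proxy_cache_methods GET HEAD;
    proxy_cache_valid 200 301 302 304 12h;
    proxy_cache_valid 404 1m;
    # 0 = never store these (server errors and client/auth failures)
    proxy_cache_valid 500 502 503 504 400 403 429 0;
    proxy_cache_lock on;
    proxy_cache_lock_timeout 5s;
    proxy_cache_background_update on;

    # Proxy buffering
    proxy_buffering on;
    proxy_buffer_size 16k;
    proxy_buffers 8 16k;
    proxy_busy_buffers_size 32k;
    proxy_socket_keepalive on;
    proxy_intercept_errors on;
    # Do not leak the backend's framework banner to clients
    proxy_hide_header X-Powered-By;

    # Logging
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    # Buffered writes: up to 512k or 10s of log lines are lost on a hard crash
    access_log /var/log/nginx/access.log main buffer=512k flush=10s;

    # File transfer optimizations
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # gzip
    gzip on;
    gzip_static on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_min_length 1024;
    gzip_buffers 8 256k;
    gzip_types
        text/plain
        text/css
        application/javascript
        application/json
        application/xml
        image/svg+xml
        font/woff
        font/woff2
        application/wasm;

    # Connection & timeout
    reset_timedout_connection on;
    client_header_buffer_size 4k;
    client_body_buffer_size 256k;
    large_client_header_buffers 8 16k;
    output_buffers 8 1024k;
    client_body_timeout 60s;
    client_header_timeout 60s;
    send_timeout 60s;
    keepalive_timeout 65s 60s;
    keepalive_requests 5000;
    proxy_connect_timeout 10s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;

    # Site configurations (both directories must exist, see the install notes)
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}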
Nginx 反向代理之负载均衡
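# WebSocket: when the client sends an Upgrade header, forward
# "Connection: upgrade" to the backend, otherwise "Connection: close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
# Flag known crawlers by User-Agent. The header is client-supplied, so this
# only drops bots that identify themselves; it is not an access control.
map $http_user_agent $is_bad_bot {
    default 0;
    ~*(ClaudeBot|GPTBot|Amazonbot|meta-externalads|meta-externalagent|facebookexternalhit) 1;
}
# Backend pool with keep-alive connections and weighted distribution
upstream web3 {
    keepalive 320;
    keepalive_requests 1000;
    keepalive_timeout 60s;
    server 3.3.3.3:80 fail_timeout=10s max_fails=2 weight=3;
    server 5.5.5.5:80 fail_timeout=10s max_fails=2 weight=1;
}
# Port 80: drop flagged bots, redirect everything else to HTTPS.
# `if` followed only by `return` in server context is a safe use of `if`.
server {
    listen 80;
    listen [::]:80;
    server_name tk.xxxx.cc;
    if ($is_bad_bot) {
        return 444;
    }
    return 301 https://$host$request_uri;
}
# Port 443 with HTTP/2 (http2 is already on at http level in nginx.conf; the
# line here is redundant but harmless).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name tk.xxxx.cc;
    # Drop flagged bots
    if ($is_bad_bot) {
        return 444;
    }
    # Certificate paths
    ssl_certificate /etc/nginx/ssl/tk.xxxx.cc/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/tk.xxxx.cc/private.key;
    # Proxy everything to the upstream. HTTP/1.1 is required both for upstream
    # keepalive and for the Upgrade/Connection pair to reach the backend.
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://web3;
    }
    # Static assets: proxied and stored in my_proxy_cache (declared in nginx.conf).
    # Accept-Encoding is cleared so the cache holds one uncompressed copy per URL.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|bmp|swf|eot|svg|ttf|woff|woff2|webp)$ {
        proxy_pass http://web3;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Added for consistency with location /: the backend sees the original scheme
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Accept-Encoding "";
        proxy_http_version 1.1;
        proxy_cache my_proxy_cache;
        aio threads;
        log_not_found off;
        access_log off;
    }
}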
卸载方法
重装 Nginx 清理命令
# Stop the service, purge the packages, then remove the apt pieces added at install.
sudo systemctl stop nginx
sudo apt remove --purge -y nginx nginx-common nginx-core
for apt_file in /etc/apt/sources.list.d/nginx.list \
                /usr/share/keyrings/nginx-archive-keyring.gpg \
                /etc/apt/preferences.d/99-nginx; do
  sudo rm -f -- "$apt_file"
done
sudo apt autoremove -y
sudo apt update
彻底卸载
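# Stop the service
sudo systemctl stop nginx
sudo systemctl disable nginx
# Remove every nginx-related package
sudo apt remove --purge -y 'nginx*'
# Remove all configuration (`--` ends option parsing before the path)
sudo rm -rf -- /etc/nginx       # main configuration directory
sudo rm -rf -- /var/log/nginx   # log directory
sudo rm -rf -- /var/cache/nginx # cache directory
# Remove web roots (careful: site content lives here!)
# sudo rm -rf -- /usr/share/nginx/html
# sudo rm -rf -- /var/www/html
# Remove the repository, keyring and pin added during installation
sudo rm -f -- /etc/apt/sources.list.d/nginx.list
sudo rm -f -- /usr/share/keyrings/nginx-archive-keyring.gpg
sudo rm -f -- /etc/apt/preferences.d/99-nginx
# Clean up leftovers
sudo apt autoremove -y
sudo apt autoclean
sudo apt update
# Verify. `a && b || c` is not if/else (c also runs when b fails), and `ls`
# printed a directory listing into the report, so test existence directly.
echo "验证清理结果:"
if [[ -e /etc/nginx ]]; then
  echo "⚠ /etc/nginx 仍存在"
else
  echo "✓ /etc/nginx 已删除"
fi
if [[ -e /etc/apt/sources.list.d/nginx.list ]]; then
  echo "⚠ nginx.list 仍存在"
else
  echo "✓ nginx.list 已删除"
fi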
卸载Nginx UI
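# Same pattern as the install step: fetch, read, then run. Piping curl into
# bash executes whatever the server returns, and without `-f` even an HTTP
# error page would be executed. Arguments are passed exactly as before.
tmp=$(mktemp) || exit 1
curl -fsSL -o "$tmp" https://cloud.nginxui.com/install.sh
less "$tmp"
bash "$tmp" remove --purge
rm -f -- "$tmp"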