安装nginx脚本
带Brotli压缩模块
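# Installs nginx by downloading and running a script from the repository's `main` branch.
# -f makes curl exit non-zero on an HTTP error, so an error body is never saved,
# made executable and run. `main` is a moving branch: whatever it holds at download
# time is what executes, so to review the script first, stop after the curl step.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/nginx-acme.sh \
  && chmod +x nginx-acme.sh \
  && ./nginx-acme.sh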
静态处理
bulu
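# -f stops the chain on an HTTP error instead of executing the error body.
# The script comes from the moving `main` branch; review gzbr.sh before running it.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/gzbr.sh \
  && chmod +x gzbr.sh \
  && ./gzbr.sh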
8090
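# -f stops the chain on an HTTP error instead of executing the error body.
# The script comes from the moving `main` branch; review 8090.sh before running it.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/8090.sh \
  && chmod +x 8090.sh \
  && ./8090.sh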
cat
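# -f stops the chain on an HTTP error instead of executing the error body.
# The script comes from the moving `main` branch; review cat.sh before running it.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/cat.sh \
  && chmod +x cat.sh \
  && ./cat.sh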
qk
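# -f stops the chain on an HTTP error instead of executing the error body.
# The script comes from the moving `main` branch; review qk.sh before running it.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/qk.sh \
  && chmod +x qk.sh \
  && ./qk.sh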
将静态处理成br格式
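# -f stops the chain on an HTTP error instead of executing the error body.
# The script comes from the moving `main` branch; review br.sh before running it.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/br.sh \
  && chmod +x br.sh \
  && ./br.sh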
将静态处理成gz格式
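# -f stops the chain on an HTTP error instead of executing the error body.
# The script comes from the moving `main` branch; review gzip.sh before running it.
curl -fsS -O https://raw.githubusercontent.com/woniu336/open_shell/main/gzip.sh \
  && chmod +x gzip.sh \
  && ./gzip.sh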
创建预压缩存储目录
# Directory for the pre-compressed static files; the pre-compression configs
# further down use this path as the `root` of their static location.
mkdir -p /var/www/cache/2345.cc
反向代理通用版
# ===== WebSocket 智能判断 =====
# Derive the Connection header sent upstream from the client's Upgrade header:
# "upgrade" for a WebSocket handshake, empty for every other request.
map $http_upgrade $connection_upgrade {
default "";
websocket "upgrade";
}
# ===== HTTP → HTTPS =====
# Plain-HTTP listener: serves ACME HTTP-01 challenge files and redirects
# everything else to HTTPS.
server {
listen 80;
listen [::]:80;
server_name www.2345.cc;
# Challenge files are read from /var/www/html.
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# $host is taken from the request's Host header; it stays limited to the
# server_name above only while a separate default_server catches other hosts.
location / {
return 301 https://$host$request_uri;
}
}
# ===== HTTPS 443 =====
# HTTPS virtual host for www.2345.cc: reverse-proxies to a single backend
# (3.3.3.3:80) and caches static assets.
# NOTE(review): the hop to the backend is plain HTTP; confirm it crosses only a
# trusted network.
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name www.2345.cc;
access_log /var/log/nginx/www.2345.cc-access.log main buffer=64k flush=10s;
error_log /var/log/nginx/www.2345.cc-error.log warn;
# Certificate and key are supplied by the ACME module through variables;
# `letsencrypt` names the issuer to use.
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
# On-the-fly gzip/brotli for text-like responses.
# NOTE(review): compressing HTTPS responses that carry secrets next to reflected
# request data is the precondition for BREACH-style leaks; confirm this does not
# apply to the proxied application's JSON/XML responses.
gzip on;
gzip_min_length 1024;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml
application/rss+xml image/svg+xml;
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml
application/rss+xml image/svg+xml;
# ===== Static assets =====
# Matched by URI suffix only (case-insensitive), whatever the backend returns.
location ~* \.(js|css|png|jpg|jpeg|gif|ico|bmp|swf|eot|svg|ttf|woff|woff2|webp)$ {
proxy_pass http://3.3.3.3:80;
# HTTP/1.1 persistent connections
proxy_http_version 1.1;
proxy_set_header Connection "";
# Fetch the uncompressed original: an empty value means no Accept-Encoding
# header is sent to the backend.
proxy_set_header Accept-Encoding "";
#proxy_hide_header Vary;
# Proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any X-Forwarded-For the client sent; the backend
# should trust X-Real-IP or only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
# Cache settings: 200/302/304 are kept for 30 days in the shared cache.
# Because the match is suffix-only, the backend's Cache-Control / Set-Cookie
# headers are what keep a personalised response out of this cache.
proxy_cache my_proxy_cache;
proxy_cache_valid 200 302 304 30d;
proxy_cache_valid 404 1m;
proxy_cache_valid any 10s;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
# Ignore backend cache headers (left disabled: enabling it would cache responses
# the backend marked private or no-store).
#proxy_ignore_headers Cache-Control Expires;
# Performance tuning
expires 30d;
etag on;
sendfile on;
tcp_nopush on;
# Requests to this location are not logged, so they are also invisible to
# log-based monitoring.
log_not_found off;
access_log off;
}
# ===== Dynamic content =====
location / {
proxy_pass http://3.3.3.3:80;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Upgrade $http_upgrade;
# Proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Client-supplied X-Forwarded-For entries are preserved ahead of $remote_addr.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
}
负载均衡通用版
# ===== WebSocket 智能判断 =====
# Derive the Connection header sent upstream from the client's Upgrade header:
# "upgrade" for a WebSocket handshake, empty for every other request.
map $http_upgrade $connection_upgrade {
default "";
websocket "upgrade";
}
# Backend pool with two servers and a keepalive connection cache.
# Both backends are addressed on port 80, i.e. over plain HTTP.
upstream www_2345_cc {
keepalive 320;
keepalive_requests 500;
keepalive_timeout 60s;
server 3.3.3.3:80;
server 5.5.5.5:80;
}
# ===== HTTP → HTTPS =====
# Plain-HTTP listener: serves ACME HTTP-01 challenge files and redirects
# everything else to HTTPS.
server {
listen 80;
listen [::]:80;
server_name 2345.cc www.2345.cc;
# Challenge files are read from /var/www/html.
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# $host is taken from the request's Host header; it stays limited to the
# names above only while a separate default_server catches other hosts.
location / {
return 301 https://$host$request_uri;
}
}
# ===== HTTPS 443 =====
# HTTPS virtual host for 2345.cc / www.2345.cc: load-balances across the
# www_2345_cc upstream and caches static assets.
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name 2345.cc www.2345.cc;
access_log /var/log/nginx/www.2345.cc-access.log main buffer=64k flush=10s;
error_log /var/log/nginx/www.2345.cc-error.log warn;
# Certificate and key are supplied by the ACME module through variables;
# `letsencrypt` names the issuer to use.
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
# On-the-fly gzip/brotli for text-like responses.
# NOTE(review): compressing HTTPS responses that carry secrets next to reflected
# request data is the precondition for BREACH-style leaks; confirm this does not
# apply to the proxied application's JSON/XML responses.
gzip on;
gzip_min_length 1024;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml
application/rss+xml image/svg+xml;
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml
application/rss+xml image/svg+xml;
# ===== Static assets =====
# Matched by URI suffix only (case-insensitive), whatever the backend returns.
location ~* \.(js|css|png|jpg|jpeg|gif|ico|bmp|swf|eot|svg|ttf|woff|woff2|webp)$ {
proxy_pass http://www_2345_cc;
# HTTP/1.1 persistent connections
proxy_http_version 1.1;
proxy_set_header Connection "";
# Timeouts
proxy_connect_timeout 1s;
proxy_send_timeout 2s;
proxy_read_timeout 3s;
# Failover: try the next upstream server on these conditions, at most
# 2 tries within 5s.
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_next_upstream_timeout 5s;
proxy_next_upstream_tries 2;
# Fetch the uncompressed original: an empty value means no Accept-Encoding
# header is sent to the backend.
proxy_set_header Accept-Encoding "";
#proxy_hide_header Vary;
# Proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any X-Forwarded-For the client sent; the backend
# should trust X-Real-IP or only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
# Cache settings: 200/302/304 are kept for 30 days in the shared cache.
# Because the match is suffix-only, the backend's Cache-Control / Set-Cookie
# headers are what keep a personalised response out of this cache.
proxy_cache my_proxy_cache;
proxy_cache_valid 200 302 304 30d;
proxy_cache_valid 404 1m;
proxy_cache_valid any 10s;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
# Ignore backend cache headers (left disabled: enabling it would cache responses
# the backend marked private or no-store).
#proxy_ignore_headers Cache-Control Expires;
# Performance tuning
expires 30d;
etag on;
sendfile on;
tcp_nopush on;
# Requests to this location are not logged, so they are also invisible to
# log-based monitoring.
log_not_found off;
access_log off;
}
# ===== Dynamic content =====
location / {
proxy_pass http://www_2345_cc;
# Timeouts (slightly longer than for static assets).
# NOTE(review): the 8s read timeout also applies to the WebSocket connections
# this location upgrades; confirm idle sockets are meant to close that soon.
proxy_connect_timeout 2s;
proxy_send_timeout 5s;
proxy_read_timeout 8s;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_next_upstream_tries 2;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Upgrade $http_upgrade;
# Proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Client-supplied X-Forwarded-For entries are preserved ahead of $remote_addr.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
}
负载均衡
处理预压缩的配置
# ===== WebSocket 智能判断 =====
# Derive the Connection header sent upstream from the client's Upgrade header:
# "upgrade" for a WebSocket handshake, empty for every other request.
map $http_upgrade $connection_upgrade {
default "";
websocket "upgrade";
}
# Backend pool with two servers and a keepalive connection cache.
# Both backends are addressed on port 80, i.e. over plain HTTP.
upstream www_2345_cc {
keepalive 320;
keepalive_requests 500;
keepalive_timeout 60s;
server 3.3.3.3:80;
server 5.5.5.5:80;
}
# ===== HTTP → HTTPS =====
# Plain-HTTP listener: serves ACME HTTP-01 challenge files and redirects
# everything else to HTTPS.
server {
listen 80;
listen [::]:80;
server_name 2345.cc www.2345.cc;
# Challenge files are read from /var/www/html.
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# $host is taken from the request's Host header; it stays limited to the
# names above only while a separate default_server catches other hosts.
location / {
return 301 https://$host$request_uri;
}
}
# ===== HTTPS 443 =====
# HTTPS virtual host for 2345.cc / www.2345.cc: serves pre-compressed static
# files from local disk, falls back to the www_2345_cc upstream for missing
# files, and proxies everything else to the same upstream.
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name 2345.cc www.2345.cc;
access_log /var/log/nginx/www.2345.cc-access.log main buffer=64k flush=10s;
error_log /var/log/nginx/www.2345.cc-error.log warn;
# Certificate and key are supplied by the ACME module through variables;
# `letsencrypt` names the issuer to use.
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
# Redirect the apex domain to www.
if ($host = 2345.cc) {
return 301 https://www.2345.cc$request_uri;
}
# Turn off all on-the-fly compression
gzip off;
brotli off;
# Serve pre-compressed .gz / .br files when they exist
gzip_static on;
brotli_static on;
# ===== Static assets =====
# Matched by URI suffix only (case-insensitive).
location ~* \.(js|css|png|jpg|jpeg|gif|ico|bmp|swf|eot|svg|ttf|woff|woff2|webp)$ {
root /var/www/cache/2345.cc;
# Local file first; anything not found on disk goes to @backend_fallback.
try_files $uri @backend_fallback;
# Browser caching
expires 30d;
etag on;
# Performance tuning
aio threads;
sendfile on;
tcp_nopush on;
# Requests to this location are not logged, so they are also invisible to
# log-based monitoring.
log_not_found off;
access_log off;
}
# ===== Fallback for static files missing on disk =====
location @backend_fallback {
proxy_pass http://www_2345_cc;
# Timeouts
proxy_connect_timeout 1s;
proxy_send_timeout 2s;
proxy_read_timeout 3s;
proxy_next_upstream error timeout invalid_header;
proxy_next_upstream_tries 2;
# Connection reuse
proxy_http_version 1.1;
proxy_set_header Connection "";
# Pass compression headers through: the backend sees the client's own
# Accept-Encoding value.
proxy_set_header Accept-Encoding $http_accept_encoding;
proxy_pass_header Content-Encoding;
proxy_pass_header Vary;
# Proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any X-Forwarded-For the client sent; the backend
# should trust X-Real-IP or only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
# Cache settings
# NOTE(review): the key contains the raw, client-controlled Accept-Encoding
# header, so every distinct header string gets its own cache entry per URL and
# the entry count is not bounded by this config. Consider normalising the value
# (for example a map to br / gzip / empty) before using it here and upstream.
proxy_cache my_proxy_cache;
proxy_cache_key "$scheme$request_method$host$request_uri$http_accept_encoding";
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_cache_valid 200 302 304 12h;
proxy_cache_valid 404 1m;
proxy_cache_valid any 10s;
}
# ===== Dynamic content =====
location / {
proxy_pass http://www_2345_cc;
# Timeouts (slightly longer than for static assets).
# NOTE(review): the 8s read timeout also applies to the WebSocket connections
# this location upgrades; confirm idle sockets are meant to close that soon.
proxy_connect_timeout 2s;
proxy_send_timeout 5s;
proxy_read_timeout 8s;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_next_upstream_tries 2;
# Connection reuse (with WebSocket support)
proxy_http_version 1.1;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Upgrade $http_upgrade;
# Standard proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Client-supplied X-Forwarded-For entries are preserved ahead of $remote_addr.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
}
反向代理
# ===== WebSocket 智能判断 =====
# Derive the Connection header sent upstream from the client's Upgrade header:
# "upgrade" for a WebSocket handshake, empty for every other request.
map $http_upgrade $connection_upgrade {
default "";
websocket "upgrade";
}
# ===== HTTP → HTTPS =====
# Plain-HTTP listener: serves ACME HTTP-01 challenge files and redirects
# everything else to HTTPS.
server {
listen 80;
listen [::]:80;
server_name 2345.cc www.2345.cc;
# Challenge files are read from /var/www/html.
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# $host is taken from the request's Host header; it stays limited to the
# names above only while a separate default_server catches other hosts.
location / {
return 301 https://$host$request_uri;
}
}
# ===== HTTPS 443 =====
# HTTPS virtual host for 2345.cc / www.2345.cc: serves pre-compressed static
# files from local disk, falls back to the backend (3.3.3.3:80) for missing
# files, and proxies everything else to the same backend.
# NOTE(review): the hop to the backend is plain HTTP; confirm it crosses only a
# trusted network.
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name 2345.cc www.2345.cc;
access_log /var/log/nginx/www.2345.cc-access.log main buffer=64k flush=10s;
error_log /var/log/nginx/www.2345.cc-error.log warn;
# Certificate and key are supplied by the ACME module through variables;
# `letsencrypt` names the issuer to use.
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
# Redirect the apex domain to www.
if ($host = 2345.cc) {
return 301 https://www.2345.cc$request_uri;
}
# Turn off all on-the-fly compression
gzip off;
brotli off;
# Serve pre-compressed .gz / .br files when they exist
gzip_static on;
brotli_static on;
# ===== Static assets =====
# Matched by URI suffix only (case-insensitive).
location ~* \.(js|css|png|jpg|jpeg|gif|ico|bmp|swf|eot|svg|ttf|woff|woff2|webp)$ {
root /var/www/cache/2345.cc;
# Local file first; anything not found on disk goes to @backend_fallback.
try_files $uri @backend_fallback;
# Browser caching
expires 30d;
etag on;
# Performance tuning
aio threads;
sendfile on;
tcp_nopush on;
# Requests to this location are not logged, so they are also invisible to
# log-based monitoring.
log_not_found off;
access_log off;
}
# ===== Fallback for static files missing on disk =====
location @backend_fallback {
proxy_pass http://3.3.3.3:80;
# Pass compression headers through: the backend sees the client's own
# Accept-Encoding value.
proxy_set_header Accept-Encoding $http_accept_encoding;
proxy_pass_header Content-Encoding;
proxy_pass_header Vary;
# Connection reuse
proxy_http_version 1.1;
proxy_set_header Connection "";
# Proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any X-Forwarded-For the client sent; the backend
# should trust X-Real-IP or only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
# Cache settings
# NOTE(review): the key contains the raw, client-controlled Accept-Encoding
# header, so every distinct header string gets its own cache entry per URL and
# the entry count is not bounded by this config. Consider normalising the value
# (for example a map to br / gzip / empty) before using it here and upstream.
proxy_cache my_proxy_cache;
proxy_cache_key "$scheme$request_method$host$request_uri$http_accept_encoding";
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_cache_valid 200 302 304 12h;
proxy_cache_valid 404 1m;
proxy_cache_valid any 10s;
}
# ===== Dynamic content =====
location / {
proxy_pass http://3.3.3.3:80;
# Connection reuse (with WebSocket support)
proxy_http_version 1.1;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Upgrade $http_upgrade;
# Standard proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Client-supplied X-Forwarded-For entries are preserved ahead of $remote_addr.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
}
}
nginx配置
# Main-context settings: worker identity, process count, global error log,
# pid file, file-descriptor limit, thread pool and dynamic modules.
# Worker processes run as www-data.
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;
worker_rlimit_nofile 65535;
# Thread pool named `default`, the pool `aio threads` uses when no name is given.
thread_pool default threads=8 max_queue=65536;
# ACME module
load_module /usr/lib/nginx/modules/ngx_http_acme_module.so;
# Connection processing: epoll, accept all pending connections at once,
# up to 1024 connections per worker.
events {
use epoll;
multi_accept on;
worker_connections 1024;
}
# TCP/UDP proxying: every file in streams-enabled is loaded into this context.
stream {
include /etc/nginx/streams-enabled/*;
}
# Global HTTP settings shared by every virtual host: TLS policy, security
# headers, rate limits, proxy cache, logging, timeouts, the ACME issuer and the
# two catch-all servers. Site configs are included at the end.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Security
# Hide the nginx version in the Server header and on error pages.
server_tokens off;
http2 on;
http2_max_concurrent_streams 512;
http2_recv_buffer_size 512k;
http2_body_preread_size 128k;
http2_chunk_size 16k;
ssl_prefer_server_ciphers on;
# Only TLS 1.2 and TLS 1.3 are accepted.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 1h;
ssl_certificate_cache max=2000 inactive=5m valid=20m;
ssl_buffer_size 4k;
# NOTE(review): the first six suites are AEAD (GCM / CHACHA20-POLY1305); the last
# four (…-SHA384 / …-SHA256) are CBC-mode. Drop the CBC suites if no client
# still needs them.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
# add_header is inherited by a server/location only if that level defines no
# add_header of its own; a site that adds a header must repeat these.
add_header X-Content-Type-Options "nosniff" always;
# NOTE(review): legacy header; the browser XSS filter it controlled has been
# removed from current browsers, so it adds no protection there.
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# HSTS for one year; includeSubDomains extends it to every subdomain of each
# host served here, so all of them must be reachable over HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Hash sizes
server_names_hash_max_size 1024;
server_names_hash_bucket_size 128;
types_hash_max_size 2048;
types_hash_bucket_size 128;
variables_hash_max_size 1024;
variables_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
# File caching
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# Rate limiting, keyed on the client address: 50 requests/s with a burst of 150
# and at most 200 concurrent connections; excess is answered with 429.
limit_req_zone $binary_remote_addr zone=example_zone:50m rate=50r/s;
limit_req zone=example_zone burst=150 nodelay;
limit_req_status 429;
limit_conn_zone $binary_remote_addr zone=addr:20m;
limit_conn addr 200;
limit_conn_status 429;
# Proxy caching: shared zone my_proxy_cache, up to 5g on disk, entries unused
# for 12h are evicted.
proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=my_proxy_cache:50m max_size=5g inactive=12h use_temp_path=off;
# Default cache key; locations that set their own proxy_cache_key override it.
proxy_cache_key "$scheme$request_method$host$request_uri";
# Exposes the cache status of each response to clients.
add_header X-Cache-Status $upstream_cache_status;
add_header Vary Accept-Encoding;
proxy_cache_methods GET HEAD;
proxy_cache_valid 200 301 302 304 12h;
proxy_cache_valid 404 1m;
# Error responses are not cached.
proxy_cache_valid 500 502 503 504 400 403 429 0;
proxy_cache_lock on;
proxy_cache_lock_timeout 5s;
proxy_cache_background_update on;
# Proxy buffering
proxy_buffering on;
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 32k;
proxy_socket_keepalive on;
# Backend responses with status >= 300 are handed to error_page processing.
proxy_intercept_errors on;
# Do not pass the backend's X-Powered-By header to clients.
proxy_hide_header X-Powered-By;
# Logging
# The last field is the X-Forwarded-For header exactly as the client sent it,
# so treat it as untrusted when reading logs.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main buffer=64k flush=10s;
# File transfer optimizations
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# gzip: no on-the-fly compression, pre-compressed .gz files only
gzip off;
gzip_static on;
# brotli: no on-the-fly compression, pre-compressed .br files only
brotli off;
brotli_static on;
# Connection & timeout
reset_timedout_connection on;
client_header_buffer_size 32k;
client_body_buffer_size 256k;
large_client_header_buffers 4 32k;
output_buffers 8 1024k;
client_body_timeout 60s;
client_header_timeout 60s;
send_timeout 60s;
keepalive_timeout 65s 60s;
keepalive_requests 5000;
proxy_connect_timeout 30s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# DNS resolver: public resolvers, IPv6 lookups disabled
resolver 8.8.8.8 1.1.1.1 valid=300s ipv6=off;
resolver_timeout 5s;
# Global proxy headers; inherited only by locations that define no
# proxy_set_header of their own.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Client-supplied X-Forwarded-For entries are preserved ahead of $remote_addr.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
# ACME configuration
acme_shared_zone zone=acme_shared:2M;
# Issuer `letsencrypt`, pointing at the Let's Encrypt v2 directory.
# NOTE(review): state_path presumably holds the ACME account key and issued
# certificates; confirm the directory is readable by the nginx user only.
acme_issuer letsencrypt {
uri https://acme-v02.api.letsencrypt.org/directory;
contact mailto:12345@qq.com;
state_path /etc/nginx/acme/letsencrypt;
accept_terms_of_service;
}
# HTTP -> HTTPS redirect (default server block).
# As the catch-all, $host here is whatever Host header the client sent.
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location / {
return 301 https://$host$request_uri;
}
}
# Block direct access by IP: TLS handshakes that match no configured
# server_name are rejected.
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
ssl_reject_handshake on;
}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}