一个完整的Nginx优化配置

```
worker_processes  4;# 优化 Nginx worker 进程数
worker_cpu_affinity 0001 0010 0100 1000; 
worker_rlimit_nofile 65535;# 这个指令是指当一个nginx进程打开的最多文件描述符数目
events {
    worker_connections 65535;# 单个进程允许客户端最大并发连接数 
    use epoll;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile on; # 开启文件的高效传输模式
    tcp_nopush on;# 激活 TCP_CORK socket 选择
    tcp_nodelay on;  # 数据在传输的过程中不进缓存

keepalive_timeout 60; # 客户端连接保持会话超时时间，超过这个时间，服务器断开这个链接。
    send_timeout 10;# 如果超过这个时间，客户端没有任何活动，nginx关闭连接。
    reset_timedout_connection on;# 告诉nginx关闭不响应的客户端连接。
    client_body_timeout 10; # 设置请求体的超时时间。
    client_header_timeout 15; # 设置请求头的超时时间。
    client_header_buffer_size 1k; # 客户端请求头部的缓冲区大小，这个可以根据你的系统分页大小来设置，一般一个请求头的大小不会超过 1k

open_file_cache max=65535 inactive=20s;
    open_file_cache_valid 30s; # 这个是指多长时间检查一次缓存的有效信息。
    open_file_cache_min_uses 1;

server_tokens off; # 隐藏版本号
    client_max_body_size 10m;# 上传文件大小限制。

# nginx与php之间FastCGI 相关参数调优
    # 时间超时设定
    fastcgi_connect_timeout 240;
    fastcgi_send_timeout 240;
    fastcgi_read_timeout 240;
    # 缓冲/缓存设置
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    fastcgi_temp_path /nginx/ngx_fcgi_tmp;
    fastcgi_cache_path /nginx/ngx_fcgi_cache levels=2:2 keys_zone=ngx_fcgi_cache:512m inactive=1d max_size=40g;
    # 这里取得原始用户的IP地址,跟下面json格式变量对应
    map $http_x_forwarded_for $clientRealIp {
        ""  $remote_addr;
        ~^(?P<firstAddr>[0-9\.]+),?.*$  $firstAddr;
    }
    map $host $resp_body {
         default "";
    }

map $host $loggable {
        default 1;
    }

map $host $request_body_sub {
        default "";
    }
##以上都是json格式变量

###########################日志格式

log_format json escape=json '{"@timestamp":"$time_iso8601",'
                              '"time":"$time_iso8601",'
                              '"realip":"$clientRealIp",'
                              '"host":"$http_host",'
                              '"request":"$request",'
                              '"status":$status,'
                              '"req_body":"$request_body",'
                              '"cookie":"$http_cookie",'
                              '"remote_addr":"$remote_addr",'
                              '"remote_user":"$remote_user",'
                              '"body_bytes_sent":"$body_bytes_sent",'
                              '"request_time":"$request_time",'
                              '"request_method":"$request_method",'
                              '"uri":"$uri",'
                              '"http_referrer":"$http_referer",'
                              '"xff":"$http_x_forwarded_for",'    
                              '"ups_status":"$upstream_status",'
                              '"ups_addr":"$upstream_addr",'
                              '"ups_time":"$upstream_response_time",'
                              '"http_user_agent":"$http_user_agent"'
                              '}';
############################gzip优化###############################
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 32k;
    gzip_http_version 1.1;
    gzip_comp_level 9;
    gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";

server {
        listen       80;
        server_name  www.kubernetes-devops.cn;         # 设置的域名解析，对应的就进入不同目录
        root   /usr/share/nginx/html;               # 相关主目录
        index  index.html index.php;   # 先找index.html 到不到就找index.php       
        error_log logs/error.log warn;
        access_log  logs/access.log  json_log;

# 安全优化
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header strict-transport-security "max-age=31536000; includeSubDomains";

fastcgi_hide_header X-Powered-By;

#只允许特定的METHOD
        if ($request_method !~ ^(GET|POST|HEAD|OPTION)$) {
            return 405;
        }

#禁止默认的命令行工具访问
        if ($http_user_agent ~* (pytho[n]?|curl|wget)) {
            return 403;
        }

# 防止外部直接thinkphp漏洞攻击
        #if ($request_uri ~* ^/index\.php) {
        #    return 405;
        #}
        #禁止所以点开头的访问
        #eg： /upload/../index.php
        location ~ /\. {
            deny all;
        }

#upload下php无运行权限，防止上传漏洞
        location ~* /upload[s]?/.*\.php$ {
            return 404;
        }

#静态文件就不需要记录在日志了
        location ~* \.(map|gif|jpg|png|css|js|ico|swf|pdf|apk|exe|eot|otf|ttf|woff|woff2)$ {
            try_files $uri =404;
            access_log off;
        }

location = /favicon.ico {
            try_files $uri =404;
            access_log off;
        }

location / {
        	if (!-e $request_filename){
        	rewrite  ^(.*)$  /index.php?s=$1  last;   break;
    	}
        # php配置优化
        location ~ .php(.*)$ {
            fastcgi_pass 127.0.0.1:9000;            
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_split_path_info ^(.+.php)(.*)$;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            include fastcgi_params;
            fastcgi_cache ngx_fcgi_cache;
            include fastcgi.conf;
            fastcgi_cache_valid 200 302 1h;
            fastcgi_cache_valid 301 1d;
            fastcgi_cache_valid any 1m;
            fastcgi_cache_min_uses 1;
            fastcgi_cache_use_stale error timeout invalid_header http_500;
            fastcgi_cache_key http://$host$request_uri; 
        }
      }
    }
```