常用容器命令
- 重载:docker exec nginx nginx -s reload
本地SSH隧道连数据库
- moba隧道功能:ssh登录服务器,点moba工具栏的tunnel添加隧道,点start
- ssh隧道功能:ssh -i "-rsa-ghost-nopsw" -N -L 3307:172.18.0.2:3306 -L 3306:172.18.0.5:3306 guest@xxx.xxx.com -v
- 这里的172是数据库容器的docker net ip
- sqlyog隧道功能:不支持ED25519算法证书,仅支持 RSA(2048/4096)、DSA、ECDSA(nistp256/384/521)
docker-compose.yml
# docker-compose.yml — a single nginx service attached to the pre-existing
# network "ghost_net". The database containers are not defined in this file.
services:
  nginx:
    container_name: "nginx"
    image: nginx:1.29.4-alpine  # was 1.21.0; 1.29.4-alpine is the current pin
    restart: unless-stopped
    volumes:
      # config, site content and the Let's Encrypt tree are read-only in the container
      - ./data/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./data/conf.d:/etc/nginx/conf.d:ro
      - ./data/html:/usr/share/nginx/html:ro
      # the only writable mount: access / error logs
      - ./data/logs:/var/log/nginx
      - /www/certbot/data/letsencrypt:/etc/letsencrypt:ro
    ports:
      # the explicit 0.0.0.0 prefix publishes on IPv4 only (no IPv6 listener)
      - "0.0.0.0:80:80"    # changed: force IPv4
      - "0.0.0.0:443:443"  # changed: force IPv4
      # 3306/3307 are only meaningful if a conf.d/*.stream file proxies them
      # (presumably to the MySQL containers the SSH tunnel above also reaches).
      # Published on 0.0.0.0 they are reachable from every IPv4 interface, i.e.
      # a second path to the databases that does not go through the tunnel.
      # NOTE(review): if they are meant for local/tunnel use only, bind them
      # to 127.0.0.1 or drop the mapping — confirm the intent.
      - "0.0.0.0:3306:3306"  # changed: force IPv4
      - "0.0.0.0:3307:3307"  # changed: force IPv4
    networks:
      - ghost_net
    # cap nginx's own memory; it is lightweight and 64M is plenty
    deploy:
      resources:
        limits:
          memory: 64M

# shared network; "external" means compose will not create it — it must exist first
networks:
  ghost_net:
    external: true
nginx.conf
# Main (global) context. Directive order here is not significant.
pid /var/run/nginx.pid;
# warn and above only; the path is the writable ./data/logs mount
error_log /var/log/nginx/error.log warn;
# worker processes run as this unprivileged user
user nginx;
# optimisation 1: one worker per available CPU core
worker_processes auto;
events {
    # accept every pending connection per wake-up instead of one at a time
    multi_accept on;
    # event model; on Linux nginx already picks epoll, this just makes it explicit
    use epoll;
    # optimisation 2: per-worker connection ceiling
    worker_connections 10240;
}
# TCP/UDP proxy module. The actual listeners live in conf.d/*.stream, which
# is mounted read-only from ./data/conf.d.
# NOTE(review): these presumably back the 3306/3307 ports published in
# docker-compose.yml; every listener defined here is exposed exactly as
# widely as that port mapping is.
stream {
    include /etc/nginx/conf.d/*.stream;
}
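http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # do not advertise the nginx version in the Server header and error pages
    server_tokens off;

    # Access-log format. Variables are written as $name: the original listing
    # had them as \$name, which is only correct inside an unquoted shell
    # heredoc — in the file itself the backslash would be logged literally.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # optimisation 3: kernel-side file transfer and TCP packet coalescing
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;

    # optimisation 4: gzip for text-like types. Fine for static files; avoid
    # compressing responses that mix secrets with attacker-controlled input.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/xml+rss text/javascript;

    # optimisation 5: security headers.
    # CAUTION: add_header is inherited only by a server/location that declares
    # NO add_header of its own. A vhost that sets e.g. Strict-Transport-Security
    # must repeat these three, otherwise they are silently dropped there.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # legacy header; current browsers ignore it — a Content-Security-Policy is the real control
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;

    # per-site configuration
    include /etc/nginx/conf.d/*.conf;
}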
default.conf(自己挂载)
# 80 端口:跳转
# :80 — redirect everything to HTTPS, except the ACME challenge path
server {
    server_name nginxarm.atibm.com nginx.atibm.com;
    listen 80;

    location / {
        # $host echoes the client's Host header. As the only :80 vhost this
        # block is also the default server, so any Host value is redirected as-is.
        return 301 https://$host$request_uri;
    }

    # Let's Encrypt HTTP-01 challenge must stay reachable over plain HTTP
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;  # presumably certbot's webroot path — confirm
        allow all;
    }
}
# 443 端口:服务
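# :443 — the site itself (TLS only)
server {
    listen 443 ssl;
    http2 on;  # standalone http2 directive (needs nginx >= 1.25.1; the image is 1.29.x)
    server_name nginxarm.atibm.com nginx.atibm.com;

    # Document root for the whole vhost. It must sit at server level: a `root`
    # inside `location /` is NOT inherited by sibling locations, so the static
    # asset regex location below would fall back to nginx's compiled-in default
    # root and 404 every css/js/image request.
    root /usr/share/nginx/html;
    index index.html index.htm;

    # NOTE(review): the lineage is named ghost.atibm.com while server_name lists
    # nginxarm/nginx.atibm.com — the certificate must carry SANs for both names
    # (or be a wildcard), otherwise clients will reject it.
    ssl_certificate /etc/letsencrypt/live/ghost.atibm.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ghost.atibm.com/privkey.pem;

    # TLS hardening: 1.2/1.3 with AEAD suites only; client picks the suite
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;  # modern recommendation: let the client negotiate
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # Security headers. add_header is inherited from http{} only when this level
    # declares NO add_header of its own; setting HSTS here therefore removes the
    # three http-level headers unless they are repeated.
    add_header Strict-Transport-Security "max-age=31536000" always;  # add includeSubDomains only once every subdomain serves HTTPS
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;  # legacy; kept to match nginx.conf

    location / {
        # single-page application? uncomment:
        # try_files $uri $uri/ /index.html;
    }

    # static asset caching
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 7d;
        add_header Cache-Control "public, no-transform";  # sent next to the Cache-Control that `expires` emits
        # this level now has its own add_header, so the server-level set is dropped here — repeat it
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;  # same as the server root; kept explicit
    }
}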