Nginx in depth: partial optimization and hotlink protection configuration

1, Hide the version number

1.1 Method: modify the configuration file

  • vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;								# Hide the version in the Server header and on nginx error pages
    ......
}

  • nginx -t && systemctl restart nginx
  • curl -I http://192.168.253.33
    • With server_tokens off the response carries only "Server: nginx"; with it on it carries the build version, e.g. "Server: nginx/1.12.2"

1.2 Method: modify the source, recompile and install

This replaces the product string itself, so the banner can be changed rather than merely shortened. It is obfuscation only: scanners still fingerprint nginx from its behaviour (header order, error pages, TCP options), so do not rely on it as a control.

  • vim /opt/nginx-1.12.2/src/core/nginx.h
#define NGINX_VERSION "1.1.1" 					# Fake version number
#define NGINX_VER "IIS" NGINX_VERSION 			# Fake server product; the header becomes "Server: IIS1.1.1"

  • Recompile and install (from the same source tree that was just edited)
cd /opt/nginx-1.12.2/
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module

make && make install
  • Modify the main configuration file
vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;								# Must stay on: with it off nginx sends the hard-coded literal "Server: nginx" and never uses NGINX_VER
	......
}
  • systemctl restart nginx
  • curl -I http://192.168.253.33

2, Modify the user and group

  • Modify the main configuration file
vim /usr/local/nginx/conf/nginx.conf

user nginx nginx; 								# Uncomment and set the user to nginx and the group to nginx (the same --user/--group given at build time)

  • systemctl restart nginx

  • ps aux | grep nginx

    • The master process runs as root (it binds port 80 and opens the log files); the worker processes that handle client requests run as the unprivileged nginx user, so a compromised worker does not yield root

3, Modify the cache time

  • Modify the main configuration file
vim /usr/local/nginx/conf/nginx.conf

http {
......
	server {
	...... 
		location / {
			root html;
			index index.html index.htm;
		}
		
		location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ { 		# New location: treat images as cacheable objects
			root html;
			expires 1d;									# Cache time of 1 day; nginx emits both Expires and Cache-Control: max-age=86400
		}
......
	}
}

  • systemctl restart nginx

  • visit http://192.168.253.33 , double-click the 200 response for an image in the browser's network panel and check that the response headers contain Cache-Control: max-age=86400, i.e. 86400 seconds, one day. Within that day the browser serves the image from its cache without sending a new request to the Nginx server, which reduces the server's bandwidth. Apply this only to static files that are the same for every user; a response that is personalised or carries a session-specific value must not get a long max-age, or a shared cache may serve it to someone else

4, Log rotation

4.1 Create the script

vi /opt/fenge.sh

#!/bin/bash
# Filename: fenge.sh
# Rotate the nginx access log daily: archive yesterday's log, make nginx reopen a fresh file, purge old archives

d=$(date -d "-1 day" "+%Y%m%d")								# Date of the previous day
logs_path="/var/log/nginx"
pid_path="/usr/local/nginx/logs/nginx.pid"
[ -d "$logs_path" ] || mkdir -p "$logs_path" 					# Create the archive directory
mv /usr/local/nginx/logs/access.log "${logs_path}/cc.com-access.log-$d"		# Move and rename the log file
kill -USR1 "$(cat "$pid_path")"									# USR1 makes the master reopen its log files, creating a new access.log
find "$logs_path" -type f -mtime +30 -delete					# Delete archived logs older than 30 days (-type f so the directory itself is never removed)

4.2 Use

  • chmod +x /opt/fenge.sh
  • Run the script once by hand and verify the result

/opt/fenge.sh
ls /var/log/nginx
ls /usr/local/nginx/logs/access.log

  • crontab -e
    • Add the scheduled task (daily at 01:00)
    • 0 1 * * * /opt/fenge.sh

5, Connection timeouts

5.1 Overview

  • HTTP has a keep-alive mode, which tells the web server to keep the TCP connection open after it has answered a request. If further requests arrive from the same client, the server reuses the open connection instead of establishing a new one
  • A keep-alive connection stays open for a period of time and occupies a worker connection slot and memory for all of it. Too many idle connections hurt performance, and generous timeouts make it cheap for a client to tie up connections (the slowloris pattern), so keep them as short as the application allows

5.2 Experiment

Edit the main configuration file

vim /usr/local/nginx/conf/nginx.conf
http {
...... 
    keepalive_timeout 65 180;
    client_header_timeout 80;
    client_body_timeout 80;
...... 
}

  • systemctl restart nginx

Terminology

  • keepalive_timeout

    • First parameter: how long an idle keep-alive connection is kept open on the server side before nginx closes it. This is idle time between requests, not the total lifetime of the connection
    • nginx's built-in default is 75 seconds; the sample nginx.conf shipped with it sets 65. Some browsers hold a connection for at most 60 seconds, so 60 is a reasonable value. 0 disables keep-alive connections
    • Second parameter (optional): the time value sent in the response header "Keep-Alive: timeout=time". This header lets some browsers close the connection themselves, so the server does not have to. Without this parameter nginx sends no Keep-Alive header. A value larger than the first parameter, as in the example above, promises the browser a longer life than the server actually grants, so in practice it should not exceed the first value
  • client_header_timeout

    • Timeout for the client to send a complete request header. If the client has not sent the whole header within this time, nginx answers HTTP 408 (Request Time-out). The default is 60s; raising it to 80 as above loosens the slowloris protection slightly
  • client_body_timeout

    • Timeout between two successive reads of the request body, not for the whole body. If the client sends nothing within this time, nginx answers HTTP 408 (Request Time-out). The default is 60s

6, Change the number of worker processes

  • View the number of CPU cores

    • nproc   (or: grep -c ^processor /proc/cpuinfo)
    • Note: grep -c "physical id" /proc/cpuinfo counts one line per logical CPU entry, so it reports logical processors, not physical packages
  • See how many worker processes the nginx master has spawned

    • ps aux | grep nginx
  • Edit the main configuration file

vim /usr/local/nginx/conf/nginx.conf

worker_processes  2;				# Set to the number of cores; "auto" lets nginx detect it
worker_cpu_affinity 01 10;			# Pin each worker to a different CPU (one bitmask per worker). For 4 workers: 0001 0010 0100 1000; "auto" is also accepted
  • systemctl restart nginx

7, Configure web page compression

  • Modify the main configuration file
    vim /usr/local/nginx/conf/nginx.conf
http {
...... 
   gzip on;							# Uncomment to turn on gzip compression
   gzip_min_length 1k;      		# Do not compress responses smaller than 1k
   gzip_buffers 4 16k;      		# Compression buffers: 4 buffers of 16k
   gzip_http_version 1.1;   		# Minimum HTTP version to compress for (default 1.1; use 1.0 if a squid 2.5 proxy sits in front)
   gzip_comp_level 6;       		# Compression level 1-9; 6 is a sensible CPU/size trade-off
   gzip_vary on;					# Add "Vary: Accept-Encoding" so caching proxies keep compressed and uncompressed copies apart
   
   gzip_types text/plain text/javascript application/x-javascript text/css text/xml application/xml application/xml+rss application/x-httpd-php application/javascript application/json;		
   # Compression types: which MIME types get compressed (text/html is always compressed). JPEG, PNG and GIF are already compressed, so listing image types only burns CPU and has been left out
...... 
}

If the site is later served over TLS, do not compress responses that mix attacker-influenced input with a secret such as a CSRF token: the compressed length leaks the secret one byte at a time (BREACH). Static assets are safe to compress.

  • cd /usr/local/nginx/html

    • Put an HTML page larger than gzip_min_length in the web directory (the images are still needed for the cache test, but they are not compressed)
  • systemctl restart nginx

In Linux, open Firefox, right-click and choose Inspect Element
Select Network, then filter by HTML, WS, Other
visit http://192.168.253.33 , double-click the 200 response and check that the response headers contain Content-Encoding: gzip
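The three header checks on this page (the Server banner from section 1, Cache-Control from section 3 and Content-Encoding here) can be scripted instead of read off the browser's network panel. The following is an added example, not code from the original post: a POSIX shell script that parses a header block captured with curl -sI http://192.168.253.33 (the lab address is assumed) and answers each question with an exit status or a value. The two sample header blocks at the bottom are constructed for a stand-alone run, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a captured HTTP header
# block for version disclosure, cache lifetime and gzip. Each function takes the
# raw header text as $1 so one capture, e.g. hdr=$(curl -sI http://192.168.253.33),
# can be checked several times.

# Print the value of header $2 (case-insensitive) found in header block $1.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { name = $1; sub(/:$/, "", name)
          if (tolower(name) == want) { sub(/^[^:]*:[ \t]*/, ""); print; exit } }'
}

# 0 when the Server header carries no dotted version number, 1 when it does.
# "nginx/1.12.2" and the patched "IIS1.1.1" of section 1.2 both count as
# disclosure; a bare "nginx" (server_tokens off) does not.
server_version_hidden() {
    s=$(header_value "$1" Server)
    case $s in
        *[0-9].[0-9]*) return 1 ;;
        *)             return 0 ;;
    esac
}

# Print the max-age seconds from Cache-Control, or 0 when there is none.
cache_max_age() {
    cc=$(header_value "$1" Cache-Control)
    age=$(printf '%s\n' "$cc" | tr ',' '\n' \
          | sed -n 's/^[ \t]*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${age:-0}"
}

# 0 when the body is gzip-encoded, 1 otherwise.
is_gzipped() {
    [ "$(header_value "$1" Content-Encoding)" = gzip ]
}

# Constructed sample responses (not real captures) for a stand-alone run.
LEAKY='HTTP/1.1 200 OK
Server: nginx/1.12.2
Content-Type: text/html'
HARDENED='HTTP/1.1 200 OK
Server: nginx
Cache-Control: max-age=86400
Content-Encoding: gzip
Content-Type: text/html'

server_version_hidden "$LEAKY"    || echo "leaky: version disclosed ($(header_value "$LEAKY" Server))"
server_version_hidden "$HARDENED" && echo "hardened: no version in Server header"
echo "hardened: max-age $(cache_max_age "$HARDENED")s"
is_gzipped "$HARDENED" && echo "hardened: gzip on"
```

Feed it a live capture with hdr=$(curl -sI http://192.168.253.33/111.jpg) and then call the functions on "$hdr"; the version check will fail again after the recompile of section 1.2, which is the point: renaming the product does not remove the dotted number from the banner.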

8, Set up hotlink protection

8.1 Configuration method

  • vim /usr/local/nginx/conf/nginx.conf
http {
......
	server {
	......
		location ~* \.(jpg|gif|swf)$ {
			valid_referers *.cc.com cc.com;
			if ( $invalid_referer ) {
				rewrite ^/ http://www.cc.com/111.png;		# 111.png does not match this location's regex, so the redirect cannot loop
				#return 403;
            }
        }
	......
	}
}

Explanation

  • ~* \.(jpg|gif|swf)$
    • Case-insensitive regular-expression location: it matches requests whose path ends in .jpg, .gif or .swf
  • valid_referers
    • Lists the trusted sites whose pages may embed the images
  • The domain names that follow
    • Are compared with the host part of the Referer header after its http:// or https:// prefix is dropped. *.cc.com matches any subdomain but not cc.com itself, which is why both are listed. Because none is not in the list, a request with no Referer at all (the image URL typed straight into the address bar) also counts as invalid; add none to the list to allow that
  • if statement
    • If the referring site is not in the valid_referers list, $invalid_referer is "1" and the rewrite (or return 403) is executed
  • Caveat: Referer is set by the client and is trivially forged (curl -e http://www.cc.com/ ...), so this stops other websites from casually embedding the images and consuming bandwidth; it is not access control

8.2 Source host setup

Web page preparation

  • cd /usr/local/nginx/html
    • Upload the page image (111.jpg) and the replacement image that hotlinkers will be redirected to (111.png)
  • vim index.html
<html>
<body>
<h1>
shut up
</h1>
<img src="111.jpg"/>
</body>
</html>

Name resolution

echo "192.168.253.33 www.cc.com" >> /etc/hosts

8.3 Hotlinking host setup

  • cd /usr/local/nginx/html
    • vim index.html
<html>
<body>
<h1>
Hello
</h1>
<img src="http://www.cc.com/111.jpg"/>
</body>
</html>

Name resolution

echo "192.168.253.33 www.cc.com" >> /etc/hosts
echo "192.168.253.11 www.cc01.com" >> /etc/hosts

8.4 Verification

Access the source host

http://www.cc.com
  • The page shows 111.jpg: the browser sends Referer: http://www.cc.com/, which is in the valid list

Access the hotlinking host

http://www.cc01.com
  • The browser sends Referer: http://www.cc01.com/, which is not in the list, so the image request is redirected to http://www.cc.com/111.png (or answered with 403 if the return line is used instead) and the page shows the replacement image
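The decision nginx makes in section 8.1 can be exercised without the second host. Below is an added example, not code from the original post or from nginx: a POSIX shell reimplementation of how valid_referers sets $invalid_referer, approximating ngx_http_referer_module (scheme stripped, host compared case-insensitively, "*.x" matches subdomains only, none and blocked handled; URI-prefix entries and ~regex entries are not implemented, and stripping a ":port" from the host is an assumption). The probe function at the end uses curl against the lab hosts and is not run here.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate a Referer value against a
# valid_referers list the way nginx does, to see which requests section 8.1
# accepts. Approximation of ngx_http_referer_module; see the lead-in.
# referer_allowed REFERER_VALUE VALID_REFERERS...   -> 0 allowed, 1 $invalid_referer

referer_allowed() {
    ref=$1; shift
    if [ -z "$ref" ]; then                      # no Referer header at all
        for v; do [ "$v" = none ] && return 0; done
        return 1
    fi
    case $ref in
        http://*)  rest=${ref#http://} ;;
        https://*) rest=${ref#https://} ;;
        *)  # present but not a URL (stripped by a proxy): only "blocked" accepts it
            for v; do [ "$v" = blocked ] && return 0; done
            return 1 ;;
    esac
    host=${rest%%/*}                            # keep the host part only
    host=${host%%:*}                            # drop ":port" (assumption, see lead-in)
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    for v; do
        case $v in
            none|blocked) ;;
            \*.*)  suf=${v#\*}; case $host in *"$suf") return 0 ;; esac ;;   # *.cc.com: subdomains only
            *.\*)  pre=${v%\*}; case $host in "$pre"*) return 0 ;; esac ;;   # www.cc.*
            *)     [ "$host" = "$v" ] && return 0 ;;                         # exact host
        esac
    done
    return 1
}

# Live probe (needs the lab hosts; not executed here). Prints the status nginx
# returns for a given Referer: 200 from the trusted site, 302 for the rewrite
# or 403 if "return 403" is used instead.
probe_hotlink() {
    if [ -n "$2" ]; then
        curl -s -o /dev/null -w '%{http_code}\n' -e "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}\n' "$1"
    fi
}
# probe_hotlink http://www.cc.com/111.jpg http://www.cc01.com/   # expect 302
# probe_hotlink http://www.cc.com/111.jpg http://www.cc.com/     # expect 200: a forged Referer passes

# Walk the list from section 8.1 with constructed Referer values.
for r in "" "http://www.cc.com/" "https://CC.COM/gallery/" "http://www.cc01.com/" \
         "http://cc.com.attacker.test/" "cc.com"; do
    if referer_allowed "$r" '*.cc.com' cc.com; then verdict=allowed; else verdict=invalid; fi
    printf '%-36s %s\n' "Referer: ${r:-<absent>}" "$verdict"
done
```

Two results are worth noticing: the empty Referer is rejected because none is missing from the list, and http://cc.com.attacker.test/ is rejected because the comparison is on the whole host, not a substring. The probe's second commented call shows the weakness: whoever controls the client controls the header.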

9, php-fpm parameter tuning

  • vim /usr/local/php/etc/php-fpm.conf
pid = run/php-fpm.pid		# Uncomment; relative to the php prefix, i.e. /usr/local/php/var/run/php-fpm.pid

  • vim /usr/local/php/etc/php-fpm.d/www.conf
# Line 96
pm = dynamic				# Process manager mode: the number of children varies between the limits below

# Line 107
pm.max_children = 20		# Maximum number of child processes; caps memory use and the number of concurrent PHP requests

# Line 112
pm.start_servers = 5		# Number of children started at launch in dynamic mode, between the min and max spare values

# Line 117
pm.min_spare_servers = 2	# Minimum number of idle children in dynamic mode

# Line 122
pm.max_spare_servers = 8	# Maximum number of idle children in dynamic mode
kill -USR2 `cat /usr/local/php/var/run/php-fpm.pid`			# Graceful reload of php-fpm (re-reads the configuration)
  • netstat -anpt | grep 9000
    • php-fpm should be listening on the default listen = 127.0.0.1:9000 only; FastCGI executes whatever script path it is handed, so port 9000 must never be reachable from other hosts


Added by acheoacheo on Mon, 31 Jan 2022 06:15:01 +0200