Various optimizations and hotlink protection needed when using Nginx

Preface

In an enterprise information application environment, the security and response speed of the server depend on tuning the relevant parameters to the actual situation so that users get the best experience. A default Nginx installation only provides the most basic service; parameters such as the web page cache time, connection timeout and web page compression still need to be adjusted for the server to perform at its best.

1, Hide the version number

1.1 Steps for hiding the version number

You can use Fiddler to capture packets and view the Nginx version, or on CentOS run curl -I http://192.168.237.123 to display the header of the response message.

curl -I http://192.168.237.123

Method 1: modify the configuration file

vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;								#Add this line to hide the version number
    ......
}
systemctl restart nginx
curl -I http://192.168.237.10

Method 2: modify the source file and recompile

vim /opt/nginx-1.12.0/src/core/nginx.h
#define NGINX_VERSION "1.1.1"					/* modified version number */
#define NGINX_VER "IIS" NGINX_VERSION			/* modified server type */

cd /opt/nginx-1.12.0/
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
make && make install

vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;								#The modified server string is only sent while server_tokens is on
    ......
}
systemctl restart nginx
curl -I http://192.168.237.123

1.2 Modifying the user and group

Edit the main configuration file:

vim /usr/local/nginx/conf/nginx.conf
user nginx nginx; 								#Uncomment and set the user to nginx and the group to nginx
systemctl restart nginx

ps aux | grep nginx

The master process is created by root and the worker processes are created by nginx.

2, Cache time

2.1 Steps for configuring the cache time

vim /usr/local/nginx/conf/nginx.conf
http {
......
	server {
	...... 
		location / {
			root html;
			index index.html index.htm;
		}
		
		location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ { 		#Add a new location that makes pictures the cache objects
			root html;
			expires 1d;									#Specify the cache time, 1 day
		}
......
	}
}
systemctl restart nginx

On a Linux system, open Firefox, right-click and choose Inspect Element,
select Network, then select HTML, WS, Other.
Visit http://192.168.237.10 and double-click the 200 response message; the response header contains Cache-Control: max-age=86400, meaning the cache time is 86400 seconds, i.e. one day. Within that day the browser serves this page from its cache without sending a new request to the Nginx server, which reduces the bandwidth used by the server.

3, Log cutting (rotation)

3.1 Steps for log cutting

vim /opt/fenge.sh
#!/bin/bash
# Filename: fenge.sh
d=$(date -d "-1 day" "+%Y%m%d")												#Date of the previous day
logs_path="/var/log/nginx"
pid_path="/usr/local/nginx/logs/nginx.pid"
[ -d "$logs_path" ] || mkdir -p "$logs_path"									#Create the log directory
mv /usr/local/nginx/logs/access.log "${logs_path}/kgc.com-access.log-$d"		#Move and rename the log file
kill -USR1 "$(cat "$pid_path")"												#Tell Nginx to reopen a new log file
find "$logs_path" -type f -mtime +30 -exec rm -f {} \;						#Delete log files older than 30 days (-type f keeps the directory itself safe)
#find "$logs_path" -type f -mtime +30 | xargs rm -f

chmod +x /opt/fenge.sh
/opt/fenge.sh
ls /var/log/nginx
ls /usr/local/nginx/logs/access.log

crontab -e
0 1 * * * /opt/fenge.sh

A little background knowledge
In the Linux operating system every file carries several time attributes, three of which matter most: ctime, atime and mtime.
ctime (status change time): this time is updated when the file's permissions or attributes are modified. ctime is not "create time" but rather "change time". This time is updated only when the file attributes or permissions are updated, but not when the content is changed.
atime (access time): this time is updated when the file is used.
mtime (modification time): this time is updated when the file's content data is modified, while the permissions or attributes are not changed. That is the difference between mtime and ctime.
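As an added illustration (not part of the original post), the following Python script, assuming Linux, performs a chmod and then a content write on a constructed temporary file and reports which of the three timestamps each step changed; it also emulates the -mtime +30 test used by the rotation script above, whose whole-day rounding means a file must be at least 31 full days old before it is selected.

```python
import os
import stat
import tempfile
import time

# Constructed demonstration on a temporary file; assumes Linux/POSIX timestamp semantics.

def _snapshot(path):
    st = os.stat(path)
    return {"atime": st.st_atime_ns, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}

def _changed(before, after):
    return {k: before[k] != after[k] for k in before}

def timestamp_changes(pause=1.05):
    """chmod the file, then append to it; report which of atime/mtime/ctime each step changed.
    The pause keeps the steps apart on filesystems with 1-second timestamp granularity."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "access.log")
        with open(path, "w") as f:
            f.write("192.168.237.124 - - constructed sample line\n")
        base = _snapshot(path)
        time.sleep(pause)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # attribute change only
        after_chmod = _snapshot(path)
        time.sleep(pause)
        with open(path, "a") as f:                     # content change
            f.write("another constructed line\n")
        after_write = _snapshot(path)
    return {"chmod": _changed(base, after_chmod), "write": _changed(after_chmod, after_write)}

def older_than_days(path, days, now=None):
    """Emulate find's -mtime +N: age in whole days (fraction dropped) must exceed N,
    so -mtime +30 only selects files whose content is at least 31 full days old."""
    now = time.time() if now is None else now
    return int((now - os.stat(path).st_mtime) // 86400) > days

def mtime_demo():
    """older_than_days(..., 30) for files aged 40 days, 30.5 days and 0 days."""
    with tempfile.TemporaryDirectory() as d:
        results = []
        for age in (40 * 86400, 30.5 * 86400, 0):
            p = os.path.join(d, "log-%d" % age)
            open(p, "w").close()
            now = time.time()
            os.utime(p, (now - age, now - age))        # push atime and mtime into the past
            results.append(older_than_days(p, 30, now=now))
    return tuple(results)
```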

4, Connection timeout and changing the number of processes

4.1 Steps for the connection timeout

vim /usr/local/nginx/conf/nginx.conf
http {
...... 
    keepalive_timeout 65 180;
    client_header_timeout 80;
    client_body_timeout 80;
...... 
}
systemctl restart nginx

4.2 Steps for changing the number of processes

cat /proc/cpuinfo | grep -c "physical id"	#View cpu cores
ps aux | grep nginx							#See how many child processes are included in the nginx main process

vim /usr/local/nginx/conf/nginx.conf
worker_processes  2;				#Set to the number of cores, or twice that number
worker_cpu_affinity 01 10;			#Bind each worker to a different CPU; with 4 processes use 0001 0010 0100 1000
systemctl restart nginx

5, Configure web page compression

5.1 Steps for configuring web page compression

vim /usr/local/nginx/conf/nginx.conf
http {
...... 
   gzip on;							#Uncomment to enable gzip compression
   gzip_min_length 1k;      		#Minimum response size that will be compressed
   gzip_buffers 4 16k;      		#Compression buffers: 4 buffers of 16k each
   gzip_http_version 1.1;   		#Minimum HTTP version to compress for (default 1.1; use 1.0 if a Squid 2.5 cache sits in front)
   gzip_comp_level 6;       		#Compression level (1-9; higher compresses more but costs more CPU)
   gzip_vary on;					#Add Vary: Accept-Encoding so front-end caches can store compressed pages
   gzip_types text/plain text/javascript application/x-javascript text/css text/xml application/xml application/xml+rss image/jpg image/jpeg image/png image/gif application/x-httpd-php application/javascript application/json;		#Compression types: which kinds of web document get compressed
...... 
}
cd /usr/local/nginx/html
First transfer 1.jpg into the /usr/local/nginx/html directory
vim index.html
......
<img src="1.jpg"/>				<!-- Insert the picture into the web page -->
</body>
</html>
systemctl restart nginx

Test:
On a Linux system, open Firefox, right-click and choose Inspect Element,
select Network, then select HTML, WS, Other.
Visit http://192.168.237.10 and double-click the 200 response message; the response header contains Content-Encoding: gzip.

6, Configure hotlink protection

6.1 Configure hotlink protection

vim /usr/local/nginx/conf/nginx.conf
http {
......
	server {
	......
		location ~* \.(jpg|gif|swf)$ {
			valid_referers *.jmqs.com jmqs.com;
			if ( $invalid_referer ) {
				rewrite ^/ http://www.jmqs.com/3.png;
				#return 403;								#Alternatively return 403 directly instead of redirecting
			}
		}
	......
	}
}

~* \.(jpg|gif|swf)$: this regular expression matches, case-insensitively, files ending in .jpg, .gif or .swf;
valid_referers: sets the trusted sites that are allowed to use the pictures normally;
the URLs or domain names that follow: a Referer containing the given string is considered valid;
if statement: if the source domain of the link is not in the list given by valid_referers, $invalid_referer is 1 and the following action is performed, i.e. rewrite or return 403.
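To make those matching rules concrete, here is an added Python emulation of the $invalid_referer decision for the list configured above (written for this page, not nginx's own code; the handling of a port in the Referer is an assumption). It also shows a point worth checking when testing: with only *.jmqs.com and jmqs.com listed, a request carrying no Referer header at all is treated as invalid unless the keyword none is added to valid_referers.

```python
from urllib.parse import urlsplit

# Constructed emulation of nginx's valid_referers / $invalid_referer logic.
VALID_REFERERS = ["*.jmqs.com", "jmqs.com"]     # exactly what the page configures


def _entry_matches(entry, host, uri):
    """One valid_referers entry: optional leading '*.' or trailing '.*', optional path."""
    pat_host, _, pat_path = entry.lower().partition("/")
    if pat_host.startswith("*."):
        host_ok = host.endswith(pat_host[1:])          # *.jmqs.com -> any subdomain, not jmqs.com itself
    elif pat_host.endswith(".*"):
        host_ok = host.startswith(pat_host[:-1])       # www.jmqs.* -> any top-level domain
    else:
        host_ok = host == pat_host
    return host_ok and uri.startswith("/" + pat_path)  # entry path (if any) is a prefix of the referer path


def invalid_referer(referer, valid_referers=VALID_REFERERS, server_names=()):
    """Return True when nginx would set $invalid_referer to 1 (the request is blocked)."""
    if referer is None:                                 # no Referer header at all
        return "none" not in valid_referers
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" not in valid_referers          # header stripped or mangled by a proxy
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()               # assumption: port is ignored
    uri = parts.path or "/"
    for entry in valid_referers:
        if entry in ("none", "blocked"):
            continue
        patterns = server_names if entry == "server_names" else (entry,)
        if any(_entry_matches(p, host, uri) for p in patterns):
            return False
    return True


def decide(referer):
    """Mirror the location block: redirect hotlinkers, serve everyone else."""
    return "rewrite -> http://www.jmqs.com/3.png" if invalid_referer(referer) else "serve image"
```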

Web page preparation:
Web source host (192.168.237.123) configuration:

cd /usr/local/nginx/html

Transfer game.jpg and error.png into the /usr/local/nginx/html directory

vim index.html
...... 
<img src="1.jpg"/>
</body>
</html>
echo "192.168.237.123 www.jmqs.com" >> /etc/hosts 

Hotlinking website host (192.168.237.124):

cd /var/www/html
vim index.html
...... 
<img src="http://www.jmqs.com/1.jpg"/>
</body>
</html>
echo "192.168.237.123 www.jmqs.com" >> /etc/hosts 
echo "192.168.237.124 www.bsym.com" >> /etc/hosts 

Verify in a browser on the hotlinking host:
http://www.bsym.com

7, php-fpm parameter optimization

7.1 Steps for php-fpm parameter optimization (theory)

vim /usr/local/php/etc/php-fpm.conf 
pid = run/php-fpm.pid
vim /usr/local/php/etc/php-fpm.d/www.conf
--line 96--
pm = dynamic				#php-fpm process start-up mode: dynamic
--line 107--
pm.max_children = 20		#Maximum number of child processes php-fpm will start
--line 112--
pm.start_servers = 5		#Number of processes started initially in dynamic mode, between the minimum and the maximum
--line 117--
pm.min_spare_servers = 2	#Minimum number of idle processes in dynamic mode
--line 122--
pm.max_spare_servers = 8	#Maximum number of idle processes in dynamic mode
kill -USR2 `cat /usr/local/php/var/run/php-fpm.pid`			#Gracefully restart php-fpm
netstat -anpt | grep 9000

Summary

Nginx optimization:
Hotlink protection
Hidden version -> ① configuration file ② source code -> needs recompiling and reinstalling
Modify user and group
Cache time
Log rotation
Web page compression -> gzip -> manage the compression level, the minimum size of compressed objects, the number and size of compression buffers, and whether the front-end cache stores compressed pages -> permission adjustment of temporary cache files/directories
Connection timeout
php-fpm

Keywords: Linux Operation & Maintenance Nginx

Added by jacinthe on Mon, 11 Oct 2021 22:19:23 +0300