Nginx服务优化

Nginx服务优化

配置Nginx隐藏版本号

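(以下 iptables -F 与 setenforce 0 会清空防火墙规则并把 SELinux 切换为宽容模式,仅适用于隔离的实验环境;生产环境应保留防火墙与 SELinux,只放行所需端口。)
[root@localhost ~]# iptables -F
[root@localhost ~]# setenforce 0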
[root@localhost ~]# yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel 
[root@localhost ~]# cd /opt
nginx-1.12.2.tar.gz 
[root@localhost opt]# tar zxvf nginx-1.12.2.tar.gz 
[root@localhost opt]# cd nginx-1.12.2/
[root@localhost nginx-1.12.2]# useradd -M -s /sbin/nologin nginx
[root@localhost nginx-1.12.2]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
[root@localhost nginx-1.12.2]# make && make install
[root@localhost nginx-1.12.2]# ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/
[root@localhost nginx-1.12.2]# vim /etc/init.d/nginx
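#!/bin/bash
# chkconfig: - 99 20
# description: Nginx Server Control Script
#
# SysV init wrapper for the source-built nginx under /usr/local/nginx.
# Usage: /etc/init.d/nginx {start|stop|restart|reload}
PROG="/usr/local/nginx/sbin/nginx"
PIDF="/usr/local/nginx/logs/nginx.pid"

# Print the master PID stored in $PIDF. Fails when the file is missing or
# does not hold a plain number, so kill is never run with an empty or
# multi-word argument.
read_pid() {
  local pid=""
  [ -r "$PIDF" ] || return 1
  read -r pid < "$PIDF" || [ -n "$pid" ] || return 1
  case "$pid" in
    '' | *[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$pid"
}

case "$1" in
  start)
    "$PROG" || exit 1
    ;;
  stop)
    # QUIT asks the master process for a graceful shutdown.
    if pid=$(read_pid); then
      kill -s QUIT "$pid"
    else
      # Stopping a service that is not running is not treated as an error.
      echo "nginx is not running (no usable PID in $PIDF)" >&2
    fi
    ;;
  restart)
    # NOTE(review): stop returns as soon as the signal is sent, so start may
    # run while the old master is still shutting down.
    "$0" stop
    "$0" start || exit 1
    ;;
  reload)
    # HUP makes the master process re-read its configuration.
    if pid=$(read_pid); then
      kill -s HUP "$pid" || exit 1
    else
      echo "nginx is not running (no usable PID in $PIDF)" >&2
      exit 1
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
    ;;
esac
exit 0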
[root@localhost nginx-1.12.2]# chmod +x /etc/init.d/nginx 
[root@localhost nginx-1.12.2]# chkconfig --add nginx
[root@localhost nginx-1.12.2]# service nginx start
[root@localhost nginx-1.12.2]# netstat -ntap | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      19868/nginx: master 
[root@localhost nginx-1.12.2]# curl -I http://192.168.20.10
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Mon, 10 Aug 2020 07:13:30 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 10 Aug 2020 07:08:51 GMT
Connection: keep-alive
ETag: "5f30f283-264"
Accept-Ranges: bytes


[root@localhost nginx-1.12.2]# cd /usr/local/nginx/conf/
[root@localhost conf]# vim nginx.conf
 20     server_tokens off;

[root@localhost conf]# service nginx stop
[root@localhost conf]# service nginx start
[root@localhost conf]# curl -I http://192.168.20.10
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 10 Aug 2020 07:16:19 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 10 Aug 2020 07:08:51 GMT
Connection: keep-alive
ETag: "5f30f283-264"
Accept-Ranges: bytes

或者,在编译前修改源码中的版本号(两种方法都只是减少版本信息的泄露,不能代替及时升级Nginx):
[root@localhost ~]# iptables -F
[root@localhost ~]# setenforce 0
[root@localhost ~]# cd /opt 
[root@localhost opt]# yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel 
nginx-1.12.2.tar.gz
[root@localhost opt]# tar xzvf nginx-1.12.2.tar.gz 
[root@localhost opt]# cd nginx-1.12.2/
[root@localhost nginx-1.12.2]# useradd -M -s /sbin/nologin nginx
[root@localhost opt]# cd nginx-1.12.2/src/core/
[root@localhost core]# vim nginx.h
 13 #define NGINX_VERSION      "1.1.1"

[root@localhost nginx-1.12.2]# cd /opt/nginx-1.12.2/
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
[root@localhost nginx-1.12.2]# make && make install
[root@localhost core]# ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/
[root@localhost nginx-1.12.2]# nginx 
[root@localhost nginx-1.12.2]# curl -I http://192.168.20.20
HTTP/1.1 200 OK
Server: nginx/1.1.1
Date: Mon, 10 Aug 2020 07:28:08 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 10 Aug 2020 07:08:51 GMT
Connection: keep-alive
ETag: "5f30f283-264"
Accept-Ranges: bytes

修改Nginx用户与组

Nginx运行时进程需要有用户与组的支持,以实现对网站文件读取时进行访问控制

Nginx默认使用 nobody用户账号与组账号,一般也要进行修改

修改的方法

编译安装时指定用户与组

修改配置文件时指定用户与组
[root@localhost conf]# id nobody
uid=99(nobody) gid=99(nobody) 组=99(nobody)
[root@localhost conf]# vim nginx.conf
  2 user  nginx nginx;



[root@localhost conf]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost conf]# ps aux | grep nginx
root      19946  0.0  0.0  20540   604 ?        Ss   15:16   0:00 nginx: master process /usr/local/nginx/sbin/nginx
nginx     19947  0.0  0.0  23068  1636 ?        S    15:16   0:00 nginx: worker process
root      20135  0.0  0.0 112724   988 pts/4    S+   15:33   0:00 grep --color=auto nginx

NGINX缓存

[root@localhost conf]# vim /usr/local/nginx/conf/nginx.conf
 48         location ~\.(gif|jpg|jpeg|png|ico)$ {
    
    
 49             root   html;
 50             expires 1d;
 51         }

[root@localhost conf]# cd ..
[root@localhost nginx]# cd html/
02.jpg


[root@localhost html]# vim index.html 
 15 <img src="02.jpg"/>

[root@localhost html]# service nginx stop
[root@localhost html]# service nginx start


Nginx日志分割

随着 Nginx运行时间增加,日志也会增加。为了方便掌握 Nginx运行状态,需要时刻关注Nginx日志文件

太大的日志文件对监控是一个大灾难

定期进行日志文件的切割

Nginx自身不具备日志分割处理的功能,但可以通过Nginx信号控制功能的脚本实现日志的自动切割,并通过Linux的计划任务周期性地进行日志切割
[root@localhost html]# date
2020年 08月 10日 星期一 16:54:31 CST
[root@localhost html]# date -d "-1 day" "+%Y%m%d"
20200809
[root@localhost html]# date -d "0 day" "+%Y%m%d"
20200810
[root@localhost html]# date -d "1 day" "+%Y%m%d"
20200811
[root@localhost html]# vim /opt/fenge.sh
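#!/bin/bash
# Filename: fenge.sh
# Rotate the nginx access log: move the current log into $logs_path under
# yesterday's date, ask nginx to reopen its log files, then prune rotated
# logs older than 30 days. Meant to be run from cron shortly after midnight.
set -u

# Date stamp for the rotated file (yesterday, YYYYMMDD)
d=$(date -d "-1 day" "+%Y%m%d")
logs_path="/var/log/nginx"
pid_path="/usr/local/nginx/logs/nginx.pid"
access_log="/usr/local/nginx/logs/access.log"
status=0

# Create the archive directory if it does not exist yet
[ -d "$logs_path" ] || mkdir -p -- "$logs_path" || exit 1

# Rotate the log; stop here if there is nothing to move, so nginx is not
# signalled for no reason
mv -- "$access_log" "${logs_path}/test.com-access.log-$d" || exit 1

# Make nginx open a fresh access.log. USR1 only reopens the log files; HUP
# would also reload the configuration. The PID is validated first because
# this runs as root and an empty or malformed value must never reach kill.
pid=""
[ -r "$pid_path" ] && read -r pid < "$pid_path"
case "$pid" in
  '' | *[!0-9]*)
    echo "fenge.sh: no usable PID in $pid_path; nginx was not signalled" >&2
    status=1
    ;;
  *)
    kill -USR1 "$pid" || status=1
    ;;
esac

# Delete rotated logs older than 30 days. Matching only regular files with
# this script's own prefix keeps find from ever handing the directory itself,
# or unrelated files, to rm; -exec avoids the word splitting of "| xargs".
find "$logs_path" -type f -name 'test.com-access.log-*' -mtime +30 \
  -exec rm -f -- {} + || status=1

exit "$status"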
[root@localhost html]# cd /opt
[root@localhost opt]# ls
fenge.sh  nginx-1.12.2  nginx-1.12.2.tar.gz  rh
[root@localhost opt]# chmod +x fenge.sh 
[root@localhost opt]# ./fenge.sh 
[root@localhost opt]# ls /var/log/nginx/
test.com-access.log-20200809
[root@localhost opt]# crontab -e
0 1 * * * /opt/fenge.sh

配置Nginx实现连接超时

在企业网站中,为了避免同一个客户长时间占用连接,造成资源浪费,可设置相应的连接超时参数,实现控制连接访问时间
使用 Fiddler工具查看 connection参数
超时参数讲解
    keepalive_timeout
        设置连接保持超时时间,一般可只设置该参数,默认为75秒,可根据网站的情况设置,或者关闭,可在http段、 server段、或者 location段设置
    client_header_timeout
        指定等待客户端发送请求头的超时时间
    client_body_timeout
        设置请求体读超时时间
    (client_header_timeout 与 client_body_timeout 的默认值均为60秒;数值越大,慢速发送请求的客户端占用连接的时间越长,下面示例中的 80 仅作演示。)
[root@localhost opt]# vim /usr/local/nginx/conf/nginx.conf
 32     keepalive_timeout  100;
 33     client_header_timeout 80;
 34     client_body_timeout 80;

更改Nginx运行进程数

在高并发场景,需要启动更多的 Nginx进程以保证快速响应,以处理用户的请求,避免造成阻塞

可以使用 ps aux 命令查看Nginx运行进程的个数

更改进程数的配置方法

修改配置文件,修改进程配置参数

修改配置文件的 worker_processes 参数

一般设为CPU的个数或者核数

在高并发情况下可设置为CPU个数或者核数的2倍

运行进程数多一些,响应访问请求时, Nginx就不会临时启动新的进程提供服务,减少了系统的开销,提升了服务速度

使用 ps aux查看运行进程数的变化情况
[root@localhost opt]# cat /proc/meminfo 
[root@localhost opt]# cat /proc/cpuinfo 
[root@localhost opt]# cat /proc/cpuinfo | grep -c "physical"
8
[root@localhost opt]# ps aux | grep nginx
root      75783  0.0  0.0  20676  1444 ?        Ss   15:58   0:00 nginx: master process /usr/local/nginx/sbin/nginx
nginx     76426  0.0  0.0  22988  1404 ?        S    17:04   0:00 nginx: worker process
root      76534  0.0  0.0 112724   984 pts/4    S+   17:11   0:00 grep --color=auto nginx
  
[root@localhost opt]# vim /usr/local/nginx/conf/nginx.conf
3 worker_processes  4;

[root@localhost opt]# service nginx stop
[root@localhost opt]# service nginx start
[root@localhost opt]# ps aux | grep nginx
root      76612  0.0  0.0  20544   612 ?        Ss   17:14   0:00 nginx: master process /usr/local/nginx/sbin/nginx
nginx     76613  0.0  0.0  23072  1388 ?        S    17:14   0:00 nginx: worker process
nginx     76614  0.0  0.0  23072  1388 ?        S    17:14   0:00 nginx: worker process
nginx     76615  0.0  0.0  23072  1388 ?        S    17:14   0:00 nginx: worker process
nginx     76616  0.0  0.0  23072  1388 ?        S    17:14   0:00 nginx: worker process
root      76618  0.0  0.0 112724   984 pts/4    S+   17:14   0:00 grep --color=auto nginx




Nginx网页压缩功能

Nginx的ngx_http_gzip_module压缩模块提供对文件内容压缩的功能
允许Nginx服务器将输出内容在发送客户端之前进行压缩,以节约网站带宽,提升用户的访问体验,默认已经安装
可在配置文件中加入相应的压缩功能参数对压缩性能进行优化

压缩功能参数

gzip on:开启gzip压缩输出
gzip_min_length 1k:用于设置允许压缩的页面最小字节数
gzip_buffers 4 16k:表示申请4个单位为16k的内存作为压缩结果流缓存,默认值是申请与原始数据大小相同的内存空间来存储gzip压缩结果(buffers:缓存区)
gzip_http_version 1.0:用于设置识别http协议版本,默认是1.1,目前大部分浏览器已经支持gzip解压,但处理最慢,也比较消耗服务器CPU资源
gzip_comp_level 2:用来指定gzip压缩比,1压缩比最小,处理速度最快;9压缩比最大,传输速度快,但处理速度最慢,使用默认即可
gzip_types text/plain:压缩类型,即对哪些网页文档启用压缩功能
gzip_vary on:选项可以让前端的缓存服务器缓存经过gzip压缩的页面
将以上的压缩功能参数加入到主配置文件的http配置段中
重启服务,并用 Fiddler工具查看开启结果
[root@localhost opt]# vim /usr/local/nginx/conf/nginx.conf

 36     gzip  on;
 37     gzip_min_length 1k;
 38     gzip_buffers 4 16k;
 39     gzip_http_version 1.1;
 40     gzip_comp_level 6;
 41     gzip_types text/plain application/x-javascript text/css image/jpg image/jpeg image/png image/gif application/xml text/javascript application/x-httpd-php application/javascript application/json
    ;
 42     gzip_disable "MSIE[1-6]\.";
 43     gzip_vary on;
[root@localhost opt]# service nginx stop
[root@localhost opt]# service nginx start


NGINX防盗链

[root@localhost ~]# iptables -F
[root@localhost ~]# setenforce 0
[root@localhost ~]# yum -y install gcc gcc-c++ pcre pcre-devel zlib-devel 
[root@localhost ~]# cd /opt
nginx-1.12.2.tar.gz 
[root@localhost opt]# tar zxvf nginx-1.12.2.tar.gz 
[root@localhost opt]# cd nginx-1.12.2/
[root@localhost nginx-1.12.2]# useradd -M -s /sbin/nologin nginx
[root@localhost nginx-1.12.2]# ./configure \
> --prefix=/usr/local/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_stub_status_module
[root@localhost nginx-1.12.2]# make && make install
[root@localhost nginx-1.12.2]# ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/
[root@localhost nginx-1.12.2]# vim /etc/init.d/nginx
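#!/bin/bash
# chkconfig: - 99 20
# description: Nginx Server Control Script
#
# SysV init wrapper for the source-built nginx under /usr/local/nginx.
# Usage: /etc/init.d/nginx {start|stop|restart|reload}
PROG="/usr/local/nginx/sbin/nginx"
PIDF="/usr/local/nginx/logs/nginx.pid"

# Print the master PID stored in $PIDF. Fails when the file is missing or
# does not hold a plain number, so kill is never run with an empty or
# multi-word argument.
read_pid() {
  local pid=""
  [ -r "$PIDF" ] || return 1
  read -r pid < "$PIDF" || [ -n "$pid" ] || return 1
  case "$pid" in
    '' | *[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$pid"
}

case "$1" in
  start)
    "$PROG" || exit 1
    ;;
  stop)
    # QUIT asks the master process for a graceful shutdown.
    if pid=$(read_pid); then
      kill -s QUIT "$pid"
    else
      # Stopping a service that is not running is not treated as an error.
      echo "nginx is not running (no usable PID in $PIDF)" >&2
    fi
    ;;
  restart)
    # NOTE(review): stop returns as soon as the signal is sent, so start may
    # run while the old master is still shutting down.
    "$0" stop
    "$0" start || exit 1
    ;;
  reload)
    # HUP makes the master process re-read its configuration.
    if pid=$(read_pid); then
      kill -s HUP "$pid" || exit 1
    else
      echo "nginx is not running (no usable PID in $PIDF)" >&2
      exit 1
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
    ;;
esac
exit 0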
[root@localhost nginx-1.12.2]# chmod +x /etc/init.d/nginx 
[root@localhost nginx-1.12.2]# chkconfig --add nginx
[root@localhost nginx-1.12.2]# service nginx start
[root@localhost nginx-1.12.2]# cd /usr/local/nginx/html/
[root@localhost html]# ls
00.jpg  50x.html  index.html
[root@localhost html]# vim index.html 
 15 <img src="00.jpg"/>

[root@localhost html]# service nginx stop
[root@localhost html]# service nginx start


[root@localhost html]# yum -y install bind
 13         listen-on port 53 {
    
     any; };
 21         allow-query     {
    
     any; };

[root@localhost html]# vim /etc/named.rfc1912.zones 
 25 zone "hui.com" IN {
    
    
 26         type master;
 27         file "hui.com.zone";
 28         allow-update {
    
     none; };
 29 };

[root@localhost html]# cd /var/named/
[root@localhost named]# cp -p named.localhost hui.com.zone
[root@localhost named]# vim hui.com.zone 
 10 www IN  A       192.168.20.10

[root@localhost named]# systemctl start named


盗链网站

[root@localhost ~]# hostnamectl set-hostname daolian
[root@localhost ~]# su
[root@daolian ~]# yum -y install httpd
[root@daolian ~]# vim /etc/httpd/conf/httpd.conf 
 41 Listen 192.168.20.10:80
 42 #Listen 80

 95 ServerName www.fang.com:80

[root@daolian ~]# cd /var/www/html/
[root@daolian html]# vim index.html
<h1>this is fang</h1>
<img src="http://www.hui.com/00.jpg"/>

[root@daolian html]# echo "nameserver 192.168.20.10" > /etc/resolv.conf
[root@daolian html]# systemctl start httpd.service 
[root@daolian html]# systemctl stop firewalld.service 
[root@daolian html]# setenforce 0
[root@daolian html]# iptables -F

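防盗链配置

(valid_referers 依据客户端发送的 Referer 请求头进行判断,该请求头可以被伪造,并且 none、blocked 会放行不带 Referer 的请求,因此防盗链只能阻止普通页面的引用,不能当作访问控制手段。)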

[root@localhost named]# vim /usr/local/nginx/conf/nginx.conf
 47         location ~*\.(jpg|gif|swf)$ {
    
    
 48             valid_referers none blocked *.hui.com hui.com;
 49             if ( $invalid_referer) {
    
    
 50                rewrite ^/ http://www.hui.com/03.png;
 51             }
 52         }

[root@localhost named]# cd /usr/local/nginx/html/
[root@localhost html]# ls
00.jpg  03.png  50x.html  index.html
[root@localhost named]# service nginx stop
[root@localhost named]# service nginx start



转载自blog.csdn.net/weixin_46355881/article/details/107964754