Enterprise Nginx Web Service Optimization

Table of Contents

Nginx basic security optimization
Nginx service performance optimization
Nginx log related optimization
Nginx picture and directory anti-hotlinking solution
CDN introduction

Nginx basic security optimization

1. Adjust parameters to hide the Nginx version information or software name

Tools such as the Linux curl command reveal which web server software and version a website runs, and that information gives attackers a starting point. Hiding the server type and version number is therefore worthwhile. Two ways to hide them are introduced below.

(1) Adjust parameters to hide the Nginx version number
The relevant directive is server_tokens in the configuration file.

######Before changing the parameter, use curl to view the information of the locally built server
[root@www yum.repos.d]# curl -I 192.168.10.10
HTTP/1.1 200 OK
Server: nginx/1.16.1      ###The software in use is Nginx, version 1.16.1
Date: Sun, 17 Nov 2019 03:13:11 GMT
Content-Type: text/html
Content-Length: 14
Last-Modified: Sun, 17 Nov 2019 03:12:02 GMT
Connection: keep-alive
ETag: "5dd0ba82-e"
Accept-Ranges: bytes


###Related parameter
The parameter involved is server_tokens. It does not appear in the shipped configuration file, but its default state is on. Setting it to off by hand stops the version information from being shown. server_tokens can be placed in the http block, the server block, or the location block.

###Here we put it in the http block
http {
  ...
  server_tokens off;    ###Add this one line to the existing configuration file; the other settings are omitted here
  ...
}


###After the change, restart the Nginx service
[root@www yum.repos.d]# kill -HUP 22814     #Graceful restart via signal

###Check again
[root@www yum.repos.d]# curl -I 192.168.10.10
HTTP/1.1 200 OK
Server: nginx                     ###The version number is now hidden
Date: Sun, 17 Nov 2019 03:29:19 GMT
Content-Type: text/html
Content-Length: 14
Last-Modified: Sun, 17 Nov 2019 03:12:02 GMT
Connection: keep-alive
ETag: "5dd0ba82-e"
Accept-Ranges: bytes

(2) Change the source code to hide the Nginx software name and version number
Hiding the software name requires modifying the nginx source code. Three source files are changed in turn, and nginx is then rebuilt.

[root@localhost /]# curl  -I 192.168.10.10
HTTP/1.1 200 OK
Server: nginx/1.17.5
Date: Mon, 18 Nov 2019 05:38:33 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 18 Nov 2019 05:31:23 GMT
Connection: keep-alive
ETag: "5dd22cab-264"
Accept-Ranges: bytes


First file: nginx-1.17.5/src/core/nginx.h
Before:
#ifndef _NGINX_H_INCLUDED_
#define _NGINX_H_INCLUDED_


#define nginx_version      1017005
#define NGINX_VERSION      "1.17.5"     // this line carries the version number
#define NGINX_VER          "nginx/" NGINX_VERSION    // this line: change nginx to fuxiangyu

#ifdef NGX_BUILD
#define NGINX_VER_BUILD    NGINX_VER " (" NGX_BUILD ")"
#else
#define NGINX_VER_BUILD    NGINX_VER
#endif

#define NGINX_VAR          "NGINX"        // this line: change NGINX to fuxiangyu
#define NGX_OLDPID_EXT     ".oldbin"


After:
#ifndef _NGINX_H_INCLUDED_
#define _NGINX_H_INCLUDED_


#define nginx_version      1017005
#define NGINX_VERSION      "1.17.5"
#define NGINX_VER          "fuxiangyu/" NGINX_VERSION

#ifdef NGX_BUILD
#define NGINX_VER_BUILD    NGINX_VER " (" NGX_BUILD ")"
#else
#define NGINX_VER_BUILD    NGINX_VER
#endif

#define NGINX_VAR          "fuxiangyu"
#define NGX_OLDPID_EXT     ".oldbin"


Second file: line 49 of nginx-1.17.5/src/http/ngx_http_header_filter_module.c
Before:
static u_char ngx_http_server_string[] = "Server: nginx" CRLF; // change the nginx inside the quotes
After:
static u_char ngx_http_server_string[] = "Server: fuxiangyu" CRLF;


Third file: nginx-1.17.5/src/
Before:
// the lines to modify are between line 20 and line 30
"<hr><center>" NGINX_VER "</center>" CRLF   // modify this line
"</body>" CRLF
"</html>" CRLF
;


static u_char ngx_http_error_build_tail[] =
"<hr><center>" NGINX_VER_BUILD "</center>" CRLF  // modify this line

After:
"<hr><center>" NGINX_VER "(http://192.168.10.10)</center>" CRLF // defines the content shown to the outside
"</body>" CRLF
"</html>" CRLF
;


static u_char ngx_http_error_build_tail[] =
"<hr><center>fuxiangyu</center>" CRLF  // this line changes the Nginx name shown to the outside to fuxiangyu



After all three files are modified, recompile and install nginx.
Now check the result:
[root@localhost /]# curl -I 192.168.10.10
HTTP/1.1 200 OK
Server: fuxiangyu/1.17.5     ###The name is now fuxiangyu instead of nginx
Date: Mon, 18 Nov 2019 06:01:29 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 18 Nov 2019 05:31:23 GMT
Connection: keep-alive
ETag: "5dd22cab-264"
Accept-Ranges: bytes

Optimize Nginx server performance based on parameters

1. Optimize the number of Nginx worker processes
In high-concurrency, high-traffic web service scenarios, enough Nginx worker processes need to be started in advance to guarantee fast responses and handle the large number of concurrent user requests.

Tuning principle: when setting up the server, the initial number of worker processes can be equal to the number of CPU cores, and it is better to err on the high side, so that when the service first goes live there is no need to start new processes on the fly because traffic rises suddenly. Under high traffic and high concurrency the number of processes can be raised to the number of CPU cores * 2. The actual value should be chosen according to the real workload, because besides matching the number of CPU cores, this parameter also depends on the data stored on disk and the load on the system. Setting it to the number of CPU cores is a good starting configuration.

Related configuration parameter

worker_processes <value>  ###This parameter is generally placed in nginx's global (main) context
Placement: nginx's global context

The default in the configuration file is auto, which generally means one worker process per CPU core.

How to view the number of CPU cores

Method 1:
[root@www nginx-1.16.1]# grep processor /proc/cpuinfo|wc -l
2

Method 2:
Run top, then press 1 to see the per-core CPU information


2. Bind different Nginx processes to different CPUs
By default, multiple Nginx worker processes may all run on one CPU or one core, so the hardware resources used by the Nginx processes are uneven. This section shows how to assign different processes to different CPUs so that the hardware of a multi-core, multi-CPU machine is used fully and effectively.
Related configuration parameters

worker_processes <value>
worker_cpu_affinity <cpu mask> <cpu mask>
Placement: nginx's global context

The configuration is as follows

#Configuration for a four-core CPU
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
The first process is bound to core 0, the second process to core 1,
the third process to core 2, and the fourth process to core 3

worker_processes 2;
worker_cpu_affinity 0101 1010;
The first process is bound to cores 0 and 2, the second process to cores 1 and 3

Stress testing shows that CPU usage is fairly even after binding in this way
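As an added example (not from the original post), the following Python script generalises the two affinity configurations above: it generates worker_cpu_affinity masks for any number of workers and cores, parses a mask back into core numbers, and audits a hand-written line for idle or double-booked cores. The mask layout follows nginx's convention that the rightmost bit is core 0.

```python
# Added example: generate and audit nginx worker_cpu_affinity masks.
# Worker w gets every core c with c % workers == w, which reproduces the
# article's 4-on-4 (0001 0010 0100 1000) and 2-on-4 (0101 1010) layouts.
# nginx reads masks right to left: the rightmost bit is core 0.


def affinity_masks(workers: int, cores: int) -> list:
    """Return one bitmask string per worker, spreading cores evenly."""
    if workers < 1 or cores < 1:
        raise ValueError("workers and cores must be positive")
    masks = []
    for w in range(workers):
        if workers <= cores:
            pinned = [c for c in range(cores) if c % workers == w]
        else:
            # More workers than cores: one core per worker, round robin.
            pinned = [w % cores]
        bits = ["0"] * cores
        for c in pinned:
            bits[cores - 1 - c] = "1"  # rightmost position is core 0
        masks.append("".join(bits))
    return masks


def parse_mask(mask: str) -> list:
    """Core numbers selected by a mask, e.g. "0101" -> [0, 2]."""
    if not mask or set(mask) - {"0", "1"}:
        raise ValueError(f"invalid mask {mask!r}")
    return [i for i, bit in enumerate(reversed(mask)) if bit == "1"]


def check_affinity(masks: list) -> dict:
    """Audit a worker_cpu_affinity line: cores no worker uses ('idle')
    and cores several workers share ('shared')."""
    widths = {len(m) for m in masks}
    if len(widths) != 1:
        raise ValueError("all masks must have the same width")
    usage = [0] * widths.pop()
    for m in masks:
        for c in parse_mask(m):
            usage[c] += 1
    return {"idle": [c for c, n in enumerate(usage) if n == 0],
            "shared": [c for c, n in enumerate(usage) if n > 1]}


def render_config(workers: int, cores: int) -> str:
    """The two directives for the main (global) context of nginx.conf."""
    masks = affinity_masks(workers, cores)
    return f"worker_processes {workers};\nworker_cpu_affinity {' '.join(masks)};"


if __name__ == "__main__":
    print(render_config(4, 4))
    print(render_config(2, 4))
    # A hand-written line that leaves core 3 idle and double-books core 0.
    print(check_affinity(["0001", "0011", "0100"]))
```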

3. Optimize the Nginx event processing model
Nginx's connection processing mechanism adopts different I/O models on different operating systems. Under Linux, Nginx uses the epoll I/O multiplexing model, under FreeBSD the kqueue I/O multiplexing model, under Solaris the /dev/poll I/O multiplexing model, and under Windows iocp.

The Nginx event processing model is configured in the events block

events {
  ...
  use [kqueue|epoll|/dev/poll|iocp];
  ...
}
Placement: events block

4. Adjust the maximum number of client connections allowed per Nginx worker process
The value of worker_connections should be set according to the server's performance and the memory usage of the program (the memory used when a process starts is determined by the program).
This parameter is configured in the events block

events {
  ...
  worker_connections 20480;
  ...
}
Placement: events block

5. Configure the maximum number of open files for Nginx worker processes

worker_rlimit_nofile 65535;
Placement: global context


6. Turn on efficient file transfer mode

The sendfile parameter enables the efficient file transfer mode. Setting the two directives tcp_nopush and tcp_nodelay to on at the same time helps prevent network and disk I/O blocking and improves Nginx efficiency

sendfile on|off
Placement: http block, server block, location block

Parameter role: activates or deactivates the sendfile() function. sendfile() copies data between two file descriptors entirely inside the kernel, which is called "zero copy". sendfile() is much more efficient than the read and write functions, because those copy the data up to the application layer before operating on it

7. Nginx connection optimization: adjusting connection timeouts
1. What is a connection timeout
Simply put, if a connection has had no substantial data exchange for a period of time, it can be considered of little use while still occupying system resources; once a time threshold is exceeded, the connection is actively closed.
Connection timeouts are a kind of self-management and self-protection mechanism
2. The role of connection timeouts
· Timing out useless connections as early as possible protects the server's system resources (CPU, memory, disk)
· When there are many connections, promptly dropping established connections that have done nothing for a long time reduces the resources they occupy, because maintaining a connection also costs the server resources
· To mitigate DoS attacks, where attackers open many useless connections to try to exhaust the server
· In an LNMP environment, if the user requests dynamic content, Nginx establishes a connection and requests the FastCGI service and the back-end MySQL service. This Nginx connection must have a timeout: either return data within the time the user tolerates, or wait a while for the back-end server to return data. The specific strategy depends on the business. Of course, the FastCGI and MySQL services also have their own connection timeout controls

3. Setting the timeout parameters
(1) keepalive_timeout 60;

keepalive_timeout <value>  ##unit: seconds
Placement: http block, server block, location block

Sets the timeout for keeping a client session to 60 seconds; after this time the server closes the connection.
Parameter role: keep-alive lets the connection established between client and server stay open instead of exiting. When the client has further requests, keep-alive serves them over the established connection, saving the server from re-establishing a connection for each request.
This parameter sets the keep-alive time (how long a client connection stays open on the server before exiting), in seconds

(2) tcp_nodelay on;

tcp_nodelay on|off
Placement: http block, server block, location block

Parameter role: by default, when data is sent, the kernel does not send it immediately but may wait for more bytes to form a packet, which improves I/O performance. However, in a business scenario where only a few bytes are sent at a time, this kernel behaviour makes the client wait longer
(3) send_timeout 25;

send_timeout <value>  ##unit: seconds
Placement: http block, server block, location block

Parameter role: specifies the timeout for responding to the client. The timeout is limited to the interval between two client activities; if it is exceeded with no activity from the client, Nginx closes the connection.

8. Configure Nginx expires caching for performance optimization
1. Features
Simply put, the Nginx expires function sets an expiry time for the content a user accesses. When the user first accesses the content, it is stored locally in the user's browser; on the second and later visits, the browser checks the content it has already cached and does not download it from the server again until the cached content expires or is cleared

A deeper understanding: expires lets the HTTP "Expires" and "Cache-Control" response headers be controlled through the Nginx configuration file, telling the client browser whether it may cache the content and for how long. These response headers tell the client how valid and durable the content is. If the client has the content cached locally, it can read it from the cache instead of from the server; it then checks whether the cached copy has expired to decide whether to re-fetch updated content from the server

2. Function introduction
During website development and operation, website elements such as videos, pictures, CSS and JS, especially pictures, rarely change. Pictures can therefore be set to stay in the client browser's local cache for 365 days, and CSS, JS, html and other code for 10 to 30 days, so that after a user opens a page for the first time, the corresponding content is cached in the local browser according to its expiry. The next time the user opens a similar page, the duplicate elements need not be downloaded, which speeds up access. User requests and data transfer are reduced, and a large amount of server-side bandwidth is saved. This function is similar to Apache's expires function
3. Advantages
· expires reduces the website's bandwidth and saves costs
· It speeds up users' access to the website and improves the user experience
· Server visits fall, server pressure is reduced, and server costs fall

4. Disadvantages
When a cached page or data on the website is updated, users may still see the old cached content, which hurts the user experience. How is this solved?
First, for images and other files that often need to change, the cache time of the object can be shortened. For example, the homepage images of Google and Baidu are often replaced with holiday pictures on particular dates, so the cache period of that picture can be set to one day
Second, when the website is revised or updated, the cached object can be renamed on the server side (in the site's code)
· For pictures and attachments, users generally do not modify the picture in place; in practice it is re-uploaded to the server, and although the content is the same, it has a new image name
· Website revisions and upgrades modify JS, CSS and other elements. If these elements are renamed during the revision, the front-end CDN and users will re-cache the content

5. Parameter configuration

expires <value> ###A time can be given in days, months, etc.
Placement: location block, usually matching files of a given type

Example
location ~ .*\.(js|css)$
{
  expires 30d;
}
###Matches files with the js or css suffix and caches them on the client for 30 days

9. Configure Nginx gzip compression for performance optimization
1. Function introduction
The Nginx gzip compression module compresses file content. Before the content requested by the user is sent to the client, the Nginx server compresses it according to specific policies in order to save the website's outbound bandwidth, speed up data transfer, and improve the user's access experience
2. Advantages
· Improves the user's website experience: the content sent to the user is smaller, so a page of a given size loads faster
· Saves website bandwidth costs: data is transferred compressed, saving the website's bandwidth and traffic costs
3. What should and should not be compressed
· Plain text content has a high compression ratio, so it is best to compress plain text content such as html, js, css, xml, shtml and other formats
· Pictures, videos (streaming media) and similar files should not be compressed where possible, because most of these files are already compressed; re-compressing them may not shrink them, or the effect is negligible, so the cost-effectiveness of compressing them is low
4. Specific configuration: not given here; interested readers can look it up themselves

Log related optimization

When a user sends requests to a piece of software, most software records the user's access, and Nginx is no exception. Nginx currently lacks Apache's built-in log splitting feature, but automatic log rotation can be achieved with a script combined with Nginx's signal control or a reload.
1. Configure the log splitting script

1. Implement the script

log_split
#!/bin/bash
cd /application/nginx/logs || exit 1    #Enter the directory where nginx stores logs; stop if it is missing
/bin/mv www_access.log www_access_$(date +%F -d -1day).log
                              #Name the rotated file after the previous day's date
/application/nginx/sbin/nginx -s reload ##Reload nginx so that it creates a fresh access log

2. Add the script to the scheduled tasks so that it runs at 0:00 every day and performs the split

[root@localhost /]# crontab -e
00 00 * * * /bin/bash /log_split  ###Add this line

2. Do not record logs that are not needed
In practice, logs for load balancer health checks or for certain file types (such as images, JS, CSS) generally need not be recorded, because statistics are computed from PV (page views), and too many log writes consume a lot of disk I/O and reduce server performance

location ~ .*\.(js|jpg|css)$ {
     access_log off;
}

Nginx image and directory anti-hotlinking solution

1. What is resource hotlinking?
Simply put, some unscrupulous websites use other websites' resources in their own site programs without permission, and then display those resources on their own sites to pad out their content. This not only wastes the network traffic of the site whose resources are used, but also strains that site's bandwidth and service capacity

2. Basic principles of the anti-hotlinking solution
(1) Anti-hotlinking based on the HTTP referer
The HTTP protocol has a header field, referer, which gives in URL form the page from which the link to the current resource was used. The referer reveals the source page you visited; for a resource file, it can trace the page address that displays it. Once the source is not this site, the request can be blocked or redirected to a specified page.
When the client sends a request it usually carries a referer that tells the server which page it came from, and the server uses this information for processing. Apache, nginx and Lighttpd all support anti-hotlinking based on the HTTP referer

(2) Anti-hotlinking based on cookies
Some special business data, such as some streaming media applications, do not supply the referer header to the server, so the referer check method does not work well. Anti-hotlinking is especially hard for Flash, Windows Media video and other business data that consume a lot of traffic. In that case, cookie technology can be used to solve the streaming media problem
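As an added example that is not part of the original post, the following Python models how a referer-based anti-hotlinking check decides a request, following the documented rules of nginx's valid_referers directive (none, blocked, server_names, and *.domain patterns) in a simplified host-only form, and then counts denied hotlink requests per referer host from access log lines. The policy, server names and log lines are constructed for the example.

```python
# Added example: referer-based anti-hotlinking decision and a hotlink report.
# Mirrors the documented rules of nginx's valid_referers directive in a
# simplified, host-only form (nginx can also match a path prefix).
from urllib.parse import urlparse

# Constructed policy: what a location block protecting images might allow.
SERVER_NAMES = ("www.example.com", "example.com")
ALLOWED = ("none", "blocked", "server_names", "*.example.com")


def host_matches(host: str, pattern: str) -> bool:
    """Exact host match, or suffix match for patterns starting with '*.'."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '*.example.com' -> '.example.com'
    return host == pattern


def referer_is_valid(referer, allowed=ALLOWED, server_names=SERVER_NAMES) -> bool:
    """True if the Referer header value passes the policy."""
    if not referer:
        return "none" in allowed  # 'none': header absent
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" in allowed  # 'blocked': present but not a URL
    host = (urlparse(referer).hostname or "").lower()
    for pattern in allowed:
        if pattern in ("none", "blocked"):
            continue
        if pattern == "server_names":
            if host in server_names:
                return True
        elif host_matches(host, pattern):
            return True
    return False


def decide(request_headers: dict) -> int:
    """HTTP status the server would return for a protected image request."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    return 200 if referer_is_valid(headers.get("referer")) else 403


def hotlink_report(log_lines) -> dict:
    """Count 403-denied requests per referer host from combined-format
    access log lines, to see which sites are hotlinking."""
    counts = {}
    for line in log_lines:
        fields = line.split('"')  # ... "request" status bytes "referer" "agent"
        if len(fields) < 6:
            continue
        status, referer = fields[2].split()[0], fields[3]
        if status != "403" or referer in ("-", ""):
            continue
        host = (urlparse(referer).hostname or referer).lower()
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample log lines (combined format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Nov/2019:06:01:29 +0000] "GET /a.jpg HTTP/1.1" 403 0 "https://hotlinker.example/p1" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Nov/2019:06:01:30 +0000] "GET /b.jpg HTTP/1.1" 403 0 "https://hotlinker.example/p2" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Nov/2019:06:02:00 +0000] "GET /a.jpg HTTP/1.1" 200 1024 "https://www.example.com/" "Mozilla/5.0"',
]
```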

Use CDN for website acceleration

1. What is a CDN
CDN stands for Content Delivery Network, called content distribution network in Chinese. Simply put, by adding a new layer of network architecture on top of the existing Internet, the website's content is published to the Cache server closest to the user. Intelligent DNS load balancing determines where the user comes from, so that the user fetches the required content from a Cache server on the same line as the user's own bandwidth. Operators generally provide CDN services

A CDN is a set of nationally or globally distributed cache clusters. In essence, intelligent DNS determines the user's source region and Internet access line and selects the nearest Cache node for the user, on the same line as the user's Internet access. Because the user is on the same line, access is faster and the user experience improves

2. Features of CDN
A CDN is a distributed in-memory cache cluster with intelligent scheduling based on user region and line. It has the following characteristics
· Caches website data in server memory, which improves the access speed of enterprise sites (especially sites with many pictures and videos) and improves their stability
· Users are automatically routed to the most suitable Cache server by intelligent DNS technology, reducing the impact of interconnection bottlenecks between operators and ensuring that users on different networks get good access quality
· Speeds up access and reduces the bandwidth of the origin site
· Data is read from the cache server's memory when users access it, which shares the network traffic and reduces the load on the origin site
· Using a CDN to share the origin site's network traffic also reduces the origin site's load, and reduces the impact of hacking and various DDoS attacks on the website, ensuring good service quality

[root@localhost /]# curl -I www.4399.com
HTTP/1.1 200 OK
Date: Mon, 18 Nov 2019 07:30:11 GMT
Content-Type: text/html
Content-Length: 172976
Connection: keep-alive
Expires: Mon, 18 Nov 2019 07:33:39 GMT
Server: nginx
Last-Modified: Mon, 18 Nov 2019 01:14:14 GMT
ETag: "5dd1f066-2a3b0"
Cache-Control: max-age=1800
Accept-Ranges: bytes
Age: 1592
X-Via: 1.1 PShbsjzsxie214:4 (Cdn Cache Server V2.0), 1.1 bd37:3 (Cdn Cache Server V2.0), 1.1 PSsdzbwtxt63:12 (Cdn Cache Server V2.0)

###The "Cdn Cache Server V2.0" entries show that this site uses CDN acceleration
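The three checks this article performs by hand with curl -I (Server version disclosure in section 1, Expires/Cache-Control freshness in section 8, and CDN detection via X-Via here) can be automated over saved curl -I output. The following Python is an added example, not code from the original post; the sample response is constructed from the CDN headers above.

```python
# Added example: audit a response the way the article does by hand with
# curl -I. Checks Server version disclosure, cache freshness from
# Cache-Control/Age or Expires/Date, and CDN involvement via Via/X-Via.
from email.utils import parsedate_to_datetime
import re


def parse_head(raw: str) -> dict:
    """Turn 'curl -I' style text into a dict with lowercase header names."""
    lines = raw.strip().splitlines()
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def server_disclosure(headers: dict) -> tuple:
    """(product, version) from the Server header; version is None when hidden."""
    m = re.match(r"([^/\s]+)(?:/(\S+))?", headers.get("server", ""))
    return (m.group(1), m.group(2)) if m else (None, None)


def cache_remaining(headers: dict):
    """Seconds of freshness left: max-age minus Age, else Expires minus Date;
    None when the response carries neither."""
    m = re.search(r"max-age=(\d+)", headers.get("cache-control", ""))
    if m:
        return int(m.group(1)) - int(headers.get("age", "0"))
    if "expires" in headers and "date" in headers:
        delta = (parsedate_to_datetime(headers["expires"])
                 - parsedate_to_datetime(headers["date"]))
        return int(delta.total_seconds())
    return None


def behind_cdn(headers: dict) -> bool:
    """Via/X-Via entries naming a cache server indicate a CDN in the path."""
    via = (headers.get("x-via", "") + " " + headers.get("via", "")).lower()
    return "cache" in via or "cdn" in via


def audit(raw: str) -> dict:
    """Summarise one response: product name, whether a version leaks,
    remaining cache lifetime in seconds, and whether a CDN answered."""
    h = parse_head(raw)
    product, version = server_disclosure(h)
    return {"server": product, "version_disclosed": version is not None,
            "cache_remaining": cache_remaining(h), "cdn": behind_cdn(h)}


# Constructed sample: the CDN response shown above, trimmed to the relevant headers.
CDN_SAMPLE = """HTTP/1.1 200 OK
Date: Mon, 18 Nov 2019 07:30:11 GMT
Expires: Mon, 18 Nov 2019 07:33:39 GMT
Server: nginx
Cache-Control: max-age=1800
Age: 1592
X-Via: 1.1 PShbsjzsxie214:4 (Cdn Cache Server V2.0), 1.1 bd37:3 (Cdn Cache Server V2.0)
"""
```

For the sample above both freshness calculations agree: max-age 1800 minus Age 1592 and Expires minus Date both give 208 seconds.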

Origin blog.csdn.net/flat0809/article/details/103106833