Nginx optimization and anti-leech (detailed explanation of graphics and text!)

1. Hide the version number

You can capture packets with Fiddler to see the Nginx version, or on CentOS run curl -I http://192.168.2.8 to print the response headers; the Server header shows the version.

curl -I http://192.168.2.8

Method 1: modify the configuration file

vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;    # added: hide the version number
    ......
}

systemctl restart nginx
curl -I http://192.168.2.8

Method 2: modify the source, then recompile and install

vim /opt/nginx-1.12.0/src/core/nginx.h
#define NGINX_VERSION "1.0.0"                 // change the version number
#define NGINX_VER "IIS/" NGINX_VERSION        // change the server type

cd /opt/nginx-1.12.0/
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
make && make install

vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;    # turn version display on (the forged string is shown)
    ......
}

systemctl restart nginx.service 
curl -I http://192.168.2.8
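
A quick way to confirm the change took effect, added here as an example that is not part of the original post: the function below reads HTTP response headers on stdin and reports whether the Server header still carries a version string. The sample header sets are constructed; the host used by check_url is whatever you pass in. Note that the forged "IIS/1.0.0" string from method 2 is still flagged, because it still exposes a version, just a fake one.

```sh
#!/bin/sh
# Constructed sample responses (not captured from a real host).
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.12.0
Content-Type: text/html'

HIDDEN_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# Print the value of the Server header from response headers read on stdin.
server_header() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "server" { print $2; exit }'
}

# Exit 0 when the Server header contains "/<digit>", i.e. a version is exposed.
leaks_version() {
    value=$(server_header)
    case "$value" in
        */[0-9]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Live check against a URL, e.g. check_url http://192.168.2.8 (requires curl).
check_url() {
    if curl -sI "$1" | leaks_version; then
        echo "$1: Server header exposes a version"
        return 1
    fi
    echo "$1: Server header hides the version"
}

# Offline demonstration on the constructed samples
printf '%s\n' "$LEAKY_HEADERS"  | leaks_version && echo "sample 1: version exposed"
printf '%s\n' "$HIDDEN_HEADERS" | leaks_version || echo "sample 2: version hidden"
```

Run check_url against the server after each restart; with server_tokens off the function reports the version as hidden.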

2. Change the user and group

Method 1: specify them at compile and install time. This is not demonstrated again here; see my previous post.

cd /opt/nginx-1.12.0/
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module

make && make install

Owner of the nginx processes:

Method 2:

vim /usr/local/nginx/conf/nginx.conf
user nginx nginx;    # uncomment; set the user to nginx and the group to nginx

systemctl restart nginx

ps -ef | grep nginx    # or: ps aux | grep nginx
The master process is created by root; the worker processes run as nginx.

3. Cache time

vim /usr/local/nginx/conf/nginx.conf
http {
......
    server {
    ......
        location / {
            root   html;
            index  index.html index.htm;
        }

        # Add a new location that caches image files
        location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
            root html;
            # Cache time: 1 day
            expires 1d;
        }
......
    }
}

systemctl restart nginx.service

In Linux, open Firefox, right-click the page and choose Inspect Element.
Select Network, then the HTML, WS and Other filters.
Visit http://192.168.2.8/ and double-click the 304 response. Its headers contain Cache-Control: max-age=86400, meaning the cache time is 86400 seconds, i.e. one day: for a day the browser serves this page from its cache without sending a new request to the Nginx server, which reduces the server's bandwidth use.

4. Log rotation

Use a script to rotate the logs

vim /opt/fenge.sh
#!/bin/bash
# Variables
# Date of the previous day, e.g. 2021-01-27
d=$(date -d "-1 day" "+%F")
logs_path="/var/log/nginx"
nginx_pid=$(cat /usr/local/nginx/logs/nginx.pid)

# Create the log directory if it does not exist
[ -d "$logs_path" ] || mkdir -p "$logs_path"
# Move and rename the current log file
mv /usr/local/nginx/logs/access.log "${logs_path}/mhh.com-access.log-${d}"

# Ask the master process to reopen its log files (a fresh access.log is created)
kill -USR1 "$nginx_pid"
# Delete log files older than 30 days (-type f so the directory itself is never removed)
find "$logs_path" -type f -mtime +30 -exec rm -f {} \;
#find "$logs_path" -type f -mtime +30 | xargs rm -f

chmod +x /opt/fenge.sh
/opt/fenge.sh
ls /var/log/nginx
ls /usr/local/nginx/logs/

crontab -e
0 1 * * * /opt/fenge.sh

Restart the nginx service

systemctl restart nginx

There is a mistake in the picture: the job runs at 1 am every day.

Supplement:

In Linux, every file carries several timestamps, of which three matter most: ctime, atime and mtime.

ctime (status change time):
Updated when the file's permissions or attributes are modified. ctime is not the creation time; it is closer to a change time.
It is updated only when attributes or permissions change, not when the content changes.

atime (access time):
Updated when the file is read.

mtime (modification time):
Updated when the file's content is modified; changing permissions or attributes leaves mtime untouched, which is the difference from ctime.

5. Connection timeout

HTTP has a KeepAlive mode that tells the web server to keep the TCP connection open after it has handled a request, so that further requests from the same client reuse the connection instead of opening a new one.
A KeepAlive connection stays open for a period of time and occupies resources for that long; overusing it hurts performance.

vim /usr/local/nginx/conf/nginx.conf
http {
...... 
    keepalive_timeout 65 180;
    client_header_timeout 80;
    client_body_timeout 80;
...... 
}

systemctl restart nginx

keepalive_timeout
Specifies the KeepAlive timeout: how long each TCP connection may stay open before the server closes it. The Nginx default is 65 seconds. Some browsers hold a connection for at most 60 seconds, so 60 seconds is a reasonable setting. A value of 0 disables keepalive connections.
The optional second parameter sets the time value in the Keep-Alive: timeout=time response header. This header lets some browsers close the connection themselves, so the server does not have to. Without this parameter, Nginx does not send a Keep-Alive response header.

client_header_timeout
The time the client has to send a complete request header. If the client has not sent a complete request header within this period, Nginx returns HTTP 408 (Request Timed Out).

client_body_timeout
The time the client has to send the request body after the connection is established. If the client sends nothing within this period, Nginx returns HTTP 408 (Request Timed Out).

6. Change the number of worker processes

cat /proc/cpuinfo | grep -c "physical id"    # check the number of CPU cores
ps aux | grep nginx                          # check how many worker processes the nginx master has

vim /usr/local/nginx/conf/nginx.conf
worker_processes  2;           # set to the number of cores, or twice that
worker_cpu_affinity 01 10;     # bind each worker to a different CPU; with 4 workers the masks are 0001 0010 0100 1000 (one bit per worker)

systemctl restart nginx
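
As an added example (not part of the original post), a small shell helper that derives both directives from the CPU count: one worker per CPU and a one-hot mask per worker, so affinity_masks 2 yields the 01 10 used above and affinity_masks 4 yields 0001 0010 0100 1000. The cpu_count function assumes nproc or /proc/cpuinfo is available.

```sh
#!/bin/sh
# Number of logical CPUs: nproc where available, otherwise count processor entries.
cpu_count() {
    if command -v nproc >/dev/null 2>&1; then
        nproc
    else
        grep -c '^processor' /proc/cpuinfo
    fi
}

# Print the worker_cpu_affinity masks for N workers, one bit set per worker.
# The rightmost bit is CPU 0, so worker 0 gets ...0001, worker 1 gets ...0010, and so on.
affinity_masks() {
    n=$1
    i=0
    out=''
    while [ "$i" -lt "$n" ]; do
        mask=''
        j=$((n - 1))
        while [ "$j" -ge 0 ]; do
            if [ "$j" -eq "$i" ]; then mask="${mask}1"; else mask="${mask}0"; fi
            j=$((j - 1))
        done
        out="${out:+$out }$mask"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Render the two nginx.conf lines for N workers.
render_directives() {
    n=$1
    printf 'worker_processes  %s;\n' "$n"
    printf 'worker_cpu_affinity %s;\n' "$(affinity_masks "$n")"
}

# Example: directives sized to this machine
render_directives "$(cpu_count)"
```

Paste the two printed lines into the main context of nginx.conf in place of the ones above; the mask width always equals the worker count, which is what keeps each worker on its own CPU.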

7. Configure web page compression

vim /usr/local/nginx/conf/nginx.conf
http {
......
   gzip on;                 # uncomment; enable gzip compression
   gzip_min_length 1k;      # minimum file size to compress
   gzip_buffers 4 16k;      # compression buffers: 4 buffers of 16k each
   gzip_http_version 1.1;   # HTTP version for compression (default 1.1; use 1.0 if squid 2.5 sits in front)
   gzip_comp_level 6;       # compression level
   gzip_vary on;            # let front-end caches store compressed pages
   gzip_types text/plain text/javascript application/x-javascript text/css text/xml application/xml application/xml+rss image/jpg image/jpeg image/png image/gif application/x-httpd-php application/javascript application/json;    # MIME types for which compression is enabled
......
}

cd /usr/local/nginx/html
First upload the xlql.png file to the /usr/local/nginx/html directory
vim index.html
......
<img src="xlql.png"/>    <!-- embed the image in the page -->
</body>
</html>

systemctl restart nginx

echo "192.168.2.8 www.mhh.com" >> /etc/hosts    # add the hosts mapping

In Linux, open Firefox, right-click the page and choose Inspect Element.
Select Network, then the HTML, WS and Other filters.
Visit http://www.mhh.com and double-click the 200 response; its response headers contain Content-Encoding: gzip.

8. Configure anti-hotlinking

Web source host (192.168.2.8)

Anti-hotlinking preparation:

vim /usr/local/nginx/conf/nginx.conf
http {
......
    server {
    ......
        location ~* \.(png|gif|swf)$ {
            valid_referers *.mhh.com mhh.com;
            if ( $invalid_referer ) {
                rewrite ^/ http://www.mhh.com/error.jpg;
                #return 403;
            }
        }
    ......
    }
}

systemctl restart nginx
---------- Explanation --------------------
~* \.(png|gif|swf)$ : this regular expression matches, case-insensitively, files whose names end in .png, .gif or .swf;
valid_referers : the trusted sites whose pages may use the images normally;
the URLs or domain names that follow : Referer values containing these strings are accepted;
if statement: if the referring domain is not in the valid_referers list, $invalid_referer is 1 and the action that follows is executed, i.e. the request is rewritten or a 403 page is returned.
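
To make the decision above concrete, here is an added example (not part of the original post and not nginx's own code): a simplified shell mirror of how valid_referers classifies a request, run over constructed Referer values against the list from the configuration above. Two points a practitioner should take from it: the list above has no "none" entry, so a visitor who opens an image URL directly (no Referer header at all) is also sent to error.jpg; and because the Referer header is supplied by the client, this check deters casual embedding rather than guaranteeing that only your pages can load the images.

```sh
#!/bin/sh
# Usage: referer_is_valid "<Referer header value, or empty if absent>" "<valid_referers list>"
# Exit 0 when the referer is accepted ($invalid_referer would be empty), 1 otherwise.
referer_is_valid() {
    referer=$1
    allowed=$2
    lower=$(printf '%s' "$referer" | tr 'A-Z' 'a-z')
    # Host part of the Referer: drop the scheme, then the port and path.
    host=$(printf '%s' "$lower" | sed -e 's#^https\{0,1\}://##' -e 's#[/:].*$##')
    for entry in $allowed; do
        case "$entry" in
            none)
                # "none": the Referer header is absent
                [ -z "$referer" ] && return 0 ;;
            blocked)
                # "blocked": a Referer is present but is not an http(s) URL (e.g. mangled by a proxy)
                case "$lower" in
                    ''|http://*|https://*) ;;
                    *) return 0 ;;
                esac ;;
            \*.*)
                # "*.mhh.com": any subdomain of mhh.com (mhh.com itself needs its own entry)
                suffix=${entry#\*}
                case "$host" in
                    *"$suffix") return 0 ;;
                esac ;;
            *)
                # plain entry: exact host match
                [ "$host" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# Constructed requests against the list used in the configuration above
PAGE_LIST='*.mhh.com mhh.com'
demo() {
    for r in 'http://www.mhh.com/index.html' 'http://www.dao.com/index.html' ''; do
        if referer_is_valid "$r" "$PAGE_LIST"; then
            printf 'Referer %-34s -> image served\n' "'$r'"
        else
            printf 'Referer %-34s -> rewritten to error.jpg\n' "'$r'"
        fi
    done
}
demo
```

Adding none to the directive (valid_referers none *.mhh.com mhh.com;) is what lets direct visits through while still rejecting pages on www.dao.com.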

Web page preparation:

cd /usr/local/nginx/html
Upload the xlql.png and error.jpg files to the /usr/local/nginx/html directory
vim index.html
......
<img src="xlql.png"/>
</body>
</html>

echo "192.168.2.8 www.mhh.com" >> /etc/hosts
echo "192.168.2.7  www.dao.com" >> /etc/hosts

Hotlinking website host (192.168.2.7)

# install the nginx service first
cd /usr/local/nginx/html
vim index.html
...... 
<img src="http://www.mhh.com/xlql.png"/>
</body>
</html>

echo "192.168.2.8 www.mhh.com" >> /etc/hosts
echo "192.168.2.7  www.dao.com" >> /etc/hosts

Verify in a browser on the hotlinking host:

http://www.mhh.com
http://www.dao.com

9. PHP-FPM parameter optimization

cd /usr/local/php/etc/
cp php-fpm.conf.default php-fpm.conf
vim php-fpm.conf
pid = run/php-fpm.pid

vim /usr/local/php/etc/php-fpm.d/www.conf
# line 96: how fpm worker processes are managed; dynamic
pm = dynamic
# line 107: maximum number of fpm worker processes
pm.max_children = 20
# line 112: number of processes started by default in dynamic mode, between the minimum and maximum
pm.start_servers = 5
# line 117: minimum number of idle processes in dynamic mode
pm.min_spare_servers = 2
# line 122: maximum number of idle processes in dynamic mode
pm.max_spare_servers = 8

# Start php-fpm (this command cannot be used for a restart)
/usr/local/php/sbin/php-fpm -c /usr/local/php/lib/php.ini
# Once it is running, reload php-fpm gracefully via its pid file
kill -USR2 $(cat /usr/local/php/var/run/php-fpm.pid)
netstat -anpt | grep 9000

Origin blog.csdn.net/qq_35456705/article/details/113290967