Nginx optimization and anti-leech related configuration

One, hide the Nginx version number

1. How to hide the Nginx version number and its necessity

(1) Why the Nginx version number should be hidden: in a production environment the version number is hidden so that it is not disclosed to clients, because a known version lets an attacker look up the security vulnerabilities published for that exact release.
(2) How to view the Nginx version number:
On a Windows client, use the Fiddler tool to view the Nginx version number.
On a CentOS system, use the "curl -I URL" command to view the Nginx version number.
(3) How to hide the Nginx version number: either modify the configuration file or modify the source code.

2. Configuration commands to hide the Nginx version number

Method 1:
Set the server_tokens option in the Nginx configuration file to off

vim /usr/local/nginx/conf/nginx.conf

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;    ## add this line: turns off the version number
}

systemctl restart nginx
curl -I http://192.168.177.11/  ## check the version number (the Server header should now read just "nginx")

Method 2:
Modify the source file, then recompile and install

vim /opt/nginx-1.12.0/src/core/nginx.h
#define nginx_version      1012000
#define NGINX_VERSION      "1.0.0"    // change the original 1.12.0 to 1.0.0
#define NGINX_VER          "IIS" NGINX_VERSION    // change the original "nginx/" prefix to "IIS"

# recompile and install
cd /opt/nginx-1.12.0
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module

make && make install

# turn the version number that was switched off in method 1 back on
vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;   # on again; the Server header now shows the disguised value
}

# restart the service
systemctl restart nginx.service

# check whether the real version number is hidden
curl -I http://192.168.177.11/

Two, modify the user and group

vim /usr/local/nginx/conf/nginx.conf
user  nginx nginx;        # remove the leading # to uncomment this line, then change the user and group to nginx
worker_processes  1;

systemctl restart nginx.service
ps aux | grep nginx     # check that the worker processes now run as the new user and group


Three, configure the cache time

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;
    ......
    location / {
        root   html;
        index  index.html index.htm;
    }

    location ~ \.(gif|jpg|jpeg|bmp|ico)$ {    # copy the 4 lines above and modify them
        root   html;
        expires 1d;       # set the cache time to 1 day
    }

cd /usr/local/nginx/html/    # an image has to be added to the nginx home page directory
[root@localhost html]#ls
50x.html   error.png.0  chuishi.jpg.0
error.png  chuishi.jpg     index.html

Access the chuishi.jpg image directly from a browser:
http://192.168.177.11/chuishi.jpg

Four, log splitting

vim /opt/fengge.sh
#!/bin/bash
# rizhi fengge (log splitting): move yesterday's access log aside and let nginx reopen a fresh one
day=$(date -d "-1 day" "+%Y%m%d")    # date of the previous day, used as the file suffix
logs_path="/var/log/nginx"
pid_path="/usr/local/nginx/logs/nginx.pid"
[ -d "$logs_path" ] || mkdir -p "$logs_path"   # create the log archive directory
mv /usr/local/nginx/logs/access.log "${logs_path}/yy.com-access.log-$day"   # move and rename the log file
kill -USR1 "$(cat "$pid_path")"      # USR1 makes the nginx master reopen its log files, recreating access.log
find "$logs_path" -type f -mtime +30 | xargs -r rm -f   # delete archived log files older than 30 days (-type f keeps the directory itself safe)

chmod +x /opt/fengge.sh
/opt/fengge.sh
ls /var/log/nginx/
ls /usr/local/nginx/logs/access.log

crontab -e      # schedule the script so the logs are split and collected automatically
0 1 * * * /opt/fengge.sh

Note: in the Linux operating system every file carries several time attributes, of which three matter most: ctime, atime and mtime.

1. ctime (status change time):
Updated when the file's permissions or attributes are modified. ctime is not the creation time; it is better understood as the change time. It is updated only when the file's attributes or permissions change, not when its content changes.
2. atime (access time):
Updated when the file is read or otherwise used.
3. mtime (modification time):
Updated when the file's content data is modified; changing permissions or attributes does not change mtime. This is the difference from ctime.

Five, connection timeout

HTTP has a KeepAlive mode, which tells the web server to keep the TCP connection open after it has processed a request. If further requests arrive from the same client, the server reuses this open connection instead of establishing a new one.
A KeepAlive connection stays open for a period of time and occupies resources for that whole period, so an excessive timeout hurts performance.

vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;
    ......
    keepalive_timeout  65 180;
    client_header_timeout 80;
    client_body_timeout 80;

systemctl restart nginx.service 

keepalive_timeout:
Specifies the KeepAlive timeout, i.e. how long each idle TCP connection is kept; the server closes the connection after this time.
Nginx's default value is 65 seconds; some browsers only hold a connection for at most 60 seconds, so it can be set to 60 seconds. Setting it to 0 disables keepalive connections.
The second (optional) parameter sets the time value in the "Keep-Alive: timeout=time" response header. This header lets some browsers close the connection themselves, so the server does not have to. Without this parameter, Nginx does not send the Keep-Alive response header.

client_header_timeout:
The timeout for the client to send a complete request header to the server. If the client does not send the complete request header within this time, Nginx returns HTTP 408 (Request Time-out).

Six, change the number of worker processes

cat /proc/cpuinfo | grep -c "physical id"    # check the number of CPU cores
ps aux | grep nginx  # check how many worker processes the nginx master process has

vim /usr/local/nginx/conf/nginx.conf
user  nginx nginx;
worker_processes  2;    # set to the number of cores, or twice that
worker_cpu_affinity 01 10;   # have each worker handled by a different CPU; with 4 worker processes use 0001 0010 0100 1000

systemctl restart nginx.service
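The affinity masks follow a fixed convention (one bit per CPU, the first worker on the rightmost bit), which is easy to get wrong when typed by hand for larger core counts. The following shell script is an added example, not code from the original post: it generates the worker_processes and worker_cpu_affinity directives for a given worker count, one CPU per worker, and in its stand-alone run sizes them to the machine's CPU count as reported by nproc (assumed to be available).

```shell
#!/bin/sh
# Added example: build the worker_processes / worker_cpu_affinity directives
# for N workers, one CPU per worker, using the bit-mask convention from the
# section above (worker 1 -> rightmost bit). Not part of the original post.

# affinity_masks N -> prints N masks, each N bits wide, e.g. 4 -> "0001 0010 0100 1000"
affinity_masks() {
    local n i j mask out
    n=$1
    i=0
    out=""
    while [ "$i" -lt "$n" ]; do
        mask=""
        j=$((n - 1))
        # emit bits from the highest to the lowest; only bit i is set for worker i
        while [ "$j" -ge 0 ]; do
            if [ "$j" -eq "$i" ]; then mask="${mask}1"; else mask="${mask}0"; fi
            j=$((j - 1))
        done
        out="${out:+$out }$mask"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# worker_config N -> the two nginx directives, ready to paste into nginx.conf
worker_config() {
    printf 'worker_processes  %s;\nworker_cpu_affinity %s;\n' "$1" "$(affinity_masks "$1")"
}

# Stand-alone run: size the configuration to this machine's CPU count
# (nproc is assumed to exist; fall back to a single worker otherwise).
cores=$(nproc 2>/dev/null || echo 1)
worker_config "$cores"
```

Running it on a two-CPU machine prints exactly the two directives used in the configuration above (worker_processes 2 and the masks 01 10).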

Seven, configure web page compression

vim /usr/local/nginx/conf/nginx.conf
    gzip  on;       # uncomment this line to enable gzip compression, and add the lines below
    gzip_min_length 1k;    # minimum file size to compress
    gzip_buffers 4 64k;    # compression buffers: 4 buffers of 64k each
    gzip_http_version 1.1;   # protocol version for compression (default 1.1; use 1.0 if a squid 2.5 proxy sits in front)
    gzip_comp_level 6;    # compression level
    gzip_types text/plain application/x-javascript text/css image/jpg image/jpeg image/png image/gif application/xml text/javascript application/x-httpd-php application/javascript application/json;   # MIME types for which compression is enabled
    gzip_vary on;   # lets a front-end cache server store the compressed page (adds "Vary: Accept-Encoding")

cd /usr/local/nginx/html/     # upload game.jpg to this directory beforehand
vim index.html
<p><em>Thank you for using nginx.</em></p>
<img src="game.jpg">     <!-- add this line -->
</body>

systemctl restart nginx.service
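The curl -I checks scattered through sections One, Three, Five and Seven can be turned into one repeatable audit. The script below is an added example, not code from the original post: it parses a raw response header block and reports whether the Server header still carries an nginx version, what max-age the Cache-Control header advertises (expires 1d yields 86400), what Keep-Alive timeout hint was sent, and whether the body was gzip-compressed. The two header blocks at the bottom are constructed for an offline run; audit_url does the same against a live server and deliberately uses a GET rather than curl -I, because nginx does not compress HEAD responses.

```shell
#!/bin/sh
# Added example (not from the original post): audit nginx response headers for the
# settings from sections One (version hidden), Three (cache time), Five (keep-alive
# hint) and Seven (gzip). Input is a raw header block as produced by curl, CRLF included.

# header_value HEADERS NAME -> value of the first header called NAME (case-insensitive)
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { name = $1; sub(/:$/, "", name) }
        tolower(name) == want { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# 0 when the Server header reveals no nginx version (absent, plain "nginx", or a disguise such as IIS1.0.0)
server_version_hidden() {
    case "$(header_value "$1" Server)" in
        nginx/[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# prints the max-age from Cache-Control in seconds, 0 when there is none
cache_max_age() {
    local cc
    cc=$(header_value "$1" Cache-Control)
    case "$cc" in
        *max-age=*) cc=${cc#*max-age=}; printf '%s\n' "${cc%%[!0-9]*}" ;;
        *) printf '0\n' ;;
    esac
}

# prints the timeout advertised in the Keep-Alive header, 0 when nginx sent none
keepalive_hint() {
    local ka
    ka=$(header_value "$1" Keep-Alive)
    case "$ka" in
        *timeout=*) ka=${ka#*timeout=}; printf '%s\n' "${ka%%[!0-9]*}" ;;
        *) printf '0\n' ;;
    esac
}

# 0 when the response body was gzip-compressed
gzip_applied() {
    [ "$(header_value "$1" Content-Encoding | tr '[:upper:]' '[:lower:]')" = gzip ]
}

# audit_headers HEADERS -> one line per check
audit_headers() {
    local h v g
    h=$1
    if server_version_hidden "$h"; then v=yes; else v=NO; fi
    printf 'version hidden : %s (Server: %s)\n' "$v" "$(header_value "$h" Server)"
    printf 'cache max-age  : %s s\n' "$(cache_max_age "$h")"
    printf 'keep-alive hint: %s s\n' "$(keepalive_hint "$h")"
    if gzip_applied "$h"; then g=yes; else g=no; fi
    printf 'gzip applied   : %s\n' "$g"
}

# audit_url URL -> live check. A GET is used (curl -I would send HEAD, which nginx never
# compresses); the body goes to /dev/null and only the headers (-D -) are kept.
audit_url() {
    audit_headers "$(curl -s -o /dev/null -D - -H 'Accept-Encoding: gzip' "$1")"
}

# Constructed sample header blocks for the offline run: a default server and a hardened one.
DEFAULT_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.12.0\r\nContent-Type: text/html\r\nConnection: keep-alive\r\n')
HARDENED_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\nConnection: keep-alive\r\nKeep-Alive: timeout=180\r\nExpires: Sat, 02 Jan 2021 00:00:00 GMT\r\nCache-Control: max-age=86400\r\nContent-Encoding: gzip\r\n')

echo "--- default ---";  audit_headers "$DEFAULT_HEADERS"
echo "--- hardened ---"; audit_headers "$HARDENED_HEADERS"
```

Against the lab server from this post, audit_url http://192.168.177.11/chuishi.jpg should report the version hidden, a max-age of 86400 and a keep-alive hint of 180 once sections One, Three and Five are applied; run it against index.html to see the gzip check succeed, since the image types listed in gzip_types gain little from compression.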

Eight, anti-leech (hotlink protection)

Configure the hotlinking machine (a second web server whose page embeds an image from www.yy.com)

yum install -y httpd

vim /var/www/html/index.html
<html><body><h1>IT WORKS!</h1>
<img src="http://www.yy.com/chuishi.jpg"/>
</body></html>

echo "192.168.177.8 www.accp.com" >> /etc/hosts
echo "192.168.177.11 www.yy.com" >> /etc/hosts

systemctl restart httpd

Configure anti-leech

vim /usr/local/nginx/conf/nginx.conf
        location ~* \.(gif|jpg|jpeg|bmp|ico)$ {
            valid_referers *.yy.com yy.com;
            if ( $invalid_referer ) {
                rewrite ^/ http://www.yy.com/error.png;
            }
            # note: error.png itself matches this location, so a hotlinked request for it is
            # redirected again; serve error.png from a location without the referer check
            # (or use "return 403;") to avoid a redirect loop
        }

systemctl restart nginx

~* \.(jpg|gif|swf)$: this regular expression matches, case-insensitively, files whose names end in .jpg, .gif or .swf;
valid_referers: sets the trusted sites that are allowed to use the images; the URLs or domain names that follow are matched against the Referer header;
if statement: if the domain the link comes from is not in the list given by valid_referers, $invalid_referer is 1 and the following action is carried out, i.e. a rewrite or returning a 403 page.
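To see exactly when $invalid_referer gets set, the following is an added example (not from the original post, and not nginx code): a shell re-implementation of the valid_referers matching rules for the list entries none, blocked, a bare host name and a leading-wildcard host name, applied to the list *.yy.com yy.com from the configuration above. The Referer values in the demo run are constructed. Note that because none is not in that list, a request with no Referer at all (a URL typed directly into the browser) is also treated as invalid.

```shell
#!/bin/sh
# Added example (not from the original post, not nginx code): a shell re-implementation of the
# valid_referers matching rules, to show when nginx sets $invalid_referer.
# Supported list entries: none, blocked, a bare host (yy.com), a leading-wildcard host (*.yy.com).

# referer_is_valid REFERER_VALUE ENTRY... -> 0 (true) when the Referer is trusted
referer_is_valid() {
    local referer pat host suffix
    referer=$1; shift

    # Rule 1: no Referer header at all is trusted only if the list contains "none"
    if [ -z "$referer" ]; then
        for pat in "$@"; do [ "$pat" = none ] && return 0; done
        return 1
    fi

    # Rule 2: a Referer that does not start with http:// or https:// (value stripped by a
    # firewall or proxy) is trusted only if the list contains "blocked"
    case "$referer" in
        http://*|https://*) ;;
        *) for pat in "$@"; do [ "$pat" = blocked ] && return 0; done; return 1 ;;
    esac

    # Rule 3: compare only the host: drop scheme, path and port (nginx ignores the port),
    # and compare case-insensitively
    host=${referer#*://}
    host=${host%%/*}
    host=${host%%:*}
    host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')

    for pat in "$@"; do
        case "$pat" in
            none|blocked) ;;
            '*.'*)  # *.yy.com matches any subdomain of yy.com but not yy.com itself
                suffix=${pat#\*}
                [ "${host%"$suffix"}" != "$host" ] && return 0 ;;
            *)      # a bare name must match the host exactly
                [ "$host" = "$pat" ] && return 0 ;;
        esac
    done
    return 1
}

# invalid_referer REFERER_VALUE ENTRY... -> prints "1" when nginx would set $invalid_referer, else nothing
invalid_referer() {
    if referer_is_valid "$@"; then printf ''; else printf '1'; fi
}

# Demo run over constructed Referer values against the list from the configuration above
for ref in "http://www.yy.com/index.html" "http://www.accp.com/index.html" "" "WWW.yy.com"; do
    printf '%-36s invalid_referer=%s\n' "\"$ref\"" "$(invalid_referer "$ref" '*.yy.com' yy.com)"
done
```

Because the Referer header is whatever the client chooses to send, this check only stops casual hotlinking by third-party pages; treat it as bandwidth protection, not as access control for the images.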

Nine, php-fpm parameter optimization

vim /usr/local/php/etc/php-fpm.conf
pid = run/php-fpm.pid

vim /usr/local/php/etc/php-fpm.d/www.conf
----- line 96 -----
pm = dynamic  # how fpm starts its processes: dynamic
----- line 107 -----
pm.max_children = 20  # maximum number of fpm child processes
----- line 112 -----
pm.start_servers = 5   # number of processes started at launch in dynamic mode, between the minimum and maximum
----- line 117 -----
pm.min_spare_servers = 2  # minimum number of idle processes in dynamic mode
----- line 122 -----
pm.max_spare_servers = 8   # maximum number of idle processes in dynamic mode

kill -USR2 $(cat /usr/local/php/var/run/php-fpm.pid)      # restart (reload) php-fpm
netstat -anpt | grep 9000


Origin blog.csdn.net/tefuiryy/article/details/113177903