Nginx webpage and security optimization

Preface


  • As the Chinese saying goes, "learn mathematics, physics and chemistry well and you can go anywhere in the world without fear".
  • The IT industry is no different: study hard and you can make a living anywhere.
  • Keep at it, everyone; the future is ours to build!


One, hide the version number

  • Use curl -I and look at the Server response header; a stock build reports its version there.

Method 1: modify the configuration file

vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;		#add this line: removes the version number from the Server header and from nginx's own error pages
}

systemctl restart nginx
curl -I http://192.168.184.70

The Server header now reads just "nginx": server_tokens off hides the version in the header and on the built-in error pages, but not the product name. Replacing the name as well requires rebuilding from patched source (method 2).

Method 2: modify the source, recompile and reinstall

vim /opt/nginx-1.12.0/src/core/nginx.h
#define NGINX_VERSION "1.1.1" 					#change the version string
#define NGINX_VER "apache" NGINX_VERSION 			#change the server name; the stock line reads "nginx/" NGINX_VERSION, so this yields "apache1.1.1"

cd /opt/nginx-1.12.0/
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
make && make install

vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;		#with the rebuilt binary the header now shows the fake name and version
	......
}

systemctl restart nginx
curl -I http://192.168.184.70

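To confirm the change without reading a screenshot, here is an added shell helper (not from the article) that extracts the Server header from captured response headers and flags a dotted version number. The two header blocks are constructed samples of a response before and after server_tokens off; the function names are this example's own, and live_check, which runs the same test with curl against a real host, is the only part that needs network access.

```bash
#!/bin/bash
# Added check (not from the article): pull the Server header out of a
# captured response and flag a version number. The two header blocks are
# constructed samples; live_check is the same test against a real host.

# Constructed: what a stock build answers
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.12.0
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html'

# Constructed: the same server after "server_tokens off;" (product name stays)
AFTER_HEADERS='HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html'

# server_header HEADERS: value of the Server header, CRs stripped
server_header() {
    printf '%s\n' "$1" | awk '
        { gsub(/\r/, "") }
        tolower($1) == "server:" { sub(/^[^ ]+ +/, ""); print; exit }'
}

# leaks_version HEADERS: succeed if the Server value contains a dotted version
leaks_version() {
    server_header "$1" | grep -Eq '[0-9]+\.[0-9]+'
}

# version_report HEADERS: one-line verdict for a header block
version_report() {
    local hdr
    hdr=$(server_header "$1")
    if leaks_version "$1"; then
        echo "LEAK: Server header exposes version ($hdr)"
    else
        echo "OK: no version in Server header (${hdr:-absent})"
    fi
}

# live_check URL: needs network, e.g. live_check http://192.168.184.70/
live_check() {
    version_report "$(curl -sI "$1")"
}

version_report "$BEFORE_HEADERS"
version_report "$AFTER_HEADERS"
```

The regex only looks for a dotted number, so a rebuilt binary that reports "apache1.1.1" (method 2) is still flagged: a fake version is as much a fingerprint as a real one, which is why method 1 is usually enough.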

Two, modify users and groups

vim /usr/local/nginx/conf/nginx.conf
user nginx nginx; 			#uncomment and set the user to nginx and the group to nginx

systemctl restart nginx

ps aux | grep nginx			#the master process still runs as root; the worker processes should now show nginx

The master keeps running as root because it has to bind ports 80/443 and read the configuration; the user directive only sets the account the worker processes switch to, and it is honoured only when the master was started as root. The nginx account named here (and in --user=nginx at configure time) must already exist on the system.

Three, web page caching

vim /usr/local/nginx/conf/nginx.conf
http {
......
	server {
	......
		location ~ \.(gif|jpg|jpeg|png)$ {		#new location: images are the objects to cache
			root html;
			expires 1d;				#cache lifetime, 1 day
		}
......
	}
}

expires 1d makes nginx add an Expires header one day ahead and Cache-Control: max-age=86400 to matching responses, so browsers and intermediate caches serve the image from cache for a day without asking the server; check it with curl -I against an image URL.

Four, log rotation

vim /root/fenge.sh
#!/bin/bash

day=$(date -d "-1 day" "+%Y%m%d")   #yesterday's date, the day the log being archived covers
#day=$(date -d "-1 day" "+%F")
logs_path="/var/log/nginx"
pid_path=$(cat /usr/local/nginx/logs/nginx.pid)

[ -d "$logs_path" ] || mkdir -p "$logs_path"        #create the archive directory

#move and rename the log file
mv /usr/local/nginx/logs/access.log "${logs_path}/qiaodaer.com-access.log-${day}"

#recreate the log file: USR1 makes the master process reopen its log files
kill -USR1 "$pid_path"
#delete archived files older than 30 days (-type f so the directory itself is never matched)
find "$logs_path" -type f -mtime +30 -exec rm -f {} \;
#find "$logs_path" -type f -mtime +30 | xargs rm -f

The script is meant to run once a day; the archive name carries yesterday's date because that is the day the rotated file covers.

  • In Linux every file carries several timestamps; three matter here: ctime, atime and mtime.
  • ctime (status change time):
    • updated whenever the inode changes: permissions, owner, link count, and also a write to the content. It is not the creation time. A chmod alone bumps ctime without touching mtime.
  • atime (access time):
    • updated when the file's content is read.
  • mtime (modification time):
    • updated when the file's content is written; a permission or attribute change alone leaves it untouched, which is the difference from ctime. find -mtime tests this timestamp, and a rename (the mv above, within one filesystem) preserves it, so the script deletes archives by the age of their content.

Five, connection timeout

vim /usr/local/nginx/conf/nginx.conf
http {
...... 
    keepalive_timeout 65 180;
    client_header_timeout 80;
    client_body_timeout 80;
...... 
}
  • HTTP keep-alive tells the server to leave the TCP connection open after a response so that further requests from the same client reuse it instead of opening a new connection.
  • An idle keep-alive connection still occupies a worker connection slot and a file descriptor for as long as it stays open, so generous timeouts trade memory for latency.
  • keepalive_timeout
    • First parameter: how long an idle keep-alive connection stays open on the server side before nginx closes it. The directive's built-in default is 75 seconds; the 65 seen here is the value shipped in the sample nginx.conf. Some browsers hold a connection for at most 60 seconds, so 60 is a common choice. 0 disables keep-alive connections.
    • Second parameter (optional): the value placed in the Keep-Alive: timeout=time response header, which lets browsers close the connection themselves so the server does not have to. Without it nginx sends no Keep-Alive header.
  • client_header_timeout
    • How long the client has to send a complete request header. If it has not arrived in time, nginx answers HTTP 408 (Request Time-out). The default is 60 seconds.
  • client_body_timeout
    • Timeout for reading the request body, measured between two successive read operations rather than for the transmission of the whole body. If nothing arrives within that period, nginx answers HTTP 408. The default is 60 seconds.
  • Short header and body timeouts also bound how long a client that trickles a request byte by byte can tie up a connection, so 80 seconds is on the generous side for a public server.

Six, number of worker processes

nproc									#number of logical CPUs (grep -c "physical id" /proc/cpuinfo gives the same figure on x86 because every logical CPU entry carries that line; it does not count sockets)
ps aux | grep nginx							#how many worker processes the master has spawned

vim /usr/local/nginx/conf/nginx.conf
worker_processes  2;				#set to the CPU count, or twice it; "auto" (nginx 1.2.5 and later) picks the CPU count itself
worker_cpu_affinity 01 10;			#pin each worker to its own CPU; for 4 workers use 0001 0010 0100 1000, or "auto" (nginx 1.9.10 and later)

systemctl restart nginx

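Added helper, not part of the article: it generates the worker_processes and worker_cpu_affinity lines for any core count, reading the count with nproc. The function names are this example's own; the masks follow the convention in the comment above (rightmost bit is CPU 0, one bit set per worker).

```bash
#!/bin/bash
# Added example (not from the article): build the worker_processes and
# worker_cpu_affinity directives for a given core count. Function names
# are this example's own.

# cpu_count: number of logical CPUs on this host
cpu_count() {
    nproc 2>/dev/null || grep -c '^processor' /proc/cpuinfo 2>/dev/null || echo 1
}

# affinity_masks N: N masks of N bits, worker i pinned to CPU i
# (rightmost bit is CPU 0), e.g. affinity_masks 4 -> 0001 0010 0100 1000
affinity_masks() {
    local n="$1" i=0 j mask out=""
    while [ "$i" -lt "$n" ]; do
        mask=""
        j=$((n - 1))
        while [ "$j" -ge 0 ]; do
            if [ "$j" -eq "$i" ]; then mask="${mask}1"; else mask="${mask}0"; fi
            j=$((j - 1))
        done
        out="${out:+$out }$mask"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# worker_directives N: the two nginx.conf lines for N workers
worker_directives() {
    printf 'worker_processes  %s;\nworker_cpu_affinity %s;\n' "$1" "$(affinity_masks "$1")"
}

worker_directives "$(cpu_count)"
```

On nginx 1.12.0 the two "auto" settings do the same thing at runtime; the generator is useful when the mask list has to be written out explicitly, for example to leave one CPU free for php-fpm.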

Seven, web page compression

vim /usr/local/nginx/conf/nginx.conf
http {
...... 
   gzip on;                   #uncomment: enable gzip compression
   gzip_min_length 1k;        #smallest response that gets compressed
   gzip_buffers 4 64k;        #compression buffers: 4 buffers of 64k each
   gzip_http_version 1.1;     #minimum request HTTP version to compress for (default 1.1; use 1.0 if a squid 2.5 proxy sits in front)
   gzip_comp_level 6;         #compression level, 1 (fastest) to 9 (smallest)
   gzip_vary on;              #add "Vary: Accept-Encoding" so caching proxies keep compressed and uncompressed copies apart
   gzip_types text/plain text/javascript application/x-javascript text/css text/xml application/xml application/xml+rss image/jpg image/jpeg image/png image/gif application/x-httpd-php application/javascript application/json;  #MIME types to compress in addition to text/html, which is always compressed
...... 
}

Two caveats. image/jpg, image/jpeg, image/png and image/gif are already-compressed formats, so gzip burns CPU on them for no gain and they can be dropped from gzip_types. And when a response served over TLS mixes a per-user secret (session id, CSRF token) with content an attacker can influence, compression lets the secret be recovered from response sizes (the BREACH attack); keep gzip for static assets and think before enabling it for such dynamic pages.

Eight, anti-hotlinking (Referer check)

vim /usr/local/nginx/conf/nginx.conf
http {
......
	server {
	......
		location ~* \.(jpg|gif|swf)$ {
			valid_referers none  blocked *.qiaodaer.com;
			if ( $invalid_referer ) {
				rewrite ^/ http://www.qiaodaer.com/error.png;
				#return 403;
			}
		}
	......
	}
}
  • ~* \.(jpg|gif|swf)$: case-insensitive match on URIs ending in .jpg, .gif or .swf;
  • valid_referers: the list of trusted sources; requests whose Referer matches may use the images normally;
  • none: allow requests that carry no Referer header at all (the Referer names the page a request was linked from; typing http://www.qiaodaer.com/asa.jpg straight into the address bar sends none). When a page on http://www.qiaodaer.com embeds game.jpg, the request for http://www.qiaodaer.com/game.jpg carries Referer: http://www.qiaodaer.com;
  • blocked: allow requests whose Referer is present but does not start with http:// or https://, which is what a firewall or proxy that strips the header value leaves behind;
  • *.qiaodaer.com: allow requests whose Referer host is a subdomain of qiaodaer.com, such as http://www.qiaodaer.com;
  • if statement: when the Referer matches nothing in valid_referers, $invalid_referer is set to "1" and the block runs: either rewrite to the placeholder image or return 403.

Two things to keep in mind. The Referer is chosen by the client (curl -e sets any value), so this stops casual embedding from other sites, not a deliberate downloader. And the rewrite target http://www.qiaodaer.com/error.png ends in .png, which this location does not match, so the placeholder is served without the check; if the placeholder were a .jpg or .gif on the same host, the redirected request would carry the same foreign Referer and loop. Keep the placeholder outside the protected extensions, or use return 403.
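Added example, not from the article: a shell model of "valid_referers none blocked *.qiaodaer.com" so the three categories can be tried against sample Referer values without a browser. The sample values are constructed, the host name is the one from the config above, the function names are this example's own, and the wildcard semantics follow nginx as this example models them (*.qiaodaer.com matches any subdomain, not the bare qiaodaer.com).

```bash
#!/bin/bash
# Added example (not from the article): a shell model of
#   valid_referers none blocked *.qiaodaer.com;
# Sample Referer values below are constructed.

# referer_valid REFERER: succeed when nginx would leave $invalid_referer empty
referer_valid() {
    local ref="$1" host
    # none: the request carried no Referer header at all
    [ -z "$ref" ] && return 0
    # blocked: header present but without a scheme, the trace a firewall
    # or proxy leaves when it strips the value; nginx allows it
    case "$ref" in
        http://*|https://*) ;;
        *) return 0 ;;
    esac
    # named domain: isolate the host part and compare it case-insensitively
    host=${ref#http://}
    host=${host#https://}
    host=${host%%/*}
    host=${host%%:*}
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    case "$host" in
        *.qiaodaer.com) return 0 ;;
    esac
    return 1
}

# decision REFERER: what the if ($invalid_referer) block would do
decision() {
    if referer_valid "$1"; then echo "serve"; else echo "deny (rewrite to error.png or 403)"; fi
}

for r in "" \
         "http://www.qiaodaer.com/index.html" \
         "https://IMG.qiaodaer.com:8080/gallery" \
         "http://qiaodaer.com/" \
         "http://www.qiaodaer.com.evil.example/steal.html" \
         "http://evil.example/steal.html" \
         "stripped-by-proxy"; do
    printf 'Referer: %-48s -> %s\n' "${r:-<absent>}" "$(decision "$r")"
done
```

The two lookalike hosts in the sample list are the cases worth checking in any Referer rule: www.qiaodaer.com.evil.example is denied because the match is anchored on the end of the host, and bare qiaodaer.com is denied because the wildcard requires a subdomain; add "qiaodaer.com" to valid_referers if the apex domain also serves pages.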

Nine, php-fpm parameter tuning

cd /usr/local/php/etc/
cp php-fpm.conf.default php-fpm.conf
vim php-fpm.conf
pid = run/php-fpm.pid			#pid file, relative to /usr/local/php/var; the reload step below reads it

vim /usr/local/php/etc/php-fpm.d/www.conf
#line 96
pm = dynamic		#how fpm manages child processes: dynamic
#line 107
pm.max_children = 20  #upper limit on the number of child processes
#line 112
pm.start_servers = 5  #children started at launch in dynamic mode; must lie between the two spare limits
#line 117
pm.min_spare_servers = 2  #minimum number of idle children in dynamic mode
#line 122
pm.max_spare_servers = 8  #maximum number of idle children in dynamic mode

#start php-fpm (this launches a new instance; it is not a restart command)
/usr/local/php/sbin/php-fpm  -c /usr/local/php/lib/php.ini
#once it is running, USR2 makes it re-read the configuration and restart its workers gracefully
kill -USR2 `cat /usr/local/php/var/run/php-fpm.pid`
netstat -anpt | grep 9000
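php-fpm refuses to start when the dynamic pool numbers are inconsistent. The following shell check, added here and not part of the article, applies the rules php-fpm enforces for pm = dynamic (pm.max_children > 0; pm.min_spare_servers <= pm.max_spare_servers <= pm.max_children; pm.start_servers between the two spare values) to an ini snippet built from the values above. The snippet is constructed and the function names are this example's own.

```bash
#!/bin/bash
# Added check (not from the article): validate the dynamic pm settings of a
# php-fpm pool the way php-fpm itself does at startup. POOL_CONF is a
# constructed snippet using the article's values.

POOL_CONF='[www]
pm = dynamic
pm.max_children = 20
pm.start_servers = 5
pm.min_spare_servers = 2
pm.max_spare_servers = 8'

# ini_value CONF KEY: value of KEY from an ini-style pool config
ini_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        { gsub(/[ \t]/, "", $1) }
        $1 == k { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }'
}

# check_pm CONF: print one line per violated rule; succeed when there are none
check_pm() {
    local conf="$1" mode max start min_s max_s bad=0
    mode=$(ini_value "$conf" pm)
    [ "$mode" = dynamic ] || { echo "pm=$mode: the rules below apply to dynamic only"; return 0; }
    max=$(ini_value "$conf" pm.max_children)
    start=$(ini_value "$conf" pm.start_servers)
    min_s=$(ini_value "$conf" pm.min_spare_servers)
    max_s=$(ini_value "$conf" pm.max_spare_servers)
    [ "$max" -gt 0 ]          || { echo "pm.max_children must be > 0"; bad=1; }
    [ "$min_s" -le "$max_s" ] || { echo "pm.min_spare_servers > pm.max_spare_servers"; bad=1; }
    [ "$max_s" -le "$max" ]   || { echo "pm.max_spare_servers > pm.max_children"; bad=1; }
    [ "$start" -ge "$min_s" ] && [ "$start" -le "$max_s" ] \
        || { echo "pm.start_servers must lie between pm.min_spare_servers and pm.max_spare_servers"; bad=1; }
    return $bad
}

check_pm "$POOL_CONF" && echo "pool settings consistent"
```

Run it against the real file with check_pm "$(cat /usr/local/php/etc/php-fpm.d/www.conf)" before the USR2 reload: a pool that fails these rules makes php-fpm exit instead of reloading, and nginx then answers 502 on port 9000 requests.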


Origin blog.csdn.net/Lucien010230/article/details/115350003