Build an efficient and secure Nginx web server (repost)

1. Why choose Nginx to build a web server

Apache and Nginx are currently the two most popular web servers, and Apache appeared earlier. Apache HTTP Server (Apache for short) is the world's most widely used web server software. It is an open-source web server from the Apache Software Foundation that runs on almost every platform, and its open API lets any organization or individual extend it with whatever functions they need.

Nginx ("engine x") is a high-performance HTTP and reverse proxy server, as well as an IMAP/POP3/SMTP proxy server. Nginx was developed by Igor Sysoev for Rambler.ru, the second most visited site in Russia, and the first public version, 0.1.0, was released on October 4, 2004. Its source code is released under a BSD-like license, and it is known for its stability, rich feature set, simple configuration files, and low consumption of system resources.

In the early days of the Internet, websites were small and traffic was light: a site might see tens of thousands of IPs a day at most, and Apache fully met that need. People developed modules for it such as the rewrite module, access control lists, cache modules and more. But as the Internet grew rapidly, website traffic increased exponentially. Large websites could add hardware, but a typical Apache server was still overwhelmed: Apache is not perfect, and it is no longer suitable for large-scale systems.

Why? Because its process model, although simple and flexible, does not scale well, especially with memory-intensive application code such as PHP. So Nginx began to rise. It was originally designed by Russian engineers to solve the high-concurrency needs of large websites, so high concurrency was destined to be its lasting advantage. The third point is reverse proxying. Large websites today have a detailed division of labor: some servers handle data streams, others serve static files, and something has to direct traffic between them. Nginx is generally used as a reverse proxy in front of the intranet servers, providing load balancing and offloading. Finally, Nginx is highly modular, and writing modules is relatively simple.

Nginx is a high-performance web and reverse proxy server with many excellent features:

As a web server: compared with Apache, Nginx uses fewer resources, supports more concurrent connections and is more efficient, which makes it especially popular with web hosting providers. It can handle up to 50,000 concurrent connections, thanks to its choice of epoll and kqueue as its event model.

As a load balancing server: Nginx can serve Rails and PHP directly and can also act as an HTTP proxy for external services. Nginx is written in C, so its system resource overhead and CPU efficiency are much better than Perlbal's.

Nginx is very simple to install, its configuration file is very concise (it can even support Perl syntax), and it has very few bugs: Nginx starts easily and can run 7*24 practically uninterrupted; even after several months of operation it does not need to be restarted, and software version upgrades can be performed without interrupting service.

2. Nginx installation

1. Installation instructions

System environment: CentOS-6.6
Software: nginx-1.8.0.tar.gz
Installation method: Source code compilation and installation
Installation location: /opt/program/nginx-1.8.0
Download address: http://nginx.org/en/download.html

2. Install the necessary software

# yum install gcc-c++
# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Check whether the system already has an Nginx installed (sample output follows the command):

# find -name nginx
./nginx
./nginx/sbin/nginx
./nginx-1.2.6/objs/nginx

Uninstall the original Nginx:

# yum remove nginx

3. Installation and compilation

Upload the installation package to /opt/software and run the following:

# cd /opt/program
# mkdir nginx
# tar -zxvf ../software/nginx-1.8.0.tar.gz
# cd nginx-1.8.0
# ./configure --prefix=/opt/program/nginx

Note: this specifies the Nginx installation directory; most users are accustomed to installing under /usr/local/nginx.

# make                compile
# make install        install

4. Configure service items

Modify the firewall configuration:
# vi + /etc/sysconfig/iptables
Add the rule:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Restart the firewall:
# service iptables restart

5. Start

method 1

# /opt/program/nginx/sbin/nginx -c /opt/program/nginx/conf/nginx.conf

Method 2

# /opt/program/nginx/sbin/nginx
Find the nginx master process ID:
# ps -ef | grep nginx
Force stop:
# pkill -9 nginx
Reload the configuration:
# /opt/program/nginx/sbin/nginx -s reload
Test:
# netstat -na | grep 80
Test in the browser:
http://ip:80

3. Configure Nginx to support high concurrency

1. General Nginx optimization

Edit nginx.conf and modify related parameters for optimization.

worker_processes 8;

The number of Nginx worker processes. It is recommended to set it according to the number of CPUs, generally a multiple of it (for example, 2 quad-core CPUs count as 8).

worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
worker_rlimit_nofile 65535;

This directive sets the maximum number of file descriptors a single Nginx process may open. In theory it should be the maximum open-file count (ulimit -n) divided by the number of nginx processes, but Nginx does not distribute requests that evenly, so it is best to keep it equal to the value of ulimit -n. Here, under the Linux 2.6 kernel, the open-file limit is set to 65535, so worker_rlimit_nofile should correspondingly be 65535.

worker_connections 65535;

The maximum number of connections allowed per worker process; in theory the maximum number of connections for one nginx server is worker_processes * worker_connections.

keepalive_timeout 60;

The keepalive timeout.

client_header_buffer_size 4k;

The buffer size for client request headers. This can be set according to your system's page size: a request header generally does not exceed 1k, but since the system page size is usually larger than 1k, it is set to the page size here.

open_file_cache max=65535 inactive=60s;

This enables a cache for open files, which is disabled by default. max specifies the number of cache entries and is recommended to match the open-file limit; inactive specifies how long a file may go without being requested before its cache entry is removed.

open_file_cache_valid 80s;

How often the validity of cached entries is checked.

open_file_cache_min_uses 1;

The minimum number of times a file must be used within the inactive period of the open_file_cache directive. If a file reaches this count, its descriptor stays open in the cache; as in the example above, if a file is not used even once within the inactive time, it is removed.
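As an added example (not from the original article), the following Python script parses a constructed nginx.conf fragment and checks the relationships the text describes: worker count against CPUs, worker_rlimit_nofile against ulimit -n, worker_connections against the descriptor limit, and open_file_cache max against it; the cpu_count and ulimit_n arguments stand in for values you would read from the live system.

```python
import re

# Constructed nginx.conf fragment carrying the directives from this section
NGINX_CONF = """
worker_processes 8;
worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
worker_rlimit_nofile 65535;
events { worker_connections 65535; }
http {
    keepalive_timeout 60;
    client_header_buffer_size 4k;
    open_file_cache max=65535 inactive=60s;
}
"""

def parse_directives(text):
    """Map each simple 'name args;' directive to its argument list (block names are skipped)."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r'(\w+)\s+([^;{}]*?)\s*;', text)}

def check_tuning(conf_text, cpu_count, ulimit_n):
    """Apply the consistency rules the text states; returns the theoretical
    client capacity and a list of findings (empty when the config is coherent)."""
    d = parse_directives(conf_text)
    findings = []
    procs = int(d['worker_processes'][0])
    conns = int(d['worker_connections'][0])
    nofile = int(d['worker_rlimit_nofile'][0])
    masks = d.get('worker_cpu_affinity', [])
    if procs != cpu_count:
        findings.append(f'worker_processes {procs} does not match {cpu_count} CPUs')
    if masks and len(masks) != procs:
        findings.append(f'{len(masks)} CPU affinity masks for {procs} workers')
    if nofile > ulimit_n:
        findings.append(f'worker_rlimit_nofile {nofile} exceeds ulimit -n {ulimit_n}')
    if conns > nofile:
        findings.append(f'worker_connections {conns} exceeds worker_rlimit_nofile {nofile}')
    cache = dict(a.split('=') for a in d.get('open_file_cache', []))
    if cache and int(cache.get('max', 0)) != nofile:
        findings.append(f"open_file_cache max={cache.get('max')} should equal worker_rlimit_nofile")
    return {'max_clients': procs * conns, 'findings': findings}

if __name__ == '__main__':
    print(check_tuning(NGINX_CONF, cpu_count=8, ulimit_n=65535))   # coherent: no findings
    print(check_tuning(NGINX_CONF, cpu_count=4, ulimit_n=1024))    # two findings
```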

2. Kernel parameter optimization

Edit sysctl.conf to optimize the Linux kernel.

net.ipv4.tcp_max_tw_buckets = 6000

The maximum number of TIME-WAIT sockets; the default is 180000.

net.ipv4.ip_local_port_range = 1024 65000

The range of local ports the system may use.

net.ipv4.tcp_tw_recycle = 1

Enable fast recycling of TIME-WAIT sockets.

net.ipv4.tcp_tw_reuse = 1

Enable reuse: allow TIME-WAIT sockets to be reused for new TCP connections.

net.ipv4.tcp_syncookies = 1

Enable SYN cookies: when the SYN queue overflows, cookies are used to handle the connections.

net.core.somaxconn = 262144

The backlog of the listen() call in web applications is limited by the kernel parameter net.core.somaxconn, which defaults to 128, while the NGX_LISTEN_BACKLOG defined by nginx defaults to 511, so this value needs to be adjusted.

net.core.netdev_max_backlog = 262144

The maximum number of packets allowed to queue when a network interface receives packets faster than the kernel can process them.

net.ipv4.tcp_max_orphans = 262144

The maximum number of TCP sockets in the system that are not attached to any user file handle. If this number is exceeded, orphaned connections are reset immediately and a warning is printed. This limit exists only to prevent simple DoS attacks; do not rely on it too much or reduce it artificially. Rather, increase it (after adding memory).

net.ipv4.tcp_max_syn_backlog = 262144

The maximum number of recorded connection requests that have not yet received the client's acknowledgement. For systems with 128M of memory the default is 1024; for systems with less memory it is 128.

net.ipv4.tcp_timestamps = 0

Timestamps avoid sequence number wraparound. A 1Gbps link will certainly encounter previously used sequence numbers; timestamps let the kernel accept such "abnormal" packets. Here it is turned off.

net.ipv4.tcp_synack_retries = 1

To open a connection to a peer, the kernel needs to send a SYN together with an ACK acknowledging the earlier SYN, i.e. the second step of the three-way handshake. This setting determines how many SYN+ACK packets the kernel sends before giving up on the connection.

net.ipv4.tcp_syn_retries = 1

The number of SYN packets sent before the kernel gives up establishing a connection.

net.ipv4.tcp_fin_timeout = 1

If the socket is closed by the local end, this parameter determines how long it stays in the FIN-WAIT-2 state. The peer may misbehave and never close the connection, or even crash unexpectedly. The default is 60 seconds; the usual value in the 2.2 kernel was 180 seconds. You can use this setting, but remember that even a lightly loaded web server risks running out of memory because of large numbers of dead sockets. FIN-WAIT-2 is less dangerous than FIN-WAIT-1 because it consumes at most 1.5K of memory, but such sockets live longer.

net.ipv4.tcp_keepalive_time = 30

How often TCP sends keepalive messages when keepalive is enabled. The default is 2 hours.
After the above optimizations, Nginx can support more than 50,000 concurrent connections.
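The following Python audit, added here and not part of the original article, parses the sysctl fragment from this section and flags combinations a practitioner should know about: tcp_tw_recycle (which drops clients behind NAT and was removed in Linux 4.12), tcp_tw_reuse with timestamps disabled (reuse depends on timestamps), and somaxconn below the nginx backlog of 511 the text mentions.

```python
# Constructed sysctl.conf fragment with the values recommended in this section
SYSCTL_CONF = """
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_fin_timeout = 1
"""

NGX_LISTEN_BACKLOG = 511   # nginx default listen backlog named in the text

def parse_sysctl(text):
    """Parse 'key = value' lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if '=' in line:
            key, value = line.split('=', 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_sysctl(conf):
    """Return the settings that contradict each other or current kernel behaviour."""
    findings = []
    if conf.get('net.ipv4.tcp_tw_recycle') == '1':
        findings.append('tcp_tw_recycle: breaks clients behind NAT and was removed in Linux 4.12')
    if conf.get('net.ipv4.tcp_tw_reuse') == '1' and conf.get('net.ipv4.tcp_timestamps') == '0':
        findings.append('tcp_tw_reuse: has no effect while tcp_timestamps = 0')
    if conf.get('net.ipv4.tcp_syncookies', '1') != '1':
        findings.append('tcp_syncookies: should stay enabled to survive SYN queue overflow')
    if int(conf.get('net.core.somaxconn', 128)) < NGX_LISTEN_BACKLOG:
        findings.append('somaxconn: below the nginx default backlog of 511, so listen() is capped')
    low, high = (int(p) for p in conf.get('net.ipv4.ip_local_port_range', '32768 60999').split())
    if low < 1024 or high > 65535 or low >= high:
        findings.append('ip_local_port_range: invalid or overlaps privileged ports')
    return findings

if __name__ == '__main__':
    for finding in audit_sysctl(parse_sysctl(SYSCTL_CONF)):
        print('WARN', finding)
```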

4. Nginx security configuration

There are many Nginx security configuration guides online; this article chooses the Nginx security configuration strategy that fits my own environment.

1. Remove all unneeded Nginx modules

Minimize the number of modules by compiling Nginx from source. Limiting the web server to only the modules it needs keeps the risk to a minimum. For example, to disable the SSI and autoindex modules, run:

#./configure --without-http_autoindex_module --without-http_ssi_module
# make
# make install

Use the following command to see which modules can be enabled or disabled when compiling Nginx:

#./configure --help | less

Then disable the Nginx modules you do not use.

2. Install an SELinux policy to harden the Nginx web server

The default SELinux policy does not protect the Nginx web server, so here I install and compile the protective policy module.
Install the environment needed to compile SELinux policies:

# yum -y install selinux-policy-targeted selinux-policy-devel

Download the SELinux policy for hardening the Nginx web server:

# cd /opt
# wget 'http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc'

Extract the archive:

# tar -zxvf se-ngix_1_0_10.tar.gz

Compile the policy:

# cd se-ngix_1_0_10/nginx
# make

The output will look like this:

Compiling targeted nginx module
/usr/bin/checkmodule: loading policy configuration from tmp/nginx.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/nginx.mod
Creating targeted nginx.pp policy package
# rm tmp/nginx.mod.fc tmp/nginx.mod

Install the generated nginx.pp SELinux module:

# /usr/sbin/semodule -i nginx.pp

3. Mitigate buffer overflow attacks

Edit nginx.conf and set buffer size limits for all clients.

# vi /usr/local/nginx/conf/nginx.conf

Edit and set the buffer size limits for all clients as follows:

## Start: Size Limits & Buffer Overflows ##
client_body_buffer_size  1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
## END: Size Limits & Buffer Overflows ##

4. Limit concurrent connections

Use the NginxHttpLimitZone module (ngx_http_limit_conn_module in current versions) to limit the number of concurrent connections for a given session or a single IP address. The old limit_zone directive was removed in nginx 1.7.6, so for the 1.8.0 build used here the limit_conn_zone form is required. Edit nginx.conf:

limit_conn_zone $binary_remote_addr zone=slimits:5m;
limit_conn slimits 5;

This limits each remote IP address to at most 5 simultaneously open connections.

5. Limit the available request methods

GET and POST are the most common methods on the Internet. The web server methods are defined in RFC 2616. If the web server does not need all available methods, the others should be disabled. The following directive only allows GET, HEAD and POST:

## Only allow these request methods ##
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
## Do not accept DELETE, SEARCH and other methods ##

6. Reject some User-Agents

You can easily block User-Agents such as scanners, bots and spammers that abuse your server.

## Block download agents ##
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
return 403;
}
##

Block the Soso and Youdao bots:

## Block some robots ##
if ($http_user_agent ~* Sosospider|YodaoBot) {
return 403;
}

7. Prevent image hotlinking

Image or HTML hotlinking means someone uses your site's image URLs directly to display the images on their own site. The result is that you pay for the extra bandwidth. This needs to be blocked so that hotlinking is prevented.

# Stop deep linking or hot linking
location /images/ {
valid_referers none blocked www.example.com example.com;
if ($invalid_referer) {
return   403;
}
}
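To see what the rules from sections 5, 6 and 7 do together, here is an added Python model (not the article's code) that applies the same method check, User-Agent regex and valid_referers logic to constructed sample requests and returns the status nginx would produce; the hostnames and requests are made up for the illustration.

```python
import re
from urllib.parse import urlsplit

# The three rule sets from sections 5, 6 and 7, expressed as Python equivalents
ALLOWED_METHODS = re.compile(r'^(GET|HEAD|POST)$')
BLOCKED_AGENTS = re.compile(r'LWP::Simple|BBBike|wget|Sosospider|YodaoBot', re.IGNORECASE)  # ~* is case-insensitive
VALID_REFERER_HOSTS = {'www.example.com', 'example.com'}

def referer_is_valid(referer):
    """Mirror 'valid_referers none blocked www.example.com example.com'."""
    if referer is None:                        # none: the request carries no Referer header
        return True
    if not re.match(r'https?://', referer, re.IGNORECASE):
        return True                            # blocked: header present but scheme stripped by a proxy
    host = urlsplit(referer).hostname or ''
    return host.lower() in VALID_REFERER_HOSTS

def decide(method, path, user_agent='', referer=None):
    """Status the page's rules would yield: 444 (connection closed), 403, or 200 when served."""
    if not ALLOWED_METHODS.match(method):                 # section 5: only GET, HEAD, POST
        return 444
    if BLOCKED_AGENTS.search(user_agent or ''):           # section 6: unwanted agents
        return 403
    if path.startswith('/images/') and not referer_is_valid(referer):   # section 7: hotlinking
        return 403
    return 200

# Constructed sample requests: (method, path, User-Agent, Referer)
SAMPLE_REQUESTS = [
    ('GET', '/index.html', 'Mozilla/5.0', None),
    ('DELETE', '/index.html', 'Mozilla/5.0', None),
    ('GET', '/index.html', 'Wget/1.14 (linux-gnu)', None),
    ('GET', '/images/logo.png', 'Mozilla/5.0', 'http://www.example.com/page.html'),
    ('GET', '/images/logo.png', 'Mozilla/5.0', 'http://other.invalid/steal.html'),
    ('GET', '/images/logo.png', 'Mozilla/5.0', None),
]

def evaluate(requests=SAMPLE_REQUESTS):
    """Return the status for each sample request in order."""
    return [decide(*req) for req in requests]

if __name__ == '__main__':
    for req, status in zip(SAMPLE_REQUESTS, evaluate()):
        print(status, req[0], req[1])
```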

8. Limit connections per IP at the firewall level

A web server must monitor connections and limit connections per second. Both PF and iptables can block end users before they reach your Nginx server.
Linux iptables: limit the number of Nginx connections
The following example blocks an IP that makes more than 15 connections to port 80 within 60 seconds.

# /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j DROP
service iptables save

I set it so that one IP is allowed only 10 Nginx connections within 60 seconds.
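As an added illustration (not from the article), this Python model of the two recent-module rules above replays a constructed connection trace and shows which attempts the 60-second / 15-hit rule drops; it simplifies the kernel module, which also caps stored timestamps per address at ip_pkt_list_tot (20 by default).

```python
from collections import defaultdict, deque

class RecentLimiter:
    """Model of the two-rule chain: '-m recent --set' records every NEW packet,
    then '-m recent --update --seconds S --hitcount N -j DROP' drops the source
    once N new connections fall inside the last S seconds (dropped attempts still count)."""

    def __init__(self, seconds=60, hitcount=15):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)   # source IP -> timestamps of recent NEW packets

    def new_connection(self, src, now):
        """Return 'ACCEPT' or 'DROP' for a new TCP connection to port 80 from src at time now."""
        window = self.hits[src]
        window.append(now)                                  # rule 1: --set
        while window and now - window[0] > self.seconds:
            window.popleft()                                # only hits within --seconds count
        if len(window) >= self.hitcount:                    # rule 2: --update --hitcount
            return 'DROP'
        return 'ACCEPT'

def simulate(events, seconds=60, hitcount=15):
    """events: iterable of (time, source IP); returns the verdict for each event in order."""
    limiter = RecentLimiter(seconds, hitcount)
    return [limiter.new_connection(src, t) for t, src in events]

# Constructed trace: 16 attempts from one client within a minute, one from it later, one from another
TRACE = [(t, '203.0.113.7') for t in range(16)] + [(120, '203.0.113.7'), (121, '198.51.100.9')]

if __name__ == '__main__':
    for (t, src), verdict in zip(TRACE, simulate(TRACE)):
        print(f't={t:3d} {src:14s} {verdict}')
```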

9. Configure the operating system to protect the web server

The Nginx process generally runs as the user nginx. But the document root (/nginx or /usr/local/nginx/html) should not be owned by or writable by the user nginx. Use the following commands to find files with wrong ownership:

# find /nginx -user nginx
# find /usr/local/nginx/html -user nginx

Make sure ownership is changed to root or another user. A typical permission setup for /usr/local/nginx/html/:

# ls -l /usr/local/nginx/html/

Sample output:

-rw-r--r-- 1 root root 925 Jan  3 00:50 error4xx.html
-rw-r--r-- 1 root root  52 Jan  3 10:00 error5xx.html
-rw-r--r-- 1 root root 134 Jan  3 00:52 index.html

Delete backup files created by vi or other text editors:

# find /nginx -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'
# find /usr/local/nginx/html/ -name '.?*' -not -name '.ht*' -or -name '*~' -or -name '*.bak*' -or -name '*.old*'

Use the -delete option of find to remove these files.

10. Restrict outbound connections from Nginx

Attackers use tools such as wget to download files onto your server. Use iptables to block outbound connections from the nginx user. The ipt_owner module matches the creator of locally generated packets. In the following example, only the specified user (vivek in the command) is allowed to make outbound connections on port 80; an ACCEPT rule on its own allows nothing new, so the block only takes effect together with a matching DROP rule for the nginx user placed after it.

# /sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

5. Summary

This article only builds a web server suited to my own needs, and I hope it is helpful to everyone. Nginx is a good tool, and its capabilities are by no means limited to building web servers; its further functions await everyone's continued exploration. I look forward to Nginx bringing us more surprises.

Source: https://blog.csdn.net/luozhuwang/article/details/50827205
