Nginx service performance and security optimization

Table of contents

1. Configure Nginx to hide version-related information
   1. Hide the version number
   2. Modify the version number and related information
2. Modify the owner and group of the Nginx runtime
3. Configure the Nginx web page cache time
4. Configure Nginx site log segmentation
5. Set Nginx long connections and timeouts
6. Configure Nginx web page compression
7. Configure Nginx anti-leech (hotlink protection)
   1. Simulate hotlinking
   2. Configure anti-leech and test


1. Configure Nginx to hide version-related information

1. Hide the version number

Modify the nginx.conf file, add server_tokens off; in the http block, and reload the service.

Then obtain the response headers and check the Server header (in the browser's developer tools or with a command-line tool).

2. Modify the version number and related information

If you added server_tokens off in nginx.conf in the previous step, you need to comment it out first!

Modify the version information in the source code (after the modification you need to recompile and install).

(This changes only the string that is displayed to clients; the real version of the software is unchanged.)

Recompile and install:

cd /opt/nginx-1.12.0/
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_stub_status_module

make && make install

systemctl restart nginx.service

Obtain the response headers again and check that the Server header now shows the modified information.

2. Modify the owner and group of the Nginx runtime

Modify the nginx.conf file.

Check that the Nginx worker processes now run as the configured user (the default is nobody).
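As an added example (not from the original post), a small shell check for this step: it reads the user directive from an nginx.conf and lists any worker processes that are not running as that user, so a typo in the directive or a stale master process does not go unnoticed. The nginx.conf fragment and the ps output below are constructed samples; the path /usr/local/nginx/conf/nginx.conf is an assumption taken from the --prefix used in the build above.

```shell
#!/bin/sh
# Added example: verify that Nginx workers run as the user set in nginx.conf.
# The config fragment and ps output below are constructed samples.
# Live use:
#   want=$(config_user < /usr/local/nginx/conf/nginx.conf)
#   ps -eo user,group,pid,args | workers_not_running_as "$want"

# Print the user named by the "user" directive of an nginx.conf read on stdin.
# "user nginx nginx;" and "user nginx;" both yield "nginx"; commented lines
# such as "#user nobody;" are skipped. Nginx's default when the directive is
# absent is nobody, so fall back to that.
config_user() {
    u=$(awk '$1 == "user" { sub(/;$/, "", $2); print $2; exit }')
    printf '%s\n' "${u:-nobody}"
}

# Read "ps -eo user,group,pid,args" output on stdin and print the PIDs of
# worker processes whose user is not $1. The master process is expected to
# run as root (it binds port 80 and reads the config), so it is not checked.
workers_not_running_as() {
    awk -v want="$1" '/nginx: worker process/ && $1 != want { print $3 }'
}

# Constructed sample config (a commented-out default plus the real directive).
SAMPLE_CONF='worker_processes 1;
#user nobody;
user nginx nginx;
events { worker_connections 1024; }'

# Constructed sample ps output with one worker still running as nobody.
SAMPLE_PS='USER     GROUP     PID ARGS
root     root     1001 nginx: master process /usr/local/nginx/sbin/nginx
nginx    nginx    1002 nginx: worker process
nobody   nobody   1003 nginx: worker process'

want=$(printf '%s\n' "$SAMPLE_CONF" | config_user)
bad=$(printf '%s\n' "$SAMPLE_PS" | workers_not_running_as "$want")
if [ -n "$bad" ]; then
    echo "worker(s) not running as '$want': $bad"
else
    echo "all workers run as '$want'"
fi
```

A worker left running as the old user after a config change usually means the service was reloaded without the master having re-read the user directive, or a second master is running from another config; fix the configuration and restart the service rather than ignoring the mismatch.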

3. Configure the Nginx web page cache time

After Nginx returns page data to the client, a cache time can be set so that the same content is served directly from the browser's cache on later requests; this avoids repeated requests and speeds up access.

It is generally set for static pages; no cache time is set for dynamic pages.

Modify the nginx.conf file and add the expires directive in the http block, the server block, or a location block:

# ~ means the location is matched with a regular expression; the pattern matches files
# whose name ends with one of the extensions separated by |
location ~ \.(gif|jpg|jpeg|png|mp4|mp3|txt)$ {
    root html;
    expires 1d;    # cache time is 1 day
}

Add some pictures and access them to test.

Check the response headers: max-age=86400 (86400 seconds is 1 day) shows that the setting has taken effect.

4. Configure Nginx site log segmentation

Write a script that moves the current log to a file named after the date. Because it is executed in the early morning of the next day, it obtains the date of the previous day for the file name.

Execute the script and test it.

Add it to the scheduled tasks (cron).
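The post's own script is only shown as a screenshot, so here is an added example of such a rotation script (it is not the author's script). It assumes the log and pid file paths that follow from --prefix=/usr/local/nginx, an archive directory of /var/log/nginx/archive, GNU date for the "previous day" calculation, and a 30-day retention; all of these are assumptions to adjust. When no Nginx log exists it runs on a constructed log in a temporary directory so the logic can be tried offline.

```shell
#!/bin/sh
# Added example: daily rotation of the Nginx access log, run from cron shortly
# after midnight. Paths are assumptions matching --prefix=/usr/local/nginx.

LOG_DIR=/usr/local/nginx/logs
PID_FILE=/usr/local/nginx/logs/nginx.pid
ARCHIVE_DIR=/var/log/nginx/archive
KEEP_DAYS=30

# Rotate $1 (log file) into $2 (archive dir) as <name>-$3, then ask the master
# process named in pid file $4 to reopen its logs. Nginx keeps writing to the
# moved inode until it receives USR1, so the order is: mv first, signal last.
rotate_log() {
    logfile=$1; archive=$2; stamp=$3; pidfile=$4
    [ -f "$logfile" ] || { echo "no log at $logfile" >&2; return 1; }
    mkdir -p "$archive"
    mv "$logfile" "$archive/$(basename "$logfile")-$stamp"
    if [ -r "$pidfile" ]; then
        kill -USR1 "$(cat "$pidfile")"      # nginx reopens log files on USR1
    else
        # No running master (dry run): recreate the file so the path exists.
        : > "$logfile"
    fi
    # Remove archives older than KEEP_DAYS so the disk does not fill up.
    find "$archive" -name "$(basename "$logfile")-*" -mtime +"$KEEP_DAYS" -delete
}

# The job runs at 00:xx, so the archive is named after the previous day.
# "date -d" is GNU date; BusyBox and BSD date need a different invocation.
yesterday() { date -d "-1 day" +%Y%m%d; }

main() {
    if [ -f "$LOG_DIR/access.log" ]; then
        rotate_log "$LOG_DIR/access.log" "$ARCHIVE_DIR" "$(yesterday)" "$PID_FILE"
    else
        # Demo on a constructed log line in a temp dir when Nginx is absent.
        tmp=$(mktemp -d)
        printf '127.0.0.1 - - [01/Jan/2024:23:59:59 +0000] "GET / HTTP/1.1" 200 612\n' \
            > "$tmp/access.log"
        rotate_log "$tmp/access.log" "$tmp/archive" "20240101" "$tmp/nginx.pid"
        ls -l "$tmp/archive"
        rm -rf "$tmp"
    fi
}

main "$@"
```

A cron entry such as 30 0 * * * sh /usr/local/nginx/logs/rotate_nginx_log.sh (the time and script location are assumptions) runs it half an hour after midnight. Keep the archive directory on the same filesystem as the live log so the mv is an atomic rename; copying the file instead would lose lines written between the copy and the signal.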

5. Set Nginx long connection and timeout

keepalive_timeout

Specifies the KeepAlive timeout: how long an idle keep-alive connection is held open at most; after that time the server closes the connection.

The default value in Nginx is 65 seconds, and some browsers keep a connection for at most 60 seconds, so it can be set to 60 seconds. If it is set to 0, keepalive connections are disabled. The optional second parameter specifies the time value sent in the Keep-Alive response header; this header lets some browsers close the connection themselves so that the server does not have to. Without this parameter, Nginx does not send the Keep-Alive response header.

client_header_timeout: the timeout for the client to send a complete request header to the server. If the client does not send a complete request header within the specified time, Nginx returns HTTP 408 (Request Timed Out).

client_body_timeout: the timeout for sending the request body after the client has established a connection with the server. If the client does not send anything within the specified time, Nginx returns HTTP 408 (Request Timed Out).

Modify the nginx.conf file.

Check the syntax and restart the service.

Access the site and view the request and response headers (the connection is kept alive, and the browser timeout is 50 s).

6. Configure Nginx web page compression

Nginx's ngx_http_gzip_module provides the function of compressing file content. It allows the Nginx server to compress output before sending it to the client, which saves website bandwidth and improves the user's access experience. The module is built in by default, and the corresponding compression parameters can be added to the configuration file to tune compression performance.

gzip on;                  # uncomment and enable gzip compression
gzip_min_length 1k;       # minimum size of a response to compress: 1k
gzip_buffers 4 64k;       # compression buffers: 4 buffers of 64k each
gzip_http_version 1.1;    # minimum HTTP version to compress for (default 1.1; use 1.0 if squid 2.5 is in front)
gzip_comp_level 6;        # compression level (1-9)
gzip_vary on;             # add Vary: Accept-Encoding so front-end caching servers can store compressed pages
gzip_types text/plain text/javascript application/x-javascript text/css text/xml application/xml application/xml+rss image/jpg image/jpeg image/png image/gif application/x-httpd-php application/javascript application/json;   # MIME types to compress

Check the syntax and restart the service.

Prepare the page and access it to test.
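Sections 1, 3, 5 and 6 each end with "look at the response headers" to confirm the change. As an added example (not part of the original post), the following script summarizes exactly those headers in one pass: the Server header (server_tokens), max-age from the expires setting, the Keep-Alive header from keepalive_timeout's second parameter, and Content-Encoding from gzip. Given a URL it fetches the headers with curl (assumed to be installed); without one it runs on the constructed sample headers embedded below.

```shell
#!/bin/sh
# Added example: summarize the response headers changed by the version,
# cache, keepalive and gzip settings.
# Usage: sh audit_headers.sh http://www.def.com/index.html
# With no argument it runs on the constructed sample headers below.

# Print the value of header $1 (case-insensitive) from raw headers on stdin.
header_value() {
    tr -d '\r' | awk -v name="$1" '
        BEGIN { name = tolower(name) }
        {
            i = index($0, ":")
            if (i > 1 && tolower(substr($0, 1, i - 1)) == name) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v)
                print v
            }
        }'
}

# Seconds from Cache-Control: max-age=N (empty if the directive is absent).
max_age_seconds() {
    header_value Cache-Control | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Seconds from Keep-Alive: timeout=N, which Nginx only sends when
# keepalive_timeout has its optional second argument.
keepalive_header_seconds() {
    header_value Keep-Alive | sed -n 's/.*timeout=\([0-9][0-9]*\).*/\1/p'
}

# Human-readable summary of the headers on stdin.
audit_headers() {
    h=$(cat)
    server=$(printf '%s\n' "$h" | header_value Server)
    age=$(printf '%s\n' "$h" | max_age_seconds)
    enc=$(printf '%s\n' "$h" | header_value Content-Encoding)
    ka=$(printf '%s\n' "$h" | keepalive_header_seconds)

    echo "Server: ${server:-<absent>}"
    case "$server" in
        *[0-9].[0-9]*) echo "  -> version exposed (server_tokens on)" ;;
        "")            echo "  -> header absent (patched source or a proxy in front)" ;;
        *)             echo "  -> no version shown" ;;
    esac
    if [ -n "$age" ]; then
        echo "Cache-Control max-age: ${age}s ($((age / 86400)) day(s))"
    else
        echo "Cache-Control max-age: none (expires not applied to this URL)"
    fi
    echo "Content-Encoding: ${enc:-none (gzip off, or type not in gzip_types)}"
    echo "Keep-Alive timeout advertised: ${ka:-none}"
}

# Constructed sample headers for an Nginx with all four settings applied.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Jan 2024 03:00:00 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=60
Expires: Tue, 02 Jan 2024 03:00:00 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
Vary: Accept-Encoding'

if [ $# -gt 0 ]; then
    # Use GET and dump the headers (-D -) rather than HEAD (-I): Nginx skips
    # gzip for HEAD responses, so -I would never show Content-Encoding.
    curl -sS -o /dev/null -D - -H 'Accept-Encoding: gzip' "$1" | audit_headers
else
    printf '%s\n' "$SAMPLE_HEADERS" | audit_headers
fi
```

Run it once per kind of URL (an HTML page, an image under the expires location, a dynamic page) since the cache and gzip results depend on the matched location and MIME type, not only on the global settings.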

 

7. Configure Nginx anti-leech (hotlink protection)

1. Simulate hotlinking

192.168.116.10 serves www.abc.com; 192.168.116.20 serves www.def.com.

One site's page embeds the other site's picture to simulate hotlinking.

Use a Windows host to access both websites.

Configure domain name resolution (for convenience, modify the hosts file, /etc/hosts, here).

Add an image to the home page of www.def.com.

Hotlink this image on the home page of www.abc.com.

2. Configure anti-leech and test

Modify the nginx.conf file; if there is a cache configuration, the anti-leech location must be added before it.

location ~* \.(gif|jpg|jpeg|png|swf)$ { ... }

~ means a regular expression is used, and * makes the match case-insensitive (the format of the replacement anti-leech image must not be included in this location's pattern, otherwise the rewritten request would match the same location again).

valid_referers ...

Sets the trusted sites; requests whose Referer matches are not treated as hotlinking.

none

Allows requests without a Referer header to access the resource (by definition, the Referer indicates where a request was linked from; if you type the URL of a resource directly into the browser's address bar, the request carries no Referer field), for example http://www.def.com/error.webp.

blocked

Allows requests whose Referer does not start with http:// or https://, that is, whose protocol has been stripped, to access the resource.

$invalid_referer

The inverse of the site range specified by valid_referers, that is, untrusted sites.

The if judges whether the request falls in the $invalid_referer range; if so, the statement in its block is executed,

namely rewrite ^/ http://www.def.com/error.webp; which rewrites the requested URL to the specified URL.

Upload the anti-leech picture (error.webp) under www.def.com.

Visit www.abc.com again and test: the hotlinked image has been replaced by the designated anti-leech picture.
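The post elides the actual valid_referers list. As an added example (not the author's configuration), the script below assumes the protected site uses valid_referers none blocked *.def.com def.com; and reproduces Nginx's decision for that list in shell, so each Referer value can be tried offline before the rule goes live. The sample Referer values are constructed.

```shell
#!/bin/sh
# Added example: the decision Nginx makes for
#     valid_referers none blocked *.def.com def.com;
# reproduced in shell. The server names are assumptions matching this section.

# Return 0 if the Referer value in $1 is trusted under the list above,
# 1 if Nginx would set $invalid_referer for it.
referer_is_valid() {
    # Nginx compares the scheme and host case-insensitively, so lower-case first.
    ref=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # none: no Referer header at all (URL typed in the address bar, bookmark).
    if [ -z "$ref" ]; then
        return 0
    fi
    # blocked: a Referer is present, but a proxy or firewall removed the scheme,
    # so the value does not start with http:// or https://.
    case "$ref" in
        http://*|https://*) ;;
        *) return 0 ;;
    esac
    # Otherwise keep only the host part (drop scheme, port, path and query)
    # and compare it with the listed names.
    host=$(printf '%s' "$ref" | sed -e 's#^https\{0,1\}://##' -e 's#[/:?].*$##')
    case "$host" in
        def.com)   return 0 ;;   # exact server name in the list
        *.def.com) return 0 ;;   # wildcard entry: any subdomain of def.com
    esac
    return 1
}

# Print one line per sample in the form the admin would observe: the image
# is served, or the request is rewritten to the anti-leech picture.
decide() {
    if referer_is_valid "$1"; then
        printf '%-45s -> serve image\n' "Referer: ${1:-<none>}"
    else
        printf '%-45s -> rewrite ^/ http://www.def.com/error.webp\n' "Referer: $1"
    fi
}

# Constructed sample Referer values.
decide ""                                     # typed into the address bar
decide "nosuchscheme"                         # scheme stripped by a proxy
decide "http://www.def.com/index.html"        # own site
decide "HTTPS://Img.DEF.com:8080/gallery/"    # subdomain, mixed case, port
decide "http://www.abc.com/"                  # the hotlinking site
decide "http://www.def.com.other.example/"    # host that merely contains def.com
decide "http://evildef.com/"                  # suffix without a dot boundary
```

The last two samples show why the wildcard is *.def.com rather than a substring test: only a real subdomain of def.com is trusted. Because the Referer header is supplied by the client, this rule limits casual hotlinking and the bandwidth it costs; it is not an access control for the images themselves.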


Origin blog.csdn.net/wlc1213812138/article/details/131384159