nginx basic security optimization
Hide the version number
- Nginx.conf http modify the label
http {
.......
server_tokens off ;
.......
}
- Restart nginx
nginx -s reload
- an examination
[root@nginx1 conf]# curl -I localhost HTTP/1.1 200 OK Server: nginx #版本号已消失 Date: Mon, 24 Jun 2019 06:09:30 GMT Content-Type: text/html Content-Length: 612 Last-Modified: Mon, 06 May 2019 07:58:22 GMT Connection: keep-alive ETag: "5ccfe91e-264" Accept-Ranges: bytes
Modify the software name
Here nginx need to modify the source code file 3
- Modify nginx-1.6.3 / src / core / nginx.h
#define NGINX_VER "nginx /" NGINX_VERSION the nginx here who want to modify the software name #define NGINX_VAR "NGINX" # NGINX here will want to modify the software name #define NGX_OLDPID_EXT ".oldbin"
- Modify the following results
#define NGINX_VER "test /" NGINX_VERSION modified for your desired result "test" #define NGINX_VAR was modified to their desired result #define NGX_OLDPID_EXT ".oldbin"
- Modify nginx-1.6.3 / src / http / ngx_http_header_filter_module.c line 49
char ngx_http_server_string static [] = "Server: nginx" CRLF; # nginx will be changed to the desired name
- The results modified
char ngx_http_server_string static [] = "Server: the Test" CRLF; # has been modified to the results you want
- 修改nginx-1.6.3/src/http/ngx_http_special_response.c
static u_char ngx_http_error_tail[] =
"<hr><center>nginx</center>" CRLF
"</body>" CRLF
"</html>" CRLF
- The results modified
static u_char ngx_http_error_tail[] =
"<hr><center>test</center>" CRLF
"</body>" CRLF
"</html>" CRLF
- Recompile nginx
./configure --prefix=/application/nginx --user=nginx --group=nginx
make&&make install
Change the default user nginx
At compile time can be used to specify the user -user and -group
./configure --user=nginx --group=nginx --prefix=/application/nginx
- It has been compiled to modify the default user
useradd nginx_test -s /sbin/nologin -M
- Edit nginx.conf
- Nginx restart the service
discovery has changed the default user
Nginx performance optimization service
The number of worker processes nginx optimization services
In high concurrency, high-traffic web service scenarios, we need to start more good nginx processes to ensure rapid response to a request handle a large number of concurrent users.
Like the hotel Opened need to recruit staff, if the low number of jobs, but a lot of traffic, serve customers in a timely manner, the situation will not occur, resulting in poor customer experience to eat. If the number of recruits too much, rarely lack of traffic, there will be very busy waiter, the situation is nothing to do, it will also lead to increase in the cost of the hotel. It is necessary to conduct traffic forecast in pre-opening, and then adjusted according to the best estimates of the number.
The nginx worker processes too, to make a reasonable prediction in the early on-line allows the user to have a good experience.
- Nginx process optimization settings
worker_processes 1 #<< 指定了nginx要开启的进程数,结尾的数字就是要开启进程的个数
nginx optimization of worker_processes related to the number of core cpu
- View audit of cpu
grep -c /proc/cpuinfo | wc -l
It represents a nucleus as a cpu
- View the total number of stars cpu
grep 'physical id' /proc/cpuinfo|sort|uniq|wc -l
De-emphasis on physical id, represents a cpu
will worker_processes number of modified audit is consistent with the cpu
- Restart View
worker_processes the number defined worker process, recommended to set the number of processes cpu number of nuclei or auditor * 2, specific circumstances should be selected according to the actual traffic, because this parameter, in addition to and cpu audit match, and disk storage load data and a system will be related to the number of cpu or audit is a good starting configuration
Nginx optimization bind different processes to different cpu
Multiple processes nginx default, it is possible to run on one or a moment cpu, resulting in uneven nginx process using hardware resources, the purpose of optimization is to allocate as much as possible nginx different processes to different cpu processing, to achieve full multi-purpose use of hardware resources of the multi-core cpu.
Here quad-core cpu, for example, the parameters as follows:
- Four quad-core cpu open process
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000; #<< worker_cpu_affinity就是配置nginx进程cpu亲和力的参数,即把不同的进程分给cpu不同的内核处理。这里的0001 0010 0100 1000是掩码,分别代表1、2、3、4核,由于worker_processes进程数为4,因此,上述配置会把每个进程分配给cpu的某一核处理,默认情况下不会绑定任何cpu。
- Quad-core cpu open two processes
worker_processes 4;
worker_cpu_affinity 0101 1010;
- Open eight eight-core cpu process
worker_processes 8;
worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000
worker_processes up to open eight more than 8 performance will not be improved, and stability becomes lower, so the eight processes enough. Once configured, restart nginx.