nginx tuning (1): compile and install nginx with specified parameters

(1) Hide the nginx version number

  Hiding the version number effectively stops an attacker from using the nginx version information to look up a matching vulnerability and attack it.

  Download the nginx source package (http://nginx.org/en/download.html), upload it to the server, and modify the relevant source files before compiling.

[root@youxi1 ~]# tar zxf nginx-1.16.0.tar.gz -C /usr/local/src/
[root@youxi1 ~]# cd /usr/local/src/nginx-1.16.0/
[root@youxi1 nginx-1.16.0]# vim src/core/nginx.h  // modify the software version number
#define NGINX_VERSION      "7.0.0"  // line 13
#define NGINX_VER          "IIS/" NGINX_VERSION  // line 14
// modify the Server field of the HTTP response header so that the real version number is not echoed
[root@youxi1 nginx-1.16.0]# vim src/http/ngx_http_header_filter_module.c
static u_char ngx_http_server_string[] = "Server: IIS" CRLF;  // line 49
// nginx also echoes the version number when it reports a 404 error; modify this as well (a custom 404 page can be used instead of this step)
[root@youxi1 nginx-1.16.0]# vim src/http/ngx_http_special_response.c
"<hr><center>IIS</center>" CRLF  // line 36

  After that, nginx can be compiled and installed normally.

// install the dependency packages
[root@youxi1 nginx-1.16.0]# yum -y install gcc gcc-c++ autoconf automake zlib zlib-devel openssl openssl-devel pcre pcre-devel
[root@youxi1 nginx-1.16.0]# useradd -s /sbin/nologin -M nginx  // create a dedicated nginx user
[root@youxi1 nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_gzip_static_module --with-pcre
[root@youxi1 nginx-1.16.0]# make && make install
[root@youxi1 nginx-1.16.0]# echo $?
0

  Dependency packages:

    gcc is the C compiler and gcc-c++ the C++ compiler. autoconf and automake are the tools used by configure and make. zlib and zlib-devel provide the support required by the nginx gzip module. openssl and openssl-devel provide the support required by nginx's SSL functionality. pcre and pcre-devel support the address rewriting (rewrite) functionality.

  Configure options used during installation:

    --user=nginx --group=nginx: the user and group nginx runs as

    --with-http_ssl_module: https support

    --with-http_realip_module: obtain the real client IP address

    --with-http_gzip_static_module: allows sending a pre-compressed file with the .gz extension instead of the ordinary file (page compression, used for tuning)

    --with-pcre: specifies the location of the pcre library source (when pcre is installed from source, its path must be given explicitly, i.e. --with-pcre=path)

  For more configure options, refer to: Nginx compile-and-install parameter reference

  Start nginx and check whether the version number is hidden.

[root@youxi1 nginx-1.16.0]# /usr/local/nginx/sbin/nginx
[root@youxi1 nginx-1.16.0]# ps aux | grep nginx
root      10639  0.0  0.1  45960  1120 ?        Ss   15:03   0:00 nginx: master process /usr/local/nginx/sbin/nginx
nginx     10640  0.0  0.1  46416  1884 ?        S    15:03   0:00 nginx: worker process
root      10642  0.0  0.0 112724   992 pts/0    R+   15:03   0:00 grep --color=auto nginx
[root@youxi1 nginx-1.16.0]# firewall-cmd --permanent --zone=public --add-port=80/tcp && firewall-cmd --reload
success
success
[root@youxi1 nginx-1.16.0]# curl -I 192.168.5.101
HTTP/1.1 200 OK
Server: IIS/7.0.0  // version number
Date: Sun, 11 Aug 2019 07:04:31 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Sun, 11 Aug 2019 06:30:28 GMT
Connection: keep-alive
ETag: "5d4fb604-264"
Accept-Ranges: bytes

  You can also request a non-existent page from a Windows client to check whether the modified version string is returned on the error page as well.

(2) Modify the user that runs nginx

  If --user=[username] --group=[groupname] were used at compile time, nothing further needs to be specified. If those two parameters were not given at compile time, the user that runs nginx can be changed in the configuration file.

[root@youxi1 nginx-1.16.0]# vim /usr/local/nginx/conf/nginx.conf
user nginx;  // line 2
[root@youxi1 nginx-1.16.0]# /usr/local/nginx/sbin/nginx -s reload

(3) Set the number of nginx worker processes

  Usually the number of nginx worker processes is set to the number of CPU cores, to auto (detected automatically), to twice the number of cores, or to cores minus 1. If there are more than 8 CPU cores, the number of nginx workers is generally still set to 8, since going beyond 8 workers makes little difference; auto can of course be used to let nginx detect the number itself.

  To view the number of CPU cores, run the top command and press 1; here there are 4.

  Modify the number of nginx worker processes:

[root@youxi1 ~]# vim /usr/local/nginx/conf/nginx.conf
worker_processes  auto;  // line 3
[root@youxi1 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@youxi1 ~]# ps aux | grep nginx
root       1138  0.0  0.0  46092  1948 ?        Ss   15:21   0:00 nginx: master process /usr/local/nginx/sbin/nginx
nginx      1490  0.0  0.0  46532  2004 ?        S    15:30   0:00 nginx: worker process
nginx      1491  0.0  0.0  46532  2004 ?        S    15:30   0:00 nginx: worker process
nginx      1492  0.0  0.0  46532  2004 ?        S    15:30   0:00 nginx: worker process
nginx      1493  0.0  0.0  46532  2004 ?        S    15:30   0:00 nginx: worker process
root       1497  0.0  0.0 112724   992 pts/0    S+   15:30   0:00 grep --color=auto nginx

  Or use pstree to view the parent/child relationship of the nginx processes:

[root@youxi1 ~]# yum -y install psmisc
[root@youxi1 ~]# pstree -p | grep nginx
           |-nginx(1138)-+-nginx(1490)
           |             |-nginx(1491)
           |             |-nginx(1492)
           |             `-nginx(1493)

(4) Set nginx CPU affinity

  CPU affinity binds each nginx worker process to a fixed CPU, which reduces the overhead caused by context switches.

  For example, set the number of worker processes to 2 and bind them to CPU 0 and CPU 2.

[root@youxi1 ~]# vim /usr/local/nginx/conf/nginx.conf
worker_processes 2;
worker_cpu_affinity 0001 0100;  // with 8 cores the mask would have 8 bits; here 0001 is CPU0 and 0100 is CPU2
[root@youxi1 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@youxi1 ~]# ps aux | grep nginx
root       1138  0.0  0.0  46000  1968 ?        Ss   15:21   0:00 nginx: master process /usr/local/nginx/sbin/nginx
nginx      1566  0.0  0.0  46436  1920 ?        S    16:27   0:00 nginx: worker process
nginx      1567  0.0  0.0  46436  1920 ?        S    16:27   0:00 nginx: worker process
root       1569  0.0  0.0 112724   988 pts/0    S+   16:27   0:00 grep --color=auto nginx
[root@youxi1 ~]# taskset -cp 1566
pid 1566's current affinity list: 0
[root@youxi1 ~]# taskset -cp 1567
pid 1567's current affinity list: 2

  In a production environment, unless there are extreme requirements, CPU affinity is generally not set explicitly, or it is set to auto, because fixed binding may cause an uneven distribution of resources.

(5) Set the maximum number of open files per nginx worker process

  In theory, each nginx worker process should be able to open (ulimit -n) / (number of worker processes) files, but nginx does not distribute requests evenly among workers, so the maximum number of files a worker can open is kept consistent with the ulimit -n value.

[root@youxi1 ~]# ulimit -n
1024
[root@youxi1 ~]# vim /usr/local/nginx/conf/nginx.conf
worker_rlimit_nofile 1024;  // add this below the number of worker processes
[root@youxi1 ~]# /usr/local/nginx/sbin/nginx -s reload

  For permanently changing the maximum number of open files, see: Linux system tuning - disk I/O (3)

(6) The nginx event handling model

 1) The epoll event handling model

  select, poll and epoll are all I/O multiplexing mechanisms available to nginx. Through I/O multiplexing, one process can monitor multiple descriptors; once a descriptor becomes ready (generally read-ready or write-ready), the program is notified and can perform the corresponding read or write operation. epoll was formally introduced in the Linux 2.6 kernel and is similar to select and poll in that all of them are I/O multiplexing.

  Advantages of epoll: 1. epoll has no fixed limit on the maximum number of concurrent connections; the upper limit is the maximum number of files that can be opened, which is generally far larger than 2048 and depends on system memory; the exact number can be viewed with cat /proc/sys/fs/file-max. 2. Efficiency: epoll's biggest advantage is that it only deals with "active" connections and is not affected by the total number of connections, so in a real network environment epoll is far more efficient than select and poll. 3. epoll uses "shared memory" for this, which is cheaper in memory and more efficient.

 2) How to modify the nginx event handling model

[root@youxi1 ~]# vim /usr/local/nginx/conf/nginx.conf
events {  // there is an events {} block near the beginning of the file; add the event handling model inside it
    use epoll;  // epoll is the default for nginx on Linux
    worker_connections 1024;  // this is the concurrency of a single worker process
}
[root@youxi1 ~]# /usr/local/nginx/sbin/nginx -s reload

(7) Set the maximum concurrency of nginx

  In the same place where the event handling model is set, worker_connections is the concurrency of a single worker process. The maximum concurrency of nginx is obtained by setting the per-worker concurrency together with the number of worker processes: maximum concurrency = per-worker concurrency * number of worker processes.

[root@youxi1 ~]# vim /usr/local/nginx/conf/nginx.conf
events {
    use epoll;
    worker_connections 1024;  // modify the value of this parameter
}
[root@youxi1 ~]# /usr/local/nginx/sbin/nginx -s reload

  worker_connections is the number of connections a single worker process is allowed to have open at the same time, whether the connection was initiated from outside or established internally. Every connection a worker process establishes opens a file descriptor. Therefore this number is also bounded by the operating system's ulimit -n value and by nginx's worker_rlimit_nofile setting. Normally the system's ulimit -n, worker_rlimit_nofile and the maximum concurrency are kept the same (if the three are inconsistent, the process works with the smallest of the three values).
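The rule just stated (per-worker capacity is the smallest of worker_connections, worker_rlimit_nofile and ulimit -n, multiplied by the worker count) carried out in code. This is an added example, not part of the original post; the nginx.conf fragment is constructed, and the ulimit_n and cpu_count values are passed in as assumed inputs rather than read from the system.

```python
import re

# Constructed nginx.conf fragment (not the page's file) combining the directives tuned above.
SAMPLE_CONF = """
user nginx;
worker_processes  auto;
worker_rlimit_nofile 1024;
events {
    use epoll;
    worker_connections 2048;
}
"""


def parse_directives(conf):
    """Extract the three directives that bound nginx's concurrency (first occurrence wins)."""
    found = {}
    for name in ("worker_processes", "worker_rlimit_nofile", "worker_connections"):
        m = re.search(r"^\s*%s\s+(\S+)\s*;" % name, conf, re.MULTILINE)
        if m:
            found[name] = m.group(1)
    return found


def effective_max_connections(conf, ulimit_n, cpu_count):
    """Apply the rule from the text: per-worker capacity is the smallest of
    worker_connections, worker_rlimit_nofile and ulimit -n; the total is that
    figure times the number of worker processes (auto = cpu_count)."""
    d = parse_directives(conf)
    wp = d.get("worker_processes", "1")
    workers = cpu_count if wp == "auto" else int(wp)
    conns = int(d.get("worker_connections", "512"))        # nginx built-in default
    rlimit = int(d.get("worker_rlimit_nofile", ulimit_n))  # unset: worker inherits ulimit -n
    limits = {"worker_connections": conns, "worker_rlimit_nofile": rlimit, "ulimit -n": ulimit_n}
    per_worker = min(limits.values())
    return {
        "workers": workers,
        "per_worker": per_worker,
        "total": workers * per_worker,
        "limited_by": [k for k, v in limits.items() if v == per_worker],
        # worker_connections above the descriptor ceiling is configuration that can never be used
        "wasted_connections": conns - per_worker,
    }


if __name__ == "__main__":
    print(effective_max_connections(SAMPLE_CONF, ulimit_n=1024, cpu_count=4))
```

A non-empty wasted_connections is the misconfiguration the text warns about: worker_connections promises more than the file-descriptor limits allow.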

(8) server_name matching

  server_name is a parameter of server {} inside http {}, used to identify a virtual server. For example, when one machine is configured with two virtual servers, server_name is used to match a request to the specific server {} block, which then hands it to the corresponding application directory or backend.

  server_name matching methods:

    1. Exact match: www.baidu.com

    2. Wildcard match: *.baidu.com or www.baidu.*

    3. Regular expression match: ~^.*\.baidu\.com$ (~ means a case-sensitive regex match; ~* means a case-insensitive regex match)

    4. default or default_server

    5. IP address

  Priority: exact match > leading wildcard match (*.baidu.com) > trailing wildcard match (www.baidu.*) > regular expression match > default or default_server. When the priority is the same, the blocks are matched in top-down order.

   Modify the default server_name localhost:

[root@youxi1 ~]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen       80;
        server_name  default;
        location / {
            root   html;
            index  index.html index.htm;
        }
    ......
    }
[root@youxi1 ~]# /usr/local/nginx/sbin/nginx -t  // check whether the nginx configuration file is correct
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
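The server_name precedence listed above, implemented as a selector over a list of server {} blocks. This is an added example, not part of the original post: the SERVERS list is constructed, each block is modelled as (server_names, is_default_server), and an IP-address server_name is treated as an exact name.

```python
import re


def pick_server(host, servers):
    """Return the index of the server {} block chosen for a Host header, following the
    precedence stated above: exact > leading wildcard > trailing wildcard > regex (first
    in file order) > default_server (otherwise the first block in the file)."""
    host = host.lower().rstrip(".")

    def plain(n):  # an exact name: no wildcard and no ~ regex prefix
        return not (n.startswith("~") or n.startswith("*") or n.endswith("*"))

    for i, (names, _) in enumerate(servers):                       # 1. exact name
        if any(plain(n) and n.lower() == host for n in names):
            return i
    for kind in ("leading", "trailing"):                           # 2. *.baidu.com  3. www.baidu.*
        best = None                                                # longest wildcard name wins
        for i, (names, _) in enumerate(servers):
            for n in names:
                n = n.lower()
                hit = (kind == "leading" and n.startswith("*.") and host.endswith(n[1:])) or \
                      (kind == "trailing" and n.endswith(".*") and host.startswith(n[:-1]))
                if hit and (best is None or len(n) > best[0]):
                    best = (len(n), i)
        if best is not None:
            return best[1]
    for i, (names, _) in enumerate(servers):                       # 4. regex: ~ sensitive, ~* insensitive
        for n in names:
            if n.startswith("~"):
                pat, flags = (n[2:], re.IGNORECASE) if n.startswith("~*") else (n[1:], 0)
                if re.search(pat, host, flags):
                    return i
    for i, (_, is_default) in enumerate(servers):                  # 5. default_server
        if is_default:
            return i
    return 0


# Constructed example, not the page's configuration: five server {} blocks in file order.
SERVERS = [
    ([r"~^api\d+\.baidu\.net$"], False),  # 0: regex
    (["www.baidu.*"], False),             # 1: trailing wildcard
    (["*.baidu.com"], False),             # 2: leading wildcard
    (["www.baidu.com"], False),           # 3: exact
    (["localhost"], True),                # 4: default_server
]

if __name__ == "__main__":
    for h in ("www.baidu.com", "mail.baidu.com", "www.baidu.cn", "api7.baidu.net", "example.org"):
        print(h, "->", pick_server(h, SERVERS))
```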

(9) location {} matching

  Syntax rule: location [= | ~ | ~* | ^~] /url/ { ... }

  Modifiers: = exact match (absolute match); ~ case-sensitive regex match; ~* case-insensitive regex match; ^~ prefix match on the first part of the URL, after which no regular expressions are checked (for example, since nginx does not encode the URL, the request /static/20%/aa can be matched by ^~ /static/ /aa (note the space)); !~ and !~* are the opposite of ~ and ~*, meaning does not match; the most special case is a lone /, which is a catch-all that matches any request.

  Example:

[root@youxi1 ~]# vim /usr/local/nginx/conf/nginx.conf
        #location ~ \.php$ {  // this matches URIs ending in .php; \. is the escaped dot
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}
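The location selection order described above (exact match, then longest prefix with ^~ stopping the search, then regexes in file order, then the longest plain prefix), implemented as a selector over a list of location blocks. This is an added example, not part of the original post; the LOCATIONS list is constructed and each block is modelled as (modifier, pattern).

```python
import re


def pick_location(uri, locations):
    """Return the index of the location {} block nginx uses for a request URI.
    locations: list of (modifier, pattern) in file order; modifier is one of
    "=", "^~", "~", "~*" or "" (plain prefix)."""
    for i, (mod, pat) in enumerate(locations):          # 1. exact match wins outright
        if mod == "=" and uri == pat:
            return i
    best = None                                         # 2. longest prefix ("" or "^~")
    for i, (mod, pat) in enumerate(locations):
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(locations[best][1]):
                best = i
    if best is not None and locations[best][0] == "^~": # a ^~ winner suppresses the regex checks
        return best
    for i, (mod, pat) in enumerate(locations):          # 3. first matching regex in file order
        if mod in ("~", "~*") and re.search(pat, uri, re.IGNORECASE if mod == "~*" else 0):
            return i
    return best  # 4. longest plain prefix; None only if nothing matched (a lone / normally catches all)


# Constructed example, not the page's configuration: six location blocks in file order.
LOCATIONS = [
    ("", "/"),                      # 0: catch-all prefix
    ("=", "/"),                     # 1: exact match for the root URI only
    ("", "/documents/"),            # 2: plain prefix
    ("^~", "/images/"),             # 3: prefix that stops the regex checks
    ("~*", r"\.(gif|jpg|jpeg)$"),   # 4: case-insensitive regex
    ("~", r"\.php$"),               # 5: case-sensitive regex, like the commented-out block above
]

if __name__ == "__main__":
    for u in ("/", "/index.html", "/images/1.gif", "/documents/1.JPG", "/app/index.php", "/app/index.PHP"):
        print(u, "->", pick_location(u, LOCATIONS))
```

Note that /documents/1.JPG goes to the regex block even though /documents/ is a longer prefix, while /images/1.gif stays with the ^~ block; that is the difference between a plain prefix and ^~.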

(10) Enable the efficient transfer mode

  The efficient transfer mode is set under http {}, generally at the beginning.

[root@youxi1 ~]# vim /usr/local/nginx/conf/nginx.conf
    include       mime.types;  // media types; the mime.types file is in the conf directory
    default_type  application/octet-stream;  // default media type
    sendfile        on;  // enable the efficient transfer mode
    tcp_nopush     on;  // only takes effect when sendfile is on; prevents network congestion by reducing the number of network segments sent

  The nginx sendfile parameter specifies whether the sendfile function is used to output files. For ordinary applications set it to on; if the application is used for downloads and similar disk I/O heavy workloads, it can be set to off.

(11) Connection timeouts

  The main purpose is to protect server resources (CPU, memory) and to control the number of connections, because establishing a connection also consumes resources (the TCP three-way handshake, the four-way close, and so on). Generally we tear down connections that are initiated but never completed: from the start of connection setup, if no follow-up handshake arrives, the connection sits in a waiting state, and all such connections are dropped. In addition, short connections are recommended for php.

  Connection timeouts are set under http {}, generally at the beginning.

[root@youxi1 ~]# vim /usr/local/nginx/conf/nginx.conf
    keepalive_timeout  65;  // the following lines go right after this one
    tcp_nodelay on;
    client_header_timeout 15;
    client_body_timeout 15;
    send_timeout 15;

  Parameter descriptions:

    keepalive_timeout: timeout for keeping a client session alive; once this time is exceeded, the server closes the connection.

    tcp_nodelay: also prevents network congestion, but only takes effect on keepalive connections.

    client_header_timeout: timeout for reading the client request header; if no data is sent within the configured time, nginx returns a request time out error.

    client_body_timeout: timeout for the client request body; if no data is sent within this time, the same error as above is returned.

    send_timeout: timeout for responding to the client; it limits the time between two write operations, and if the client shows no activity within this time, nginx closes the connection.

(12) Upload file size limit

  Add at the top of http {}:

[root@youxi1 ~]# vim /usr/local/nginx/conf/nginx.conf
http{
......
    client_max_body_size 10m;  // upper limit 10M
......
}


Source: www.cnblogs.com/diantong/p/11333299.html