Nginx web page optimization (a)
Hide Nginx configuration version number
-
In a production environment, we need to hide the
Nginx
version number, to avoid leakage security vulnerabilities -
Check method
- Use
fiddler
tools inWindows
the client viewNginx
the version number - In
CentOS
using the system"curl -I 网址”
command to view
- Use
- Nginx version number of the hidden method
- Modify the configuration file method
- Modify the source code law
Modify the configuration file method
Nginx
The profile ofserver_ tokens
the value of the option is set tooff
[root@www conf]# vi nginx.conf
.....
server_ tokens off; //关闭版本号
.....
[root@www conf]# nginx -t
- Restart the service, visit the Web site using the
curl -I
command detection
[root@www conf]# service nginx restart
[root@www conf]# curl -| http://192.168.9.209/
HTTP/1.1 200 OK
Server: nginx
- If the
php
configuration file to configure thefastcgi_param SERVER_ SOFTWARE
options. - Edit the
php-fpm
configuration file, thefastcgi_param SERVER_ SOFTWARE
value corresponding to modifyfastcgi_param SERVER_ SOFTWARE nginx
;
Configuration Example
[root@localhost nginx]# curl -I http://192.168.144.133/ //使用命令查看版本号
HTTP/1.1 200 OK
Server: nginx/1.12.2 //显示版本号
Date: Thu, 14 Nov 2019 06:52:14 GMT
Content-Type: text/html
Content-Length: 634
Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
Connection: keep-alive
ETag: "5dccf320-27a"
Accept-Ranges: bytes
[root@localhost nginx]# vim conf/nginx.conf //进入编辑配置文件
...//省略部分内容...
http {
include mime.types;
default_type application/octet-stream;
server_tokens off; //添加条目关闭版本号
...//省略部分内容...
:wq
[root@localhost nginx]# systemctl restart nginx.service
[root@localhost nginx]# curl -I http://192.168.144.133
HTTP/1.1 200 OK
Server: nginx //版本号隐藏
Date: Thu, 14 Nov 2019 06:56:51 GMT
Content-Type: text/html
Content-Length: 634
Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
Connection: keep-alive
ETag: "5dccf320-27a"
Accept-Ranges: bytes
Modify the source code law
Nginx
Source file/usr/src/nginx-1.12.0/src/core/nginx.h
contains version information, you can freely set-
Recompile installation, hidden version information
-
Example:
#define NGINX_ VERSION“1.1.1" 修改版本号为1.1.1 #define NGINX VER "IIS/" 修改软件类型为IIS
- Restart the service, visit the Web site using the
curl -I
command detection
Configuration Example
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf //编辑nginx配置文件
...//省略部分内容...
http {
include mime.types;
default_type application/octet-stream;
server_tokens on; //打开上面设置的隐藏版本号条目
...//省略部分内容...
:wq
[root@localhost ~]# cd /opt/nginx-1.12.2/src/core/ //到解压的源码包中更改版本号信息
[root@localhost core]# vim nginx.h
#define nginx_version 1012002
#define NGINX_VERSION "1.1.1" //更改版本号
#define NGINX_VER "nginx/" NGINX_VERSION
:wq
[root@localhost core]# cd /optnginx-1.12.2/
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module //重新配置nginx
checking for OS
+ Linux 3.10.0-693.el7.x86_64 x86_64
checking for C compiler ... found
+ using GNU C compiler
+ gcc version: 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
...//省略部分内容...
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
[root@localhost nginx-1.12.2]# make && make install //重新制作安装nginx
[root@localhost nginx-1.12.2]# systemctl restart nginx.service //重新启动nginx服务
[root@localhost nginx-1.12.2]# curl -I http://192.168.144.133 //查看版本号
HTTP/1.1 200 OK
Server: nginx/1.1.1 //版本号变更
Date: Thu, 14 Nov 2019 07:11:08 GMT
Content-Type: text/html
Content-Length: 634
Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
Connection: keep-alive
ETag: "5dccf320-27a"
Accept-Ranges: bytes
Nginx modify users and groups
Nginx
Runtime process needs the support of users and groups, in order to achieve access control to a Web site to read the fileNginx
Defaultnobody
user accounts and group accounts, generally have to be modified- Modified method
- Compiles the specified users and groups during installation
- Modify the configuration file to specify users and groups
Specified when compiling installation
-
Create user accounts and group accounts, such as
nginx
- When compiled and installed
--user
with--group
the specifiedNginx
service running user and group accounts
Modify the configuration file specifies the method
- New user accounts, such as
nginx
- Modifying the master configuration file
user
option specifies the user account - Restart
nginx
service configuration to take effect - Use
ps aux
the command to view thenginx
process information, to verify the effect of changing the user account running
[root@www conf]# vi nginx.conf
user nginx nginx;
[root@www conf]# service nginx restart
[root@www conf]# ps aux | grep nginx
root 130034 0.0 0.0 20220 620 ? Ss 19:41 0:00 nginx: master process
/usr/local/sbin/nginx
nginx 130035 0.0 0.0 20664 1512 ? S 19:41 0:00 nginx: worker process
Nginx web caching configuration time
- When
Nginx
the web page data is returned to the client, the cache may be provided time to facilitate future request directly return the same content, to avoid repeated requests faster access speed - Like setting for static pages, dynamic pages do not set the cache time
- You can
Windows
use the clientfiddler
to view the web page cache time
Setting method
- You can modify the configuration files, in a
http
section, orserver
sections, orlocation
section added to specific content Expiration
Examples
- Nginx modify configuration files, adding expires parameter in the location section
location ~\.(gif|ipg|jepg|png|bmp|ico)$ {
root html;
expires 1d;
}
Configuration Example
[root@localhost ~]# systemctl stop firewalld.service //关闭防火墙
[root@localhost ~]# setenforce 0 //关闭增强性安全功能
[root@localhost ~]# systemctl start nginx.service //启动nginx服务
[root@localhost ~]# netstat -ntap | grep 80 //查看服务端口是否开启
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1684/nginx: master
[root@localhost ~]# mkdir abc
[root@localhost ~]# mount.cifs //192.168.100.10/lamp-c7 abc/ //将宿主机图片文件夹挂载到abc目录
Password for root@//192.168.100.10/lamp-c7:
[root@localhost ~]# cd abc/ //进入abc目录
[root@localhost abc]# ls
apr-1.6.2.tar.gz Discuz_X2.5_SC_UTF8.zip miao.jpg
apr-util-1.6.0.tar.gz error.png mysql-5.6.26.tar.gz
awstats-7.6.tar.gz httpd-2.4.29.tar.bz2 nginx-1.12.0.tar.gz
cronolog-1.6.2-14.el7.x86_64.rpm LAMP-php5.6.txt php-5.6.11.tar.bz2
[root@localhost abc]# cp miao.jpg /usr/local/nginx/html/ //将图片复制到nginx服务站点
[root@localhost abc]# cd /usr/local/nginx/html/ //进入站点目录
[root@localhost html]# ls
50x.html index.html miao.jpg
[root@localhost html]# vim index.html //编辑网页内容
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<img src="miao.jpg"/> //添加图片
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
:wq
[root@localhost nginx]# vim conf/nginx.conf //编辑配置
..//省略部分内容...
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
..//省略部分内容...
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~\.(gif|jepg|jpg|ico|bmp|png)$ { //编辑缓存条目
root html;
expires 1d;
}
}
..//省略部分内容...
:wq
[root@localhost nginx]# systemctl restart nginx.service //重启nginx服务
- Visit a web page in the client, and use the time packet capture tool to view the cache is turned on
Configuring Nginx achieve connection timeout
- In corporate website in order to avoid prolonged occupation with a client connection, waste of resources, you can set the appropriate connection timeout parameters to achieve control connection access time
- Fiddler tool to use to view the connection parameters
Timeout parameters to explain
-
Keepalive_ timeout
- Set connection remains timeout - as can only set this parameter, the default is 75 seconds and can be set according to the situation of the site, or closed, at http segment, server segment, segment or location settings
-
Client header_ timeout
- Specifies the client sends a request to wait for the timeout header
- Client body _timeout
- Setting a read request body timeout
Configuration Example
[root@localhost nginx-1.12.2]# cd /usr/local/nginx/conf/ //进入nginx配置文件目录
[root@localhost conf]# vim nginx.conf //编辑配置文件
...//省略部分内容...
http {
include mime.types;
default_type application/octet-stream;
server_tokens on;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65 180; //添加客户端超时时间180秒
client_header_timeout 80; //设置客户端头部超时时间
client_body_timeout 80; //设置客户端主题内容超时时间
#gzip on;
server {
listen 80;
server_name localhost;
...//省略部分内容...
:wq
[root@localhost conf]# systemctl restart nginx.service //重启服务