nginx web page optimization

Nginx web page optimization (a)

Configuring Nginx to hide the version number

  • In a production environment, the Nginx version number should be hidden, so that it does not leak information about security vulnerabilities

  • Check method

    • Use the Fiddler tool on a Windows client to view the Nginx version number
    • On a CentOS system, use the "curl -I <URL>" command to view it
  • Methods for hiding the Nginx version number
    • Modify the configuration file
    • Modify the source code

Modify the configuration file method

  • In the Nginx configuration file, set the value of the server_tokens option to off
[root@www conf]# vi nginx.conf
.....
server_tokens off;              # turn off the version number
.....
[root@www conf]# nginx -t
  • Restart the service, then visit the Web site with the curl -I command to check
[root@www conf]# service nginx restart
[root@www conf]# curl -I http://192.168.9.209/
HTTP/1.1 200 OK
Server: nginx
  • If the PHP configuration file sets the fastcgi_param SERVER_SOFTWARE option:
  • Edit the php-fpm configuration file and modify the corresponding fastcgi_param SERVER_SOFTWARE value
    • fastcgi_param SERVER_SOFTWARE nginx;

Configuration Example

[root@localhost nginx]# curl -I http://192.168.144.133/    # use the command to view the version number
HTTP/1.1 200 OK
Server: nginx/1.12.2      # the version number is shown
Date: Thu, 14 Nov 2019 06:52:14 GMT
Content-Type: text/html
Content-Length: 634
Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
Connection: keep-alive
ETag: "5dccf320-27a"
Accept-Ranges: bytes
[root@localhost nginx]# vim conf/nginx.conf        # open the configuration file for editing
... # part omitted ...
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;          # add this entry to turn off the version number
... # part omitted ...
:wq
[root@localhost nginx]# systemctl restart nginx.service
[root@localhost nginx]# curl -I http://192.168.144.133
HTTP/1.1 200 OK
Server: nginx                 # the version number is hidden
Date: Thu, 14 Nov 2019 06:56:51 GMT
Content-Type: text/html
Content-Length: 634
Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
Connection: keep-alive
ETag: "5dccf320-27a"
Accept-Ranges: bytes

Modify the source code

  • The Nginx source file /usr/src/nginx-1.12.0/src/core/nginx.h contains the version information, which can be set freely
  • Recompile and reinstall to hide the version information

  • Example:

    #define NGINX_VERSION "1.1.1"        // change the version number to 1.1.1
    #define NGINX_VER "IIS/"             // change the software type to IIS
  • Restart the service, then visit the Web site with the curl -I command to check

Configuration Example

[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf     # edit the nginx configuration file
... # part omitted ...
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;                           # switch the version-hiding entry set above back on
... # part omitted ...
:wq
[root@localhost ~]# cd /opt/nginx-1.12.2/src/core/    # go to the unpacked source tree to change the version information
[root@localhost core]# vim nginx.h
#define nginx_version      1012002
#define NGINX_VERSION      "1.1.1"                   // change the version number
#define NGINX_VER          "nginx/" NGINX_VERSION
:wq
[root@localhost core]# cd /opt/nginx-1.12.2/
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module                          # reconfigure nginx
checking for OS
 + Linux 3.10.0-693.el7.x86_64 x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
... # part omitted ...
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"
[root@localhost nginx-1.12.2]# make && make install     # rebuild and reinstall nginx
[root@localhost nginx-1.12.2]# systemctl restart nginx.service     # restart the nginx service
[root@localhost nginx-1.12.2]# curl -I http://192.168.144.133    # view the version number
HTTP/1.1 200 OK
Server: nginx/1.1.1             # the version number has changed
Date: Thu, 14 Nov 2019 07:11:08 GMT
Content-Type: text/html
Content-Length: 634
Last-Modified: Thu, 14 Nov 2019 06:24:32 GMT
Connection: keep-alive
ETag: "5dccf320-27a"
Accept-Ranges: bytes

Nginx modify users and groups

  • The Nginx runtime processes need a user and group, which provide the access control applied when the Web site's files are read
  • By default Nginx uses the nobody user account and group account, which generally have to be changed
  • Modified method
    • Compiles the specified users and groups during installation
    • Modify the configuration file to specify users and groups

Specifying at compile and install time

  • Create the user account and group account, such as nginx

  • When compiling and installing, use --user and --group to specify the user and group accounts the Nginx service runs as

Specifying in the configuration file

  • Create a new user account, such as nginx
  • Modify the user option in the main configuration file to specify the user account
  • Restart the nginx service for the configuration to take effect
  • Use the ps aux command to view the nginx process information and verify that the running user account has changed
[root@www conf]# vi nginx.conf
user nginx nginx;
[root@www conf]# service nginx restart
[root@www conf]# ps aux | grep nginx
root     130034 0.0 0.0 20220 620 ?        Ss 19:41 0:00 nginx: master process /usr/local/sbin/nginx
nginx       130035 0.0 0.0 20664 1512 ?     S 19:41 0:00 nginx: worker process

Configuring the Nginx web page cache time

  • When Nginx returns web page data to the client, a cache time can be set so that future requests for the same content are answered directly from the cache, avoiding repeated requests and speeding up access
  • Cache time is generally set for static pages; no cache time is set for dynamic pages
  • On a Windows client you can use Fiddler to view the web page cache time

Setting method

  • Modify the configuration file and add the expires parameter for specific content in the http section, the server section, or a location section

Examples

  • Modify the Nginx configuration file, adding the expires parameter in a location section
location ~\.(gif|jpg|jpeg|png|bmp|ico)$ {
       root  html;
       expires 1d; 
}

Configuration Example

[root@localhost ~]# systemctl stop firewalld.service      # stop the firewall
[root@localhost ~]# setenforce 0                          # turn off SELinux enforcing mode
[root@localhost ~]# systemctl start nginx.service         # start the nginx service
[root@localhost ~]# netstat -ntap | grep 80               # check that the service port is open
tcp        0      0 0.0.0.0:80              0.0.0.0:*           LISTEN      1684/nginx: master  
[root@localhost ~]# mkdir abc
[root@localhost ~]# mount.cifs //192.168.100.10/lamp-c7 abc/    # mount the host's image folder on the abc directory
Password for root@//192.168.100.10/lamp-c7:  
[root@localhost ~]# cd abc/       # enter the abc directory
[root@localhost abc]# ls
apr-1.6.2.tar.gz                  Discuz_X2.5_SC_UTF8.zip  miao.jpg
apr-util-1.6.0.tar.gz             error.png                mysql-5.6.26.tar.gz
awstats-7.6.tar.gz                httpd-2.4.29.tar.bz2     nginx-1.12.0.tar.gz
cronolog-1.6.2-14.el7.x86_64.rpm  LAMP-php5.6.txt          php-5.6.11.tar.bz2
[root@localhost abc]# cp miao.jpg /usr/local/nginx/html/   # copy the image to the nginx site
[root@localhost abc]# cd /usr/local/nginx/html/      # enter the site directory
[root@localhost html]# ls
50x.html  index.html  miao.jpg
[root@localhost html]# vim index.html       # edit the page content
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<img src="miao.jpg"/>                      <!-- add the image -->
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
:wq
[root@localhost nginx]# vim conf/nginx.conf        # edit the configuration
... # part omitted ...
events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
... # part omitted ...
 # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~\.(gif|jpeg|jpg|ico|bmp|png)$ {       # add the cache entry
            root html;
            expires 1d;
        }
    }
... # part omitted ...
:wq
[root@localhost nginx]# systemctl restart nginx.service    # restart the nginx service
  • Visit the web page from a client and use a packet capture tool to check whether the cache time is in effect
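
The two header checks described so far (the Server banner after server_tokens off, and the cache lifetime after expires 1d) can be scripted against curl -I output. This is an added example, not part of the original article; the function names are hypothetical, the first sample repeats headers shown above, and the image response is constructed on the assumption that expires 1d produces Cache-Control: max-age=86400.

```shell
#!/bin/sh
# Added example (not from the original article): checks `curl -I` output for a
# version-bearing Server banner and for the lifetime set by `expires 1d`.

# header_value NAME < headers: print the value of the first matching header.
header_value() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                      # curl output ends lines with CR
        { i = index($0, ":"); if (i == 0) next }
        tolower(substr($0, 1, i - 1)) == tolower(want) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
        }'
}

# banner_has_version < headers: exit 0 when Server carries product/version.
banner_has_version() {
    header_value Server | grep -Eq '/[0-9]+(\.[0-9]+)*'
}

# cache_max_age < headers: print Cache-Control max-age in seconds, if any.
cache_max_age() {
    header_value Cache-Control | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# audit_response EXPECTED_SECONDS < headers: print one finding per line.
audit_response() {
    hdrs=$(cat)
    if printf '%s\n' "$hdrs" | banner_has_version; then
        echo "FAIL Server: $(printf '%s\n' "$hdrs" | header_value Server)"
    else
        echo "OK   Server banner carries no version"
    fi
    age=$(printf '%s\n' "$hdrs" | cache_max_age)
    if [ "$age" = "$1" ]; then echo "OK   max-age=$age"
    else echo "FAIL max-age=${age:-none}, expected $1"; fi
}

# Headers as shown in the article before server_tokens off.
before() { printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.12.2\r\nContent-Type: text/html\r\n\r\n'; }
# Constructed response for miao.jpg with server_tokens off and expires 1d.
image() { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: image/jpeg\r\nCache-Control: max-age=86400\r\n\r\n'; }

before | audit_response 86400
image  | audit_response 86400
```

A banner rewritten in nginx.h, such as nginx/1.1.1, is still reported, because the check only sees that a version token is present.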


Configuring Nginx connection timeouts

  • On a corporate website, to avoid a single client holding a connection for a long time and wasting resources, you can set appropriate connection timeout parameters to control how long a connection is held
  • Use the Fiddler tool to view the connection parameters

Timeout parameters explained

  • keepalive_timeout

    • Sets the keep-alive connection timeout. Generally only this parameter needs to be set. The default is 75 seconds; it can be set according to the site's situation, or turned off, and it can be set in the http section, the server section, or a location section
  • client_header_timeout

    • Specifies the timeout for waiting for the client to send the request header
  • client_body_timeout
    • Sets the timeout for reading the request body

Configuration Example

[root@localhost nginx-1.12.2]# cd /usr/local/nginx/conf/     # enter the nginx configuration directory
[root@localhost conf]# vim nginx.conf      # edit the configuration file
... # part omitted ...
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65 180;     # add a client timeout of 180 seconds
    client_header_timeout 80;      # set the client header timeout
    client_body_timeout 80;        # set the client body timeout

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;
... # part omitted ...
:wq
[root@localhost conf]# systemctl restart nginx.service      # restart the service
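
The settings covered in this article can be checked in one pass over nginx.conf. This is an added example, not part of the original article: the function names are hypothetical, the sample configuration is constructed, include files are not followed, only the first uncommented occurrence of a directive is read, and the 60-second defaults for client_header_timeout and client_body_timeout are the stock nginx defaults.

```shell
#!/bin/sh
# Added example (not from the original article). Audits one nginx.conf for the
# directives this article sets. Assumptions: no `include` files are followed,
# only the first occurrence of a directive counts, contexts are ignored.

# directive NAME < conf: print the arguments of the first uncommented NAME.
directive() {
    awk -v d="$1" '
        { sub(/#.*/, "") }                      # strip nginx "#" comments
        $1 == d { $1 = ""; sub(/^ +/, ""); sub(/;.*/, ""); print; exit }'
}

# audit_conf FILE: print one finding per line.
audit_conf() {
    conf=$1
    v=$(directive server_tokens < "$conf")
    if [ "$v" = off ]; then echo "OK   server_tokens off"
    else echo "FAIL server_tokens ${v:-unset} (version shown in Server header)"; fi

    v=$(directive user < "$conf"); v=${v%% *}   # keep the user, drop the group
    case $v in
        "")          echo "WARN user unset (compiled-in default applies)" ;;
        root|nobody) echo "FAIL user $v" ;;
        *)           echo "OK   user $v" ;;
    esac

    # name:default-in-seconds used when the directive is absent
    for pair in keepalive_timeout:75 client_header_timeout:60 client_body_timeout:60; do
        name=${pair%%:*}
        v=$(directive "$name" < "$conf")
        if [ -n "$v" ]; then echo "OK   $name $v"
        else echo "WARN $name unset (default ${pair#*:}s)"; fi
    done
}

# Constructed sample: server_tokens left on and no client_body_timeout.
sample_conf() {
    cat <<'EOF'
user nginx nginx;
http {
    server_tokens on;
    #keepalive_timeout  0;
    keepalive_timeout  65 180;
    client_header_timeout 80;
}
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_conf "$tmp"; rm -f "$tmp"
```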

Origin blog.51cto.com/14449536/2451702