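Nginx security hardening and nginx web page optimization [hiding version information, nginx compression, nginx caching, nginx log rotation, nginx timeout settings, nginx process tuning, nginx anti-hotlinking settings, php-fpm parameter tuning]

nginx security hardening and nginx web page optimization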

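Table of contents

    • nginx security hardening and nginx web page optimization
      • I. nginx security hardening
        • 【1】 nginx access statistics
        • 【2】 nginx access control
          • (1) Install the httpd package to get htpasswd
          • (2) Require a user name and password for access
          • (3) Deny a specific host or subnet
        • 【3】 Anti-hotlinking settings
          • (1) First, configure the hotlinking site
          • (2) Configure the legitimate site
      • II. nginx web page optimization
        • 【1】 Compile and install nginx manually
        • 【2】 Hide version information
        • 【3】 nginx caching
        • 【4】 nginx compression
        • 【5】 nginx log rotation
        • 【6】 nginx client timeout settings
        • 【7】 nginx process tuning
        • 【8】 php-fpm parameter tuning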

I. nginx security hardening

【1】 nginx access statistics

vim /etc/nginx.conf
location /status {
             stub_status on;
             access_log  off;
        }
service nginx restart
######## Then visit 192.168.60.60/status ##########

【2】 nginx access control

(1) Install the httpd package to get htpasswd
yum install -y httpd
which htpasswd
htpasswd -c /usr/local/nginx/passwd.db tom
chown nginx /usr/local/nginx/passwd.db 
chmod 400 /usr/local/nginx/passwd.db
(2) Require a user name and password for access
vim /etc/nginx.conf
server {
      listen 80;
      server_name www.kgc.com;
      location / {
        auth_basic "secret";
        auth_basic_user_file /usr/local/nginx/passwd.db;
        root /var/www/html/kgc;
        index  index.html index.htm; }
}
service nginx restart
systemctl stop firewalld.service 
setenforce 0 
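
The password file from steps (1) and (2) only protects the site if the path given to auth_basic_user_file names the file htpasswd actually created and that file stays unreadable to other local users. The shell function below is an added example, not part of the original post; it checks both, and the name audit_auth_files and the demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# audit_auth_files CONF   (added example, not from the original post)
#   For every auth_basic_user_file directive in CONF, check that the file
#   exists and that group/other have no permission bits (as chmod 400 gives).
#   Prints one finding per file; returns 1 if any file is missing or loose.
# Assumes absolute paths without spaces and GNU stat (Linux).
audit_auth_files() {
    conf=$1
    rc=0
    # Take the argument of each directive; commented-out lines do not match.
    paths=$(sed -n 's/^[[:space:]]*auth_basic_user_file[[:space:]][[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*$/\1/p' "$conf")
    for path in $paths; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        case $mode in
            ?00) echo "OK $path (mode $mode)" ;;
            *)   echo "LOOSE $path (mode $mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed demo: a password file created as in step (1), and a config
# that names passwd_db instead of passwd.db.
demo=$(mktemp -d)
printf 'tom:constructed-hash\n' > "$demo/passwd.db"
chmod 400 "$demo/passwd.db"
cat > "$demo/nginx.conf" <<EOF
server {
    location / {
        auth_basic "secret";
        auth_basic_user_file $demo/passwd_db;
    }
}
EOF
audit_auth_files "$demo/nginx.conf" || echo "fix the findings above before restarting nginx"
```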
(3) Deny a specific host or subnet
vim /etc/nginx.conf
    server {
      listen 80;
      server_name www.benet.com;
      location / {
        deny 192.168.60.11;
        allow all;
        root /var/www/html/benet;
         index  index.html index.htm; }
}
service nginx restart
systemctl stop firewalld.service 
setenforce 0 
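
The /status location in section 【1】 has no access restriction of its own, and the directives shown in this section (auth_basic, allow/deny) are what would restrict it. The following is an added example, not from the original post: it lists stub_status locations in a config that carry neither a deny rule nor an active auth_basic. The function names and the /nginx_status block are constructed for illustration.

```shell
#!/bin/sh
# open_status_locations [CONF]   (added example, not from the original post)
#   Prints each location that enables stub_status without a deny rule or an
#   active auth_basic inside the same block; exit status 1 if any is found.
#   Reads stdin when no file is given. Restrictions inherited from the
#   enclosing server block are not considered.
open_status_locations() {
    awk '
        { sub(/#.*/, "") }                          # ignore comments
        !inloc && /^[ \t]*location[ \t]/ {          # a location block starts
            inloc = 1; depth = 0; status = 0; guarded = 0
            head = $0
            sub(/^[ \t]+/, "", head); sub(/[ \t]*[{].*/, "", head)
        }
        inloc {
            if ($0 ~ /(^|[ \t;{])stub_status[ \t;]/) status = 1
            if ($0 ~ /(^|[ \t;{])deny[ \t]/) guarded = 1
            if ($0 ~ /(^|[ \t;{])auth_basic[ \t]/ && $0 !~ /auth_basic[ \t]+off/) guarded = 1
            opened = gsub(/[{]/, "{"); closed = gsub(/[}]/, "}")
            depth += opened - closed
            if (closed && depth <= 0) {             # the block is complete
                if (status && !guarded) { print head; found = 1 }
                inloc = 0
            }
        }
        END { exit found + 0 }
    ' "$@"
}

# Constructed sample: the open block from section 【1】 next to one guarded
# with the allow/deny directives of step (3).
sample_conf() {
cat <<'EOF'
server {
    listen 80;
    location /status {
        stub_status on;
        access_log  off;
    }
    location /nginx_status {
        stub_status on;
        allow 192.168.60.11;
        deny all;
    }
}
EOF
}
sample_conf | open_status_locations || true   # prints: location /status
```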

【3】 Anti-hotlinking settings

Hotlinking site: 192.168.60.10
Legitimate site: 192.168.60.20

(1) First, configure the hotlinking site
yum install -y httpd
vim /var/www/html/index.html

this is daolian web

vim /etc/httpd/conf/httpd.conf
Listen 192.168.60.10:80
#Listen 80
ServerName www.test.com:80
echo "nameserver 192.168.60.20" >>/etc/resolv.conf
systemctl start httpd.service
(2) Configure the legitimate site
cd /usr/local/nginx/html/
vim index.html

Welcome to nginx!

mv esha.jpg error.png
yum install -y bind
vim /etc/named.conf
listen-on port 53 { any; };
allow-query     { any; };
vim /etc/named.rfc1912.zones
zone "kgc.com" IN {
        type master;
        file "kgc.com.zone";
        allow-update { none; };
};
cp -p /var/named/named.localhost /var/named/kgc.com.zone
vim /var/named/kgc.com.zone
www IN A 192.168.60.20
systemctl start named
vim /etc/nginx.conf
location ~*\.(gif|jpg|jpeg|ico|bmp)$ {
    valid_referers none blocked *.kgc.com kgc.com;
    if ( $invalid_referer ) {
        rewrite ^/ http://www.kgc.com/error.png;
    }
}

II. nginx web page optimization

【1】 Compile and install nginx manually

cd /opt
mkdir nginx
cd nginx
tar zxvf nginx-1.12.2.tar.gz 
cd nginx-1.12.2
yum install -y gcc gcc-c++ pcre-devel zlib-devel
useradd -M -s /sbin/nologin nginx
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
make && make install
ln -s /usr/local/nginx/sbin/* /usr/local/sbin/
ln -s /usr/local/nginx/conf/nginx.conf /etc/
nginx -t
vim /etc/init.d/nginx
chmod +x /etc/init.d/nginx 
chkconfig --add nginx

【2】 Hide version information

Method 1: (after nginx is compiled, hide the version number by editing the configuration file)

 vim /etc/nginx.conf 
  server_tokens off;

curl -I http://192.168.60.20
   HTTP/1.1 200 OK
   Server: nginx/1.12.2
   Date: Sun, 09 Aug 2020 20:43:50 GMT

service nginx start

curl -I http://192.168.60.20
   HTTP/1.1 200 OK
   Server: nginx
   Date: Sun, 09 Aug 2020 20:42:09 GMT
   Content-Type: text/html
   Content-Length: 635
   Last-Modified: Sun, 09 Aug 2020 19:34:31 GMT
   Connection: keep-alive
   Keep-Alive: timeout=100
   ETag: "5f304fc7-27b"
   Accept-Ranges: bytes

Method 2: (before compiling nginx, edit the nginx.h file in the source package to hide the version information)

tar zxvf nginx-1.12.2.tar.gz
cd nginx-1.12.2/
vim src/core/nginx.h
#define NGINX_VERSION      "1.1.2"    /* version number */
yum install -y gcc gcc-c++ pcre-devel zlib-devel
useradd -M -s /sbin/nologin nginx
./configure \
--prefix=/usr/local/nginx \
--user=nginx --group=nginx \
--with-http_stub_status_module
make && make install
ln -s /usr/local/nginx/sbin/* /usr/local/sbin/
ln -s /usr/local/nginx/conf/nginx.conf /etc/
nginx -t
vim /etc/init.d/nginx
chmod +x /etc/init.d/nginx 
chkconfig --add nginx

【3】 nginx caching

vim /etc/nginx.conf 
 location ~\.(gif|jpg|jpeg|ico|bmp|png)$ {
            root   html;
            expires 1m;
        }
service nginx restart

【4】 nginx compression

vim /etc/nginx.conf 
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 6;
gzip_types text/plain text/css text/javascript
    image/jpg image/jpeg image/png image/gif
    application/xml application/x-httpd-php application/javascript application/json;
gzip_disable "MSIE [1-6]\.";
gzip_vary on;
service nginx restart

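【5】 nginx log rotation

cd /opt
vim fenge.sh

#!/bin/bash
# Move yesterday's access log aside and prune old copies
d=$(date -d "-1 day" "+%Y%m%d")
logs_path="/var/log/nginx"
pid_path="/usr/local/nginx/logs/nginx.pid"
[ -d "$logs_path" ] || mkdir -p "$logs_path"
mv /usr/local/nginx/logs/access.log "${logs_path}/test.com-access.log-$d"
# USR1 tells the nginx master process to reopen its log files
kill -USR1 "$(cat "$pid_path")"
# Delete rotated logs older than 30 days (files only, never the directory itself)
find "$logs_path" -type f -mtime +30 -delete

chmod +x fenge.sh
./fenge.sh
cd /var/log/nginx
date -s 08/11/20
/opt/fenge.sh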
cd /var/log/nginx/
ls
test.com-access.log-20200809  test.com-access.log-20200810

【6】 nginx client timeout settings

vim /etc/nginx.conf
    keepalive_timeout  65 100;    # 65: server-side timeout; 100: value sent to the client in the Keep-Alive header
    client_header_timeout 80;
    client_body_timeout 80;
nginx -t
service nginx restart

【7】 nginx process tuning

ps aux | grep nginx    # only one worker process
cat /proc/cpuinfo | grep -c "physical id"    # check the number of CPUs
vim /etc/nginx.conf
worker_processes 2;
worker_cpu_affinity 01 10;
events {
    worker_connections  1024;
}
nginx -t
service nginx restart
ps aux |grep nginx

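【8】 php-fpm parameter tuning

vim php-fpm.conf
pid=run/php-fpm.pid
pm=dynamic
pm.max_children=20      ; maximum number of child processes (the fixed count in static mode); larger than the values below
pm.start_servers=5      ; processes started by default in dynamic mode; must lie between the minimum and maximum below
pm.min_spare_servers=2  ; minimum number of idle processes in dynamic mode
pm.max_spare_servers=8  ; maximum number of idle processes in dynamic mode; must be at least pm.start_servers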
