Nginx optimization and anti-hotlinking

Posted by Wabin on Tue, 12 Oct 2021 01:32:18 +0200

Contents

Introduction

1, Nginx optimization

1. Hide the version number

2. Change the user and group

3. Set the cache time

4. Log rotation

5. Connection timeouts

6. Change the number of worker processes

7. Web page compression

2, Hotlinking and anti-hotlinking

1. Hotlinking

2. Anti-hotlinking

3. php-fpm parameter tuning

Summary

Introduction

In an enterprise environment the security and response speed of a server have to be configured for the actual workload to give users the best experience.
A default Nginx installation only provides the most basic service; parameters such as cache time, connection timeouts and web page compression need adjusting before the server performs to its potential.

1, Nginx optimization

1. Hide the version number

Reason: in many production environments a specific service version has publicly known vulnerabilities, so hiding the version number makes the server harder to fingerprint and reduces the chance of being targeted. It is only defence in depth: the software can still be identified from its behaviour, so keep patching.

View the version number

curl -I http://192.168.255.180
 or
 In the browser press F12 to open the developer tools - select Network - refresh the page - pick a request - select Headers - read the Server response header

Ways to hide or change the version number

1. Edit the configuration file

vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;		#Add this line: the Server header and the built-in error pages then show only "nginx", without the version
}

systemctl restart nginx
curl -I http://192.168.255.180


2. Modify the source code

vim /opt/nginx-1.12.0/src/core/nginx.h
#define NGINX_VERSION "1.1.1" 					#Fake version number
#define NGINX_VER "apache/" NGINX_VERSION 			#Fake server type; the original is "nginx/" NGINX_VERSION, so keep the slash or the banner becomes "apache1.1.1"

Use the same ./configure options as the existing installation, because make install replaces the binary under /usr/local/nginx.

cd /opt/nginx-1.12.0/
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
make && make install

With the rebuilt binary server_tokens can stay on, since the string it exposes is now the fake one:

vim /usr/local/nginx/conf/nginx.conf
http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens on;
	......
}

systemctl restart nginx
curl -I http://192.168.255.180

2. Change the user and group

1. Edit the configuration file
vim /usr/local/nginx/conf/nginx.conf

user nginx nginx; 		 	#Uncomment and set the user to nginx and the group to nginx (the account must already exist)

systemctl restart nginx

ps aux | grep nginx			#The master process still runs as root (it binds port 80); the worker processes should now run as nginx

2. Specify the user and group when compiling and installing
cd nginx-1.12.0/
./configure \
--prefix=/usr/local/nginx \				#Installation path of nginx
--user=nginx \							#User the worker processes run as
--group=nginx \							#Group the worker processes run as
--with-http_stub_status_module			#Enable the http_stub_status_module for status statistics

make && make install

3. Set the cache time

When Nginx returns web page data to the client it can also set a cache time, so that later requests for the same content are served from the browser or proxy cache instead of being repeated, which speeds up access.
This is normally done only for static content; dynamic pages are not given a cache time, because the data returned by a dynamic request changes and is not suitable for caching.

vim /usr/local/nginx/conf/nginx.conf
http {
......
	server {
	...... 

        location / {
            root   html;
            index  index.html index.htm;
        }

		location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ { 	#Add a location that treats images as the cache object
			root html;
			expires 1d;				#Sets the Expires and Cache-Control: max-age headers to 1 day; 18h also works, but fractional values such as 1.5d are not accepted (write 36h)
		}
......
	}
}



cd /usr/local/nginx/html
vim index.html
<img src="dog.jpg"/>               #Insert picture


nginx -t
systemctl restart nginx

4. Log rotation

vim /opt/fenge.sh
#!/bin/bash

day=$(date -d "-1 day" "+%Y%m%d")   #Date of the previous day, used in the rotated file name
logs_path="/var/log/nginx"
pid_path="/usr/local/nginx/logs/nginx.pid"

[ -d "$logs_path" ] || mkdir -p "$logs_path"        #Create the log directory if it does not exist

#Move and rename the log file (${day}, not {$day}, otherwise the literal text "{$day}" ends up in the name)
mv /usr/local/nginx/logs/access.log "${logs_path}/test.com-access.log-${day}"

#Ask the master process to reopen its log files; USR1 is the log-reopen signal (HUP also works, but it reloads the whole configuration)
kill -USR1 "$(cat "$pid_path")"
#Delete rotated logs older than 30 days; -type f stops find from matching the directory itself
find "$logs_path" -type f -mtime +30 -exec rm -f {} \;
#find "$logs_path" -type f -mtime +30 | xargs rm -f


chmod +x /opt/fenge.sh
crontab -e
0 1 * * * /opt/fenge.sh

systemctl restart nginx 
netstat -natp |grep nginx

5. Connection timeouts

To stop one client from holding a connection for a long time and wasting resources, set the connection timeout parameters that bound how long each phase of a request may take:
keepalive_timeout sets how long an idle keep-alive connection is held open

client_header_timeout
Timeout for waiting for the client to send the request header

client_body_timeout
Timeout for reading the request body
 
Lower values free worker connections sooner and limit how long a slow client can tie one up; the values below are generous (the default for both client timeouts is 60s) and are an example rather than a recommendation.

vim /usr/local/nginx/conf/nginx.conf
http {
...... 
    keepalive_timeout 65;
    client_header_timeout 80; #Timeout waiting for the client to send the request header; on expiry nginx answers 408 Request Time-out
    client_body_timeout 80;   #Timeout between two successive reads of the request body, not for the whole body; also 408 on expiry
...... 
}

6. Change the number of worker processes

cat /proc/cpuinfo | grep -c "physical id"	#Counts the logical CPUs (one "physical id" line per processor entry); nproc gives the same number
ps aux | grep nginx							#See how many worker processes the nginx master process has

vim /usr/local/nginx/conf/nginx.conf
worker_processes  2;				#Set to the number of cores, or twice that
worker_cpu_affinity 01 10;			#Pin each worker to a different CPU: one bitmask per worker, rightmost bit is CPU 0, e.g. 0001 0010 0100 1000 for four cores


systemctl restart nginx

01 means the first CPU core is enabled, 10 means the second CPU core is enabled.
worker_cpu_affinity 01 10; means two workers are started: the first worker is bound to the first CPU core, the second worker to the second CPU core.
###2-core CPU, starting 4 processes
worker_processes 4;
worker_cpu_affinity 01 10 01 10;
Ps: four workers are started, two per core, on the 2 CPU cores
##4 CPUs, start 4 processes
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
Ps: 0001 means the first CPU core is enabled, 0010 the second CPU core, and so on
worker_processes auto; (and, since nginx 1.9.10, worker_cpu_affinity auto;) derives both values from the CPUs available to nginx, which is the simpler choice on most servers.
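As an added example (not part of the original post), the following shell function builds worker_cpu_affinity masks for any number of cores and workers; it reproduces the three cases listed above and generalizes them. It assumes workers are spread round-robin over the cores, which is what the masks above do, and the fallback value of 2 CPUs in cpu_count is an assumption for the demo only.

```sh
#!/bin/sh
# Added example: builds worker_cpu_affinity bitmasks for a given number of
# CPU cores and worker processes. Worker i is pinned to core (i mod cores),
# the round-robin layout used in the masks above. In each mask the rightmost
# bit is CPU 0, which is how nginx reads them.

# affinity_masks CORES WORKERS -> prints the masks, space separated
affinity_masks() {
    cores=$1
    workers=$2
    out=""
    i=0
    while [ "$i" -lt "$workers" ]; do
        core=$((i % cores))
        mask=""
        b=$((cores - 1))            # build from the most significant bit down
        while [ "$b" -ge 0 ]; do
            if [ "$b" -eq "$core" ]; then
                mask="${mask}1"
            else
                mask="${mask}0"
            fi
            b=$((b - 1))
        done
        out="${out}${out:+ }${mask}"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# nginx_worker_directives CORES WORKERS -> the two directives, ready to paste
# into the main (global) context of nginx.conf
nginx_worker_directives() {
    printf 'worker_processes  %s;\nworker_cpu_affinity %s;\n' \
        "$2" "$(affinity_masks "$1" "$2")"
}

# Logical CPU count of this host; the final "echo 2" is a demo fallback
# (assumption) for systems with neither nproc nor /proc/cpuinfo.
cpu_count() {
    nproc 2>/dev/null || grep -c '^processor' /proc/cpuinfo 2>/dev/null || echo 2
}

# Demo: the page's three cases, then this host with one worker per core.
nginx_worker_directives 2 2
nginx_worker_directives 2 4
nginx_worker_directives 4 4
n=$(cpu_count)
nginx_worker_directives "$n" "$n"
```

Pinning only helps when the worker count is close to the core count; with more workers than cores the masks repeat, as in the 2-core/4-worker case, and several workers share a core.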

7. Web page compression

vim /usr/local/nginx/conf/nginx.conf
http {
...... 
   gzip on;       #Uncomment to enable gzip compression
   gzip_min_length 1k;        #Responses smaller than this are sent uncompressed
   gzip_buffers 4 64k;        #Compression buffers: 4 buffers of 64k each
   gzip_http_version 1.1;     #Minimum HTTP version of a request for which responses are compressed (default 1.1; use 1.0 if a Squid 2.5 proxy sits in front)
   gzip_comp_level 6;         #Compression level 1-9; the middle value is a reasonable start (lower means less CPU, higher means less network traffic)
   gzip_vary on;     #Adds "Vary: Accept-Encoding" so front-end caches keep compressed and uncompressed copies apart
   gzip_types text/plain text/javascript application/x-javascript text/css text/xml application/xml application/xml+rss application/x-httpd-php application/javascript application/json;  #MIME types to compress; JPEG/PNG/GIF are already compressed, so listing image types only costs CPU
...... 
}


cd /usr/local/nginx/html
 upload dog.jpg
vim index.html

<img src="dog.jpg"/>

echo "192.168.255.180 www.ly.com" >> /etc/hosts
echo "192.168.255.170 www.kgc.com" >> /etc/hosts

Browser access the server by the host name mapped above (http://www.ly.com) and confirm in the developer tools that the HTML response carries Content-Encoding: gzip while the image response does not.

2, Hotlinking and anti-hotlinking

1. Hotlinking

Hotlinking means another site embeds a resource (here dog.jpg) directly from this server, so this server pays the bandwidth while the other site displays the content.

Server side: the normal configuration above, serving dog.jpg

Client (the hotlinking site)
echo "192.168.255.180 www.kgc.com" >> /etc/hosts    #Server IP and domain name

cd /usr/local/nginx/html

vim index.html
<title>Welcome to nginx!</title>
<img src="http://www.kgc.com/dog.jpg">             #Links to the image on the server

Open the client's own address in a browser (or fetch it with curl); the browser then requests dog.jpg from www.kgc.com with a Referer pointing at the client page
curl http://192.168.255.150

2. Anti-hotlinking

Nginx's referer module checks the Referer request header: valid_referers lists the referers that are allowed, and $invalid_referer is set to "1" for every other request, which the location below redirects to an error image (or rejects with 403).

vim /usr/local/nginx/conf/nginx.conf
http {
......
	server {
	......
		location ~* \.(jpg|gif|swf)$ {
			valid_referers none blocked kgc.com *.kgc.com;	#none: no Referer at all (direct visits); blocked: Referer stripped by a proxy; then the site's own names. Without none, a user opening the image URL directly is blocked too
			if ( $invalid_referer ) {
				rewrite ^/ http://www.kgc.com/error.png;	#error.png does not match this location's regex, so the redirect cannot loop
				#return 403;
            }
        }
	......
	}
}

The Referer header is supplied by the client, so this stops browsers embedding the image from other sites' pages but not a deliberate fetch that sets the header itself; it protects bandwidth rather than the content.
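As an added example that is not part of the original post or of nginx itself, this shell function emulates the decision the referer module makes for a valid_referers list, so the effect of the location above (and of the none/blocked keywords) can be checked offline against constructed Referer values instead of a live server. Host matching and the leading/trailing * wildcard follow the module's documented rules; URI-prefix and ~regex entries, which the page does not use, are not implemented. The same table also shows the weak point of the scheme: a request that sets its own Referer (curl -e 'http://www.kgc.com/' http://www.kgc.com/dog.jpg) is indistinguishable from a legitimate one.

```sh
#!/bin/sh
# Added example: emulates how nginx's referer module evaluates a
# valid_referers list. Not nginx code; URI prefixes and ~regex entries are
# not implemented because the location above does not use them.

# is_valid_referer REFERER ENTRY...
#   REFERER is the raw Referer header value ("" when the header is absent).
#   ENTRY is none, blocked, a host name, or a host pattern with a leading
#   or trailing "*" (valid_referers syntax). Returns 0 when the request is
#   accepted ($invalid_referer empty) and 1 when it would be rejected.
is_valid_referer() {
    referer=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # host comparison is case-insensitive
    shift
    for entry in "$@"; do
        case $entry in
            none)
                # "none": the Referer header is missing entirely
                [ -z "$referer" ] && return 0
                ;;
            blocked)
                # "blocked": header present but without http:// or https://
                # (typically stripped or masked by a proxy or firewall)
                case $referer in
                    ''|http://*|https://*) ;;
                    *) return 0 ;;
                esac
                ;;
            *)
                # A host entry: strip the scheme, keep the host, drop path and port
                host=${referer#http://}
                host=${host#https://}
                [ "$host" = "$referer" ] && continue   # no scheme: not a host referer
                host=${host%%/*}
                host=${host%%:*}
                case $host in
                    $entry) return 0 ;;                # unquoted on purpose: "*" is a wildcard
                esac
                ;;
        esac
    done
    return 1
}

# referer_decision REFERER ENTRY... -> prints "allow" or "deny"
referer_decision() {
    if is_valid_referer "$@"; then echo allow; else echo deny; fi
}

# Demo with constructed Referer values: the page's list as written, and
# the same list with the none/blocked keywords added. The first value is
# also what a spoofing client would send, and it is allowed either way.
demo() {
    for r in "http://www.kgc.com/index.html" "http://192.168.255.150/" ""; do
        printf 'Referer %-34s page list: %-5s with none/blocked: %s\n' \
            "'$r'" \
            "$(referer_decision "$r" kgc.com '*.kgc.com')" \
            "$(referer_decision "$r" none blocked kgc.com '*.kgc.com')"
    done
}
demo
```

The empty Referer row is the case the page's configuration gets wrong: with only kgc.com *.kgc.com listed, a user who opens the image URL directly is redirected to error.png, which is why none (and usually blocked) belongs in the list.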

3. php-fpm parameter tuning

cd /usr/local/php/etc/
cp php-fpm.conf.default php-fpm.conf
vim php-fpm.conf
pid = run/php-fpm.pid		#Uncomment, so the pid file used by the reload command below is written

vim /usr/local/php/etc/php-fpm.d/www.conf
#line 96
pm = dynamic		#Process manager mode: dynamic, the number of children varies between the limits below
#line 107
pm.max_children = 20  #Maximum number of child processes; each holds a full PHP interpreter, so size this against available memory
#line 112
pm.start_servers = 5  #Children started at launch in dynamic mode; must lie between min_spare and max_spare
#line 117
pm.min_spare_servers = 2  #Minimum number of idle children in dynamic mode
#line 122
pm.max_spare_servers = 8  #Maximum number of idle children in dynamic mode; must not exceed max_children

#Start php-fpm (there is no restart subcommand)
/usr/local/php/sbin/php-fpm  -c /usr/local/php/lib/php.ini
#Once it is running, reload it gracefully with USR2 through the pid file configured above
kill -USR2 `cat /usr/local/php/var/run/php-fpm.pid`
netstat -anpt | grep 9000		#Should show php-fpm listening on 127.0.0.1:9000 only; the FastCGI port must not be reachable from other hosts, since whoever can reach it can have php-fpm execute scripts
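As an added check that is not part of the original post, the following shell function reads the pm.* values from a www.conf and verifies the relationships php-fpm enforces for dynamic mode (positive spare limits, max_spare no larger than max_children, start_servers between min_spare and max_spare), so a bad edit is caught before the USR2 reload. It assumes a plain "key = value" layout as in the file above; the sample files are constructed for the demo, and php-fpm -t remains the authoritative check.

```sh
#!/bin/sh
# Added example: checks the pm.* relationships php-fpm enforces for
# pm = dynamic before a pool is (re)loaded. Not part of php-fpm; the
# sample files below are constructed to mirror the values in the page.

# ini_value FILE KEY -> the last uncommented "KEY = value" in FILE
ini_value() {
    key=$(printf '%s' "$2" | sed 's/[.]/\\./g')     # escape the dots in pm.max_children etc.
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" "$1" | tail -n 1
}

# fpm_pm_check FILE -> returns 0 and prints a summary if the dynamic-mode
# limits are consistent, otherwise prints the first violation and returns 1
fpm_pm_check() {
    f=$1
    pm=$(ini_value "$f" pm)
    max=$(ini_value "$f" pm.max_children)
    start=$(ini_value "$f" pm.start_servers)
    min=$(ini_value "$f" pm.min_spare_servers)
    maxs=$(ini_value "$f" pm.max_spare_servers)

    [ "$pm" = dynamic ] || { echo "pm=$pm: this check covers pm = dynamic only"; return 1; }
    for v in "$max" "$start" "$min" "$maxs"; do
        case $v in
            ''|*[!0-9]*) echo "missing or non-numeric pm.* value"; return 1 ;;
        esac
    done
    [ "$max" -gt 0 ]       || { echo "pm.max_children must be > 0"; return 1; }
    [ "$min" -gt 0 ]       || { echo "pm.min_spare_servers must be > 0"; return 1; }
    [ "$maxs" -ge "$min" ] || { echo "pm.max_spare_servers ($maxs) < pm.min_spare_servers ($min)"; return 1; }
    [ "$maxs" -le "$max" ] || { echo "pm.max_spare_servers ($maxs) > pm.max_children ($max)"; return 1; }
    if [ "$start" -lt "$min" ] || [ "$start" -gt "$maxs" ]; then
        echo "pm.start_servers ($start) must lie between $min and $maxs"
        return 1
    fi
    echo "ok: up to $max children, $start at start, $min-$maxs kept idle"
}

# Demo on two constructed files: the page's values, then a bad edit that
# raises start_servers above max_spare_servers.
good=$(mktemp)
bad=$(mktemp)
cat > "$good" <<'EOF'
; constructed www.conf fragment with the page's values
pm = dynamic
pm.max_children=20
pm.start_servers = 5
pm.min_spare_servers = 2
pm.max_spare_servers = 8
EOF
sed 's/^pm.start_servers = 5/pm.start_servers = 10/' "$good" > "$bad"
fpm_pm_check "$good"
fpm_pm_check "$bad" || echo "rejected, as php-fpm would be at startup"
rm -f "$good" "$bad"
```

Run it against /usr/local/php/etc/php-fpm.d/www.conf after editing and before sending USR2; a pool that fails these checks does not start, and a reload that fails leaves the old children serving with the old limits.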

Summary

Nginx is good at serving static requests. In theory it can handle 30,000 to 50,000 concurrent connections; limited by the CPU and the maximum number of open files, around 30,000 is typical in practice. It is popular with many companies mainly because it is open source (with a paid commercial edition); one drawback is that it has no built-in clustering.

The main parts of an Nginx configuration are the global settings, the http block, the server block, and the location blocks that match URLs and paths. The modules and settings used here are stub_status, rewrite, php-fpm, virtual hosts, gzip and server_tokens off.

Day-to-day tuning covers anti-hotlinking, hiding the version (configuration file or source code), changing the user and group, cache time, log rotation, web page compression (gzip compression level, minimum object size, number and size of compression buffers, whether front-end caches may store compressed copies, and the permissions of temporary cache files and directories), connection timeouts, php-fpm, worker process resource allocation and virtual hosts (by IP, port or domain name).

Topics: Operation & Maintenance Nginx