Small Nginx optimizations
1, Hide the version number
In a production environment, the Nginx version number should be hidden so that it is not disclosed to clients.
Each version has its own known defects; hiding the version avoids exposing them and inviting attacks against them.
1. How to view version number:
1. Local: curl -I http://192.168.65.129
2. Browser: open the developer tools (F12) -> Network -> reload the page -> select the request -> Headers, and read the version there
2. How to hide the version number:
① Modify the configuration file
② Modify the source code
2.1 Modify the configuration file:
1. Open the main configuration file (vim /usr/local/nginx/conf/nginx.conf)

    http {
        include       mime.types;
        default_type  application/octet-stream;
        server_tokens off;    # insert this line to turn off the version number
        ...
    }

2. Restart and view
2.2 Modify the source code:
Note: the source code is under src/; its core/ subdirectory holds the core module.
1. Modify the file

    vim /opt/nginx-1.12.0/src/core/nginx.h

    #define nginx_version      1015009
    #define NGINX_VERSION      "1.15.9"                 /* modify */
    #define NGINX_VER          "nginx/" NGINX_VERSION   /* modify */

2. Recompile

    ./configure \
      --prefix=/usr/local/nginx \
      --user=nginx \
      --group=nginx \
      --with-http_stub_status_module
    make && make install

3. Turn the version number display back on (server_tokens on)
4. Restart and view
Note: nginx may have worker subprocesses that cannot be closed cleanly and need to be killed manually.
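To check the result of either method without reading headers by eye, the following added example (not part of the original article) classifies the Server header in a block of response headers such as the output of curl -sI. The function name server_disclosure and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: read response headers on stdin and report what the
# Server header gives away.
#   version -> product and version are exposed (server_tokens on)
#   product -> product name only (server_tokens off)
#   absent  -> no Server header in the response
server_disclosure() {
    cr=$(printf '\r')
    result=absent
    while IFS= read -r line; do
        line=${line%"$cr"}                 # header lines end in CRLF
        [ -n "$line" ] || break            # blank line ends the header block
        # header names are case-insensitive (HTTP/2 sends them lower-case)
        name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
        [ "$name" = server ] || continue
        case "${line#*:}" in
            */[0-9]*) result=version ;;    # e.g. nginx/1.12.0
            *)        result=product ;;    # e.g. nginx
        esac
        break
    done
    printf '%s\n' "$result"
}

# Constructed samples; against a live host use:
#   curl -sI http://192.168.65.129 | server_disclosure
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.12.0\r\n\r\n' | server_disclosure
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n' | server_disclosure
```

A rewritten version string such as nginx/1.15.9 is still reported as version: the header carries a version, only not the real one.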
2, Modify users and groups
Note: if the user was not created before installation, the service runs as nobody by default.

    vim /usr/local/nginx/conf/nginx.conf

    user nginx nginx;    # remove the leading # and change nobody to nginx

    # use chown to give ownership to the user and group
    systemctl restart nginx.service
    ps aux | grep nginx    # check whether the user and group have been changed
3, Set the cache time (avoid repeated requests and speed up access) for static pages
1. Modify the main configuration file:

    vim /usr/local/nginx/conf/nginx.conf

    # inside http { server { ... add the following location
    location ~ \.(gif|jpg|jpeg|bmp|ico)$ {    # match requests ending in these image extensions
        root html;
        expires 1d;    # set the cache time to 1 day
    }

2. Upload pictures to the directory:

    cd /usr/local/nginx/html    # upload pictures to this directory
    vim index.html

    <h1>Welcome to nginx!</h1>
    <img src="1.jpg"/>    <!-- add the picture -->

    systemctl restart nginx    # restart the service

3. Test:
Browse to 192.168.65.129 and 192.168.65.129/1.jpg,
or test with curl -I
4, Log segmentation
The longer Nginx runs, the larger its logs grow. To keep track of how Nginx is running, you need to pay attention to the log files.
Why split the logs: to avoid log files that are too large to monitor. (fixed point -> timestamp)
Method: a script that uses Nginx's signal control,
run periodically as a scheduled task.
1. Write the shell script
Outline of the script:
Set the time variable, set the path where logs are saved, rename the current log file, create a new log file, delete log files that are too old.
Set cron to perform the split automatically on a schedule.
    vim /opt/fenge.sh

    #!/bin/bash
    # Filename: fenge.sh
    d=$(date -d "-1 day" "+%Y%m%d")    # yesterday's date, used as the file suffix
    logs_path="/var/log/nginx"         # where the split logs are kept
    pid_path="/usr/local/nginx/logs/nginx.pid"
    [ -d "$logs_path" ] || mkdir -p "$logs_path"
    # rename the current log, then signal nginx so that it creates a new one
    mv /usr/local/nginx/logs/access.log "${logs_path}/test.com-access.log-$d"
    kill -HUP "$(cat "$pid_path")"
    # delete split logs older than 30 days (files only, never the directory itself)
    find "$logs_path" -type f -mtime +30 -exec rm -f {} +

    chmod +x /opt/fenge.sh    # make the script executable

Note: date -d "-1 day" "+%Y%m%d" gives each file a unique name:
    -d        modify
    -1 day    the day before
    +         connector
    %Y%m%d    specific date
kill signals:
    -QUIT    end
    -HUP     smooth reload, similar to reload
    -USR1    log segmentation
    -USR2    smooth upgrade
2. Set cron: (cut when business is closed)
    crontab -l
    0 1 * * * /opt/fenge.sh

    systemctl restart nginx
    netstat -natp | grep nginx

3. Run and check

    bash -x fenge.sh
    ls /var/log/nginx/
    date -s 20210627
    ./fenge.sh
    ls /var/log/nginx/
    date
Note: the important time attributes in Linux are ctime, atime and mtime.
Windows files have three time attributes: creation time, modification time and access time.
Linux files also have three: access time (atime), when the file was last used, for example by a command or script; modification time (mtime), when the content was edited, for example with vi; and status change time (ctime), when the inode or block content changed (permissions, group, owner, number of links, etc.).
5, Connection timeouts: (to prevent the same client from holding a connection for a long time and wasting resources, set the corresponding timeout parameters to control how long a connection may last)
They fall into three categories: keep-alive timeout; timeout waiting for the client to send the request header; request body read timeout.
The keep-alive timeout specifies the longest each TCP connection can last. Nginx defaults to 65s and some browsers to 60s.
If it is 0, keep-alive connections are disabled.

    vim /usr/local/nginx/conf/nginx.conf

    #keepalive_timeout  0;
    keepalive_timeout  100;
    client_header_timeout 80;    # timeout waiting for the client to send the request header (408)
    client_body_timeout 80;      # request body read timeout

    nginx -t
6, Change the number of processes: (in high concurrency scenarios, more processes need to be started to ensure fast response)
    cat /proc/cpuinfo | grep -c "physical"
    ps aux | grep nginx
    vim /usr/local/nginx/conf/nginx.conf

    #user  nobody;
    worker_processes  2;
    worker_cpu_affinity 01 10;
7, Web page compression: improve user access experience and save bandwidth
    vim /usr/local/nginx/conf/nginx.conf

    #gzip  on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    #gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css image/jpg image/jpeg image/png image/gif application/xml text/javascript application/x-httpd-php application/javascript application/json;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;

    cd /usr/local/nginx/html
    vim index.html
    systemctl restart nginx
8, FPM module parameter optimization
If Nginx's PHP parsing is handled by FPM (FastCGI Process Manager), the FPM module's parameters can be tuned to improve PHP processing speed.
Nginx calls PHP through FPM.
FPM optimization parameters:
pm                      # how fpm processes are started: static or dynamic. The former creates a fixed number of fpm processes, the latter creates them dynamically.
pm.max_children         # number of fpm processes started in static mode (static / dynamic)
pm.start_servers        # initial number of fpm processes in dynamic mode (dynamic)
pm.min_spare_servers    # minimum number of idle fpm processes in dynamic mode (dynamic)
pm.max_spare_servers    # maximum number of idle fpm processes in dynamic mode (dynamic)

    vim php-fpm.conf

    pid = run/php-fpm.pid
    pm = dynamic
    ; maximum number of processes in static mode, greater than the values below
    pm.max_children = 20
    ; number of processes started by default in dynamic mode, between the minimum and the maximum
    pm.start_servers = 5
    ; minimum number of idle processes in dynamic mode
    pm.min_spare_servers = 2
    ; maximum number of idle processes in dynamic mode
    pm.max_spare_servers = 8
9, Hotlinking
1. Environment:
Hotlinking host: nginx service 192.168.226.134
Source server: nginx service 192.168.226.132
win10: point to the server's DNS / modify HOSTS 192.168.226.160
2. Hotlinking:
1, Add host mappings on each machine
1. Source server:
vim /etc/hosts <<
192.168.226.132 www.dog.com
2. Hotlinking host:
vim /etc/hosts <<
192.168.226.132 www.dog.com
192.168.226.134 daolian
3. win10:
Location:
C:\WINDOWS\System32\drivers\etc\hosts. Open it with Notepad.
Note: permission needs to be added before the first modification:
Properties -> Security -> Advanced -> change to Full control
192.168.226.132 www.dog.com (save with Ctrl+S)
2, Turn off the firewall and protection
3, Configure the DNS service on the source host (192.168.226.132)
4, Add a picture

    cd /usr/local/nginx/html/    # upload pictures to this directory

5, Modify index.html

    <h1>Welcome to nginx!</h1>
    <img src="http://www.dog.com/dog.jpg"/>

6, Access the source server from win10
http://www.dog.com/dog.jpg (right-click to view the image address and note it down for setting up the hotlink)
7, Set up the hotlink

    vim index.html

    <img src="http://www.dog.com/dog.jpg">

    systemctl start nginx

8, Access the hotlinking host from win10
3. Anti-hotlinking:
1, Modify the nginx configuration file on the source server host

    vim nginx.conf

    location / {
        root   html;
        index  index.html index.htm;
    }
    location ~* \.(jpg|gif|swf)$ {
        valid_referers none blocked *.dog.com dog.com;
        if ( $invalid_referer ) {
            rewrite ^/ http://www.dog.com/1.jpg;
        }
    }

    nginx -t
    systemctl restart nginx
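The following added example (not part of the original article) is a simplified shell model of how that valid_referers line classifies a request, and of what a client then sees from the rewrite. The function names referer_valid and fetch_image are hypothetical and the requests are constructed; only host names are modelled, not regex referers. It also shows that the replacement image /1.jpg matches the same location, so a hotlinked request keeps being redirected to itself; serving the replacement from a path that location does not match avoids this.

```shell
#!/bin/sh
# Added example: simplified model of the page's
#   valid_referers none blocked *.dog.com dog.com;
# referer_valid returns 0 when nginx would serve the request and 1 when
# $invalid_referer would be set. Call it with no argument to model a
# request that carries no Referer header at all.
referer_valid() {
    [ "$#" -eq 0 ] && return 0                 # "none": header absent
    ref=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$ref" in
        http://*|https://*) ;;                 # normal value: check the host
        *) return 0 ;;                         # "blocked": no scheme left
    esac
    host=${ref#*://}
    host=${host%%/*}                           # drop the path
    host=${host%%:*}                           # the port is ignored
    case "$host" in
        dog.com|*.dog.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Follow what a client sees for the location ~* \.(jpg|gif|swf)$ block.
# $1 = request path, $2 = Referer (optional).
# Prints "served <path>" or "redirect-loop".
fetch_image() {
    path=$1; shift
    hops=0
    while [ "$hops" -lt 5 ]; do
        case "$path" in
            *.jpg|*.gif|*.swf) ;;              # protected extensions
            *) break ;;                        # handled by location /
        esac
        if referer_valid "$@"; then break; fi
        path=/1.jpg                            # rewrite ^/ http://www.dog.com/1.jpg
        hops=$((hops + 1))
    done
    if [ "$hops" -ge 5 ]; then echo "redirect-loop"; else echo "served $path"; fi
}

# Constructed requests: hotlinking page, the site's own page, no Referer.
fetch_image /dog.jpg "http://daolian/index.html"
fetch_image /dog.jpg "http://www.dog.com/index.html"
fetch_image /dog.jpg
```

Because none and blocked are listed, requests with a missing or stripped Referer are served, so this check limits casual embedding and is not access control.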