
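Nginx security hardening and nginx web page optimization【hiding version information, nginx compression, nginx caching, nginx log rotation, nginx timeout settings, nginx process tuning, nginx hotlink protection, php-fpm parameter tuning】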


nginx security hardening and nginx web page optimization

I. nginx security hardening

【1】nginx access statistics
vim /etc/nginx.conf
location /status {
             stub_status on;
             access_log  off;
        }
service nginx restart
######## then browse to 192.168.60.60/status ##########
【2】nginx access control
(1) Install the httpd package to borrow its htpasswd tool
yum install -y httpd
which htpasswd
htpasswd -c /usr/local/nginx/passwd.db tom
chown nginx /usr/local/nginx/passwd.db 
chmod 400 /usr/local/nginx/passwd.db
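(2) Require a username and password for access
vim /etc/nginx.conf
server {
      listen 80;
      server_name www.kgc.com;
      location / {
        auth_basic "secret";
        # must be the file created with htpasswd in step (1)
        auth_basic_user_file /usr/local/nginx/passwd.db;
        root /var/www/html/kgc;
        index  index.html index.htm; }
}
service nginx restart
systemctl stop firewalld.service   # lab setup: turns the host firewall off
setenforce 0                       # lab setup: switches SELinux to permissive mode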
(3) Deny a specific host or network
vim /etc/nginx.conf
    server {
      listen 80;
      server_name www.benet.com;
      location / {
        deny 192.168.60.11;
        allow all;
        root /var/www/html/benet;
         index  index.html index.htm; }
}
service nginx restart
systemctl stop firewalld.service   # lab setup: turns the host firewall off
setenforce 0                       # lab setup: switches SELinux to permissive mode
【3】Hotlink protection

Hotlinking site: 192.168.60.10
Legitimate site: 192.168.60.20

(1) First set up the hotlinking site
yum install -y httpd
vim /var/www/html/index.html
<h1>this is daolian web</h1>
<img src="http://www.kgc.com/meinv.jpg" />
vim /etc/httpd/conf/httpd.conf
Listen 192.168.60.10:80
#Listen 80
ServerName www.test.com:80
echo "nameserver 192.168.60.20" >>/etc/resolv.conf
systemctl start httpd.service
(2) Set up the legitimate site
cd /usr/local/nginx/html/
vim index.html
<h1>Welcome to nginx!</h1>
<img src="meinv.jpg" />
mv esha.jpg error.png

yum install -y bind
vim /etc/named.conf
listen-on port 53 { any; };
allow-query     { any; };
vim /etc/named.rfc1912.zones
zone "kgc.com" IN {
        type master;
        file "kgc.com.zone";
        allow-update { none; };
};
cp -p /var/named/named.localhost /var/named/kgc.com.zone
vim /var/named/kgc.com.zone
www IN  A       192.168.60.20
systemctl start named

vim /etc/nginx.conf
 location ~* \.(gif|jpg|jpeg|ico|bmp)$ {
          valid_referers none blocked *.kgc.com kgc.com;
          if ( $invalid_referer ) {
              rewrite ^/ http://www.kgc.com/error.png;}
        }
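
To see which requests the rule above treats as valid, here is a simplified shell model of the nginx referer check. It is an added example, not taken from the original article or from nginx itself; the function name referer_is_valid and the sample Referer values are constructed.

```shell
# Simplified model (added example, not nginx source) of
#   valid_referers none blocked *.kgc.com kgc.com;
# $1 is the Referer value, or the word "absent" when the header is missing.
# Returns 0 if $invalid_referer stays empty (image is served),
#         1 if it is set (request is rewritten to error.png).
referer_is_valid() {
    if [ "$1" = "absent" ]; then return 0; fi       # "none"
    ref=$(printf '%s' "$1" | tr 'A-Z' 'a-z')        # matching ignores case
    case $ref in
        http://*)  rest=${ref#http://} ;;
        https://*) rest=${ref#https://} ;;
        *)         return 0 ;;                      # "blocked": no http(s):// prefix
    esac
    host=${rest%%/*}     # drop the path
    host=${host%%:*}     # drop the port
    case $host in
        kgc.com|*.kgc.com) return 0 ;;              # the two server names in the rule
    esac
    return 1
}

# Constructed sample Referer values.
for r in absent "http://www.kgc.com/index.html" "https://kgc.com:8443/" \
         "http://www.test.com/index.html" "http://kgc.com.test.com/" "-"; do
    if referer_is_valid "$r"; then verdict="served"; else verdict="error.png"; fi
    printf '%-34s %s\n' "$r" "$verdict"
done
```

A request without a Referer header is served because the rule lists none, so this setting limits embedding by other sites rather than acting as access control.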

II. nginx web page optimization

【1】Compile and install nginx from source
cd /opt
mkdir nginx
cd nginx
tar zxvf nginx-1.12.2.tar.gz 
cd nginx-1.12.2
yum install -y gcc gcc-c++ pcre-devel zlib-devel
useradd -M -s /sbin/nologin nginx
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
make && make install
ln -s /usr/local/nginx/sbin/* /usr/local/sbin/
ln -s /usr/local/nginx/conf/nginx.conf /etc/
nginx -t
vim /etc/init.d/nginx
chmod +x /etc/init.d/nginx 
chkconfig --add nginx
【2】Hide version information

Method 1: (hide the version number through the configuration file, after nginx has been compiled)

 vim /etc/nginx.conf 
  server_tokens off;

curl -I http://192.168.60.20
   HTTP/1.1 200 OK
   Server: nginx/1.12.2
   Date: Sun, 09 Aug 2020 20:43:50 GMT

service nginx restart

curl -I http://192.168.60.20
   HTTP/1.1 200 OK
   Server: nginx
   Date: Sun, 09 Aug 2020 20:42:09 GMT
   Content-Type: text/html
   Content-Length: 635
   Last-Modified: Sun, 09 Aug 2020 19:34:31 GMT
   Connection: keep-alive
   Keep-Alive: timeout=100
   ETag: "5f304fc7-27b"
   Accept-Ranges: bytes
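
A quick check for the settings configured so far (server_tokens, the stub_status location from section I and the auth_basic_user_file path), added here as an example and not part of the original article. The function name audit_nginx_conf and the sample configuration are constructed, and the parser assumes locations without nested blocks.

```shell
# Added example: audit an nginx config for the hardening settings on this page.
# Prints one finding per line; no output means every check passed.
audit_nginx_conf() {
    conf=$1
    # 1. Without "server_tokens off;" the Server header carries the version.
    grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$conf" ||
        echo "server_tokens: not set to off"
    # 2. A location that enables stub_status should also carry allow/deny rules.
    #    (Simplified parser: assumes no nested {} blocks inside the location.)
    awk '
        /^[ \t]*location[ \t]/ { inloc = 1; name = $2; stub = 0; acl = 0 }
        inloc && /stub_status/ { stub = 1 }
        inloc && /^[ \t]*(allow|deny)[ \t]/ { acl = 1 }
        inloc && /[}]/ {
            if (stub && !acl) print "stub_status: location " name " has no allow/deny"
            inloc = 0
        }' "$conf"
    # 3. Every auth_basic_user_file must exist and be closed to group/others.
    sed -n 's/^[[:space:]]*auth_basic_user_file[[:space:]]*\([^;]*\);.*/\1/p' "$conf" |
    while read -r pw; do
        if [ ! -f "$pw" ]; then
            echo "auth_basic_user_file: $pw does not exist"
        elif [ "$(ls -ld "$pw" | cut -c5-10)" != "------" ]; then
            echo "auth_basic_user_file: $pw is accessible to group or others"
        fi
    done
}

# Constructed sample: the htpasswd file is created as passwd.db, the config
# refers to passwd_db, and /status carries no access rules.
demo() {
    dir=$(mktemp -d)
    : > "$dir/passwd.db" && chmod 400 "$dir/passwd.db"
    cat > "$dir/nginx.conf" <<EOF
server {
    location /status {
        stub_status on;
    }
    location / {
        auth_basic "secret";
        auth_basic_user_file $dir/passwd_db;
    }
}
EOF
    audit_nginx_conf "$dir/nginx.conf"
    rm -rf "$dir"
}
demo
```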

Method 2: (edit nginx.h in the source tree before compiling nginx to hide the version information)

tar zxvf nginx-1.12.2.tar.gz
cd nginx-1.12.2/
vim src/core/nginx.h
#define NGINX_VERSION      "1.1.2"   /* version number */
yum install -y gcc gcc-c++ pcre-devel zlib-devel
useradd -M -s /sbin/nologin nginx
./configure \
--prefix=/usr/local/nginx \
--user=nginx --group=nginx \
--with-http_stub_status_module
make && make install
ln -s /usr/local/nginx/sbin/* /usr/local/sbin/
ln -s /usr/local/nginx/conf/nginx.conf /etc/
nginx -t
vim /etc/init.d/nginx
chmod +x /etc/init.d/nginx 
chkconfig --add nginx
【3】nginx caching
vim /etc/nginx.conf 
 location ~ \.(gif|jpg|jpeg|ico|bmp|png)$ {
            root   html;
            expires 1m;
        }
service nginx restart
【4】nginx compression
vim /etc/nginx.conf 
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 6;
gzip_types text/plain text/css text/javascript
    image/jpg image/jpeg image/png image/gif
    application/xml application/x-httpd-php application/javascript application/json;
gzip_disable "MSIE [1-6]\.";
gzip_vary on;
service nginx restart
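【5】nginx log rotation
cd /opt
vim fenge.sh

#!/bin/bash
# Rotate yesterday's access log and drop archives older than 30 days.
d=$(date -d "-1 day" "+%Y%m%d")
logs_path="/var/log/nginx"
pid_path="/usr/local/nginx/logs/nginx.pid"
[ -d "$logs_path" ] || mkdir -p "$logs_path"
mv /usr/local/nginx/logs/access.log "${logs_path}/test.com-access.log-$d"
# USR1 makes nginx reopen its log files (HUP would reload the whole configuration)
kill -USR1 "$(cat "$pid_path")"
# delete only rotated log files, never the directory itself
find "$logs_path" -type f -name 'test.com-access.log-*' -mtime +30 -exec rm -f {} +

chmod +x fenge.sh
/opt/fenge.sh
cd /var/log/nginx
date -s 08/11/20
/opt/fenge.sh
cd /var/log/nginx/
ls
test.com-access.log-20200809  test.com-access.log-20200810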
【6】nginx client timeout settings
vim /etc/nginx.conf
    keepalive_timeout  65 100;   # 65 = server side, 100 = client side (Keep-Alive header)
    client_header_timeout 80;
    client_body_timeout 80;
nginx -t
service nginx restart
【7】nginx process tuning
ps aux | grep nginx   # only one worker process
grep -c "physical id" /proc/cpuinfo   # show the number of CPUs
vim /etc/nginx.conf
worker_processes 2;
worker_cpu_affinity 01 10;
events {
    worker_connections  1024;
}
nginx -t
service nginx restart
ps aux |grep nginx
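【8】php-fpm parameter tuning
vim php-fpm.conf
pid=run/php-fpm.pid
pm=dynamic
; maximum number of child processes (the fixed count in static mode); larger than the values below
pm.max_children=20
; dynamic mode: processes started by default, between the minimum and the maximum
pm.start_servers=5
; dynamic mode: minimum number of idle processes
pm.min_spare_servers=2
; dynamic mode: maximum number of idle processes (must not be below pm.start_servers)
pm.max_spare_servers=8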