实验环境:
虚拟机
CentOS 6.8
Nginx基本安全优化
1.调整参数隐藏Nginx软件版本号信息
http
{
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server_tokens off; 为关闭状态,不显示具体版本号
include extra/www.conf;
include extra/bbs.conf;
include extra/blog.conf;
}
2.更改源码隐藏Nginx软件名称及版本号
先修改以下几个文件:
/home/skyboy/tools/nginx-1.10.2/src/core/nginx.h
/home/skyboy/tools/nginx-1.10.2/src/http/ngx_http_header_filter_module.c
/home/skyboy/tools/nginx-1.10.2/src/http/ngx_http_special_response.c
修改后编译软件,使其生效。
3.更改Nginx服务的默认用户
[[email protected] conf]# grep ‘#user‘ nginx.conf.default
#user nobody;
(1)为Nginx服务建立新用户
[[email protected] conf]# useradd nginx -s /sbin/nologin -M
useradd:用户“nginx”已存在
(2)使用刚刚建立的nginx用户
第一种方法:直接更改配置文件参数
User nginx nginx;
第二种方法:在编译软件时指定用户名和用户组
(3)检查更改用户的效果
[[email protected] conf]# ps -ef|grep nginx|grep -v grep
root 1574 1 0 23:07 ? 00:00:00 nginx: master process /application/nginx/sbin/nginx -c /application/nginx/conf/nginx.conf
nginx 1674 1673 0 23:13 ? 00:00:00 php-fpm: pool www
nginx 1675 1673 0 23:13 ? 00:00:00 php-fpm: pool www
nginx 1832 1574 0 23:36 ? 00:00:00 nginx: worker process
根据参数优化Nginx服务性能
优化Nginx服务的worker进程个数
建议,根据cpu的个数来配置进程个数。
Worker_processes 1; #默认是1个进程数
调整Nginx单个进程允许的客户端最大连接数
events {
worker_connections 1024; #默认是1024
}
Worker_connections的值要根据具体服务器性能和程序的内存使用量来指定。
#vi nginx
user nginx nginx;
worker_processes 1;
events
{
use epoll; #事件处理模型优化,没有进行任何设置,nginx会自动选择最优方法
worker_connections 2000;
}
http
{
include mime.types;
default_type application/octet-stream;
sendfile on; #用开启文件的高效传输模式
keepalive_timeout 25; #连接超时的参数设置
server_tokens off;
tcp_nopush on; #减少网络报文段的数量
tcp_nodelay on; #提高I/O性能
client_header_timeout 15s; #读取客户端请求头数据的超时时间
client_body_timeout 60s;
send_timeout 25s; #响应客户端的超时时间
client_max_body_size 8M; #调整上传文件的大小
include extra/www.conf;
include extra/bbs.conf;
include extra/blog.conf;
}
FastCGI相关参数调优
user nginx nginx;
worker_processes 1;
worker_rlimit_nofile 65535;
events
{
use epoll;
worker_connections 2000;
}
http
{
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server_tokens off;
fastcgi_connect_timeout 240;
fastcgi_send_timeout 240;
fastcgi_read_timeout 240;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
#fastcgi_temp_path data/ngx_fcgi_tmp;
fastcgi_cache_path data/ngx_fcgi_cache levels=2:2 keys_zone=ngx_fcgi_cache:512m inactive=1d max_size=40g;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 15s;
client_body_timeout 60s;
send_timeout 25s;
client_max_body_size 8M;
include extra/www.conf;
include extra/bbs.conf;
include extra/blog.conf;
}
server {
listen 80;
server_name blog.etiantian.org;
location / {
root html/blog;
index index.php index.html index.htm;
}
location ~.*\.(php|php5)?$ {
root html/blog;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_cache ngx_fcgi_cache;
fastcgi_cache_valid 200 302 2h;
fastcgi_cache_valid 301 2d;
fastcgi_cache_valid and 2m;
fastcgi_cache_min_uses 2;
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_cache_key http://$host$request_uri;
}
配置Nginx gzip压缩实现性能优化
[[email protected] conf]# vi mime.types
#文件末尾添加如下内容:
gzip on;
gzip_mim_length 1k;
gzip_buffers 4 32k;
gzip_http_version 1.1;
gzip_comp_level 9;
gzip_types text/css text/xml application/javascript;
# gzip_vary on;