Build an efficient and secure Nginx Web server

Source: Internet
Author: User
Tags: nginx server, nginx reverse proxy

Abstract: Web services are the services most exposed on the Internet. Choosing suitable software to build a Web server, so that it can serve high concurrency and withstand external attacks, is a long-term problem for anyone providing Internet services. Based on the author's practical experience, this article builds an efficient and secure Nginx Web server.

I. Why choose Nginx to build a Web server

Apache and Nginx are currently the two most popular Web servers; Apache appeared earlier than Nginx. Apache HTTP Server (Apache) is the world's top-ranked Web server software. It is an open-source Web server of the Apache Software Foundation, runs on almost all computer platforms, and has an open API: any organization or individual can extend it and add whatever functions they need to realize their own customizations.

Nginx ("Engine X") is a high-performance HTTP and reverse proxy server, and also an IMAP/POP3/SMTP proxy server. Nginx was developed by Igor Sysoev for the second most visited site in Russia, and the first public version, 0.1.0, was released on October 4, 2004. Its source code is published under a BSD license, and it is known for its stability, rich feature set, simple configuration files and low consumption of system resources.

In the early days of the Internet, sites were not very large and traffic was light; a site received at most tens of thousands of IPs a day, and Apache fully met the need. People developed all kinds of modules for it, such as the rewrite module, access control lists, cache modules and so on. But with the rapid development of the Internet, the number of visits to Web sites grew exponentially, and large sites could no longer solve the problem only by adding hardware: the classic Web server, Apache, became inadequate. Apache is not perfect, and it is no longer suitable for large-scale systems.

Why? Because Apache's process model, although simple and flexible, is not suitable for large-scale applications, especially when it has to run memory-hungry application code such as PHP. So Nginx began to rise: it was originally designed by a Russian engineer to solve the high-concurrency problem of large sites, so high concurrency is destined to be its lasting advantage. Then there is reverse proxying: large Web sites today are finely divided, with some servers handling dynamic data and others static files, and something has to direct that traffic. Usually Nginx reverse-proxies to the intranet servers, playing the role of load balancing and traffic splitting. Finally, Nginx is highly modular, and writing a module is relatively simple.

Nginx is a high-performance Web and reverse proxy server with many very advantageous features:

As a Web server: compared with Apache, Nginx uses fewer resources, supports more concurrent connections and is more efficient, which makes Nginx particularly popular with virtual hosting providers. It can support up to 50,000 concurrent connections, thanks to its choice of epoll and kqueue as the event model.

As a load-balancing server: Nginx can serve Rails and PHP internally and act as an HTTP proxy server for external services. Nginx is written in C, and both its system resource overhead and its CPU efficiency are much better than Perlbal's.

Installation is very simple, the configuration file is very concise (it can also support Perl syntax), and bugs are very few. Nginx starts particularly easily and can run almost uninterrupted, without needing a restart even after running for months. You can also upgrade the software version without interrupting service.

II. Nginx installation

1. Installation instructions

System environment: CentOS 6.6
Software: nginx-1.8.0.tar.gz
Installation method: compiled and installed from source
Installation location: /opt/program/nginx-1.8.0

2. Install the required packages

# yum install gcc-c++
# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel

Check whether Nginx is already installed on the system:

# find -name nginx
./nginx
./nginx/sbin/nginx
./nginx-1.2.6/objs/nginx

Uninstall the original Nginx:

# yum remove nginx

3. Installation and compilation

Upload the installation package to /opt/software and run the following:

# cd /opt/program
# mkdir nginx
# tar -zxvf ../software/nginx-1.8.0.tar.gz
# cd nginx-1.8.0
# ./configure --prefix=/opt/program/nginx

Note: --prefix specifies the Nginx installation directory; most users are accustomed to installing under /usr/local/nginx.

# make            # compile
# make install    # install

4. Configure service items

Modify the firewall configuration:

# vi + /etc/sysconfig/iptables

Add the rule:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Restart the firewall:

# service iptables restart

5. Start

Method 1

# /opt/program/nginx/sbin/nginx -c /opt/program/nginx/conf/nginx.conf

Method 2

# /opt/program/nginx/sbin/nginx

Query the Nginx master process number:

# ps -ef | grep nginx

Force stop:

# pkill -9 nginx

Restart (reload the configuration):

# /opt/program/nginx/sbin/nginx -s reload

Test:

# netstat -na | grep 80

Test in a browser: http://ip:80

III. Configure Nginx to support high concurrency

1. General Nginx optimization

Edit nginx.conf and modify the following parameters to optimize.

worker_processes 8;

The number of Nginx worker processes. It is recommended to set it according to the number of CPUs, usually a multiple of it (for example, two four-core CPUs count as 8).

worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;

worker_rlimit_nofile 65535;

This directive sets the maximum number of file descriptors an nginx process may open. In theory it should be the maximum number of open files (ulimit -n) divided by the number of nginx processes, but Nginx does not distribute requests evenly, so it is best to keep it consistent with ulimit -n. The open-file limit in the Linux 2.6 kernel is 65535, so worker_rlimit_nofile should be set to 65535 accordingly.

worker_connections 65535;

The maximum number of connections allowed per worker process; in theory the maximum number of connections per nginx server is worker_processes * worker_connections.

keepalive_timeout 60;

The keepalive timeout period.

client_header_buffer_size 4k;

The buffer size for the client request header. This can be set according to your system's page size: a request header generally does not exceed 1k, but because the system page size is generally larger than 1k, it is set to the page size here.

open_file_cache max=65535 inactive=60s;

This specifies the cache for open files, which is not enabled by default. max specifies the number of cache entries (recommended to match the number of open files), and inactive specifies how long a file may go without being requested before its cache entry is deleted.

open_file_cache_valid 80s;

This specifies how often the cached information is checked for validity.

A related directive sets the minimum number of times a file must be used within the inactive period; once a file reaches this count, its descriptor is always kept open in the cache. As in the previous example, if a file is not used even once within the inactive time, it is removed.

2. Optimization of kernel parameters

Edit sysctl.conf to optimize the Linux kernel.

net.ipv4.tcp_max_tw_buckets = 6000

The maximum number of TIME_WAIT sockets; the default is 180000.

net.ipv4.ip_local_port_range = 1024 65000

The range of local ports the system is allowed to use.

net.ipv4.tcp_tw_recycle = 1

Enable fast recycling of TIME_WAIT sockets. Note that this option depends on TCP timestamps (which are disabled further down), is known to break clients behind NAT, and was removed from the Linux kernel in 4.12.

net.ipv4.tcp_tw_reuse = 1

Turn on reuse, allowing TIME_WAIT sockets to be reused for new TCP connections.

net.ipv4.tcp_syncookies = 1

Turn on SYN cookies, so that cookies are used when the SYN wait queue overflows.

net.core.somaxconn = 262144

The backlog of the listen() call in Web applications is limited by the kernel parameter net.core.somaxconn, whose default is 128, while Nginx's own ngx_listen_backlog defaults to 511, so this value needs to be raised.

net.core.netdev_max_backlog = 262144

The maximum number of packets allowed to be queued when a network interface receives packets faster than the kernel can process them.

net.ipv4.tcp_max_orphans = 262144

The maximum number of TCP sockets in the system that are not attached to any user file handle. If this number is exceeded, orphaned connections are reset immediately and a warning is printed. This limit only prevents simple DoS attacks; do not rely on it too much or lower the value artificially, but rather increase it (if memory is increased).

net.ipv4.tcp_max_syn_backlog = 262144

The maximum number of recorded connection requests that have not yet received the client's acknowledgment. For systems with 128M of memory the default is 1024, and on small-memory systems it is 128.

net.ipv4.tcp_timestamps = 0

Timestamps prevent sequence number wraparound: a 1 Gbps link will certainly encounter a previously used sequence number, and timestamps let the kernel accept such "abnormal" packets. It is turned off here.

net.ipv4.tcp_synack_retries = 1

To open a connection to the peer, the kernel sends a SYN together with an ACK for the earlier SYN; this is the second step of the so-called three-way handshake. This setting determines how many SYN+ACK packets are sent before the kernel gives up on the connection.

net.ipv4.tcp_syn_retries = 1

The number of SYN packets sent before the kernel gives up on the connection.

net.ipv4.tcp_fin_timeout = 1

If the socket is closed by the local side, this parameter determines how long it stays in the FIN-WAIT-2 state. The peer may misbehave and never close the connection, or may even crash unexpectedly. The default is 60 seconds; the usual value in 2.2 kernels was 180 seconds. You can use this setting, but remember that even on a lightly loaded Web server there is a risk of many dead sockets and memory exhaustion. FIN-WAIT-2 is less dangerous than FIN-WAIT-1 because it consumes at most 1.5K of memory, but these sockets live longer.

net.ipv4.tcp_keepalive_time = 30

When keepalive is enabled, the interval at which TCP sends keepalive messages. The default is 2 hours.

After the above optimization, Nginx can support more than 50,000 concurrent connections.

IV. Nginx security configuration

There are many Nginx security configuration methods on the Internet; this article selects the Nginx security configuration policies that suit the author's own environment.

1. Delete all unneeded Nginx modules

Minimize the number of modules by compiling Nginx directly from source, and reduce risk by restricting the Web server to the modules it needs. For example, to disable the SSI and autoindex modules you can run the following:

# ./configure --without-http_autoindex_module --without-http_ssi_module
# make
# make install

Use the following command to see which modules can be enabled or disabled when compiling Nginx:

# ./configure --help | less

Then disable the Nginx modules you do not use.

2. Install an SELinux policy to harden the Nginx Web server

The default SELinux policy does not protect the Nginx Web server; here the protection policy is installed and compiled.

Install the environment required to compile the SELinux policy:

# yum -y install selinux-policy-targeted selinux-policy-devel

Download the SELinux policy to harden the Nginx Web server.

# cd /opt
# wget ''

Unzip the file:

# tar -zxvf se-ngix_1_0_10.tar.gz

Compile the policy:

# cd se-ngix_1_0_10/nginx
# make

The output will be as follows:

Compiling targeted nginx module
/usr/bin/checkmodule: loading policy configuration from tmp/nginx.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/nginx.mod
Creating targeted nginx.pp policy package
rm tmp/nginx.mod.fc tmp/nginx.mod

Install the generated nginx.pp SELinux module:

# /usr/sbin/semodule -i nginx.pp

3. Control buffer overflow attacks

Edit nginx.conf to set buffer size limits for all clients.

# vi /usr/local/nginx/conf/nginx.conf

Set the size limits for all client buffers as follows:

## Start: Size Limits & Buffer Overflows ##
client_body_buffer_size  1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
## END: Size Limits & Buffer Overflows ##

4. Control concurrent connections

Use the Nginx HttpLimitZone module to limit the concurrent connections of a given session or, in special cases, of an IP address. Edit nginx.conf:

limit_zone slimits $binary_remote_addr 5m;
limit_conn slimits 5;

The above limits each remote IP address to no more than 5 simultaneously open connections.

5. Limit the available request methods

GET and POST are the most commonly used methods on the Internet. The Web server methods are defined in RFC 2616. If the Web server does not need all available methods enabled, they should be disabled. The following directive only allows the GET, HEAD and POST methods:

## Only allow these request methods ##
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
## Do not accept DELETE, SEARCH and other methods ##

6. Reject some user agents

You can easily block user agents such as scanners, bots and spammers that abuse your server.

## Block download agents ##
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
    return 403;
}

Block the Soso and Youdao robots:

## Block some robots ##
if ($http_user_agent ~* Sosospider|YodaoBot) {
    return 403;
}

7. Prevent image hotlinking

Image or HTML hotlinking means that someone uses your site's image address directly to display the image on his own site; as a result, you pay for extra bandwidth. Such hotlinking needs to be blocked.

# Stop deep linking or hot linking
location /images/ {
    # server_names lets your own pages load the images; with only "none blocked" your own site would be rejected too
    valid_referers none blocked server_names;
    if ($invalid_referer) {
        return 403;
    }
}
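The following server block collects the controls from sections 3 to 7 in one place. It is an added example, not the article's own configuration, and it goes beyond the article in three ways: it uses limit_conn_zone (the current form of the deprecated limit_zone directive), adds a per-IP request-rate limit with limit_req, and raises client_max_body_size so that normal uploads still work. example.com, the zone names and the /images/ path are assumed placeholders, and the events block and the rest of nginx.conf are assumed to exist.

```nginx
# Added example: hardened server block combining sections 3 to 7.
# example.com, the zone names and /images/ are placeholders (assumptions).
http {
    # Section 4: limit_zone was deprecated in nginx 1.1.8; limit_conn_zone
    # is the current directive (same key, $binary_remote_addr, 5 MB of state).
    limit_conn_zone $binary_remote_addr zone=perip:5m;
    # Beyond the article: cap new requests per IP at 10 per second.
    limit_req_zone  $binary_remote_addr zone=perip_req:5m rate=10r/s;

    server {
        listen      80;
        server_name example.com www.example.com;

        # Section 3: request size limits. client_max_body_size must allow the
        # uploads you really accept; the article's 1k rejects almost every POST
        # with 413, so 1m is used here as a placeholder.
        client_body_buffer_size     8k;
        client_header_buffer_size   1k;
        client_max_body_size        1m;
        large_client_header_buffers 2 1k;

        # Section 4: at most 5 open connections per IP, plus the request-rate
        # limit above (short bursts of up to 20 requests are queued, not rejected).
        limit_conn perip 5;
        limit_req  zone=perip_req burst=20;

        # Section 5: only GET, HEAD and POST; 444 closes the connection
        # without sending any response.
        if ($request_method !~ "^(GET|HEAD|POST)$") {
            return 444;
        }

        # Section 6: reject abusive user agents (~* is case-insensitive).
        if ($http_user_agent ~* "LWP::Simple|BBBike|wget|Sosospider|YodaoBot") {
            return 403;
        }

        # Section 7: anti-hotlinking. server_names and the wildcard let your
        # own pages load the images; "none blocked" alone would block them too.
        location /images/ {
            valid_referers none blocked server_names *.example.com;
            if ($invalid_referer) {
                return 403;
            }
        }

        location / {
            root  html;
            index index.html;
        }
    }
}
```

Run nginx -t after merging this into nginx.conf; a typo in any of the if regexes is caught there rather than at the first request.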

8. Limit the number of connections per IP at the firewall level

The Web server must monitor connections and limit connections per second. Both PF and iptables can block end-user access before it reaches your Nginx server.

Linux iptables: limit the number of connections to Nginx per IP

The following example drops connections from an IP that makes more than 15 new connections to port 80 within 60 seconds.

# /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# /sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j DROP
# service iptables save

I set the same IP to be allowed only 10 Nginx connections in 60 seconds.

9. Configure the operating system to protect the Web server

The Nginx program generally runs as user nginx. However, the document root (/nginx or /usr/local/nginx/html) should not be owned by user nginx or writable by user nginx. To locate files with wrong permissions, use the following commands:

# find /nginx -user nginx
# find /usr/local/nginx/html -user nginx

Make sure the files are owned by root or another user. A typical permission setting:

# ls -l /usr/local/nginx/html/

Example output:

-rw-r--r-- 1 root root 925 Jan  3 00:50 error4xx.html
-rw-r--r-- 1 root root  52 Jan  3 10:00 error5xx.html
-rw-r--r-- 1 root root 134 Jan  3 00:52 index.html

To find backup files created by vi or another text editor:

# find /nginx -name '.?*' -not -name .ht* -or -name '*~' -or -name '*.bak*' -or -name '*.old*'
# find /usr/local/nginx/html/ -name '.?*' -not -name .ht* -or -name '*~' -or -name '*.bak*' -or -name '*.old*'

Delete these files using the -delete option of the find command.

10. Limit outgoing connections from Nginx

Attackers use tools such as wget on your server to download files locally. Use iptables to block outgoing connections from the nginx user. The ipt_owner module matches the creator of locally generated packets. In the example below, only the user vivek is allowed to make outgoing connections on port 80.

# /sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

V. Summary

This article only builds a Web server suited to my own needs; I hope it helps you. Nginx is a good tool that is still improving; its functionality is not limited to building a Web server, and more of its features remain to be developed. I look forward to Nginx bringing us more surprises.
