CentOS Installation nginx-1.6.2+ Security Configuration

Source: Internet
Author: User
Tags: openssl library

Note: All of the following operations are done under the CentOS 6.5 x86_64 bit system.

# Preparation #

Before installing Nginx, make sure that basic components such as pcre have already been installed with yum, as described in the "basic components" part of the CentOS LNMP environment installation.

Then create a www group and a www user, and do not give the user login permission:

# groupadd www
# useradd -g www -s /sbin/nologin www
# id www
uid=501(www) gid=501(www) groups=501(www)

# Installing Nginx #

Start downloading Nginx and compiling the installation:

# cd /usr/local/src
# wget http://nginx.org/download/nginx-1.6.2.tar.gz
# tar zxf nginx-1.6.2.tar.gz
# cd nginx-1.6.2
# ./configure --prefix=/usr/local/nginx-1.6.2 --group=www --user=www --with-http_ssl_module --with-pcre --with-http_stub_status_module --with-http_gzip_static_module
Configuration summary
  + using system PCRE library
  + using system OpenSSL library
  + md5: using OpenSSL library
  + sha1: using OpenSSL library
  + using system zlib library

  nginx path prefix: "/usr/local/nginx-1.6.2"
  nginx binary file: "/usr/local/nginx-1.6.2/sbin/nginx"
  nginx configuration prefix: "/usr/local/nginx-1.6.2/conf"
  nginx configuration file: "/usr/local/nginx-1.6.2/conf/nginx.conf"
  nginx pid file: "/usr/local/nginx-1.6.2/logs/nginx.pid"
  nginx error log file: "/usr/local/nginx-1.6.2/logs/error.log"
  nginx http access log file: "/usr/local/nginx-1.6.2/logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"

# make && make install
# ln -s /usr/local/nginx-1.6.2/ /usr/local/nginx
# chown -R www:www /usr/local/nginx
# chown -R www:www /usr/local/nginx-1.6.2

Add the Nginx sbin directory to the path:

# vim /etc/profile
export PATH=$PATH:/usr/local/mysql/bin:$JAVA_HOME/bin:/usr/local/nginx/sbin
# . /etc/profile

View the Nginx version information to verify that the previous steps succeeded:

# nginx -V
nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
configure arguments: --prefix=/usr/local/nginx-1.6.2 --group=www --user=www --with-http_ssl_module --with-pcre --with-http_stub_status_module

At this point, Nginx has been installed.

# Starting, restarting and stopping Nginx #

Create the directory for Nginx web applications (this is for the convenience of operations and maintenance; different web projects can be placed under this directory):

# mkdir -p /data/www

Make a minimal edit to the following configuration file:

# vim /usr/local/nginx/conf/nginx.conf
user  www;
worker_processes  1;

events {
    worker_connections  1024;   # 1024, 65 and 80 below are the values in the stock nginx.conf shipped with 1.6.2
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    gzip  on;

    server {
        listen       80;
        server_name  localhost;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}

Start Nginx:

# nginx

Now open http://youripaddress in a browser; you should see the default Nginx welcome page (screenshot omitted).

At this point, Nginx has started successfully.

In general, after nginx.conf is modified, Nginx can be reloaded directly for the configuration to take effect; before reloading, first check that the configuration file is correct:

# nginx -t
nginx: the configuration file /usr/local/nginx-1.6.2/conf/nginx.conf syntax is ok
nginx: the configuration file /usr/local/nginx-1.6.2/conf/nginx.conf test is successful
# nginx -s reload

Alternatively, the reload can be triggered by sending a signal to the master process:

# kill -HUP ${master_pid}

The commands to stop Nginx are as follows:

# nginx -s quit
# nginx -s stop

Note: quit means Nginx exits after the requests in progress have been completed (graceful stop), while stop makes it exit immediately.

Nginx can also be stopped by sending a signal to the master process:

# kill -QUIT ${nginx_master}
# kill -TERM ${nginx_master}
# kill -9 ${nginx_master}

Note: -QUIT means stop gracefully, closing the process only after all requests have been completed; -TERM means close the process immediately; -9 means force the process to be killed.

For convenience of later management, we write a startup script here so that Nginx can be controlled with the service command, as follows:

# vim /etc/init.d/nginxd
#!/bin/sh
# chkconfig: 2345 80 20
# description: nginx server
# (the start/stop priorities 80 and 20 are assumed typical values; the original numbers did not survive extraction)

NGINX_HOME=/usr/local/nginx-1.6.2
NGINX_SBIN=$NGINX_HOME/sbin/nginx
NGINX_CONF=$NGINX_HOME/conf/nginx.conf
NGINX_PID=$NGINX_HOME/logs/nginx.pid
NGINX_NAME="nginx"

. /etc/rc.d/init.d/functions

if [ ! -f $NGINX_SBIN ]; then
    echo "$NGINX_NAME startup: $NGINX_SBIN not exists!"
    exit 1
fi

start() {
    $NGINX_SBIN -c $NGINX_CONF
    ret=$?
    if [ $ret -eq 0 ]; then
        action $"Starting $NGINX_NAME:" /bin/true
    else
        action $"Starting $NGINX_NAME:" /bin/false
    fi
}

stop() {
    kill `cat $NGINX_PID`
    ret=$?
    if [ $ret -eq 0 ]; then
        action $"Stopping $NGINX_NAME:" /bin/true
    else
        action $"Stopping $NGINX_NAME:" /bin/false
    fi
}

restart() {
    # stop returns as soon as the TERM signal is delivered, before the old
    # master has necessarily released port 80; if start fails, retry after a moment
    stop
    start
}

# syntax check of the configuration file (nginx -t)
check() {
    $NGINX_SBIN -c $NGINX_CONF -t
}

# HUP: re-read the configuration without dropping connections
reload() {
    kill -HUP `cat $NGINX_PID` && echo "reload success!"
}

# USR1: reopen the log files (used after log rotation)
relog() {
    kill -USR1 `cat $NGINX_PID` && echo "relog success!"
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    check|chk)
        check
        ;;
    status)
        status -p $NGINX_PID $NGINX_NAME
        ;;
    reload)
        reload
        ;;
    relog)
        relog
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|status|check|relog}"
        exit 1
esac

# chmod +x /etc/init.d/nginxd
# chkconfig nginxd on

Nginx can then be started with the service command:

# service nginxd start

# Nginx security configuration #

1. First, make sure directory browsing (listing) is disabled; the default configuration already disables it.

autoindex off;

2. Enable the access log. Nginx has it enabled by default; for convenience of operations and maintenance it is best to put the log separately under the /data directory:

access_log /data/www/logs/localhost.access.log;

3. Secure the directories. Because Nginx is started as the www user, an attacker who breaks into the server through it ends up with the www user's rights, so the owner of the website's web directories and files must be different from the user Nginx runs as; this prevents malicious tampering with or deletion of the website. The owner of the web directories and files can be set to root, with directory permissions set to 755 and file permissions uniformly set to 644. Only directories such as the upload directory may be set to 777, and to prevent an attacker from uploading a Trojan into a 777 directory, you must also ensure that scripts in 777 directories cannot be executed. There are two cases to handle:

1) For businesses that use PHP, configure the following:

# location matches the request URI, not the filesystem path: with root /data/www,
# the directory /data/www/logs/ is reached under the URI /logs/
location ~* ^/logs/.*\.(php|php5)$ {
    deny all;
}

Note: The safest approach is to whitelist the directories from which PHP may be executed, which we will cover in more detail in the PHP installation section. Also note that nginx tries regex locations in the order they appear in the configuration, so this deny block must come before the location that passes .php requests to PHP, otherwise that location matches first and the uploaded file is executed.

2) For businesses that do not use PHP (Python, CGI, etc.), external access to the 777 directory must be forbidden altogether, configured as follows:

# as above, the pattern is the URI under which /data/www/logs/ is served
location ~ ^/logs/ {
    deny all;
}
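The ownership and permission rules of point 3 are easy to state and easy to drift from, so here is an added audit script (written for this edit, not part of the original article) that checks a web root against them: it lists world-writable (777) directories, directories that are not 755, files that are not 644, everything owned by the Nginx run user, and any executable file sitting in a 777 directory. The paths /data/www and the user www come from the article; the function names and the sample tree built in the test are this example's own. It is POSIX sh and uses only find, sed and wc.

```shell
#!/bin/sh
# Added example (not from the original article): audit a web root against the
# baseline of point 3: owner root, directories 755, files 644, and 777 only on
# intended upload directories. Function names are this example's own.

# Print every directory that is world-writable (the 777 upload-style dirs).
find_world_writable_dirs() { find "$1" -type d -perm -0002 | sort -u; }

# Print directories that are neither 755 nor world-writable (unexpected modes).
find_dirs_not_755() { find "$1" -type d ! -perm -0002 ! -perm 755; }

# Print regular files whose mode is not exactly 644.
find_files_not_644() { find "$1" -type f ! -perm 644; }

# Print entries owned by the nginx worker user ("www" in the article): a
# compromised worker could rewrite or delete them, which point 3 wants to prevent.
find_owned_by_run_user() { find "$1" -user "$2" 2>/dev/null; }

# Print executable files inside world-writable directories. nginx itself does
# not execute files, but an executable in a 777 directory is a sign that the
# deny rules for that directory (the location blocks above) are missing.
find_executables_in_writable_dirs() {
    find_world_writable_dirs "$1" | while read -r d; do
        find "$d" -type f -perm -0111
    done
}

# Total number of findings across all checks; printed, not returned, so that
# callers can use it with set -e.
count_findings() {
    root="$1"; run_user="$2"
    n=0
    for f in find_world_writable_dirs find_dirs_not_755 find_files_not_644; do
        n=$(( n + $($f "$root" | wc -l) ))
    done
    n=$(( n + $(find_owned_by_run_user "$root" "$run_user" | wc -l) ))
    echo "$n"
}

# Apply the baseline: dirs 755, files 644, then reopen only the intended upload
# directory (second argument, optional) as 777. chown to root is left to the
# operator because it needs root privileges.
apply_baseline() {
    root="$1"; upload_dir="$2"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -n "$upload_dir" ] && chmod 777 "$upload_dir"
    return 0
}

# Usage when run as a script: sh audit_webroot.sh /data/www www
if [ $# -ge 2 ]; then
    for f in find_world_writable_dirs find_dirs_not_755 find_files_not_644; do
        $f "$1" | sed "s/^/$f: /"
    done
    find_owned_by_run_user "$1" "$2" | sed 's/^/owned_by_run_user: /'
    find_executables_in_writable_dirs "$1" | sed 's/^/executable_in_777_dir: /'
    echo "total findings: $(count_findings "$1" "$2")"
fi
```

Run it as `sh audit_webroot.sh /data/www www` from cron or a deployment hook; a non-zero total means the tree no longer matches the baseline. Note that the 777 check deliberately reports the upload directory too, so that every world-writable directory is reviewed against the deny rules rather than silently accepted.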

4. For management directories, restrict access by IP address, for example restricting access to the Nginx status page:

server {
    location /nginx-admin {
        stub_status on;
        access_log logs/nginx-admin.log;
        allow 11.12.23.0/24;
        deny all;
    }
    location /admin {
        ...
    }
}

Note: The 11.12.23.0/24 configured above is the IP address range of the current operations (OPS) clients.

Requesting the address from a machine within the allowed IP range should show the status page (screenshot omitted):

Clients from addresses that are not permitted cannot access it and receive a 403 error (screenshot omitted).
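Because the location above writes its own log (logs/nginx-admin.log), the allow/deny rule can be verified after the fact rather than only by clicking from two machines. The following added script (not from the original article) reads access log lines in nginx's default "combined" format, keeps only requests to /nginx-admin, and reports per client IP how many were rejected with 403 and how many were served; a served request from outside the permitted range is flagged, because it means the allow/deny rules are not in effect (for example the deny is missing or the location is not the one being hit). The 11.12.23. prefix comes from the article; the log lines are constructed for this example, and the /24 check is a simple prefix match that is only valid for a /24.

```shell
#!/bin/sh
# Added example (not from the original article): audit nginx-admin.log for
# requests to the IP-restricted /nginx-admin location. Log lines below are
# constructed; the format is nginx's default "combined" log format.

SAMPLE_LOG='11.12.23.7 - - [10/Oct/2014:12:00:01 +0800] "GET /nginx-admin HTTP/1.1" 200 97 "-" "curl/7.19.7"
203.0.113.9 - - [10/Oct/2014:12:00:05 +0800] "GET /nginx-admin HTTP/1.1" 403 168 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2014:12:00:06 +0800] "GET /nginx-admin HTTP/1.1" 403 168 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2014:12:00:09 +0800] "GET /nginx-admin HTTP/1.1" 200 97 "-" "python-requests/2.2"
11.12.23.7 - - [10/Oct/2014:12:01:00 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.19.7"'

# admin_access_report <allowed-/24-prefix, e.g. 11.12.23.> < logfile
# Emits one line per client IP: "<ip> <denied_403> <served_200> <verdict>".
# Combined-format fields: $1 client IP, $7 request URI, $9 status code.
admin_access_report() {
    prefix="$1"
    awk -v prefix="$prefix" '
        $7 ~ /^\/nginx-admin/ {
            ip = $1; code = $9
            if (code == 403) denied[ip]++
            else if (code == 200) served[ip]++
            seen[ip] = 1
        }
        END {
            for (ip in seen) {
                verdict = "ok"
                # served from outside the permitted range: the allow/deny rule is not working
                if (index(ip, prefix) != 1 && served[ip] > 0)
                    verdict = "ALERT_outside_range_served"
                printf "%s %d %d %s\n", ip, denied[ip] + 0, served[ip] + 0, verdict
            }
        }'
}

# Usage: sh admin_audit.sh 11.12.23. /usr/local/nginx/logs/nginx-admin.log
# With no arguments the constructed sample log is analysed instead.
if [ $# -ge 2 ]; then
    admin_access_report "$1" < "$2"
elif [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | admin_access_report 11.12.23.
fi
```

On the sample data the two 403s from 203.0.113.9 are the expected result of the deny rule, while the 200 served to 198.51.100.4 is the line an operator should act on. A persistent stream of 403s from one address is itself worth watching, since it shows someone probing the management path.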

5. Delete the Nginx default home page and the other default pages, and replace them with the business's own home page.

6. Do not allow the server to be accessed directly by IP address. The advantage is that when the IP address leaks out and someone points another domain name at it, the server can be made to return 500 or another error code instead of serving the site. For example:

server {
    listen        80 default_server;
    return        500;
}
server {
    listen        80;
    server_name   www.tencent.com tencent.com;
    root          /data/www/tencent;
    access_log    /data/logs/nginx/tencent.access.log;
    error_log     /data/logs/nginx/tencent.error.log;
}

Note: With the above configuration, a request made directly to the IP address gets an error, while access through the domain name (for example a request for tencent.com) works normally.
