Website acceleration and Linux Server Protection

Website acceleration and Linux Server Protection

Website Acceleration

1. Configure gzip compression for Nginx

After nginx gzip compression is enabled, the size of static resources such as web pages, css, and js will be greatly reduced, which can save a lot of bandwidth, improve transmission efficiency, and give users a quick experience. Although it will consume cpu resources, it is worthwhile to provide a better user experience.

Gzip on; # enable gzipgzip_min_length 1 k; # Do not compress resources smaller than 1 kb in gzip_comp_level 3; # compression level [1-9]. The higher the compression rate, the more cpu resources are consumed, we recommend that you set it to around 4. Gzip_types text/plain application/javascript application/x-javascript text/xml text/css; # resources of which response types need to be compressed, separated by spaces. It is not recommended to compress the image. The following describes why. Gzip_disable "MSIE [1-6] \."; # disable the gzip condition and support regular expressions. This indicates that gzip is not enabled for ie6 and earlier versions (because earlier versions of ie are not supported) gzip_vary on; # whether to add the "Vary: Accept-Encoding" Response Header

Put the preceding configuration in the http {...} node of nginx. conf. Save and restart nginx to refresh the page (Force refresh to avoid caching. Take Google's browser as an example to view the request response header Through F12.

2. Enable Baidu cloud Acceleration

Many websites have begun to use domestic free CDN, that is, cloud acceleration, such as Baidu cloud acceleration, 360 website guard, security Bao, jiasule and yundun.

Baidu cloud acceleration deploys a large number of nodes and bandwidth resources on the national backbone network, and integrates Baidu's own CDN technology and anti-Attack System to provide acceleration, cache, page optimization, and other functions for the majority of websites, this significantly improves Website access speeds and significantly saves website resources.
At the same time, when the traffic passes through the cloud acceleration node, malicious hacker attacks and DDoS/CC attacks are also blocked and filtered by cloud acceleration, effectively ensuring the security and stability of the website.

Please refer to the Tutorial: https://jingyan.baidu.com/article/f00622280f97d3fbd2f0c858.html this open

Linux Server Security Protection

1. Linux restricts remote logon by users or IP addresses

Linux Remote logon uses the SSH protocol. To restrict IP logon, modify the configuration file associated with the sshd service.

1. allow only the specified user to log on (whitelist): Set the AllowUsers option in the/etc/ssh/sshd_config configuration file. The format is as follows: allowUsers aliyun test@192.168.1.1 # allows aliyun and the test account logged on from 192.168.1.1 to log on to the system through SSH. 2. deny logon only to specified users (blacklist): Set the DenyUsers option in the/etc/ssh/sshd_config configuration file. The format is as follows: denyUsers zhangsan aliyun # Linux System Account # reject zhangsan and aliyun accounts from logging on to the system through SSH

3. only IP 192.168.0.1 and 192.168.0.10 allowed to log on to other hosts (1) vim/etc/hosts. allow // Add the following content: sshd: 192.168.0.1, 192.168.0.10 (2) vim/etc/hosts. add the following content to the deny // sshd: ALL4.IP blacklist: only access to 192.168.0.1 is allowed, and all others are allowed to vim/etc/hosts. deny // Add the following content: sshd: 192.168.0.1

　　

2. Install the cloud lock security software

Note: If you have downloaded the cloud lock installation package, delete the old Cloud lock installation package and installation directory (rm-rf yunsuo _ *) before installing the package. Quick installation x86: wget http://download.yunsuo.com.cn/v3/yunsuo_agent_32bit.tar.gz & tar xvzf yunsuo_agent_32bit.tar.gz & chmod + x yunsuo_install/install & yunsuo_install/installx64: wget http://download.yunsuo.com.cn/v3/yunsuo_agent_64bit.tar.gz & tar xvzf yunsuo_agent_64bit.tar.gz & chmod + x yunsuo_install/install & yunsuo_install/install step-by-step installation 1. download the cloud lock installation package. X86: wget http://download.yunsuo.com.cn/v3/yunsuo_agent_32bit.tar.gzx64:wget Connector. X86: tar zxvf yunsuo_agent_32bit.tar.gzx64: tar zxvf yunsuo_agent_64bit.tar.gz3. Grant the executable permission to the cloud lock Installation File. Chmod + x yunsuo_install/install4. run the installation in the current path until the prompt "Install Yunsuo Success." is installed successfully. Yunsuo_install/install5. Add the server to the cloud center. /Usr/local/yunsuo_agent/yunsuo_smart_tool.sh-u cloud_name-p cloud_passwd remarks: cloud_name: cloud Center account name; cloud_passwd: cloud center logon password 6. After the installation is complete, manage it on the PC. Check whether the cloud lock runs ps-ef | grep yunsuo_agent cloud lock service related commands cloud lock start/stop/restart/running status service yunsuo start/stop/restart/status/etc/init. d/yunsuo start/stop/restart/status unmount the cloud lock/usr/local/yunsuo_agent/uninstall

3. ssh 22DefaultPort change

First, modify the configuration file vi/etc/ssh/sshd_config to find # Port 22, which indicates that Port 22 is used by default and changed to the following: port 22 Port 50000 and save and run/etc/init. SSH ports such as d/sshd restart will work on both 22 and 50000. Now, edit the firewall configuration: vi/etc/sysconfig/iptables to enable port 50000. Run/etc/init. d/iptables restart. now use the ssh tool to connect to port 50000 to test whether the restart is successful. If the connection is successful, edit the settings of sshd_config again and delete Port22. The reason for setting two ports first and then disabling one after the test is successful is to prevent unknown situations such as disconnection, network disconnection, and misoperation during the conf modification process,
You can also connect to the debugging through another port to avoid the need to send people to the data center if the connection fails, making the problem more complicated and troublesome.

　4. Enable Firewall

1) It takes effect permanently. It will not be enabled after restart: chkconfig iptables on Disabled: chkconfig iptables off2) it will take effect immediately. After restart, it will be enabled: service iptables start disabled: service iptables stop

　　5. Lock important folders

A file is locked in the linux system. After the file is locked, no user, including the root user, can delete the file chattr + I a.txt found a.txt to unlock the chattr-I a.txt file.

To protect data privacy, lock the/downloads folder under the file server. Chmod 0000/downloadsroot users can still access it, while ls and cd commands do not work. To restore it, use chmod 0755/downloads.

6. website directory folder permission settings. Recommended folder 750, page file 640, cache directory 770 read/write

Modify the permissions of all files in a directory. If you want to modify the permissions of files in the subdirectory, use the-R parameter to start recursive processing. Set the/home/user directory permission to rwxrwxrwx, excluding subdirectories: [root @ localhost ~] # Chmod 777/home/user sets the/home/user directory permission to rwxrwxrwx, including sub-directories: [root @ localhost ~] # Chmod-R 777/home/user

　Others

Update patches for various software in a timely manner

Mount backup hard disks and regularly back up data

Independent database server, access and interaction through Intranet

Disable redundant services

Disable password and log on with a key