1. How does nginx achieve high concurrency?
After starting the nginx service, run ps -ef | grep nginx and you will find that nginx has one master process and several worker processes. The worker processes are peers, all forked from the master. The master first creates the socket it needs to listen on (listenfd) and then forks multiple worker processes. When a user connects to the nginx service, listenfd becomes readable in every worker, and the workers compete for a lock called accept_mutex. accept_mutex is mutually exclusive: once one worker acquires it, the other workers back off. The worker holding accept_mutex then runs "read request - parse request - process request", and once the data has been completely returned to the client (the target web page appears on the computer screen), the event is finished.
In this way nginx keeps its worker processes waiting on user requests at the bottom layer and handles them in an "asynchronous non-blocking" manner to achieve high concurrency.
"Comment" The second line of nginx.conf is worker_processes, which defaults to 4 there; you can also change it to auto. A larger value is not necessarily better: it depends on the server's actual CPUs, and generally there are as many worker processes as there are CPUs.
2. Write an nginx access-module configuration that allows access from the machine 192.168.3.29/24, allows access from all machines in the 10.1.20.6/16 network segment, allows access from the 34.26.157.0/24 network segment, and denies access from every other machine.
location / {
    allow 192.168.3.29/24;
    allow 10.1.20.6/16;
    allow 34.26.157.0/24;
    # rules are checked in order, so "deny all" must come last
    deny all;
}
"Comment" Firewalls are applied in layers. Access control can be implemented with a hardware ACL (access control list); if there is no budget for a firewall, you can configure iptables on Linux; and if iptables is not configured, the rules can still be set in nginx.
The nginx core itself does very little; the internal modules do the actual work. Module documentation (in English): http://nginx.org/en/docs/
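The rule set from question 2 can be checked offline before it is deployed. The following Python sketch is an added example, not part of the original article: it models first-match evaluation of allow/deny rules and assumes the prefix length defines the network, so the host bits in 192.168.3.29/24 are ignored. The names RULES, compile_rules and decide are hypothetical, and the client addresses are constructed.

```python
import ipaddress

# Rules from the location block in question 2, in file order.
RULES = [
    ("allow", "192.168.3.29/24"),
    ("allow", "10.1.20.6/16"),
    ("allow", "34.26.157.0/24"),
    ("deny", "all"),
]

def compile_rules(rules):
    """Convert (action, spec) pairs into (action, network) pairs; None means 'all'."""
    compiled = []
    for action, spec in rules:
        if spec == "all":
            compiled.append((action, None))
        else:
            # strict=False masks the host bits: 192.168.3.29/24 -> 192.168.3.0/24
            compiled.append((action, ipaddress.ip_network(spec, strict=False)))
    return compiled

def decide(client_ip, compiled):
    """Return the action of the first rule that matches client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in compiled:
        if net is None or addr in net:
            return action
    return "allow"  # no rule matched, so this rule set places no restriction

if __name__ == "__main__":
    good = compile_rules(RULES)
    # Same rules with "deny all" moved to the top: it matches first, so the
    # allow lines below it are never reached.
    misordered = compile_rules([RULES[-1]] + RULES[:-1])
    # Constructed sample client addresses.
    for ip in ["192.168.3.200", "10.1.255.1", "10.2.0.1", "34.26.157.9", "8.8.8.8"]:
        print(f"{ip:15} correct order: {decide(ip, good):5}  deny-first: {decide(ip, misordered)}")
```

The output shows that the /24 and /16 entries admit the whole segment rather than the single host written in the rule, and that moving deny all to the top blocks every client.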
3. Set expiration times for favicon.ico and robots.txt: here 99 days for favicon.ico and 7 days for robots.txt, without logging 404 errors to the error log.
location ~ (favicon\.ico) {
    # do not write "file not found" (404) entries to the error log
    log_not_found off;
    expires 99d;
    break;
}
location ~ (robots\.txt) {
    log_not_found off;
    expires 7d;
    break;
}
4. Set the browser cache expiration time for one file: here 600 seconds, without writing to the access log.
location ^~ /html/scripts/loadhead_1.js {
    access_log off;
    # a bare number is a time in seconds
    expires 600;
    break;
}
5. Allow only a fixed IP to access the site, and add a password.
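# -crypt is the traditional crypt(3) hash, which uses only the first 8 characters of the password
printf "james:$(openssl passwd -crypt 123456)\n" >> /usr/local/nginx/conf/passwd
This sets up the account james with the password 123456.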
location / {
    allow 22.27.164.25;  # the allowed IP
    deny all;
    auth_basic "KEY";  # a "KEY" prompt is shown when logging in to the page; the prompt can only be in English, Chinese is not recognized
    # the password file created by the printf command above
    auth_basic_user_file /usr/local/nginx/conf/passwd;
}
This article is from the "Life is waiting for Gordo" blog; please contact the author before reprinting.
Linux Ops Engineer Written Test, Set 10