Original address: http://blog.csdn.net/qq_23598037/article/details/79505398
Optimization of Nginx
1. gzip compression optimization
2. expires cache
3. Network IO event model optimization
4. Hide the software name and version number
5. Anti-hotlinking optimization
6. Prohibit malicious domain name resolution
7. Prohibit access to web sites by IP address
8. HTTP request method optimization
9. Anti-DoS: per-IP concurrent connection control and connection rate control
10. Strictly set permissions on each web site directory
11. Run the Nginx process and the site in jail mode
12. Crawler optimization through the robots protocol and $http_user_agent
13. Configure error pages so that the page returned to the user depends on the error code
14. Nginx log optimization: access log rotation, not logging specified elements, minimal log directory permissions
15. Restrict access to programs in upload and resource directories, to prevent trojans from intruding and damaging system files
16. FastCGI parameter buffer and cache configuration file optimization
17. Optimization of the php.ini and php-fpm.conf configuration files
18. Deep optimization of the Linux kernel for web services (network connections, IO, memory, and so on)
19. Nginx encrypted transfer optimization (SSL)
20. Web server disk mount and network file system optimization
21. Using the Nginx cache
1. Basic Security Optimization
1.1 Hide version information
In general, software vulnerabilities are tied to specific versions, so we want to hide or remove the sensitive information that the web service shows to visitors.
[root@db01 rpm]# curl -I 10.0.0.8
HTTP/1.1 401 Unauthorized
Server: nginx    # version number hidden
Date: Thu, June 2016 03:23:38 GMT
Content-Type: text/html
Content-Length: 188
Connection: keep-alive
WWW-Authenticate: Basic realm="Oldboy Training"
Procedure:
vim /application/nginx/conf/nginx.conf
Add inside the http block:
server_tokens off;
/application/nginx/sbin/nginx -t
/application/nginx/sbin/nginx -s reload
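A way to verify the change, as an added example that is not part of the original article: nginx prints its version both in the Server header and in the footer of its built-in error pages, so the check below inspects a full response (as printed by `curl -si`) rather than the headers alone. The function name and both sample responses are constructed for illustration.

```shell
# Added example: report where an HTTP response discloses the nginx version.
# Reads a full response (headers, blank line, body) on stdin.
# Prints one line per finding; exit status 0 = nothing found, 1 = disclosure.
find_version_leaks() {
    awk '
        { sub(/\r$/, "") }                          # tolerate CRLF line ends
        !in_body && /^$/ { in_body = 1; next }      # blank line ends the headers
        !in_body && tolower($0) ~ /^server:/ {
            if ($0 ~ /[0-9]+\.[0-9]+/) { print "header: " $0; leaks++ }
            next
        }
        in_body && match($0, /nginx\/[0-9]+\.[0-9]+(\.[0-9]+)?/) {
            print "body: " substr($0, RSTART, RLENGTH); leaks++
        }
        END { exit (leaks > 0) }
    '
}

# Constructed sample: 401 response with server_tokens left on.
sample_tokens_on() {
    printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' 'Server: nginx/1.6.3' \
        'Content-Type: text/html' '' \
        '<html><body><center><h1>401 Authorization Required</h1></center>' \
        '<hr><center>nginx/1.6.3</center></body></html>'
}

# Constructed sample: the same response after server_tokens off.
sample_tokens_off() {
    printf '%s\r\n' 'HTTP/1.1 401 Unauthorized' 'Server: nginx' \
        'Content-Type: text/html' '' \
        '<html><body><center><h1>401 Authorization Required</h1></center>' \
        '<hr><center>nginx</center></body></html>'
}

sample_tokens_on  | find_version_leaks || echo "-> version disclosed"
sample_tokens_off | find_version_leaks && echo "-> no version disclosed"
```

Against a live server, feed it with `curl -si http://10.0.0.8/ | find_version_leaks`.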
1.2 Modify the source code to hide the Nginx name
Files to modify:
First file:
/home/oldboy/tools/nginx-1.6.3/src/core/nginx.h, lines 14, 16
#define NGINX_VERSION "1.6.2"    change to the desired version number, such as 2.4.3
#define NGINX_VER "nginx/" NGINX_VERSION    change nginx to the software name you want to show, such as Apache.
Second file:
/home/oldboy/tools/nginx-1.6.3/src/http/ngx_http_header_filter_module.c, line 49
grep 'Server: nginx' ngx_http_header_filter_module.c
static
sed -i 's#Server: nginx#Server: Apache#g' ngx_http_header_filter_module.c
Third file:
/home/oldboy/tools/nginx-1.6.3/src/http/ngx_http_special_response.c, lines 21, 30
Then recompile.
1.3 Change the default user for the Nginx service
The first method:
Change the parameter in the configuration file directly: the default in nginx.conf.default is #user nobody; change it to user nginx nginx;
The second method:
Specify the user and group directly when compiling Nginx:
./configure --prefix=/application/nginx-1.6.3 --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module
1.4 Start nginx with reduced privileges
useradd inca
cd /home/inca/
mkdir conf logs www
echo inca >www/index.html
chown -R inca:inca *
ln -s /application/nginx/conf/mime.types conf/mime.types    # mime.types: media type file
egrep -v "#|^$" /application/nginx/conf/nginx.conf.default >conf/nginx.conf
nginx.conf configuration file:
worker_processes 1;
error_log /home/inca/logs/error.log;
pid /home/inca/logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;    # value missing on the original page; 65 is the nginx.conf.default value
    server {
        listen 8080;
        server_name localhost;
        location / {
            root /home/inca/www;
            index index.html index.htm;
        }
        access_log /home/inca/logs/access.log main;
    }
}
su - inca -c "/application/nginx/sbin/nginx -c /home/inca/conf/nginx.conf"    # start the nginx service
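A pre-start check for the unprivileged setup above, as an added example that is not part of the original article: it flags listen ports an ordinary user cannot bind and pid, log and root paths that were not moved under the user's home directory. The function name and the sample configuration are constructed; only absolute paths are checked.

```shell
# Added example: audit an nginx.conf that a non-root user will start.
# Usage: audit_unprivileged_conf <home-dir> < nginx.conf
# Prints one finding per line; exit status is 1 if anything was found.
audit_unprivileged_conf() {
    awk -v home="$1" '
        { sub(/#.*/, ""); sub(/;[ \t]*$/, "") }   # drop comments and the final ";"
        $1 == "listen" {
            port = $2; sub(/^.*:/, "", port)       # 127.0.0.1:80 -> 80
            if (port ~ /^[0-9]+$/ && port + 0 < 1024) {
                print "listen " $2 ": ports below 1024 need root"; bad++
            }
        }
        ($1 == "pid" || $1 == "error_log" || $1 == "access_log" || $1 == "root") &&
        $2 ~ /^\// && $2 != home && index($2, home "/") != 1 {
            print $1 " " $2 ": outside " home; bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample: a config copied from the default file with two
# settings not yet adapted for the user inca.
sample_conf() {
    cat <<'EOF'
worker_processes 1;
error_log /home/inca/logs/error.log;
pid /application/nginx/logs/nginx.pid;   # left over from the default file
events { worker_connections 1024; }
http {
    server {
        listen 80;
        server_name localhost;
        root /home/inca/www;
        access_log /home/inca/logs/access.log main;
    }
}
EOF
}

sample_conf | audit_unprivileged_conf /home/inca || echo "-> fix these before starting as inca"
```

For the real file: `audit_unprivileged_conf /home/inca < /home/inca/conf/nginx.conf`.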
Key points:
1. The relevant paths in nginx.conf must all be changed.
2. The port issue for ordinary users: a non-root user cannot bind ports below 1024, which is why this configuration listens on 8080.
2. Optimizing Nginx service performance through parameters
2.1 Optimizing the number of Nginx processes
In a high-concurrency, high-traffic web service scenario, more Nginx processes need to be started in advance to ensure that a large number of concurrent user requests are answered and processed quickly.
worker_processes 1;    typically set equal to the number of CPU cores (for example, two quad-core CPUs count as 8)
(1) View the total number of CPU cores on Linux
grep processor /proc/cpuinfo | wc -l
(2) View the total number of physical CPUs
grep 'physical id' /proc/cpuinfo | sort | uniq | wc -l
(3) All CPU cores can be displayed by running the top command and then pressing the 1 key
top    (press the 1 key; the first line displayed is:)
Cpu0 : 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0% Si, 0.0
2.2 Binding different Nginx processes to different CPUs
By default, several Nginx processes may run on the same CPU or the same core of a CPU, so the processes use hardware resources unevenly. The optimization in this section assigns different Nginx processes to different CPUs, to make full and effective use of the hardware.