12 Configuring Nginx gzip compression for performance optimization
100k----1s 90k
100k----5s 10k
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 7;
gzip_types text/css text/xml application/javascript;
gzip_vary on;
Syntax: gzip_buffers number size;
Default: gzip_buffers 32 4k|16 8k;
Context: http, server, location
Syntax: gzip_comp_level level;
Default: gzip_comp_level 1;
Context: http, server, location
Syntax: gzip_types mime-type ...;
Default: gzip_types text/html;
Context: http, server, location
Syntax: gzip_vary on | off;
Default: gzip_vary off;
Context: http, server, location
Syntax: gzip_min_length length;
Default: gzip_min_length 20;
Context: http, server, location
Syntax: gzip_http_version 1.0 | 1.1;
Default: gzip_http_version 1.1;
Context: http, server, location
13 Configuring Nginx expires so that clients cache data
Example 1: Caching all pictures of a website
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$    # matches, for example, oldboy.jpg
{
    expires 30d;
}
Example 2: Caching the site's program code files (JS, CSS) locally
location ~ .*\.(js|css)$
{
    expires 30d;
}
Precautions:
- Set the cache time to a reasonable value
- Not all requested data can be cached
Nginx log-related optimization and security
1) Cut (rotate) the web service logs
2) Do not log unneeded access entries
location ~ .*\.(js|jpg|JPG|jpeg|JPEG|css|bmp|gif|GIF)$ {
    access_log off;
}
3) Restrict permissions on important logs
chown -R root:root /app/logs
chmod -R 700 /app/logs
4) Log cleanup
Write scripts that purge old logs automatically
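Items 1) and 4) can be handled by one small script. The following is an added example, not part of the original article: it renames the live logs in a directory such as /app/logs, signals the running nginx master with USR1 so that it reopens its log files, and deletes rotated copies older than a retention period. The function name, the `.log-YYYYMMDD` naming and the PID file argument are assumptions.

```sh
#!/bin/sh
# rotate_nginx_logs LOG_DIR PID_FILE KEEP_DAYS   (hypothetical helper, not from the article)
rotate_nginx_logs() {
    log_dir=$1; pid_file=$2; keep_days=$3
    stamp=$(date +%Y%m%d)
    [ -d "$log_dir" ] || { echo "no such directory: $log_dir" >&2; return 1; }

    # 1) Cut: rename every non-empty live log. The new name does not end in
    #    ".log", so it is not picked up again on the next run.
    for f in "$log_dir"/*.log; do
        [ -s "$f" ] || continue        # skip empty logs and an unmatched glob
        dst="$f-$stamp"
        [ -e "$dst" ] && continue      # already rotated today
        mv "$f" "$dst"
        chmod 600 "$dst"               # rotated copies stay private to the owner
    done

    # 2) Ask the running master process to reopen its log files (signal USR1).
    if [ -s "$pid_file" ] && kill -0 "$(cat "$pid_file")" 2>/dev/null; then
        kill -USR1 "$(cat "$pid_file")"
    fi

    # 3) Purge: remove rotated copies older than KEEP_DAYS days.
    find "$log_dir" -type f -name '*.log-*' -mtime +"$keep_days" -exec rm -f {} +
}

# Called from cron with three arguments, for example (paths are assumptions):
#   rotate_logs.sh /app/logs /app/logs/nginx.pid 30
if [ "$#" -eq 3 ]; then
    rotate_nginx_logs "$@"
fi
```

Without the USR1 step nginx keeps writing to the renamed file, because it holds the file open by descriptor rather than by name.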
Nginx site directory and file URL access control
A company that builds an internal website platform may want only its own staff to be able to view it.
Example 1: Configure Nginx to refuse to serve the specified program types under the specified directories.
location ~ ^/images/.*\.(php|php5|sh|pl|py|html)$
{
    allow 10.0.0.0/24;    # rules are checked in order and the first match wins
    deny all;             # everyone outside 10.0.0.0/24 is refused
}
location ~ ^/static/.*\.(php|php5|sh|pl|py)$
{
    deny all;
}
location ~ ^/data/(attachment|avatar)/.*\.(php|php5)$
{
    deny all;
}
Example 2: Configuration that prevents access to one or more specified directories.
The configuration to disallow access to a single directory is as follows:
location ~ ^/(static)/ {
    deny all;
}
location ~ ^/static {
    deny all;
}
16 Configure Nginx to reject illegal domain name resolution pointing at the corporate website
Method 1: Users who access the site by IP address, or through a maliciously resolved domain name, receive a 501 error. The configuration is as follows:
server {
    listen 80;
    # "_" is a catch-all placeholder name; this block must be the default
    # server for the port (first server block, or "listen 80 default_server;")
    server_name _;
    return 501;
}
Method 2: Redirect to the home page with a 301, using the following configuration:
server {
    listen 80;
    # catch-all placeholder name, as in Method 1
    server_name _;
    rewrite ^(.*) http://blog.etiantian.org/$1 permanent;
}
Method 3: If a domain name is found to be maliciously resolved to the company's server IP, add the following code inside the server block; if there are several server blocks, add it to each of them.
if ($host !~ ^www\.oldboyedu\.com$)
{
    rewrite ^(.*) http://blog.etiantian.org/$1 permanent;
}
Nginx image and directory hotlink protection (anti-leech) solutions
Simulating the hotlinking process:
- Configure the hotlinking website
Step 1: Write the hotlinking website's configuration file
server {
    listen 80;
    server_name www.daolian.org;
    root html/daolian;
    index index.html index.htm;
}
Step 2: Write the hotlinking website's page code
<title>Old Boys Education</title>
<body bgcolor=green>
WHW's Blog!
<br>my blog is Linux
<a href="http://oldboy.blog.51cto.com" target="_blank">Blog address</a>
</body>
- Configure the website being hotlinked
In the site directory, create the picture that will be hotlinked
# ll oldboy.jpg
-rw-r--r-- 1 root root 71806 March 9 16:27 oldboy.jpg
1) Implement hotlink protection based on the HTTP Referer
location ~ .*\.(jpg|gif|swf|flv|wma|wmv|asf|mp3|mmf|zip|rar)$ {    # determine whether the user is requesting a picture resource
    valid_referers none blocked *.etiantian.org etiantian.org;
    if ($invalid_referer) {
        rewrite ^/ http://www.etiantian.org/nolink.png;
    }
}
location ~ ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {    # the hotlinking notice picture is cached on the user's side
    valid_referers none blocked server_names *.etiantian.org etiantian.org;
    if ($invalid_referer) {
        rewrite ^/ http://bbs.etiantian.com/img/nolink.jpg;
    }
    access_log off;
    root html/www;
    expires 1d;
    break;
}
2) Hotlink protection based on cookies
3) Hotlink protection through encrypted, transformed access paths (extended study)
Look into the Nginx module ngx_http_accesskey_module
4) Address hotlinking in product design
Add a watermark or logo to the data
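Before enabling the Referer rule from 1), the access log can show which sites are hotlinking. The following added example (not part of the original article) applies the same decision as `valid_referers none blocked *.etiantian.org etiantian.org` to access log lines whose fields are: remote address, user, time, request, status, bytes, Referer, User-Agent, X-Forwarded-For. It counts image hits per foreign Referer host; the function names and the sample log lines are constructed.

```sh
#!/bin/sh
# Constructed sample log lines, not taken from a real server.
sample_access_log() {
cat <<'EOF'
10.0.0.7 - - [09/Mar/2018:16:30:01 +0800] "GET /oldboy.jpg HTTP/1.1" 200 71806 "http://www.daolian.org/index.html" "Mozilla/5.0" "-"
10.0.0.7 - - [09/Mar/2018:16:30:05 +0800] "GET /oldboy.jpg?v=2 HTTP/1.1" 200 71806 "http://www.daolian.org/" "Mozilla/5.0" "-"
10.0.0.8 - - [09/Mar/2018:16:31:00 +0800] "GET /oldboy.jpg HTTP/1.1" 200 71806 "http://www.etiantian.org/" "Mozilla/5.0" "-"
10.0.0.9 - - [09/Mar/2018:16:32:00 +0800] "GET /oldboy.jpg HTTP/1.1" 200 71806 "-" "curl/7.29.0" "-"
10.0.0.9 - - [09/Mar/2018:16:33:00 +0800] "GET /a.PNG HTTP/1.1" 200 512 "http://etiantian.org.mirror.example/x" "Mozilla/5.0" "-"
10.0.0.9 - - [09/Mar/2018:16:34:00 +0800] "GET /index.html HTTP/1.1" 200 612 "http://www.daolian.org/" "Mozilla/5.0" "-"
EOF
}

# foreign_referers: read access log lines on stdin, print "count host" for
# image requests whose Referer would set $invalid_referer.
foreign_referers() {
    awk -F'"' '
    {
        split($2, req, " ")                      # request line: method, URI, protocol
        uri = tolower(req[2]); sub(/\?.*/, "", uri)
        if (uri !~ /\.(gif|jpg|jpeg|png|bmp|swf|flv|rar|zip)$/) next
        ref = tolower($4)
        if (ref == "-" || ref == "") next        # "none": no Referer header
        if (ref !~ "^https?://") next            # "blocked": scheme stripped by a proxy
        host = ref
        sub("^https?://", "", host); sub("[/:?].*", "", host)
        # exact host or a real subdomain only; a suffix such as
        # etiantian.org.mirror.example must not pass
        if (host == "etiantian.org" || host ~ /\.etiantian\.org$/) next
        hits[host]++
    }
    END { for (h in hits) print hits[h], h }' | sort -k1,1nr -k2,2
}

sample_access_log | foreign_referers
```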
Graceful display of Nginx error pages
## www
server {
    listen 80;
    server_name www.etiantian.org;
    location / {
        root html/www;
        index index.html index.htm;
    }
    error_page 403 /403.html;    #<== when a 403 error occurs, the 403.html page is shown
}
Example 2: The 50x page is placed in a separate local directory for graceful display.
error_page 502 503 504 /50x.html;
location = /50x.html {
    root /data0/www/html;
}
Example 3: Change the status code to a new status code and display the specified file contents. The configuration is as follows:
error_page 404 =200 /empty.gif;
server {
    listen 80;
    server_name www.linuxpeixun.com;
    location / {
        root /data0/www/bbs;
        index index.html index.htm;
        fastcgi_intercept_errors on;
        error_page 404 =200 /ta.jpg;
        access_log /app/logs/bbs_access.log commonlog;
    }
}
Example 4: Redirect to a URL on an error status code. The configuration is as follows:
server {
    listen 80;
    server_name www.oldboyedu.com;
    location / {
        root html/www;
        index index.html index.htm;
        error_page 404 http://oldboy.blog.51cto.com;
        #<== when a 404 error occurs, the user is redirected to the specified URL http://oldboy.blog.51cto.com;
        # this URL is typically another available address of the enterprise
        access_log /app/logs/bbs_access.log commonlog;
    }
}
Nginx site directory file and directory permissions optimization
- Introduction to robots.txt, the robots protocol (a gentlemen's agreement)
Using the user agent ($http_user_agent) for anti-crawler protection
Example 1: Block download-tool user agents with the following configuration:
if ($http_user_agent ~* LWP::Simple|BBBike|wget)
{
    return 403;
}
if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot")
{
    return 403;
}
20 Using Nginx to restrict HTTP request methods
# Only allow these request methods
if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 501;
}
# Do not accept DELETE, SEARCH and other methods
# The following block returns 501 for GET requests
if ($request_method ~* ^(GET)$) {
    return 501;
}
21 Running Nginx as an ordinary user (jail mode)
Step 1: Place the important Nginx files and directories in the ordinary user's home directory
$ mkdir {conf,html,logs}
$ cp /application/nginx/conf/nginx.conf.default ./conf/
$ cp /application/nginx/conf/mime.types ./conf/
Step 2: Write the Nginx configuration file
$ cat ./conf/nginx.conf
worker_processes 1;
error_log /home/oldboy/logs/error.log;
pid /home/oldboy/logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /home/oldboy/logs/web_blog_access.log main;
    server {
        # An ordinary user may not bind privileged ports such as 80;
        # ports above 1024 can be managed by ordinary users.
        listen 8080;
        server_name www.etiantian.org;
        location / {
            root /home/oldboy/html/;
            index index.html index.htm;
        }
    }
}
Step 3: Start Nginx as the ordinary user
$ /application/nginx/sbin/nginx -c /home/oldboy/conf/nginx.conf
nginx: [alert] could not open error log file: open() "/application/nginx-1.12.2/logs/error.log" failed (13: Permission denied)
$ ps -ef|grep nginx
oldboy 24337 1 0 19:00 ? 00:00:00 nginx: master process /application/nginx/sbin/nginx -c /home/oldboy/conf/nginx.conf
oldboy 24338 24337 0 19:00 ? 00:00:00 nginx: worker process
oldboy 24340 24297 0 19:00 pts/0 00:00:00 grep --color=auto nginx
The enterprise-level Nginx Web Service optimization in Web site cluster (II.)