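# Response compression (http context).
gzip              on;
gzip_min_length   1k;       # skip tiny responses: the gzip header outweighs the saving
gzip_buffers      16 64k;
gzip_http_version 1.1;
# Level 9 buys very little over the mid levels but costs noticeably more CPU
# per response; tune against measured throughput rather than maxing it out.
gzip_comp_level   9;
# text/html is always compressed and need not be listed.  Already-compressed
# image formats (jpeg/gif/png) gain nothing from gzip and only burn CPU, so
# they are dropped from the original list; application/javascript is added
# because modern backends label JS with that type.
gzip_types text/plain application/x-javascript application/javascript text/css application/xml text/javascript application/x-httpd-php;
gzip_vary on;   # send "Vary: Accept-Encoding" so caches keep both variants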
只是打开 gzip on 和 gzip_types，本人在 CentOS 系统下对 js 不能有效压缩，要加上最后的 gzip_vary 才能压缩 js。
隐藏版本号
在 nginx 配置文件的 http 标签内加入“server_tokens off;”参数，也可以放在 server 标签和 location 标签中。注意它只去掉版本号，Server 头和错误页里仍会显示 nginx；要连名字也隐藏，就需要按下面的方法改源代码并重新编译。
或者在源代码中更改
src/core/nginx.h
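/* src/core/nginx.h -- the two macros that build the advertised product
 * string ("nginx/1.6.2").  NGINX_VERSION is the part that "server_tokens off"
 * suppresses; the "nginx/" prefix in NGINX_VER is what still shows up in the
 * Server header and built-in error pages, so masking the product name needs
 * a source change and a rebuild. */
#define NGINX_VERSION      "1.6.2"                 /* set to the version you want to advertise, e.g. "2.4.3" */
#define NGINX_VER          "nginx/" NGINX_VERSION  /* the post suggests replacing "nginx/" with an "Apache" string */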
src/http/ngx_http_header_filter_module.c
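/* src/http/ngx_http_header_filter_module.c -- literal emitted as the Server
 * response header.  Replacing "nginx" here (the post uses "apache") masks the
 * product name; "server_tokens off" on its own only strips the version.
 * NOTE(review): upstream declares this array as u_char[] and appends CRLF to
 * the literal -- edit the line in your own source tree rather than pasting
 * this excerpt verbatim. */
static char ngx_http_server_string[] = "Server:nginx";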
src/http/ngx_http_special_response.c
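/* src/http/ngx_http_special_response.c -- closing HTML of nginx's built-in
 * error pages.  ngx_http_error_full_tail embeds NGINX_VER (product name and
 * version); ngx_http_error_tail names only "nginx".  Upstream picks between
 * them according to server_tokens, so even with "server_tokens off" the
 * product name still leaks through error pages unless the literal below is
 * changed (the post suggests "apache").  CRLF and NGINX_VER come from
 * nginx's own headers. */
static u_char ngx_http_error_full_tail[] =
    "<hr><center>" NGINX_VER "</center>" CRLF
    "</body>" CRLF
    "</html>" CRLF
;

static u_char ngx_http_error_tail[] =
    "<hr><center>nginx</center>" CRLF
    "</body>" CRLF
    "</html>" CRLF
;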
安装nginx concat
配置nginx
URL访问控制
资源目录本来就应该只存放资源文件，要禁止指定扩展名的程序被执行，例如 .php、.sh、.pl；在 nginx 下禁止访问资源目录中的 php 程序文件。
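# Resource directories hold static files only: refuse to serve script files
# that were uploaded or dropped there, so a stray .php/.sh/.pl/.py is never
# handed to the PHP/CGI backend.
#
# Fix vs. the original: the extensions were written as ".sh|.pl|.py" inside a
# group that already follows "\.", so the unescaped dot matched any single
# character and a URI such as /images/x.sh did NOT match (the pattern needed
# one more character after the dot).  Bare extensions after "\." close that gap.
#
# Regex locations are tried in the order they appear and the first match wins,
# so these must come BEFORE any generic "\.php$" location that passes requests
# to fastcgi, or they never fire.
location ~ ^/images/.*\.(php|php5|sh|pl|py)$ {
    deny all;
}

# Allow only the verbs the application needs; 444 closes the connection
# without sending a response.  This lives at server level, outside any location.
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}

location ~ ^/static/.*\.(php|php5|sh|pl|py)$ {
    deny all;
}

# Upload directories: php/php5 only.  "~*" makes the match case-insensitive
# so ".PHP" is caught as well; the two locations above would benefit from it too.
location ~* ^/data/(attachment|avatar)/.*\.(php|php5)$ {
    deny all;
}

# NOTE(review): the trailing "$" matches only URIs that end in the extension;
# if the PHP backend honours PATH_INFO, anchor the group with ($|/) instead.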
限制使用网站ip访问网站
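# Catch-all virtual host: a request whose Host header matches none of the
# configured server_name values (including requests addressed to the bare IP)
# lands here and is dropped with 444, i.e. nginx closes the connection without
# a response.  Put "default_server" on exactly one "listen 80" entry.
server {
    listen 80 default_server;
    server_name _;
    return 444;
    # NOTE(review): this covers port 80 only; a TLS listener needs its own
    # default_server block (with a certificate) to behave the same way.
}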
图片及目录防盗链
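# Hotlink protection for static media: requests whose Referer is not one of
# our own hosts are redirected to a placeholder image.
location ~* \.(jpg|gif|png|swf|flv|wma|wmv|asf|mp3|mmf|zip|rar)$ {
    # "none" accepts requests with no Referer at all (direct visits, privacy
    # settings); "blocked" accepts Referers that a proxy/firewall has stripped.
    valid_referers none blocked *.etiantian.org etiantian.org;
    if ($invalid_referer) {
        return 302 http://www.explam.com/img/nolink.jpg;
    }
}
# NOTE(review): Referer is whatever the client chooses to send, so this deters
# casual embedding only.  Serve the placeholder from a host that this rule does
# not cover, otherwise the redirect target is itself redirected.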
优雅的错误提示
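# Custom error pages.  Because the targets are absolute URLs, nginx answers
# with a 302 redirect to them rather than serving the page under the original
# status: the client (and any monitoring) sees 302, not 500 or 404.  Point
# error_page at a local URI ("/error1.html") if the status code must survive.
error_page 500 501 502 503 504 http://www.example.com/error2.html;
error_page 400 403 404 405 408 410 411 412 413 414 415 http://www.example.com/error1.html;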
爬虫优化,可以进行适当限速
使用tmpfs文件系统给/tmp
为了提高效率，部分程序的切图操作会把临时文件放到 /tmp 下，可以把 /tmp 设置成内存文件系统；它占用的是内存空间，相当于从内存里拿出一块当磁盘用。
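# Mount a 16 MiB RAM-backed filesystem on /tmp for temporary image work.
# Anything already under /tmp is hidden while the mount is active, and the
# mount does not survive a reboot -- add an /etc/fstab entry for persistence.
# On a world-writable /tmp the options nosuid,nodev,noexec are commonly added
# so that files dropped there cannot be executed or carry setuid bits.
mount -t tmpfs -o size=16m tmpfs /tmp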
防DOS攻击
限制单个ip的 req/s , conn
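# Per-client throttling for a login endpoint (wp-login.php as the example).
#
# $rt_filtered_ip is the key for limit_req: the client's address for everyone
# except the listed hosts, which map to "".  An empty key is not counted, so
# those addresses are exempt from the request-rate limit.
map $remote_addr $rt_filtered_ip {
    default  $binary_remote_addr;
    1.2.3.4  "";
    4.4.4.4  "";
}

# Alternative: the same variable defined with geo, which also accepts CIDR
# ranges and IPv6 addresses.  Use ONE of the two definitions -- delete the map
# above and uncomment this block if you prefer geo.
#geo $rt_filtered_ip {
#    default        $binary_remote_addr;
#    127.0.0.1      "";
#    192.168.1.0/24 "";
#    10.1.0.0/16    "";
#    ::1            "";
#    2001:0db8::/32 "";
#    1.2.3.4        "";   # the original omitted the ";" on this entry
#}

# Shared-memory zones.  limit_conn counts open connections, keyed by client
# address, by virtual host and by URI respectively; limit_req keys on the
# filtered address and allows 1 request per second per key.
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name        zone=perserver:10m;
limit_conn_zone $host$uri           zone=peruri:10m;
limit_req_zone  $rt_filtered_ip     zone=qps:10m rate=1r/s;

server {
    location = /wp-login.php {
        # burst=5 admits up to five requests above the rate; nodelay serves
        # them immediately and rejects anything beyond the burst (503 by default).
        limit_req    zone=qps burst=5 nodelay;
        limit_conn   perip     10;    # at most 10 concurrent connections per client
        limit_conn   perserver 100;   # at most 100 concurrent connections for this vhost
        limit_rate   500k;            # cap response bandwidth per connection
        include      fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
}
# NOTE(review): $remote_addr / $binary_remote_addr are the TCP peer.  Behind a
# reverse proxy or CDN every client shares the proxy's address and the limit
# hits all of them at once; configure the realip module (set_real_ip_from /
# real_ip_header) for the trusted proxies first.  The peruri zone is declared
# but not used by the server above.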
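# Quick load test of the throttled endpoint: 100 requests, 10 concurrent.
# ab needs a full URL including the scheme -- without "http://" it rejects the
# argument as an invalid URL (the original omitted it).  Once the 1 r/s plus
# burst=5 budget is spent, expect the remaining responses to come back as 503.
ab -n 100 -c 10 http://example.com/wp-login.php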
$binary_remote_addr是限制同一客户端ip地址;
$server_name是限制同一server最大并发数;
limit_conn为限制并发连接数;
limit_rate为限制下载速度;
访问控制 allow/deny
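# Status endpoint of the stub_status module, exposed to operators only.
# allow/deny and auth_basic are both enforced (satisfy all is the default), so
# a request must come from a listed address AND present valid credentials.
location /nginx-status {
    stub_status on;
    access_log  off;
    auth_basic           "NginxStatus";
    auth_basic_user_file /usr/local/nginx/htpasswd;
    allow 192.168.10.100;
    allow 172.29.73.0/24;
    deny  all;
}
# NOTE(review): keep the password file outside every directory nginx serves
# and readable only by the worker user.  Basic auth carries the credentials
# in the clear, so reach this location over HTTPS only.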
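# Create the credentials file referenced by auth_basic_user_file, with the
# user "admin" (the password is prompted for).  -c creates the file and
# truncates an existing one, so omit it when adding further users.  The
# original ran this against a file in the current directory; the absolute
# path is spelled out here so it lands where the location block expects it.
htpasswd -c /usr/local/nginx/htpasswd admin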