1.2 Nginx安装部署
1.2.1 依赖安装与环境准备
#添加用户与用户组(用户名可自行定义)
groupadd -r nginx && useradd -s /sbin/nologin -r -g nginx nginx
#安装依赖
yum -y install gcc gcc-c++ automake autoconf libtool make wget net-tools
yum install -y libxslt* libxml2* gd-devel perl-devel perl-ExtUtils-Embed GeoIP GeoIP-devel GeoIP-data openssh-server lrzsz tree openssl libssl-dev libpcre3 libpcre3-dev zliblg-dev zliblg-dev pcre pcre-devel openssl openssl‐devel
wget https://nginx.org/download/
#所需目录创建
mkdir -pv /usr/local/nginx/{logs,client_body,proxy,fastcgi,uwsgi,scgi}
chown -R nginx:nginx /usr/local/nginx
1.2.2 隐藏nginx版本号
#修改nginx.h文件如下三行配置信息变更
vi /opt/nginx-1.19.1/src/core/nginx.h
#define nginx_version 1010001
#define NGINX_VERSION "618"
#define NGINX_VER "WEB/" NGINX_VERSION
#修改ngx_http_header_filter_module.c文件的ngx_http_server_string显示名称与上述中的NGINX_VER名称一致
vi /opt/nginx-1.19.1/src/http/ngx_http_header_filter_module.c
static u_char ngx_http_server_string[] = "Server: WEB" CRLF;
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
#修改ngx_http_special_response.c文件的ngx_http_error_tail显示名称与上述中的NGINX_VER名称一致
vi /opt/nginx-1.19.1/src/http/ngx_http_special_response.c
static u_char ngx_http_error_tail[] =
"<hr><center>WEB</center>" CRLF
"</body>" CRLF
"</html>" CRLF
;
#修改完成后注意保存配置文件
1.2.3 模块安装
(1)Pcre安装
cd /opt
wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
tar -zxvf pcre-8.44.tar.gz
cd pcre-8.44/
./configure
make && make install
(2)Zlib安装
cd /opt
wget http://www.zlib.net/fossils/zlib-1.2.11.tar.gz
tar -zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
make && make install
(3)Openssl安装
cd /opt
wget https://ftp.openssl.org/source/old/1.1.1/openssl-1.1.1g.tar.gz
tar -zxvf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g
./config
make && make install
openssl version
备注:如果openssl版本输入不对应,需要重装
cd openssl-OpenSSL_1_1_1g
./config --prefix=/usr/local/openssl
make
make install
ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/local/lib/
ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/local/lib/
ln -s /usr/local/lib/libssl.so.1.1 /usr/lib/
ln -s /usr/local/lib/libcrypto.so.1.1 /usr/lib/
ln -s /usr/local/lib/libssl.so.1.1 /usr/lib64/
ln -s /usr/local/lib/libcrypto.so.1.1 /usr/lib64/
/usr/local/openssl/bin/openssl version
ldd /usr/local/openssl/bin/openssl
ldconfig -v
mv /usr/bin/openssl /usr/bin/openssl.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
openssl version
nginx安装时则需要指定openssl路径
--with-openssl=../openssl-1.1.1g \
以上模块可使用yum直接安装,安装指令如下:
yum install -y pcre-devel zlib-devel openssl-devel
1.2.4 Nginx安装
#安装包下载与解压
cd /opt
wget http://nginx.org/download/nginx-1.19.1.tar.gz
tar -zxvf nginx-1.19.1.tar.gz
cd /opt/nginx-1.19.1
./configure \
--prefix=/usr/local/nginx \
--pid-path=/usr/local/nginx/logs/nginx.pid \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_random_index_module \
--with-http_degradation_module \
--with-http_secure_link_module \
--with-http_gzip_static_module \
--with-http_perl_module \
--with-http_limit_conn_module \
--with-pcre=../pcre-8.44 \
--with-zlib=../zlib-1.2.11 \
--with-openssl=../openssl-1.1.1g \
--with-debug \
--with-file-aio \
--with-mail \
--with-mail_ssl_module \
--http-client-body-temp-path=/usr/local/nginx/client_body \
--http-proxy-temp-path=/usr/local/nginx/proxy \
--http-fastcgi-temp-path=/usr/local/nginx/fastcgi \
--http-uwsgi-temp-path=/usr/local/nginx/uwsgi \
--http-scgi-temp-path=/usr/local/nginx/scgi \
--with-stream \
--with-ld-opt="-Wl,-E"
make && make install
1.2.5 系统服务配置
#配置nginx环境变量
cat >>/etc/profile<<EOF
NGINX_HOME=/usr/local/nginx
PATH=$NGINX_HOME/sbin:$PATH
EOF
source /etc/profile
添加nginx系统服务启动脚本
vi /etc/init.d/nginx
#!/bin/bash
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: 2345 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
#
# processname: nginx
# config: /usr/local/nginx/conf/nginx.conf
# pidfile: /usr/local/nginx/logs/nginx.pid
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0
nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)
NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"
[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx
lockfile=/var/lock/nginx.lock
start() {
[ -x $nginx ] || exit 5
[ -f $NGINX_CONF_FILE ] || exit 6
echo -n "Starting $prog: "
daemon $nginx -c $NGINX_CONF_FILE
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n "Stopping $prog: "
killproc $prog -QUIT
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
configtest || return $?
stop
sleep 1
start
}
rh_status() {
status $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
status)
rh_status
;;
*)
echo $"Usage: $0 {start|stop|status|restart}"
exit 2
;;
esac
配置nginx系统服务及自启动
#编译完成后,执行以下命令
#上面命令执行完成后,执行以下命令
chmod 755 /etc/init.d/nginx
chkconfig --add nginx && chkconfig nginx on
chkconfig --list nginx
启动与停止nginx服务
systemctl daemon-reload
service nginx start 或使用 systemctl start nginx
service nginx status 或使用 systemctl status nginx
ps -ef|grep nginx
service nginx stop 或使用 systemctl stop nginx
2、Nginx加固
2.1 安全审计
#启用错误日志
error_log logs/error.log;
#启用访问日志
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer"'
'"$http_user_agent" "$http_x_forwarded_for"'
'"$request_time" "$upstream_response_time"';
#日志缓存
access_log logs/access.log main buffer=64k flush=60s;
open_log_file_cache max=300 inactive=20s valid=1m min_uses=2;
2.2 隐藏nginx版本
#在nginx.conf配置文件中添加隐藏nginx版本的参数
# hide nginx version
server_tokens off;
#在fastcgi.conf配置文件中添加#注释如下配置隐藏php中nginx的版本信息
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
2.3 数据保密性
配置防盗链,在nginx.conf对应的server中配置以下参数(根据实际环境需要配置)
location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
valid_referers none blocked 域名;
if ($invalid_referer) {
return 403;
break;
}
access_log off;
}
2.4 配置错误界面
把error.html放在nginx/html下。在nginx.conf的http中配置以下参数
error_page 404 500 502 503 504 505 /error.html;
2.5 Web前端安全
防止点击劫持,防止ie内容嗅探,防止xss,只能从本域名加载资源(外部脚本无法执行),在nginx.conf的server中配置以下参数(根据实际环境需要配置)
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection 1;
#add_header Content-Security-Policy "default-src 'self'";
2.6 访问控制
限制ip访问(因公网访问nginx,建议不设置。除非有恶意ip尝试cc攻击或暴力破解等非法操作)(根据实际环境需要配置)
location / {
deny 192.168.1.1; #拒绝IP
allow 192.168.1.0/24; #允许IP
allow 10.1.1.0/16; #允许IP
deny all; #拒绝其他所有IP
}
2.7 限制请求方法
不使用SSL和TLS1.1以下,使用TLS1.2以上版本,在nginx.conf的server中配置以下参数(在启用https的场景中配置)
SSL_Protocols TLSv1.2;
在nginx.conf的server中配置以下参数,只允许GET、POST两个http请求方式
location / {
if ($request_method !~* GET|POST) {
return 403;
}
}
nginx禁用option方法,将下面语句添加到nginx.conf文件或者server模块中
if ($request_method ~* OPTIONS) {
return 404;
}
3、Nginx优化
3.1 Nginx工作进程数量
一般设置CPU的核心或者核心数x2(worker_processes最多开启8个)
grep ^processor /proc/cpuinfo | wc -l //获取cpu核心数
worker_processes 4;
3.2 Nginx运行CPU亲和力
#比如2核配置
worker_processes 2;
worker_cpu_affinity 01 10;
#比如4核配置
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
#比如8核配置
worker_processes 8;
worker_cpu_affinity 00000001 00000010 00000100 0000100000010000 00100000 01000000 10000000;
3.3 优化内核参数与连接数
cat >>/etc/sysctl.conf<<EOF
fs.file-max = 6815744
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 40960
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
EOF
sysctl -p
cat >>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
* soft noproc 65535
* hard noproc 65535
EOF
3.4 Nginx事件处理
启用epoll模型以提高处理效率
events {
use epoll;
worker_connections 65535;
multi_accept on;
}
3.5 开启高效传输模式
sendfile on;
tcp_nopush on;
3.6 连接超时时间
保护服务器资源,CPU,内存与控制连接数
keepalive_timeout 60;
tcp_nodelay on;
client_header_buffer_size 4k;
open_file_cache max=102400 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 1;
client_header_timeout 60;
client_body_timeout 60;
reset_timedout_connection on;
send_timeout 20;
client_max_body_size 10m;
3.7 专属路径便携配置
不同的服务配置单独的conf文件,提高运维效率,以nginx.conf配置文件添加include参数
mkdir /usr/local/nginx/conf/conf.d
include /usr/local/nginx/conf/conf.d/*.conf;
3.8 Gzip调优
使用gzip压缩功能,可能为我们节约带宽,加快传输速度
gzip on;
gzip_min_length 2k;
gzip_buffers 4 32k;
gzip_http_version 1.1;
gzip_comp_level 6;
gzip_typestext/plain text/css text/javascriptapplication/json application/javascript application/x-javascriptapplication/xml;
gzip_vary on;
gzip_proxied any;
3.9 Expires缓存调优
缓存,主要针对于图片,css,js等元素更改机会比较少的情况下使用,特别是图片,占用带宽大,可以设置图片在浏览器本地缓存365d,css,js,html可以缓存个10来天。
location ~* \.(ico|jpe?g|gif|png|bmp|swf|flv)$ {
expires 30d;
#log_not_found off;
access_log off;
}
location ~* \.(js|css)$ {
expires 7d;
log_not_found off;
access_log off;
}
4、日志分割处理
vim clearNginxLog.sh
#设置日志的存储路径
LOG_PATH=/usr/local/nginx/logs
#设置历史日志的存储地址
HISTORY_LOG_PATH=/usr/local/nginx/history_logs
if [ ! -d "${HISTORY_LOG_PATH}" ]; then
mkdir -p ${HISTORY_LOG_PATH}
fi
#获取分割日志时所需要的时间当做日志文件名称
TIME=$(date +%Y%m%d)
#当前日志备份到指定的存储目录
mv ${LOG_PATH}/access.log ${HISTORY_LOG_PATH}/${TIME}_access.log
mv ${LOG_PATH}/error.log ${HISTORY_LOG_PATH}/${TIME}_error.log
if [ -f "${LOG_PATH}/https_access.log" ]; then
mv ${LOG_PATH}/https_access.log ${HISTORY_LOG_PATH}/${TIME}_https_access.log
fi
if [ -f "${LOG_PATH}/https_error.log" ]; then
mv ${LOG_PATH}/https_error.log ${HISTORY_LOG_PATH}/${TIME}_https_error.log
fi
#发送信号重新打开日志文件,在没有执行kill -USR1 nginx_pid 之前,即便已经对文件执行了mv命令也只是改变了文件的名称,nginx还是会向新命名的文件中照常写入日志数据。原因在于linux系统中,内核是根据文件描述符来找文件的
kill -USR1 $(cat ${LOG_PATH}/nginx.pid)
#压缩历史日志
cd ${HISTORY_LOG_PATH}
tar -zcf ${TIME}.tar.gz ${TIME}_*.log
#rm -rf ${HISTORY_LOG_PATH}/${TIME}_*.log
find ${HISTORY_LOG_PATH} -type f -name "*.log" -mtime +3 -exec rm -f {} \;
#定时清理90天前的日志
find ${HISTORY_LOG_PATH} -type f -name "*.tar.gz" -mtime +90 -exec rm -f {} \;
#将sh脚本加入到定时任务中,每天23:59执行
crontab -e
#添加定时任务
58 23 * * * /usr/local/nginx/clearNginxLog.sh > /usr/local/nginx/history_logs/clearNginxLog`date +\%y\%m\%d`.log 2>&1
[Ubuntu conf]$ more nginx.conf
#user nobody;
worker_processes 2;
#error_log logs/error.log;
pid logs/nginx.pid;
events {
use epoll;
worker_connections 2048;
}
http {
include mime.types;
default_type application/octet-stream;
limit_req_zone $binary_remote_addr zone=one:10m rate=2000r/s;
log_format main '$remote_addr - $remote_user [$time_local] "$request" $http_host '
'$status $request_length $body_bytes_sent "$http_referer" '
'"$http_user_agent" $request_time $upstream_response_time';
access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 15;
client_body_timeout 10;
send_timeout 10;
gzip on;
gzip_static on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
server_tokens off;
server_names_hash_bucket_size 512;
port_in_redirect off;
error_page 404 /404.html;
upstream xxx.com {
server xx.xx.xx.xx:80 weight=1;
}
upstream xxx1.com {
server xx.xx.xx.xx:81 weight=1;
}
server {
listen 80;
server_name xx.com;
add_header X-Frame-Options ALLOWALL;
location /{
rewrite ^ https://$host$request_uri? permanent;
proxy_set_header X-Real-IP $remote_addr;
}
}
server {
listen 80;
server_name xx.com;
add_header X-Frame-Options SAMEORIGIN;
location /{
proxy_pass http://xx.com.cn:101;
proxy_set_header X-Real-IP $remote_addr;
}
}
limit_conn_zone $binary_remote_addr zone=addr:20m;
limit_conn_zone $binary_remote_addr zone=perip:20m;
limit_conn_zone $server_name zone=perserver:20m;
server {
listen 80;
server_name xx.com;
location / {
proxy_pass http://xx.com/;
proxy_set_header X-Real-IP $remote_addr;
}
location /xx/xxx {
limit_conn addr 3; #限制连接并发数仅能为3。
limit_rate 500k; #单个连接的传输速率
limit_conn perip 20;其中limit_conn perip 10表示限制单个IP同时最多能持有20个连接;limit_conn perserver 100表示server同时能处理并发连接的总数为100个。PS:只有当request header被后端处理后,这个连接才进行计数。
proxy_pass http://xx.com.cn/xx/;
proxy_set_header X-Real-IP $remote_addr;
}
}
include conf.d/*.conf;
}