Auditing (auditd)
auditctl -l                                  // list the rules currently loaded
auditctl -s                                  // show auditd status (-S <syscall> is the syscall filter used with -a rules, not a listing command)
auditctl -D                                  // delete all loaded rules
auditctl -w /etc/passwd -p rwxa -k NAME      // watch /etc/passwd for read, write, execute and attribute access, tag hits with key NAME (runtime only, gone after a reboot)
vim /etc/audit/rules.d/audit.rules           // persistent rules; note the directory is rules.d, not rule.d
-w /etc/passwd -p rwxa -k NAME
-w /bin/PROGRAM -p rwxa -k NAME
vim /var/log/audit/audit.log                 // raw records; every hit carries key="NAME"
tailf /var/log/audit/audit.log               // follow new records as they are written (tail -f where tailf is absent)
ausearch -k NAME -if FILE                    // search by key; -if reads the records from FILE instead of the live log
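As an added example (not from the course notes), the script below does for a copied-out log what `ausearch -k NAME -if FILE` does for the records tagged with a key, using plain awk so it also runs on a host without the audit tools: it reports which executable and uid triggered the watch and whether the syscall was allowed. The log lines inside are a constructed sample in auditd's SYSCALL record format; the key names passwd_watch and bin_watch and the function names are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the course notes: summarise the audit records that
# carry a given key (-k), the way "ausearch -k NAME -if FILE" would, with awk
# only. Field names (type=, uid=, exe=, success=, key=) are auditd's real
# SYSCALL record fields; the log below is a constructed sample.

SAMPLE_AUDIT_LOG=$(mktemp)
cat >"$SAMPLE_AUDIT_LOG" <<'EOF'
type=SYSCALL msg=audit(1533030000.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=1b6 a3=0 items=1 ppid=1200 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd_watch"
type=PATH msg=audit(1533030000.101:201): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1533030010.500:202): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=241 a2=1b6 a3=0 items=1 ppid=1400 pid=1401 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="bash" exe="/usr/bin/bash" key="passwd_watch"
type=SYSCALL msg=audit(1533030020.700:203): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1400 pid=1500 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="bin_watch"
type=SYSCALL msg=audit(1533030030.900:204): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=241 a2=1b6 a3=0 items=1 ppid=1400 pid=1401 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="bash" exe="/usr/bin/bash" key="passwd_watch"
EOF

# audit_key_report LOGFILE KEY
# One line per distinct (exe, uid, success) among the SYSCALL records tagged
# KEY, prefixed with how often it occurred, most frequent first. The PATH and
# other records of the same event are skipped: SYSCALL carries who and what.
audit_key_report() {
    local logfile=$1 key=$2
    awk -v want="\"$key\"" '
        $1 == "type=SYSCALL" {
            exe = ""; uid = ""; ok = ""; k = ""
            for (i = 2; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                name = substr($i, 1, eq - 1); val = substr($i, eq + 1)
                if (name == "exe")     exe = val
                if (name == "uid")     uid = val
                if (name == "success") ok  = val
                if (name == "key")     k   = val
            }
            if (k == want) count[exe " uid=" uid " success=" ok]++
        }
        END { for (c in count) print count[c], c }
    ' "$logfile" | sort -k1,1nr -k2
}

# audit_key_total LOGFILE KEY -> number of SYSCALL records tagged KEY
audit_key_total() {
    awk -v want="\"$2\"" '
        $1 == "type=SYSCALL" { for (i = 2; i <= NF; i++) if ($i == "key=" want) n++ }
        END { print n + 0 }
    ' "$1"
}

# audit_key_failures LOGFILE KEY -> records tagged KEY whose syscall was denied
# (success=no): a refused open of /etc/passwd by an unprivileged user is
# usually the more interesting hit than a successful one by root.
audit_key_failures() {
    awk -v want="\"$2\"" '
        $1 == "type=SYSCALL" {
            hit = 0; failed = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "key=" want)  hit = 1
                if ($i == "success=no") failed = 1
            }
            if (hit && failed) n++
        }
        END { print n + 0 }
    ' "$1"
}

echo "== key passwd_watch =="
audit_key_report "$SAMPLE_AUDIT_LOG" passwd_watch
echo "total: $(audit_key_total "$SAMPLE_AUDIT_LOG" passwd_watch), denied: $(audit_key_failures "$SAMPLE_AUDIT_LOG" passwd_watch)"
```

On a real host point the functions at /var/log/audit/audit.log (or a copy made with `ausearch -k NAME --raw > FILE`); the `-k` key is what makes the records searchable, so pick a distinct key per watch rule.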
Nginx is modular: which features are built in is decided when the software is compiled. --with-... enables a module that is off by default, --without-... removes a module that is on by default. A minimal build is always the right choice: a module that is not compiled in cannot be misconfigured or exploited.
nmcli connection modify eth0 ipv4.method manual ipv4.address "192.168.4.1/24" connection.autoconnect yes
nmcli connection up eth0
ifconfig eth0
hostnamectl set-hostname proxy
[root@rootroom9pc01 ~]# ssh -X root@192.168.4.1
[root@rootroom9pc01 ~]# scp -r '/root/桌面/nginx-1.12.2.tar.gz' 192.168.4.1:/root
[root@proxy ~]# tar -xf nginx-1.12.2.tar.gz
[root@proxy nginx-1.12.2]# ./configure --without-http_autoindex_module --without-http_ssi_module    // fails on a fresh host: no C compiler and no pcre/openssl headers yet, so set up the repository and install them first
[root@proxy nginx-1.12.2]# vim /etc/yum.repos.d/local.repo
[name]                                  // repository id, any unique name
name=rhel7
baseurl=http://192.168.4.254/rhel7
enabled=1
gpgcheck=0                              // lab only: disables package signature checks, keep it at 1 outside the classroom
[root@proxy nginx-1.12.2]# yum repolist
[root@proxy nginx-1.12.2]# yum -y install gcc pcre-devel openssl-devel    // compiler plus the headers the rewrite engine (pcre) and the SSL module need
[root@proxy nginx-1.12.2]# useradd -s /sbin/nologin nginx                 // unprivileged account for the worker processes, no interactive login
[root@proxy nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module
[root@proxy nginx-1.12.2]# make
[root@proxy nginx-1.12.2]# make install
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx              // start
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s stop      // stop
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s reload    // re-read the configuration without dropping connections
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -V           // version and the exact configure arguments this binary was built with (printed to stderr)
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module
[root@proxy nginx-1.12.2]# ln -s /usr/local/nginx/sbin/nginx /sbin/    // put the binary on PATH
[root@proxy nginx-1.12.2]# nginx
[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
http {
server_tokens off;        // hide the version number in the Server header and in error pages
[root@proxy nginx-1.12.2]# curl -I http://192.168.4.1    // after a reload, show only the response headers
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 31 Jul 2018 09:59:20 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 31 Jul 2018 09:50:53 GMT
Connection: keep-alive
ETag: "5b6030fd-264"
Accept-Ranges: bytes
// Hiding the software name as well: server_tokens off still answers "Server: nginx", so the string must be changed in the source and the binary rebuilt. This only removes the banner; error pages and header ordering still fingerprint nginx, so treat it as a nuisance for scanners, not a security control.
[root@proxy nginx-1.12.2]# vim +48 src/http/ngx_http_header_filter_module.c
static u_char ngx_http_server_string[] = "Server: nginx" CRLF;
static u_char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
static u_char ngx_http_server_build_string[] = "Server: " NGINX_VER_BUILD CRLF;
Change them to:
static u_char ngx_http_server_string[] = "Server: test" CRLF;
static u_char ngx_http_server_full_string[] = "Server: test" CRLF;
static u_char ngx_http_server_build_string[] = "Server: test" CRLF;
[root@proxy nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module    // re-run with the same arguments as before: a bare ./configure would silently drop the user, SSL and --without settings (or skip this step, the Makefile from the earlier run is still in place)
[root@proxy nginx-1.12.2]# make && make install
[root@proxy nginx-1.12.2]# killall nginx    // make install replaced the binary underneath the running master; stop the old process and start the new binary
[root@proxy nginx-1.12.2]# nginx
[root@proxy nginx-1.12.2]# curl -I http://192.168.4.1
HTTP/1.1 200 OK
Server: test
Date: Tue, 31 Jul 2018 10:06:47 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 31 Jul 2018 09:50:53 GMT
Connection: keep-alive
ETag: "5b6030fd-264"
Accept-Ranges: bytes
Limiting the request rate
A DoS attacker opens large numbers of concurrent connections and sends requests without limit, consuming server resources (connection slots, bandwidth, worker time) so that legitimate users wait or cannot reach the server at all.
Nginx ships ngx_http_limit_req_module, which caps the request rate per client key and so takes the edge off such floods. It limits requests per second, not open connections; for a cap on concurrent connections per client use ngx_http_limit_conn_module.
[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name localhost;
limit_req zone=one burst=5;
// limit_req_zone syntax:
// limit_req_zone key zone=name:size rate=rate;
// the client address ($binary_remote_addr) is the key; its state is kept in a shared-memory zone named one of 10 MB
// 1 MB holds about 8 thousand 128-byte client states, so 10 MB tracks about 80 thousand clients;
// size the zone as needed (when it fills, nginx evicts the least recently used states and, if it still cannot allocate, answers 503)
// rate=1r/s: one request per second per client passes straight through
// burst=5: up to 5 requests above that rate are queued and released one per second (add nodelay to serve them at once);
// anything beyond the burst is answered with 503
// limit_req_zone belongs in the http context; limit_req may be set in http, server or location
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s reload
[root@rootroom9pc01 ~]# ab -c 100 -n 100 http://192.168.4.1/    // 100 requests, all in flight at once, from the workstation (ab comes with httpd-tools)
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.4.1 (be patient).....done
Server Software: test
Server Hostname: 192.168.4.1
Server Port: 80
Document Path: /
Document Length: 612 bytes
Concurrency Level: 100
Time taken for tests: 5.003 seconds
Complete requests: 100
Failed requests: 94
(Connect: 0, Receive: 0, Length: 94, Exceptions: 0)
Write errors: 0
Non-2xx responses: 94
Total transferred: 72984 bytes
HTML transferred: 54150 bytes
Requests per second: 19.99 [#/sec] (mean)
Time per request: 5002.765 [ms] (mean)
Time per request: 50.028 [ms] (mean, across all concurrent requests)
Transfer rate: 14.25 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 1 2 0.5 2 3
Processing: 2 159 727.7 10 4998
Waiting: 1 159 727.8 10 4998
Total: 5 161 727.9 12 5001
Percentage of the requests served within a certain time (ms)
50% 12
66% 14
75% 16
80% 17
90% 19
95% 1001
98% 4001
99% 5001
100% 5001 (longest request)
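The figures above (94 non-2xx responses, a longest request of about 5 s, the 95th percentile at about 1 s) follow directly from how limit_req handles a burst. The model below is an added example, not part of the course notes or of nginx itself: for a rate, a burst and N simultaneous requests from one client it computes how many are answered at once, queued, or rejected with 503, and how long the last queued request waits. It assumes the zone holds no state for the client when the burst arrives and that all N requests are truly simultaneous, which is what ab -c 100 -n 100 produces; the function names are my own.

```bash
#!/bin/bash
# Added example, not part of the course notes: a model of what limit_req does
# to N requests arriving at once from one client, to read the ab output by hand.
# Assumptions: empty zone for the client, all N requests in flight at the same instant.

# rate_per_sec "1r/s" | "30r/m" -> requests per second as a decimal
rate_per_sec() {
    local spec=$1 num unit
    num=${spec%r/*}
    unit=${spec##*/}
    case $unit in
        s) awk -v n="$num" 'BEGIN { printf "%g", n }' ;;
        m) awk -v n="$num" 'BEGIN { printf "%g", n / 60 }' ;;
        *) echo "unsupported rate spec: $spec" >&2; return 1 ;;
    esac
}

# limit_req_outcome RATE BURST N [nodelay]
# Prints served=<answered at once> delayed=<queued, released one per 1/RATE s>
#        rejected=<answered 503> max_delay_s=<wait of the last queued request>
limit_req_outcome() {
    local rate=$1 burst=$2 n=$3 mode=${4:-delay}
    local rps served=0 delayed=0 rejected=0 excess max_delay
    rps=$(rate_per_sec "$rate") || return 1
    if [ "$n" -ge 1 ]; then served=1; fi     # the first request always fits the rate
    excess=$(( n - served ))
    if [ "$excess" -gt "$burst" ]; then      # bucket full: everything past the burst gets 503
        delayed=$burst
        rejected=$(( excess - burst ))
    else
        delayed=$excess
    fi
    if [ "$mode" = nodelay ]; then           # nodelay: burst slots are consumed at once, nothing is queued
        served=$(( served + delayed ))
        delayed=0
    fi
    # without nodelay the queue drains at RATE, so the last queued request waits delayed/RATE seconds
    max_delay=$(awk -v d="$delayed" -v r="$rps" 'BEGIN { printf "%.1f", d / r }')
    echo "served=$served delayed=$delayed rejected=$rejected max_delay_s=$max_delay"
}

echo "rate=1r/s burst=5, 100 concurrent:          $(limit_req_outcome 1r/s 5 100)"
echo "rate=1r/s burst=5 nodelay, 100 concurrent:  $(limit_req_outcome 1r/s 5 100 nodelay)"
echo "rate=10r/s burst=20, 30 concurrent:         $(limit_req_outcome 10r/s 20 30)"
```

For the configuration above the model gives served=1, delayed=5, rejected=94 and a 5.0 s wait for the last queued request, which is the 94 failed requests and the 5001 ms longest request ab reported; the queued requests are released at 1 s, 2 s, ... 5 s, hence the jump from 19 ms at the 90th percentile to 1001 ms at the 95th. With nodelay the same 6 requests succeed but none waits, so a legitimate client's short burst is not slowed down while the flood is still capped.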
Rejecting unwanted request methods
HTTP defines a number of request methods through which a client asks the server for a resource, but in practice most sites only need GET and POST.
| Method | Description |
|---|---|
| GET | Request the resource at the given path; the response carries the entity body |
| HEAD | Like GET, but the response carries headers only; used to fetch metadata |
| POST | Submit data to the resource for processing (for example a form post or a file upload) |
| DELETE | Ask the server to delete the resource |
| PUT | Store the supplied data at the given location on the server |
| ... | other methods |
Before changing the server configuration, test from the client with different methods:
[root@rootroom9pc01 ~]# curl -i -X GET http://192.168.4.1
[root@rootroom9pc01 ~]# curl -i -X HEAD http://192.168.4.1    // note: -X HEAD makes curl send HEAD but still wait for a body that never comes, so against an unmodified server it hangs until the keepalive timeout; curl -I sends HEAD properly
// curl options:
// -i: print the HTTP response headers along with the page
// -X: request method to use
Configure Nginx to reject methods outside the allow-list:
server {
listen 80;
if ($request_method !~ ^(GET|POST)$ ) {
return 444;        // 444 is nginx-specific: close the connection without sending any response
}
server_name localhost;
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s reload
[root@proxy nginx-1.12.2]# curl -i -X GET http://192.168.4.1
HTTP/1.1 200 OK
[root@proxy nginx-1.12.2]# curl -i -X HEAD http://192.168.4.1
curl: (52) Empty reply from server    // the connection was closed by return 444
// Choose the allow-list per application: load balancers and monitoring commonly use HEAD, and browsers send OPTIONS for CORS preflight, so blocking them can break legitimate clients.
Capping request buffers
When a client connects, the server allocates buffers for the request line, headers and body and for the connection's state.
If an attacker opens many connections and sends oversized headers or bodies, and the server puts no limit on these buffers, memory is exhausted (the "overflow" here means running out of memory, not a memory-safety bug).
Adjusting the buffer directives in the Nginx configuration bounds what a single request can make the server allocate.
[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
http {
client_body_buffer_size 1K;          // request body is buffered in memory up to this size, larger bodies are written to a temporary file
client_header_buffer_size 1k;        // buffer for the request line and headers
client_max_body_size 1k;             // bodies above this are rejected with 413; 1k breaks uploads and most form posts, so set it to what the application really needs
large_client_header_buffers 2 1k;    // headers that do not fit the first buffer get at most 2 buffers of 1k; a longer request line gives 414, a longer header field 400
[root@proxy nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s reload
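To confirm that the controls from this and the earlier sections (server_tokens off, limit_req, the request-method allow-list, client_max_body_size, and the modules left out at build time) are actually in effect, here is an added example script, not from the course notes: it greps a comment-stripped copy of nginx.conf and the `nginx -V` text for each control. The two config files and the `nginx -V` text it runs against are constructed samples, and the function names are my own. It is a textual check, not a parse of nginx's context nesting, so `nginx -t` remains the syntax test.

```bash
#!/bin/bash
# Added example, not from the course notes: check that the hardening directives
# are present in an nginx.conf and that unwanted modules were compiled out.
# Comments are stripped before matching, so "#server_tokens off;" does not pass.
# Usage on a real host:
#   check_nginx_hardening /usr/local/nginx/conf/nginx.conf
#   check_build_flags "$(nginx -V 2>&1)"     # -V prints to stderr, hence 2>&1

# label|extended-regex, one control per line
NGINX_CONTROLS='server_tokens off|^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;
limit_req_zone defined|^[[:space:]]*limit_req_zone[[:space:]]+\$binary_remote_addr[[:space:]]+zone=
limit_req applied|^[[:space:]]*limit_req[[:space:]]+zone=
request method allow-list|\$request_method[[:space:]]+!~
client_max_body_size set|^[[:space:]]*client_max_body_size[[:space:]]+[0-9]'

# check_nginx_hardening CONF -> prints OK/MISSING per control, returns the number missing
check_nginx_hardening() {
    local conf=$1 missing=0 label pattern stripped
    stripped=$(sed 's/#.*//' "$conf")
    while IFS='|' read -r label pattern; do
        if printf '%s\n' "$stripped" | grep -Eq "$pattern"; then
            echo "OK       $label"
        else
            echo "MISSING  $label"
            missing=$(( missing + 1 ))
        fi
    done <<<"$NGINX_CONTROLS"
    return "$missing"
}

# check_build_flags "<nginx -V output>" -> returns the number of modules that
# should have been compiled out but were not
check_build_flags() {
    local v=$1 bad=0 m
    for m in http_autoindex_module http_ssi_module; do
        if printf '%s\n' "$v" | grep -q -- "--without-$m"; then
            echo "OK       $m compiled out"
        else
            echo "MISSING  $m still built in"
            bad=$(( bad + 1 ))
        fi
    done
    return "$bad"
}

# Constructed samples: a config as shipped, one with the directives from these notes.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
http {
    include       mime.types;
    #server_tokens off;
    server {
        listen       80;
        server_name  localhost;
        location / { root html; index index.html; }
    }
}
EOF
cat >"$HARDENED_CONF" <<'EOF'
http {
    include       mime.types;
    server_tokens off;
    client_body_buffer_size   1k;
    client_header_buffer_size 1k;
    client_max_body_size      1k;
    large_client_header_buffers 2 1k;
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server {
        listen       80;
        server_name  localhost;
        limit_req zone=one burst=5;
        if ($request_method !~ ^(GET|POST)$ ) { return 444; }
        location / { root html; index index.html; }
    }
}
EOF
SAMPLE_NGINX_V='nginx version: nginx/1.12.2
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module'

echo "== shipped config ==";  check_nginx_hardening "$WEAK_CONF" || echo "-> $? control(s) missing"
echo "== hardened config =="; check_nginx_hardening "$HARDENED_CONF" && echo "-> all controls present"
echo "== build ==";           check_build_flags "$SAMPLE_NGINX_V" && echo "-> unwanted modules compiled out"
```

The return code is the number of missing controls, so the script can gate a deployment (`check_nginx_hardening nginx.conf || exit 1`). Because comments are stripped first, the commented-out `#server_tokens off;` in the shipped sample is correctly reported as missing.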