目录
1、安全控制
限制并发连接
cd /usr/local/nginx/html/
mkdir download
vim /usr/local/nginx/conf/nginx.conf
# Shared-memory zone "addr" (10 MB) that tracks connections keyed by the
# client address in binary form. limit_conn_zone is valid only in the http
# context, outside any server or location block.
limit_conn_zone $binary_remote_addr zone=addr:10m;
location /download/ {
# Allow one concurrent connection per key (client address) under /download/.
# Clients behind the same NAT or proxy share one address and therefore share
# this single slot.
limit_conn addr 1;
}
systemctl reload nginx.service
此时每个客户端地址只能单线程下载，超出的并发连接会失败
ab -c 10 -n 10 http://192.168.189.111/download/vim.jpg
cat /usr/local/nginx/logs/access.log
限制请求数
vim /usr/local/nginx/conf/nginx.conf
# Shared-memory zone "one" (10 MB) keyed by the client address, with the
# average request rate capped at 1 request per second per key. Like
# limit_conn_zone, this directive belongs in the http context.
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# Apply zone "one": up to 5 requests above the rate are served immediately
# (nodelay) rather than queued; requests beyond the burst are rejected.
# NOTE(review): presumably placed inside "location /download/" — confirm.
limit_req zone=one burst=5 nodelay;
systemctl reload nginx.service
限制速率
# Download area with a bandwidth cap on top of the connection limit.
location /download/ {
##autoindex on;
# One concurrent connection per client address (zone "addr").
limit_conn addr 1;
# limit_rate applies per connection (100 KB/s here); together with the
# single-connection limit above it becomes an effective per-address cap.
limit_rate 100k;
##limit_req zone=one burst=5 nodelay;
}
2、自动索引
vim /usr/local/nginx/conf/nginx.conf
# Generate a directory listing when a request maps to a directory that has no
# index file. Every file in that directory becomes discoverable by name, so
# enable this only in a location meant for public browsing.
# NOTE(review): presumably intended for "location /download/" — confirm.
autoindex on;
systemctl reload nginx.service
3、缓存配置
# Case-sensitive regex location for URIs ending in .gif, .jpg or .png.
location ~ .*\.(gif|jpg|png)$ {
# Send Expires / Cache-Control headers so clients cache these files for a year.
expires 365d;
# Relative path: resolved against the nginx installation prefix.
root html;
}
4、禁用日志记录
# Stop writing access-log entries in the context where this directive is
# placed. Requests handled there leave no record for incident investigation,
# so scope it to a specific noisy location instead of the http or server level.
access_log off;
5、日志轮转
vim /opt/nginx_log.sh
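#!/bin/bash
# Rotate the nginx access log: rename the current access.log after
# yesterday's date, then send USR1 to the nginx master process so that it
# reopens its log files and starts a fresh access.log.
#
# NOTE(review): this is presumably run as root from cron; keep the log
# directory writable by root only, because the script renames files inside it.
set -euo pipefail

readonly log_dir=/usr/local/nginx/logs
readonly pid_file="${log_dir}/nginx.pid"

cd "$log_dir"

# GNU date: yesterday's date in YYYY-MM-DD form.
rotated="access_$(date -d '-1 day' +%F).log"

# A second run on the same day would otherwise silently replace the log that
# was already rotated, losing those entries.
if [[ -e "$rotated" ]]; then
  printf 'refusing to overwrite existing %s/%s\n' "$log_dir" "$rotated" >&2
  exit 1
fi
mv -- access.log "$rotated"

# Signal only when the pid file holds a plain process id; an empty or
# malformed value must never reach kill.
pid=$(<"$pid_file")
if [[ ! "$pid" =~ ^[0-9]+$ ]]; then
  printf 'unexpected content in %s\n' "$pid_file" >&2
  exit 1
fi
kill -USR1 "$pid"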
chmod +x /opt/nginx_log.sh
/opt/nginx_log.sh
cd /usr/local/nginx/logs/
crontab -e
# Run the rotation script every day at 00:00. The script names the rotated
# file after the previous day, which matches the day whose requests it holds.
00 00 * * * /opt/nginx_log.sh
6、nginx日志可视化
安装依赖
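# ncurses headers are needed to build goaccess.
dnf install -y ncurses-devel ncurses-devel.x86_64
# NOTE(review): check the tarball against the checksum or signature published
# by the project before building; this page does not give one.
tar xf goaccess-1.4.tar.gz
# configure and make must run inside the unpacked source tree.
cd goaccess-1.4
./configure --enable-utf8
make
make install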
启动
# Parse the access log (COMBINED format) and write an HTML report into the
# nginx html directory, where it is served as /report.html to anyone who can
# reach the site. The report shows client addresses, requested URLs and user
# agents. NOTE(review): consider restricting it with allow/deny, as the
# /status location on this page does.
# --real-time-html keeps goaccess running (backgrounded here with &) and makes
# it open a WebSocket listener, port 7890 by default, which browsers viewing
# the report connect to; that port needs the same access consideration.
goaccess /usr/local/nginx/logs/access.log -o /usr/local/nginx/html/report.html --log-format=COMBINED --real-time-html &
7、站点限制
# Status endpoint restricted to the local host. allow/deny rules are checked
# in order and the first match wins, so "deny all" must stay last.
# stub_status is available only when nginx was built with
# --with-http_stub_status_module.
location /status {
stub_status on; # enable the stub_status monitoring module
access_log off; # do not log requests to this location
allow 127.0.0.1; # allow access from the local host only
deny all; # deny access from every other host
}
8、中文乱码
9、虚拟主机
mkdir /www1/
echo web1 > /www1/index.html
vim /usr/local/nginx/conf/nginx.conf
# Name-based virtual host: requests on port 80 whose Host header is
# www1.yyl.org are served from /www1.
server {
listen 80;
server_name www1.yyl.org;
location / {
root /www1;
index index.html;
}
}
10、https配置
# Create a 2048-bit RSA key and a self-signed X.509 certificate valid for
# 365 days; openssl prompts for the subject fields.
# -nodes writes the private key unencrypted so nginx can load it without a
# passphrase. NOTE(review): the page does not show the key's permissions —
# make cert.key readable only by the account that starts nginx (for example
# chmod 600).
# A self-signed certificate is not trusted by browsers, so this suits a lab
# setup; a public site needs a certificate issued by a CA.
openssl req --newkey rsa:2048 -nodes -sha256 -keyout /usr/local/nginx/conf/cert.key -x509 -days 365 -out /usr/local/nginx/conf/cert.pem
11、重定向
# Redirect every request to the same path on https://www1.yyl.org with a
# 301 (permanent) response.
# NOTE(review): presumably placed in the port-80 server block only; inside the
# HTTPS server block it would redirect to itself in a loop — confirm placement.
rewrite ^/(.*)$ https://www1.yyl.org/$1 permanent;
将 www1.yyl.org/bbs 重定向到 bbs.yyl.org
mkdir /bbs
echo bbs.yyl.org > /bbs/index.html
# Redirect exactly /bbs to the root of bbs.yyl.org with a 301.
# NOTE(review): this pattern has no capture group, so $1 expands to an empty
# string here and could be dropped from the replacement.
rewrite ^/bbs$ http://bbs.yyl.org/$1 permanent;
# Redirect /bbs<rest> to http://bbs.yyl.org/<rest>.
# NOTE(review): the pattern is a bare prefix, so it also matches URIs such as
# /bbsfoo, and /bbs/x is sent to a path with a double slash; "^/bbs/(.*)$"
# would avoid both — confirm the intended behaviour.
rewrite ^/bbs(.*)$ http://bbs.yyl.org/$1 permanent;
12、防盗链
配置vm2上的apache服务,盗链vm1上的图片
<!-- Test page served by Apache on vm2: it embeds an image hosted on
     www1.yyl.org (vm1), which is the hotlinking that the nginx referer
     check is meant to stop. -->
<html>
<body>
<img src="http://www1.yyl.org/vim.jpg"/>
</body>
</html>
配置nginx网页防盗链
# Hotlink protection for .jpg and .png files served from /www1.
location ~ \.(jpg|png)$ {
root /www1;
# Requests are accepted when the Referer header is absent ("none"), was
# stripped by a proxy or firewall ("blocked"), or names www1.yyl.org.
# The Referer header is supplied by the client and can be set to any value,
# so this deters casual embedding but is not access control.
valid_referers none blocked www1.yyl.org;
# $invalid_referer is non-empty for any other Referer value.
if ($invalid_referer) {
#return 403;
# Redirect to a placeholder image on bbs.yyl.org instead of returning 403.
# NOTE(review): that image must be served without this same referer check,
# otherwise the redirect loops — confirm the bbs.yyl.org server block.
rewrite ^/ http://bbs.yyl.org/daolian.jpg;
}
}