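Nginx Service Optimization
Hiding the version number
Hiding the version number keeps attackers from using the reported Nginx version to pick attacks against that specific release.
Method 1: Edit the configuration file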
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
http {
include mime.types;
default_type application/octet-stream;
server_tokens off;
Request the site: the Server header shows only nginx, and the version number is hidden
[root@localhost ~]# curl -i http://192.168.10.101
HTTP/1.1 200 OK
Server: nginx
…………
Method 2: Change the version information in the source
nginx-1.12.0/src/core/nginx.h contains the version information, which can be changed to any value
[root@localhost ~]# vim nginx-1.12.0/src/core/nginx.h
#define nginx_version 1012000
#define NGINX_VERSION "10.12.0"
#define NGINX_VER "iis/" NGINX_VERSION
After the change, recompile and reinstall
[root@localhost ~]# cd nginx-1.12.0
[root@www nginx-1.12.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module && make && make install
[root@localhost nginx-1.12.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
http {
include mime.types;
default_type application/octet-stream;
server_tokens on;
Request the site and check the version information
[root@localhost ~]# nginx -s stop && nginx
[root@localhost ~]# curl -i 127.0.0.1
HTTP/1.1 200 OK
Server: iis/10.12.0
Date: Thu, 09 Jun 2022 07:57:08 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12
Last-Modified: Thu, 09 Jun 2022 07:46:09 GMT
Connection: keep-alive
ETag: "62a1a541-c"
Accept-Ranges: bytes
www.kgc.com
Setting the page cache time
Edit the Nginx configuration file and add an expires directive in a new location block to specify how long responses are cached
location / {
root html;
index index.html index.htm index.php;
}
location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
root html;
expires 1d;
}
After restarting Nginx, the browser shows that responses for image files contain an Expires header
Log rotation
Write the script /opt/fenge.sh
[root@www ~]# vim /opt/fenge.sh
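#!/bin/bash
# Filename: fenge.sh
# Rotate yesterday's access log and prune rotated logs older than 30 days.
d=$(date -d "-1 day" "+%Y%m%d")
logs_path="/var/log/nginx"
pid_path="/usr/local/nginx/logs/nginx.pid"
[ -d "$logs_path" ] || mkdir -p "$logs_path"
mv /usr/local/nginx/logs/access.log "${logs_path}/test.com-access.log-$d"
# USR1 tells the nginx master process to reopen its log files
kill -USR1 "$(cat "$pid_path")"
# Delete only regular files older than 30 days, never directories
find "$logs_path" -type f -mtime +30 -delete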
Run /opt/fenge.sh and check that the log file was rotated
[root@www ~]# chmod +x /opt/fenge.sh
[root@www ~]# /opt/fenge.sh
[root@www ~]# ls /var/log/nginx
[root@www ~]# ls /usr/local/nginx/logs/access.log
Set up a crontab job to run the script periodically and rotate the logs automatically
[root@www ~]# crontab -e
30 1 * * * /opt/fenge.sh
Page compression
[root@www ~]# vim /usr/local/nginx/conf/nginx.conf
http {
# Uncomment "gzip on;" and add the other parameters
gzip on;
gzip_buffers 4 64k;
gzip_comp_level 2;
gzip_types text/plain text/javascript application/x-javascript text/css text/xml image/jpeg image/gif image/png;
[root@www ~]# systemctl restart nginx
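Verify by visiting http://192.168.10.101/ in a browser; if the response headers contain Content-Encoding, compression is working
Hotlink protection
Lab environment
Edit the hosts file on both hosts and on the client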
192.168.10.101 www.benet.com
192.168.10.102 www.accp.com
Put the image logo.jpg in the web root of the source host (benet.com)
[root@www ~]# vim /usr/local/nginx/html/index.html
<html>
<body>
<p>原图网站</p>
<img src="http://www.benet.com/logo.jpg"/>
</body>
</html>
In the web root of the hotlinking host (accp.com), write the page index.html, which embeds the image from the source host (benet.com)
[root@accp~]# yum -y install httpd
[root@accp~]# systemctl stop firewalld
[root@accp~]# systemctl start httpd
[root@accp~]# vim /var/www/html/index.html
<html>
<body>
<p>盗图网站</p>
<img src="http://www.benet.com/logo.jpg"/>
</body>
</html>
Visit the hotlinking page http://www.accp.com/index.html to check whether the hotlink works
Configure Nginx hotlink protection
[root@www ~]# vim /usr/local/nginx/conf/nginx.conf
location / {
root html;
index index.html index.htm;
}
location ~* \.(gif|jpg|jpeg)$ {
valid_referers *.benet.com benet.com;
if ($invalid_referer) {
rewrite ^/ http://www.benet.com/error.png;
}
}
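Note:
Remove the page-cache configuration (the expires location added earlier also matches image requests and would handle them instead of this block if it comes first in the file)
Test
Visit http://www.accp.com/ again; the hotlinked image is no longer displayed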
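Which Referer values the rule "valid_referers *.benet.com benet.com;" accepts can be checked offline with a small model. This is an added example, not part of the original post: the function name referer_allowed and the sample Referer values are constructed, and the model covers only the host matching used by this rule.

```shell
#!/bin/sh
# Added example: simplified model of the page's rule
#   valid_referers *.benet.com benet.com;
# It does not contact a server; it only mirrors how the Referer host is matched.

# Returns 0 if the image would be served, 1 if $invalid_referer would be set
# and the request rewritten to error.png.
referer_allowed() {
    _ref="$1"
    # A missing Referer is accepted only when "none" is listed; the rule omits it.
    [ -n "$_ref" ] || return 1
    # A value without an http(s):// scheme is accepted only with "blocked".
    case "$_ref" in
        http://*)  _host="${_ref#http://}" ;;
        https://*) _host="${_ref#https://}" ;;
        *)         return 1 ;;
    esac
    _host="${_host%%/*}"                                 # drop the path
    _host="${_host%%:*}"                                 # drop the port
    _host=$(printf '%s' "$_host" | tr '[:upper:]' '[:lower:]')
    case "$_host" in
        benet.com|*.benet.com) return 0 ;;               # exact name or any subdomain
        *)                     return 1 ;;
    esac
}

# Constructed sample Referer values; the empty string stands for "no header".
for r in \
    "http://www.benet.com/index.html" \
    "https://benet.com/" \
    "http://WWW.BENET.COM:8080/a" \
    "http://www.accp.com/index.html" \
    "http://benet.com.accp.com/" \
    "http://www.notbenet.com/" \
    "www.benet.com/index.html" \
    ""
do
    if referer_allowed "$r"; then verdict="served"; else verdict="error.png"; fi
    printf '%-34s -> %s\n' "${r:-<no Referer>}" "$verdict"
done
```

With this rule a request that carries no Referer, such as opening logo.jpg directly, is also redirected to error.png; the valid_referers directive accepts the none and blocked parameters if such requests should be served.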
From: https://blog.csdn.net/anbesrt/article/details/139776609