Nginx企业级优化
一、配置Nginx隐藏版本号(两种方法)(避免版本信息泄露，减少被针对已知漏洞攻击的风险)
1、 修改配置文件
[root@localhost ~]# curl -I 192.168.200.116 //修改之前
HTTP/1.1 200 OK
Server: nginx/1.16.0
开始修改:
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
28 server_tokens off;
[root@localhost ~]# killall -1 nginx
[root@localhost ~]# curl -I 192.168.200.116 //修改之后
HTTP/1.1 200 OK
Server: nginx
2、 修改源码包
[root@localhost ~]# curl -I 192.168.200.116 //修改之前
HTTP/1.1 200 OK
Server: nginx/1.16.0
[root@localhost ~]# killall -3 nginx
[root@localhost ~]# tar xf nginx-1.16.0.tar.gz
[root@localhost ~]# vim nginx-1.16.0/src/core/nginx.h
13 #define NGINX_VERSION "x.x.x"
14 #define NGINX_VER "XX/" NGINX_VERSION
[root@localhost ~]# cd nginx-1.16.0/
[root@localhost nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx && make && make install
[root@localhost nginx-1.16.0]# nginx
[root@localhost ~]# curl -I 192.168.200.116 //修改之后
HTTP/1.1 200 OK
Server: XX/x.x.x
二、修改Nginx用户与组
[root@localhost ~]# ps aux | grep nginx
root 13883 0.0 0.1 20552 612 ? Ss 10:19 0:00 nginx: master process nginx
nginx 13884 0.0 0.3 21004 1576 ? S 10:19 0:00 nginx: worker process
root 13892 0.0 0.2 112724 984 pts/0 R+ 10:32 0:00 grep --color=auto nginx
编译安装时指定 --user=nginx --group=nginx
[root@localhost ~]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx && make && make install
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
2 user nginx nginx;
3 worker_processes 2;
12 events {
13 use epoll;
14 worker_connections 1024;
15 }
[root@localhost ~]# ps aux | grep nginx
root 13883 0.0 0.2 20596 1400 ? Ss 10:19 0:00 nginx: master process nginx
nginx 26520 0.0 0.2 21024 1376 ? S 10:50 0:00 nginx: worker process
nginx 26521 0.0 0.2 21024 1376 ? S 10:50 0:00 nginx: worker process
root 26525 0.0 0.2 112724 984 pts/0 R+ 10:50 0:00 grep --color=auto nginx
三、配置Nginx网页缓存时间
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
48 location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
49 expires 1d;
50 }
[root@localhost ~]# killall -1 nginx
五、实现Nginx的日志切割
[root@localhost ~]# vim /opt/fenge.sh
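#!/bin/bash
# Rotate the Nginx access log once a day and prune archives older than 30 days.
# Meant to be run from cron (see the crontab entry below the script); it needs
# write access to /var/log/nginx and the right to signal the Nginx master.
set -u

# The archive is stamped with yesterday's date: the file being rotated holds
# yesterday's traffic.
d=$(date -d "-1 day" "+%Y%m%d")
logs_path="/var/log/nginx"
pid_path="/usr/local/nginx/logs/nginx.pid"

[ -d "$logs_path" ] || mkdir -p "$logs_path"

# The original test was written `[ -f $pid_path]` (no space before `]`), which
# is a syntax error, so the rotation branch never ran.
if [ -f "$pid_path" ]; then
  mv /usr/local/nginx/logs/access.log "$logs_path/test.com-access.log-$d"
  # USR1 makes the master reopen its log files, so a fresh access.log is created.
  kill -USR1 "$(cat "$pid_path")"
  # Delete only regular files older than 30 days. The original
  # `find $logs_path -mtime +30 | xargs rm -rf` also matched directories and
  # broke on paths containing whitespace.
  find "$logs_path" -type f -mtime +30 -exec rm -f -- {} +
else
  echo "Error, Nginx is not working!" | tee -a /var/log/messages
fi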
[root@localhost ~]# chmod +x /opt/fenge.sh
[root@localhost ~]# crontab -e
0 0 * * * bash /opt/fenge.sh
六、配置Nginx实现连接超时
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
keepalive_timeout 65;
client_header_timeout 60;
client_body_timeout 60;
[root@localhost ~]# killall -1 nginx
七、更改Nginx运行进程数
[root@localhost ~]# grep -c "physical" /proc/cpuinfo
2
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
worker_processes 4; //是cpu核数的两倍
worker_cpu_affinity 0001 0010 0100 1000;
[root@localhost ~]# killall -1 nginx
八、配置Nginx实现网页压缩功能
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain text/javascript application/x-javascript text/css text/xml application/xml application/xml+rss;
[root@localhost ~]# killall -1 nginx
九、配置Nginx实现防盗链功能
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
location ~* \.(jpg|gif|png|swf)$ {
valid_referers none blocked *.amber.com amber.com;
if ($invalid_referer) {
rewrite ^/ http://www.amber.com/error.jpg;
}
}
[root@localhost ~]# killall -1 nginx
十、对FPM模块进行参数优化
[root@localhost ~]# vim /usr/local/php/etc/php-fpm.conf
pm=dynamic
pm.start_servers=5
pm.min_spare_servers=2
pm.max_spare_servers=8
十一、Nginx为目录添加访问控制
[root@localhost ~]# yum -y install httpd-tools
[root@localhost ~]# htpasswd -c /usr/local/nginx/.htpasswd amber
New password:
Re-type new password:
Adding password for user amber
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
location ~ /status {
stub_status on;
access_log off;
auth_basic "Nginx Status";
auth_basic_user_file /usr/local/nginx/.htpasswd;
}
[root@localhost ~]# killall -1 nginx
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
location /amber {
stub_status on; ##确认在编译安装时加上stub_status模块
access_log off;
auth_basic "Nginx Amber";
auth_basic_user_file /usr/local/nginx/.htpasswd;
allow 192.168.200.0/24; //允许200网段地址(不写掩码时只匹配 192.168.200.0 这一个地址)
deny 192.168.100.0/24; //不允许100网段地址
}
[root@localhost ~]# killall -1 nginx
十二、nginx平滑升级
[root@www ~]# tar xf nginx-1.16.0.tar.gz -C /usr/src/
[root@www nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module && make
[root@www nginx-1.16.0]# mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old
[root@www ~]# cp /usr/src/nginx-1.16.0/objs/nginx /usr/local/nginx/sbin/
[root@www ~]# kill -USR2 34346(旧 master 进程的真实进程号；killall 接受的是进程名而不是 PID)
[root@www ~]# kill -QUIT $(cat /usr/local/nginx/logs/nginx.pid.oldbin) //新 master 启动后再平滑退出旧 master
[root@www ~]# nginx -V
nginx version: nginx/1.16.0
十三、自定义错误页面
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
error_page 404 /404.html; //不要忘记在/usr/local/nginx/html中放error图片
location = /404.html {
root html;
}
[root@localhost ~]# killall -1 nginx
十四、自动索引
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
location /mirrors { //后面文件名自定义
autoindex on;
}
[root@localhost ~]# killall -1 nginx
最终优化文件:(仅供参考)
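# Consolidated nginx.conf for the sections above. Directive names were repaired
# from extraction garbling (stray spaces inside names, "Pid"/"Sendfile"
# capitalised, "1lk", "gpeg") and the two missing closing braces restored.
user nginx nginx;
worker_processes 2;
error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid logs/nginx.pid;
events {
    use epoll;
    worker_connections 10240;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    client_header_timeout 60;
    client_body_timeout 60;
    # Hide the version in the Server header and on error pages (section 一).
    server_tokens off;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain text/javascript application/x-javascript text/css text/xml application/xml application/xml+rss;
    gzip_vary on;
    server {
        listen 80;
        server_name www.amber.com;
        charset utf-8;
        # Log file name reconstructed from the garbled original ("ambercomacssog").
        access_log logs/amber.com.access.log main;
        location / {
            root /web/amber.com;
            index index.html index.htm;
        }
        # The dot must be escaped: an unescaped "." matches any character.
        location ~ \.(gif|jpg|jpeg|png|bmp|ico)$ {
            root /web/amber.com;
            expires 1d;
            valid_referers none blocked *.amber.com amber.com;
            if ($invalid_referer) {
                # NOTE: the redirect target is itself a .jpg under this location, so
                # the follow-up request (same foreign Referer) is redirected again.
                # Prefer "return 403;" or exempt /error.jpg with a separate location.
                rewrite ^/ http://www.amber.com/error.jpg;
                #return 403;
            }
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}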