
What are the techniques to improve the hardening of an Nginx server

2025-01-19 Update. From: SLTechnology News&Howtos (shulou) > Servers


Shulou (Shulou.com) 05/31 Report

This article explains the techniques that improve the hardening of an Nginx server. The explanation is simple and clear and easy to follow; work through it with the editor to learn how to harden Nginx.

TIP #1: keep Nginx up-to-date

At present the stable version of Nginx is 1.14.0, and it is best to upgrade to the latest version. If you look at the official release notes you will find that they fix a lot of bugs, and no production environment wants to run with that bug risk.

In addition, although installing from a package is easier than compiling from source, the latter option has two advantages:

1) it allows you to add extra modules to Nginx (such as headers-more or mod_security);

2) it always provides a newer version than the package, and the release notes are available on the Nginx website.

TIP #2: remove unused Nginx modules

When compiling and installing, you can explicitly drop unused modules by running ./configure with the following options:

./configure --without-module1 --without-module2 --without-module3

For example:

./configure --without-http_dav_module --without-http_spdy_module

Note: configuration directives are provided by modules. Make sure that a module you disable does not provide a directive you need! Before deciding to disable a module, check the list of directives available for each module in the Nginx documentation.

TIP #3: disable the server_tokens entry in the Nginx configuration

When enabled, server_tokens makes Nginx display its version number on error pages such as 404 (and in the Server response header). This is obviously not safe, because attackers use this information to try known vulnerabilities in the corresponding Nginx version.

You only need to set server_tokens off in the http (or server) block of nginx.conf, for example:

server {
    listen 192.168.0.25:80;
    server_tokens off;
    server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
    access_log /var/www/logs/tecmintlovesnginx.access.log;
    error_log /var/www/logs/tecmintlovesnginx.error.log error;
    root /var/www/tecmintlovesnginx.com/public_html;
    index index.html index.htm;
}

The change takes effect once Nginx is restarted (or reloaded).

TIP #4: block unwanted HTTP User Agents

The User-Agent header identifies the client (browser) in the HTTP protocol. Blocking unwanted User-Agents can stop some requests from crawlers and scanners and keep them from consuming Nginx server resources.

For easier maintenance, it is best to create a file containing the unwanted User-Agent list, such as /etc/nginx/blockuseragents.rules, with the following content:

map $http_user_agent $blockedagent {
    default 0;
    ~*malicious 1;
    ~*bot 1;
    ~*backdoor 1;
    ~*crawler 1;
    ~*bandit 1;
}

Then include it from the configuration file at the http level (the map directive is only valid in the http context, not inside a server block):

include /etc/nginx/blockuseragents.rules;

Then add an if statement to the server block that returns an error page whenever $blockedagent is set for the request.
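The complete form of this tip, as an added example that is not the article's own configuration: the rules file with the map from above, plus the nginx.conf fragment that includes it at the http level and rejects matched agents with 403. The if statement is mine (the article's version is not on this page), the empty-User-Agent entry is an addition, and the listen address and server_name are taken over from TIP #3.

```nginx
# --- /etc/nginx/blockuseragents.rules (added example; included at the http level) ---
map $http_user_agent $blockedagent {
    default      0;   # anything not matched below is allowed
    ""           1;   # assumption: an empty User-Agent is treated as unwanted
    ~*malicious  1;   # "~*" = case-insensitive regular-expression match
    ~*bot        1;   # note: this also matches legitimate crawlers such as "Googlebot"
    ~*backdoor   1;
    ~*crawler    1;
    ~*bandit     1;
}

# --- /etc/nginx/nginx.conf (added example) ---
http {
    # the map must live at the http level, so the include goes here, not in a server block
    include /etc/nginx/blockuseragents.rules;

    server {
        listen 192.168.0.25:80;
        server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
        root /var/www/tecmintlovesnginx.com/public_html;

        # $blockedagent is "1" for matched agents and "0" otherwise;
        # "if" with a single "return" in server context is safe to use
        if ($blockedagent) {
            return 403;
        }
    }
}
```

Check the result with `nginx -t` and then reload. Keep in mind that the User-Agent header is chosen by the client, so this filter only removes noise from careless scanners and crawlers; it is not a security boundary, and broad patterns like `~*bot` will also turn away search engines you may want to allow.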

TIP #5: disable unwanted HTTP methods

For example, some web sites and applications only need to support the GET, POST and HEAD methods.

Add the following to the server block of the configuration file to reject every other method (status 444 is Nginx-specific: it closes the connection without sending a response) and prevent some spoofing attacks:

if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 444;
}

TIP #6: set buffer size limits

These settings help prevent buffer overflow attacks (they also go in the server block):

client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

With these limits in place, requests whose headers or body exceed the configured sizes are rejected rather than buffered, so no matter how many HTTP requests arrive the server's buffers cannot be overflowed.

TIP #7: limit the maximum number of connections

In the http block (outside any server block), limit_conn_zone defines a shared-memory zone keyed by client IP address that tracks the connections from each IP.

Then limit_conn, which may be placed in the http, server or location block, sets the maximum number of connections allowed per IP.

For example:

limit_conn_zone $binary_remote_addr zone=addr:5m;
limit_conn addr 1;

TIP #8: set up log monitoring

The access_log and error_log directives shown in TIP #3 set up Nginx logging.

You may want to pull out the connections that were refused because of the limit set in TIP #7:

grep addr /var/www/logs/tecmintlovesnginx.error.log --color=auto

At the same time, you can also filter the logs on the following fields:

Client IP

Browser type (User-Agent)

HTTP request method

Request content

Server response (status code)
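An added example, not the article's own configuration, that pulls TIP #6, TIP #7 and TIP #8 together into one http block. It goes beyond the article in three places: limit_conn_status and limit_conn_log_level control how a refused connection is answered and logged, limit_req_zone/limit_req additionally cap the request rate per IP, and a custom log_format records exactly the fields listed above. The limit values (10 connections, 10 r/s with bursts of 20), the zone and format names and the paths are assumptions.

```nginx
# Added example (not from the original article)
http {
    # --- TIP #6: bound the memory a single request may occupy ---
    client_body_buffer_size     1k;
    client_header_buffer_size   1k;
    client_max_body_size        1k;   # assumption: no uploads; raise this for POST forms or APIs
    large_client_header_buffers 2 1k;

    # --- TIP #7: shared zone keyed by client IP, 5 MB of shared memory ---
    limit_conn_zone $binary_remote_addr zone=addr:5m;
    limit_conn_status 429;       # beyond the article: answer 429 instead of the default 503
    limit_conn_log_level warn;   # refused connections are written to error_log at "warn"

    # beyond the article: also cap the request rate per IP (10 requests/second)
    limit_req_zone $binary_remote_addr zone=req:10m rate=10r/s;

    # --- TIP #8: one line per request with the fields the article suggests filtering on:
    #     client IP, User-Agent, method, request line, status code, bytes sent
    log_format hardened '$remote_addr "$http_user_agent" $request_method '
                        '"$request" $status $body_bytes_sent';

    server {
        listen 192.168.0.25:80;
        server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
        root /var/www/tecmintlovesnginx.com/public_html;

        access_log /var/www/logs/tecmintlovesnginx.access.log hardened;
        error_log  /var/www/logs/tecmintlovesnginx.error.log warn;

        limit_conn addr 10;                    # assumption: 10 concurrent connections per IP
        limit_req  zone=req burst=20 nodelay;  # allow short bursts of 20, then reject with 503
    }
}
```

A connection refused by limit_conn is logged in the error log as `limiting connections by zone "addr"`, which is what the `grep addr` command above finds; limit_req logs its rejections the same way with `by zone "req"`. Using a single connection per IP, as in the article's example, will break ordinary browsers (which open several connections at once) and everyone behind the same NAT address, so choose the value with your real clients in mind.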

TIP #9: prevent pictures from being hotlinked from your server

Other sites embedding your images (hotlinking) obviously increases the bandwidth load on your server.

Suppose you have an img directory that stores pictures and your own IP is 192.168.0.25. Add the following configuration to prevent hotlinking:

location /img/ {
    valid_referers none blocked 192.168.0.25;
    if ($invalid_referer) {
        return 403;
    }
}

TIP #10: disable SSL and enable only TLS

Avoid SSL whenever possible and use TLS instead. The following setting can be placed in the server block:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

TIP #11: use certificate encryption (HTTPS)

First generate the private key and a self-signed certificate with the following commands:

# openssl genrsa -aes256 -out tecmintlovesnginx.key 1024
# openssl req -new -key tecmintlovesnginx.key -out tecmintlovesnginx.csr
# cp tecmintlovesnginx.key tecmintlovesnginx.key.org
# openssl rsa -in tecmintlovesnginx.key.org -out tecmintlovesnginx.key
# openssl x509 -req -days 1024 -in tecmintlovesnginx.csr -signkey tecmintlovesnginx.key -out tecmintlovesnginx.crt

Then configure the server block:

server {
    listen 192.168.0.25:443 ssl;
    server_tokens off;
    server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
    root /var/www/tecmintlovesnginx.com/public_html;
    ssl_certificate /etc/nginx/sites-enabled/certs/tecmintlovesnginx.crt;
    ssl_certificate_key /etc/nginx/sites-enabled/certs/tecmintlovesnginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
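An added example, not from the original article, that puts the certificate from this tip into a complete HTTPS server block and pairs it with the port-80 redirect that TIP #12 describes. Beyond the article it restricts ssl_protocols to TLS 1.2 and 1.3, sets an explicit cipher list and adds an HSTS header; the cipher list, session-cache size and HSTS max-age are my choices, while the certificate paths, address and names are taken from the block above.

```nginx
# Added example (not from the original article)

# Plain-HTTP listener whose only job is to send clients to HTTPS (the TIP #12 redirect)
server {
    listen 192.168.0.25:80;
    server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
    return 301 https://$server_name$request_uri;
}

# HTTPS listener
server {
    listen 192.168.0.25:443 ssl;
    server_tokens off;
    server_name tecmintlovesnginx.com www.tecmintlovesnginx.com;
    root /var/www/tecmintlovesnginx.com/public_html;

    ssl_certificate     /etc/nginx/sites-enabled/certs/tecmintlovesnginx.crt;
    ssl_certificate_key /etc/nginx/sites-enabled/certs/tecmintlovesnginx.key;

    # The article lists TLSv1 TLSv1.1 TLSv1.2; TLS 1.0 and 1.1 are deprecated (RFC 8996),
    # so offer only 1.2 and 1.3 (TLS 1.3 needs Nginx 1.13.0+ built against OpenSSL 1.1.1+)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # forward-secret AEAD suites only (my choice; adjust to your client population)
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_session_cache shared:SSL:10m;

    # HSTS: browsers that have seen this header use HTTPS for the next year;
    # "always" also attaches it to error responses
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Two caveats worth knowing: $server_name expands to the first name in the server_name directive, so a request for www.tecmintlovesnginx.com is redirected to the apex name (use $host instead to keep whatever name the client asked for), and the openssl command above produces a 1024-bit RSA key, which is below the 2048-bit minimum in current practice; a self-signed certificate will also be rejected by browsers, so a production site needs a CA-issued one.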

TIP #12: redirect HTTP requests to HTTPS

Building on TIP #11, add the following to the server block that listens on port 80 (not to the HTTPS block, where it would redirect in a loop):

return 301 https://$server_name$request_uri;

Thank you for reading. The above is the content of "what are the techniques to improve the hardening of the Nginx server". After studying this article, I believe you have a deeper understanding of how to harden an Nginx server; the specific usage still needs to be verified in practice. The editor will keep pushing more articles on related knowledge points for you. Welcome to follow!
