2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
The following are common nginx problems we have collected. For each one we list one or two solutions, all of which you can test yourself.
Common problems
Problem 1: priority access of multiple virtual hosts with the same server_name
server {
    listen 80;
    server_name server1;
    location / { ... }
}
server {
    listen 80;
    server_name server2;
    location / { ... }
}
Solution:
Configure two conf files: server1.conf and server2.conf
nginx reads them in the order the files are sorted on the Linux system, and the configuration that is read first takes priority
Problem 2: location matching priority
location = /code1/ {
    rewrite ^(.*)$ /code1/index.html break;
}
location ~ /code.* {
    rewrite ^(.*)$ /code3/index.html break;
}
location ^~ /code {
    rewrite ^(.*)$ /code2/index.html break;
}
Background:
=: exact match on ordinary characters
^~: prefix match on ordinary characters
~ and ~*: regular-expression match
Solution:
nginx selects the best match according to the match type
Priority: exact match > regular match > prefix match
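The selection order for the three locations above can be checked with a small model. This is an added example, not code from the original article: a simplified Python model of nginx's documented location selection, in which a longest-prefix match marked ^~ stops the regex search, while a plain prefix (the hypothetical PLAIN_PREFIX variant) loses to a matching regex. URI normalization and nested locations are not modelled.

```python
import re

# Locations from Problem 2 as (modifier, pattern, rewrite target).
LOCATIONS = [
    ("=", "/code1/", "/code1/index.html"),
    ("~", "/code.*", "/code3/index.html"),
    ("^~", "/code", "/code2/index.html"),
]
# Hypothetical variant: the same prefix without the "^~" modifier.
PLAIN_PREFIX = LOCATIONS[:2] + [("", "/code", "/code2/index.html")]


def select_location(uri, locations=LOCATIONS):
    """Return the location tuple chosen for uri, or None if nothing matches."""
    # Step 1: an exact "=" match ends the search immediately.
    for loc in locations:
        if loc[0] == "=" and uri == loc[1]:
            return loc
    # Step 2: find the longest matching prefix location (plain or "^~").
    prefixes = [l for l in locations
                if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    # Step 3: a "^~" on that longest prefix suppresses regex checking.
    if best is not None and best[0] == "^~":
        return best
    # Step 4: regex locations are tried in configuration order; first hit wins.
    for loc in locations:
        if loc[0] in ("~", "~*"):
            flags = re.IGNORECASE if loc[0] == "~*" else 0
            if re.search(loc[1], uri, flags):
                return loc
    # Step 5: otherwise fall back to the longest plain prefix, if any.
    return best


def rewrite_target(uri, locations=LOCATIONS):
    """Return the rewrite target of the selected location, or None."""
    loc = select_location(uri, locations)
    return loc[2] if loc else None
```

When a location is meant to enforce a restriction, checking it against this order shows whether a regex location elsewhere in the server block could take the request instead.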
Problem 3: use of try_files
location / {
    try_files $uri $uri/ /index.html;
}
Solution:
try_files checks whether each file exists, in the order listed
Problem 4: the difference between alias and root in nginx
# root form
location /request_path/img/ {
    root /local_path/img/;
}
# alias form
location /request_path/img/ {
    alias /local_path/img/;
}
Solution:
With root, the path of the final request is /local_path/img/request_path/img/
With alias, the path of the final request is /local_path/img/
Problem 5: passing the user's real IP through multiple proxy tiers
Solution:
Set x_real_ip=$remote_addr; $x_real_ip = real IP
Performance optimization problems
Optimization considerations:
Bottlenecks in the current system structure, found through observed metrics and stress testing
Understanding the business model, such as the type of business each interface serves and the system's layered structure
Performance and security
Interface stress testing tool: ab
Installation: yum install httpd-tools
Use: ab -n 2000 -c 20 http://127.0.0.1/
Points where nginx can be optimized at the system level:
Network, system, service, program, database
Control the number of file handles (a file handle is an index)
CPU affinity, so that processes do not migrate frequently between processors, which reduces performance loss
vim /etc/nginx/nginx.conf

user nginx;
worker_processes 16;
worker_cpu_affinity auto;
worker_rlimit_nofile 15535;

events {
    use epoll;
    worker_connections 10240;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Charset
    charset utf-8;

    log_format main '';
    access_log /var/log/nginx/access.log main;

    # Core module
    sendfile on;
    keepalive_timeout 65;

    # Gzip module
    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_http_version 1.1;

    # Virtual server
    include /etc/nginx/conf.d/*.conf;
}
Nginx security problems and preventive strategies
Malicious behavior
Problems: crawlers and malicious scraping, resource theft
Solution:
Basic hotlink protection: do not let malicious users easily scrape the site's externally served data
secure_link_module: adds encrypted verification and expiry to protect data; use it for important data
access_module: provides IP-based control for backend and some user service data, such as allowing only specified IPs
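The verification and expiry that secure_link_module provides can be seen by producing a link on the application side. This is an added example, not code from the original article: it assumes the secure_link and secure_link_md5 directives shown in the comment, and the secret, file path and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

# Assumed nginx configuration for the protected location:
#   secure_link     $arg_md5,$arg_expires;
#   secure_link_md5 "$secure_link_expires$uri example-secret";
#   if ($secure_link = "")  { return 403; }   # hash missing or wrong
#   if ($secure_link = "0") { return 410; }   # link expired
SECRET = "example-secret"  # constructed value; keep the real one out of code


def sign(uri, expires, secret=SECRET):
    """Token format of the module: MD5 digest, base64url, '=' padding removed."""
    raw = f"{expires}{uri} {secret}".encode()
    digest = hashlib.md5(raw).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(uri, ttl, now=None, secret=SECRET):
    """Build a link that stays valid for ttl seconds."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{uri}?md5={sign(uri, expires, secret)}&expires={expires}"


def check(uri, md5, expires, now, secret=SECRET):
    """Model of $secure_link: "" = bad hash, "0" = expired, "1" = valid."""
    expected = sign(uri, expires, secret).encode()
    if not hmac.compare_digest(expected, str(md5).encode()):
        return ""
    return "1" if now <= int(expires) else "0"
```

Because the expiry time and the URI are both inside the hashed string, changing either one in the query string invalidates the token.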
Application layer attacks
Problem 1: brute-forcing the backend password: the attacker repeatedly tries to log in to the backend system with a password dictionary to obtain the backend password.
Solution:
Use complex backend passwords that mix uppercase and lowercase letters, digits and other characters
Early warning mechanism for frequent access from the same IP
access_module: provides IP-based control for backend and some user service data
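One way to implement the early warning on frequent access from the same IP is to scan the access log for repeated failed logins. This is an added example, not code from the original article: the log lines are constructed, and the login path /admin/login, the 401/403 failure statuses and the threshold of 5 failures in 60 seconds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the start of nginx's default log layout.
SAMPLE_LOG = [
    f'203.0.113.7 - - [19/Jan/2025:10:00:{s:02d} +0000] '
    f'"POST /admin/login HTTP/1.1" 401 120'
    for s in range(1, 7)
] + [
    '198.51.100.9 - - [19/Jan/2025:10:00:03 +0000] "POST /admin/login HTTP/1.1" 401 120',
    '198.51.100.9 - - [19/Jan/2025:10:05:00 +0000] "POST /admin/login HTTP/1.1" 302 0',
    '192.0.2.44 - - [19/Jan/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512',
]

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_bruteforce(lines, path="/admin/login", limit=5,
                    window=timedelta(seconds=60)):
    """Return the IPs with at least `limit` failed logins inside `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not in the expected layout
        ip, ts, method, uri, status = m.groups()
        # Only failed POSTs to the login path count (assumed failure statuses).
        if method != "POST" or uri.split("?")[0] != path:
            continue
        if status not in ("401", "403"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(ip)
    return sorted(flagged)
```

The flagged addresses can then be reviewed and, where appropriate, added to the deny rules of access_module.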
Problem 2: file upload vulnerability: through an interface that accepts uploads, malicious code is planted on the server and then executed by requesting its URL.
Solution:
Apply handling for Trojans and file suffixes
location ^~ /upload {
    root /usr/share/html;
    if ($request_filename ~* (.*)\.php) {
        return 403; # access denied
    }
}
Problem 3: SQL injection: the attacker uses unfiltered or unaudited user input to make the application run SQL code that should not have been run.
Solution:
Detect common injection strings such as ' or 1=1 #
Build a secure WAF and write regular expressions for the filtering rules
Nginx anti-attack strategy
Use nginx + Lua to build a secure WAF firewall
Firewall features:
Intercept Cookie-based attacks
Intercept abnormal POST requests
Block CC attacks (high-frequency access)
Intercept URLs, that is, interfaces that you do not want to expose
Intercept arg parameters