
How to realize access Control and Parameter tuning in Nginx

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

The editor shares with you how to achieve Nginx access control and parameter tuning. I believe most people do not know much about it, so this article is shared for your reference; I hope you learn a lot after reading it. Let's get started!

Nginx global variables

There are many built-in global variables in Nginx, which are referenced by name as $variable. Here are some common ones:

Variable: Description
$args: the parameters of the request. For example, the $args of www.123.com/1.php?a=1&b=2 is a=1&b=2
$content_length: the "Content-Length" header of the HTTP request
$content_type: the "Content-Type" header of the HTTP request
$document_root: the value of the root directive in the nginx virtual host configuration file
$document_uri: the URI of the current request without the query parameters. For example, the $document_uri of www.123.com/1.php?a=1&b=2 is 1.php; the parameters that follow are not included
$host: the Host header, that is, the domain name
$http_user_agent: client details, that is, the browser identity; it can be set with curl -A
$http_cookie: the client's cookie information
$limit_rate: if the nginx server limits the network rate with limit_rate, this shows that rate; if it is not set, it shows 0
$remote_addr: the client's public IP address
$remote_port: the client's port
$remote_user: if nginx has authentication configured, this variable holds the user name the client authenticated with
$request_body_file: when reverse proxying, the name of the local file (the request body) sent to the backend server
$request_method: the method used to request the resource, such as GET/PUT/DELETE
$request_filename: the path of the resource file currently requested, equivalent to $document_root/$document_uri
$request_uri: the request link, including $document_uri and $args
$scheme: the protocol of the request, such as ftp, http, https
$server_protocol: the protocol version the client used to request the resource, such as HTTP/1.0, HTTP/1.1, HTTP/2.0
$server_addr: the server IP address
$server_name: the server hostname
$server_port: the server port number
$uri: the same as $document_uri
$http_referer: the client request's referer, generally the link from which the request was redirected; it can be set with curl -e

Nginx location

What location does

The location directive executes different handling according to the URI requested by the user. That is, it matches against the URL address the user requested, and if the match succeeds the corresponding action is carried out.

Syntax

Syntax of location: location [ = | ~ | ~* | ^~ ] /uri/ { ... }

The variable that location matches against is $uri

Description of the modifiers

Character: Description
=: exact match
~: case-sensitive regular-expression match
~*: case-insensitive regular-expression match
^~: the uri starts with the specified character or string
/: universal match; any request matches it

Rule priority

= is higher than ^~, which is higher than ~ and ~* (these two are equal), which are higher than /

Example 1

location = "/12.jpg" { ... }
  e.g. www.syushin.com/12.jpg matches; www.syushin.com/abc/12.jpg does not match

location ^~ "/abc/" { ... }
  e.g. www.syushin.com/abc/123.html matches; www.syushin.com/a/abc/123.jpg does not match

location ~ "png" { ... }
  e.g. www.syushin.com/aaa/bbb/ccc/123.png matches; www.syushin.com/aaa/png/123.html matches

location ~* "png" { ... }
  e.g. www.syushin.com/aaa/bbb/ccc/123.PNG matches; www.syushin.com/aaa/png/123.html matches

location /admin/ { ... }
  e.g. www.syushin.com/admin/aaa/1.php matches; www.syushin.com/123/admin/1.php does not match

Note:

Some materials claim that location supports a negated match, !~, such as: location !~ 'png' { ... }

This is wrong; location does not support !~.

If you need this, it can be achieved with if (note that location has lower priority than if), for example: if ($uri !~ 'png') { ... }
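As an added example (not from the original article), here is a small Python model of the location selection rules above, run over the article's own sample URIs. The trailing location / catch-all is constructed so that every request resolves to a block; nested and named locations are not modelled.

```python
import re
from typing import List, Optional, Tuple

# A location block is (modifier, pattern); modifier "" is a plain prefix.
Location = Tuple[str, str]

# Constructed config: the five blocks from the article's examples plus a
# catch-all "location /" so that every request selects something.
LOCATIONS: List[Location] = [
    ("=", "/12.jpg"),
    ("^~", "/abc/"),
    ("~", "png"),
    ("~*", "png"),
    ("", "/admin/"),
    ("", "/"),
]


def select_location(locations: List[Location], uri: str) -> Optional[Location]:
    """Return the block nginx would choose for $uri (simplified model).

    1. An exact "=" match wins immediately.
    2. Otherwise remember the longest matching prefix ("" or "^~").
       If that longest prefix is "^~", regular expressions are skipped.
    3. Otherwise the first matching regex in config order wins
       ("~" case-sensitive, "~*" case-insensitive).
    4. Fall back to the longest prefix, if any.
    """
    best_prefix: Optional[Location] = None
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)
        if mod in ("", "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = (mod, pat)
    if best_prefix is not None and best_prefix[0] == "^~":
        return best_prefix
    for mod, pat in locations:
        if mod == "~" and re.search(pat, uri):
            return (mod, pat)
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return (mod, pat)
    return best_prefix


if __name__ == "__main__":
    for uri in ("/12.jpg", "/abc/123.png", "/aaa/bbb/ccc/123.PNG",
                "/admin/aaa/1.php", "/123/admin/1.php"):
        print(uri, "->", select_location(LOCATIONS, uri))
```

Note that /abc/123.png is handled by the ^~ "/abc/" block even though the ~ "png" regex would also match it; that is the priority rule in action.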

Access control

In the web 2.0 era, many websites are user-centric and allow users to publish content to the server. Because the upload function is open to users, it carries great security risks, such as attackers uploading Trojans. Therefore, it is necessary to configure access control.

Deny and allow

They mean literally what they say: refuse and permit.

The deny and allow directives in Nginx are provided by the ngx_http_access_module module, which is built in by default when Nginx is installed.

Syntax

Syntax: allow/deny address | CIDR | unix: | all

They allow or deny access from an IP address or an IP range. If unix: is specified, access over UNIX-domain sockets is allowed (or denied).

Note: the unix: form was added in version 1.5.1.

In nginx, allow and deny rules are evaluated in order.

Example 1:

location / { allow 192.168.0.0/24; allow 127.0.0.1; deny all; }

Note: this configuration allows requests from the 192.168.0.0/24 network segment and from 127.0.0.1, and rejects all other sources.

Example 2:

location ~ "admin" { allow 192.168.30.7; deny all; }

Note: when the accessed uri contains admin, only requests from the IP 192.168.30.7 are allowed.
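An added example, not part of the article: a Python model of how ngx_http_access_module walks allow/deny rules in order, checked against the two location bodies above plus a constructed misordered variant that shows why deny all; must come last. The unix: form is not modelled.

```python
import ipaddress
import re
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[str, Optional[Network]]  # ("allow"|"deny", network; None means "all")

# Matches "allow 10.0.0.0/8;" or "deny all;" wherever they appear in a block.
RULE_RE = re.compile(r"\b(allow|deny)\s+(\S+?)\s*;")


def parse_rules(config: str) -> List[Rule]:
    """Extract allow/deny rules from a location body, preserving their order.
    A single address becomes a /32 (or /128) network; unix: is not handled."""
    rules: List[Rule] = []
    for verdict, target in RULE_RE.findall(config):
        if target == "all":
            rules.append((verdict, None))
        else:
            rules.append((verdict, ipaddress.ip_network(target, strict=False)))
    return rules


def is_allowed(rules: List[Rule], client_ip: str) -> bool:
    """Apply the rules in order: the first rule that matches decides.
    With no matching rule at all, nginx lets the request through."""
    ip = ipaddress.ip_address(client_ip)
    for verdict, net in rules:
        if net is None or ip in net:
            return verdict == "allow"
    return True


# Constructed from the article's two examples.
SITE_ROOT = "location / { allow 192.168.0.0/24; allow 127.0.0.1; deny all; }"
ADMIN = 'location ~ "admin" { allow 192.168.30.7; deny all; }'
# Same statements as SITE_ROOT but with "deny all;" first: it shadows every allow.
MISORDERED = "location / { deny all; allow 192.168.0.0/24; allow 127.0.0.1; }"

if __name__ == "__main__":
    for ip in ("192.168.0.77", "127.0.0.1", "10.1.2.3"):
        print(ip, is_allowed(parse_rules(SITE_ROOT), ip),
              is_allowed(parse_rules(MISORDERED), ip))
```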

Access Control based on location

In daily work, access control is mostly configured inside location, so let's go straight to examples.

Example 1:

location /blog/ { deny all; }

Description: all access to the /blog/ directory is forbidden; here deny all; can also be replaced by return 403;.

Example 2

location ~ "\.bak|\.ht" { return 403; }

Description: if the accessed uri contains .bak or .ht, a 403 status code is returned directly.

Examples of test links:

www.syushin.com/abc.bak

www.syushin.com/blog/123/.htalskdjf

If the URL entered by the user is one of the above, it will return 403.

Example 3

location ~ (data|cache|tmp|image|attachment).*\.php$ { deny all; }

Description: if the requested uri contains data, cache, tmp, image or attachment and ends with .php, access is forbidden.

Examples of test links:

www.xxxxxx.com/aming/cache/1.php

www.xxxxxxx.com/image/123.phps

www.xxxxxx.com/aming/datas/1.php

Access control based on $document_uri

As mentioned earlier, the built-in variable $document_uri is the URI of the current request without the query parameters.

For example, the $document_uri of www.123.com/1.php?a=1&b=2 is 1.php; the parameters that follow are not included.

We can do access control on this variable.

Example 1

if ($document_uri ~ "/admin/") { return 403; }

Note: when the requested uri contains /admin/, 403 is returned directly.

Note: allow and deny are not supported in the if structure.

Test links:

1. www.xxxxx.com/123/admin/1.html # match

2. www.xxxxx.com/admin123/1.html # mismatch

3. www.xxxxx.com/admin.php # mismatch

Example 2

if ($document_uri = /admin.php) { return 403; }

Description: a 403 status code is returned when the requested uri is /admin.php.

Test links:

1. www.xxxxx.com/admin.php # match

2. www.xxxxx.com/123/admin.php # mismatch

Example 3

if ($document_uri ~ '/data/|/cache/.*\.php$') { return 403; }

Description: if the requested uri contains the data or cache directory and is a php file, a 403 status code is returned.

Test links:

1. Www.xxxxx.com/data/123.php # match

2. Www.xxxxx.com/cache1/123.php # mismatch

Access control based on $request_uri

$request_uri differs from $document_uri in that it also carries the request parameters, so it is mainly used to control requests by the parameters in the uri.

Example

if ($request_uri ~ "gid=\d{9,12}") { return 403; }

Note: \d{9,12} is a regular expression that matches 9 to 12 digits; for example, gid=1234567890 satisfies it.

Test links:

1. www.xxxxx.com/index.php?gid=1234567890&pid=111 # match

2. www.xxxxx.com/gid=123 # mismatch
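Added example (not the article's own code): it derives $document_uri, $args and $request_uri from a URL and evaluates the if conditions from the $document_uri and $request_uri sections above, including the !~ negation mentioned in the location section. The URLs used are the article's test links; nginx's normalisation and percent-decoding of $uri are left out.

```python
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit

Condition = Tuple[str, str, str]  # (variable, operator, operand)


def request_vars(url: str) -> Dict[str, str]:
    """Derive the request variables discussed above from a URL.
    Simplified: nginx also normalises and percent-decodes $uri."""
    parts = urlsplit(url)
    document_uri = parts.path or "/"  # nginx keeps the leading slash
    args = parts.query
    return {
        "$host": parts.hostname or "",
        "$document_uri": document_uri,
        "$uri": document_uri,
        "$args": args,
        "$request_uri": document_uri + ("?" + args if args else ""),
    }


def evaluate(cond: Condition, variables: Dict[str, str]) -> bool:
    """Evaluate one nginx 'if' condition: =, !=, ~, ~*, !~ or !~*."""
    var, op, operand = cond
    value = variables[var]
    if op == "=":
        return value == operand
    if op == "!=":
        return value != operand
    if op not in ("~", "~*", "!~", "!~*"):
        raise ValueError("unsupported operator: " + op)
    flags = re.IGNORECASE if op.endswith("*") else 0
    matched = re.search(operand, value, flags) is not None
    return not matched if op.startswith("!") else matched


# Conditions taken from the article's examples.
ADMIN_DIR: Condition = ("$document_uri", "~", "/admin/")
ADMIN_PHP: Condition = ("$document_uri", "=", "/admin.php")
DATA_CACHE: Condition = ("$document_uri", "~", r"/data/|/cache/.*\.php$")
GID_RANGE: Condition = ("$request_uri", "~", r"gid=\d{9,12}")

if __name__ == "__main__":
    v = request_vars("http://www.xxxxx.com/index.php?gid=1234567890&pid=111")
    print(v["$document_uri"], v["$request_uri"])
    # The gid rule only works on $request_uri; $document_uri never sees the query.
    print(evaluate(GID_RANGE, v), evaluate(("$document_uri", "~", r"gid=\d{9,12}"), v))
```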

Background:

A customer's website was once hit by a CC attack, in which the other side made a large number of requests like this: /read-123405150-1-1.html

In fact, such requests are not normal; the site would simply throw a page saying the post does not exist.

Therefore, you can respond to such requests directly with a 403 status code.

Access control based on $http_user_agent (anti-crawler)

User_agent can be simply understood as the browser identifier; spiders and crawlers can also be identified by their user_agent. Looking at the access log, you will find that some search-engine spiders visit the site very frequently and are not friendly. To reduce the pressure on the server, you can block all spider crawlers except the mainstream search-engine ones.

Example

if ($http_user_agent ~ 'YisouSpider|MJ12bot/v1.4.2|YoudaoBot|Tomato') { return 403; }

Description: requests whose user_agent contains any of the above keywords all receive a 403 status code.

Test:

1. curl -A "123YisouSpider1.0"

2. curl -A "MJ12bot/v1.4.1"

Access control based on $http_referer

$http_referer can be used not only for hotlink protection but also for some special requirements.

For example:

The website is hacked, and the pages indexed by the search engine are problematic: when a visitor clicks through to the site from the search engine, a gambling site is shown.

Since it takes time to find the Trojan, the problem cannot be solved immediately. So as not to affect the user experience, you can handle this kind of request specially.

For example, links visited from Baidu can directly return a 404 status code, or return a piece of HTML code.

Example

if ($http_referer ~ 'baidu.com') { return 404; }

Or

if ($http_referer ~ 'baidu.com') { return 200 "<script>window.location.href='//$host$request_uri';</script>"; }

Nginx parameter optimization

As a high-performance web server, Nginx can handle a large number of concurrent requests even without deliberately adjusting configuration parameters. Of course, tuning will make Nginx perform more robustly, and the parameters should be chosen with the server's hardware capacity as a reference.

Worker process optimization

worker_processes num

This parameter sets how many worker processes are started. It is recommended to keep it equal to the number of CPU cores on the machine, so that each core handles one process; num is a number.

worker_rlimit_nofile

This is the maximum number of file descriptors available to Nginx, and it needs to match the system's maximum number of descriptors. It is recommended to set it to 102400.

You also need to run ulimit -n 102400 on the system.

Alternatively, edit the configuration file /etc/security/limits.conf directly.

Add:

* soft nofile 655350 (remove the leading # if the line is commented out)

* hard nofile 655350 (remove the leading # if the line is commented out)

worker_connections

This parameter is used to configure the maximum number of connections per Nginx worker process.

This parameter also determines the maximum number of client connections the Nginx server can handle (worker_processes * worker_connections).

It is recommended that this parameter be set to 10240, not too large.

Optimization of http/tcp connections

use epoll

Use the epoll event-driven model, which is the best choice on Linux systems.

multi_accept on

Lets each worker process accept multiple client connections at the same time.

sendfile on

Uses the kernel's file-descriptor transfer function (sendfile), which reduces switching between user mode and kernel mode and thus improves server performance.

tcp_nopush on

When tcp_nopush is set to on, the TCP_CORK method is used for data transfer.

The effect is that when the application generates data, the kernel does not send the packet immediately but waits until a certain amount of data has accumulated, and then transmits it.

tcp_nodelay on

Do not buffer data before sending (turns off the Nagle algorithm), which improves the real-time performance of sending small packets at high frequency.

(About the Nagle algorithm)

If you need to send small amounts of data frequently, such as 1 byte, then, taking IPv4 as an example, each packet carries a 40-byte header.

In other words, of 41 bytes in total, only 1 byte is the data we need.

The Nagle algorithm appeared to solve this problem.

It says that if the packet reaches the MSS it may be sent immediately; otherwise the data is held in the buffer and not sent until the previously sent packet has been acknowledged.

This rule reduces the number of packets in the network and thus improves network performance.

Keepalive_timeout

Defines the timeout for persistent (keep-alive) connections. 30s is recommended, being neither too short nor too long. Of course, it is best to tune this parameter according to the business itself.

Keepalive_requests

Defines the maximum number of requests a client may make over one persistent connection; it can be set to a large number, such as 50000.

reset_timedout_connection on

If set to on, the server is allowed to close timed-out connections once the client no longer sends requests.

Client_body_timeout

If the client does not finish sending the request body within the specified time (in seconds), the connection is closed. The default is 60, which can be set to 10.

Send_timeout

This is the timeout for sending a response: the Nginx server sends a packet to the client, but the client never acknowledges receiving it.

If a connection exceeds the timeout defined by send_timeout, Nginx closes it. The unit is seconds, and it can be set to 3.

Compression

For plain text content, Nginx can compress responses with gzip. Compression reduces bandwidth consumption.

Provided by the ngx_http_gzip_module module.

The configuration is as follows:

gzip on;  # enable gzip
gzip_min_length 1024;  # only compress resources larger than this value (in bytes)
gzip_buffers 16 8k;  # buffers used for compression: the first number is the count, the second the size of each buffer
gzip_comp_level 6;  # compression level, range 1-9; 9 is the highest level and costs the most CPU
gzip_types text/plain application/x-javascript text/css application/xml image/jpeg image/gif image/png;  # which content types to compress
gzip_disable "MSIE 6\.";  # do not enable compression for IE6 browsers

Test:

curl -I -H "Accept-Encoding: gzip, deflate" http://www.xxxxx.com/1.css

Logging

Raise the error log level, for example to crit, and keep as few unimportant logs as possible.

For access logs, if logging is not required, you can turn them off.

Turn off access logging for static resources.

Static file expiry

For static files, set an expiration time so that these resources are cached by the client browser.

Before the cache expires, the client no longer requests the same resources from the server, saving bandwidth and resources.

Examples of configurations are as follows:

location ~* ^.+\.(gif|jpg|png|css|js)$ {
    expires 1d;  # 1d means one day; 24h can also be used to represent a day
}

These are all the contents of the article "How Nginx implements access control and parameter tuning". Thank you for reading! I believe you now have a certain understanding; I hope the shared content helps you. If you want to learn more, welcome to follow the industry information channel!
