1. Gzip Compression optimization 2. 3. Expires expires Network IO Event Model Optimization 4. Hiding the software Name and version 5. Anti-theft chain optimization 6. Prohibit malicious domain name resolution 7. Prohibit website access through IP address 8. HTTP request method optimization 9. Anti-dos attack Single-IP concurrent connection control and connection rate control 10. Strictly set the permission of web site directory 11. Run nginx processes and sites in prison mode 12. Crawler optimization with the Robot protocol and HTTP_USER_AGENT 13. Configure the error page and send feedback to the user according to the error code 14. Nginx log related optimization Access log cutting polling, do not record the log of the specified element, minimize the log directory permission 15. FastCGI parameter buffer and cache configuration file optimization 17. Php.ini and php-fpm.conf configuration file optimization 18. Deep optimization of Linux kernel for Web services (network connection, IO, memory, etc.) 19. Nginx Encryption transmission optimization (SSL) 20. Web server disk mount and network file system optimization 21. Use nginx cacheCopy the code

In general, software bugs are version-dependent, so we hide or eliminate sensitive information that web services display to visitors.

1 [root@db01 RPM]# curl -I 10.0.0.8 2 HTTP/1.1 401 Unauthorized 3 Server: Date: Thu, 21 Jul 2016 03: 23:38 GMT 5 Content-Type: nginx # Hidden Version 4 Date: Thu, 21 Jul 2016 03: 23:38 GMT 5 text/html 6 Content-Length: 188 7 Connection: keep-alive 8 WWW-Authenticate: The Basic realm = "oldboy training" process: 10 vim/application/nginx/conf/nginx. 11 under the HTTP module to join the conf: 12 server_tokens off; 13 /application/nginx/sbin/nginx -t 14 /application/nginx/sbin/nginx -s reloadCopy the code

The first method:

Change the nginx.conf.default parameter to #user nobody; Instead the user nginx. Nginx;

The second method:

To specify users and user groups when compiling nginx, run the following command:

/configure –prefix=/application/nginx-1.6.3 –user=nginx –group=nginx –with-http_ssl_module –with-http_stub_status_module

1 useradd inca 2 cd /home/inca/ 3 mkdir conf logs www 4 echo inca >www/index.html 5 chown -R inca.inca * 6 ln -s / application/nginx/conf/mime types conf/mime. # mime types. The file types media typesCopy the code

egrep -v “#|^$” /application/nginx/conf/nginx.conf.default >conf/nginx.conf

Nginx. conf configuration file

worker_processes 1; error_log /home/inca/logs/error.log; pid /home/inca/logs/ nginx.pid; events { worker_connections 1024; } http { include mime.types; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"' ; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 8080; server_name localhost; location / { root /home/inca/www; index index.html index.htm; } access_log /home/inca/logs/access.log main; }}Copy the code

Su – Inca – c “/ application/nginx/sbin/nginx – c/home/Inca/conf/nginx. Conf” # start nginx service

Emphasize:

1. All related paths in nginx.conf should be changed

2. The port of a common user is faulty

In high-concurrency, high-traffic Web service scenarios, more Nginx processes need to be started in advance to ensure fast response and handle requests from a large number of concurrent users.

worker_processes 1; Generally adjust to the same number of cores as the CPU (for example,2 quad-core cpus count as 8)

(1) View LInux. You can view the number of cpus and total cores

grep processor /proc/cpuinfo|wc -lCopy the code

(2) Check the total number of cpus

grep 'physical id' /proc/cpuinfo|sort|uniq|wc -lCopy the code

(3) Run the top command and press 1 to display the number of ALL CPU cores

Top Press 1 to display the first information CPU0:0.0% US, 0.0% SY, 0.0% Ni,100.0% ID, 0.0% WA, 0.0% HI, 0.0% Si, 0.0Copy the code

The connection processing mechanism of Nginx is that different operating systems use different I/O models. On Linux, Nginx uses epoll I/O multiplexing model, on FreeBSD uses KQueue I/O multiplexing model, and on Solaris uses /dev/pool I/O multiplexing model. Icop used in Windows and so on. To choose different transaction processing model depending on the type of system, choose to have “use [kqueue | rtsig | epool | dev/pool | select | pllo];” We used Linux with Centos6.5, so we adapted the nginx event handling model to the epool model.

events {
worker_connections  1024;
use epoll;
}Copy the code

Official note: When no event handling model is specified, nginx automatically selects the best event handling model service by default

Worker_rlimit_nofile number Changes the maximum number of files that worker processes can open

worker_rlimit_nofile 65535;Copy the code

These parameters are limited by the maximum number of open files in the system.

[root@admin nginx]# cat /proc/sys/fs/file-max
8192Copy the code

Maximum number of open files in a file system

[root@admin nginx]# ulimit -n
1024Copy the code

The program limits the number of files to 1024

Use # ulimit -n 8192 to adjust

Add fs.file-max= XXX at the end of /etc/rc.d/rc.local

Example: the sendfile on; tcp_nopush on; tcp_nodelay on; server_tokens off; server_names_hash_bucket_size 128; server_names_hash_max_size 512; keepalive_timeout 65; client_header_timeout 15s; client_body_timeout 15s; send_timeout 60s;Copy the code

fastcgi_connect_timeout 240;       
fastcgi_send_timeout 240;
fastcgi_read_timeout 240;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
#fastcgi_temp_path /data/ngx_fcgi_tmp;
fastcgi_cache_path /data/ngx_fcgi_cache levels=2:2 keys_zone=ngx_fcgi_cache:512m inactive=1d max_size=40g;Copy the code

Improve the user experience of the site: because the content delivered to the user is smaller, the user can visit the page per unit size faster, and the user experience is improved

Save web bandwidth costs: because data is compressed and transmitted, it consumes some CPU resources

Gzip on; # indicates that compression is enabled

1 k gzip_min_length; # indicates the minimum number of bytes of a page that can be compressed. The number of bytes of a page is obtained from the Content-Length of the header. The default value is 0, which indicates that the page is compressed regardless of size. You are advised to set the value to a value greater than 1K. If it’s less than 1 kelvin it’s going to get bigger and bigger

Gzip_buffers 432 k; # compress the cache size

Gzip_http_version 1.1; # compressed version

Gzip_comp_level 9; # Compression ratio

Gzip_types text/CSS text/XML application/javascript. # specify the type of compression

Gzip_vary on; # than the header

Perfect configuration:

Nginx. conf HTTP module gzip on; 1 k gzip_min_length; Gzip_buffers 4 32 k; Gzip_http_version 1.1; Gzip_comp_level 9; Gzip_types text/CSS text/XML application/javascript. gzip_vary on;Copy the code

## Add expires header according to URI(path or dir).

location ~ ^/(images|javascript|js|css|flash|media|static)/ {
    expires 360d;
}Copy the code

In practice, logs of load balancer health check nodes or specific files (such as images, JS, and CSS) do not need to be recorded. PV statistics are calculated on a page basis. In addition, frequent log writing consumes disk I/O and reduces service performance

Specific preparation methods: the location ~. * \. (js | JPG | JPG | jpeg | jpeg | | CSS BMP | | GIF GIF) ${access_log off; }Copy the code

1 location ~ ^/images/.*\.(php|php5|.sh|.pl|.py)$ 2 { 3 deny all; 5 the location ~ ^ 4} / static /. * \. (PHP | php5. | sh |. Pl. | py) $6 {7 deny all; 8} 9 location ~ * ^ / data/(attachment | avatar) /. * \. (PHP | php5) $10 {11 deny all; 12}Copy the code

Restrictions on directories mentioned above must precede nginx’s PHP service configuration

location ~ ^/(static)/ {
        deny all;
}

 

location ~ ^/static {
        deny all;
}Copy the code

Disallow directory access and return code 404

server { listen 80; server_name www.etiantian.org etiantian.org; root /data0/www/www; index index.html index.htm; access_log /app/logs/www_access.log commonlog; location /admin/ { return 404; } location /templates/ { return 403; }}Copy the code

Location ~ ^/oldboy/ {allow 202.111.12.211; deny all; }Copy the code

Example 2: Restrict and specify IP address or IP segment access.

Location / {deny 192.168.1.1; Allow 192.168.1.0/24; Allow 10.1.1.0/16; deny all; }Copy the code

server {

listen 80 default_server;

server_name _;

return 501;

}Copy the code

Method 2: Go to the home page through section 301

server {

listen 80 default_server;

server_name _;

rewrite ^(.*) http//:blog.etiantian.org/$1 permanent; 
}Copy the code

1. Implement anti-theft chain according to HTTP referer
2. Prevent theft by cookie

1 #Preventing hot linking of images and other file types 2 3 location ~* ^.+\.(jpg|png|swf|flv|rar|zip)$ { 4 5 valid_referers none blocked *.etiantian.org etiantian.org; 6 7 if ($invalid_referer) { 8 9 rewrite ^/ http://bbs.etiantian.org/img/nolink.gif; 10 11 } 12 13 root html/www; 14 15}Copy the code

Cloud server, cloud database solution and network security protection are preferred

8. Deploy the site application permission Settings

(1) WordPress site directory permission setting

Plan 1: Recommended plan

755 directory:

644 file:

Owner: root

Image and upload directory set owner to WWW

cd /application/apache/html/ chown -R root.root blog

find ./blog/ -type f|xargs chmod 644                                                    find ./blog/ -type d|xargs chmod                                                    755Copy the code

if ($http_user_agent ~* LWP:Simple|BBBike|wget)  {

return  403 ;

rewrite ^(.*) http://blog.etiantian.org/$1 permanent; 
}Copy the code

#Only allow these request methods ##

if ($request_method ~*(GET)$ ) {

   return 501;

}Copy the code

Local Cache acceleration improves the speed and stability of enterprise sites, especially those with lots of images and static pages

The mirroring service eliminates the bottleneck caused by the interconnection between different carriers, accelerates the network across carriers, and ensures good access quality for users on different networks.

Remote acceleration Remote access Users automatically select the Cache server based on the DNS load balancing technology and select the fastest Cache server to speed up remote access

Bandwidth optimization The remote Mirror cache server is automatically generated for the server. When remote users access the cache server, data is read from the cache server. This reduces the bandwidth for remote access, shares network traffic, and lightens the load on the WEB server of the original site.

Cluster anti-attack Widely distributed CDN nodes and intelligent redundancy mechanism between nodes can effectively prevent hacker intrusion and reduce the impact of various D.D.O.S attacks on websites, while ensuring better service quality.

useradd inca

cd /home/inca

mkdir conf www log

echo inca >www/index.html
Copy the code

Modifying a Configuration File

error_log /home/inca/log/error.log

pid /home/inca/log/nginx.pidCopy the code

The ngx_HTTP_limit_req_module module is used to limit the rate of requests per IP address to access each defined key.

Limit_req_zone Parameters are described as follows: Syntax: limit_req_zone key zone=name:size rate=rate; Context: HTTP is used to set shared memory areas, keys can be strings, Nginx native variables, or a combination of the first two. Name is the name of the memory area, size is the size of the memory area, and rate is the rate (unit: r/s). One request per second. Limit_req Parameters are described as follows: Syntax: limit_req zone=name [burst-number] [nobelay] context: HTTP, server, location: burst=num, a num quick token, when the token is issued, the extra requests will return 503. By default, nodelay queues up for processing within the value of the burst. If this parameter is used, num+1 requests are processed, and 503 is returned for the remaining requests.

Plus a Linux kernel and memory optimization

1. Optimization of kernel parameters

net.ipv4.tcp_max_tw_buckets = 6000

Number of timewaits, default is 180,000.

net.ipv4.ip_local_port_range = 1024 65000

Range of ports allowed to be opened by the system.

net.ipv4.tcp_tw_recycle = 1

Enable timewait quick collection.

net.ipv4.tcp_tw_reuse = 1

Enable reuse. Allows time-wait Sockets to be reused for new TCP connections.

net.ipv4.tcp_syncookies = 1

Enable SYN Cookies to handle SYN wait queue overflow.

net.core.somaxconn = 262144

The listen backlog for web applications limits the kernel parameter net.core.somaxconn to 128 by default, while the NGX_LISTEN_BACKLOG defined by Nginx defaults to 511, so it is necessary to adjust this value.

net.core.netdev_max_backlog = 262144

The maximum number of packets that are allowed to be sent to the queue if each network interface receives packets at a rate faster than the kernel can process them.

net.ipv4.tcp_max_orphans = 262144

The maximum number of TCP sockets in the system that are not associated with any user file handle. If this number is exceeded, the orphan connection is immediately reset and a warning message is printed. This limit is intended only to prevent simple DoS attacks and should not be relied upon or artificially reduced, but rather increased (if memory is added).

net.ipv4.tcp_max_syn_backlog = 262144

The maximum number of connection requests logged that have not received client confirmation. The default value is 1024 for a system with 128 MB of memory and 128 for a system with small memory.

net.ipv4.tcp_timestamps = 0

Timestamps prevent serial number winding. A 1Gbps link is bound to encounter a previously used serial number. Timestamps enable the kernel to accept such “abnormal” packets. I need to turn it off here.

net.ipv4.tcp_synack_retries = 1

To open the connection to the peer, the kernel sends a SYN with an ACK that responds to the previous SYN. The second of the three handshakes. This setting determines how many SYN+ACK packets the kernel sends before abandoning the connection.

net.ipv4.tcp_syn_retries = 1

The number of SYN packets sent before the kernel aborts the connection.

net.ipv4.tcp_fin_timeout = 1

If the socket is closed at the request of the local end, this parameter determines how long it remains in fin-WaIT-2 state. The peer end can go wrong and never close the connection, or even go down unexpectedly. By default, it is 60 seconds. 2.2 The usual kernel value is 180 seconds, 3 You can press this setting, but keep in mind that even if your machine is a lightweight WEB server, there is a risk of memory overflow due to a large number of dead sockets, and fin-WaIT-2 is less dangerous than Fin-Wait-1. Because they can only eat up to 1.5K of memory, but they live longer.

net.ipv4.tcp_keepalive_time = 30

Indicates the frequency at which TCP sends keepalive messages when Keepalive is enabled. The default value is 2 hours.

The default value for Linux is Open Files and Max User processes: 1024

#ulimit -n

1024

#ulimit Cu

1024

Symptom: The server can open only 1024 files and process 1024 user processes at the same time

You can run the ulimit -a command to view all limits of the current system. You can run the ulimit -n command to view the maximum number of open files.

The default value of a newly installed Linux server is 1024, so it is easy to encounter error: Too many Open Files on a heavily loaded server. So you need to make it bigger.

Solutions:

Using ulimit Cn 65535 can be modified immediately, but will be invalid after restart. (note ulimit-shn 65535 is equivalent to ulimit-n 65535, -s means soft, -h means hard)

There are three modification methods:

1. Add a line of ulimit-shn 65535 in /etc/rc.local. Add a line of ulimit-shn 65535 3 to /etc/profile. In the/etc/security/limits the conf last increase:

* soft nofile 65535

* hard nofile 65535

* soft nproc 65535

* hard nproc 65535

The first method has no effect on CentOS, the third method has effect, and the second method has effect on Debian

# ulimit -n

65535

# ulimit -u

65535

Note: The ulimit command itself has soft and hard Settings, add -h is hard, add -s is soft default display soft limit

Soft limit refers to the setting value that is currently in effect on the system. The hard limit value can be lowered by ordinary users. But it can’t increase. Soft limits cannot be set higher than hard limits. Only the root user can increase the hard limit.