优化链接参数
| 优化前 | 优化后 | 参数说明 |
|---|---|---|
| worker_processes 1; | worker_processes auto; | 进程数 |
| worker_connections 1024; | worker_connections 65535; | 每个进程允许的最多链接 |
安全策略优化
禁止空主机头访问
禁止IP直接访问,防止非法域名直接解析到IP上
# 禁止使用IP直接访问,返回403错误码
server {
listen 80 default;
server_name _;
return 403;
}
#server_name处定义允许访问的域名,将80端口的http请求转发到https
server {
listen 80;
server_name www.itgod.org itgod.org;
rewrite ^(.*)$ https://$host$1 permanent;
禁止目录浏览
- 在Http中配置autoindex off;关闭目录浏览
http {
include mime.types;
default_type application/octet-stream;
server_tokens off;
include vhost/*.conf;
#添加这行
autoindex off;
防盗链配置
- 只允许referer为空或者referer为信任站点时才能拉取图片
- 允许referer为空是为了允许浏览器直接访问图片路径
- 伪造referer很容易,所以此方法只能防止一般的盗链
location ~*\.(gif|jpg|png|swf|flv|bmp)$ {
valid_referers none blocked *.itgod.org itgod.org;
if ($invalid_referer) {
return 403;
}
}
隐藏Nginx版本号
屏蔽Nginx版本号,减低被版本漏洞攻击风险,在HTTP下添加一行内容
server_tokens off;
例:
http {
include mime.types;
default_type application/octet-stream;
server_tokens off;
封禁指定的url
- 恶意攻击通常会尝试通过URL执行一些命令,有必要禁用包含一些特殊字符串的链接访问,比如URL中包含.sh old bak sql等关键词,直接进行URL访问限制
location ~*\.(sh|git|bak|sql|old)$ {
return 403;
}
系统内核参数优化
vim /etc/sysctl.conf
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
一个Nginx主配置文件示例
- 以下不包含图片缓存等配置,可以根据自身业务需求再合理添加图片等缓存、日志格式化等
#
user www www;
worker_processes auto;
#Specifies the value for maximum file descriptors that can be opened by this process.
pcre_jit on;
worker_rlimit_nofile 66600;
worker_shutdown_timeout 60s;
worker_cpu_affinity auto;
events {
use epoll;
worker_connections 66600;
}
stream {
proxy_connect_timeout 3s;
include conf.d/tcp/*.conf;
}
http {
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
charset utf-8;
include mime.types;
default_type application/octet-stream;
proxy_temp_path /var/log/nginx/nginx_cache/proxy_cache/proxy_temp_dir;
proxy_cache_path /var/log/nginx/nginx_cache/proxy_cache/proxy_dir levels=1:2 keys_zone=cache_one:200m inactive=1d max_size=2g;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504 http_404;
# 老代码需要这个 clientRealIp 头,如果没有,网站会挂
map $http_x_forwarded_for $clientRealIp {
"" $remote_addr;
~^(?P<firstAddr>[0-9\.]+),?.*$ $firstAddr;
}
log_format main
'$remote_addr - [$remote_addr] - $remote_user [$time_local]'
' "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length'
' $request_time [$http_appid] $upstream_addr "$upstream_response_length"'
' $upstream_response_time "$upstream_status" "$upstream_status" $host [$http_appkey] "$request_id"' ;
log_format json '{"access_time": "$time_iso8601", "remote_addr": "$remote_addr", "x_forward_for": "$http_x_forwarded_for", "request_method": "$request_method", "request_uri_path": "$uri", "request_uri": "$request_uri", "status": $status, "request_time": $request_time, "request_length": "$request_length", "upstream_host": "$upstream_http_host", "upstream_response_length": "$upstream_response_length", "upstream_response_time": "$upstream_response_time", "upstream_status": "$upstream_status", "http_referer": "$http_referer", "remote_user": "$remote_user", "http_user_agent": "$http_user_agent", "appkey": "$arg_appKey", "upstream_addr": "$upstream_addr", "http_host": "$http_host", "pro": "$scheme", "request_id": "$request_id", "bytes_sent": $bytes_sent}';
#log_format json '{"access_time": "$time_iso8601", "remote_addr": "$remote_addr", "x-forward-for": "$http_x_forwarded_for", "method": "$request_method", "request_url_path": "$uri", "request_url": "$request_uri", "status": $status, "request_time": $request_time, "request_length": "$request_length", "upstream_host": "$upstream_http_host", "upstream_response_length": "$upstream_response_length", "upstream_response_time": "$upstream_response_time", "upstream_status": "$upstream_status", "http_referer": "$http_referer", "remote_user": "$remote_user", "http_user_agent": "$http_user_agent", "appkey": "$arg_appKey", "upstream_addr": "$upstream_addr", "http_host": "$http_host", "pro": "$scheme", "request_id": "$request_id", "bytes_sent": $bytes_sent}';
sendfile on;
tcp_nopush on;
tcp_nodelay on;
proxy_next_upstream error http_502 timeout;
proxy_next_upstream_tries 2;
open_file_cache max=10240 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 1;
reset_timedout_connection on;
keepalive_timeout 45s;
keepalive_requests 3000;
client_header_timeout 15s;
client_body_timeout 15s;
proxy_connect_timeout 5s;
variables_hash_max_size 1024;
server_tokens off;
proxy_intercept_errors on;
fastcgi_intercept_errors on;
client_header_buffer_size 16k;
large_client_header_buffers 4 32k;
client_max_body_size 160m;
server_names_hash_max_size 1024;
server_names_hash_bucket_size 256;
gzip on;
gzip_min_length 1k;
gzip_buffers 16 8k;
gzip_comp_level 6;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json application/javascript;
gzip_vary on;
gzip_proxied any;
proxy_temp_file_write_size 64k; #设定缓存文件夹大小,大于这个值,将从upstream服务器传递请求,而不缓冲到磁盘
client_body_buffer_size 256k;
proxy_buffer_size 64k; #设置代理服务器(nginx)保存用户头信息的缓冲区大小
proxy_buffers 4 64k; #proxy_buffers缓冲区,网页平均在32k以下的话,这样设置
proxy_buffering on;
geo $whiteIpList {
default 1;
192.168.0.0/16 0;
}
map $whiteIpList $binary_remote_addr_limit {
1 $binary_remote_addr;
0 "";
}
limit_req_zone $http_host zone=open_api_domain:50m rate=6000r/s;
limit_req_zone $arg_appkey zone=open_api_appkey:50m rate=200r/s;
limit_req_zone $binary_remote_addr zone=zone_web_tmp:50m rate=5r/s;
limit_req_zone $binary_remote_addr zone=zone_web:50m rate=50r/s;
limit_req_zone $binary_remote_addr zone=zone_web_yjtg:50m rate=30r/s;
limit_req_zone $binary_remote_addr_limit zone=zone_open_api:50m rate=80r/s;
limit_req_zone $binary_remote_addr_limit zone=zone_dtkapi:50m rate=5r/s;
map $sent_http_cdn_time $expires {
default -1;
~^\d+$ $sent_http_cdn_time;
}
more_clear_headers Pragma;
set_real_ip_from 0.0.0.0/0;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
expires $expires;
more_set_headers "Upstream-Name: $proxy_host";
lua_package_path "${prefix}conf/conf.d/lrc4/?.lua;/opt/nginx/lua_modules/?.lua;/opt/nginx/lua/?.lua;/opt/nginx/lua_modules/?.lua;/opt/nginx/lua/?.lua;;";
lua_shared_dict domain_mem 10m;
lua_shared_dict open_url_mem_min 10m;
lua_shared_dict open_appkey_mem_day 10m;
lua_shared_dict my_limit_req_store 30m;
lua_shared_dict my_limit_req_api 30m;
lua_shared_dict cms_domain_mem 10m;
lua_shared_dict cms_domain_vipstatus_mem 2m;
lua_socket_log_errors off; # TCP发送失败的时候,会发送error日志到error.log,此过程会有性能开销,建议关闭,避免健康检查中多台机器down了,导致日志一直写入error.log。对于异常的情况请使用ngx.log来记录
lua_shared_dict healthcheck 2m; # 存放upstream servers的共享内存,upstream组越多,配置就越大。
proxy_redirect off ;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Request-Id $request_id;
proxy_set_header x-b3-traceid $request_id;
resolver 100.100.2.138 100.100.2.136 valid=30s;
# 静态化varnish缓存,轮训负载均衡主备
split_clients "$request_uri" $proxy_cache {
50% master_cache_servers;
* backup_cache_servers;
}
limit_req_status 429;
server {
listen 80;
server_name ~^\d+\.\d+\.\d+\.\d+;
set $cms_uri '';
set $mysql_host_uri '';
return 444;
}
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
include upstream.conf;
include conf.d/*.conf;
include testconfig/*.conf;
include blocksip.conf;
}