Collection: yum install, gzip compression, 404/503 pages, LibreSSL, Yunsuo web module, http2, 444 code, typecho rewrite rules, socket, status, reverse proxy, 301 redirect, cross-directory access, untrusted certificate chain, worker_connections max connections, website security hardening, config template
yum
Installing nginx with yum is the simplest way on CentOS; nginx.org provides optimized official packages, so yum is the best choice for beginners.
Official installation notes: the Linux package-manager method.
For example, installing the stable version on CentOS 7:
On Red Hat-family systems, create /etc/yum.repos.d/nginx.repo with the following content:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/OS/OSRELEASE/$basearch/
gpgcheck=0
enabled=1
where the "OS" field is "rhel" or "centos" and the "OSRELEASE" field is the system version "5", "6" or "7" for 5.x, 6.x or 7.x.
Install:
yum install nginx
nginx -V
nginx version: nginx/1.10.0
and that is all.
gzip compression
Add inside http{}:
gzip on;
gzip_http_version 1.0;
gzip_disable "MSIE [1-6].";
gzip_types text/plain application/x-javascript text/css text/javascript;
Add in the server{} block:
location ~ .*\.(gif|jpg|png|htm|html|css|js|flv|ico|swf)(.*) {
expires 1d;
}
404 and 503 pages
Add in the server{} block:
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
then reload the service with nginx -s reload.
LibreSSL
LibreSSL is a more reliable project than openssl, and it is just as simple to use.
At this point LibreSSL can be compiled straight into nginx without any extra settings.
Set up the build environment:
yum install -y gcc gcc-c++ pcre-devel openssl openssl-devel
mkdir /data;cd /data
LibreSSL
wget http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.3.tar.gz
tar xvzf libressl-2.3.3.tar.gz
nginx or tengine
cd /data
wget http://nginx.org/download/nginx-1.9.15.tar.gz
tar -xzvf nginx-1.9.15.tar.gz
cd nginx-1.9.15
./configure --with-openssl=/data/libressl-2.3.3/ --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module
make;make install
ln -s /usr/local/nginx/sbin/nginx /usr/sbin/nginx
ln -s /usr/local/nginx/conf /etc/nginx
nginx -V
nginx version: nginx/1.9.15
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with LibreSSL 2.3.3
TLS SNI support enabled
Done.
Yunsuo web module
Installing the Yunsuo module under nginx and tengine is also fairly simple.
Official module notes: for nginx, the POST handling must be changed as the notes describe.
Set up the build environment:
yum install -y gcc gcc-c++ pcre-devel openssl openssl-devel
mkdir /data;cd /data
openssl or libressl
wget https://www.openssl.org/source/openssl-1.0.2g.tar.gz
tar -xvzf openssl-1.0.2g.tar.gz
cd openssl-1.0.2g
./config
make;make install
mkdir .openssl
cd .openssl
cp -rf /usr/local/ssl/lib .
cp -rf /usr/local/ssl/include .
cd /data
Yunsuo module
wget https://codeload.github.com/yunsuo-open/nginx-plugin/zip/master -O nginx-plugin-master.zip
unzip nginx-plugin-master.zip
tengine or nginx
cd /data
wget http://tengine.taobao.org/download/tengine-2.1.2.tar.gz
tar -xzvf tengine-2.1.2.tar.gz
cd tengine-2.1.2
./configure --with-openssl=/data/openssl-1.0.2g/ --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --add-module=/data/nginx-plugin-master
make;make install
ln -s /usr/local/nginx/sbin/nginx /usr/sbin/nginx
ln -s /usr/local/nginx/conf /etc/nginx
nginx -V
Tengine version: Tengine/2.1.2 (nginx/1.6.2)
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
TLS SNI support enabled
To make Yunsuo recognize the nginx you compiled yourself, the steps are:
1. Install Yunsuo. If it is already installed, skip this step; otherwise download and install it from http://www.yunsuo.com.cn/ht/software/
2. cd /usr/local/yunsuo_agent/nginx/
3. ./configure_compiled_nginx nginx_install_path (nginx_install_path is the nginx installation path, i.e. --prefix=path at configure time; if no path was given it defaults to /usr/local/nginx)
./configure_compiled_nginx /usr/local/nginx/
http2
--with-http_v2_module is the http2 build parameter.
To check http2 support, enter the following in Chrome:
chrome://net-internals/#http2
444 code
444 is an nginx-specific return code; it means close the connection immediately.
return 444;
What if we want to apply it to port 80?
server {
listen 80 default_server;
server_name _;
return 444;
}
_ is merely one of many invalid domain names, a stand-in that will never intersect with any real name. Other invalid names such as "-" and "!@#" can be used in the same way.
Any domain name can also be configured to be blocked outright.
typecho rewrite rules
The if (!-e construct is evil at any time; use try_files instead.
Rewrite rule
Add inside location / {:
try_files $uri $uri/ /index.php?$args;
Socket mode
Edit /etc/php-fpm.d/www.conf:
;listen = 127.0.0.1:9000 ; original line, commented out
listen = /dev/shm/fpm-cgi.sock ; the socket file is created automatically
listen.owner = nginx ; permissions for nginx and apache
listen.group = apache
listen.backlog = -1 ; unlimited concurrency
nginx virtual host config file:
#fastcgi_pass 127.0.0.1:9000; # commented out
fastcgi_pass unix:/dev/shm/fpm-cgi.sock; # use the socket file
Fixing the problem of large numbers of HTTP 502s with "11: Resource temporarily unavailable" when using a Unix socket:
Add the following to /etc/sysctl.conf:
net.core.somaxconn = 2048
Then run in a terminal:
sysctl -p
and restart nginx and php-fpm.
status module
The build parameter --with-http_stub_status_module is included by default:
location /status
{
stub_status on;
access_log off;
#allow 127.0.0.1;
#deny all;
}
Active connections // number of active connections nginx is currently handling.
server accepts handled requests // total connections accepted, handshakes successfully established, total requests handled.
Reading // number of connections where nginx is reading the client request header.
Writing // number of connections where nginx is writing the response header back to the client.
Waiting // with keep-alive enabled, this equals active – (reading + writing): idle keep-alive connections nginx has finished handling and that are waiting for the next request.
Reverse proxy
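As an added example that is not part of the original post, a small Python parser for the stub_status page above; it computes the accepts-minus-handled difference (non-zero once worker_connections is exhausted) and checks the Waiting identity. The sample text is constructed, not captured from a real host.

```python
"""Parse nginx stub_status output and derive the checks described above."""
import re

# Constructed sample of a GET /status response (not from a real server).
SAMPLE_STATUS = (
    "Active connections: 291\n"
    "server accepts handled requests\n"
    " 16630948 16630948 31070465\n"
    "Reading: 6 Writing: 179 Waiting: 106\n"
)

FIELDS = re.compile(
    r"Active connections:\s*(?P<active>\d+)\s*\n"
    r"server accepts handled requests\s*\n"
    r"\s*(?P<accepts>\d+)\s+(?P<handled>\d+)\s+(?P<requests>\d+)\s*\n"
    r"Reading:\s*(?P<reading>\d+)\s+Writing:\s*(?P<writing>\d+)\s+Waiting:\s*(?P<waiting>\d+)"
)


def parse_stub_status(text):
    """Return the seven counters of a stub_status page as ints."""
    m = FIELDS.search(text)
    if m is None:
        raise ValueError("input is not nginx stub_status output")
    return {k: int(v) for k, v in m.groupdict().items()}


def health(stats):
    """Signals worth alerting on.

    dropped: accepts - handled; non-zero means nginx accepted a connection but
    could not handle it, typically because worker_connections was exhausted.
    waiting_consistent: the keep-alive identity waiting == active - (reading + writing).
    """
    handled = stats["handled"]
    return {
        "dropped": stats["accepts"] - handled,
        "requests_per_conn": stats["requests"] / handled if handled else 0.0,
        "waiting_consistent":
            stats["waiting"] == stats["active"] - (stats["reading"] + stats["writing"]),
    }


if __name__ == "__main__":
    s = parse_stub_status(SAMPLE_STATUS)
    print(s, health(s))
```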
server {
listen 80;
server_name gg.tntsec.com;
rewrite ^(.*) https://gg.tntsec.com$1 permanent;
}
server {
listen 443;
server_name gg.tntsec.com;
ssl on;
ssl_certificate /etc/nginx/google.crt;
ssl_certificate_key /etc/nginx/google.key;
location / {
proxy_redirect https://www.google.com.hk/ /;
proxy_cookie_domain google.com.hk gg.tntsec.com;
proxy_set_header Host www.google.com.hk;
proxy_pass https://www.google.com.hk;
}
}
301 redirect
server {
listen 80;
server_name example.com www.example.com;
## redirect http to https ##
rewrite ^ https://$server_name$request_uri? permanent;
}
Cross-directory access
Simply put, with nginx+php-fpm, php-fpm runs as a single user. If a webshell is uploaded to site A under /www/a, it can read anywhere the php-fpm user can, including every site under /www/.
The traditional fixes are either to change the php-fpm user, one user per site, or to set open_basedir=/home/wwwroot/:/tmp/, which still lets it cross between sites inside that directory.
The best approach is one open_basedir per site:
server {
location ~ .*\.php(\/.*)*$ {
include pathinfo.conf;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
# add the following line:
fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/";
}
}
After this fix, a webshell can no longer escape the restricted scope.
Untrusted certificate chain
An untrusted certificate chain is really a case of using the wrong certificate file: nginx must be given a certificate that includes the CA chain, so be careful to distinguish them when applying.
worker_connections max connections
worker_connections exceed open file resource limit: 1024
Add the following two lines at the end of /etc/security/limits.conf:
* soft nofile 65535
* hard nofile 65535
Website security hardening: php and nginx
Disable PHP version disclosure
php.ini:
expose_php = Off
Disable nginx version disclosure
nginx.conf:
After http { add: server_tokens off;
Unsafe PHP functions
disable_functions=exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,pcntl_exec,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create,socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen,socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block,socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write,stream_socket_server,disk_total_space,disk_free_space,diskfreespace,getrusage,get_current_user,getmyuid,getmypid,dl,leak,listen,chgrp,link,symlink,dlopen,proc_nice,proc_get_stats,proc_terminate,shell_exec,sh2_exec,posix_getpwuid,posix_getgrgid,posix_kill,ini_restore,mkfifo,dbmopen,dbase_open,filepro,filepro_rowcount,posix_mkfifo,putenv,sleep,chmod,chown,chroot,ini_set,phpinfo,proc_get_status,error_log,syslog,readlink,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_getpriority,pcntl_setpriority,eval,pfsockopen,openlog,popepassthru,fsocket,chdir
Config template
nginx.conf
cat /etc/nginx/nginx.conf
user nobody;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 5024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 50;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
Blog
cat /etc/nginx/conf.d/blog.conf
server {
listen 80;
server_name blog.0up.org;
# sysguard on;
# sysguard_load load=10.5 action=/loadlimit;
#
# location /loadlimit {
# return 503;
# }
rewrite ^/(.*)$ https://z.9sb.org/$1 permanent;
}
server {
listen 443 ssl http2;
#listen 443 ssl http2 spdy;
ssl_certificate /etc/nginx/0up.crt;
ssl_certificate_key /etc/nginx/0up.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
#ssl_dhparam /etc/nginx/dhparams.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name blog.0up.org;
# sysguard on;
#
# sysguard_load load=10.5 action=/loadlimit;
#
# location /loadlimit {
# return 503;
# }
access_log /var/log/nginx/log/blog.log main buffer=1m;
root /var/www/html/blog;
index index.php index.html index.htm;
error_page 502 503 /50x.html;
location / {
try_files $uri $uri/ /index.php?$args;
}
location /status
{
stub_status on;
access_log off;
#allow 127.0.0.1;
# #deny all;
}
location ~ .*\.(css|js|ico|png)(.*) {
expires 30d;
}
location ~ /(usr/uploads|usr/plugins/CommentToMail/cache|usr/plugins/Sitemap/sitemap|usr/plugins/CommentToMail/log)/.*\.(php|php5)?$ {
deny all;
}
location ~ .*\.php(\/.*)*$ {
#fastcgi_pass 127.0.0.1:9000;
#location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/dev/shm/fpm-cgi.sock;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/:/proc/";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
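As an added check that is not part of the original post, a small Python audit of the TLS and version-disclosure directives in a server block like the template above; the excerpt is a constructed, trimmed copy of the blog.conf directives, and the directive names checked are the ones used on this page.

```python
"""Audit ssl_protocols, ssl_ciphers, ssl_dhparam and server_tokens in an nginx block."""
import re

# Constructed, trimmed excerpt of the blog.conf template above.
SAMPLE_CONF = """server {
listen 443 ssl http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5;
ssl_prefer_server_ciphers on;
#ssl_dhparam /etc/nginx/dhparams.pem;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Tokens that explicitly enable 3DES, or (OpenSSL aliases AES/CAMELLIA) pull in CBC-mode suites.
LEGACY_CIPHER_TOKENS = {"DES-CBC3-SHA", "AES", "CAMELLIA", "RC4", "MD5"}


def directive(conf, name):
    """Value of the first uncommented occurrence of a directive, or None."""
    m = re.search(r"^[ \t]*" + re.escape(name) + r"[ \t]+([^;]+);", conf, re.M)
    return m.group(1).strip() if m else None


def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for proto in (directive(conf, "ssl_protocols") or "").split():
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    ciphers = (directive(conf, "ssl_ciphers") or "").split(":")
    for tok in ciphers:
        if tok in LEGACY_CIPHER_TOKENS:
            findings.append(f"legacy cipher token enabled: {tok}")
    # DHE suites without ssl_dhparam fall back to nginx's built-in DH parameters.
    uses_dhe = any(t.startswith("DHE-") or t in ("DHE", "kEDH", "EDH") for t in ciphers)
    if uses_dhe and directive(conf, "ssl_dhparam") is None:
        findings.append("DHE suites enabled but ssl_dhparam is not set")
    if directive(conf, "server_tokens") != "off":
        findings.append("server_tokens is not off (nginx version disclosed)")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF):
        print(line)
```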