Home > Article > Backend Development > About Nginx architecture
About Nginx architecture
- 不言Original
- 2018-05-07 10:51:151607browse
Nginx-Architecture Chapter
1. Nginx FAQ
1. Multiple virtual hosts with the same server_name have priority access
# 三个配置文件: # testserver1: server_name testserver1 www.rona1do.top; root /opt/app/code1; # testserver2: server_name testserver2 www.rona1do.top; root /opt/app/code2; # testserver3: server_name testserver3 www.rona1do.top; root /opt/app/code3;
Configure the three virtual hosts with the same server_name mentioned above The host will access testserver1 first, and the priority of access is based on the server's reading order, that is, the order of file names.
2. Location matching priority
=: Exact matching of ordinary characters, that is, complete matching
^~ : Indicates ordinary character matching, use prefix matching
- ##~ ~
: Indicates performing a regular match (adding is not case-sensitive)
# 先检查对应的url地址下的文件存不存在,如果不存在找/index.php,类似于重定向
location / {
try_file $uri /index.php;
}- root
location /request_path/image/ {
root /local_path/image/;
}
# 请求:http://www.rona1do.top/request_path/image/cat.png
# 查询: /local_path/image/request_path_image/cat.png
- alias
location /request_path/image/ {
alias /local_path/image/;
}
# 请求:http://www.rona1do.top/request_path/image/cat.png
# 查询: /local_path/image/cat.png5. What method is used to pass the user’s real IP address
- In the case of a proxy, remote_addr obtains the proxy's IP, not the user's IP
- x-forwarded-for is easily tampered with
General solution: You can negotiate with the first-level agent and set the header information x_real_ip to record the user’s ip6. Common error codes in Nginx
set x_real_ip=$remote_addr
- 413: request entity too large
- User upload File limit: client_max_body_size
- ## 2. Nginx performance optimization
- Backend service not responding
- Backend service time-out
- Observation indicators (top View status, logs, etc.), stress test
- Understand the business model
- Interface business type, system hierarchical structure
- Performance and Security
- Configuring a firewall that pays too much attention to security will reduce performance
- 2. ab interface stress testing tool
- yum install httpd- tools
- -n: Total number of requests
- -c: Number of concurrent requests
- -k : Whether to enable long connections
- 3. System and Nginx performance optimization
- Setting method
- 系统全局性修改、用户局部性修改、进程局部性修改
Configuration File:
/etc/security/limits.conf# root:root用户 root soft nofile 65535 # hard 强制限制、soft 超过会发送提醒(邮件等),不限制 root hard nofile 65535 # *:所有用户 * soft nofile 65535 * hard nofile 65535Process locality modification
/etc/nginx/nginx.conf# 针对nginx进程进行设置 worker_rlimit_nofile 35535;4. CPU affinity
CPU affinity:
Place the process /The most intuitive benefit of binding threads to the CPU is to increase the hit rate of the CPU cache, thereby reducing memory access losses and increasing program speed.Number of physical CPUs:
- cat /proc/cpuinfo | grep "physical id" | sort | uniq | wc -l
-
CPU core: cat /proc/cpuinfo | grep "cpu cores" | uniq -
Core and process usage: press top# first ##, then press - 1
to view the cpu binding status of Nginx:<pre class="brush:php;toolbar:false;"># /etc/nginx/nginx.conf # nginx建议数量跟cpu核心数保持一致 worker_processes 2; # 配置cpu亲和 worker_cpu_affinity 0000000000000001 0000000000000010 # 与上一行等价,自动对应(Nginx1.9版本以上) worker_cpu_affinity auto</pre>
ps -eo pid, args,psr | grep [n]ginx
5. Nginx general configuration optimization<pre class="brush:php;toolbar:false;"># nginx服务使用nginx用户(最好不要使用root用户)
user nginx;
# cpu亲和(最好跟核心数保持一致)
worker_processes 2;
worker_cpu_affinity auto;
# error的日志级别设置为warn
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
# 文件句柄对于进程间的限制(建议1w以上)
worker_rlimit_nofile 35535;
# 事件驱动器
events {
use epoll;
# 限制每一个worker_processes进程可以处理多少个连接
worker_connections 10240;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
#字符集(服务端响应发送的报文字符集)
charset utf-8;
log_format main &#39;$remote_addr - $remote_user [$time_local] "$request" &#39;
&#39;$status $body_bytes_sent "$http_referer" &#39;
&#39;"$http_user_agent" "$http_x_forwarded_for"&#39;;
access_log /var/log/nginx/access.log main;
# 静态资源的处理
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
# gzip压缩(对于IE6或以下版本对于gzip压缩支持不是很好)
gzip on;
# IE6或以下不进行压缩(兼容)
gzip_disable "MSIE [1-6]\.";
gzip_http_version 1.1;
include /etc/nginx/conf.d/*.conf;
}</pre>3. Nginx security
1. Common malicious behaviors
Crawling behavior and malicious grabbing and resource theft
- Basic anti-leeching function prevents malicious users from easily crawling external data of the website
secure_link_module, improves encryption verification and effectiveness of data security, suitable for core important data
acces_module, serves the backend and some users Data provides IP prevention and control
2. 常见的攻击手段
后台密码撞库,通过猜测密码字典不断对后台系统尝试性登录,获取后台登录密码
后台登录密码复杂度
access_module,对后台提供IP防控
预警机制(一个IP在一段时间内重复不断请求等)
3. 文件上传漏洞
利用一些可以上传的接口将恶意代码植入到服务器中,再通过url去访问以执行代码
例:http://www.rona1do.top/upload...(Nginx将1.jpg作为php代码执行)
# 文件上传漏洞解决办法
location ^~ /upload {
root /opt/app/images;
if ($request_file ~* (.*)\.php){
return 403;
}
}
4. SQL注入
利用未过滤/未审核用户输入的攻击方法,让应用运行本不应该运行的SQL代码
Nginx+LUA配置WAF防火墙防止SQL注入
ngx_lua_waf 下载地址
使用waf步骤:
git clone https://github.com/loveshell/ngx_lua_waf.gitcd ngx_lua_wafmv ngx_lua_waf /etc/nginx/wafvim /etc/nginx/waf/conf.lua,修改RulePath为对应路径(/etc/nginx/waf/wafconf)vim /etc/nginx/waf/wafconf/post,加入一行,\sor\s+,放sql注入的正则集成waf:
# /etc/nginx/nginx.conf lua_package_path "/etc/nginx/waf/?.lua"; lua_shared_dict limit 10m; init_by_lua_file /etc/nginx/waf/init.lua; access_by_lua_file /etc/nginx/waf/waf.lua
reload Nginx
5. 复杂的访问攻击中CC攻击
waf/conf.lua配置文件中打开防cc攻击配置项CCDeny="on"CCrate="100/60" #每60秒100次请求
四、Nginx总结
定义Nginx在服务体系中的角色
静态资源服务
代理服务
动静分离
设计评估
LVS、keepalive、syslog、Fastcgi
用户权限、日志目录存放
CPU、内存、硬盘
硬件
系统
关联服务
配置注意事项
合理配置
了解原理(HTTP、操作系统...)
关注日志
相关推荐:
The above is the detailed content of About Nginx architecture. For more information, please follow other related articles on the PHP Chinese website!