nginx is a high performance web server software. It is a much more flexible and lightweight program than apache.<\/p>\n
yum install epel-release<\/p>\n
yum install nginx<\/p>\n
ifconfig eth0 | grep inet | awk ‘{ print $2 }’<\/p>\n
wget \u2013no-cookies \u2013no-check-certificate \u2013header \u201cCookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie\u201d \u201chttp:\/\/download.oracle.com\/otn-pub\/java\/jdk\/8u60-b27\/jdk-8u60-linux-x64.tar.gz\u201d
\nwget http:\/\/mirror.nus.edu.sg\/apache\/tomcat\/tomcat-8\/v8.0.30\/bin\/apache-tomcat-8.0.30.tar.gz
\ntar xzf jdk-8u40-linux-i586.tar.gz
\nmkdir \/usr\/java\/<\/p>\n
cd \/usr\/java\/jdk1.8.0_40\/
\n[root@cluster1 java]# ln -s \/usr\/java\/jdk1.8.0_40\/bin\/java \/usr\/bin\/java
\n[root@cluster1 java]# alternatives \u2013install \/usr\/java\/jdk1.8.0_40\/bin\/java java \/usr\/java\/jdk1.8.0_40\/bin\/java 2<\/p>\n
alternatives –install \/usr\/java\/jdk1.8.0_40\/bin\/java java \/usr\/java\/jdk1.8.0_40\/bin\/java 2
\nalternatives –config java<\/p>\n
vi \/etc\/profile.d\/java.sh
\nexport JAVA_HOME=\/usr\/java\/jdk1.8.0_25
\nPATH=$JAVA_HOME\/bin:$PATH
\nexport PATH=$PATH:$JAVA_HOME
\nexport JRE_HOME=\/usr\/java\/jdk1.8.0_25\/jre
\nexport PATH=$PATH:\/usr\/java\/jdk1.8.0_25\/bin:\/usr\/java\/jdk1.8.0_25\/jre\/bin<\/p>\n
Three, Tomcat load balancing configuration<\/p>\n
When Nginx start loading default configuration file \/etc\/nginx\/nginx.conf, while nginx.conf in references \/etc\/nginx\/conf.d catalog all .conf files.<\/p>\n
Therefore, some of their own custom configuration can be written to a separate .conf files, as long as the files are placed \/etc\/nginx\/conf.d this directory can be, and easy maintenance.<\/p>\n
Create tomcats.conf: vi \/etc\/nginx\/conf.d\/tomcats.conf, which reads as follows:<\/p>\n
\/usr\/tomcat\/apache-tomcat-8.0.30\/bin\/startup.sh<\/p>\n
vi \/etc\/nginx\/conf.d\/tomcats.conf<\/p>\n
upstream tomcats {
\nip_hash;
\nserver 192.168.1.60:8080;
\nserver 192.168.1.62:8080;
\nserver 192.168.0.63:8080;
\n}<\/p>\n
Modify default.conf: vi \/etc\/nginx\/conf.d\/default.conf, amend as follows:
\nvi \/etc\/nginx\/conf.d\/default.conf
\nneed to amend the below lines
\n#location \/ {
\n# root \/usr\/share\/nginx\/html;
\n# index index.html index.htm;
\n#}<\/p>\n
# new configuration default forwards the request to tomcats. conf configuration upstream processing
\nlocation \/ {
\nproxy_set_header Host $host;
\nproxy_set_header X-Real-IP $remote_addr;
\nproxy_set_header REMOTE-HOST $remote_addr;
\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
\nproxy_pass http:\/\/tomcats;
\n}<\/p>\n
After saving reload the configuration: nginx -s reload<\/p>\n
Four separate static resource configuration<\/p>\n
Modify default.conf: vi \/etc\/nginx\/conf.d\/default.conf, add the following configuration:
\nvi \/etc\/nginx\/conf.d\/default.conf<\/p>\n
All js, css requests related static resource files processed by Nginx<\/p>\n
location ~.*\\.(js|css)$ {
\nroot \/opt\/static-resources;
\nexpires 12h;
\n}<\/p>\n
Request # All photos and other multimedia-related static resource files is handled by Nginx<\/p>\n
location ~.*\\.(html|jpg|jpeg|png|bmp|gif|ico|mp3|mid|wma|mp4|swf|flv|rar|zip|txt|doc|ppt|xls|pdf)$ {
\nroot \/opt\/static-resources;
\nexpires 7d;
\n}<\/p>\n
Create a Directory for the Certificate
\nmkdir \/etc\/nginx\/ssl
\ncd \/etc\/nginx\/ssl
\nopenssl genrsa -des3 -out server.key 2048
\nopenssl req -new -key server.key -out server.csr
\ncp server.key server.key.org
\nopenssl rsa -in server.key.org -out server.key
\nopenssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt<\/p>\n
server {
\nlisten 80;
\nlisten 443 default ssl;
\nserver_name cluster1.rmohan.com;
\nkeepalive_timeout 70;
\n# ssl on;
\nssl_certificate \/etc\/nginx\/ssl\/server.crt;
\nssl_certificate_key \/etc\/nginx\/ssl\/server.key;
\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;
\nssl_ciphers HIGH:!aNULL:!MD5;
\nssl_prefer_server_ciphers on;
\n}<\/p>\n
Nginx server security configuration<\/p>\n
First, turn off SELinux
\nSecurity-Enhanced Linux (SELinux) is a Linux kernel feature that provides security policy protection mechanism supports access control.
\nHowever, SELinux brings additional security and the disproportionate use of complexity, cost is not high<\/p>\n
sed -i \/SELINUX=enforcing\/SELINUX=disabled\/ \/etc\/selinux\/config<\/p>\n
\/usr\/sbin\/sestatus -v # Check status<\/p>\n
Second, the least privilege allowed by zoning mount<\/p>\n
A separate partition on the server nginx directory.<\/p>\n
For example, create a new partition \/dev\/sda5 (first logical partition), and mounted at \/nginx.
\nMake sure \/nginx is noexec,nodev and nosetuid permission to mount<\/p>\n
The following is my \/etc\/fstab mount \/nginx information: LABEL=\/nginx \/nginx ext3 defaults,nosuid,noexec,nodev 1 2<\/p>\n
Note: You need to create a new partition using fdisk and mkfs.ext3 command.
\nThird, to strengthen the Linux security configuration \/etc\/sysctl.conf<\/p>\n
You can control and configure the Linux kernel by editing \/etc\/sysctl.conf, network settings<\/p>\n
# Avoid a smurf attack<\/p>\n
net.ipv4.icmp_echo_ignore_broadcasts = 1<\/p>\n
# Turn on protection for bad icmp error messages<\/p>\n
net.ipv4.icmp_ignore_bogus_error_responses = 1<\/p>\n
# Turn on syncookies for SYN flood attack protection<\/p>\n
net.ipv4.tcp_syncookies = 1<\/p>\n
# Turn on and log spoofed, source routed, and redirect packets<\/p>\n
net.ipv4.conf.all.log_martians = 1<\/p>\n
net.ipv4.conf.default.log_martians = 1<\/p>\n
# No source routed packets here<\/p>\n
net.ipv4.conf.all.accept_source_route = 0<\/p>\n
net.ipv4.conf.default.accept_source_route = 0<\/p>\n
# Turn on reverse path filtering<\/p>\n
net.ipv4.conf.all.rp_filter = 1<\/p>\n
net.ipv4.conf.default.rp_filter = 1<\/p>\n
# Make sure no one can alter the routing tables<\/p>\n
net.ipv4.conf.all.accept_redirects = 0<\/p>\n
net.ipv4.conf.default.accept_redirects = 0<\/p>\n
net.ipv4.conf.all.secure_redirects = 0<\/p>\n
net.ipv4.conf.default.secure_redirects = 0<\/p>\n
# Don\u2019t act as a router<\/p>\n
net.ipv4.ip_forward = 0<\/p>\n
net.ipv4.conf.all.send_redirects = 0<\/p>\n
net.ipv4.conf.default.send_redirects = 0<\/p>\n
# Turn on execshild<\/p>\n
kernel.exec-shield = 1<\/p>\n
kernel.randomize_va_space = 1<\/p>\n
# Tuen IPv6<\/p>\n
net.ipv6.conf.default.router_solicitations = 0<\/p>\n
net.ipv6.conf.default.accept_ra_rtr_pref = 0<\/p>\n
net.ipv6.conf.default.accept_ra_pinfo = 0<\/p>\n
net.ipv6.conf.default.accept_ra_defrtr = 0<\/p>\n
net.ipv6.conf.default.autoconf = 0<\/p>\n
net.ipv6.conf.default.dad_transmits = 0<\/p>\n
net.ipv6.conf.default.max_addresses = 1<\/p>\n
# Optimization for port usefor LBs<\/p>\n
# Increase system file descriptor limit<\/p>\n
fs.file-max = 65535<\/p>\n
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768<\/p>\n
kernel.pid_max = 65536<\/p>\n
# Increase system IP port limits<\/p>\n
net.ipv4.ip_local_port_range = 2000 65000<\/p>\n
# Increase TCP max buffer size setable using setsockopt()<\/p>\n
net.ipv4.tcp_rmem = 4096 87380 8388608<\/p>\n
net.ipv4.tcp_wmem = 4096 87380 8388608<\/p>\n
# Increase Linux auto tuning TCP buffer limits<\/p>\n
# min, default, and max number of bytes to use<\/p>\n
# set max to at least 4MB, or higher if you use very high BDP paths<\/p>\n
# Tcp Windows etc<\/p>\n
net.core.rmem_max = 8388608<\/p>\n
net.core.wmem_max = 8388608<\/p>\n
net.core.netdev_max_backlog = 5000<\/p>\n
net.ipv4.tcp_window_scaling = 1<\/p>\n
Fourth, remove all unnecessary Nginx module<\/p>\n
You need to make the number of modules directly by compiling the source code Nginx minimized. By limiting access to only allow web server module to minimize risk.
\nYou can configure only install nginx modules you need. For example, disabling SSL and autoindex module you can execute the following command:<\/p>\n
.\/configure -without-http_autoindex_module -without-http_ssi_module
\nmake && make install<\/p>\n
Change nginx version name, edit the file \/h\/http\/ngx_http_header_filter_module.c?<\/p>\n
vim src\/http\/ngx_http_header_filter_module.c<\/p>\n
static char ngx_http_server_string[] = \u201cServer: nginx\u201d CRLF;<\/p>\n
static char ngx_http_server_full_string[] = \u201cServer: \u201d NGINX_VER CRLF;<\/p>\n
\/\/change to<\/p>\n
static char ngx_http_server_string[] = \u201cServer: Mohan Web Server\u201d CRLF;<\/p>\n
static char ngx_http_server_full_string[] = \u201cServer: Mohan Web Server\u201d CRLF;<\/p>\n
Close nginx version number display<\/p>\n
server_tokens off<\/p>\n
Fifth, based Iptables firewall restrictions<\/p>\n
The following firewall script block any addition to allowing:<\/p>\n
HTTP (TCP port 80) of a request from
\nICMP ping requests from
\nntp (port 123) requests output
\nsmtp (TCP port 25) request output<\/p>\n
Six control buffer overflow attacks<\/p>\n
Edit and set all clients buffer size limit is as follows:<\/p>\n
client_body_buffer_size 1K;<\/p>\n
client_header_buffer_size 1k;<\/p>\n
client_max_body_size 1k;<\/p>\n
large_client_header_buffers 2 1k;<\/p>\n
client_body_buffer_size 1k (default 8k or 16k) This instruction can specify the buffer size of the connection request entity.
\nIf the value exceeds the specified buffer connection request, then the whole or part of the requesting entity will try to write a temporary file.
\nclient_header_buffer_size 1k directive specifies the client request buffer size of the head.
\nIn most cases a request header is not greater than 1k, but if there is a large cookie wap from the client that it may be greater than 1k,
\nNginx will assign it a larger buffer, this value can be set inside the large_client_header_buffers .
\nclient_max_body_size 1k- directive specifies the maximum allowable size of the client requesting entity connected, it appears in the Content-Length header field of the request.<\/p>\n
If the request is greater than the specified value, the client will receive a “Request Entity Too Large” (413) error. Remember, the browser does not know how to display the error.
\nlarge_client_header_buffers- specify the client number and size of some of the larger buffer request header use.
\nRequest a field can not be greater than the buffer size, if the client sends a relatively large head, nginx returns “Request URI too large” (414)
\nSimilarly, the head of the longest field of the request can not be greater than one buffer, otherwise the server will return “Bad request” (400). Separate buffer only when demand.
\nThe default buffer size for the operating system paging file size is usually 4k or 8k, if a connection request is ultimately state to keep- alive, it occupied the buffer will be freed.<\/p>\n
You also need to improve server performance control timeouts and disconnects the client. Edit as follows:<\/p>\n
client_body_timeout 10;
\nclient_header_timeout 10;
\nkeepalive_timeout 5 5;
\nsend_timeout 10;<\/p>\n
\u2022 client_body_timeout 10; – directive specifies the timeout request entity read. Here timeout refers to a requesting entity did not enter the reading step, if the connection after this time the client does not have any response, Nginx will return a “Request time out” (408) error.
\n\u2022 client_header_timeout 10; – directive specifies the client request header headline read timeout. Here timeout refers to a request header did not enter the reading step, if the connection after this time the client does not have any response, Nginx will return a “Request time out” (408) error.
\n\u2022 keepalive_timeout 5 5; – the first parameter specifies the timeout length of the client and server connections, over this time, the server will close the connection. The second parameter (optional) specifies the response header Keep-Alive: timeout = time value time, this value can make some browsers know when to close the connection to the server not repeat off if you do not specify this parameter , nginx does not send Keep-Alive header information in the response. (This does not refer to how a connection “Keep-Alive”) These two values ??of the parameters can be different.
\n\u2022 send_timeout 10; directive specifies the timeout is sent to the client after the response, Timeout refers not enter a complete state established, completed only two handshakes, more than this time if the client does not have any response, nginx will close the connection.<\/p>\n
Seven control concurrent connections<\/p>\n
You can use NginxHttpLimitZone module to restrict a specific session or a special case of concurrent connections IP addresses under. Edit nginx.conf:<\/p>\n
### Directive describes the zone, in which the session states are stored i.e. store in slimits. ###<\/p>\n
### 1m can handle 32000 sessions with 32 bytes\/session, set to 5m x 32000 session ###<\/p>\n
limit_zone slimits $binary_remote_addr 5m;<\/p>\n
### Control maximum number of simultaneous connections for one session i.e. ###<\/p>\n
### restricts the amount of connections from a single ip address ###<\/p>\n
limit_conn slimits 5<\/p>\n
The above represents the remote IP address to limit each client connection can not be open at the same time more than five.<\/p>\n
Eight, only allow access to our domain<\/p>\n
If the robot is just random scan all domain name servers, that reject the request. You must allow the configuration of the virtual domain or reverse proxy request. You do not use IP addresses to reject.<\/p>\n
if ($host !~ ^(test.in|www.test.in|images.test.in)$ ) {
\nreturn 444;
\n}<\/p>\n
Nine, to limit the request method available<\/p>\n
GET and POST are the Internet’s most commonly used method. The method of the Web server is defined in RFC 2616. If the Web server is not required to run all available methods, they should be disabled. The following command will filter only allows GET, HEAD and POST methods:<\/p>\n
## Only allow these request methods ##<\/p>\n
if ($request_method !~ ^(GET|HEAD|POST)$ ) {<\/p>\n
return 444;<\/p>\n
}<\/p>\n
## Do not accept DELETE, SEARCH and other methods ##<\/p>\n
More about HTTP method introduced<\/p>\n
\u2022 GET method is used to request,<\/p>\n
\u2022 HEAD method is the same, unless GET request to the server can not return the message body.<\/p>\n
\u2022 POST method can involve many things, such as storage or update data, or ordering products, or send e-mail by submitting the form. This is usually the use of server-side processing, such as PHP, Perl and Python scripts. If the file you want to upload and server processing the data, you must use this method.<\/p>\n
Ten, how to refuse a number of User-Agents?<\/p>\n
You can easily stop User-Agents, such as scanners, robotics and abuse your server spammers.<\/p>\n
## Block download agents ##<\/p>\n
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {<\/p>\n
return 403;<\/p>\n
}<\/p>\n
Soso and the proper way to prevent robots:<\/p>\n
## Block some robots ##<\/p>\n
if ($http_user_agent ~* Sosospider|YodaoBot) {<\/p>\n
return 403;<\/p>\n
}<\/p>\n
XI prevent image hotlinking<\/p>\n
Pictures or HTML Daolian mean someone directly with your website address to display pictures on his website. The end result, you need to pay the extra cost of broadband. This is often in the forum and blog. I strongly recommend that you block and prevent hotlinking behavior.<\/p>\n
# Stop deep linking or hot linking<\/p>\n
location \/images\/ {<\/p>\n
valid_referers none blocked www.example.com example.com;<\/p>\n
if ($invalid_referer) {<\/p>\n
return 403;<\/p>\n
}<\/p>\n
}<\/p>\n
For example: the redirect and display the specified image<\/p>\n
valid_referers blocked www.example.com example.com;<\/p>\n
valid_referers blocked www.example.com example.com;<\/p>\n
if ($invalid_referer) {<\/p>\n
rewrite ^\/images\/uploads.*\\.(gif|jpg|jpeg|png)$ http:\/\/www.examples.com\/banned.jpg last<\/p>\n
}<\/p>\n
Twelve, directory restrictions<\/p>\n
You can set access permissions on the specified directory. All websites directory should one configuration, allowing only access to the directory.
\nAccess by IP address restrictions
\nYou can restrict access by IP address directory \/ admin \/:<\/p>\n
ocation \/docs\/ {<\/p>\n
## block one workstation<\/p>\n
deny 192.168.1.1;<\/p>\n
## allow anyone in 192.168.1.0\/24<\/p>\n
allow 192.168.1.0\/24;<\/p>\n
## drop rest of the world<\/p>\n
deny all;<\/p>\n
}<\/p>\n
Via password protected directory, first create the password file and increase the “user” user<\/p>\n
mkdir \/usr\/local\/nginx\/conf\/.htpasswd\/<\/p>\n
htpasswd -c \/usr\/local\/nginx\/conf\/.htpasswd\/passwd user<\/p>\n
Edit nginx.conf, added need protected directories<\/p>\n
### Password Protect \/personal-images\/ and \/delta\/ directories ###<\/p>\n
location ~ \/(personal-images\/.*|delta\/.*) {<\/p>\n
auth_basic \u201cRestricted\u201d;<\/p>\n
auth_basic_user_file \/usr\/local\/nginx\/conf\/.htpasswd\/passwd;<\/p>\n
}<\/p>\n
Once the password file has been generated, you can also use the following command to allow access to the user increases<\/p>\n
htpasswd -s \/usr\/local\/nginx\/conf\/.htpasswd\/passwd userName<\/p>\n
Thirteen, Nginx SSL Configuration<\/p>\n
HTTP is a plain text protocol, which is open to passive surveillance. You should use SSL to encrypt your user content.
\nCreate SSL certificate, execute the following command:<\/p>\n
cd \/usr\/local\/nginx\/conf<\/p>\n
openssl genrsa -des3 -out server.key 1024<\/p>\n
openssl req -new -key server.key -out server.csr<\/p>\n
cp server.key server.key.org<\/p>\n
openssl rsa -in server.key.org -out server.key<\/p>\n
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt<\/p>\n
Edit nginx.conf press following updates:<\/p>\n
server {<\/p>\n
server_name example.com;<\/p>\n
listen 443;<\/p>\n
ssl on;<\/p>\n
ssl_certificate \/usr\/local\/nginx\/conf\/server.crt;<\/p>\n
ssl_certificate_key \/usr\/local\/nginx\/conf\/server.key;<\/p>\n
access_log \/usr\/local\/nginx\/logs\/ssl.access.log;<\/p>\n
error_log \/usr\/local\/nginx\/logs\/ssl.error.log;<\/p>\n
}<\/p>\n
Fourteen, Nginx and PHP Security Recommendations<\/p>\n
PHP is a popular scripting language on the server side. Edit \/etc\/php.ini file as follows:<\/p>\n
# Disallow dangerous functions<\/p>\n
disable_functions = phpinfo, system, mail, exec<\/p>\n
## Try to limit resources ##<\/p>\n
# Maximum execution time of each script, in seconds<\/p>\n
max_execution_time = 30<\/p>\n
# Maximum amount of time each script may spend parsing request data<\/p>\n
max_input_time = 60<\/p>\n
# Maximum amount of memory a script may consume (8MB)<\/p>\n
memory_limit = 8M<\/p>\n
# Maximum size of POST data that PHP will accept.<\/p>\n
post_max_size = 8M<\/p>\n
# Whether to allow HTTP file uploads.<\/p>\n
file_uploads = Off<\/p>\n
# Maximum allowed size for uploaded files.<\/p>\n
upload_max_filesize = 2M<\/p>\n
# Do not expose PHP error messages to external users<\/p>\n
display_errors = Off<\/p>\n
# Turn on safe mode<\/p>\n
safe_mode = On<\/p>\n
# Only allow access to executables in isolated directory<\/p>\n
safe_mode_exec_dir = php-required-executables-path<\/p>\n
# Limit external access to PHP environment<\/p>\n
safe_mode_allowed_env_vars = PHP_<\/p>\n
# Restrict PHP information leakage<\/p>\n
expose_php = Off<\/p>\n
# Log all errors<\/p>\n
log_errors = On<\/p>\n
# Do not register globals for input data<\/p>\n
register_globals = Off<\/p>\n
# Minimize allowable PHP post size<\/p>\n
post_max_size = 1K<\/p>\n
# Ensure PHP redirects appropriately<\/p>\n
cgi.force_redirect = 0<\/p>\n
# Disallow uploading unless necessary<\/p>\n
# Enable SQL safe mode<\/p>\n
sql.safe_mode = On<\/p>\n
# Avoid Opening remote files<\/p>\n
allow_url_fopen = Off<\/p>\n
Fifth, if possible, let Nginx run in a chroot jail<\/p>\n
The nginx placed in a chroot jail to reduce the potential for illegal entry into other directories. You can use the traditional and nginx installed with chroot. If possible, that use FreeBSD jails, Xen, OpenVZ virtualization container concept.<\/p>\n
XVI firewall level limits the number of connections for each IP<\/p>\n
Network server must monitor connections and connection limits per second. PF and Iptales are able to enter your nginx server before the end user to block access.
\nLinux Iptables: limit the number of connections for each Nginx
\nfollowing example will prevent from a single IP connection of more than 15 the number of ports 80, 60 seconds.<\/p>\n
\/sbin\/iptables -A INPUT -p tcp \u2013dport 80 -i eth0 -m state \u2013state NEW -m recent \u2013set<\/p>\n
\/sbin\/iptables -A INPUT -p tcp \u2013dport 80 -i eth0 -m state \u2013state NEW -m recent \u2013update \u2013seconds 60 \u2013hitcount 15 -j DROP<\/p>\n
service iptables save<\/p>\n
According to your specific situation to set the connection limit.<\/p>\n
XVII configure the operating system to protect Web servers<\/p>\n
Like the above described start SELinux Correct set permissions \/nginx document root directory.
\nNginx running in user nginx. But the root directory (\/ nginx or \/usr\/local\/nginx\/html\/) should not be set, or the user belongs to the user nginx nginx writable.
\nFind the error file permissions can use the following command:<\/p>\n
find \/nginx -user nginx<\/p>\n
find \/usr\/local\/nginx\/html -user nginx<\/p>\n
Make sure you are more ownership of the root or other users, a typical permission settings \/usr\/local\/nginx\/html\/<\/p>\n
ls -l \/usr\/local\/nginx\/html\/<\/p>\n
Sample output:<\/p>\n
-rw-r-r- 1 root root 925 Jan 3 00:50 error4xx.html<\/p>\n
-rw-r-r- 1 root root 52 Jan 3 10:00 error5xx.html<\/p>\n
-rw-r-r- 1 root root 134 Jan 3 00:52 index.html<\/p>\n
You must delete the backup files from the vi or another text editor to create:<\/p>\n
find \/nginx -name \u2018.?*\u2019 -not -name .ht* -or -name \u2018*~\u2019 -or -name \u2018*.bak*\u2019 -or -name \u2018*.old*\u2019<\/p>\n
find \/usr\/local\/nginx\/html\/ -name \u2018.?*\u2019 -not -name .ht* -or -name \u2018*~\u2019 -or -name \u2018*.bak*\u2019 -or -name \u2018*.old*\u2019<\/p>\n
To delete these files by -delete option to find command.<\/p>\n
Eighth, the outgoing connections limit Nginx<\/p>\n
Hackers can use tools such as wget download your local file server. Iptables from using nginx user to block outgoing connections. ipt_owner module tries to match the creator of locally generated packets. The following example allows only users 80 user connections outside.<\/p>\n
\/sbin\/iptables -A OUTPUT -o eth0 -m owner \u2013uid-owner vivek -p tcp \u2013dport 80 -m state \u2013state NEW,ESTABLISHED -j ACCEPT<\/p>\n
With the above configuration, your nginx server is already very safe and you can publish web pages. However, you should also find more information on security settings according to your site procedures. For example, wordpress or a third-party program.<\/p>\n
nginx is a good web server, providing a full range of speed limit function, the main function module is ngx_http_core_module,
\nngx_http_limit_conn_module and ngx_http_limit_req_module, the first module in limit_rate function (limited speed bandwidth),<\/p>\n
the latter two modules Literally , functions are limiting connections (limit connection) and restriction request (limit request), these modules are compiled into the default nginx core.<\/p>\n
All limits are for IP and therefore CC, DDOS has some defensive role.<\/p>\n
Limited bandwidth is very easy to understand, directly on the example<\/p>\n
location \/mp3 {
\nlimit_rate 200k;
\n}<\/p>\n
There is a way you can make the speed limit is more humane, namely transmission speed after the start of a certain flow,<\/p>\n
Such as the first full-speed transmission 1M, then start speed:<\/p>\n
location \/photo {
\nlimit_rate_after 1m;
\nlimit_rate 100k;
\n}<\/p>\n
Then speak and limit the number of concurrent requests.<\/p>\n
Why do these two modules? Because we know that a page is usually more than one child module, such as five pictures, then we request this page initiated a connection,
\nbut this is a connection request that contains the five pictures, which means that a connection can initiate multiple requests . We have to maintain the user experience,
\nit is to limit the number of connections or requests, to be selected according to actual needs.<\/p>\n
limit the number of connections<\/p>\n
To restrict access, you must first have a container for connection count, add the following code segment http:<\/p>\n
limit_conn_zone $binary_remote_addr zone=addr:5m;<\/p>\n
This will create a 5M in memory size, speed pool named addr (each connection occupies 32 or 64 bytes, 5m size which can accommodate tens of thousands of connections, is usually sufficient,
\nif memory is exhausted 5M , will return to 503)<\/p>\n
Next, the need for a different location server (location above) to limit the rate, such as restrictions on the number of concurrent connections per IP is 2,<\/p>\n
limit_conn addr 2;<\/p>\n
2, limit the number of requests<\/p>\n
To limit the number of requests, you must first create a speed pool, add the following code segment at http:<\/p>\n
limit_conn_zone $binary_remote_addr zone=addr:5m;<\/p>\n
Limit divided into global and local speed limit,<\/p>\n
For global speed limit, we only need to be followed by the parameters, such as 20 requests per second, rate = 20r \/ s, namely:<\/p>\n
limit_req_zone $binary_remote_addr zone=perip:5m rate=20r\/s;<\/p>\n
Sometimes we want to adjust the location segment links, you can help burst parameters<\/p>\n
limit_req zone=one burst=50;<\/p>\n
If you do not want to delay, there nodelay parameters<\/p>\n
limit_req zone=one burst=50 nodelay;<\/p>\n
The above is the rate-limiting nginx Introduction, inappropriate, please correct me. As for the specific use of methods which limit must be considered, so as not to damage the user experience.<\/p>\n
nginx log filter Web Crawler<\/p>\n
Nginx log analysis, when there is a headache many spiders reptiles marks.<\/p>\n
Given that most spiders reptiles are called xx-bot or xx-spider, the following methods can be written to a separate log reptiles:<\/p>\n
location \/ {
\nif ($http_user_agent ~* “bot|spider”) {
\naccess_log \/var\/log\/nginx\/spider.access.log;
\n}
\n}
\nOr simply do not write log<\/p>\n
location \/ {
\nif ($http_user_agent ~* “bot|spider”) {
\naccess_log off;
\n}
\n}<\/p>\n
Tomcat implement multi-instance use systemd centos 7 RHEL 7<\/p>\n
rpm -ivh jdk-8u60-linux-x64.rpm<\/p>\n
getent group tomcat || groupadd -r tomcat
\ngetent passwd tomcat || useradd -r -d \/opt -s \/bin\/nologin tomcat<\/p>\n
cd \/opt
\nwget http:\/\/mirror.nus.edu.sg\/apache\/tomcat\/tomcat-8\/v8.0.30\/bin\/apache-tomcat-8.0.30.tar.gz
\ntar xzf jdk-8u40-linux-i586.tar.gz<\/p>\n
mv apache-tomcat-8.0.30 tomcat01
\nchown -R tomcat:tomcat tomcat01<\/p>\n
tar zxvf apache-tomcat-8.0.30.tar.gz
\nmv apache-tomcat-8.0.30 tomcat02
\nchown -R tomcat:tomcat tomcat02<\/p>\n
sed -i ‘s\/8080\/8081\/g’ \/opt\/tomcat01\/conf\/server.xml
\nsed -i ‘s\/8005\/8001\/g’ \/opt\/tomcat01\/conf\/server.xml
\nsed -i ‘s\/8080\/8082\/g’ \/opt\/tomcat02\/conf\/server.xml
\nsed -i ‘s\/8005\/8002\/g’ \/opt\/tomcat02\/conf\/server.xml<\/p>\n
sed -i ‘\/8009\/d’ \/opt\/tomcat01\/conf\/server.xml
\nsed -i ‘\/8009\/d’ \/opt\/tomcat01\/conf\/server.xml<\/p>\n
cd \/usr\/lib\/systemd\/system
\ncat >tomcat01.service <<EOF
\n[Unit]
\nDescription=Apache Tomcat 7
\nAfter=network.target
\n[Service]
\nType=oneshot
\nExecStart=\/opt\/tomcat01\/bin\/startup.sh
\nExecStop=\/opt\/tomcat01\/bin\/shutdown.sh
\nRemainAfterExit=yes
\nUser=tomcat
\nGroup=tomcat
\n[Install]
\nWantedBy=multi-user.target
\nEOF<\/p>\n
sed ‘s\/tomcat01\/tomcat02\/g’ tomcat01.service > tomcat02.service<\/p>\n
systemctl enable tomcat01
\nsystemctl enable tomcat02
\nsystemctl start tomcat01
\nsystemctl start tomcat02<\/p>\n
proxy_cache_path \/var\/cache\/nginx\/proxy_cache levels=1:2 keys_zone=static:10m inactive=30d max_size=1g;<\/p>\n
upstream tomcat {
\nip_hash ;
\n#hash $remote_addr consistent;
\nserver 127.0.0.1:8081 max_fails=1 fail_timeout=2s ;
\nserver 127.0.0.1:8082 max_fails=1 fail_timeout=2s ;
\nkeepalive 16;
\n}<\/p>\n
server {
\nlisten 80;
\nserver_name tomcat.example.com;<\/p>\n
charset utf-8;
\naccess_log \/var\/log\/nginx\/tomcat.access.log main;
\nroot \/usr\/share\/nginx\/html;
\nindex index.html index.htm index.jsp;<\/p>\n
location \/ {
\nproxy_pass http:\/\/tomcat;
\nproxy_redirect off;
\nproxy_set_header Host $host;
\nproxy_set_header X-Real-IP $remote_addr;
\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
\nproxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;<\/p>\n
proxy_connect_timeout 300;
\nproxy_send_timeout 300;
\nproxy_read_timeout 300;
\nproxy_http_version 1.1;
\nproxy_set_header Connection “”;<\/p>\n
add_header X-Backend “$upstream_addr”;
\n}<\/p>\n
location ~* ^.+\\.(js|css|ico|gif|jpg|jpeg|png)$ {
\nproxy_pass http:\/\/tomcat ;
\nproxy_redirect off;
\nproxy_set_header Host $host;
\nproxy_set_header X-Real-IP $remote_addr;
\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
\nproxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;<\/p>\n
proxy_connect_timeout 300;
\nproxy_send_timeout 300;
\nproxy_read_timeout 300;
\nproxy_http_version 1.1;
\nproxy_set_header Connection “”;<\/p>\n
proxy_cache static;
\nproxy_cache_key $host$uri$is_args$args;
\nproxy_cache_valid 200 302 7d;
\nproxy_cache_valid 404 1m;
\nproxy_cache_valid any 1h;
\nadd_header X-Cache $upstream_cache_status;<\/p>\n
#log_not_found off;
\n#access_log off;
\nexpires max;
\n}<\/p>\n
location ~ \/\\.ht {
\ndeny all;
\n}<\/p>\n
}<\/p>\n","protected":false},"excerpt":{"rendered":"
nginx is a high performance web server software. It is a much more flexible and lightweight program than apache.<\/p>\n
yum install epel-release<\/p>\n
yum install nginx<\/p>\n
ifconfig eth0 | grep inet | awk ‘{ print $2 }’<\/p>\n
wget \u2013no-cookies \u2013no-check-certificate \u2013header \u201cCookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie\u201d \u201chttp:\/\/download.oracle.com\/otn-pub\/java\/jdk\/8u60-b27\/jdk-8u60-linux-x64.tar.gz\u201d wget http:\/\/mirror.nus.edu.sg\/apache\/tomcat\/tomcat-8\/v8.0.30\/bin\/apache-tomcat-8.0.30.tar.gz tar xzf jdk-8u40-linux-i586.tar.gz mkdir \/usr\/java\/<\/p>\n
cd \/usr\/java\/jdk1.8.0_40\/ [root@cluster1 java]# […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7295"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7295"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7295\/revisions"}],"predecessor-version":[{"id":7296,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7295\/revisions\/7296"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7295"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7295"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7295"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}