Building a High-Performance Web Server with LEMP (Part 3)
IV. Nginx Multiple Virtual Host Configuration and Basic Optimization (using a Discuz! forum configuration as the example)
1. Configuring an Nginx virtual host (hotlink protection and expires settings)
# vi /usr/local/nginx/conf/vhosts/bbs.linuxtone.org.conf
server
{
    listen 80;
    server_name bbs.linuxtone.org www.linuxtone.org;
    index index.html index.php index.htm;
    root /data/www/wwwroot/lt/bbs;
    #access_log /var/log/nginx/access_bbs.redocn.com.log combined;
    location / {
        # Discuz! pseudo-static rewrite rules. The numeric captures are "([0-9]+)";
        # the "(+)" in the original listing is an extraction error and is not valid PCRE.
        if (!-e $request_filename) {
            rewrite ^/archiver/((fid|tid)-[\w\-]+\.html)$ /archiver/index.php?$1 last;
            rewrite ^/forum-([0-9]+)-([0-9]+)\.html$ /forumdisplay.php?fid=$1&page=$2 last;
            rewrite ^/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ /viewthread.php?tid=$1&extra=page%3D$3&page=$2 last;
            rewrite ^/space-(username|uid)-(.+)\.html$ /space.php?$1=$2 last;
            rewrite ^/tag-(.+)\.html$ /tag.php?name=$1 last;
            break;
        }
    }

    #Preventing hot linking of images and other file types
    location ~* ^.+\.(gif|jpg|png|swf|flv|rar|zip)$ {
        valid_referers none blocked server_names *.linuxtone.org http://localhost;
        if ($invalid_referer) {
            # The original had "rewrite ^/ http://bbs.linuxtone.org/images/default/logo.gif;"
            # before the return. A rewrite to an absolute URL answers with a 302 at once, so the
            # 403 was never reached, and the logo itself matches this location, so a hotlinked
            # request would be redirected in a loop. Refusing the request is the safe choice.
            return 403;
        }
    }
    # Add expires header for static content
    # Note: regex locations are tried in file order, so gif/jpg/png/swf requests are already
    # handled by the anti-hotlink location above; only js/css/jpeg reach this block.
    location ~* \.(js|css|jpg|jpeg|gif|png|swf)$ {
        if (-f $request_filename) {
            root /data/www/wwwroot/lt/bbs;
            expires 1d;
            break;
        }
    }
    #support php
    # ".*\.php?$" in the original also matched names ending in ".ph"; anchor on ".php" only.
    location ~ \.php$
    {
        include enable_php5.conf;
    }
}
2. Building a download site with Nginx and limiting concurrent connections and transfer rate
vi /usr/local/nginx/conf/vhosts/down.redocn.com.conf
# limit_zone belongs in the http context (outside server); it reserves 10m of shared memory
# keyed by client IP. (In nginx 1.1.8+ the directive is called limit_conn_zone.)
limit_zone one $binary_remote_addr 10m;
server
{
    listen 80;
    server_name down.redocn.com;
    index index.html index.htm index.php;
    root /data/www/wwwroot/down;
    error_page 404 /index.php;
    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
    #Zone limit: one connection per client IP, each throttled to 20 KB/s
    location / {
        limit_conn one 1;
        limit_rate 20k;
    }

    # serve static files
    location ~ ^/(images|javascript|js|css|flash|media|static)/ {
        root /data/www/wwwroot/down;
        expires 30d;
    }
}
3. How to implement Nginx authentication
Make http://count.linuxtone.org/tongji require a username and password before its content can be viewed. Configure it as follows:
Create the configuration for the statistics area:
mkdir /usr/local/nginx/conf/htpasswd # create the directory that holds the password file
/usr/local/apache2/bin/htpasswd -c /usr/local/nginx/conf/htpasswd/tongji admin

server
{
    listen 80;
    server_name count.linuxtone.org;
    index index.html index.php;
    root /data/www/wwwroot/count;
    access_log /data/logs/access_count.linuxtone.org.log combined;
    #error page
    error_page 404 http://www.linuxtone.org/error.html;
    error_page 500 502 503 504 http://www.linuxtone.org;

    # Password-protected statistics area. "^~" makes this prefix location win over the
    # regex locations below. In the original the /tongji location was a regex listed
    # after the php and static regex locations; regex locations match in file order, so
    # /tongji/index.php (and /tongji/*.png etc.) were served without authentication.
    location ^~ /tongji/ {
        root /data/www/wwwroot/count;
        auth_basic "LT-COUNT-TongJi";
        auth_basic_user_file /usr/local/nginx/conf/htpasswd/tongji;
        # PHP under /tongji/ still needs the PHP handler; auth_basic is inherited here.
        location ~ \.php$ {
            include enable_php5.conf;
        }
    }
    #support php
    location ~ \.php$
    {
        include enable_php5.conf;
    }

    #expires static files
    location ~* \.(js|css|jpg|jpeg|gif|png)$ {
        if (-f $request_filename) {
            access_log off;
            expires 1d;
            break;
        }
    }
}
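To see why the ordering and type of the /tongji location decides whether the password check applies, here is an added Python model of nginx's location selection (example code, not part of the original post). It is a simplification (assumed: no nested locations, no "~" on prefix matches) and compares the page's original regex ordering with a "^~" prefix location.

```python
import re

# Simplified nginx location selection, enough to show precedence:
# 1) an "=" exact match wins; 2) the longest matching prefix is remembered and,
# if it is "^~", the search stops there; 3) otherwise the first regex ("~" / "~*")
# in file order wins; 4) else the longest plain prefix. Assumed: no nested locations.
def select_location(locations, uri):
    best_prefix = None
    for mod, pat, name in locations:
        if mod == "=" and uri == pat:
            return name
        if mod in ("", "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = (mod, pat, name)
    if best_prefix and best_prefix[0] == "^~":
        return best_prefix[2]
    for mod, pat, name in locations:
        if mod == "~" and re.search(pat, uri):
            return name
        if mod == "~*" and re.search(pat, uri, re.IGNORECASE):
            return name
    return best_prefix[2] if best_prefix else None

# Order used in the count.linuxtone.org vhost as originally posted: php, static, then auth.
ORIGINAL = [
    ("~", r".*\.php?$", "php (no auth)"),
    ("~*", r"\.(js|css|jpg|jpeg|gif|png)$", "static (no auth)"),
    ("~", r"^/(tongji)/", "tongji (auth_basic)"),
]
# Hardened: a "^~" prefix location stops the regex search, so everything under
# /tongji/ is decided there (PHP inside it is handled by a nested location in nginx).
HARDENED = [
    ("^~", "/tongji/", "tongji (auth_basic)"),
    ("~", r"\.php$", "php (no auth)"),
    ("~*", r"\.(js|css|jpg|jpeg|gif|png)$", "static (no auth)"),
]

def is_protected(locations, uri):
    """True when the request would land in the auth_basic location."""
    return select_location(locations, uri) == "tongji (auth_basic)"

if __name__ == "__main__":
    for uri in ("/tongji/", "/tongji/index.php", "/tongji/chart.png", "/index.php"):
        print(uri, "original:", is_protected(ORIGINAL, uri),
              "hardened:", is_protected(HARDENED, uri))
```

With the original ordering only the bare /tongji/ URL is challenged; any .php or static file beneath it is matched by an earlier regex location and served unauthenticated.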
4. How to enable Nginx directory listing
Add the following setting to the relevant virtual host configuration file; for more, see the official wiki.
location / {
    autoindex on;
}
5. Modifying the Nginx header to disguise the server
cd nginx-0.6.31/src/core
/* in nginx.h, change the two version macros: */
#define NGINX_VERSION "1.2"
#define NGINX_VER "LTWS/" NGINX_VERSION
Then recompile nginx and check the result:
# curl -I http://bbs.linuxtone.org
HTTP/1.1 200 OK
Server: LTWS/1.2
Date: Mon, 23 Jun 2008 06:11:17 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: lt__sid=cJN2FT; expires=Mon, 30-Jun-2008 06:11:17 GMT; path=/
Set-Cookie: lt__onlineusernum=228; expires=Mon, 23-Jun-2008 06:16:17 GMT; path=/
6. Reducing the size of the compiled nginx binary (Reduce file size of nginx)
Surprisingly, the default nginx build options use debug mode (-g), which inserts a lot of tracing and ASSERT-style code, so a compiled nginx binary is several megabytes.
Build without debug mode and the binary is only 480K (nginx-0.6.31, gcc4).
# du -sh nginx
480K nginx
In auto/cc/gcc, the last few lines contain:
# debug
CFLAGS="$CFLAGS -g"
Comment out or delete these lines and recompile.
7. Nginx log handling
# crontab -l
59 23 * * * /usr/local/sbin/logcron.sh > /dev/null 2>&1
# cat /usr/local/sbin/logcron.sh
#!/bin/bash
# Rotate the nginx access log once a day, then tell nginx to reopen its log files.
log_dir="/data/logs"
time=$(date +%Y%m%d)
# Rename the current log. The name must match the access_log directive of the vhost
# (the original moved access_linuxtone.org.log, which did not match the configured name).
/bin/mv ${log_dir}/access_count.linuxtone.org.log ${log_dir}/access_count.linuxtone.org.$time.log
# USR1 makes the nginx master process reopen its log files, so writing continues in a fresh file.
kill -USR1 $(cat /var/run/nginx.pid)
For more on log analysis and processing, follow (and join the discussion at): http://bbs.linuxtone.org/forum-8-1.html
8. Optimizing kernel parameters
vi /etc/sysctl.conf
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle drops connections from clients behind NAT whose timestamps appear to go
# backwards, and it was removed from Linux in 4.12; leave it off unless every client is a
# directly connected host.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 5000 65000
V. Basic security settings policy
1) SSH security policy: upgrade OpenSSH regularly and harden SSH (change the SSH port and restrict the source IPs allowed to log in, or refer to http://bbs.linuxtone.org/thread-106-1-1.html)
2) Turn off services you do not need using the script mentioned earlier; block the relevant ports with iptables (recommended reading: Baijin's "Mastering iptables in Two Hours" on CU)
3) Do proper system monitoring and auditing, and write automated backup scripts so that data can be restored to a recent point in time quickly, reducing losses!
4) Linux anti-ARP-attack policy (http://bbs.linuxtone.org/thread-41-1-1.html)
5) Note (as the old saying goes: security starts with the details!). For more, keep an eye on: http://bbs.linuxtone.org/forum-21-1.html (security section)