linux:webserver:nginx

linux:webserver:nginx [2016/08/10 21:31]
tkilla
linux:webserver:nginx [2020/11/13 04:11]
tkilla [Block Bots, SQL Injections, etc]
Line 3: Line 3:
 ====== Performance ====== ====== Performance ======
  
-  * uninstall nginx-full from wheezy (nginx is just an empty meta-package), instead install nginx-extras from dotdeb. this version is much faster! +  * uninstall nginx-full (nginx is just an empty meta-package), instead install nginx-extras from dotdeb. this version includes pagespeed and everything 
-  * nginx.conf optimizations: +  * try nginx-light -> it'faster (ca. 0,2sec), but few modules 
-    worker_processes 4;   we have 4 cores +  * always use latest versions from dotdeb repo 
-    worker_connections 4096+ 
-    multi_accept on;  +**nginx.conf optimizations:** 
-    access_log /var/log/nginx/access.log main buffer=16k; # log buffer (reduce slow disc writes) +** 
-    # gzip enabled +  use the number of** logical cores / threads: 
-    # Cache information about frequently accessed files enabled+  worker_processes 8; 
 +  worker_connections 1024
 + 
 +  multi_accept on;  
 +   
 +  # log buffer (reduce slow disc writes) 
 +  access_log /var/log/nginx/access.log main buffer=16k; 
 + 
 +  # gzip config 
 +  gzip on; 
 +  gzip_disable "msie6"; 
 +  gzip_min_length 1400; 
 +  gzip_vary on; 
 +  gzip_proxied any; 
 +  gzip_comp_level 6; 
 +  gzip_buffers 16 8k; 
 +  gzip_http_version 1.1; 
 +  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; 
 + 
 +  # Cache information about frequently accessed files 
 +  open_file_cache max=2000 inactive=20s; 
 +  open_file_cache_valid 60s; 
 +  open_file_cache_min_uses 5; 
 +  open_file_cache_errors off; 
 + 
 +  # buffers optimzed: 
 +  client_max_body_size 20m; 
 +  client_body_buffer_size 128k; 
 +  # fix 169 upstream sent too big header while reading response header from upstream 
 +  proxy_buffer_size   128k; 
 +  proxy_buffers   4 256k; 
 +  proxy_busy_buffers_size   256k; 
 +  proxy_connect_timeout  1200s; 
 +  proxy_send_timeout  1200s; 
 +  proxy_read_timeout  1200s; 
 +  fastcgi_send_timeout 1200s; 
 +  fastcgi_read_timeout 1200s; 
 +   
 +  # mitigate https://httpoxy.org: 
 +  fastcgi_param HTTP_PROXY ""; 
 + 
 + 
 +  tcp_nopush on; 
 +  tcp_nodelay on; 
 +  #tcp_nopush off; # -> 0,1s - 0,3s slower 
 +  keepalive_timeout 5;   # instead of 65 - less ressources, same performance
  
  
Line 53: Line 98:
  
   rewrite (*UTF8)^/[öüäÖÜÄßa-zA-Z][a-zA-Z]/index.php(.*)$ /index.php$1;   rewrite (*UTF8)^/[öüäÖÜÄßa-zA-Z][a-zA-Z]/index.php(.*)$ /index.php$1;
 +
 +
 +===== microcaching =====
 +
 +Cache PHP output for a very short time on busy sites to reduce php load:
 +
 +Vhost config top:
 +
 +  fastcgi_cache_path /home/cache levels=1:2 keys_zone=MYAPP:100m inactive=60m;
 +  fastcgi_cache_key "$scheme$request_method$host$request_uri";
 +
 +
 +server {
 +  ....
 +  
 +  location ~ \.php$ {
 +
 +  # Setup var defaults
 +  set $no_cache "";
 +  # If non GET/HEAD, don't cache & mark user as uncacheable for 1 second via cookie
 +  if ($request_method !~ ^(GET|HEAD)$) {
 +       set $no_cache "1";
 +  }
 +  # Drop no cache cookie if need be
 +  # (for some reason, add_header fails if included in prior if-block)
 +  if ($no_cache = "1") {
 +       add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
 +       add_header X-Microcachable "0";
 +  }
 +  # Bypass cache if no-cache cookie is set
 +  if ($http_cookie ~* "_mcnc") {
 +       set $no_cache "1";
 +  }
 +  # Bypass cache if flag is set
 +  fastcgi_no_cache $no_cache;
 +  fastcgi_cache_bypass $no_cache;
 +  fastcgi_cache microcache;
 +  fastcgi_cache_key $server_name|$request_uri;
 +  fastcgi_cache_valid 404 30m;
 +  fastcgi_cache_valid 200 10s;
 +  fastcgi_max_temp_file_size 1M;
 +  fastcgi_cache_use_stale updating;
 +  fastcgi_pass_header Set-Cookie;
 +  fastcgi_pass_header Cookie;
 +  fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 +
 +====== Security ======
 +
 +
 +===== Block Bots, SQL Injections, etc =====
 +
 +Block Bots in nginx.conf include like dissallow.conf:
 +
 +  server { ...
 +  
 +    if ($http_user_agent ~* (AspiegelBot|MegaIndex|heritrix|panscient|HubSpot|libwww-perl|OpenVAS-VT|masscan|Linguee|Nimbostratus|Seekport|SMTBot|SEOkicks|SeobilityBot|360Spider|AhrefsBot|BLEXBot|MJ12bot|BUbiNG|Findxbot|Morfeus|larbin|ZmEu|Toata|talktalk|Baiduspider|webalta|nikto|wkito|pikto|scan|acunetix|morfeus|webcollage|youdao|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner|SemrushBot|GetWeb!|GetRight|Go!Zilla|Download\Demon|Go-Ahead-Got-It|TurnitinBot|GrabNet|Indy\ Library) ) {
 +    
 +        # Connection Closed Without Response
 +        # A non-standard status code used to instruct nginx to close the connection without sending a response to the client, 
 +        # most commonly used to deny malicious or malformed requests.
 +        
 +        return 444;
 +    }
 +  ...
 +  }
 +
 +
 +
 +https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc
 +
 +
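Review bot: The microcaching location in the second hunk references a cache zone that is never declared — the `fastcgi_cache_path` line creates `keys_zone=MYAPP:100m`, but the location uses `fastcgi_cache microcache;`, so nginx will reject the config with an unknown-zone error; change it to `fastcgi_cache MYAPP;` or rename the zone to match. The same location re-declares `fastcgi_cache_key $server_name|$request_uri;`, which silently overrides the `$scheme$request_method$host$request_uri` key set above it and drops scheme and method from the key, so plain-HTTP and HTTPS responses for one path would share a cache entry. More importantly, `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;` disables nginx's default refusal to cache responses that carry Set-Cookie, so a PHP response that sets a session cookie for one visitor can be stored for the 10 s validity window and, with `fastcgi_pass_header Set-Cookie;`, handed to other visitors; unless the application never sets cookies on cacheable GET responses, drop `Set-Cookie` from that list or set `$no_cache` when a session cookie is present. In the bot-blocking hunk, the unanchored case-insensitive alternation includes generic substrings such as `scan`, `email`, `grab`, `extract` and `loader` that will also match legitimate user agents, and `Download\Demon` uses `\D` (any non-digit character) where an escaped space like `Indy\ Library` was presumably intended; a `map $http_user_agent $bad_bot` in the http context would also avoid the `if` inside `server` and make the list easier to audit. The `server {` and `location ~ \.php$ {` blocks in the microcache snippet are opened but never closed within the hunk.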
  