linux:webserver:nginx
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
linux:webserver:nginx [2015/01/21 10:23] tkilla created |
linux:webserver:nginx [2020/11/13 04:12] (current) tkilla [Block Bots, SQL Injections, etc] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Nginx ====== | ====== Nginx ====== | ||
| + | |||
| + | ====== Performance ====== | ||
| + | |||
| + | * uninstall nginx-full (nginx is just an empty meta-package), | ||
| + | * try nginx-light -> it's faster (ca. 0,2sec), but few modules | ||
| + | * always use latest versions from dotdeb repo | ||
| + | |||
| + | **nginx.conf optimizations: | ||
| + | ** | ||
| + | # use the number of** logical cores / threads: | ||
| + | worker_processes 8; | ||
| + | worker_connections 1024; | ||
| + | |||
| + | multi_accept on; | ||
| + | | ||
| + | # log buffer (reduce slow disc writes) | ||
| + | access_log / | ||
| + | |||
| + | # gzip config | ||
| + | gzip on; | ||
| + | gzip_disable " | ||
| + | gzip_min_length 1400; | ||
| + | gzip_vary on; | ||
| + | gzip_proxied any; | ||
| + | gzip_comp_level 6; | ||
| + | gzip_buffers 16 8k; | ||
| + | gzip_http_version 1.1; | ||
| + | gzip_types text/plain text/css application/ | ||
| + | |||
| + | # Cache information about frequently accessed files | ||
| + | open_file_cache max=2000 inactive=20s; | ||
| + | open_file_cache_valid 60s; | ||
| + | open_file_cache_min_uses 5; | ||
| + | open_file_cache_errors off; | ||
| + | |||
| + | # buffers optimzed: | ||
| + | client_max_body_size 20m; | ||
| + | client_body_buffer_size 128k; | ||
| + | # fix 169 upstream sent too big header while reading response header from upstream | ||
| + | proxy_buffer_size | ||
| + | proxy_buffers | ||
| + | proxy_busy_buffers_size | ||
| + | proxy_connect_timeout | ||
| + | proxy_send_timeout | ||
| + | proxy_read_timeout | ||
| + | fastcgi_send_timeout 1200s; | ||
| + | fastcgi_read_timeout 1200s; | ||
| + | | ||
| + | # mitigate https:// | ||
| + | fastcgi_param HTTP_PROXY ""; | ||
| + | |||
| + | |||
| + | tcp_nopush on; | ||
| + | tcp_nodelay on; | ||
| + | #tcp_nopush off; # -> 0,1s - 0,3s slower | ||
| + | keepalive_timeout 5; # instead of 65 - less ressources, same performance | ||
| Line 35: | Line 91: | ||
| https:// | https:// | ||
| + | |||
| + | |||
| + | ===== rewrites ===== | ||
| + | |||
| + | URL-Encoding with Umlauten is a problem. Here is howto fix it: | ||
| + | |||
| + | rewrite (*UTF8)^/ | ||
| + | |||
| + | |||
| + | ===== microcaching ===== | ||
| + | |||
| + | Cache PHP output for a very short time on busy sites to reduce php load: | ||
| + | |||
| + | Vhost config top: | ||
| + | |||
| + | fastcgi_cache_path /home/cache levels=1:2 keys_zone=MYAPP: | ||
| + | fastcgi_cache_key " | ||
| + | |||
| + | |||
| + | server { | ||
| + | .... | ||
| + | | ||
| + | location ~ \.php$ { | ||
| + | |||
| + | # Setup var defaults | ||
| + | set $no_cache ""; | ||
| + | # If non GET/HEAD, don't cache & mark user as uncacheable for 1 second via cookie | ||
| + | if ($request_method !~ ^(GET|HEAD)$) { | ||
| + | set $no_cache " | ||
| + | } | ||
| + | # Drop no cache cookie if need be | ||
| + | # (for some reason, add_header fails if included in prior if-block) | ||
| + | if ($no_cache = " | ||
| + | | ||
| + | | ||
| + | } | ||
| + | # Bypass cache if no-cache cookie is set | ||
| + | if ($http_cookie ~* " | ||
| + | set $no_cache " | ||
| + | } | ||
| + | # Bypass cache if flag is set | ||
| + | fastcgi_no_cache $no_cache; | ||
| + | fastcgi_cache_bypass $no_cache; | ||
| + | fastcgi_cache microcache; | ||
| + | fastcgi_cache_key $server_name|$request_uri; | ||
| + | fastcgi_cache_valid 404 30m; | ||
| + | fastcgi_cache_valid 200 10s; | ||
| + | fastcgi_max_temp_file_size 1M; | ||
| + | fastcgi_cache_use_stale updating; | ||
| + | fastcgi_pass_header Set-Cookie; | ||
| + | fastcgi_pass_header Cookie; | ||
| + | fastcgi_ignore_headers Cache-Control Expires Set-Cookie; | ||
| + | |||
| + | ====== Security ====== | ||
| + | |||
| + | |||
| + | ===== Block Bots, SQL Injections, etc ===== | ||
| + | |||
| + | Howto Block Bots in nginx.conf or included config. Here's an extensive List: | ||
| + | |||
| + | server { ... | ||
| + | | ||
| + | if ($http_user_agent ~* (AspiegelBot|MegaIndex|heritrix|panscient|HubSpot|libwww-perl|OpenVAS-VT|masscan|Linguee|Nimbostratus|Seekport|SMTBot|SEOkicks|SeobilityBot|360Spider|AhrefsBot|BLEXBot|MJ12bot|BUbiNG|Findxbot|Morfeus|larbin|ZmEu|Toata|talktalk|Baiduspider|webalta|nikto|wkito|pikto|scan|acunetix|morfeus|webcollage|youdao|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner|SemrushBot|GetWeb!|GetRight|Go!Zilla|Download\Demon|Go-Ahead-Got-It|TurnitinBot|GrabNet|Indy\ Library) ) { | ||
| + | | ||
| + | # Connection Closed Without Response | ||
| + | # A non-standard status code used to instruct nginx to close the connection without sending a response to the client, | ||
| + | # most commonly used to deny malicious or malformed requests. | ||
| + | | ||
| + | return 444; | ||
| + | } | ||
| + | ... | ||
| + | } | ||
| + | |||
| + | |||
| + | |||
| + | https:// | ||
| + | |||
| + | |||
| + | |||
linux/webserver/nginx.1421832227.txt.gz · Last modified: 2015/01/21 10:23 by tkilla
