linux:webserver:nginx

linux:webserver:nginx [2016/08/10 21:31]
tkilla
linux:webserver:nginx [2020/11/13 04:12] (current)
tkilla [Block Bots, SQL Injections, etc]
Line 3: Line 3:
 ====== Performance ====== ====== Performance ======
  
-  * uninstall nginx-full from wheezy (nginx is just an empty meta-package), instead install nginx-extras from dotdeb. this version is much faster! +  * uninstall nginx-full (nginx is just an empty meta-package), instead install nginx-extras from dotdeb. this version includes pagespeed and everything 
-  * nginx.conf optimizations: +  * try nginx-light -> it'faster (ca. 0,2sec), but few modules 
-    worker_processes 4;   we have 4 cores +  * always use latest versions from dotdeb repo 
-    worker_connections 4096+ 
-    multi_accept on;  +**nginx.conf optimizations:** 
-    access_log /var/log/nginx/access.log main buffer=16k; # log buffer (reduce slow disc writes) +** 
-    # gzip enabled +  use the number of** logical cores / threads: 
-    # Cache information about frequently accessed files enabled+  worker_processes 8; 
 +  worker_connections 1024
 + 
 +  multi_accept on;  
 +   
 +  # log buffer (reduce slow disc writes) 
 +  access_log /var/log/nginx/access.log main buffer=16k; 
 + 
 +  # gzip config 
 +  gzip on; 
 +  gzip_disable "msie6"; 
 +  gzip_min_length 1400; 
 +  gzip_vary on; 
 +  gzip_proxied any; 
 +  gzip_comp_level 6; 
 +  gzip_buffers 16 8k; 
 +  gzip_http_version 1.1; 
 +  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; 
 + 
 +  # Cache information about frequently accessed files 
 +  open_file_cache max=2000 inactive=20s; 
 +  open_file_cache_valid 60s; 
 +  open_file_cache_min_uses 5; 
 +  open_file_cache_errors off; 
 + 
 +  # buffers optimzed: 
 +  client_max_body_size 20m; 
 +  client_body_buffer_size 128k; 
 +  # fix 169 upstream sent too big header while reading response header from upstream 
 +  proxy_buffer_size   128k; 
 +  proxy_buffers   4 256k; 
 +  proxy_busy_buffers_size   256k; 
 +  proxy_connect_timeout  1200s; 
 +  proxy_send_timeout  1200s; 
 +  proxy_read_timeout  1200s; 
 +  fastcgi_send_timeout 1200s; 
 +  fastcgi_read_timeout 1200s; 
 +   
 +  # mitigate https://httpoxy.org: 
 +  fastcgi_param HTTP_PROXY ""; 
 + 
 + 
 +  tcp_nopush on; 
 +  tcp_nodelay on; 
 +  #tcp_nopush off; # -> 0,1s - 0,3s slower 
 +  keepalive_timeout 5;   # instead of 65 - less ressources, same performance
  
  
Line 53: Line 98:
  
   rewrite (*UTF8)^/[öüäÖÜÄßa-zA-Z][a-zA-Z]/index.php(.*)$ /index.php$1;   rewrite (*UTF8)^/[öüäÖÜÄßa-zA-Z][a-zA-Z]/index.php(.*)$ /index.php$1;
 +
 +
 +===== microcaching =====
 +
 +Cache PHP output for a very short time on busy sites to reduce php load:
 +
 +Vhost config top:
 +
 +  fastcgi_cache_path /home/cache levels=1:2 keys_zone=MYAPP:100m inactive=60m;
 +  fastcgi_cache_key "$scheme$request_method$host$request_uri";
 +
 +
 +server {
 +  ....
 +  
 +  location ~ \.php$ {
 +
 +  # Setup var defaults
 +  set $no_cache "";
 +  # If non GET/HEAD, don't cache & mark user as uncacheable for 1 second via cookie
 +  if ($request_method !~ ^(GET|HEAD)$) {
 +       set $no_cache "1";
 +  }
 +  # Drop no cache cookie if need be
 +  # (for some reason, add_header fails if included in prior if-block)
 +  if ($no_cache = "1") {
 +       add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
 +       add_header X-Microcachable "0";
 +  }
 +  # Bypass cache if no-cache cookie is set
 +  if ($http_cookie ~* "_mcnc") {
 +       set $no_cache "1";
 +  }
 +  # Bypass cache if flag is set
 +  fastcgi_no_cache $no_cache;
 +  fastcgi_cache_bypass $no_cache;
 +  fastcgi_cache microcache;
 +  fastcgi_cache_key $server_name|$request_uri;
 +  fastcgi_cache_valid 404 30m;
 +  fastcgi_cache_valid 200 10s;
 +  fastcgi_max_temp_file_size 1M;
 +  fastcgi_cache_use_stale updating;
 +  fastcgi_pass_header Set-Cookie;
 +  fastcgi_pass_header Cookie;
 +  fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 +
 +====== Security ======
 +
 +
 +===== Block Bots, SQL Injections, etc =====
 +
 +Howto Block Bots in nginx.conf or included config. Here's an extensive List:
 +
 +  server { ...
 +  
 +    if ($http_user_agent ~* (AspiegelBot|MegaIndex|heritrix|panscient|HubSpot|libwww-perl|OpenVAS-VT|masscan|Linguee|Nimbostratus|Seekport|SMTBot|SEOkicks|SeobilityBot|360Spider|AhrefsBot|BLEXBot|MJ12bot|BUbiNG|Findxbot|Morfeus|larbin|ZmEu|Toata|talktalk|Baiduspider|webalta|nikto|wkito|pikto|scan|acunetix|morfeus|webcollage|youdao|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner|SemrushBot|GetWeb!|GetRight|Go!Zilla|Download\Demon|Go-Ahead-Got-It|TurnitinBot|GrabNet|Indy\ Library) ) {
 +    
 +        # Connection Closed Without Response
 +        # A non-standard status code used to instruct nginx to close the connection without sending a response to the client, 
 +        # most commonly used to deny malicious or malformed requests.
 +        
 +        return 444;
 +    }
 +  ...
 +  }
 +
 +
 +
 +https://www.howtoforge.com/nginx-how-to-block-exploits-sql-injections-file-injections-spam-user-agents-etc
 +
 +
  
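Review bot: The microcache location uses `fastcgi_cache microcache;` (L118) while the only zone declared above it is `keys_zone=MYAPP:100m` (L90), so nginx will reject this config at load time until the names agree, e.g. `fastcgi_cache MYAPP;`. More importantly, `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;` (L126) tells nginx to cache responses that carry a Set-Cookie header (which it otherwise refuses to do), and the cached response — cookie included — is then served to every client sharing the `$server_name|$request_uri` key for up to 10s, which can hand one visitor's session cookie to another if any GET response sets a cookie; drop `Set-Cookie` from the ignore list (the `fastcgi_pass_header Set-Cookie;` line on L124 is redundant, Set-Cookie is passed by default) unless the application is known never to set cookies on GET/HEAD. The location-level `fastcgi_cache_key $server_name|$request_uri;` (L119) also overrides the http-level key on L91, so `$scheme` and `$request_method` silently stop being part of the key. The `server {` and `location ~ \.php$ {` blocks opened on L94/L97 are not closed within the hunk.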