linux:webserver:nginx [2016/09/24 22:04] tkilla |
linux:webserver:nginx [2020/11/13 04:12] (current) tkilla [Block Bots, SQL Injections, etc] |
||
---|---|---|---|
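--- a/linux:webserver:nginx
+++ b/linux:webserver:nginx
@@ -101,2 +101,67 @@
 ===== microcaching =====
-TBD
+
+Cache PHP output for a very short time on busy sites to reduce php load:
+
+Vhost config top:
+
+fastcgi_cache_path /home/cache levels=1:2 keys_zone=MYAPP:
+fastcgi_cache_key "
+
+
+server {
+....
+
+location ~ \.php$ {
+
+# Setup var defaults
+set $no_cache "";
+# If non GET/HEAD, don't cache & mark user as uncacheable for 1 second via cookie
+if ($request_method !~ ^(GET|HEAD)$) {
+set $no_cache "
+}
+# Drop no cache cookie if need be
+# (for some reason, add_header fails if included in prior if-block)
+if ($no_cache = "
+
+
+}
+# Bypass cache if no-cache cookie is set
+if ($http_cookie ~* "
+set $no_cache "
+}
+# Bypass cache if flag is set
+fastcgi_no_cache $no_cache;
+fastcgi_cache_bypass $no_cache;
+fastcgi_cache microcache;
+fastcgi_cache_key $server_name|$request_uri;
+fastcgi_cache_valid 404 30m;
+fastcgi_cache_valid 200 10s;
+fastcgi_max_temp_file_size 1M;
+fastcgi_cache_use_stale updating;
+fastcgi_pass_header Set-Cookie;
+fastcgi_pass_header Cookie;
+fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+
+====== Security ======
+
+
+===== Block Bots, SQL Injections, etc =====
+
+Howto Block Bots in nginx.conf or included config. Here's an extensive List:
+
+server { ...
+
+if ($http_user_agent ~* (AspiegelBot|MegaIndex|heritrix|panscient|HubSpot|libwww-perl|OpenVAS-VT|masscan|Linguee|Nimbostratus|Seekport|SMTBot|SEOkicks|SeobilityBot|360Spider|AhrefsBot|BLEXBot|MJ12bot|BUbiNG|Findxbot|Morfeus|larbin|ZmEu|Toata|talktalk|Baiduspider|webalta|nikto|wkito|pikto|scan|acunetix|morfeus|webcollage|youdao|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner|SemrushBot|GetWeb!|GetRight|Go!Zilla|Download\Demon|Go-Ahead-Got-It|TurnitinBot|GrabNet|Indy\ Library) ) {
+
+# Connection Closed Without Response
+# A non-standard status code used to instruct nginx to close the connection without sending a response to the client,
+# most commonly used to deny malicious or malformed requests.
+
+return 444;
+}
+...
+}
+
+
+
+https://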
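Review bot: The microcache block can serve one visitor's response to another: `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;` lets nginx store a 200 even when PHP marks it private or sets a cookie, and the key `$server_name|$request_uri` has no per-user component. The only bypass is the short-lived no-cache cookie set after a non-GET request, so a logged-in user browsing with GET still hits the shared cache, and a stored `Set-Cookie` would be replayed to other clients for 10 s. I would drop `Set-Cookie` from the ignore list (`fastcgi_ignore_headers Cache-Control Expires;`) and add a bypass keyed on the application's session cookie, e.g. `if ($http_cookie ~* "<SESSION_COOKIE_NAME>") { set $no_cache "1"; }`. `fastcgi_cache microcache;` also names a zone that the `fastcgi_cache_path` line as shown does not declare (`keys_zone=MYAPP:`; that line is cut off on this page). In the bot list, bare tokens such as `scan`, `email`, `loader` and `grab` match case-insensitively anywhere in the User-Agent and will catch legitimate clients, and since that header is client-supplied the rule does not address SQL injection despite the heading; a comment saying so would help.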