Nginx access control and parameter tuning methods

Nginx global variables

There are many global variables in Nginx, which can be used through $variable name. Here are some commonly used global variables:

Nginx location

Location

The location directive is used to execute different applications based on the URI requested by the user. That is, matching is performed according to the website address URL requested by the user, and corresponding operations are performed if the match is successful.

grammar
The syntax of location is: location [=|~|~*|^~] /uri/ { … }
The variable that location matches is $uri
Description of several characters

Rule Priority

= higher than^~ higher than~* equal to~ higher than/

Example 1

location = "/12.jpg" { ... }
like:
www.syushin.com/12.jpg matches www.syushin.com/abc/12.jpg does not match location ^~ "/abc/" { ... }
like:
www.syushin.com/abc/123.html matches www.syushin.com/a/abc/123.jpg but does not match location ~ "png" { ... }
like:
www.syushin.com/aaa/bbb/ccc/123.png matches www.syushin.com/aaa/png/123.html matches location ~* "png" { ... }
like:
www.syushin.com/aaa/bbb/ccc/123.PNG matches www.syushin.com/aaa/png/123.html matches location /admin/ { ... }
like:
www.syushin.com/admin/aaa/1.php matches www.syushin.com/123/admin/1.php does not match

Notice:

Some information on location support does not match!~ For example: location !~ 'png'{ ... }

This is wrong, location is not supported!~

If there is such a requirement, it can be implemented through if (location priority is less than if), such as: if ($uri !~ 'png') { ... }

Access Control

In the web2.0 era, many websites are user-centric and allow users to publish content to the server. Since the upload function is open to users, there are great security risks, such as hackers uploading Trojan programs and so on. Therefore, it is necessary to configure access control.

deny and allow

It is easy to understand literally as rejection and permission.

The deny and allow directives of Nginx are provided by the ngx_http_access_module module, which is built-in by default in Nginx installation.

grammar

Syntax: allow/deny address | CIDR | unix: | all

It means to allow/deny access to a certain IP or an IP segment. If unix: is specified, socket access will be allowed.

Note: This feature is newly added in Unix 1.5.1.

In nginx, allow and deny rules are executed in sequence.

Example 1:

location /
{
  allow 192.168.0.0/24;
  allow 127.0.0.1;
  deny all;
}

Note: This configuration value allows requests from the 192.168.0.0/24 network segment and 127.0.0.1, and rejects all other source IP addresses.

Example 2:

location ~ "admin"
{
  allow 192.168.30.7;
  deny all
}

Note: The accessed URI contains admin requests, and only requests from the IP 192.168.30.7 are allowed.

Location-based access control

In daily life, access control is basically configured in conjunction with location. Let’s take a direct example.

Example 1:

location /blog/
{
  deny all;
}

Note: For the /blog/ directory, all access is prohibited. The deny all; here can be changed to return 403;.

Example 2

location ~ ".bak|\.ht"
{
  return 403;
}

Note: If the accessed URI contains .bak or .ht, the 403 status code will be returned directly.

Test link example:

• www.syushin.com/abc.bak
• www.syushin.com/blog/123/.htalskdjf

If the URL entered by the user is one of the above, 403 will be returned.

Example 3

location ~ (data|cache|tmp|image|attachment).*\.php$
{
  deny all;
}

Note: All requested URIs containing data, cache, tmp, image, attachment and ending with .php are prohibited from access.

Test link example:

• www.xxxxxx.com/aming/cache/1.php
• www.xxxxxxx.com/image/123.phps
• www.xxxxxx.com/aming/datas/1.php

$document_uri based access control

As mentioned earlier, the built-in variable $document_uri means the URI that does not contain instructions in the current request.

For example, the $document_uri of www.123.com/1.php?a=1&b=2 is 1.php, which does not include the following parameters.

We can do access control on this variable.

Example 1

if ($document_uri ~ "/admin/")
{
  return 403;
}

Note: When the requested URI contains /admin/, 403 is returned directly.

Note: allow and deny are not supported in the if structure.

Test Link:

1. www.xxxxx.com/123/admin/1.html matches
2. www.xxxxx.com/admin123/1.html does not match
3. www.xxxxx.com/admin.php does not match

Example 2

if ($document_uri = /admin.php)
{
  return 403;
}

Note: When the requested URI is /admin.php, a 403 status code is returned.

Test Link:

1. www.xxxxx.com/admin.php # matches
2. www.xxxxx.com/123/admin.php # does not match

Example 3

if ($document_uri ~ '/data/|/cache/.*\.php$')
{
  return 403;
}

Note: When the requested URI contains the data or cache directory and is PHP, a 403 status code is returned.

Test Link:

1. www.xxxxx.com/data/123.php # matches
2. www.xxxxx.com/cache1/123.php # does not match

$request_uri based access control

$request_uri has more request parameters than $docuemnt_uri. It mainly controls the parameters in the requested URI.

Example

if ($request_uri ~ "gid=\d{9,12}")
{
  return 403;
}

Note: \d{9,12} is a regular expression, which means 9 to 12 numbers. For example, gid=1234567890 meets the symbol requirement.

Test Link:

1. www.xxxxx.com/index.php?gid=1234567890&pid=111 matches
2. www.xxxxx.com/gid=123 does not match

Background knowledge:

There was a client's website that was attacked by CC. The other party initiated too many requests like this: /read-123405150-1-1.html
In fact, such a request is not a normal request. The website will throw a page indicating that the post does not exist.
Therefore, you can directly return a 403 status code for such requests.

Access control based on $http_user_agent (anti-crawler)

User_agent can be simply understood as a browser identifier. Some spider crawlers can also be identified by user_agent. If you observe the access logs, you will find that some search engine spiders visit your website very frequently, which is not friendly. In order to reduce the pressure on the server, you can actually block all spider crawlers except the mainstream search engine spiders.

Example

if ($user_agent ~ 'YisouSpider|MJ12bot/v1.4.2|YoudaoBot|Tomato')
{
  return 403;
}

Note: All requests with the above keywords in user_agent will return a 403 status code.

test:

1. curl -A "123YisouSpider1.0"
2. curl -A "MJ12bot/v1.4.1"

$http_referer based access control

In addition to the anti-hotlink function, $http_referer can also meet some special requirements.

for example:

The website was hacked and the web pages indexed by the search engine were problematic. When the website was clicked through the search engine, a gambling website was displayed.
Since it takes time to find Trojans and cannot be resolved immediately, in order not to affect the user experience, a special operation can be performed for such requests.
For example, you can directly return a 404 status code to the link accessed from Baidu, or return a piece of HTML code.

Example

if ($http_referer ~ 'baidu.com')
{
  return 404;
}

or

if ($http_referer ~ 'baidu.com')
{
  return 200 "<html><script>window.location.href='//$host$request_uri';</script></html>";
}

Nginx parameter optimization

As a high-performance web server, Nginx can handle a large number of concurrent requests even without adjusting the configuration parameters. Of course, configuration tuning will make Nginx performance more powerful, and the configuration parameters need to be combined with the server hardware performance as a reference.

Worker process optimization

worker_processes num;

This parameter indicates how many working processes are started. It is recommended to keep it consistent with the number of CPU cores on the local machine. Each CPU core processes one process. num indicates a number.

worker_rlimit_nofile

It indicates the maximum number of file descriptors available for Nginx. It needs to be matched with the maximum descriptor of the system. It is recommended to set it to 102400.
You also need to execute ulimit -n 102400 in the system.
You can also directly modify the configuration file /etc/security/limits.conf to modify and increase:
#* soft nofile 655350 (remove the leading #)
#* hard nofile 655350 (remove the leading #)

worker_connections

This parameter is used to configure the maximum number of connections that each Nginx worker process can handle.
This parameter also determines how many client requests the Nginx server can handle at most (worker_processes * worker_connections)
It is recommended to set this parameter to 10240, but not too large.

Optimize the number of http/tcp connections

Use epoll

Use the epoll event-driven model, which is the optimal model for Linux systems.

multi_accept on

Enables each worker process to handle multiple client requests simultaneously.

sendfile on

Using the kernel's FD file transfer function can reduce the switching between user mode and kernel mode, thereby improving server performance.

tcp_nopush on

When tcp_nopush is set to on, the tcp_cork method is called for data transmission.
Using this method will have the following effect: when the application generates data,
The kernel will not encapsulate the packet immediately, but will encapsulate and transmit it only when the amount of data accumulates to a certain amount.

tcp_nodelay on

Do not cache data-sends (turn off the Nagle algorithm), which can improve the real-time performance of high-frequency sending of small data packets.

(About Nagle's algorithm)

If you need to send small packets of data frequently, such as 1 byte, then each packet must be accompanied by a 40-byte header, using IPv4 as an example.
That is to say, out of a total of 41 bytes of data, only 1 byte is the data we need.
To solve this problem, Nagle's algorithm was developed.
It stipulates that if the size of the packet meets the MSS, it can be sent immediately, otherwise the data will be put into the buffer and can only be sent after the already sent packet is confirmed.
Through such regulations, the number of small packets in the network can be reduced, thereby improving network performance.

keepalive_timeout

Define the timeout period for long connections. 30s is recommended. Too short or too long may not be appropriate. Of course, it is best to dynamically adjust this parameter based on the business situation.

keepalive_requests

Defines the maximum number of requests each client can make when the client and server are in a long connection. It can be set to a large value, such as 50000.

reset_timeout_connection on

If set to on, the server is allowed to close the connection when the client no longer sends requests to the server.

client_body_timeout

If the client fails to load the body data within the specified time, the connection will be disconnected. The unit is seconds. The default value is 60 and can be set to 10.

send_timeout

This timeout is the timeout for sending a response, that is, the Nginx server sent a data packet to the client, but the client did not receive the data packet.
If a connection exceeds the timeout defined by send_timeout, Nginx will close the connection. The unit is seconds and can be set to 3.

compression

For plain text content, Nginx can use gzip compression. Using compression technology can reduce bandwidth consumption.

Supported by the ngx_http_gzip_module module

The configuration is as follows:

gzip on; //Enable gzip functiongzip_min_length 1024; //Set the requested resource to be compressed only when it exceeds this value, in bytesgzip_buffers 16 8k; //Set the buffer size used for compression, the first number is the number, the second is the size of each buffergzip_comp_level 6; //Set the compression level, ranging from 1-9, 9 is the highest compression level and consumes the most CPU resourcesgzip_types text/plain application/x-javascript text/css application/xml image/jpeg image/gif image/png; //Specify which types of files need to be compressedgzip_disable "MSIE 6\."; //IE6 browser does not enable compression

test:

curl -I -H "Accept-Encoding: gzip, deflate" http://www.xxxxx.com/1.css

log

• Increase the error log level, such as the crit level, and record as few insignificant logs as possible.
• For access logs, if you do not need to record logs, you can turn them off.
• Access log for static resources is disabled

Static file expiration

For static files, you need to set an expiration time so that these resources can be cached in the client browser.
Before the cache expires, the client no longer requests the same resource from the server, thus saving bandwidth and resource consumption.

The configuration example is as follows:

location ~* ^.+\.(gif|jpg|png|css|js)$                   
{
  expires 1d; //1d means 1 day, you can also use 24h to represent a day.
}

Access control and parameter tuning only record some parts, some of which may be used in work. I will make notes on SSL configuration later. The spring recruitment written test is very difficult, so study hard...

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.