Nginx server anti-CC attack settings

Nginx is a lightweight web server developed by Russian programmer Igor Sysoev; it was originally used by the large Russian portal and search engine Rambler. It uses little memory and has strong concurrency capability; in fact, Nginx's concurrency does perform better than that of other web servers of the same type. Although Nginx can handle a larger number of connections than Apache, an HTTP GET flood is aimed not only at web servers but also at database servers. A large number of HTTP requests generates a large number of database queries, which can cause the database to stop responding within a few seconds, increase the system load, and eventually cause the server to crash.

1. Active suppression

In order for Nginx to support more concurrent connections, adjust the number of worker processes and the maximum number of connections supported by each worker process according to the actual situation. For example, setting "worker_processes 10" and "worker_connections 1024" means the maximum number of connections supported by this server is 10×1024=10240.

    worker_processes 10;
    events {
        use epoll;
        worker_connections 10240;
    }

Starting with nginx 0.7, two modules that limit user connections are provided: NginxHttpLimitZoneModule and NginxHttpLimitReqModule. NginxHttpLimitZoneModule can control the number…

Configure Nginx1.3+tomcat7 server environment in CentOS6.2 system

Experimental environment and software versions: CentOS6.2, nginx-1.3.0.tar.gz, apache-tomcat-7.0.27.tar.gz, jdk-6u11-linux-i586-rpm.bin.gz

1. Install Tomcat and JDK

1. Upload the tar packages to the /usr/local directory of the system.

2. Unpack apache-tomcat-7.0.27.tar.gz and rename it to tomcat7 (for convenience):

    #tar zxvf apache-tomcat-7.0.27.tar.gz
    #mv apache-tomcat-7.0.27 tomcat7

3. Unpack the JDK and install it (if you already installed the Java environment when you installed the system, steps 3 and 4 can be omitted):

    #gunzip jdk-6u11-linux-i586-rpm.bin.gz
    #./jdk-6u11-linux-i586-rpm.bin

4. Configure environment variables. Edit the /etc/profile file (note: develop the good habit of backing up before editing):

    #cd /etc/
    #cp profile profile.bak

Append the following content:

    JAVA_HOME="/usr/java/jdk1.6.0_11"
    CLASS_PATH="$JAVA_HOME/lib:$JAVA_HOME/jre/lib"
    PATH=".:$PATH:$JAVA_HOME/bin"
    CATALINA_HOME="/usr/local/tomcat7"
    export JAVA_HOME CATALINA_HOME

5. Start Tomcat and check whether the installation was successful:

    #cd /usr/local/tomcat7/bin/
    #./startup.sh

Enter http://ip:8080/ in the browser to see if a cat appears. This assumes that your firewall allows access to port 8080.

6. Set Tomcat's service directory:

    #cd /usr/local/tomcat7/conf/

Edit the server.xml file and find:

    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

Append after it:

    <Context path="" docBase="/var/www/html" debug="0" reloadable="true"/>

Replace "/var/www/html" with your own directory where the website is placed. Open http://ip:8080/ again to see if it is the page you want to visit.

2. Install Nginx

1.…

Detailed explanation of the installation and configuration process of Nginx+tomcat service under Linux system

#The user name and user group where nginx is running
#user www www;
#Start the number of processes
worker_processes 8;
#Global error log and PID file
error_log /usr/local/nginx/logs/nginx_error.log crit;
pid /usr/local/nginx/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;
#Working mode and connection limit
events {
    use epoll;
    worker_connections 65535;
}
#Set up the http server, use its reverse proxy function to provide load balancing support
http {
    #Set mime type
    include mime.types;
    default_type application/octet-stream;
    include /usr/local/nginx/conf/proxy.conf;
    #charset gb2312;
    #Set request buffer
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 8m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    # fastcgi_connect_timeout 300;
    # fastcgi_send_timeout 300;
    # fastcgi_read_timeout 300;
    # fastcgi_buffer_size 64k;
    # fastcgi_buffers 4 64k;
    # fastcgi_busy_buffers_size 128k;
    # fastcgi_temp_file_write_size 128k;
    # gzip on;
    # gzip_min_length 1k;
    # gzip_buffers 4 16k;
    # gzip_http_version 1.0;
    # gzip_comp_level 2;
    # gzip_types text/plain application/x-Javascript text/css application/xml;
    # gzip_vary on;
    #limit_zone crawler $binary_remote_addr 10m;
    ###Forbid access to the site through ip
    server{
        server_name _;
        return 404;
    }
    server {
        listen 80;
        server_name localhost;
        index index.html index.htm index.jsp; #Set the default home page address
        root /home/www/web/ROOT; #Set the resource storage path of the website
        #limit_conn crawler 20;
        location ~…

Linux system configuration Nginx+svn service

Because there is nothing to customize, svn is installed directly with the package manager that comes with the system. Taking the CentOS series as an example, the command is as follows:

    yum install subversion

Then install nginx:

    mkdir -p /opt/soft
    groupadd web
    useradd http -g web -s /sbin/nologin
    cd /opt/soft
    wget http://sourceforge.net/projects/pcre/files/pcre/8.12/pcre-8.12.tar.gz
    wget http://www.openssl.org/source/openssl-1.0.0d.tar.gz
    tar zxvf pcre-8.12.tar.gz
    tar zxvf openssl-1.0.0d.tar.gz
    tar zxvf nginx-0.8.54.tar.gz
    cd nginx-0.8.54
    ./configure --prefix=/opt/nginx --user=http --group=web --with-http_stub_status_module --with-http_ssl_module --with-md5=/usr/lib/ --with-pcre=/opt/soft/pcre-8.12 --with-openssl=/opt/soft/openssl-1.0.0d
    make
    make install

Set root to /data/wwwroot:

    vi /opt/nginx/conf/nginx.conf
    …

Create the svn repository:

    svnadmin create /data/svn

Modify the configuration files:

    vi /data/svn/conf/authz

    [groups]
    #A member of the admin group
    admin=test
    [/]
    #The permission of the member to the / directory: r read, w write
    test = rw

    vi /data/svn/conf/passwd

    [users]
    #password of user test
    test = 123456

    vi /data/svn/conf/svnserve.conf

    anon-access = none
    auth-access = write
    password-db = passwd
    authz-db = authz
    realm = My First Repository

Start svnserve:

    svnserve -d -r /data/svn

You can also use the --listen-port parameter to specify the port, in order to start multiple repositories.

Import the project; suppose the project directory is svn://host/test. Check out a working copy of the svn repository (the directory nginx reads):

    cd /data/wwwroot
    svn co svn://localhost/test --username test --password 123456…

Linux system compiles and installs Nginx+PHP+MySQL environment

Nginx is a high-performance HTTP and reverse proxy server, and it is also an IMAP/POP3/SMTP proxy server. It was developed for the Russian site Rambler.ru, and it is known for its stable performance and low system resource consumption. In recent years Nginx has become popular in China: Tencent, NetEase, 51CTO, Thunder, Dangdang, 51, Renren and many other large websites use Nginx as their web server, so it is well worth learning how to use it. Let's take a look at how Nginx is built on the Linux platform.

Before installation, first use the yum command to install and upgrade the required libraries:

    yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers

1. Install MySQL

At present, web servers rarely run static pages. If you want to run dynamic websites, of course you cannot do without the database. Although I wrote how to install MySQL in the previous article, I feel that MySQL has not been installed for a long time. Now I…

Linux (CentOS) system Apache+Nginx+PHP+MySQL+memcached detailed installation

Last update time: 2012.3.21

========================
Step 1: Apache installation (updated to 2.2.22)
========================

Download: go to http://www.apache.org and find a new version yourself: http://httpd.apache.org/
There are many mirrors in China, such as "Renren" and "163": http://labs.renren.com/
Make sure to look for httpd, because there are many projects under apache, among which httpd is the web server.
English documentation: http://httpd.apache.org/docs/2.2/
Chinese documentation: http://www.php100.com/manual/apache2/index.html

------------------------

    #wget http://labs.renren.com/apache-mirror/httpd/httpd-2.2.22.tar.gz
    #tar zxvf httpd-2.2.22.tar.gz
    #cd ./httpd-2.2.22
    #./configure --prefix=/usr/local/apache2/ --enable-proxy --enable-ssl --enable-cgi --enable-rewrite --enable-so --enable-module=so
    #make
    #make install

Explanation: if make fails, then configure failed. For example, if you lack the ssl components, you can remove --enable-ssl.

------------------------

If you get the "No recognized SSL/TLS toolkit detected" error:

    #yum -y install openssl openssl-devel

------------------------

If you get "make: command not found", check whether make is installed:

    # rpm -qa|grep make

If there is no output, make is not installed:

    #yum install make

------------------------

Start manually:

    # /usr/local/apache2/bin/apachectl start

Restart:

    # /usr/local/apache2/bin/apachectl restart

If an error is reported: "Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName", you need to modify /usr/local/apache2/conf/httpd.conf. Find:

    #ServerName www.example.com:80

and change it to:

    ServerName localhost:80

------------------------

Starting a YUM automatic installation:

    #service httpd restart

Entering this will prompt an…

nginx uses limit_zone and limit_req_zone to limit connections

There are two modules in nginx that limit connections: one is limit_zone and the other is limit_req_zone. Both can limit connections, but what exactly is the difference? The following is the explanation given on the nginx official website.

limit_req_zone
Limit frequency of connections from a client. This module allows you to limit the number of requests for a given session, or as a special case, with one address. Restriction done using leaky bucket.

limit_zone
Limit simultaneous connections from a client. This module makes it possible to limit the number of simultaneous connections for the assigned session or as a special case, from one address.

Read literally, the function of limit_req_zone is to limit the user's connection frequency through the token bucket principle (this module allows you to limit the number of requests for a specified session or, as a special case, from a single address). The function of limit_zone is to limit the number of concurrent connections of a client (this module can limit the number of concurrent connections for a specified session or, as a special case, from a single address). One limits concurrent connections and the other limits connection frequency. It seems that…

Nginx+php uses open_basedir to limit the site directory to prevent cross-site

The following three setting methods all require PHP version 5.3 or above.

Method 1) Add to the Nginx configuration file:

    fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/:/proc/";

Usually, include fastcgi.conf; is used in the nginx site configuration file, so it is enough to add this line to fastcgi.conf. If a site needs an additional directory set separately, write the line above below the include fastcgi.conf; line in that site's configuration, and it will override the setting in fastcgi.conf. Settings made this way require restarting nginx to take effect.

Method 2) Add in php.ini:

    [HOST=www.server110.com]
    open_basedir=/home/www/www.server110.com:/tmp/:/proc/
    [PATH=/home/www/www.server110.com]
    open_basedir=/home/www/www.server110.com:/tmp/:/proc/

This method requires restarting php-fpm to take effect.

Method 3) Create .user.ini and write:

    open_basedir=/home/www/www.server110.com:/tmp/:/proc/

This way does not require restarting the nginx or php-fpm services. For security reasons, the write permission of the .user.ini file should be removed. For a detailed description of .user.ini files, see: http://php.net/manual/zh/configuration.file.per-user.php

When setting open_basedir, it is better to also disable the functions that execute commands; otherwise, for example:

    shell_exec('ls /etc') still sees the list of files in the /etc directory
    shell_exec('cat /etc/passwd') can still view the contents of the /etc/passwd file

The following functions are recommended to be banned:

    disable_functions = pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait,…

CentOS system installation and configuration nginx+uwsgi operating environment

The most troublesome thing about using Python for a web application is configuring the server environment. It is not as easy as PHP, where you configure the server and then throw the .php file into the web directory. There are also currently many ways to configure a Python web environment, which is really frustrating for novices. Here is a record of the nginx+uwsgi environment I compiled and configured on CentOS.

Get ready

Update the system first, and install the compilation environment and so on.

    yum update
    yum install python python-devel libxml2 libxml2-devel python-setuptools zlib-devel wget openssl-devel pcre pcre-devel sudo gcc make autoconf automake

Compile and install uwsgi

The official website of uwsgi is http://projects.unbit.it/uwsgi/; here we download its current stable version.

    wget http://projects.unbit.it/downloads/uwsgi-1.0.4.tar.gz
    tar -zxvf uwsgi-1.0.4.tar.gz  # Unpack
    mv uwsgi-1.0.4 uwsgi          # Renamed to uwsgi, just for convenience
    cd uwsgi                      # switch to uwsgi directory
    python setup.py build         # compile and install
    make

Next, move the compiled executable file to /usr/bin

Compile and install nginx

The official website of nginx is http://nginx.org; here we again download its stable version.

    cd ~
    wget http://nginx.org/download/nginx-1.0.13.tar.gz
    tar -zxvf nginx-1.0.13.tar.gz
    mv nginx-1.0.13 nginx
    cd nginx
    ./configure --prefix=/usr/local/nginx  # Compilation option configuration, simplified…

Notes on nginx security configuration in linux/vps environment

1. Delete unnecessary Nginx modules

We may configure Nginx according to our needs. We can choose not to compile some unnecessary modules, for example leaving out the autoindex and SSI modules. The commands are as follows:

    ./configure --without-http_autoindex_module --without-http_ssi_module
    make
    make install

Before compiling, you can use the following command to check which modules can be turned on or off:

    ./configure --help | less

2. Modify the Nginx server name and version number

The famous NETCRAFT website can easily check the operating system and service program version of your server, and the HTTP response headers can also disclose this information. In many cases, this information will provide a basis for hackers to attack, so we need to disguise it. Edit the Nginx source file src/http/ngx_http_header_filter_module.c with the following command:

    vi +48 src/http/ngx_http_header_filter_module.c

Find the following two lines:

    static char ngx_http_server_string[] = "Server: nginx" CRLF;
    static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;

Change them to the following; of course you can define what you want to display:

    static char ngx_http_server_string[] = "Server: NOYB" CRLF;
    static char ngx_http_server_full_string[] = "Server: NOYB" CRLF;

3. Modify Nginx configuration file

3.1 Avoid buffer overflow attacks

Modify nginx.conf…
