Nginx is an open-source, high-performance, high-concurrency web server with a simple configuration syntax, and a great many sites run on it. This post covers basic performance and security tuning of Nginx on Linux.

NGINX Docs | Welcome to NGINX documentation
Welcome to NGINX documentation. NGINX is a free, open-source, high-performance HTTP server, reverse proxy, and IMAP/POP3 proxy server.

Main configuration: nginx.conf

user nginx; # no need to change this; the default is fine (the old and new nginx configuration templates differ here)
worker_processes auto; # one worker per CPU core is the usual choice; auto derives the count from the cores available

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    worker_connections 3000; # connections each worker may hold open; total capacity is roughly worker_processes * worker_connections, and the per-process file-descriptor limit (worker_rlimit_nofile, or ulimit -n) must allow for it
    use epoll; # event-driven I/O, so one worker serves many connections; nginx already selects epoll on Linux by itself
    multi_accept on; # accept as many pending connections as possible in one go
}

http {
    aio threads; # hand blocking disk reads to a thread pool so a slow read does not stall the whole worker (needs nginx built with --with-threads)
    charset UTF-8; # avoid garbled Chinese text
    tcp_nodelay on; # do not buffer small writes; send as soon as possible
    tcp_nopush on; # send the response headers together with the start of the body in one packet (only effective together with sendfile)
    server_tokens off; # hide the nginx version in the Server header and on error pages; the Server header itself is still sent, so this is hygiene rather than protection

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # log_format must be declared before the access_log that refers to it; in the original
    # order the "main" format was defined but never applied, so the log used the built-in "combined"
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on; # copy file data kernel-side straight to the socket
    gzip on; # compress responses to save bandwidth; note that compressing dynamic pages which mix secrets (CSRF tokens, session data) with attacker-influenced content is what the BREACH attack exploits

    include /etc/nginx/conf.d/*.conf;
}
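As an added example (this is not configuration from the original post), here is the http-level logging I would pair with the TLS settings in the server block section: the format is declared before the access_log that names it, and it records the negotiated protocol, cipher, the TLS 1.3 early-data flag and the SNI name alongside the Host header. That lets you count TLS 1.2-only clients before dropping the protocol, audit 0-RTT requests, and spot Host/SNI mismatches. The paths, the format name `tls` and the sample log line are placeholders and constructed data.

```nginx
# Added example, not the original post's config. Paths and the format name are placeholders.
worker_processes auto;
worker_rlimit_nofile 8192;   # fd limit per worker; must cover worker_connections (roughly x2 when proxying: one client fd plus one upstream fd per connection)

events {
    worker_connections 3000;
}

http {
    # The format must be declared before any access_log that refers to it;
    # otherwise `nginx -t` fails with: unknown log format "tls".
    log_format tls '$remote_addr - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                   'proto=$ssl_protocol cipher=$ssl_cipher early=$ssl_early_data '
                   'sni=$ssl_server_name host=$host';
    access_log /var/log/nginx/access.log tls;

    # Shape of the resulting line (constructed, not captured from a real server):
    # 203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "GET / HTTP/2.0" 200 612 "-" "curl/8.0" proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 early=- sni=example.com host=example.com
    # $ssl_early_data is "1" for a request carried in TLS 1.3 early data and empty otherwise;
    # nginx writes an empty variable as "-". A line with sni != host is a client that
    # completed the handshake for one name and then asked for another.

    include /etc/nginx/conf.d/*.conf;
}
```

Filter on `early=1` to see which clients actually use 0-RTT, and on `proto=TLSv1.2` to measure who would break if TLS 1.2 were removed from ssl_protocols.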

Server block tuning

server {
    listen 443 ssl http2 reuseport; # enable HTTP/2; reuseport only helps on multi-core machines (on nginx 1.25.1+ the http2 listen parameter is deprecated in favour of the `http2 on;` directive)
    listen [::]:443 ssl http2 reuseport;
    ssl_certificate       /path/to/example.crt;
    ssl_certificate_key   /path/to/example.key;
    ssl_trusted_certificate /path/to/example.ca-bundle;
    ssl_protocols         TLSv1.3 TLSv1.2; # TLS 1.2 and TLS 1.3 only
    ssl_prefer_server_ciphers on;
    ssl_early_data on; # enable TLS 1.3 0-RTT; early data is replayable, so an application behind nginx must be told about it (proxy_set_header Early-Data $ssl_early_data) and refuse non-idempotent early requests
    ssl_ciphers         'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256'; # TLS 1.2 cipher list; the last two entries are CBC suites and can be dropped for an AEAD-only list. TLS 1.3 suites are not governed by this directive
    ssl_session_cache   shared:SSL:40m; # shared session cache for resumption (roughly 4000 sessions per MB)
    ssl_session_timeout 4h;
    ssl_session_tickets off; # disable session tickets: nginx does not rotate the ticket key by default, and a long-lived key undermines forward secrecy
    ssl_stapling on; # OCSP stapling; requires a certificate that carries an OCSP responder URL, otherwise nginx logs a warning and serves no staple
    ssl_stapling_verify on; # check the stapled response against ssl_trusted_certificate
    resolver 8.8.4.4; # DNS resolver for the OCSP lookups; these queries leave the host in the clear, so a local resolver is preferable to a public one
    resolver_timeout 10s;
    ssl_dhparam /etc/nginx/nginx.pem; # DH parameters; only DHE suites use them, and none appear in ssl_ciphers above, so this line is inert until one is added
    server_name           example.com;
    # add_header set at server level is not inherited by any location that declares an add_header of its own
    add_header X-Frame-Options SAMEORIGIN always; # allow framing by this origin only
    add_header X-Content-Type-Options "nosniff" always; # forbid MIME sniffing
    add_header X-XSS-Protection "1; mode=block" always; # legacy XSS auditor header; modern browsers have removed the auditor and "1; mode=block" has been abused as an information leak, so prefer "0" or drop it
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'"; # content security policy, enable with care: this host list is copied from the referenced tautt.com example and must be tailored to your own site; without `always` it is also omitted from error responses
    add_header Referrer-Policy "no-referrer";
    add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;"; # feature header; Feature-Policy has been superseded by Permissions-Policy, which uses a different syntax (e.g. geolocation=())
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; # HSTS; preload is effectively permanent, so only submit once every subdomain serves HTTPS
    if ($host != "example.com") {
        return 404;
    } # $host is the HTTP Host header (or request line), not the SNI name from the TLS handshake; a request for a different host gets 404 Not Found
    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://example.com$request_uri; # keep path and query string; the original `return 301 https://example.com;` sent every request to the home page
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _; # no matching server name: close the connection without sending a response (444 is nginx-specific)
    return 444;
}
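The server blocks above, rewritten as an added example with the points a reviewer would raise fixed: a catch-all for port 443 (without one, the example.com block is the implicit default and answers every SNI name it is asked for), the 0-RTT replay flag passed to a backend, the deprecated headers replaced, an AEAD-only cipher list, and the HTTP redirect preserving the request URI. This is not the post's own configuration; the paths, the domain, the resolver address and the backend at 127.0.0.1:8080 are placeholders, and it assumes nginx 1.25.1 or newer for `http2 on;` and 1.19.4 or newer for ssl_reject_handshake.

```nginx
# Added example, not the original post's config. Paths, domain, resolver and
# backend address are placeholders. Assumes nginx >= 1.25.1 (http2 directive)
# and >= 1.19.4 (ssl_reject_handshake).

# Catch-all for HTTPS: aborts the TLS handshake for unknown or missing SNI
# names with an unrecognized_name alert. No certificate is needed for this.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

server {
    # Socket-level parameters such as reuseport go on exactly one of the
    # server blocks that share an address:port.
    listen 443 ssl reuseport;
    listen [::]:443 ssl reuseport;
    http2 on;                                    # older nginx: `listen 443 ssl http2;`
    server_name example.com;

    ssl_certificate         /path/to/example.crt;
    ssl_certificate_key     /path/to/example.key;
    ssl_trusted_certificate /path/to/example.ca-bundle;

    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites only; the two CBC suites from the original list are gone.
    # TLS 1.3 suites are fixed by OpenSSL and unaffected by ssl_ciphers.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:40m;
    ssl_session_timeout 4h;
    ssl_session_tickets off;
    ssl_stapling        on;
    ssl_stapling_verify on;
    resolver 127.0.0.53 valid=300s;              # local stub resolver (placeholder); keeps OCSP lookups off the public internet
    resolver_timeout 5s;

    # 0-RTT stays on, so any early request may be a replay. The backend gets
    # the flag via Early-Data and should answer 425 Too Early for
    # non-idempotent early requests (RFC 8470). Static files served by nginx
    # itself are idempotent GETs and need nothing extra.
    ssl_early_data on;

    # Headers carry `always` so error responses get them too. Because
    # add_header is not inherited into a location that sets its own
    # add_header, keep this list in an include file and repeat it there.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "0" always;      # auditor removed from browsers; "1; mode=block" was a leak vector
    add_header Referrer-Policy no-referrer always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;  # replaces Feature-Policy
    # Start strict and widen per site. frame-ancestors is the modern form of
    # X-Frame-Options; base-uri and object-src close two common bypasses.
    add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'" always;

    # $host is the HTTP Host header, not the SNI name. SNI mismatches never
    # reach this block thanks to the catch-all above; Host mismatches do.
    if ($host != "example.com") {
        return 404;
    }

    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }

    location /api/ {
        proxy_set_header Host $host;
        proxy_set_header Early-Data $ssl_early_data;   # "1" for early-data requests, else empty
        proxy_pass http://127.0.0.1:8080;              # placeholder backend
    }
}

# Plain HTTP: redirect and keep path plus query string. The original
# `return 301 https://example.com;` sent every URL to the home page.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;                                  # close the connection without a response
}
```

Validate with `nginx -t` before reloading; if the build is older than 1.19.4 the catch-all needs a certificate (any self-signed one will do) and `return 444;` in place of ssl_reject_handshake.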

Related links

Analyse your HTTP response headers: quickly and easily assess the security of your HTTP response headers.
SSL Server Test (Powered by Qualys SSL Labs): a comprehensive free SSL test for your public web servers.
Cipherli.st - Strong ciphers for Apache, nginx and Lighttpd
How to generate Diffie-Hellman (DH) parameters using OpenSSL
Best nginx configuration for improved security (and performance) - nginx.conf (GitHub Gist); complete blog post: http://tautt.com/best-nginx-configuration-for-security/
Thread Pools in NGINX Boost Performance 9x!
NGINX tuning for best performance (GitHub Gist)
NGINX — Disable direct access (via http and https) to a website using IP address: for the requirements wherein direct access to a website using IP address has to be disabled/blocked, the following steps can be followed…