安装nginx
[root@proxy ~]# yum -y install gcc openssl-devel pcre-devel
[root@proxy ~]# tar -zxf nginx-1.12.2.tar.gz
[root@proxy ~]# useradd nginx
[root@proxy ~]# cd nginx-1.12.2/
[root@proxy nginx-1.12.2]# ./configure --user=nginx --group=nginx --without-http_autoindex_module --without-http_ssi_module
//禁用自动索引(autoindex)模块和SSI(ssi)模块
[root@proxy nginx-1.12.2]# make
[root@proxy nginx-1.12.2]# make install
[root@proxy nginx-1.12.2]# ln -s /usr/local/nginx/sbin/nginx /sbin
修改版本信息,隐藏具体的版本号
[root@proxy ~]# curl -I 192.168.4.51
HTTP/1.1 200 OK
Server: nginx/1.12.2 //版本号
Date: Thu, 03 Jan 2019 01:44:00 GMT
...
[root@proxy ~]# vim /usr/local/nginx/conf/nginx.conf
...
35 server {
36 listen 80;
37 server_name localhost;
38 server_tokens off; //屏蔽版本号
39 #charset koi8-r;
40
[root@proxy ~]# nginx -s reload
[root@proxy ~]# curl -I 192.168.4.51
HTTP/1.1 200 OK
Server: nginx //版本号已经屏蔽
Date: Thu, 03 Jan 2019 01:44:12 GMT
...
[root@proxy nginx-1.12.2]# vim +48 src/http/ngx_http_header_filter_module.c
//+48 代表光标直接定位在48行
...
49 static u_char ngx_http_server_string[] = "http" CRLF; //改动源码不显示nginx(注意:这里去掉了原来的"Server: "前缀,所以响应中只剩一行"http",见下文curl输出)
50 static u_char ngx_http_server_full_string[] = "Server:http " CRLF;
51 static u_char ngx_http_server_build_string[] = "Server: http" CRLF;
52
[root@proxy nginx-1.12.2]# ./configure --user=nginx --group=nginx --without-http_autoindex_module --without-http_ssi_module
[root@proxy nginx-1.12.2]# make && make install
[root@proxy nginx-1.12.2]# nginx -s stop
[root@proxy nginx-1.12.2]# nginx
[root@proxy nginx-1.12.2]# curl -I 192.168.4.51
HTTP/1.1 200 OK
http //显示的是我们修改的名字
Date: Thu, 03 Jan 2019 02:01:47 GMT
Content-Type: text/html
限制并发访问量
DDOS攻击者会发送大量的并发连接,占用服务器资源(比如连接数、带宽等),这样会导致正常用户处于等待、无法访问服务器的状态
可以使用nginx的ngx_http_limit_req_module模块对请求进行限速,降低风险
[root@guo ~]# yum -y install httpd-tools
[root@guo ~]# ab -c 1000 -n 1000 http://192.168.4.51/ //修改之前,客户端压力访问
...
Finished 1000 requests
...
Concurrency Level: 1000
Time taken for tests: 0.227 seconds
Complete requests: 1000
Failed requests: 0
...
[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
...
http {
include mime.types;
default_type application/octet-stream;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
limit_req zone=one burst=5;
//将客户端ip信息存储到名称为one的共享内存,空间为10m(1m可以存8k的ip信息);每秒钟仅接受1个请求,多余的请求最多有5个放入漏斗(burst)排队,再多的直接拒绝。也就是每个ip一次突发最多处理六个
[root@proxy nginx-1.12.2]# nginx -t //测试配置文件是否正确
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@proxy nginx-1.12.2]# nginx
[root@guo ~]# ab -c 10 -n 10 http://192.168.4.51/ //客户端访问
...
Server Software:
Server Hostname: 192.168.4.51
Server Port: 80
Document Path: /
Document Length: 618 bytes
Concurrency Level: 10
Time taken for tests: 5.001 seconds
Complete requests: 10
Failed requests: 4 //可以看出,有四个请求失败了,总共处理了6个,所用时间5.001s(漏斗中的5个请求按每秒1个依次放行)
拒绝非法访问
http定义了很多方法,实际中一般仅用get和post
请求方法 | 功能描述 |
---|---|
GET | 请求指定的页面信息,并返回实体主体 |
HEAD | 类似于get请求,只不过返回的响应中没有具体的内容,用于获取报头 |
POST | 向指定资源提交数据进行处理请求(例如提交表单或者上传文件) |
DELETE | 请求服务器删除指定的页面 |
PUT | 向服务器特定位置上传资料 |
[root@proxy nginx-1.12.2]# curl -i -X GET http://192.168.4.51
HTTP/1.1 200 OK
http
Date: Thu, 03 Jan 2019 03:04:31 GMT
...
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...
[root@proxy nginx-1.12.2]# curl -i -X HEAD http://192.168.4.51
HTTP/1.1 200 OK
http
Date: Thu, 03 Jan 2019 03:04:17 GMT
Content-Type: text/html
Content-Length: 618
Last-Modified: Thu, 03 Jan 2019 01:23:38 GMT
Connection: keep-alive
ETag: "5c2d641a-26a"
Accept-Ranges: bytes
...
[root@proxy nginx-1.12.2]# nginx -s stop
[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
...
server {
listen 80;
server_name localhost;
...
if ($request_method !~ ^(GET|POST)$ ) {
return 444;
}
}
[root@proxy nginx-1.12.2]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@proxy nginx-1.12.2]# nginx
[root@proxy nginx-1.12.2]# curl -i -X HEAD http://192.168.4.51 //返回444,nginx直接关闭连接,不返回任何响应
curl: (52) Empty reply from server
[root@proxy nginx-1.12.2]# curl -i -X GET http://192.168.4.51
HTTP/1.1 200 OK
http
Date: Thu, 03 Jan 2019 03:11:41 GMT
Content-Type: text/html
防止buffer溢出
防止客户端请求数据溢出缓冲区,有效降低dos攻击风险
[root@proxy nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
http {
...
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 16k;
large_client_header_buffers 4 4k;
...
}
[root@proxy nginx-1.12.2]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful