The Ultimate Guide to Secure, Harden and Improve Performance of Nginx Web Server


Based on the wonderful things you have heard about Nginx, perhaps you decided to give it a try. Perhaps you liked it so much that you are thinking of replacing your Apache installations with Nginx after following some of the articles on the subject that we have published on this site.

If so, I'm sure you will welcome this guide with open arms, since we are going to cover 12 tips to increase the security of your Nginx server (from keeping Nginx up to date to using TLS and redirecting HTTP to HTTPS), and you will notice that some of them are very similar to what you would do with Apache.

We will use the following environment in this guide:

  1. Debian GNU/Linux 8.1 (jessie).
  2. IP addresses: 192.168.0.25 (tecmintlovesnginx.com) and 192.168.0.26 (nginxmeanspower.com), as described in the IP-based virtual hosts section of "How to Set Up Name-based and IP-based Virtual Hosts (Server Blocks) with Nginx".

With that in mind, let's get started.

Tip #1: Keep Nginx up to date

At the time of this writing, the latest Nginx versions in the CentOS (in EPEL) and Debian repositories are 1.6.3 and 1.6.2-5, respectively.

Although installing software from the repositories is easier than compiling the program from source, the latter option has two advantages: 1) it allows you to build extra modules into Nginx (such as mod_security), and 2) it will always provide a newer version than the repositories (1.9.9 as of today). The release notes are always available on the Nginx website.

Tip #2: Disable unnecessary modules in Nginx

To explicitly remove modules from Nginx while installing from source, do:

    # ./configure --without-module1 --without-module2 --without-module3

For example:

    # ./configure --without-http_dav_module --without-http_spdy_module

As you will probably guess, removing modules from a previous Nginx installation from source requires recompiling.

A word of caution: configuration directives are provided by modules. Make sure you don't disable a module that contains a directive you will need down the road! You should check the nginx docs for the list of directives available in each module before deciding on disabling modules.

Tip #3: Disable the server_tokens directive in Nginx

The server_tokens directive tells Nginx to display its current version on error pages. This is not desirable, since you don't want to share that information with the world: knowing the exact version makes it easier to attack your web server through vulnerabilities known to exist in that specific release.

To disable the server_tokens directive, set it to off inside a server block:

    server {
        listen       192.168.0.25:80;
        server_tokens        off;
        server_name  tecmintlovesnginx.com www.tecmintlovesnginx.com;
        access_log  /var/www/logs/tecmintlovesnginx.access.log;
        error_log  /var/www/logs/tecmintlovesnginx.error.log error;
        root   /var/www/tecmintlovesnginx.com/public_html;
        index  index.html index.htm;
    }

Restart nginx and verify the changes:
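One way to do that verification, as an added example that is not part of the original article: server_tokens controls not only the error pages but also the Server response header, so looking at that header tells you whether the change took effect. The two header blocks in the script are constructed samples (the version string and date are made up); on a live server you would capture real headers with `curl -sI http://192.168.0.25/` and pass them to check_headers.

```shell
# Added example, not from the original article: flag an Nginx version
# disclosed in the Server response header. Capture real headers with
#   curl -sI http://192.168.0.25/
# and pass them to check_headers; the two blocks below are constructed.

# Constructed: what Nginx answers with server_tokens at its default (on).
HEADERS_DEFAULT='HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Sun, 10 Jan 2016 10:00:00 GMT
Content-Type: text/html'

# Constructed: the same answer after "server_tokens off;".
HEADERS_HARDENED='HTTP/1.1 200 OK
Server: nginx
Date: Sun, 10 Jan 2016 10:00:00 GMT
Content-Type: text/html'

# server_value: print the value of the Server header (name matched
# case-insensitively, CR stripped in case the capture kept CRLF endings).
server_value() {
    printf '%s\n' "$1" | awk 'tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }' | tr -d '\r'
}

# leaks_version: succeed (0) when the Server header carries a version,
# e.g. "nginx/1.6.2"; fail (1) when it is bare ("nginx") or absent.
leaks_version() {
    case "$(server_value "$1")" in
        */[0-9]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_headers: one-line verdict for a captured header block.
check_headers() {
    if leaks_version "$1"; then
        echo "LEAK: Server header is '$(server_value "$1")'; add 'server_tokens off;' and reload"
        return 1
    fi
    echo "OK: Server header is '$(server_value "$1")'"
}

check_headers "$HEADERS_DEFAULT" || :
check_headers "$HEADERS_HARDENED"
```

Run it after each reload of the configuration; the first sample reports a leak and the second reports OK. Note that a bare "nginx" still identifies the software, only the version is hidden.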

Tip #4: Deny HTTP user agents in Nginx

An HTTP user agent is a piece of software that is used for content negotiation against a web server. This also includes malware bots and crawlers that may end up impacting the performance of your web server by wasting system resources.

In order to more easily maintain the list of undesired user agents, create a file (/etc/nginx/blockuseragents.rules, for example) with the following contents:

    map $http_user_agent $blockedagent {
        default         0;
        ~*malicious     1;
        ~*bot           1;
        ~*backdoor      1;
        ~*crawler       1;
        ~*bandit        1;
    }

Next, place the following line before the server block definition:

    include /etc/nginx/blockuseragents.rules;

And an if statement to return a 403 response if the user agent string is in the blacklist defined above:

Restart nginx, and all user agents whose strings match the above will be blocked from accessing your web server. Replace 192.168.0.25 with your server's IP and feel free to choose a different string for the --user-agent switch of wget:

    # wget http://192.168.0.25/index.html
    # wget --user-agent "I am a bandit haha" http://192.168.0.25/index.html


Tip #5: Disable unwanted HTTP methods in Nginx

Also known as verbs, HTTP methods indicate the desired action to be taken on a resource served by Nginx. For common websites and applications, you should only allow GET, POST, and HEAD and disable all others.

To do so, place the following lines inside a server block. A 444 HTTP response means an empty response (Nginx closes the connection without sending anything back) and is often used in Nginx to fool malware attacks:

    if ($request_method !~ ^(GET|HEAD|POST)$) {
       return 444;
    }

To test, use curl to send a DELETE request and compare the output to when you send a regular GET:

    # curl -X DELETE http://192.168.0.25/index.html
    # curl -X POST http://192.168.0.25/index.html
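A dry run of the two rules from tips #4 and #5 together, as an added example that is not part of the original article: the script applies the blockuseragents.rules patterns (with the case-insensitive matching that `~*` gives) and the method rule to four constructed raw requests and prints the outcome Nginx would produce. The request strings and user-agent values are constructed, and checking the method before the user agent is this example's own ordering; in Nginx the order follows where each `if` sits in the server block.

```shell
# Added example, not from the original article: dry-run the user-agent
# blocklist of tip #4 and the method rule of tip #5 against raw requests.
# The pattern list mirrors the map in blockuseragents.rules (~* means a
# case-insensitive regex); the method rule mirrors
#   if ($request_method !~ ^(GET|HEAD|POST)$) { return 444; }
# Which rule Nginx evaluates first depends on where each "if" sits in the
# server block; this example checks the method first (an assumption).

# The map patterns from the article, one per line.
BLOCKED_UA_PATTERNS='malicious
bot
backdoor
crawler
bandit'

# Constructed requests: a plain wget, the "bandit" string used in the
# article, a DELETE, and a search-engine crawler caught by the "bot" pattern.
REQ_WGET='GET /index.html HTTP/1.1
Host: 192.168.0.25
User-Agent: Wget/1.16 (linux-gnu)'
REQ_BANDIT='GET /index.html HTTP/1.1
Host: 192.168.0.25
User-Agent: I am a bandit haha'
REQ_DELETE='DELETE /index.html HTTP/1.1
Host: 192.168.0.25
User-Agent: curl/7.38.0'
REQ_GOOGLEBOT='GET /index.html HTTP/1.1
Host: 192.168.0.25
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'

# request_method / user_agent: pull the two inputs of the rules out of a
# raw request held in a string.
request_method() { printf '%s\n' "$1" | sed -n '1s/ .*//p'; }
user_agent() {
    printf '%s\n' "$1" | awk 'tolower($0) ~ /^user-agent:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }' | tr -d '\r'
}

# ua_blocked: succeed when the user agent matches any pattern, ignoring
# case (the ~* behaviour of the map).
ua_blocked() {
    pattern=$(printf '%s' "$BLOCKED_UA_PATTERNS" | tr '\n' '|')
    printf '%s\n' "$1" | grep -q -i -E "$pattern"
}

# method_allowed: exact, case-sensitive match like $request_method.
method_allowed() {
    case "$1" in
        GET|HEAD|POST) return 0 ;;
        *) return 1 ;;
    esac
}

# decide: print the outcome Nginx would produce for one raw request:
#   444 - method rejected, connection closed without a response
#   403 - user agent matched the blocklist
#   200 - request passes both rules and is served normally
decide() {
    if ! method_allowed "$(request_method "$1")"; then
        echo 444
    elif ua_blocked "$(user_agent "$1")"; then
        echo 403
    else
        echo 200
    fi
}

for r in "$REQ_WGET" "$REQ_BANDIT" "$REQ_DELETE" "$REQ_GOOGLEBOT"; do
    printf '%s  %s / %s\n' "$(decide "$r")" "$(request_method "$r")" "$(user_agent "$r")"
done
```

The wget and curl commands above are the live equivalent. The last constructed request is worth noticing: `~*bot` also matches legitimate search-engine crawlers, so review the pattern list against the clients you want to keep before restarting Nginx with it.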

Tip #6: Set buffer size limitations in Nginx

To prevent buffer overflow attacks against your Nginx web server, set the following directives in a separate file (create a new file named /etc/nginx/conf.d/buffer.conf, for example):

    client_body_buffer_size  1k;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;

The directives above will ensure that requests made to your web server will not cause a buffer overflow in your system. Once again, refer to the documentation for further details on what each of them does.

Then add an include directive in the configuration file:

    include /etc/nginx/conf.d/*.conf;


Tip #7: Limit the number of connections per IP in Nginx

In order to limit the connections per IP, use the limit_conn_zone (in an http context or at least outside the server block) and limit_conn (in an http, server block, or location context) directives.

However, keep in mind that not all connections are counted, but only those that have requests being processed by the server and whose entire request header has already been read.

For example, let's set the maximum number of connections to 1 (yes, it's an exaggeration, but it will do the job just fine in this example) in a zone named addr (you can set this to whatever name you like):

    limit_conn_zone $binary_remote_addr zone=addr:5m;
    limit_conn addr 1;

A simple test with Apache Benchmark (Nginx load testing) where 10 total connections are made with 2 concurrent requests will help us demonstrate our point:

    # ab -n 10 -c 2 http://192.168.0.25/index.html

See the next tip for further details.
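To make the ab result easier to read, here is a small simulation of how limit_conn counts, as an added example that is not part of the original article. Only in-flight connections occupy a slot in the zone and a slot is released when the request finishes, so two overlapping requests from one client with `limit_conn addr 1;` means one of them is refused (by default with a 503). The event trace, connection ids and client addresses are constructed.

```shell
# Added example, not from the original article: simulate how limit_conn
# counts connections so the result of "ab -n 10 -c 2" against
# "limit_conn addr 1;" is easier to read. Only connections whose request
# has been fully read and is being processed occupy a slot in the zone; a
# new connection from a key (here the client IP) that already holds
# "limit" slots is refused, by default with a 503 response. A slot is
# freed when the request finishes, so total connections do not matter,
# only how many are in flight at once.

# Constructed trace: "open <id> <ip>" when a request starts being
# processed, "close <id>" when it finishes. c1 and c2 overlap from the
# same client, as two concurrent ab workers would.
EVENTS='open c1 192.168.0.30
open c2 192.168.0.30
close c2
close c1
open c3 192.168.0.30
open c4 192.168.0.31
close c3
close c4'

# simulate_limit_conn LIMIT: read the trace on stdin, print
# "allowed=N rejected=M". A rejected connection never held a slot, so its
# close event must not free one (tracked per connection id).
simulate_limit_conn() {
    awk -v limit="$1" '
        $1 == "open" {
            if (active[$3] >= limit) { rejected++; held[$2] = 0; next }
            active[$3]++; held[$2] = 1; ip_of[$2] = $3; allowed++; next
        }
        $1 == "close" && held[$2] { active[ip_of[$2]]--; held[$2] = 0 }
        END { printf "allowed=%d rejected=%d\n", allowed, rejected }
    '
}

# rejected_with LIMIT / allowed_with LIMIT: the two counters for the trace.
rejected_with() { printf '%s\n' "$EVENTS" | simulate_limit_conn "$1" | sed 's/.*rejected=//'; }
allowed_with()  { printf '%s\n' "$EVENTS" | simulate_limit_conn "$1" | sed 's/.*allowed=\([0-9]*\).*/\1/'; }

for limit in 1 2; do
    printf 'limit_conn addr %s;  ->  ' "$limit"
    printf '%s\n' "$EVENTS" | simulate_limit_conn "$limit"
done
```

With a limit of 1 the trace yields three allowed and one rejected connection; raising the limit to 2 lets all four through. The status returned to a refused client is set by the limit_conn_status directive (503 unless changed), and each refusal is written to the error log, which is what the next tip looks at.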

Tip #8: Set up monitoring logs for Nginx

Once you have performed the test described in the previous tip, check the error log defined for the server block:

You may want to use grep to filter the log for failed requests to the addr zone defined in Tip #7:

    # grep addr /var/www/logs/tecmintlovesnginx.error.log --color=auto

Likewise, you can filter the access log for information of interest, such as:

  1. Client IP
  2. Browser type
  3. HTTP request type
  4. Requested resource
  5. The server block answering the request (useful if several virtual hosts are logging to the same file).

And take appropriate action if you notice any unusual or undesired activity.
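The filtering described above in script form, as an added example that is not part of the original article. The access-log lines are constructed in the default "combined" format and the error-log lines in the shape the limit_conn module writes (`limiting connections by zone "addr"`); the addresses, timestamps and counts are made up. Item 5 of the list (which server block answered) is not present in the combined format and needs a custom log_format that includes $server_name, so it is not extracted here.

```shell
# Added example, not from the original article: pull the fields listed in
# tip #8 out of Nginx logs. The lines below are constructed in the shape
# Nginx writes by default (the "combined" access log format and the
# error-log message of the limit_conn module); swap in
#   cat /var/www/logs/tecmintlovesnginx.access.log
# on a real server. Which server block answered (item 5) is not in the
# combined format; it needs a custom log_format carrying $server_name.

ACCESS_LOG='192.168.0.30 - - [10/Jan/2016:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 612 "-" "ApacheBench/2.3"
192.168.0.30 - - [10/Jan/2016:10:00:01 +0000] "GET /index.html HTTP/1.0" 503 213 "-" "ApacheBench/2.3"
192.168.0.31 - - [10/Jan/2016:10:00:05 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "http://192.168.0.26/" "Mozilla/5.0"
192.168.0.32 - - [10/Jan/2016:10:00:09 +0000] "DELETE /index.html HTTP/1.1" 444 0 "-" "curl/7.38.0"'

ERROR_LOG='2016/01/10 10:00:01 [error] 1234#0: *7 limiting connections by zone "addr", client: 192.168.0.30, server: tecmintlovesnginx.com, request: "GET /index.html HTTP/1.0", host: "192.168.0.25"
2016/01/10 10:00:09 [info] 1234#0: *9 client 192.168.0.32 closed keepalive connection'

# limited_clients: distinct client IPs that hit the addr zone limit
# (the grep from the article, reduced to the client address).
limited_clients() {
    printf '%s\n' "$ERROR_LOG" | grep 'limiting connections by zone "addr"' \
        | sed 's/.*client: \([0-9.]*\),.*/\1/' | sort -u
}

# status_count CODE: requests that received CODE (field 9 of "combined").
status_count() {
    printf '%s\n' "$ACCESS_LOG" | awk -v code="$1" '$9 == code { n++ } END { print n + 0 }'
}

# requests_per_ip: "count ip" pairs, busiest client first.
requests_per_ip() {
    printf '%s\n' "$ACCESS_LOG" | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# request_lines: method, resource and user agent per request, taken from
# the quoted fields (2nd and 6th quote-delimited field in "combined").
request_lines() {
    printf '%s\n' "$ACCESS_LOG" | awk -F'"' '{ split($2, r, " "); print r[1], r[2], "[" $6 "]" }'
}

echo "clients rate-limited: $(limited_clients)"
echo "503 responses: $(status_count 503), 444 responses: $(status_count 444)"
requests_per_ip
request_lines
```

On the constructed data this reports one rate-limited client, one 503 and one 444 (the DELETE refused by tip #5), two requests from the ApacheBench client, and the method, path and user agent of each request; the same functions work unchanged on the real files once the two variables are replaced by the log contents.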

Tip #9: Prevent image hotlinking in Nginx

Image hotlinking happens when a person displays on another site an image hosted on yours. This causes an increase in your bandwidth usage (which you pay for) while the other person happily displays the image as if it were their property. In other words, it's a loss for you.

For example, let's say you have a subdirectory named img in your server block where you store all the images used in that virtual host. To prevent other sites from using your images, you will need to insert the following location block inside your virtual host definition:

    location /img/ {
        valid_referers none blocked 192.168.0.25;
        if ($invalid_referer) {
            return 403;
        }
    }

Then modify the index.html file in each virtual host as follows:

Now browse to each site and, as you can see, the image displays correctly in 192.168.0.25 but is replaced by a 403 response in 192.168.0.26:

Note that this tip depends on the remote browser sending the Referer field.
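The decision valid_referers makes, reproduced for offline checking, as an added example that is not part of the original article. `none` accepts requests with no Referer at all (a visitor typing the URL), `blocked` accepts a Referer that a proxy or firewall has mangled so that it no longer starts with http:// or https://, and the listed name accepts references from 192.168.0.25 itself; everything else sets $invalid_referer and gets the 403. Comparing only the host part of the Referer (scheme, port and path stripped) is this example's own simplification, and the Referer values in the loop are constructed.

```shell
# Added example, not from the original article: reproduce the decision
# "valid_referers none blocked 192.168.0.25;" makes, so the rule can be
# checked against Referer values before going live. Nginx semantics:
#   none     - the request has no Referer header at all
#   blocked  - a Referer is present but was mangled by a proxy or firewall,
#              i.e. it does not start with http:// or https://
#   names    - the host named in the Referer is one of the listed servers
# Anything else sets $invalid_referer and the location returns 403.
# Comparing only the host part (scheme, port and path stripped) is this
# example's own simplification.

ALLOWED_REFERER_HOSTS='192.168.0.25'

# referer_host: host portion of an http(s) Referer value.
referer_host() {
    h=${1#http://}; h=${h#https://}
    h=${h%%/*}; h=${h%%:*}
    printf '%s\n' "$h"
}

# referer_valid REFERER: succeed when Nginx would treat the request as a
# legitimate (non-hotlinked) image fetch. Pass "" for a missing header.
referer_valid() {
    ref=$1
    [ -z "$ref" ] && return 0                    # none
    case "$ref" in
        http://*|https://*) ;;
        *) return 0 ;;                           # blocked
    esac
    host=$(referer_host "$ref")
    for allowed in $ALLOWED_REFERER_HOSTS; do
        [ "$host" = "$allowed" ] && return 0
    done
    return 1                                     # $invalid_referer -> 403
}

# hotlink_status REFERER: the response code for a request to /img/.
hotlink_status() {
    if referer_valid "$1"; then echo 200; else echo 403; fi
}

# Constructed Referer values, one per situation in the article.
for ref in "" "http://192.168.0.25/index.html" "http://192.168.0.26/index.html" \
           "https://192.168.0.25:443/gallery/" "stripped-by-proxy"; do
    printf '%s  Referer: "%s"\n' "$(hotlink_status "$ref")" "$ref"
done
```

The third value is the hotlink from the other virtual host and is the only one that gets a 403; the first and last show why the rule is only a deterrent: a client that omits or rewrites the Referer is let through, which is the limitation the note above points out.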

Tip #10: Disable SSL and only enable TLS in Nginx

Whenever possible, do whatever it takes to avoid SSL in any of its versions and use TLS instead. The following ssl_protocols line should be placed in a server or http context in your virtual host file or in a separate file via an include directive (some people use a file named ssl.conf, but that is entirely up to you):

    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

For example:

Tip #11: Create certificates in Nginx

First, generate a key and a certificate. Feel free to use a different type of encryption if you want:

    # openssl genrsa -aes256 -out tecmintlovesnginx.key 1024
    # openssl req -new -key tecmintlovesnginx.key -out tecmintlovesnginx.csr
    # cp tecmintlovesnginx.key tecmintlovesnginx.key.org
    # openssl rsa -in tecmintlovesnginx.key.org -out tecmintlovesnginx.key
    # openssl x509 -req -days 365 -in tecmintlovesnginx.csr -signkey tecmintlovesnginx.key -out tecmintlovesnginx.crt

Then add the following lines to a separate server block in preparation for the next tip (http --> https redirection) and move the SSL directives to the new block as well:

    server {
        listen 192.168.0.25:443 ssl;
        server_tokens off;
        server_name  tecmintlovesnginx.com www.tecmintlovesnginx.com;
        root   /var/www/tecmintlovesnginx.com/public_html;
        ssl_certificate /etc/nginx/sites-enabled/certs/tecmintlovesnginx.crt;
        ssl_certificate_key /etc/nginx/sites-enabled/certs/tecmintlovesnginx.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    }

In the next tip we will verify how our site is using a self-signed certificate and TLS.

Tip #12: Redirect HTTP traffic to HTTPS in Nginx

Add the following line to the first server block:

    return 301 https://$server_name$request_uri;

The above directive will return a 301 (Moved Permanently) response, which is used for permanent URL redirection, whenever a request is made to port 80 of your virtual host, and will redirect the request to the server block we added in the previous tip.

The image below shows the redirection and confirms that we are using TLS 1.2 and AES-256 for encryption:
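A configuration audit covering tips #10, #11 and #12, as an added example that is not part of the original article: it checks that the port-80 block carries the 301 redirect to https, that the port-443 block sets a certificate, key and ssl_protocols, and which of the enabled protocols are deprecated. The two server blocks are embedded as constructed text assembled from the article's own blocks; on a real host you would read them from the virtual host file. Two caveats a practitioner would want here: TLS 1.0 and 1.1 have since been deprecated by RFC 8996, which is why the audit flags the article's protocol line, and the 1024-bit RSA key from tip #11 is below the 2048-bit minimum generally recommended today. The hardened variant lists TLSv1.3, which needs a newer Nginx and OpenSSL than the versions quoted in tip #1.

```shell
# Added example, not from the original article: audit the two server
# blocks from tips #3, #11 and #12 for the TLS and redirect settings this
# guide asks for. The config text is embedded below (constructed from the
# article's blocks); on a real host read it from the virtual host file,
# e.g. audit_tls "$(cat /etc/nginx/sites-enabled/tecmintlovesnginx.com)".
# TLS 1.0 and 1.1 are flagged because RFC 8996 deprecates them; the
# article's protocol line predates that.

# Constructed: the port-80 block from tip #3 with the tip #12 redirect.
HTTP_BLOCK='server {
    listen       192.168.0.25:80;
    server_tokens        off;
    server_name  tecmintlovesnginx.com www.tecmintlovesnginx.com;
    return 301 https://$server_name$request_uri;
}'

# Constructed: the port-443 block exactly as tip #11 gives it.
HTTPS_BLOCK_ARTICLE='server {
    listen 192.168.0.25:443 ssl;
    server_tokens off;
    server_name  tecmintlovesnginx.com www.tecmintlovesnginx.com;
    root   /var/www/tecmintlovesnginx.com/public_html;
    ssl_certificate /etc/nginx/sites-enabled/certs/tecmintlovesnginx.crt;
    ssl_certificate_key /etc/nginx/sites-enabled/certs/tecmintlovesnginx.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
}'

# Constructed: the same block with only TLS 1.2 and 1.3 (TLSv1.3 needs a
# newer Nginx and OpenSSL than the versions quoted in tip #1).
HTTPS_BLOCK_HARDENED=$(printf '%s\n' "$HTTPS_BLOCK_ARTICLE" | sed 's/ssl_protocols .*/ssl_protocols       TLSv1.2 TLSv1.3;/')

# weak_protocols BLOCK: print the ssl_protocols values that are deprecated.
weak_protocols() {
    printf '%s\n' "$1" | awk '$1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++) {
            p = $i; sub(/;$/, "", p)
            if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) out = out ((out == "") ? "" : " ") p
        }
    } END { print out }'
}

# has_directive BLOCK NAME: succeed when the block sets NAME.
has_directive() {
    printf '%s\n' "$1" | grep -q -E "^[[:space:]]*$2[[:space:]]"
}

# redirects_to_https BLOCK: succeed when the block carries the tip #12 line.
redirects_to_https() {
    printf '%s\n' "$1" | grep -q -E '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://'
}

# audit_tls HTTP_BLOCK HTTPS_BLOCK: print findings, return their count.
audit_tls() {
    findings=0
    redirects_to_https "$1" || { echo "port 80 block does not redirect to https"; findings=$((findings + 1)); }
    for d in ssl_certificate ssl_certificate_key ssl_protocols; do
        has_directive "$2" "$d" || { echo "port 443 block lacks $d"; findings=$((findings + 1)); }
    done
    weak=$(weak_protocols "$2")
    [ -n "$weak" ] && { echo "deprecated protocols enabled: $weak"; findings=$((findings + 1)); }
    echo "findings: $findings"
    return "$findings"
}

audit_tls "$HTTP_BLOCK" "$HTTPS_BLOCK_ARTICLE" || :
audit_tls "$HTTP_BLOCK" "$HTTPS_BLOCK_HARDENED"
```

The article's block produces one finding (TLSv1 and TLSv1.1 enabled) and the hardened block none; the non-zero return value makes the function usable as a gate in a deployment script before `nginx -s reload`.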

Summary

In this article we have shared a few tips to secure your Nginx web server. We would love to hear your thoughts and, if you have other tips you would like to share with the rest of the community, feel free to let us know by sending us a note using the comment form below.