Secure deployment and maintenance of Nginx in cloud environment

With the development of cloud computing, more and more applications and services are deployed in cloud environments. As a high-performance web server and reverse proxy server, Nginx is becoming more and more popular in cloud environments. This article will introduce the secure deployment and maintenance of Nginx in a cloud environment.

1. Nginx security configuration

In the cloud environment, the server faces a wider attack surface, so security configuration is particularly important. Here are some common Nginx security configurations.

1. Prevent DDoS attacks

DDoS attacks are a common network attack and can be prevented using Nginx’s limit_conn and limit_req modules. Among them, limit_conn can control the number of connections, and limit_req can control the request rate. The configuration of these two modules is as follows:

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m; 
    limit_conn addr 10; # 对每个IP地址限制10个连接数 
    
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; 
    limit_req zone=one burst=5 nodelay;
    # 每秒只允许处理1个请求，最多允许5个请求在等待队列中等待
}

2. Disable unsafe HTTP methods

Some HTTP request methods are less secure, such as DELETE, TRACE, CONNECT, etc. You can use Nginx's limit_except directive to limit the use of unsafe HTTP methods, as shown below:

location / {
    limit_except GET POST {
        deny all;
    }
}

3. Prohibit server information leakage

An attacker can locate server vulnerabilities and weaknesses by obtaining server information , so prohibiting server information leakage is also an important security configuration. You can use Nginx's server_tokens directive to control whether to display server information in the HTTP response header, as shown below:

http {
    server_tokens off; # 禁止在HTTP响应头中显示服务器信息
}

2. Nginx performance optimization

Web applications in cloud environments usually need to process a large number of Concurrent requests, so performance optimization is also an important task. Here are some common Nginx performance optimization methods.

1. Turn on caching

For some static resources, such as images, CSS, JS, etc., you can use Nginx's cache to improve access speed. You can set the cache path and cache size through Nginx's proxy_cache_path directive, as shown below:

http {
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m;
    
    server {
        location /assets/ {
            proxy_cache my_cache;
            proxy_pass http://backend/;
        }
    }
}

2. Use Gzip compression

Gzip compression can reduce the amount of data transmitted over the network and improve the website access speed. You can use Nginx's gzip command to enable Gzip compression, as shown below:

http {
    gzip on;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
}

3. Configure the scheduling algorithm

When Nginx is used as a load balancer, configuring the scheduling algorithm is also important Task. Nginx provides a variety of scheduling algorithms, such as Round Robin, Least Connections, IP Hash, etc. You can use Nginx's upstream block to configure the scheduling algorithm, as shown below:

http {
    upstream backend {
        server backend1;
        server backend2;
        
        # 使用IP Hash调度算法
        ip_hash;
    }
}

3. Nginx log management

In a cloud environment, log management is also very important. Nginx provides a variety of log options, including access_log, error_log, etc. You can use these logging options to record server access, error messages, and more. Here are some commonly used logging options.

1.access_log

access_log is a log option that records the access status of each request. You can use Nginx's access_log directive to enable access logging, as shown below:

http {
    access_log /var/log/nginx/access.log;
}

2.error_log

error_log is a log option for recording error information. You can use Nginx's error_log command to enable error logging, as shown below:

http {
    error_log /var/log/nginx/error.log;
}

3. Log cutting

When the log file is too large, you can use Nginx's log cutting function to split the log. Files for easy management. You can use the logrotate tool to cut log files regularly, as shown below:

/var/log/nginx/*.log {
    daily
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 0640 nginx root
    sharedscripts
    postrotate
        /usr/sbin/nginx -s reopen
    endscript
}

The above is an introduction to the safe deployment and maintenance methods of Nginx in a cloud environment. Of course, there are many other security configuration, performance optimization and log management methods, which need to be configured and optimized according to the actual situation. Hope this article can be helpful to everyone.

The above is the detailed content of Secure deployment and maintenance of Nginx in cloud environment. For more information, please follow other related articles on the PHP Chinese website!