Nginx secure deployment: start with server configuration

Nginx is an excellent HTTP and reverse proxy server that can provide high performance, stability and scalability. To ensure the security and stability of the Nginx server, secure deployment is required. This article will start with server configuration and introduce in detail the installation, configuration, optimization and security deployment of Nginx.

1. Server configuration

Before installing Nginx, you need to perform basic configuration of the server. It is recommended to use the Linux operating system and install the latest system updates and security patches. In addition, the server should have sufficient memory and processor power to ensure the high performance of the Nginx server.

2. Installing Nginx

Nginx can download the latest stable version from the official website https://nginx.org/en/download.html. After the download is complete, use the following command to install:

tar -zxvf nginx-1.18.0.tar.gz
cd nginx-1.18.0
./configure
make
sudo make install

3. Configuring Nginx

The main configuration file of Nginx is located in /etc/nginx/nginx.conf. When making changes, make sure to back up the original files. The following is an example of a default Nginx configuration file:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    # ...
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /usr/share/nginx/html;
        index index.html;
        server_name _;
        location / {
            try_files $uri $uri/ =404;
        }
        # ...
    }
}

This file includes user and worker process configuration, log format, access log location, file transfer configuration and a default HTTP server block. The listen directive defines the port that the server block should listen on. Port 80 in this example is defined as the default server port. If the user accesses it using the IP address in the browser, Nginx will access the default file on the server and return it to the client.

4. Optimize Nginx configuration

The performance of Nginx depends on many factors, including server configuration and network environment. In order to optimize the performance of Nginx, you can do the following:

• Enable Nginx's caching function. This will speed up response times for requests for static files, such as CSS files, JavaScript files, and image files. Taking the standard HTTP caching mechanism as an example, the following is an example configuration:

http {
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m;
    server {
        location ~* .(png|jpg|jpeg|gif|ico)$ {
            proxy_cache my_cache;
            proxy_pass http://backend;
        }
    }
}

• Improve performance by increasing the number of worker_processes. The number of worker_processes should be equal to the number of CPU cores available on the server. For example, if the server has four CPU cores, worker_process should be set to 4.
• Enable TCP nopush and nodelay functions. This will reduce latency and packet loss in the TCP protocol. The following is an example configuration:

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # ...
}

5. Secure Deployment

The security of Nginx is very important. Here are some suggestions for a secure deployment:

• Use the HTTPS protocol to encrypt data transfers, especially sensitive data transfers such as bank account information or credit card numbers. Using certificates ensures that data transmission is not tampered with or stolen during transmission.
• Limit the request rate to protect the website from DDoS attacks. For example, use Nginx's limit_req_zone directive to set the request rate.

http {
    limit_req_zone $binary_remote_addr zone=my_zone:10m rate=1r/s;
    server {
        location / {
            limit_req zone=my_zone burst=5 nodelay;
            # ...
        }
    }
}

• Limit file upload size to prevent malicious file uploads. Use Nginx's client_max_body_size directive to set file size limits.

http {
    client_max_body_size 10M;
    server {
        location /upload {
            # ...
        }
    }
}

• Close unnecessary services in the system. For example, if your server does not require mail services, you should turn off mail services to reduce risk.
• Regularly update systems and software to ensure security. Updates should be applied to servers promptly after they are released.

This article introduces the installation, configuration, optimization and safe deployment of Nginx in detail. These steps can ensure the high performance, security and stability of the Nginx server.

The above is the detailed content of Nginx secure deployment: start with server configuration. For more information, please follow other related articles on the PHP Chinese website!