I. Basic Nginx security optimization
1. Hide the Nginx version number
Before the change:
[root@node-a conf]# curl -I 47.93.209.191
HTTP/1.1 200 OK
Server: nginx/1.17.4
Date: Thu, 10 Nov 2022 09:01:05 GMT
Content-Type: text/html
Content-Length: 18
Last-Modified: Tue, 11 Oct 2022 08:46:38 GMT
Connection: keep-alive
ETag: "63452d6e-12"
Accept-Ranges: bytes
After the change:
[root@node-a sbin]# curl -I 47.93.209.191
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 10 Nov 2022 09:05:07 GMT
Content-Type: text/html
Content-Length: 18
Last-Modified: Tue, 11 Oct 2022 08:46:38 GMT
Connection: keep-alive
ETag: "63452d6e-12"
Accept-Ranges: bytes
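The before/after output above can be turned into a repeatable check. The following shell snippet is an added example, not part of the original page: it reads a captured curl -I response and reports whether the Server header still carries a version suffix such as "nginx/1.17.4". The two responses are constructed to mirror the output above; the after-state on a real nginx is produced by the server_tokens off; directive in the http block, which the page does not show. The check_target function is an assumption about how one would run it against a live host and is not exercised here.

```shell
# Added example (not from the original page): detect a version string in the
# Server header of an HTTP response captured with `curl -I`.

# Constructed sample responses, shortened from the before/after output above.
before_response='HTTP/1.1 200 OK
Server: nginx/1.17.4
Date: Thu, 10 Nov 2022 09:01:05 GMT
Content-Type: text/html'

after_response='HTTP/1.1 200 OK
Server: nginx
Date: Thu, 10 Nov 2022 09:05:07 GMT
Content-Type: text/html'

# server_header RESPONSE -> prints the value of the first Server header
# (header names are case-insensitive; CRLF line endings are stripped first).
server_header() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk -F': ' 'tolower($1) == "server" { print $2; exit }'
}

# leaks_version RESPONSE -> exit status 0 when the Server header contains a
# "/<digits>[.<digits>...]" suffix, i.e. the software version is exposed.
leaks_version() {
    server_header "$1" | grep -Eq '/[0-9]+(\.[0-9]+)*'
}

# check_target URL -> assumed interactive helper: fetch live headers and report.
# Returns 1 on a leak, 0 when only the product name is shown, 2 on fetch error.
check_target() {
    resp=$(curl -sI "$1") || return 2
    if leaks_version "$resp"; then
        echo "LEAK: Server: $(server_header "$resp")"
        return 1
    fi
    echo "OK: Server: $(server_header "$resp")"
    return 0
}
```

Run check_target against your own host after changing the configuration; a non-zero exit status is what a deployment pipeline would gate on.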
2. Modify the source code to hide the Nginx software name and version number
3. Change the default user of the Nginx service
4. Optimize the number of Nginx worker processes
5. Disable services that are not needed
6. Optimize disk write operations
7. Optimize resource limits
[root@node-a nginx-1.23.3]# ulimit -u
6943
[root@node-a nginx-1.23.3]# ulimit -n
65535
[root@node-a nginx-1.23.3]# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 6943
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65535
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 6943
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
Edit the file:
[root@node-a nginx-1.23.3]# vi /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
The change takes effect only after the system is restarted.
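Items 1, 3, 4 and 7 above all end up as directives in nginx.conf, so they can be audited together. The following shell snippet is an added example, not from the original page: it scans a configuration text for the directives those items correspond to (server_tokens, user, worker_processes, worker_rlimit_nofile) and counts the findings. Both configuration texts are constructed; the directive names are standard nginx ones, but the thresholds (65535 for worker_rlimit_nofile, matching the limits.conf value above) are this example's assumptions.

```shell
# Added example (not from the original page): audit an nginx.conf text for the
# hardening items listed in this section. Findings are printed and the count is
# returned as the exit status, so 0 means the checks passed.

# Constructed hardened configuration covering items 1, 3, 4 and 7.
hardened_conf='user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
events {
    worker_connections 10240;
}
http {
    server_tokens off;
}'

# Constructed default-style configuration that fails every check.
default_conf='worker_processes 1;
events {
    worker_connections 1024;
}
http {
    server_tokens on;
}'

# directive_value CONF NAME -> prints the argument of the first NAME directive,
# or nothing when the directive is absent.
directive_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" \
        | head -n 1
}

# audit_conf CONF -> one line per finding; exit status is the number of findings.
audit_conf() {
    conf=$1
    findings=0
    # Item 1: server_tokens off hides the version in the Server header.
    if [ "$(directive_value "$conf" server_tokens)" != "off" ]; then
        echo "server_tokens is not off: version is exposed in the Server header"
        findings=$((findings + 1))
    fi
    # Item 3: workers should run as a dedicated unprivileged account.
    case "$(directive_value "$conf" user)" in
        ""|root*)
            echo "user directive is absent or root: set a dedicated unprivileged user"
            findings=$((findings + 1)) ;;
    esac
    # Item 4: a single worker leaves the other cores idle.
    workers=$(directive_value "$conf" worker_processes)
    if [ -z "$workers" ] || [ "$workers" = "1" ]; then
        echo "worker_processes is unset or 1: match the CPU core count (or auto)"
        findings=$((findings + 1))
    fi
    # Item 7: the per-worker fd limit should match the nofile value in limits.conf.
    nofile=$(directive_value "$conf" worker_rlimit_nofile)
    if [ -z "$nofile" ] || [ "$nofile" -lt 65535 ]; then
        echo "worker_rlimit_nofile is unset or below 65535: pair it with limits.conf nofile"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

To run it against a real file use audit_conf "$(cat /etc/nginx/nginx.conf)"; the exit status makes it usable as a pre-deploy gate. The limits.conf entry above raises the per-login ceiling; worker_rlimit_nofile is what lets the nginx worker itself use that ceiling.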
8. Optimize kernel TCP options 1