面试题：Nginx 的优化思路有哪些？网站的防盗链如何做？

---

前言

这道题就是：Nginx 的优化思路有哪些？网站的防盗链如何做？实际工作中有哪些类似的安全经验？结果支支吾吾半天没讲到重点，结果就可想而知了。。。

所以，今天就带大家来一起重新复习一下这方面的知识点。

---

拓扑图

推荐步骤

1、在Centos01上安装Nginx，设置网站根目录/www使用域名www.huhu.com访问
2、在Centos02上安装DNS使用域名访问Centos01上使用域名www.huhu.com访问，Centos03使用yum安装apache使用域名www.huyan.com访问
3、在www.huhu.com域名的网站隐藏Nginx版本、查看Nginx管理用户、设置网页缓存、配置日志切割、配置Nginx日志切割、设置超时时间
4、在www.huhu.com网站配置防盗链防止www.huyan.com盗 www.huhu.com的连接

在Centos01上安装Nginx，设置网站根目录/www使用域名www.huhu.com访问

挂载Centos7系统光盘

[root@centos01 ~]# mount /dev/cdrom /mnt/  

mount: /dev/sr0 写保护，将以只读方式挂载

创建nginx管理账户

[root@centos01 ~]# useradd -M -s /sbin/nologin nginx  

传输nginx1.16.1文件

[root@centos01 ~]# rz  
z waiting to receive.**B0100000023be50 

安装依赖文件

[root@centos01 ~]# yum -y install pcre-devel zlib-devel  

解压nginx配置文件

[root@centos01 ~]# yum -y install pcre-devel zlib-devel  

修改源代码程序

[root@centos01 ~]# vim /usr/src/nginx-1.16.1/src/core/nginx.h  
13 #define NGINX_VERSION    "7.0"  
14 #define NGINX_VER      "IIS/" NGINX_VERSION  
22 #define NGINX_VAR      "IIS"  

修改Nginx数据包请求头部

[root@centos01 ~]# vim/usr/src/nginx-1.16.1/src/http/ngx_http_header_filter_module.c  
  
49 static u_char ngx_http_server_string[] = "Server: IIS" CRLF;li  

配置Nginx

[root@centos01 ~]# cd /usr/src/nginx-1.16.1/  
[root@centos01 nginx-1.16.1]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module  
#编译安装Nginx  
[root@centos01 nginx-1.16.1]# make && make install  
  
# 优化命令  
[root@centos01 nginx-1.16.1]# ln -s /usr/local/nginx/sbin/* /usr/local/sbin/  
[root@centos01 nginx-1.16.1]# cd  
[root@centos01 ~]# nginx -t  
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok  
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful  
  
# 创建网站根目录www 设置网站主页  
[root@centos01 ~]# mkdir /www/  
[root@centos01 ~]# echo "www.huhu.com" > /www/index.html  
在 Centos03 上安装 DNS 使用域名访问 Centos01 上使用域名http://www.bdqn.com/访问，Centos02 使用 yum 安装 apache 使用域名http://www.benet.com/访问。

配置DNS

centos01配置DNS，重启网卡服务

[root@centos01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32  
[root@centos01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32  
TYPE=Ethernet  
BOOTPROTO=static  
NAME=ens32  
DEVICE=ens32  
ONBOOT=yes  
IPADDR=192.168.100.10  
NATMACK=255.255.255.0  
DNS1=192.168.100.30  
  
[root@centos01 ~]# systemctl restart network  
[root@centos01 ~]# cat /etc/resolv.conf   
# Generated by NetworkManager  
nameserver 192.168.100.30  

centos02配置DNS 重启网卡服务

[root@centos02 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32  
[root@centos02 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32  
TYPE=Ethernet  
BOOTPROTO=static  
NAME=ens32  
DEVICE=ens32  
ONBOOT=yes  
IPADDR=192.168.100.20  
NATMACK=255.255.255.0  
DNS1=192.168.100.30  
  
[root@centos02 ~]# systemctl restart network  
[root@centos02 ~]# cat /etc/resolv.conf   
# Generated by NetworkManager  
nameserver 192.168.100.30  

centos03配置DNS 重启网卡服务

[root@centos03 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32  
[root@centos03 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32  
TYPE=Ethernet  
BOOTPROTO=static  
NAME=ens32  
DEVICE=ens32  
ONBOOT=yes  
IPADDR=192.168.100.30  
NATMACK=255.255.255.0  
DNS1=192.168.100.30  
[root@centos03 ~]# systemctl restart network  
[root@centos03 ~]# cat /etc/resolv.conf   
# Generated by NetworkManager  
nameserver 192.168.100.30  

挂载centos7系统光盘 安装DNS

[root@centos03 ~]# mount /dev/cdrom /mnt/  
mount: /dev/sr0 写保护，将以只读方式挂载  
[root@centos03 ~]# ls /mnt/  
CentOS_BuildTag  EULA  images   LiveOS   repodata        RPM-GPG-KEY-CentOS-Testing-7  
EFI        GPL  isolinux  Packages  RPM-GPG-KEY-CentOS-7  TRANS.TBL  
root@centos03 ~]# rpm -ivh /mnt/Packages/bind-9.9.4-50.el7.x86_64.rpm   
[root@centos03 ~]# rpm -ivh /mnt/Packages/bind-chroot-9.9.4-50.el7.x86_64.rpm 

配置DNS主配置文件

[root@centos03 ~]# echo "" > /etc/named.conf  
[root@centos03 ~]# vim /etc/named.conf  
options {  
    listen-on port 53 { any; };  
    directory "/var/named/";  
};  
zone "huhu.com" IN {  
    type master;  
    file "/var/named/huhu.com.zone";  
};  
zone "huyan.com" IN {  
    type master;  
    file "/var/named/huyan.com.zone";  
};  

配置DNS区域配置文件第一台服务器

[root@centos03 ~]# vim /var/named/huhu.com.zone  
$TTL       86400  
@        SOA       huhu.com.    root.huhu.com. (  
        2023021015  
        1H  
        15M  
        1W  
        1D  
)  
@        NS        centos03.huhu.com.  
centos03     A        192.168.100.30  
www       A        192.168.100.10  
[root@centos03 ~]# named-checkzone huhu.com /var/named/huhu.com.zone  
zone huhu.com/IN: loaded serial 2023021015  
OK  

配置第二台DNS区域配置文件

[root@centos03 ~]# vim /var/named/huyan.com.zone  
$TTL       86400  
@        SOA       huyan.com.    root.huyan.com. (  
        2023021015  
        1H  
        15M  
        1W  
        1D  
)  
@        NS        centos03.huyan.com.  
centos03     A        192.168.100.30  
www       A        192.168.100.20  
[root@centos03 ~]# named-checkzone huyan.com /var/named/huyan.com.zone  
zone huyan.com/IN: loaded serial 2023021015  
OK  

启动DNS服务监听端口

[root@centos03 ~]# systemctl stop named  
[root@centos03 ~]# systemctl start named  
[root@centos03 ~]# netstat -anptu | grep named  
tcp     0    0 192.168.100.30:53    0.0.0.0:*        LISTEN    2430/named        
tcp     0    0 127.0.0.1:53       0.0.0.0:*        LISTEN    2430/named        
tcp     0    0 127.0.0.1:953      0.0.0.0:*        LISTEN    2430/named        
tcp6    0    0 ::1:953         :::*           LISTEN    2430/named        
udp     0    0 192.168.122.1:53     0.0.0.0:*              2430/named        
udp     0    0 192.168.100.30:53    0.0.0.0:*              2430/named        
udp     0    0 127.0.0.1:53       0.0.0.0:*              2430/named  

验证访问 www.huhu.com

挂centos7系统光盘 yum安装apache

[root@centos02 ~]# mount /dev/cdrom /mnt/  
mount: /dev/sr0 写保护，将以只读方式挂载  
[root@centos02 ~]# ls mn  
ls: 无法访问mn: 没有那个文件或目录  
[root@centos02 ~]# ls /mnt/  
CentOS_BuildTag  EFI  EULA  GPL  images  isolinux  LiveOS  Packages  repodata  RPM-GPG-KEY-CentOS-7  RPM-GPG-KEY-CentOS-Testing-7  TRANS.TBL  
[root@centos02 ~]# yum -y install httpd  

设置开机自启 设置网站主页

[root@centos02 ~]# systemctl restart httpd  
[root@centos02 ~]# systemctl enable httpd  
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.  
[root@centos02 ~]# echo "www.huyan.com" > /var/www/html/index.html  

验证访问www.huyan.com

在www.huhu.com域名的网站隐藏Nginx版本、查看Nginx管理用户、设置网页缓存、配置日志切割、配置Nginx日志切割、设置超时时间。

#隐藏版本和优化管理Nginx进程用户 修改Nginx主配置文件  
vim /usr/local/nginx/conf/nginx.conf  
user  nginx;  
worker_processes  1;  
pid     logs/nginx.pid;  
events {  
  worker_connections  1024;  
}  
http {  
  include    mime.types;  
  default_type  application/octet-stream;  
  sendfile     on;  
  keepalive_timeout  65;  
  server_tokens Off;  
  server {  
    listen    192.168.100.10:80;  
    server_name  www.huhu.com;  
    charset utf-8;  
    access_log  logs/www.huhu.com.access.log;  
    location / {  
      root  /www/;  
      index  index.html index.htm;  
        }  
    }  
}  
[root@centos01 ~]# nginx -t  
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok  
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful  
  
#查看Nginx进程  
[root@centos01 ~]# ps -ef | grep nginx  
root    5469    1  0 00:03 ?     00:00:00 nginx: master process nginx  
nginx    5470  5469  0 00:03 ?     00:00:00 nginx: worker process  
root    5472  1186  0 00:03 pts/0   00:00:00 grep --color=auto nginx  

验证隐藏版本

# 设置网页缓存时间 修改Nginx主配置文件支持图片缓存  
[root@centos01 ~]# vim /usr/local/nginx/conf/nginx.conf  
user  nginx;  
worker_processes  1;  
pid     logs/nginx.pid;  
events {  
  worker_connections  1024;  
}  
http {  
  include    mime.types;  
  default_type  application/octet-stream;  
  sendfile     on;  
  keepalive_timeout  65;  
  server_tokens Off;  
  server {  
    listen    192.168.100.10:80;  
    server_name  www.huhu.com;  
    charset utf-8;  
    access_log  logs/www.huhu.com.access.log;  
    location ~ \.(gif|jpg|png|jpeg|bmp|swf)$ {  
      root /www;  
    expires 1d;  
    }  
    location / {  
      root  /www;  
      index  index.html index.htm;  
        }  
    }  
}  
[root@centos01 ~]# nginx -t  
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok  
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful  
  
#设置网页加载图片  
[root@centos01 ~]# cd /www/  
[root@centos01 www]# rz  
[root@centos01 www]# ls  
index.html  logo.jpg  
  
#重启Nginx服务  
[root@centos01 www]# killall nginx  
[root@centos01 www]# killall nginx  
nginx: no process found  
[root@centos01 www]# nginx  
[root@centos01 www]# cd  

验证网页缓存

#配置Nginx日志切割、设置超时时间 创建存储日志切割目录  
[root@centos01 ~]# mkdir /nginx_log  
  
#编写日志切割脚本  
[root@centos01 ~]# vim /opt/nginx_log_.sh  
#!/bin/bash  
d=$(date -d "-1 day" "+%Y%m%d")  
logs_path="/nginx_log/"  
pid_path="/usr/local/nginx/logs/nginx.pid"  
[ -d $logs_path ] || mkdir -p $logs_path  
mv /usr/local/nginx/logs/www.huhu.com.access.log ${logs_path}/www.huhu.com-access.log-$d  
kill -USR1 $(cat $pid_path)   
find $logs_path -mtime +30 |xargs rm -rf  
  
#添加执行权限  
[root@centos01 ~]# chmod +x /opt/nginx_log_.sh  
  
#执行脚本  
[root@centos01 ~]# sh /opt/nginx_log_.sh  
  
#验证切割  
[root@centos01 ~]# ls /nginx_log/  
www.huhu.com-access.log-20230210  
  
#编辑计划任务，十分钟切割一次  
[root@centos01 ~]# crontab -e  
*/10   *    *    *    *    /opt/nginx_log_.sh  

验证Nginx日志切割

#优化Nginx保持连接 修改Nginx主配置文件  
[root@centos01 ~]# vim /usr/local/nginx/conf/nginx.conf  
user  nginx;  
worker_processes  2;  
pid     logs/nginx.pid;  
events {  
  worker_connections  2048;  
}  
http {  
  include    mime.types;  
  default_type  application/octet-stream;  
  sendfile     on;  
  keepalive_timeout  5;  
  server_tokens Off;  
  client_header_timeout 5;  
  client_body_timeout 5;  
  server {  
    listen    192.168.100.10:80;  
    server_name  www.huhu.com;  
    charset utf-8;  
    access_log  logs/www.huhu.com.access.log;  
    location ~ \.(gif|jpg|png|jpeg|bmp|swf)$ {  
      root /www;  
      expires 1d;  
    }  
    location / {  
      root  /www;  
      index  index.html index.htm;  
        }  
    }  
}  
  
#重新启动Nginx  
[root@centos01 ~]# killall nginx  
[root@centos01 ~]# killall nginx  
nginx: no process found  
[root@centos01 ~]#   
[root@centos01 ~]# nginx  
  
#验证优化Nginx保持连接  
[root@centos01 ~]# curl -I www.huhu.com  
HTTP/1.1 200 OK  
Server: IIS  
Date: Fri, 10 Feb 2023 16:45:44 GMT  
Content-Type: text/html; charset=utf-8  
Content-Length: 13  
Last-Modified: Fri, 10 Feb 2023 14:56:16 GMT  
Connection: keep-alive  
ETag: "63e65b10-d"  
Accept-Ranges: bytes  

在www.huhu.com网站配置防盗链防止www.huyan.com盗www.huhu.com的连接

#上传错误图片  
[root@centos01 ~]# cd /www/  
[root@centos01 www]# ls  
index.html  logo.jpg  
[root@centos01 www]# rz  
z waiting to receive.**B0100000023be50  
[root@centos01 www]# ls  
error.png  index.html  logo.jpg  
  
#修改Nginx主配置文件  
user  nginx;  
worker_processes  2;  
pid     logs/nginx.pid;  
events {  
  worker_connections  2048;  
}  
http {  
  include    mime.types;  
  default_type  application/octet-stream;  
  sendfile     on;  
  server {  
    listen    192.168.100.10:80;  
    server_name  www.huhu.com;  
    charset utf-8;  
    access_log  logs/www.huhu.com.access.log;  
    location ~* \.(gif|jpg|swf)$ {  
        valid_referers none blocked *.huhu.com huhu.com;  
        if ($invalid_referer) {  
        rewrite ^/ http://www.huhu.com/error.png;  
    }  
}  
    location / {  
      root  /www;  
      index  index.html index.htm;  
        }  
    }  
}  
[root@centos01 ~]# nginx -t  
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok  
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful  
  
#重新启动Nginx  
[root@centos01 ~]# killall nginx  
[root@centos01 ~]# killall nginx  
nginx: no process found  
[root@centos01 ~]#   
[root@centos01 ~]# nginx  
  
#centos02模拟盗取centos01链接  
[root@centos02 ~]# vim /var/www/html/index.html  
www.huyan.com  
<img src="http://www.huhu.com/logo.jpg" />  

重启服务

[root@centos02 ~]# systemctl restart httpd  

验证防盗链

centos01图片