面试官问：Nginx优化思路有哪些？网站如何实现防盗链？

前几天，有个读者向我吐槽，找了很久的工作，好不容易熬到到了二面（技术面，如果过了就基本定了）。谁知道没有准备充分，被一道题给直接挂掉了。

这道题就是：Nginx 的优化思路有哪些？网站的防盗链如何做？实际工作中有哪些类似的安全经验？结果支支吾吾半天没讲到重点，结果就可想而知了。。。

所以，今天就带大家来一起重新复习一下这方面的知识点。

拓扑图

推荐步骤 1、在Centos01上安装Nginx，设置网站根目录/www使用域名www.huhu.com访问

2、在Centos02上安装DNS使用域名访问Centos01上使用域名www.huhu.com访问，Centos03使用yum安装apache使用域名www.huyan.com访问

3、在www.huhu.com域名的网站隐藏Nginx版本、查看Nginx管理用户、设置网页缓存、配置日志切割、配置Nginx日志切割、设置超时时间

4、在www.huhu.com网站配置防盗链防止www.huyan.com盗 www.huhu.com的连接

一、在Centos01上安装Nginx，设置网站根目录/www使用域名www.huhu.com访问

挂载Centos7系统光盘

[root@centos01 ~]# mount /dev/cdrom /mnt/


mount: /dev/sr0 写保护，将以只读方式挂载

创建nginx管理账户

[root@centos01 ~]# useradd -M -s /sbin/nologin nginx传输nginx1.16.1文件[root@centos01 ~]# rz
z waiting to receive.**B0100000023be50
安装依赖文件[root@centos01 ~]# yum -y install pcre-devel zlib-devel
解压nginx配置文件[root@centos01 ~]# yum -y install pcre-devel zlib-devel
修改源代码程序[root@centos01 ~]# vim /usr/src/nginx-1.16.1/src/core/nginx.h
13 #define NGINX_VERSION "7.0"
14 #define NGINX_VER "IIS/" NGINX_VERSION
22 #define NGINX_VAR "IIS"
修改Nginx数据包请求头部[root@centos01 ~]# vim/usr/src/nginx-1.16.1/src/http/ngx_http_header_filter_module.c

49 static u_char ngx_http_server_string[] = "Server: IIS" CRLF;li配置Nginx[root@centos01 ~]# cd /usr/src/nginx-1.16.1/
[root@centos01 nginx-1.16.1]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
#编译安装Nginx
[root@centos01 nginx-1.16.1]# make && make install

# 优化命令
[root@centos01 nginx-1.16.1]# ln -s /usr/local/nginx/sbin/* /usr/local/sbin/
[root@centos01 nginx-1.16.1]# cd
[root@centos01 ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

# 创建网站根目录www 设置网站主页
[root@centos01 ~]# mkdir /www/
[root@centos01 ~]# echo "www.huhu.com" > /www/index.html


二、在 Centos03 上安装 DNS 使用域名访问 Centos01 上使用域名http://www.bdqn.com/访问，Centos02 使用 yum 安装 apache 使用域名http://www.benet.com/访问。

配置DNS

1）centos01配置DNS，重启网卡服务

[root@centos01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32
[root@centos01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
BOOTPROTO=static
NAME=ens32
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.100.10
NATMACK=255.255.255.0
DNS1=192.168.100.30

[root@centos01 ~]# systemctl restart network
[root@centos01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.100.30
2）centos02配置DNS 重启网卡服务[root@centos02 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32
[root@centos02 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
BOOTPROTO=static
NAME=ens32
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.100.20
NATMACK=255.255.255.0
DNS1=192.168.100.30

[root@centos02 ~]# systemctl restart network
[root@centos02 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.100.30
3）centos03配置DNS 重启网卡服务[root@centos03 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32
[root@centos03 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
BOOTPROTO=static
NAME=ens32
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.100.30
NATMACK=255.255.255.0
DNS1=192.168.100.30
[root@centos03 ~]# systemctl restart network
[root@centos03 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.100.30
挂载centos7系统光盘 安装DNS[root@centos03 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 写保护，将以只读方式挂载
[root@centos03 ~]# ls /mnt/
CentOS_BuildTag EULA images LiveOS repodata RPM-GPG-KEY-CentOS-Testing-7
EFI GPL isolinux Packages RPM-GPG-KEY-CentOS-7 TRANS.TBL
root@centos03 ~]# rpm -ivh /mnt/Packages/bind-9.9.4-50.el7.x86_64.rpm
[root@centos03 ~]# rpm -ivh /mnt/Packages/bind-chroot-9.9.4-50.el7.x86_64.rpm
配置DNS主配置文件[root@centos03 ~]# echo "" > /etc/named.conf
[root@centos03 ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
directory "/var/named/";
};
zone "huhu.com" IN {
type master;
file "/var/named/huhu.com.zone";
};
zone "huyan.com" IN {
type master;
file "/var/named/huyan.com.zone";
};
配置DNS区域配置文件第一台服务器[root@centos03 ~]# vim /var/named/huhu.com.zone
$TTL 86400
@ SOA huhu.com. root.huhu.com. (
2023021015
1H
15M
1W
1D
)
@ NS centos03.huhu.com.
centos03 A 192.168.100.30
www A 192.168.100.10
[root@centos03 ~]# named-checkzone huhu.com /var/named/huhu.com.zone
zone huhu.com/IN: loaded serial 2023021015
OK
配置第二台DNS区域配置文件[root@centos03 ~]# vim /var/named/huyan.com.zone
$TTL 86400
@ SOA huyan.com. root.huyan.com. (
2023021015
1H
15M
1W
1D
)
@ NS centos03.huyan.com.
centos03 A 192.168.100.30
www A 192.168.100.20
[root@centos03 ~]# named-checkzone huyan.com /var/named/huyan.com.zone
zone huyan.com/IN: loaded serial 2023021015
OK
启动DNS服务监听端口[root@centos03 ~]# systemctl stop named
[root@centos03 ~]# systemctl start named
[root@centos03 ~]# netstat -anptu | grep named
tcp 0 0 192.168.100.30:53 0.0.0.0:* LISTEN 2430/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2430/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2430/named
tcp6 0 0 ::1:953 :::* LISTEN 2430/named
udp 0 0 192.168.122.1:53 0.0.0.0:* 2430/named
udp 0 0 192.168.100.30:53 0.0.0.0:* 2430/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2430/named
验证访问 www.huhu.com

挂centos7系统光盘 yum安装apache[root@centos02 ~]# mount /dev/cdrom /mnt/
mount: /dev/sr0 写保护，将以只读方式挂载
[root@centos02 ~]# ls mn
ls: 无法访问mn: 没有那个文件或目录
[root@centos02 ~]# ls /mnt/
CentOS_BuildTag EFI EULA GPL images isolinux LiveOS Packages repodata RPM-GPG-KEY-CentOS-7 RPM-GPG-KEY-CentOS-Testing-7 TRANS.TBL
[root@centos02 ~]# yum -y install httpd
设置开机自启 设置网站主页[root@centos02 ~]# systemctl restart httpd
[root@centos02 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@centos02 ~]# echo "www.huyan.com" > /var/www/html/index.html
验证访问www.huyan.com

三、在www.huhu.com域名的网站隐藏Nginx版本、查看Nginx管理用户、设置网页缓存、配置日志切割、配置Nginx日志切割、设置超时时间。

#隐藏版本和优化管理Nginx进程用户 修改Nginx主配置文件
vim /usr/local/nginx/conf/nginx.conf
user nginx;
worker_processes 1;
pid logs/nginx.pid;
events {
worker_connections 1024;
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server_tokens Off;
server {
listen 192.168.100.10:80;
server_name www.huhu.com;
charset utf-8;
access_log logs/www.huhu.com.access.log;
location / {
root /www/;
index index.html index.htm;

[root@centos01 ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

#查看Nginx进程
[root@centos01 ~]# ps -ef | grep nginx
root 5469 1 0 00:03 ? 00:00:00 nginx: master process nginx
nginx 5470 5469 0 00:03 ? 00:00:00 nginx: worker process
root 5472 1186 0 00:03 pts/0 00:00:00 grep --color=auto nginx


验证隐藏版本

# 设置网页缓存时间 修改Nginx主配置文件支持图片缓存
[root@centos01 ~]# vim /usr/local/nginx/conf/nginx.conf
user nginx;
worker_processes 1;
pid logs/nginx.pid;
events {
worker_connections 1024;
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server_tokens Off;
server {
listen 192.168.100.10:80;
server_name www.huhu.com;
charset utf-8;
access_log logs/www.huhu.com.access.log;
location ~ \.(gif|jpg|png|jpeg|bmp|swf)$ {
root /www;
expires 1d;
location / {
root /www;
index index.html index.htm;

[root@centos01 ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

#设置网页加载图片
[root@centos01 ~]# cd /www/
[root@centos01 www]# rz
[root@centos01 www]# ls
index.html logo.jpg

#重启Nginx服务
[root@centos01 www]# killall nginx
[root@centos01 www]# killall nginx
nginx: no process found
[root@centos01 www]# nginx
[root@centos01 www]# cd


验证网页缓存

#配置Nginx日志切割、设置超时时间 创建存储日志切割目录
[root@centos01 ~]# mkdir /nginx_log

#编写日志切割脚本
[root@centos01 ~]# vim /opt/nginx_log_.sh
#!/bin/bash
d=$(date -d "-1 day" "+%Y%m%d")
logs_path="/nginx_log/"
pid_path="/usr/local/nginx/logs/nginx.pid"
[ -d $logs_path ] || mkdir -p $logs_path
mv /usr/local/nginx/logs/www.huhu.com.access.log ${logs_path}/www.huhu.com-access.log-$d
kill -USR1 $(cat $pid_path)
find $logs_path -mtime +30 |xargs rm -rf

#添加执行权限
[root@centos01 ~]# chmod +x /opt/nginx_log_.sh

#执行脚本
[root@centos01 ~]# sh /opt/nginx_log_.sh

#验证切割
[root@centos01 ~]# ls /nginx_log/
www.huhu.com-access.log-20230210

#编辑计划任务，十分钟切割一次
[root@centos01 ~]# crontab -e
*/10 * * * * /opt/nginx_log_.sh
验证Nginx日志切割

#优化Nginx保持连接 修改Nginx主配置文件
[root@centos01 ~]# vim /usr/local/nginx/conf/nginx.conf
user nginx;
worker_processes 2;
pid logs/nginx.pid;
events {
worker_connections 2048;
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 5;
server_tokens Off;
client_header_timeout 5;
client_body_timeout 5;
server {
listen 192.168.100.10:80;
server_name www.huhu.com;
charset utf-8;
access_log logs/www.huhu.com.access.log;
location ~ \.(gif|jpg|png|jpeg|bmp|swf)$ {
root /www;
expires 1d;
location / {
root /www;
index index.html index.htm;



#重新启动Nginx
[root@centos01 ~]# killall nginx
[root@centos01 ~]# killall nginx
nginx: no process found
[root@centos01 ~]#
[root@centos01 ~]# nginx

#验证优化Nginx保持连接
[root@centos01 ~]# curl -I www.huhu.com
HTTP/1.1 200 OK
Server: IIS
Date: Fri, 10 Feb 2023 16:45:44 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 13
Last-Modified: Fri, 10 Feb 2023 14:56:16 GMT
Connection: keep-alive
ETag: "63e65b10-d"
Accept-Ranges: bytes
四、在www.huhu.com网站配置防盗链防止www.huyan.com盗www.huhu.com的连接#上传错误图片
[root@centos01 ~]# cd /www/
[root@centos01 www]# ls
index.html logo.jpg
[root@centos01 www]# rz
z waiting to receive.**B0100000023be50
[root@centos01 www]# ls
error.png index.html logo.jpg

#修改Nginx主配置文件
user nginx;
worker_processes 2;
pid logs/nginx.pid;
events {
worker_connections 2048;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
server {
listen 192.168.100.10:80;
server_name www.huhu.com;
charset utf-8;
access_log logs/www.huhu.com.access.log;
location ~* \.(gif|jpg|swf)$ {
valid_referers none blocked *.huhu.com huhu.com;
if ($invalid_referer) {
rewrite ^/ http://www.huhu.com/error.png;
}
}
location / {
root /www;
index index.html index.htm;
}
}
}
[root@centos01 ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

#重新启动Nginx
[root@centos01 ~]# killall nginx
[root@centos01 ~]# killall nginx
nginx: no process found
[root@centos01 ~]#
[root@centos01 ~]# nginx

#centos02模拟盗取centos01链接
[root@centos02 ~]# vim /var/www/html/index.html
www.huyan.com
"http://www.huhu.com/logo.jpg" />


重启服务

[root@centos02 ~]# systemctl restart httpd


验证防盗链

centos01图片

作者：蔚蓝的珊瑚海 https://blog.51cto.com/u_15829479/6076322

公众号“Java精选”所发表内容注明来源的，版权归原出处所有（无法查证版权的或者未注明出处的均来自网络，系转载，转载的目的在于传递更多信息，版权属于原作者。如有侵权，请联系，笔者会第一时间删除处理！

最近有很多人问，有没有读者交流群！加入方式很简单，公众号Java精选，回复“加群”，即可入群！

https://www.yoodb.com：3000+道面试题，包含Java基础、并发、JVM、线程、MQ系列、Redis、Spring系列、Elasticsearch、Docker、K8s、Flink、Spark、架构设计等，在线随时刷题！

特别推荐：专注分享最前沿的技术与资讯，为弯道超车做好准备及各种开源项目与高效率软件的公众号，「大咖笔记」，专注挖掘好东西，非常值得大家关注。点击下方公众号卡片关注。

文章有帮助的话，点在看，转发吧！