nginx

隐藏Nginx版本号

服务器需要隐藏nginx版本号
1 修改/etc/nginx/nginx.conf

http {
...
        server_tokens off;
...
}

2 修改/etc/nginx/fastcgi_params

fastcgi_param  SERVER_SOFTWARE        nginx;

Tags:

星期一, 六月 4th, 2012 服务器 没有评论

解决nginx+FastCGI经常报502的问题

1查看php4-cgi打开数量

sudo netstat -anpo | grep “php5-cgi” | wc -l

2设置nginx.conf参数
http
{
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
}

Tags:

星期二, 四月 3rd, 2012 服务器 没有评论

迅速修复nginx fcgi方式配置漏洞

2010年5月20日,80后爆nginx 0day漏洞,上传图片可入侵100万服务器。目前已经有好几个大型互联网公司被入侵了,公司类型包括电子商务、游戏、SNS等。

现在看来,这个漏洞不属于Nginx的漏洞. 是配置的问题, 现在到处都在说是Nginx的Bug,关闭fix_pathinfo(默认是开启的).就可以解决

临时修复方法如下,可3选其一。

1、设置php.ini的cgi.fix_pathinfo为0,重启php。最方便,但修改设置的影响需要自己评估。

2、给nginx的vhost配置添加如下内容,重启nginx。vhost较少的情况下也很方便。

if ( $fastcgi_script_name ~ \..*\/.*php ) {
return 403;
}

3、禁止上传目录解释PHP程序。不需要动webserver,如果vhost和服务器较多,短期内难度急剧上升;建议在vhost和服务器较少的情况下采用。

› Continue reading

Tags: ,

星期五, 五月 21st, 2010 服务器 没有评论

nginx的stub_status状态信息解释

打开nginx的stub_status可以通过页面链接看到如下信息

Active connections: 353
server accepts handled requests
 532423 532423 3283276
Reading: 1 Writing: 1 Waiting: 351

他们是啥意思呢,解释如下
active connections:353 #nginx 正处理的活动连接数 353个。
server accepts handled requests
nginx启动到现在共处理了 532423个连接 ,
nginx启动到现在共成功创建 532423 次握手 ,
请求丢失数=(握手-连接),可以看出,我们没丢请求
总共处理了3283276 次请求。
Reading :nginx 读取到客户端的 Header 信息数。
Writing : nginx 返回给客户端的 Header 信息数。
Waiting : Nginx 已经处理完正在等候下一次请求指令的驻留连接。开启 keep-alive 的情况下,这个值等于 active – (reading + writing)。

Tags: ,

星期五, 四月 2nd, 2010 服务器 没有评论

Nginx的防盗链模块NginxHttpAccessKeyModule

1 下载

bear@njava:/$wget http://wiki.nginx.org/images/5/51/Nginx-accesskey-2.0.3.tar.gz

2 配置

bear@njava:/$tar -xzvf Nginx-accesskey-2.0.3.tar.gz
bear@njava:/$vi ../nginx-accesskey-2.0.3/config
USE_MD5=YES
USE_SHA1=YES
ngx_addon_name=ngx_http_accesskey_module
#HTTP_MODULES="$HTTP_MODULES $HTTP_ACCESSKEY_MODULE"
HTTP_MODULES="$HTTP_MODULES ngx_http_accesskey_module"
NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_accesskey_module.c"

3 重编译nginx

bear@njava:~/nginx-0.8.34# ./configure --conf-path=/etc/nginx/nginx.conf \--error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --with-debug --with-http_stub_status_module --with-http_flv_module --with-http_ssl_module --with-http_dav_module --with-http_gzip_static_module --with-mail --with-mail_ssl_module --with-ipv6 --with-http_realip_module --with-http_geoip_module --with-http_xslt_module --with-http_image_filter_module --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --add-module=../gnosek-nginx-upstream-fair-2131c73 --add-module=../nginx-accesskey-2.0.3

4 配置NginxHttpAccessKeyModule

bear@njava:~/nginx-0.8.34$ vi /etc/nginx/sites-available/njava
       location /test {
         accesskey             on;
         accesskey_hashmethod  md5;
         accesskey_arg         "abc";
         accesskey_signature   "njavakey$remote_addr";
         }

5 重启nginx

6 使用
使用的时候参考代码如下:

function get_acc_url($url){
  return $url."?abc=" . md5('njavakey' . $_SERVER['REMOTE_ADDR']);
}

7 代码测试
http://www.njava.com/a.php

Tags: , ,

星期二, 三月 30th, 2010 服务器 没有评论

隐藏nginx的版本号

1 设置nginx.conf的http段参数server_tokens;

bear@njava:~/nginx-0.8.34# sudo vi /etc/nginx/nginx.conf

user www-data;
worker_processes  2;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
    # multi_accept on;
}

http {
    include       /etc/nginx/mime.types;

    server_tokens off;
.....

2 重新编译nginx
修改nginx的代码,重新编译

bear@njava:~/nginx-0.8.34/src/http# vi ngx_http_header_filter_module.c 
/*
static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
*/
static char ngx_http_server_string[] = "Server: njava/4.1.6" CRLF;
static char ngx_http_server_full_string[] = "Server: njava server /4.1.6" CRLF;

Tags: , , ,

星期二, 三月 30th, 2010 服务器 没有评论

在ubuntu9.10下用awstats分析nginx日志

1 下载awstats
sudo apt-get install awstats 弄下来的版本在执行awstats_configure.pl时候找不到wwwroot目录结构,所以重新直接下载awstats了

bear@njava:~$axel http://prdownloads.sourceforge.net/awstats/awstats-6.95.tar.gz
bear@njava:~$tar xzvf awstats-6.95.tar.gz

2 执行配置脚本
先把 awstats目录复制到/usr/local/awstats,脚本是按照这个目录结构去执行的,如果不是在这/usr/local/awstats里,运行时回提示的

bear@njava:/usr/local/awstats/tools$ sudo ./awstats_configure.pl 
[sudo] password for bear: 

----- AWStats awstats_configure 1.0 (build 1.8) (c) Laurent Destailleur -----
This tool will help you to configure AWStats to analyze statistics for
one web server. You can try to use it to let it do all that is possible
in AWStats setup, however following the step by step manual setup
documentation (docs/index.html) is often a better idea. Above all if:
- You are not an administrator user,
- You want to analyze downloaded log files without web server,
- You want to analyze mail or ftp log files instead of web log files,
- You need to analyze load balanced servers log files,
- You want to 'understand' all possible ways to use AWStats...
Read the AWStats documentation (docs/index.html).

-----> Running OS detected: Linux, BSD or Unix

-----> Check for web server install

Enter full config file path of your Web server.
Example: /etc/httpd/httpd.conf
Example: /usr/local/apache2/conf/httpd.conf
Example: c:\Program files\apache group\apache\conf\httpd.conf
Config file path ('none' to skip web server setup):
> none     #因为没法自动配置nginx,所以none

Your web server config file(s) could not be found.
You will need to setup your web server manually to declare AWStats
script as a CGI, if you want to build reports dynamically.
See AWStats setup documentation (file docs/index.html)

-----> Update model config file '/usr/local/awstats/wwwroot/cgi-bin/awstats.model.conf'
  File awstats.model.conf updated.

-----> Need to create a new config file ?
Do you want me to build a new AWStats config/profile
file (required if first install) [y/N] ? y  

-----> Define config file name to create
What is the name of your web site or profile analysis ?
Example: www.mysite.com
Example: demo
Your web site, virtual server or profile name:
> www.njava.com   #配置名字

-----> Define config file path
In which directory do you plan to store your config file(s) ?
Default: /etc/awstats
Directory path to store config file(s) (Enter for default):
> 

-----> Create config file '/etc/awstats/awstats.www.njava.com.conf'
 Config file /etc/awstats/awstats.www.njava.com.conf created.

-----> Add update process inside a scheduler
Sorry, configure.pl does not support automatic add to cron yet.
You can do it manually by adding the following command to your cron:
/usr/local/awstats/wwwroot/cgi-bin/awstats.pl -update -config=www.njava.com
Or if you have several config files and prefer having only one command:
/usr/local/awstats/tools/awstats_updateall.pl now
Press ENTER to continue... 


A SIMPLE config file has been created: /etc/awstats/awstats.www.njava.com.conf
You should have a look inside to check and change manually main parameters.
You can then manually update your statistics for 'www.njava.com' with command:
> perl awstats.pl -update -config=www.njava.com
You can also build static report pages for 'www.njava.com' with command:
> perl awstats.pl -output=pagetype -config=www.njava.com

Press ENTER to finish...

bear@njava:/usr/local/awstats/tools$ 

3 修改awstats配置文件
修改awstats.conf

bear@njava:/usr/local/awstats/tools$ sudo vi /etc/awstats/awstats.conf
# LogFormat = 1
# LogFormat = "%host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
#
# Example for IIS:
# LogFormat = 2
#
LogFormat =1  #继续使用apache的默认格式

AllowToUpdateStatsFromBrowser=1 #允许浏览器刷新,njava的流量小,这个可以有

Include "/etc/awstats/awstats.www.njava.com.conf" #包含njava的配置

4 修改nginx的日志格式

bear@njava:/etc/awstats$sudo  vi /etc/nginx/nginx.conf
user www-data;
worker_processes  2;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
    # multi_accept on;
}

http {
    include       /etc/nginx/mime.types;

    #main 把nginx的输出日志定义成了apache格式的日志
     log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" $http_x_forwarded_for';

    access_log  /var/log/nginx/access.log main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    tcp_nodelay        on;

    gzip  on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

4 修改awstats.www.njava.com.conf

bear@njava:/usr/local/awstats/tools$ sudo vi /etc/awstats/awstats.conf
LogFile="/var/log/nginx/www.njava.access.log"

要看相应域名下的日志使用
http://awstats.njava.com/awstats.pl?config=cdn.njava.com

5 配置nginx
先确保了nginx已经代理了nginx-fcgi,可以参看 xxx

bear@njava:/etc/awstats$ vi /etc/nginx/sites-enabled/awstats.njava.com  

server {
        listen   80;
        server_name awstats.njava.com;

        access_log   /var/log/nginx/awstats.log main;
        error_log    /var/log/nginx/awstats_error.log;

        root /usr/local/awstats/wwwroot;
        #auth_basic   "Restricted";
       #auth_basic_user_file  /etc/nginx/conf/awstats;

        location / {
             rewrite ^ /awstats.pl?config=freshventure.info;
        }

        location ~ .*(\.cgi|\.pl?)$ {
               gzip off; #gzip makes scripts feel slower since they have to complete before getting gzipped
               root /usr/local/awstats/wwwroot/cgi-bin;
               #fastcgi_pass 127.0.0.1:8000;
                fastcgi_pass   unix:/tmp/nginx-fcgi.sock;
                fastcgi_index awstats.pl;
               fastcgi_param SCRIPT_FILENAME            $document_root$fastcgi_script_name;
               include        fastcgi_params;
        }

         location /icon {
                alias /usr/local/awstats/wwwroot/icon;
  location /icon {
                alias /usr/local/awstats/wwwroot/icon;
        }
  location /js {
                alias /usr/local/awstats/wwwroot/js;
        }

  location /css {
                alias /usr/local/awstats/wwwroot/css;
        }

  location /classes {
                alias /usr/local/awstats/wwwroot/classes;
        }
}

为目录添加用户验证

bear@njava:/etc/nginx/conf$ sudo htpasswd -c awstats admin
New password: 
Re-type new password: 
Adding password for user admin
bear@njava:/etc/nginx/conf$

可以把/etc/nginx/sites-enabled/awstats.njava.com中出现的这个注释掉了
#auth_basic “Restricted”;
#auth_basic_user_file /etc/nginx/conf/awstats;

Tags: , ,

星期一, 三月 29th, 2010 服务器 没有评论

nginx目录验证

建立一个密码文件,然后设置nginx设置

bear@njava:/$ sudo mkdir /etc/nginx/conf
bear@njava:/$ sudo htpasswd -c /etc/nginx/conf/passwd njava
bear@njava:/$ sudo vi /etc/nginx/sites-available/njava
location ~ ^/xxx/  {
      root    /data/htdocs/xxx;
      auth_basic              "input your username and password";
      auth_basic_user_file /etc/nginx/conf/passwd;
}

Tags: ,

星期日, 三月 28th, 2010 服务器 没有评论

nginx限制并发连接

做法:定义一个叫“limit”的记录区,总容量为 10M,以变量 $binary_remote_addr 作为会话的判断基准

修改nginx配置

bear@njava:/$ sudo vi /etc/nginx/sites-available/njava

limit_zone   limit  $binary_remote_addr  10m;
server {
location /download/ {
limit_conn   limit  1;
}

Tags: ,

星期日, 三月 28th, 2010 服务器 没有评论

在ubuntu9.10下用cacti监控nginx运行

Cacti 在英文中的意思是仙人掌的意思,Cacti是一套基于PHP,MySQL,SNMP及RRDTool开发的网络流量监测图形分析工具。它通过snmpget来获取数据,使用 RRDtool绘画图形,而且你完全可以不需要了解RRDtool复杂的参数。它提供了非常强大的数据和用户管理功能,可以指定每一个用户能查看树状结 构、host以及任何一张图,还可以与LDAP结合进行用户验证,同时也能自己增加模板,功能非常强大完善。http://www.cacti.net/

1 安装cacti

bear@njava:/$  sudo apt-get install cacti-cactid 

2 下载cacti-nginx脚本

bear@njava:/$ wget http://forums.cacti.net/download.php?id=12676
bear@njava:/$ tar -xzvf cacti-nginx.tar.gz
bear@njava:/$ sudo cp cacti-nginx/get_nginx_socket_status.pl /usr/share/cacti/site/scripts
bear@njava:/$ sudo cp cacti-nginx/get_nginx_clients_status.pl /usr/share/cacti/site/scripts
bear@njava:/$ sudo chmod 755 /usr/share/cacti/site/scripts/get_nginx*

3 检查脚本

bear@njava:/$ /usr/share/cacti/site/scripts/get_nginx_socket_status.pl http://www.njava.com/nginx_status

4 配置cacti的nginx虚拟主机

 
bear@njava:$ sudo vi /etc/nginx/sites-available/cacti
server {
        listen   80;
        server_name cacti.njava.com;
        access_log  /var/log/nginx/cacti.access.log;

        location / {
                root   /usr/share/cacti/site;
                index  index.html index.htm index.php;
        }

        location ~ \.php$ {
                fastcgi_pass unix:/tmp/php-cgi.njava.sock;
                fastcgi_index index.php;
                set $path_info "/";
                set $real_script_name $fastcgi_script_name;
                if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
                    set $real_script_name $1;
                    set $path_info $2;
                }
               fastcgi_param SCRIPT_FILENAME /usr/share/cacti/site/$real_script_name;
               fastcgi_param script_name $real_script_name;
               fastcgi_param path_info $path_info;
               include /etc/nginx/fastcgi_params;
        }
}

bear@njava:$ sudo ln -s /etc/nginx/sites-available/cacti  /etc/nginx/sites-enable/cacti

bear@njava:$ sudo /etc/init.d/nginx reload

5 从cacti的UI上传cacti模板

cacti_graph_template_nginx_clients_stat.xml
cacti_graph_template_nginx_sockets_stat.xml

Tags: , ,

星期日, 三月 28th, 2010 服务器 没有评论
Pages: 1 2 Next
1LMooBmUE153Wnd3zDryWvDyXxQudbFxDr