wordpress建站 发表于 2021-8-31 00:23:01

PHP+NGINX服务器性能安全优化

本文适用于 php7.4+NGINX环境,适用于运行 wordpress 环境
一、更新服务器

sudo apt update
二、命令快捷缩写设置

通过ssh登录服务器,在用户目录下执行以下命令
sudo nano .bashrc
alias ngt='sudo nginx -t'
alias ngr='sudo systemctl reload nginx'
alias fpmr='sudo systemctl reload php7.4-fpm'
alias rr='sudo systemctl restart redis'
alias mdr='sudo systemctl restart mariadb'
alias rb='sudo reboot'
alias fup='sudo apt-get -y update;sudo apt-get -y full-upgrade;sudo apt-get -y autoremove; sudo apt-get -y autoclean'
按CTRL+S保存, CTRL+X退出
执行
source .bashrc
重启服务器使简化命令生效
后面要重启 nginx 或者 重载 nginx 只需要执行 ngt 或者 ngr 即可!
三、设置 nginx.conf

通常位于 /etc/nginx 目录下
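# HTTP Header Server Delete for information leak
# Requires the headers-more module (Debian/Ubuntu package
# libnginx-mod-http-headers-more-filter); nginx refuses to start if the .so is missing.
load_module modules/ngx_http_headers_more_filter_module.so;

# Run as a unique, less privileged user for security reasons.
# Default: nobody nobody
user www-data www-data;

# Sets the worker threads to the number of CPU cores available in the system for best performance.
# Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
worker_processes auto;

# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
worker_rlimit_nofile 15000;

events {
    # If you need more connections than this, you start optimizing your OS.
    # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
    # Should be < worker_rlimit_nofile.
    # Default: 512
    worker_connections 4096;
    multi_accept on;
    use epoll;
}

# Log errors to this file
# This is only used when you don't override it on a server{} level
# Default: logs/error.log error
error_log /var/log/nginx/error.log error;

# The file storing the process ID of the main process
# Default: nginx.pid
pid /var/run/nginx.pid;

http {
    # Basic Settings
    # server_tokens off only hides the version number; removing the Server
    # header entirely is what more_clear_headers (headers-more module) does.
    server_tokens off;
    more_clear_headers 'Server';
    server_names_hash_bucket_size 64;

    # Webp Map Directives
    map $http_accept $webp_suffix {
        default "";
        "~*webp" ".webp";
    }

    # Specify MIME types for files.
    include mime.types;

    # Rate Limit
    # Zone "one" is keyed on the client socket address. Behind a CDN or reverse
    # proxy every visitor arrives from the proxy's address and shares one bucket,
    # so in that setup key the zone on the forwarded client address instead.
    limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;

    # Default: text/plain
    # (The original had "default_typeapplication/octet-stream;" — the missing space
    # makes nginx reject it as an unknown directive and `nginx -t` fails.)
    default_type application/octet-stream;

    # Update charset_types to match updated mime.types.
    # text/html is always included by charset module.
    # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
    charset_types
        text/css
        text/plain
        text/vnd.wap.wml
        application/javascript
        application/json
        application/rss+xml
        application/xml;

    # Include $http_x_forwarded_for within default format used in log files
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Log access to this file
    # This is only used when you don't override it on a server{} level
    # Default: logs/access.log combined
    # NOTE(review): the original had `access_log none;`. "none" is not a keyword —
    # nginx would write to a file literally named "none" under its prefix; the
    # keyword to disable logging is `off`. Turning access logs off also removes
    # the only per-request trail available when investigating an incident, so
    # the log is kept here with write buffering to limit the I/O cost.
    # Use `access_log off;` only if you really want no access log at all.
    access_log /var/log/nginx/access.log main buffer=32k flush=5s;

    # How long to allow each connection to stay idle.
    # Longer values are better for each individual client, particularly for SSL,
    # but means that worker connections are tied up longer.
    # Default: 75s
    keepalive_timeout 100s;
    keepalive_requests 1000;

    # Timeout for reading client request body.
    # Default: 60s
    client_body_timeout 3m;

    # Timeout for reading client request header.
    # Default: 60s
    # NOTE(review): 3m is three times the default; a slow or idle client holds a
    # worker connection for that long, which widens the window for slow-request
    # connection exhaustion. Raise these only if real clients need it.
    client_header_timeout 3m;

    # Timeout for transmitting response to client.
    # Default: 60s
    send_timeout 3m;

    # Set the maximum allowed size of client request body. This should be set
    # to the value of files sizes you wish to upload to the server.
    # You may also need to change the values `upload_max_filesize` and `post_max_size` within
    # your php.ini for the changes to apply.
    # Default: 1mB
    client_max_body_size 64m;
    client_body_buffer_size 10k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 32k;

    # Some WP plugins that push large amounts of data via cookies
    # can cause 500 HTTP errors if these values aren't increased.
    # Default: 8 4k|8k;
    fastcgi_buffers 16 16k;

    # Default: 4k|8k
    fastcgi_buffer_size 32k;

    # Some other Fastcgi configs
    fastcgi_busy_buffers_size 64k;
    fastcgi_temp_file_write_size 64k;
    fastcgi_read_timeout 300;

    # File Handler Cache
    open_file_cache max=1500 inactive=30s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;

    # Speed up file transfers by using sendfile() to copy directly
    # between descriptors rather than using read()/write().
    # For performance reasons, on FreeBSD systems w/ ZFS
    # this option should be disabled as ZFS's ARC caches
    # frequently used files in RAM by default.
    # Default: off
    sendfile on;

    # Don't send out partial frames; this increases throughput
    # since TCP frames are filled up before being sent out.
    # Default: off
    tcp_nopush on;

    # Enable gzip compression.
    # Default: off
    gzip on;
    gzip_disable "msie6";
    gzip_buffers 16 8k;
    gzip_http_version 1.1;

    # Compression level (1-9).
    # 5 is a perfect compromise between size and CPU usage, offering about
    # 75% reduction for most ASCII files (almost identical to level 9).
    # Default: 1
    gzip_comp_level 5;

    # Don't compress anything that's already small and unlikely to shrink much
    # if at all (the default is 20 bytes, which is bad as that usually leads to
    # larger files after gzipping).
    # Default: 20
    gzip_min_length 256;

    # Compress data even for clients that are connecting to us via proxies,
    # identified by the "Via" header (required for CloudFront).
    # Default: off
    gzip_proxied any;

    # Tell proxies to cache both the gzipped and regular version of a resource
    # whenever the client's Accept-Encoding capabilities header varies;
    # Avoids the issue where a non-gzip capable client (which is extremely rare
    # today) would display gibberish if their proxy gave them the gzipped version.
    # Default: off
    gzip_vary on;

    # Compress all output labeled with one of the following MIME-types.
    # text/html is always compressed by gzip module.
    # Default: text/html
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;

    # This should be turned on if you are going to have pre-compressed copies (.gz) of
    # static files available. If not it should be left off as it will cause extra I/O
    # for the check. It is best if you enable this in a location{} block for
    # a specific directory, or on an individual server{} level.
    # gzip_static on;

    # Include files in the sites-enabled folder. server{} configuration files should be
    # placed in the sites-available folder, and then the configuration should be enabled
    # by creating a symlink to it in the sites-enabled folder.
    # See doc/sites-enabled.md for more info.
    include sites-enabled/*;
}

四、设置站点nginx设置 [防止攻击]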

位置通常位于 /etc/nginx/sites-available/{{domain}}/server
1、新建 block-agent.conf
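sudo nano block-agent.conf
###
# BLOCK USER AGENTS
#
# One regex instead of 23 separate `if` blocks: same agent list, same 403,
# but nginx evaluates a single match per request and the list is easier to
# maintain. Matching stays case-sensitive (`~`) as in the original; use `~*`
# if you want case-insensitive matching. "Acunetix" already covers the
# original's separate "Acunetix-Product" entry.
#
# The User-Agent header is chosen by the client and trivially changed, so this
# is noise reduction for scanners that announce themselves, not an access
# control. Blocked requests still show up in the access log as 403s, which is
# useful for spotting scanning activity.
###

# NOTE(review): "SF" is a two-letter substring and can match legitimate agents;
# consider anchoring it or removing it from the list.
if ($http_user_agent ~ "(Screaming Frog SEO Spider|Indy Library|libwww-perl|GetRight|GetWeb!|Go!Zilla|Download Demon|Go-Ahead-Got-It|TurnitinBot|GrabNet|dirbuster|nikto|SF|sqlmap|fimap|nessus|whatweb|Openvas|jbrofuzz|libwhisker|webshag|Acunetix)") {
    return 403;
}

2.新建 protext-sql-exploit-spam.conf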
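sudo nano protext-sql-exploit-spam.conf
###
# SQL INJECTIONS
#
# Heuristic tripwire on the query string. `~*` (case-insensitive) replaces the
# original `~`: SQL keywords are case-insensitive, so "UNION SELECT" walked
# straight past the old rules. This is not a defence by itself — parameterised
# queries in the PHP code are what actually stop injection; the filter only
# cuts obvious automated probing and makes it visible as 403s in the log.
###
if ($query_string ~* "(union.*select.*\(|union.*all.*select.*|concat.*\()") {
    return 403;
}

###
# COMMON EXPLOITS
#
# NOTE(review): the forum rendering stripped angle brackets and square brackets
# from these patterns. The first rule had become "(|%3E)", which matches the
# empty string and therefore returns 403 for EVERY request on the site; the
# GLOBALS/_REQUEST/mosConfig rules had lost their character classes. The forms
# below are the commonly published versions of this ruleset — confirm them
# against your own copy before deploying.
###
if ($query_string ~* "(<|%3C).*script.*(>|%3E)") {
    return 403;
}
if ($query_string ~* "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
    return 403;
}
if ($query_string ~* "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
    return 403;
}
if ($query_string ~* "proc/self/environ") {
    return 403;
}
if ($query_string ~* "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
    return 403;
}
if ($query_string ~* "base64_(en|de)code\(.*\)") {
    return 403;
}

###
# BLOCK SPAM
#
# Word-boundary (\b) keyword list for comment/referrer spam probes. Kept as
# four rules so the lists stay readable; any hit returns 403.
###
if ($query_string ~* "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
    return 403;
}
if ($query_string ~* "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
    return 403;
}
if ($query_string ~* "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
    return 403;
}
if ($query_string ~* "\b(lipitor|phentermin|proac|sandyauer|tramadol|troyhamby)\b") {
    return 403;
}

3、新建 rate-limit.conf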
###
# Rate Limit for wp-login.php
#
# Uses zone "one" declared with limit_req_zone in nginx.conf (keyed on the
# client socket address, 30 requests per minute). burst=2 nodelay lets two
# excess requests through immediately; anything beyond that is rejected.
# limit_req_status 444 is nginx-specific: the connection is closed without a
# response, so the client sees a dropped connection rather than a 429/503.
#
# Because the zone is keyed on the connecting address, clients behind a shared
# proxy or CDN share one bucket. Note also that WordPress accepts the same
# credentials through xmlrpc.php, which this location does not cover.
#
# domain1: the domain name without the .com suffix (used in the PHP-FPM socket name)
# domain2: the full domain name (used in the include path)
###
location = /wp-login.php {
    limit_req zone=one burst=2 nodelay;
    limit_req_status 444;
    include fastcgi.conf;
    fastcgi_pass unix:/run/php/php7.4-{{domain1}}.sock;
    include sites-available/{{domain2}}/location/*;
}

五、设置 redis

通常位于 /etc/redis/redis.conf
# Cap the dataset at 1 GiB. This has to fit in RAM next to PHP-FPM and MariaDB
# on the same host, otherwise the box is driven into swap.
maxmemory 1024mb
# When the cap is reached, evict the least-recently-used key regardless of TTL —
# appropriate for a pure object cache where every key can be rebuilt.
maxmemory-policy allkeys-lru
# NOTE(review): these two lines only tune memory; they say nothing about who can
# reach Redis. Check the bind / requirepass settings in the same file separately.

六、设置 wp-config.php

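/* Memory: upper bound PHP may use for one request. 1024M is generous — make
   sure it fits alongside the PHP-FPM pool size or the host can be pushed into swap. */
define( 'WP_MEMORY_LIMIT', '1024M' );

/* Query profiling: when true, WordPress keeps every SQL query of the request in
   memory ($wpdb->queries) so you can see which queries run. That costs memory and
   CPU on every request, so keep it off in production and enable it only while profiling. */
define( 'SAVEQUERIES', false );

/* Disable WP Cron: the pseudo-cron no longer fires on page loads, so a real system
   cron job has to call wp-cron.php or scheduled tasks silently stop running. */
define( 'DISABLE_WP_CRON', true );

/* Auto Update: false also switches off the minor (security) releases WordPress
   applies on its own. Use 'minor' to keep those unless updates are managed elsewhere. */
define( 'WP_AUTO_UPDATE_CORE', false );

/* Debugging: errors are logged but never shown to visitors. The default log file
   (wp-content/debug.log) lives inside the web root and may be readable over HTTP,
   which leaks paths and query details — so point the log at a file outside the
   document root. The path below is a placeholder; replace it. */
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', '/PLACEHOLDER/outside/webroot/wp-debug.log' );

/* Don't allow file edit: removes the theme/plugin editor from wp-admin, so a
   compromised admin account cannot write PHP through the dashboard. */
define( 'DISALLOW_FILE_EDIT', true );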

关于PHP设置,由于代码太长,不方便贴出来。下一篇我们将会把以上代码做成sh文件,一键自动执行优化。

馕博万 发表于 2021-8-31 07:57:11

block-agent.conf不是这样搞的,能用一行代码就不要用n个if

时间是贼md 发表于 2021-8-31 01:28:10

转发了

印迹 发表于 2021-8-31 07:17:16

转发了

Mirby 发表于 2021-8-31 08:17:02

转发了

南瓜绿豆汤 发表于 2021-8-31 06:56:40

转发了