# Nginx

## Тюнинг конфига Nginx
# Edit the main config as root. After saving, validate with `sudo nginx -t`
# before reloading: a reload refuses a broken config, but a *restart* with one
# leaves nginx down.
sudo nano /etc/nginx/nginx.conf
# Main (core) context: process model and file-descriptor limits.
# NOTE(review): no `user` directive is set, so workers run as whatever user the
# binary was built with (nobody by default); distribution packages normally set
# `user www-data;` / `user nginx;` — confirm before replacing the packaged file.
worker_processes auto;
# Per-worker open-file limit; must cover worker_connections plus the
# open_file_cache entries configured in the http block, or you get EMFILE.
worker_rlimit_nofile 200000;
pid /var/run/nginx.pid;
events {
# Max simultaneous connections per worker (client and upstream sides both count).
worker_connections 4000;
use epoll;
# Accept every pending connection on each wake-up instead of one at a time.
multi_accept on;
# Do not serialize accept() across workers through a mutex.
accept_mutex off;
}
http {
# Keep the Host the client sent in redirects instead of the first server_name.
server_name_in_redirect off;
# Hide the nginx version in the Server header and on error pages (the header
# itself is still sent; only the version is suppressed).
server_tokens off;
# Caches information about open FDs, frequently accessed files.
open_file_cache max=200000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
# Lookup errors (e.g. missing files) are cached too: a file created after a
# cached miss may keep returning 404 until the entry is revalidated (30s above).
open_file_cache_errors on;
include /etc/nginx/mime.types;
# Log format with Host header and upstream timing (useful for incident review).
# NOTE: it is unused while access_log is off below.
log_format main '$remote_addr - $remote_user [$time_local] "$host" "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" -> $upstream_response_time';
# to boost I/O on HDD we can disable access logs
# NOTE(review): this removes the request audit trail (nothing for forensics,
# abuse analysis or fail2ban). Prefer buffered logging over none, e.g.
#   access_log /var/log/nginx/access.log main buffer=64k flush=5s;
# and make sure error_log still points somewhere that is monitored.
access_log off;
sendfile on;
# Cap a single sendfile() call so one fast connection cannot hog a worker.
sendfile_max_chunk 512k;
# send headers in one piece, it is better than sending them one by one
tcp_nopush on;
# don't buffer data sent, good for small data bursts in real time
tcp_nodelay on;
# Timeout for keep-alive connections. Server will close connections after this time.
keepalive_timeout 30;
# Number of requests a client can make over the keep-alive connection.
keepalive_requests 100;
# Allow the server to close the connection after a client stops responding
# (RST instead of lingering, so timed-out sockets free their memory at once).
reset_timedout_connection on;
# Send the client a "request timed out" if the body is not loaded by this time.
# This is the idle time between two successive body reads, not a total limit.
# NOTE(review): client_header_timeout is left at its default (60s), so the
# slowloris-style header-trickling case is not tightened here.
client_body_timeout 10;
# If the client stops reading data, free up the stale client connection after this much time.
# 2s is aggressive: slow or congested clients fetching large responses will be cut off.
send_timeout 2;
gzip on;
# NOTE(review): compression enables BREACH when a response mixes a secret
# (CSRF/session token) with attacker-controlled input. text/html is always
# compressed once gzip is on, so disable gzip per-location for such pages or
# mitigate in the application.
gzip_disable "MSIE [1-6]\.(?!.*SV1)"; # Disable gzip for IE4-6 (except builds with SV1)
gzip_comp_level 6;
gzip_min_length 512;
# Compress responses to proxied requests regardless of Via/Cache-Control.
gzip_proxied any;
# Up to 16 x 128k of buffers per compressed response; memory cost scales with concurrency.
gzip_buffers 16 128k;
gzip_vary on; # Emit "Vary: Accept-Encoding" so caches keep compressed and plain variants apart
gzip_static on; # Serve a pre-compressed file.gz if one exists next to the file (needs ngx_http_gzip_static_module)
gzip_types
# text/html is always compressed by HttpGzipModule
text/css
text/javascript
text/xml
text/plain
text/x-component
application/javascript
application/x-javascript
application/json
application/xml
application/rss+xml
application/atom+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
# Virtual hosts. The directives that follow still apply to them as defaults:
# inheritance is by context, not by textual order.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
# NOTE(review): a 5 GB body limit for every vhost and location. Bodies larger
# than client_body_buffer_size are spooled to client_body_temp_path on disk, so
# any client can fill the disk with a few large POSTs. Scope this to upload
# locations and keep the http-level default small (nginx's default is 1m).
client_max_body_size 5000m;
client_body_buffer_size 128k;
# LIMITS
# This only declares the zone (keyed by client IP). Nothing is limited until a
# server/location adds e.g. `limit_conn addr 20;`. $binary_remote_addr is the
# TCP peer, so behind a load balancer without the realip module all clients
# share one key. No limit_req_zone (request rate) is defined here.
limit_conn_zone $binary_remote_addr zone=addr:10m;
}
## Выбор upstream на основе версии протокола SSL/TLS (`ssl_preread`)
# Route each TCP connection on :443 by the TLS version seen in the ClientHello.
# This belongs inside a `stream { ... }` context (not `http`) and needs nginx
# built with ngx_stream_ssl_preread_module.
map $ssl_preread_protocol $upstream {
# Empty = no TLS ClientHello was read: treat the client as SSH. This branch also
# matches any non-TLS bytes (scanners, plain-HTTP probes to :443) and, presumably,
# a client that sends nothing before preread_timeout expires (30s by default) —
# confirm. sshd therefore receives all of that traffic.
"" ssh.example.ru:22;
"TLSv1.2" new.example.ru:443;
# Everything else — TLS 1.3 *and* legacy TLS 1.0/1.1 ClientHellos — goes here.
default tls.example.ru:443;
}
# ssh and https on one port
server {
listen 192.168.0.1:443;
# Plain TCP proxying: the backend sees nginx's address as the peer, so sshd's
# auth logs, MaxStartups and any fail2ban/per-IP rules on the SSH host no longer
# see the real client IP (OpenSSH does not speak PROXY protocol, so
# `proxy_protocol on` cannot recover it there). TLS is not terminated here, so
# each $upstream target must present its own certificate.
proxy_pass $upstream;
# Peek at the ClientHello without terminating TLS to populate $ssl_preread_*.
ssl_preread on;
}
## Проверка конфигов на уязвимости через Gixy

Gixy ищет только известные шаблоны ошибок конфигурации (например, alias traversal, HTTP splitting, переопределение `add_header`, раскрытие версии), поэтому «No issues found» не означает, что лимиты, логирование и настройки сжатия выше безопасны — это статический линтер, а не полный аудит.
$ docker run --rm --volumes-from nginx yandex/gixy /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0