Nginx Optimization Notes

Mon 08 June 2020

Brotli support. Project: https://github.com/google/ngx_brotli

Brotli compresses noticeably better than gzip (a higher compression ratio) but takes somewhat longer to compress.

Only some browsers support Brotli. A client advertises it with "br" in its Accept-Encoding request header; for everyone else nginx falls back to gzip or to an uncompressed response, so enabling the module is safe for old clients. One caveat that applies to gzip just as much: compressing dynamic responses over TLS exposes a compression side channel (BREACH) whenever a response reflects attacker-controlled input next to a secret such as a CSRF token. Either compress only static assets (brotli_static) or leave such responses uncompressed.
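How the Accept-Encoding header decides whether a response goes out as Brotli, gzip or uncompressed, written out as an added Python example (not code from nginx or ngx_brotli). The header grammar follows RFC 7231 section 5.3.4; the type list, the 20-byte minimum and the br-before-gzip preference mirror the brotli_min_length, brotli_types and module behaviour in these notes, and the choice to honour only q=0 exclusions rather than rank codings by client q-value is an assumption of this example.

```python
"""Accept-Encoding negotiation for a brotli/gzip-capable origin.

Added illustration for these notes, not code from nginx or ngx_brotli.
The type set, 20-byte threshold and br-before-gzip order are assumptions
that mirror the brotli_* directives in the notes.
"""
from typing import Dict, Optional

# Subset of the brotli_types list in the notes; text/html is always eligible.
COMPRESSIBLE_TYPES = {
    "text/html", "text/plain", "text/css", "text/javascript", "text/xml",
    "application/javascript", "application/json", "application/xml",
    "image/svg+xml",
}
MIN_LENGTH = 20  # brotli_min_length 20


def parse_accept_encoding(header: Optional[str]) -> Dict[str, float]:
    """Map each listed content-coding to its q-value.

    No header at all means any coding is acceptable, returned as {"*": 1.0};
    an empty header means the client wants no coding, returned as {}.
    A coding without a q parameter gets q=1; a malformed q counts as 0.
    """
    if header is None:
        return {"*": 1.0}
    prefs: Dict[str, float] = {}
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        coding = parts[0].lower()
        if not coding:
            continue
        q = 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0
        prefs[coding] = max(0.0, min(q, 1.0))
    return prefs


def choose_encoding(accept_encoding: Optional[str], content_type: str,
                    body_len: int, server_order=("br", "gzip")) -> str:
    """Pick the first server-preferred coding the client allows (q > 0).

    Returns "identity" when the client forbids all of them, or when the
    response would not be compressed anyway (type not listed, or body
    shorter than brotli_min_length). Only q=0 exclusions and the "*"
    wildcard are honoured; codings are not ranked by client q-value.
    """
    mime = content_type.split(";")[0].strip().lower()
    if mime not in COMPRESSIBLE_TYPES or body_len < MIN_LENGTH:
        return "identity"
    prefs = parse_accept_encoding(accept_encoding)
    wildcard = prefs.get("*")
    for coding in server_order:
        q = prefs.get(coding, wildcard)
        if q is not None and q > 0:
            return coding
    return "identity"
```

For example, choose_encoding("gzip, deflate, br", "text/html; charset=utf-8", 1024) returns "br", the same request from a client that lists only "gzip, deflate" gets "gzip", and a 10-byte text/plain body or an image/png body stays "identity" regardless of the header.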

Configure it in the http block:

brotli_static on;
brotli on;
brotli_comp_level 6;
brotli_buffers 32 4k;
brotli_min_length 20;
brotli_types text/plain text/javascript text/css text/xml text/x-component text/x-json application/javascript application/x-javascript application/xml application/json application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject application/x-web-app-manifest+json image/svg+xml image/x-icon font/opentype text/html;

brotli_static serves a pre-compressed .br file lying next to the requested file when one exists, so the on-the-fly compressor (brotli on) only runs for responses that have no such file.

systemd script

If the install did not provide a startup script (for example a build from source), create one yourself (reference: the Nginx wiki).

Save it as /lib/systemd/system/nginx.service. (For locally written units, /etc/systemd/system/ is the intended location; /lib/systemd/system/ is normally managed by the package manager.)

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

PIDFile must match the pid directive (or the compiled-in --pid-path) of this nginx build, and /usr/sbin/nginx must be the binary that was actually installed. ExecStartPre runs nginx -t, so a broken configuration fails the unit instead of leaving a half-started server. After saving the file, run systemctl daemon-reload and then systemctl enable --now nginx.

pagespeed module: https://github.com/apache/incubator-pagespeed-ngx

Headers

server_tokens off;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";

server_tokens off removes the nginx version from the Server header and from the built-in error pages. X-XSS-Protection is deprecated: Chromium-based browsers have removed the XSS auditor it controlled and Firefox never implemented it, so a Content-Security-Policy is the header to rely on against XSS. Two nginx caveats apply to every add_header: a server or location block that sets any add_header of its own stops inheriting the ones from its parent (repeat them there), and a header is only added to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308 unless the directive ends with the always parameter.

SSL security

ssl_prefer_server_ciphers on;

ssl_protocols TLSv1.2 TLSv1.3;

The original line also enabled TLSv1 and TLSv1.1. Both are deprecated (RFC 8996) and were dropped by the major browsers in 2020; only a known legacy client justifies keeping them on.

ssl_ecdh_curve X25519:prime256v1:secp384r1;

The original pinned secp384r1 alone. A colon-separated list (supported with OpenSSL 1.0.2 and later) lets the server also negotiate X25519 and P-256, which are faster and are what most TLS 1.3 clients prefer; pinning a single curve is only worth it when a policy demands that exact group.

Caching

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;

Tickets are off on purpose: when no ssl_session_ticket_key is configured, nginx encrypts tickets with a random key generated at startup and kept until the next reload, so with tickets on that one key would cover every session resumed under it. The shared in-memory cache gives resumption without that exposure.

Cipher suites

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

This is a broad compatibility list: it ends with 3DES suites (the DES-CBC3 entries, affected by SWEET32) and with plain RSA key exchange suites (AES128-SHA and the like) that provide no forward secrecy. Unless such a legacy client really has to be served, cut the list after the ECDHE/DHE entries. Note that ssl_ciphers only governs TLS 1.2 and earlier; the TLS 1.3 suites are fixed by OpenSSL and are not affected by this directive.

OCSP Stapling

resolver 8.8.8.8 8.8.4.4;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/chain.crt;

chain.crt must contain the issuing intermediate(s) and the root, because ssl_stapling_verify validates the OCSP response against them. The resolver is only used to look up the OCSP responder; a local resolver avoids sending those queries in plaintext to a public DNS service. To confirm stapling works, run openssl s_client -connect HOST:443 -status (substitute the host) and look for "OCSP Response Status: successful".

dhparam

openssl dhparam -out dhparam.pem 2048

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

2048 bits is the minimum worth generating (it takes a few minutes). The parameters only matter for the DHE-* suites; the ECDHE suites use ssl_ecdh_curve instead.

HSTS

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;

The always parameter was added so the header also goes out on error responses. Put this directive only in the HTTPS server block, and think before keeping preload: it asks the browser preload lists to hard-code HTTPS for the domain and every subdomain, which is slow and awkward to undo, and the preload list requires includeSubDomains together with a max-age of at least one year (31536000 seconds).
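To check a configuration for the issues raised in the SSL and header sections (deprecated protocols, 3DES and non-forward-secret suites, a single pinned curve, stapling without verification, a missing always on HSTS, the deprecated X-XSS-Protection header), here is an added Python audit script. It is not part of the original notes or of nginx; the finding texts and thresholds are the editor's choices, and the two sample configurations are constructed: PAGE_CONFIG reproduces the directives from these notes with an abridged cipher list, HARDENED_CONFIG is the corrected form.

```python
"""Static audit of nginx TLS/header directives (added example, not nginx code).
Blocks are flattened; the audit only looks at directive values, which is
enough for the settings these notes discuss. Finding texts are the editor's."""
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LEGACY_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXPORT")
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def parse_directives(text):
    """Flatten nginx config into [(name, [args])]: handles '#' comments,
    quoted arguments (the ';' inside an add_header value survives) and braces."""
    out, tokens, cur, quote, i = [], [], [], None, 0
    while i < len(text):
        c = text[i]
        if quote:                                   # inside a quoted argument
            if c == quote:
                tokens.append("".join(cur)); cur, quote = [], None
            else:
                cur.append(c)
        elif c in "\"'":
            quote = c
        elif c == "#":                              # comment runs to end of line
            while i < len(text) and text[i] != "\n":
                i += 1
        elif c in " \t\r\n;{}":
            if cur:
                tokens.append("".join(cur)); cur = []
            if c in ";{}" and tokens:               # end of directive / block header
                out.append((tokens[0], tokens[1:])); tokens = []
        else:
            cur.append(c)
        i += 1
    return out


def audit(text):
    """Return a list of findings (empty when nothing weak was found)."""
    seen = {}
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)

    def last(name, default=None):  # last occurrence wins, as nginx merges directives
        return seen[name][-1] if name in seen else default

    f = []
    weak = sorted(WEAK_PROTOCOLS & set(last("ssl_protocols", [])))
    if weak:
        f.append(f"ssl_protocols enables deprecated {', '.join(weak)} (RFC 8996)")
    suites = [s for s in ":".join(last("ssl_ciphers", [])).split(":") if s and s[0] != "!"]
    legacy = [s for s in suites if any(m in s for m in LEGACY_MARKERS)]
    if legacy:
        f.append("ssl_ciphers keeps 3DES/legacy suites: " + ", ".join(legacy))
    no_pfs = [s for s in suites if not s.startswith(PFS_PREFIXES)]
    if no_pfs:
        f.append(f"ssl_ciphers keeps {len(no_pfs)} suites without forward secrecy, e.g. {no_pfs[0]}")
    curve = last("ssl_ecdh_curve", ["auto"])
    if len(curve) == 1 and ":" not in curve[0] and curve[0] != "auto":
        f.append(f"ssl_ecdh_curve pins {curve[0]} only; X25519/P-256 are not offered")
    if last("ssl_stapling") == ["on"]:
        if last("ssl_stapling_verify") != ["on"]:
            f.append("ssl_stapling on without ssl_stapling_verify on")
        elif not last("ssl_trusted_certificate"):
            f.append("ssl_stapling_verify needs ssl_trusted_certificate (issuer chain)")
    if last("server_tokens") != ["off"]:
        f.append("server_tokens is not off; the nginx version is disclosed")
    for args in seen.get("add_header", []):
        if len(args) < 2:
            continue
        header, value, always = args[0].lower(), args[1].lower(), "always" in args[2:]
        if header == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value)
            max_age = int(m.group(1)) if m else 0
            if "preload" in value and (max_age < 31536000 or "includesubdomains" not in value):
                f.append("HSTS preload needs max-age >= 31536000 and includeSubDomains")
            if not always:
                f.append("HSTS add_header lacks 'always'; header is absent on error responses")
        elif header == "x-xss-protection" and value.startswith("1"):
            f.append("X-XSS-Protection is deprecated (dropped by Chromium, never in Firefox); use Content-Security-Policy")
    return f


# Constructed sample reproducing the directives in these notes (cipher list abridged).
PAGE_CONFIG = """
server_tokens off;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve secp384r1;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!DSS';
resolver 8.8.8.8 8.8.4.4;  # OCSP responder lookups go over plaintext DNS
ssl_stapling on; ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/chain.crt;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
"""

# The same block with the weak settings corrected (editor's suggestion, not from the notes).
HARDENED_CONFIG = """
server_tokens off;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_stapling on; ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/chain.crt;
"""
```

audit(PAGE_CONFIG) reports six findings (the deprecated TLS versions, the two 3DES suites, the two suites without forward secrecy, the pinned curve, X-XSS-Protection and the HSTS line without always); audit(HARDENED_CONFIG) returns an empty list. The tokenizer is deliberately minimal: it does not track block nesting or include files, so run it on the fully resolved server block rather than on a fragment that relies on inherited directives.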

Hotlink protection

Force SSL

WEBP

events block

events {
    use epoll;
    multi_accept on;
}

http block

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
}

Category: Programming