Nginx Service Optimization: Web Page Compression and Anti-theft Chain (Hotlink Protection)

Keywords: Linux Nginx vim Javascript DNS

Configure Nginx for Web Page Compression

Nginx's ngx_http_gzip_module compression module compresses file content, allowing the Nginx server to compress output before sending it to the client, which saves bandwidth on the site and improves the user's access experience. It is installed by default. Compression performance can be optimized by adding appropriate compression parameters to the configuration file.

Explanation of compression function parameters

  1. gzip on: Turns on gzip-compressed output
  2. gzip_min_length 1k: Sets the minimum size, in bytes, of a page that is allowed to be compressed
  3. gzip_buffers 4 16k: Requests four 16K units of memory as the cache for the compression result stream. By default, memory of the same size as the original data is requested to store the gzip compression result
  4. gzip_http_version 1.0: Sets the HTTP protocol version to recognize; the default is 1.1. Most browsers currently support gzip decompression, but it is the slowest to process and consumes server CPU resources
  5. gzip_comp_level 2: Specifies the gzip compression ratio. Level 1 gives the smallest compression ratio and the fastest processing; level 9 gives the largest compression ratio and fast transmission, but the slowest processing. The default is sufficient
  6. gzip_types text/plain: Compression types, that is, the kinds of web documents for which compression is enabled
  7. gzip_vary on: Lets a front-end cache server cache gzip-compressed pages

1. Turn off the firewall and SELinux enforcement

[root@localhost ~]# systemctl stop firewalld.service   # stop the firewall
[root@localhost ~]# setenforce 0   # put SELinux into permissive mode
[root@localhost ~]# 

2. Access the nginx service from the win10 virtual machine and capture the traffic with the Fiddler tool (compression not turned on)

3. Modify the configuration file to turn compression on

[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf

    gzip  on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css image/jpeg image/png image/gif application/xml text/javascript application/x-httpd-php application/javascript application/json;
    gzip_disable "MSIE [1-6]\.";   # disable compression for IE 1-6; later versions get compressed responses
    gzip_vary on;
[root@localhost ~]# service nginx restart   # restart the service
[root@localhost ~]# 

4. Access the nginx service again from the win10 virtual machine and capture the traffic with the Fiddler tool (compression turned on)
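
The directives from step 3 decide, per request, whether a response is compressed. The following Python sketch is an added example (not part of the original article and not nginx's own code) that models that decision for a few constructed requests; `will_gzip`, `CFG` and the sample traffic are assumptions made for illustration.

```python
import re

# Settings copied from the nginx.conf in step 3; gzip_types is shortened to
# the types the samples use. This models the decision only, not nginx's code.
CFG = {
    "min_length": 1024,                      # gzip_min_length 1k
    "http_version": (1, 1),                  # gzip_http_version 1.1
    "types": {"text/plain", "text/css", "application/json", "image/jpeg"},
    "disable": re.compile(r"MSIE [1-6]\."),  # gzip_disable
}

def will_gzip(req, resp, cfg=CFG):
    """Return (compressed?, reason) for one request/response pair."""
    if "gzip" not in req.get("accept_encoding", ""):
        return False, "client did not offer gzip"
    if req["http_version"] < cfg["http_version"]:
        return False, "request below gzip_http_version"
    if cfg["disable"].search(req.get("user_agent", "")):
        return False, "User-Agent matches gzip_disable"
    # text/html is always eligible; other types must be listed in gzip_types.
    if resp["type"] != "text/html" and resp["type"] not in cfg["types"]:
        return False, "MIME type not in gzip_types"
    # Only a known Content-Length is compared with gzip_min_length.
    if resp["length"] is not None and resp["length"] < cfg["min_length"]:
        return False, "shorter than gzip_min_length"
    return True, "compressed"

# Constructed sample traffic (not captured from the lab in this article).
MODERN = {"accept_encoding": "gzip, deflate", "http_version": (1, 1),
          "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
IE6 = dict(MODERN, user_agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")
HTTP10 = dict(MODERN, http_version=(1, 0))

SAMPLES = {
    "css 20 KB": (MODERN, {"type": "text/css", "length": 20480}),
    "tiny text": (MODERN, {"type": "text/plain", "length": 300}),
    "IE6 css": (IE6, {"type": "text/css", "length": 20480}),
    "HTTP/1.0 css": (HTTP10, {"type": "text/css", "length": 20480}),
    "mp4 video": (MODERN, {"type": "video/mp4", "length": 5_000_000}),
    "jpeg 200 KB": (MODERN, {"type": "image/jpeg", "length": 204800}),
}

def decisions(samples=SAMPLES):
    """Evaluate every sample and return {name: (compressed?, reason)}."""
    return {name: will_gzip(req, resp) for name, (req, resp) in samples.items()}

if __name__ == "__main__":
    for name, (ok, why) in decisions().items():
        print(f"{name:14} {'gzip' if ok else 'plain':5} {why}")
```

The `jpeg 200 KB` sample is compressed only because `image/jpeg` is listed in `gzip_types`; JPEG, PNG and GIF are already compressed formats, so listing them costs CPU for little size reduction.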


Configure Nginx to implement an anti-theft chain (hotlink protection)

  • For an enterprise website, an anti-theft chain (hotlink protection) should be configured so that other sites cannot use the site's content without permission and cause economic losses.
  • Nginx's anti-theft chain function is also very powerful. By default, it can be set up with a simple configuration.

1. Copy the site picture and the anti-theft chain picture to the site directory

[root@localhost ~]# mkdir /mnt/tools
[root@localhost ~]# mount.cifs //192.168.100.50/tools /mnt/tools/
Password for root@//192.168.100.50/tools:  
[root@localhost ~]# cp /mnt/tools/forbid.png /usr/local/nginx/html/   # anti-theft chain picture
[root@localhost ~]# cp picture.jpg /usr/local/nginx/html/   # website picture
[root@localhost ~]# cd /usr/local/nginx/html/
[root@localhost html]# ls
50x.html  forbid.png  index.html  picture.jpg
[root@localhost html]# 

2. Add a picture reference to the home page file

[root@localhost html]# vim index.html
<h1>Welcome to nginx!</h1>
<img src="picture.jpg"/>   <!-- added line -->
[root@localhost html]# 

3. Install the DNS service

[root@localhost html]# yum install bind -y
..........   # installation output omitted
[root@localhost html]# 

4. Modify the main configuration file

[root@localhost html]# vim /etc/named.conf 
options {
        listen-on port 53 { any; };   //Change 127.0.0.1 to any
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };   //Change localhost to any
[root@localhost html]# 

5. Modify the zone configuration file

[root@localhost html]# vim /etc/named.rfc1912.zones

zone "abc.com" IN {   //Add zone
type master;
file "abc.com.zone";
allow-update { none; };
};
[root@localhost html]#

6. Modify the zone data file

[root@localhost html]# cd /var/named/
[root@localhost named]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root@localhost named]# cp -p named.localhost abc.com.zone   # copy the template under a new name
[root@localhost named]# vim abc.com.zone

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www IN  A       192.168.52.131   ; added A record with the resolved address
[root@localhost named]# systemctl start named   # start the service
[root@localhost named]#

7. On the win10-1 host, enter the following into a new text document and rename it index.html

<html>
 <head>
  <title>Stolen Chain Website</title>
 </head>
 <body>
  <h1>this is test web</h1>
  <img src="http://www.abc.com/picture.jpg"/>   <!-- hotlinked picture path -->
 </body>
</html>


8. Follow these steps to start the web service for the win10-1 system




9. Move the file index.html to the wwwroot subdirectory of the inetpub directory on the C drive

10. On both the win10-1 host, which hosts the stolen chain website, and the test host win10-2, change the DNS server address to the address of the Linux virtual machine

11. View the IP address of the win10-1 host

12. Use the win10-2 host to access the nginx service site and the web service of the win10-1 host in turn; the win10-1 page successfully steals the picture from the nginx service site


13. Modify the nginx configuration file to turn on the anti-theft chain function

[root@localhost named]# vim /usr/local/nginx/conf/nginx.conf

        location ~* \.(jpg|gif|swf)$ {
                valid_referers none blocked *.abc.com abc.com;
                if ( $invalid_referer ) {
                   rewrite ^/ http://www.abc.com/forbid.png;
                }
        }
[root@localhost named]# service nginx restart 
[root@localhost named]#

14. Use the win10-2 host again to access the nginx service site and the web service of the win10-1 host in turn; the anti-theft chain function is now successfully turned on
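
How `valid_referers none blocked *.abc.com abc.com` from step 13 classifies requests, as an added Python model (not part of the original article and not nginx's code). The function names, the constructed sample Referer values and the stricter `STRICT_RULES` variant are assumptions for illustration; the model covers only exact names and leading `*.` wildcards.

```python
import re

PAGE_RULES = ["none", "blocked", "*.abc.com", "abc.com"]   # valid_referers from step 13
STRICT_RULES = ["*.abc.com", "abc.com"]   # assumption: same list without none/blocked

def referer_host(value):
    """Host part of an http(s) Referer (port and path dropped), else None."""
    m = re.match(r"https?://([^/:]*)", value, re.I)
    return m.group(1).lower() if m else None

def name_matches(host, pattern):
    """Exact server name, or a leading '*.' wildcard that matches subdomains only."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".abc.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def invalid_referer(referer, rules):
    """Model of $invalid_referer: True means the rewrite to forbid.png fires."""
    if referer is None:                           # header absent -> "none"
        return "none" not in rules
    host = referer_host(referer)
    if host is None:                              # no http(s):// prefix -> "blocked"
        return "blocked" not in rules
    names = [r for r in rules if r not in ("none", "blocked")]
    return not any(name_matches(host, n) for n in names)

# Constructed Referer values; 192.0.2.10 stands in for the win10-1 host.
SAMPLES = {
    "own page": "http://www.abc.com/index.html",
    "bare domain": "http://abc.com/",
    "other site": "http://192.0.2.10/index.html",
    "lookalike host": "http://abc.com.other.example/",
    "no header": None,
    "scrubbed header": "XXXXXXXXXXXX",
}

def evaluate(rules):
    """Return which file each sample request for picture.jpg ends up with."""
    return {name: "forbid.png" if invalid_referer(ref, rules) else "picture.jpg"
            for name, ref in SAMPLES.items()}

if __name__ == "__main__":
    for label, rules in (("page rules", PAGE_RULES), ("strict rules", STRICT_RULES)):
        for name, served in evaluate(rules).items():
            print(f"{label:12} {name:16} -> {served}")
```

With the page's rules, a request that carries no Referer or a scrubbed one still receives picture.jpg, so the check limits embedding by ordinary browsers but is not access control; dropping `none` and `blocked` also redirects direct visits and clients that suppress the header.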

Posted by faraco on Sun, 17 Nov 2019 13:51:12 -0800