EExcel 丞燕快速查詢2

EExcel 丞燕快速查詢2
EExcel 丞燕快速查詢2 https://sandk.ffbizs.com/

nginx proxy pass [ best practices ]

1、/etc/nginx/nginx.conf

# /etc/nginx/nginx.conf fragment for the caching reverse proxy. The http block opened
# below is not closed in these notes; the server blocks live in sites-available/default.
worker_processes 1; #auto;  -- "auto" gives one worker per CPU; 1 suits a single-vCPU VM


events {
        worker_connections 3000;  #786;  -- per-worker cap; must stay below the nofile limit (limits.conf below)
        # multi_accept on;
}


http {

        server_tokens off;  #open this line  -- hides the nginx version in the Server header and error pages
        resolver 8.8.8.8 8.8.4.4 valid=300s;  #resolver dns server  -- used at runtime for hostnames in proxy_pass
                                              # (the $ds_hostname form); this is plain DNS to a public resolver, so the
                                              # upstream address depends on an unauthenticated answer — prefer the
                                              # VPC/local resolver for internal destinations

        proxy_cache_path          /var/cache/proxy-nginx levels=1:2 keys_zone=proxy-cache:10m max_size=3g inactive=1d use_temp_path=off;  # on-disk cache; "proxy-cache" is the zone name a proxy_cache directive must reference

        add_header X-Cache $upstream_cache_status; # show cache status in the response: HIT (served from cache), MISS (not cached), BYPASS (skipped)
                                                   # NOTE: add_header is replaced, not merged, per level — any add_header in a
                                                   # server/location (e.g. the ssl-params snippet) removes this one there

        proxy_headers_hash_max_size 51200;  #add this line
        proxy_headers_hash_bucket_size 6400;  #add this line

        # $http_x_forwarded_for is the raw client-supplied header and is not trustworthy on its own;
        # $remote_addr is the peer that actually connected.
        log_format  main  '$remote_addr $status $request $body_bytes_sent [$time_local]  $http_user_agent $http_referer  $http_x_forwarded_for $upstream_addr $upstream_status $upstream_cache_status $upstream_response_time';
        access_log /var/log/nginx/access.log main buffer=1m;   #or maybe note # because disk space  -- buffered writes; comment out if the disk fills up

        # Second, cache-only log. Both access_log lines are active at the same time.
        log_format cache_status '[$time_local] "$request" $upstream_cache_status';
        access_log /var/log/nginx/cache_access.log  cache_status;
        

        gzip_proxied any;  #open this line, because CDN  -- allow compressing responses to proxied requests regardless of request headers




2、/etc/nginx/proxy_params      put all of the following here, or look up documentation on recommended practices

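# /etc/nginx/proxy_params — shared upstream settings, included from every proxied location.
proxy_http_version 1.1;
# WebSocket pass-through. Sending "Connection: upgrade" unconditionally tells the upstream to
# upgrade on every request, not only on WebSocket handshakes; the usual pattern is a
# map $http_upgrade $connection_upgrade { default upgrade; '' close; } in the http block and
# proxy_set_header Connection $connection_upgrade; here (map cannot live in this file).
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

# Client identity for the upstream. X-Real-IP is the connecting peer only; X-Forwarded-For
# appends $remote_addr to whatever the client already sent, so the upstream must treat the
# earlier entries as untrusted.
proxy_set_header Host $http_host;  # NOTE: Host is set again to $host further down in this file; keep exactly one
proxy_set_header X-Real-IP $remote_addr;
# This header used to be set twice (once to plain $remote_addr, once to the appending form).
# nginx does not merge duplicate proxy_set_header lines, so the upstream could receive two
# X-Forwarded-For headers; only the appending form is kept.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;

client_max_body_size 100M;     # largest request body accepted from clients
client_body_buffer_size 1m;    # bodies above this are spooled to a temp file
proxy_intercept_errors on;     # only matters when error_page is configured for the status code
proxy_buffering on;
proxy_buffer_size 128k;        # buffer for the first part of the upstream response (headers)
proxy_buffers 256 16k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_max_temp_file_size 0;    # 0 = never buffer the response body to a temp file
# proxy_read_timeout is set once, in the timeouts group further down this file; a second
# copy here would be rejected as "proxy_read_timeout" directive is duplicate if both parts
# are in the same file.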

------------------
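#slice 1m; # for slice_range
# Cache key: scheme + Host + upstream name + full request URI.
# NOTE: nothing in these notes contains "proxy_cache proxy-cache;" (the keys_zone name from
# nginx.conf); without it none of the proxy_cache_* settings below take effect and X-Cache
# stays empty — confirm it is set in the real file.
proxy_cache_key $scheme$host$proxy_host$request_uri;  # $slice_range
#proxy_cache_key "$scheme://$host$request_uri";
#proxy_cache_key $host:$server_port$uri$is_args$args; # hash by key; defines what the cache KEY is built from

# TTLs per status. "any 1m" also stores 5xx responses for a minute, and responses to
# authenticated requests are stored as well unless the upstream marks them private/no-store
# (nginx does not skip the cache because of an Authorization header by itself — confirm for
# your version); add $http_authorization or the session cookie to proxy_cache_bypass and
# proxy_no_cache if the upstream serves per-user content.
#proxy_cache_valid 15m;
proxy_cache_valid 200 301 302 304 1h; #206 -> slice_range
proxy_cache_valid 404 1m;
proxy_cache_valid any 1m;

# X-Forwarded-For and X-Forwarded-Proto are already set in the header group near the top of
# this file (exact duplicates removed). Only this Host line differs from that group
# ($host here vs $http_host there) — keep exactly one of the two.
proxy_set_header Host $host;
#proxy_set_header Range $slice_range; #for slice_range
proxy_cache_revalidate on;  # refresh stale entries with conditional requests (If-Modified-Since / If-None-Match)

# Set some good timeouts
proxy_connect_timeout       300;
proxy_send_timeout          300;
proxy_read_timeout          300;
send_timeout                300;

#proxy_cache_min_uses 3; # only start caching a URL after it has been requested 3 times (before its cache file is evicted)
# If any of these is non-empty and not "0", nginx skips the cache lookup and goes straight to the upstream …
proxy_cache_bypass $cookie_nocache $arg_nocache $arg_comment;
# … and the same conditions must also stop the response from being *stored*: bypass alone
# only controls the lookup, so a request with ?nocache=1 would otherwise refresh the shared
# cache entry for every other client.
proxy_no_cache $cookie_nocache $arg_nocache $arg_comment;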

------------------
# Offload blocking file reads to the default thread pool. "aio threads" is only available
# when nginx is built with --with-threads; the configure line later in these notes passes
# --with-file-aio but not --with-threads, so this would be rejected on that build.
aio threads;
aio_write on;  # also use the thread pool for writing temp/cache files
------------------
# Cache open file descriptors and metadata (up to 10000 entries).
open_file_cache max=10000;
open_file_cache_min_uses 2;   # only cache a file once it has been used twice within the inactive window
open_file_cache_errors on;    # lookup errors are cached too, so a missing file keeps returning the error until the entry expires



2.1、SSL
./etc/nginx/snippets/ssl-example.com.conf

# Let's Encrypt paths: fullchain.pem = leaf + intermediates, privkey.pem = private key.
# Keep privkey.pem readable by root only; nginx loads it in the master process.
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; #crt
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; #key


./etc/nginx/snippets/ssl-params.conf

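# TLS policy shared by every https server (included from the 443 server block).
# TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 only. Add TLSv1.3 once the
# nginx/OpenSSL build is known to support it — an unsupported token makes nginx reject the config.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCH:AES256+EECDH:AES256+EDH";  # forward-secret suites only; GCM first, the AES256+ groups also admit CBC suites
ssl_ecdh_curve secp384r1;       # single fixed curve; newer nginx accepts "auto" — leave unless the build is known
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;        # tickets need a rotated ticket key to keep forward secrecy; off sidesteps that
ssl_stapling on;
ssl_stapling_verify on;         # needs the issuer chain via ssl_trusted_certificate; without it verification fails (logged) and nothing is stapled — TODO confirm
#resolver 8.8.8.8 8.8.4.4 valid=300s;  #move to nginx.conf http
resolver_timeout 5s;
# NOTE: add_header is replaced, not merged, per level — these three override any http-level
# add_header (e.g. X-Cache) for every server that includes this snippet; re-add it here if wanted.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";  # 2 years, all subdomains: browsers will refuse plain http afterwards
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;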


3、/etc/nginx/sites-available/default


# Default server configuration

#server1
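server {
        set $ds_host_ip  'xxx.xxx.xxx.xxx';  #destination host ip
        set $ds_hostname 'ooo.ooo.ooo.ooo'; #destination hostname

        listen 80 reuseport;
        #listen [::]:80 default_server;

        #root /var/www/html;
        #index index.html index.htm index.nginx-debian.html;
        #server_name _;

        location / {
                # Exactly one proxy_pass per location: nginx rejects a second one with
                # "proxy_pass" directive is duplicate. The IP form is active; the hostname
                # form is resolved at runtime through the resolver in nginx.conf, so the
                # upstream address then depends on that DNS answer.
                # $server_port is this server's listen port (80), so the upstream is
                # expected on the same port.
                proxy_pass http://$ds_host_ip:$server_port;
                #proxy_pass http://$ds_hostname:$server_port;
                include /etc/nginx/proxy_params;
                
                #try_files $uri $uri/ =404;
        }


        # stub_status exposes connection counters; restrict it to local access
        # (add the monitoring host's address if it is polled remotely).
        location /nginx_status { 
                stub_status on; 
                access_log off; 
                allow 127.0.0.1;
                deny all;
        }
}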

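server {
        set $ds_host_ip  'xxx.xxx.xxx.xxx';
        set $ds_hostname 'ooo.ooo.ooo.ooo';

        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com www.example.com;

        location / {
                # Exactly one proxy_pass per location (a second is rejected as duplicate);
                # the hostname form is kept commented.
                # NOTE: $server_port is 443 here, so this sends *plain http* to port 443 on
                # the destination. If the upstream is an ordinary http listener use a fixed
                # port (e.g. :80), or https:// with proxy_ssl_* settings — confirm what the
                # destination actually serves.
                proxy_pass http://$ds_host_ip:$server_port;
                #proxy_pass http://$ds_hostname:$server_port;
                include /etc/nginx/proxy_params;
        }

        # Status counters: local access only (add the monitoring host if polled remotely).
        location /nginx_status {
                stub_status on;
                access_log off;
                allow 127.0.0.1;
                deny all;
        }

        # Certificate paths and TLS policy. The add_header lines inside ssl-params.conf
        # replace any http-level add_header for this server.
        include snippets/ssl-example.com.conf;
        include snippets/ssl-params.conf;

}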

#server2
server {
    # Port-preserving HTTP pass-through: requests on :8881 go to the same port on the
    # destination host, with the shared proxy_params applied.
    listen 8881 reuseport;
    set $ds_host_ip 'xxx.xxx.xxx.xxx';

    location / {
        include /etc/nginx/proxy_params;
        proxy_pass http://$ds_host_ip:$server_port;
    }
}

#server3
server {
    # Port-preserving HTTP pass-through: requests on :3333 go to the same port on the
    # destination host, with the shared proxy_params applied.
    listen 3333 reuseport;
    set $ds_host_ip 'xxx.xxx.xxx.xxx';

    location / {
        include /etc/nginx/proxy_params;
        proxy_pass http://$ds_host_ip:$server_port;
    }
}

server {
    # Port-preserving HTTP pass-through: requests on :81 go to the same port on the
    # destination host, with the shared proxy_params applied.
    listen 81 reuseport;
    set $ds_host_ip 'xxx.xxx.xxx.xxx';

    location / {
        include /etc/nginx/proxy_params;
        proxy_pass http://$ds_host_ip:$server_port;
    }
}

server {
    # Port-preserving HTTP pass-through: requests on :8080 go to the same port on the
    # destination host, with the shared proxy_params applied.
    listen 8080 reuseport;
    set $ds_host_ip 'xxx.xxx.xxx.xxx';

    location / {
        include /etc/nginx/proxy_params;
        proxy_pass http://$ds_host_ip:$server_port;
    }
}


=====  =====
/etc/security/limits.conf
# Raise the process and open-file limits for every account; nginx needs nofile to
# cover worker_connections per worker.
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535

# Raise the accept-queue ceiling so the listen backlog is not clamped by the kernel.
# NOTE: ">>" appends a new line on every run; check the file first or use a drop-in
# under /etc/sysctl.d/ to keep this idempotent.
echo "net.core.somaxconn=1024" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf

# This proxy host does not route for others, so IP forwarding stays off. (The NAT-gateway
# notes further down are for a different host and need ip_forward=1.)
echo "net.ipv4.ip_forward=0" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf


===== =====

iptables限制tcp连接和频率

# Per-source-IP connection limits for :80 (iptables-save syntax; table header and COMMIT
# not shown). Order matters: the --update rule comes first so the 21st NEW connection
# within 60 s is dropped, and since --update refreshes the timestamp the source stays
# blocked while it keeps retrying. Only port 80 is covered — repeat for 443 if TLS is
# served. "-m state" is the legacy alias of "-m conntrack".
# A single IP may open at most 20 new connections within 60 seconds.
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource

# Cap concurrent connections per IP to :80 at 20. "-I" inserts at the top of INPUT (the
# rules above use -A), and REJECT answers the client, unlike the DROP rules.
-I INPUT -p tcp --dport 80 -m connlimit  --connlimit-above 20 -j REJECT

# At most 20 connections per source IP, checked on every SYN, for any destination port.
-A INPUT -p tcp --syn -m connlimit --connlimit-above 20 -j DROP



http://seanlook.com/2015/05/17/nginx-location-rewrite/
http://xyz.cinc.biz/2016/06/nginx-if-and-host-get-variable.html
http://siwei.me/blog/posts/nginx-built-in-variables

https://www.52os.net/articles/nginx-anti-ddos-setting.html
https://www.52os.net/articles/nginx-anti-ddos-setting-2.html

https://gagor.pl/2016/01/optimize-nginx-for-performance/

------------------
https://gryzli.info/2017/05/09/nginx-configuring-reverse-proxy-caching/
https://www.nginx.com/blog/nginx-high-performance-caching/
https://guides.wp-bullet.com/how-to-configure-nginx-reverse-proxy-wordpress-cache-apache/
https://tweaked.io/guide/nginx-proxying/
http://www.jianshu.com/p/625c2b15dad5
http://phl.iteye.com/blog/2256857
https://gist.github.com/regadas/7381125


https://calomel.org/nginx.html

Building the Nginx Reverse Proxy example

# Minimal reverse-proxy build: every --without drops a module that is not needed here,
# which shrinks the attack surface. "make clean;" uses ";" so a failed clean does not
# stop the build. --with-file-aio is enabled but --with-threads is not, and "aio threads"
# in the configs above requires the latter.
make clean; ./configure --with-file-aio --without-http_autoindex_module --without-http_browser_module --without-http_geo_module --without-http_empty_gif_module --without-http_map_module --without-http_memcached_module --without-http_userid_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --without-http_split_clients_module --without-http_uwsgi_module --without-http_scgi_module --without-http_referer_module --without-http_upstream_ip_hash_module && make && make install



----------------------------------------------
.https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/

Deploying Brotli for static content
cloudflare/ngx_brotli_module  https://github.com/cloudflare/ngx_brotli_module

https://www.mobile01.com/topicdetail.php?f=506&t=5147355

--auto nginx mod CENTMIN MOD
https://centminmod.com/


.https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/


https://cipherli.st/

On ssl_session_tickets, Dropbox and cipherli.st take different approaches; probably follow cipherli.st.

TLS
#ssl_session_tickets on;
#ssl_session_timeout 1h;
#ssl_session_ticket_key /run/nginx-ephemeral/nginx_session_ticket_curr;
#ssl_session_ticket_key /run/nginx-ephemeral/nginx_session_ticket_prev;
#ssl_session_ticket_key /run/nginx-ephemeral/nginx_session_ticket_next;
http://fangpeishi.com/optimizing-tls-record-size.html
http://fangpeishi.com/optimizing-tls-record-size.html


.https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/

# Dropbox's 2017 list, quoted for reference: ECDHE with AES-GCM/ChaCha20 preferred (the
# bracketed group is an equal-preference set), then RSA key exchange and 3DES as fallbacks.
# The RSA+… groups give up forward secrecy and the 3DES suites use a 64-bit block cipher
# (SWEET32); drop ":ECDHE+3DES:RSA+3DES" unless very old clients must be supported.
ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';

ssl_prefer_server_ciphers on;  # server order wins over the client's preference

AIO
# Same settings as in proxy_params above; "aio threads" needs a --with-threads build.
aio threads;
aio_write on;
http://www.infoq.com/cn/articles/thread-pools-boost-performance-9x


.https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/

Open file cache
# Same settings as in proxy_params above (descriptor/metadata cache; errors are cached too).
open_file_cache max=10000;
open_file_cache_min_uses 2;
open_file_cache_errors on;
http://blog.justwd.net/snippets/nginx/nginx-open-file-cache/




.auto nginx mod CENTMIN MOD
https://centminmod.com/



======clear cache=======
https://leokongwq.github.io/2016/11/25/nginx-cache.html

Port Forwarding Gateway via iptables on Linux

1、
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATSG

1.1、Create an instance from the AMI ami-vpc-nat-hvm; choose the newest one available
***NAT AMI***

1.2、

Check that IPv4 forwarding is enabled and ICMP redirects are disabled in /etc/sysctl.d/10-nat-settings.conf

IPv4 forwarding =1


A script located at /usr/sbin/configure-pat.sh runs at startup and configures iptables IP masquerading.
This causes a problem here, so its POSTROUTING rule must be deleted:

# Remove the startup masquerade rule (rule 1 in nat/POSTROUTING) that interferes with the
# port-forwarding setup below. Check the number first with
# "iptables -t nat -vxnL --line-numbers" — positions shift as rules are added or removed.
sudo iptables -t nat -D POSTROUTING 1


2、
https://holtstrom.com/michael/blog/post/400/Port-Forwarding-Gateway-via-iptables-on-Linux.html

eth0 10.0.0.219  52.78.165.129

eth1 10.0.1.149

web server 10.0.1.249

# Inspect the filter and nat tables: -v packet counters, -x exact byte counts, -n no name
# lookups, --line-numbers gives the positions used by "-D <chain> <n>" below.
iptables -vxnL --line-numbers
iptables -t nat -vxnL --line-numbers

# Same views, refreshed every second.
watch -n 1 sudo iptables -vxnL --line-numbers
watch -n 1 sudo iptables -t nat -vxnL --line-numbers

===Start===
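# Reset every table to an empty, accept-all state. NOTE: with ip_forward=1 an ACCEPT
# policy on FORWARD lets the box forward for any host that can route through it; tighten
# FORWARD to the intended flow once the DNAT below is confirmed working.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Port-forward: TCP :888 arriving on eth0 for 10.0.0.219 is rewritten to the web server.
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.0.0.219 --dport 888 \
     -j DNAT --to-destination 10.0.1.249:80

# Key point from the original note: "-o eth0" cannot be used here — presumably because the
# forwarded packets leave via eth1 (the 10.0.1.x side), so an eth0 match never fires.
# Without any interface match this masquerades *everything* leaving the box; narrowing it
# to the DNAT flow (-o eth1 -d 10.0.1.249 -p tcp --dport 80) keeps the forwarding path
# private — check against the NAT-instance role (configure-pat.sh) before changing it.
# The note was previously written after "//", which the shell passes to iptables as an
# argument; it is a "#" comment now.
iptables -t nat -A POSTROUTING -j MASQUERADE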



===抓封包===
# Capture the forwarded :888 traffic on eth0. "-p" means do NOT enter promiscuous mode
# (it is not a protocol option); the BPF filter is "tcp and port 888". -n: no name
# resolution, -v: verbose decoding.
tcpdump -i eth0 -p tcp and port 888 -n -v

===刪除===
# Delete by position. Each deletion renumbers the chain, so re-list with --line-numbers
# before the next -D.
iptables -D INPUT 2
iptables -t nat -D PREROUTING 2
iptables -t nat -D POSTROUTING 2




===無用===
# Explicit FORWARD accepts for the DNAT'd flow. Marked as not needed in these notes
# because the FORWARD policy set above is ACCEPT; they become required if that policy
# is tightened to DROP.
iptables -A FORWARD -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -d 10.0.1.249 -j ACCEPT

iptables -A FORWARD -d 10.0.1.249 -p tcp --dport 80 -j ACCEPT


# Fixed-source alternative to MASQUERADE. It rewrites to the eth0 address, which is
# presumably not the interface the forwarded packets leave on (eth1), so it did not help here.
iptables -t nat -A POSTROUTING -j SNAT --to-source 10.0.0.219
===無用===


===無用  這行解決 telnet localhost 888===
# Loopback-only DNAT so "telnet localhost 888" on the gateway itself also reaches the web
# server: locally generated packets do not pass PREROUTING, only the nat OUTPUT chain.
iptables -t nat -A OUTPUT -p tcp -o lo --dport 888 -j DNAT --to 10.0.1.249:80