Idinku fifuye olupin

Ninu nkan yii, a yoo ṣawari sinu idi ti ẹru olupin ti o pọ si waye ati jiroro lori awọn ọna pupọ lati mu awọn ilana fifuye giga pọ si. Ifarabalẹ pataki ni yoo fun ni iṣapeye koodu ni Apache/Nginx ati MySQL, a yoo sọrọ nipa caching bi ohun elo iranlọwọ, ati tun gbero awọn irokeke ita ti o ṣeeṣe, bii awọn ikọlu DDOS, ati awọn ọna lati ṣe idiwọ wọn.

Kí nìdí Server fifuye waye

Ṣaaju ki o to tẹsiwaju si iṣapeye olupin, o jẹ dandan lati ṣe itupalẹ pipe ti fifuye lọwọlọwọ lori awọn orisun. Eyi pẹlu wiwọn fifuye Sipiyu, lilo Ramu, iṣẹ nẹtiwọọki, ati awọn ipilẹ bọtini miiran. Agbọye awọn agbara ati awọn ẹru ti o ga julọ ngbanilaaye idanimọ awọn igo ati jipe ​​ipinfunni awọn orisun, nitorinaa jijẹ iduroṣinṣin ati iṣẹ ti awọn amayederun olupin.

Fun laasigbotitusita akọkọ fifuye olupin giga, a ṣeduro ṣiṣe a gbogboogbo server aisan. Ti eyi ko ba to, alaye diẹ sii igbekale ti oro jẹ dandan. Bi ohun elo iranlọwọ, ṣawari awọn awọn akọọlẹ ti Linux olupin le ṣe iranlọwọ, nitori eyi ni ibiti a ti rii orisun iṣoro ni ọpọlọpọ awọn ọran.

Iṣapeye Apache/Nginx Server

Ipilẹṣẹ olupin ti o pọ si Nitori Titọka

Ipilẹ ti o pọ si nitori itọka lori olupin le waye, fun apẹẹrẹ, nigbati awọn ẹrọ wiwa ṣawari nọmba nla ti awọn oju-iwe lori aaye rẹ. Eyi le ja si alekun lilo awọn orisun olupin ati, nitori naa, fa fifalẹ iṣẹ aaye naa. Idamo idi naa rọrun; o nilo lati ṣii faili ti o wa ni:

/var/www/httpd-logs/sitename.access.log

Nigbati a ba ṣe atọka nipasẹ awọn ẹrọ wiwa, olumulo yoo rii awọn titẹ sii ti ẹda atẹle:

11.22.33.44 - - [Date and Time] "GET /your-page-path HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Gẹgẹbi ojutu akọkọ lati dinku fifuye, o le lo eto ti awọn aami meta "noindex" ati "nofollow" lori awọn oju-iwe ti ko nilo itọka. Ojutu keji ni .htaccess faili, nibiti awọn titẹ sii ti o baamu si awọn ẹrọ wiwa kan pato nilo lati ṣafikun, fun apẹẹrẹ, lati tọju lati Yandex ati Google:

SetEnvIfNoCase User-Agent "^Yandex" search_bot
SetEnvIfNoCase User-Agent "^Googlebot" search_bot
Order Allow,Deny
Allow from all
Deny from env=search_bot

Bakanna, awọn atunṣe nilo lati ṣe fun awọn ẹrọ wiwa miiran. O yẹ ki o ṣe akiyesi pe awọn agbara ti .htaccess ko ni opin si kan dina titọka. A ṣeduro nini diẹ sii faramọ pẹlu awọn ẹya akọkọ rẹ ninu article.

Lilo caching Eto

Awọn eto caching ti ko tọ lori olupin le tun ja si fifuye giga. Lati mu paramita yii pọ si, awọn ayipada ti o baamu nilo lati ṣe ni awọn faili iṣeto ni tabi .htaccess. Ninu ọran ti Apache, aṣayan igbehin jẹ ayanfẹ, fun Nginx - iṣaaju.

Lori ohun afun olupin, o nilo lati ṣii .htacess faili ki o fi koodu atẹle sii:

<FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf|js|css|pdf|doc|docx)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>

Lẹhinna, mu ṣiṣẹ naa Dopin module nipa lilo aṣẹ:

sudo a2enmod expires

Lẹhin eyi, tun bẹrẹ olupin wẹẹbu:

sudo service apache2 restart

Ati mu module ṣiṣẹ nipa sisọ:

ExpiresActive On

Lori Nginx olupin, o to lati ṣafikun koodu atẹle si faili iṣeto:

location ~* .(jpg|jpeg|gif|png|ico|css|swf|flv|doc|docx)$ {
root /var/www/yoursite.com;
}

Ki o si ṣe atungbejade iṣẹ kan:

sudo service nginx restart

Akiyesi pe pẹlu awọn eto, awọn gba ati Kọ awọn ilana yoo kọja.

Lilo Data funmorawon

Muu ṣiṣẹ funmorawon data nipa lilo gzip lori Apache ati awọn olupin wẹẹbu Nginx ṣe iranlọwọ lati dinku iye data ti a firanṣẹ laarin olupin ati alabara, eyiti o mu iṣẹ ṣiṣe dara ati dinku akoko ikojọpọ oju-iwe wẹẹbu.

Lati jeki gzip on afun, o nilo lati mu ṣiṣẹ mod_deflate modulu:

sudo a2enmod deflate

Lẹhinna, tun bẹrẹ olupin wẹẹbu naa:

sudo service apache2 restart

Ati nikẹhin, ṣafikun bulọọki atẹle si faili iṣeto tabi .htaccess:

<IfModule mod_deflate.c>
# Configure compression for specified file types
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript application/json

# If the browser matches the specified pattern, apply compression only to text/html files
BrowserMatch ^Mozilla/4 gzip-only-text/html

# If the browser matches the specified version patterns of Mozilla 4.0.6, 4.0.7, 4.0.8, disable compression
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# If the browser is MSIE (Internet Explorer), disable compression for all files except text/html
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# If the request contains the specified pattern (extensions of image files), disable compression
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip
</IfModule>

Iṣeto ni yi funmorawon fun awọn orisi ti awọn faili ati ki o disables o fun awọn aworan.

Boya a le Nginx, iṣeto ni waye ninu awọn http Àkọsílẹ ti iṣeto ni faili. Awọn koodu atẹle nilo lati ṣafikun:

gzip on;
gzip_disable "msie6";

# Adds the Vary header, indicating that the response may change depending on the Accept-Encoding header value
gzip_vary on;

# Enables compression for any proxy servers
gzip_proxied any;

# Sets the compression level. A value of 6 provides a good balance between compression efficiency and resource use
gzip_comp_level 6;

# Sets the size of the buffer for compressed data (16 buffers of 8 kilobytes each)
gzip_buffers 16 8k;

# Specifies that data compression should be used only for HTTP version 1.1 and higher
gzip_http_version 1.1;

# Sets the file types that can be compressed
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

Iru si afun, nibi awọn paramita funmorawon fun awọn iru awọn faili ti ṣeto. Lẹhin ṣiṣe awọn ayipada si eyikeyi awọn olupin wẹẹbu, a nilo atungbejade iṣẹ kan:

sudo service apache2 restart

Or

sudo service nginx restart

DDOS Attack lori olupin

Ẹru olupin giga le waye bi abajade ikọlu DDoS kan. Idanimọ wiwa ti ikọlu DDoS le ṣee ṣe nipasẹ mimojuto ilosoke lojiji ni ijabọ, awọn ibeere ajeji, ati iṣẹ ṣiṣe olupin ti n lọ silẹ. Ṣiṣayẹwo awọn akọọlẹ fun awọn ibeere leralera lati adiresi IP kan tabi wíwo ibudo tun le tọkasi ikọlu DDoS ti o ṣeeṣe. Ọpọlọpọ awọn ọna aabo wa, ṣugbọn a yoo jiroro awọn ipilẹ nikan.

Lilo CDN kan (Nẹtiwọki Ifijiṣẹ akoonu). CDN le ṣiṣẹ bi agbedemeji laarin olupin wẹẹbu rẹ ati awọn olumulo, pinpin ijabọ ati akoonu akoonu lati dinku ipa ti ikọlu DDoS kan. Awọn CDN tun le ni awọn ọna idabobo DDoS ti a ṣe sinu, pẹlu pinpin fifuye ati sisẹ ijabọ.

Ṣiṣeto awọn ogiriina ati awọn eto wiwa ifọle (IDS/IPS). Awọn ogiriina le jẹ tunto lati ṣe àlẹmọ ijabọ ti o da lori ọpọlọpọ awọn ibeere, gẹgẹbi awọn adirẹsi IP ati awọn ebute oko oju omi. IDS/IPS le ṣe awari ihuwasi ijabọ ajeji ati dina awọn asopọ ifura. Awọn irinṣẹ wọnyi le jẹ imunadoko ni titọpa ati didi awọn ijabọ irira.

Ṣiṣeto Apache ati awọn olupin wẹẹbu Nginx lati dinku ipa ti awọn ikọlu DDoS.

Bi awọn kan ojutu fun Apache, a jeki awọn mod_evasive module. Lati ṣe eyi, uncomment tabi fi awọn wọnyi ila ninu awọn httpd.conf or apache2.conf faili atunto:

LoadModule evasive20_module modules/mod_evasive.so

Ninu faili kanna, o nilo lati fi idinamọ eto kan kun:

<IfModule mod_evasive20.c>
# Hash table size for storing request information
DOSHashTableSize 3097

# Number of requests to one page before activating protection
DOSPageCount 2
DOSPageInterval 1

# Number of requests to all pages before activating protection
DOSSiteCount 50
DOSSiteInterval 1

# Blocking period in seconds for IP addresses
DOSBlockingPeriod 10
</IfModule>

Bakanna, a mu awọn mod_ratelimit modulu:

LoadModule ratelimit_module modules/mod_ratelimit.so

Ki o si fi awọn iṣeto ni:

<IfModule mod_ratelimit.c>
# Setting the output filter for rate limiting (Rate Limit)
SetOutputFilter RATE_LIMIT

# Beginning of the settings block for the location "/login"
<Location "/login">

# Setting the environment variable rate-limit with a value of 1
SetEnv rate-limit 1

# Ending of the settings block for the location "/login"
</Location>
</IfModule>

Awọn iṣeto ni fun Nginx jẹ iru si afun. Nínú nginx.conf faili iṣeto ni, awọn itọsọna wọnyi nilo lati lo:

http {
...
# Defining a zone for connection limits
limit_conn_zone $binary_remote_addr zone=addr:10m;

# Defining a zone for request limits
limit_req_zone $binary_remote_addr zone=req_zone:10m rate=1r/s;

server {
        ...
        # Configuring connection limits
        limit_conn addr 10;

        # Configuring request limits
        limit_req zone=req_zone burst=5;

        ...
    }
}

Lẹhin ṣiṣe awọn ayipada si ọkọọkan awọn iṣẹ naa, wọn nilo lati tun gbejade:

sudo systemctl restart apache2

Tabi:

sudo systemctl restart nginx

Awọn apẹẹrẹ wọnyi n pese iṣeto ipilẹ nikan, eyiti o le ṣe atunṣe siwaju si da lori awọn ibeere kan pato ati iru awọn ikọlu.

Nmu MySQL Awọn ibeere

Imudara awọn ibeere data MySQL lori olupin wẹẹbu le ṣee ṣe ni awọn ọna pupọ, ati ọkan ninu wọn ni iṣeto to dara ti faili iṣeto. Ni deede, faili yii ni orukọ mi.cnf or mi.ini ati ki o ti wa ni be ninu awọn / be be lo / or /ati be be lo/mysql/ liana. O nilo lati ṣii ati ṣe awọn ayipada wọnyi:

[mysqld]
# Location of the file for recording slow queries. Be sure to replace it with your path
log-slow-queries = /var/log/mariadb/slow_queries.log

# Threshold time for considering slow queries (in seconds)
long_query_time = 5

# Enabling recording of queries that do not use indexes
log-queries-not-using-indexes = 1

# Disabling query caching
query_cache_size = 0
query_cache_type = 0
query_cache_limit = 1M

# Size of temporary tables
tmp_table_size = 16M
max_heap_table_size = 16M

# Size of the thread cache
thread_cache_size = 16

# Disabling name resolving
skip-name-resolve = 1

# Size of the InnoDB buffer pool. Set to 50-70% of available RAM
innodb_buffer_pool_size = 800M

# Size of the InnoDB log file
innodb_log_file_size = 200M

Jẹ ki a tun gbero awọn iṣeduro afikun ti o le dẹrọ ibaraenisepo pẹlu data data olupin:

1. lo awọn ṢẸRẸ pipaṣẹ ṣaaju ibeere SQL lati ṣe itupalẹ ipaniyan rẹ. Eyi n gba ọ laaye lati gba ero ipaniyan fun ibeere naa ati pinnu iru awọn atọka ti a lo, awọn tabili wo ni a ṣayẹwo, ati bẹbẹ lọ.
2. Awọn atọka yiyara wiwa data, nitorinaa awọn atọka ti a ṣe apẹrẹ daradara le mu iṣẹ ṣiṣe ibeere pọ si ni pataki. San ifojusi si awọn ọwọn ti a lo nigbagbogbo ninu Nibo or JOIN awọn ipo.
3. Yago fun lilo Yan *. Pato awọn ọwọn wọnyẹn ti o ṣe pataki nitootọ fun ibeere rẹ, dipo yiyan gbogbo awọn ọwọn ninu tabili kan.
4. Yago fun lilo awọn iṣẹ ni Nibo awọn ipo. Lilo awọn iṣẹ (bii LATI, UPERP., osi, ọtun) ni Nibo awọn ipo le ṣe awọn atọka asan. Gbiyanju lati yago fun lilo taara wọn ni awọn ipo.
5. lilo akojọpọ da ibi ti o ti ṣee, bi o ti jẹ maa n siwaju sii daradara. Pẹlupẹlu, rii daju pe awọn ọwọn ti o baamu fun didapọ ni awọn atọka.
6. lilo OPIN lati ni ihamọ nọmba awọn ori ila ti o pada ti o ba nilo lati gba nọmba kan ti awọn abajade.
7. Wo awọn abajade ibeere caching, paapaa ti wọn ko ba yipada, lati dinku fifuye olupin.

Olupin Ifiranṣẹ Ṣẹda Ẹru giga lori olupin naa

Ni apakan yii, a yoo ṣawari bi a ṣe le pinnu pe olupin meeli n ni iriri ẹru giga ati awọn igbesẹ wo ni a le ṣe lati mu iṣẹ ṣiṣe rẹ pọ si, pẹlu ṣayẹwo isinyi ifiranṣẹ ati tunto awọn aye olupin. Bẹrẹ pẹlu ṣayẹwo isinyi ifiranṣẹ. Awọn mailq IwUlO le ṣe iranlọwọ pẹlu eyi, lati muu ṣiṣẹ, tẹ aṣẹ ti o baamu ni ebute naa:

mailq

Eyi yoo ṣe afihan atokọ ti awọn ifiranṣẹ ninu isinyi, ti o ba jẹ eyikeyi. Ifiranṣẹ kọọkan yoo ṣafihan pẹlu idamo alailẹgbẹ rẹ ati alaye nipa ipo fifiranṣẹ. Abajade ti o jọra ni a le gba nipasẹ atunwo awọn iforukọsilẹ alabara meeli.

Ni ọpọlọpọ igba, fifuye giga waye ni iṣẹlẹ ti iṣeduro olupin nigbati o bẹrẹ fifiranṣẹ àwúrúju. Bibẹẹkọ, ti o ba jẹ pe lẹhin ti o ba ṣayẹwo oluṣakoso naa ni igboya pe olupin naa ko ti kọlu lati ita ati pe awọn olumulo ko ṣe aifiyesi àwúrúju, o to akoko lati lọ siwaju si iṣapeye olupin meeli naa. Eyi ni awọn igbesẹ ti yoo ṣe iranlọwọ:

1. Rii daju pe awọn igbasilẹ DNS ti agbegbe rẹ ti tunto ni deede, pẹlu SPF, DKIM, Ati DMARC awọn igbasilẹ lati mu ilọsiwaju ifiweranṣẹ ati aabo lodi si àwúrúju. Awọn ti o tọ iṣeto ni ti sile le ri ninu awọn article lori mail server okunfa.
2. Ṣayẹwo awọn eto nẹtiwọọki, pẹlu iṣeto ogiriina ati awọn ofin ipa-ọna, lati yago fun awọn bulọọki ati yiyara ifijiṣẹ meeli.
3. Ṣe atunto awọn paramita isinyi ifiranṣẹ ni ibamu si fifuye olupin. Eyi le pẹlu tito iwọn isinyi ti o pọju ati awọn akoko ipari.
4. Gbé ojútùú tí a jíròrò nínú àpilẹ̀kọ yìí ṣáájú. Lẹsẹkẹsẹ mu ibi ipamọ data olupin meeli pọ si lati mu iṣẹ ṣiṣe dara si, lo awọn ọna ṣiṣe caching lati ṣe wiwa data ati ṣiṣe ni iyara, gẹgẹbi awọn ibeere DNS.
5. Ti olupin meeli ba tun pade ẹru giga nigbagbogbo, ronu awọn aṣayan iwọnwọn, gẹgẹbi lilo iṣupọ ti awọn olupin meeli tabi awọn ojutu awọsanma.

ipari

Alekun fifuye olupin taara ni ipa lori iyara ikojọpọ oju opo wẹẹbu, nikẹhin ni ipa iriri olumulo ati orukọ rere ninu awọn ẹrọ wiwa. Nitorinaa, ṣiṣe iṣakoso ẹru yii ni imunadoko ṣe ipa pataki ni idaniloju iṣẹ ṣiṣe ilọsiwaju ti orisun ati jijẹ iraye si fun awọn alejo.