How to Build a High‑Performance, Secure Nginx Web Server on CentOS
This guide walks through why Nginx is preferred over Apache, detailed steps to compile and install it on CentOS, and extensive configuration tweaks—including worker processes, kernel parameters, SELinux policies, and request‑filtering rules—to achieve high concurrency and robust security for production web services.
Abstract: Web services are the most exposed services on the Internet. Choosing the right software to build a web server that supports high concurrency and resists external attacks is a long‑term challenge. The author shares a practical, efficient, and secure Nginx web server solution.
Keywords: Nginx, efficient, high concurrency, web server
1. Why Choose Nginx for a Web Server
Apache and Nginx are the two most popular web servers. Apache, the older of the two, is highly extensible but consumes more resources. Nginx, created by Igor Sysoev in 2004, is a high‑performance HTTP and reverse‑proxy server known for stability, rich features, and low resource usage.
In the early Internet, Apache could handle light traffic, but as traffic grew exponentially, Apache’s process‑based model struggled with memory‑intensive applications like PHP. Nginx was designed for high concurrency and reverse proxying, making it ideal for large sites.
As a Web server: Nginx uses fewer resources, supports more concurrent connections (up to 50,000), and employs epoll/kqueue.
As a load‑balancer: Nginx can proxy HTTP, support Rails and PHP, and offers better CPU efficiency than Perlbal.
Nginx installation is simple, configuration files are concise, and the server can run 24/7 with minimal restarts, allowing seamless version upgrades.
2. Installing Nginx
2.1 Installation Instructions
System: CentOS‑6.6
Software: nginx‑1.8.0.tar.gz
Installation method: Compile from source
Installation path: /opt/program/nginx-1.8.0
Download URL: http://nginx.org/en/download.html
2.2 Required Packages
<code># yum install gcc-c++
# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel</code>
Check for an existing Nginx installation and remove previous versions:
<code># find -name nginx
./nginx
./nginx/sbin/nginx
./nginx-1.2.6/objs/nginx
# yum remove nginx</code>
2.3 Compile and Install
Upload the source package to /opt/software and run:
<code># cd /opt/program
# mkdir nginx
# tar -zxvf ../software/nginx-1.8.0.tar.gz
# cd nginx-1.8.0
# ./configure --prefix=/opt/program/nginx
# make
# make install</code>
2.4 Service Configuration
<code># vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# service iptables restart</code>
2.5 Start Nginx
Method 1:
<code># /opt/program/nginx/sbin/nginx -c /opt/program/nginx/conf/nginx.conf</code>
Method 2 (manage the process):
<code># /opt/program/nginx/sbin/nginx
# ps -ef | grep nginx
# pkill -9 nginx
# /opt/program/nginx/sbin/nginx -s reload
# netstat -na|grep 80
# Test in browser: http://ip:80</code>
3. Configuring Nginx for High Concurrency
3.1 General Optimizations
Edit nginx.conf and adjust the directives shown in the block below.
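The eight worker_cpu_affinity masks in this section pin one worker to each of eight cores, and the worker_connections value only holds if every worker can actually open that many descriptors. As an added example, not code from the original article, the following script generates the masks for any core count, computes the client capacity the worker settings imply (one connection per client for static files, two when proxying), and checks the descriptor budget against a system-wide limit such as fs.file-max. Function names (affinity_masks, render_worker_block and the rest) are this example's own.

```python
"""Derive the worker directives from section 3.1 for a given host.

Added example, not part of the original article.
"""
import os


def affinity_masks(cpus):
    """Return one worker_cpu_affinity mask per CPU.

    Nginx reads each mask as a binary string with the least significant
    bit on the right, so a set bit i pins that worker to CPU i: with eight
    CPUs the masks are 00000001 ... 10000000, the values used in the guide.
    """
    if cpus < 1:
        raise ValueError("need at least one CPU")
    return [format(1 << i, "0%db" % cpus) for i in range(cpus)]


def max_clients(workers, connections, reverse_proxy=False):
    """Upper bound on simultaneous clients for these settings.

    A client costs one worker connection when serving static files and two
    when proxying (client side plus upstream side).
    """
    per_worker = connections // (2 if reverse_proxy else 1)
    return workers * per_worker


def fd_budget_ok(workers, connections, rlimit_nofile, system_file_max):
    """Check the descriptor budget behind worker_connections.

    worker_rlimit_nofile caps descriptors per worker, so it must cover every
    connection; the kernel-wide limit (fs.file-max, passed in as a plain
    number here) must cover all workers together.
    """
    return connections <= rlimit_nofile and workers * rlimit_nofile <= system_file_max


def render_worker_block(cpus=None, connections=65535, rlimit_nofile=65535):
    """Render the section 3.1 worker directives for this host."""
    cpus = cpus or os.cpu_count() or 1
    lines = [
        "worker_processes %d;" % cpus,
        "worker_cpu_affinity %s;" % " ".join(affinity_masks(cpus)),
        "worker_rlimit_nofile %d;" % rlimit_nofile,
        "events {",
        "    worker_connections %d;" % connections,  # events context
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_worker_block())
    print("# max clients, static:", max_clients(os.cpu_count() or 1, 65535))
    print("# max clients, proxy: ", max_clients(os.cpu_count() or 1, 65535, True))
```

Run it on the target host to get masks that match its core count instead of copying the eight-core values; if fd_budget_ok is false, raise worker_rlimit_nofile or fs.file-max before raising worker_connections.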
<code>worker_processes 8;
worker_cpu_affinity 00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000;
worker_rlimit_nofile 65535;
worker_connections 65535;
client_header_buffer_size 4k;
open_file_cache max=65535 inactive=60s;
open_file_cache_valid 80s;
open_file_cache_min_uses 1;</code>
3.2 Kernel Parameter Tuning
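The fragment in this section is tuned for short-lived connections under load, but a few entries trade correctness for speed: tcp_tw_recycle drops SYNs from clients behind a shared NAT (it was removed in Linux 4.12), turning tcp_timestamps off disables PAWS and makes tcp_tw_reuse ineffective, and a one-second tcp_fin_timeout or a single SYN retransmit hurts clients on lossy links. Raising net.core.somaxconn also changes nothing for Nginx unless the listen directive sets backlog=, since its default on Linux is 511. As an added example, not code from the original article, the script below parses the fragment, reports those entries with a safer value, and returns a corrected copy; the thresholds and replacement values are this example's own choices, not the article's.

```python
"""Lint the sysctl fragment from section 3.2 before applying it.

Added example, not part of the original article.
"""

# Constructed input: the fragment from this section.
SAMPLE = """\
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
"""


def parse_sysctl(text):
    """Return {key: value} from 'key = value' lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def _int(settings, key, default):
    value = settings.get(key, str(default))
    return int(value) if value.isdigit() else default


def lint(settings):
    """Return (key, problem, safer value) for each risky entry."""
    findings = []
    if settings.get("net.ipv4.tcp_tw_recycle") == "1":
        findings.append(("net.ipv4.tcp_tw_recycle",
                         "drops SYNs from clients behind a shared NAT "
                         "(per-host PAWS check); removed in Linux 4.12", "0"))
    if settings.get("net.ipv4.tcp_timestamps") == "0":
        findings.append(("net.ipv4.tcp_timestamps",
                         "disables PAWS and makes tcp_tw_reuse ineffective", "1"))
    if _int(settings, "net.ipv4.tcp_fin_timeout", 60) < 10:  # example threshold
        findings.append(("net.ipv4.tcp_fin_timeout",
                         "orphaned FIN_WAIT2 sockets are torn down before a "
                         "slow peer finishes closing", "30"))
    for key in ("net.ipv4.tcp_syn_retries", "net.ipv4.tcp_synack_retries"):
        if settings.get(key) == "1":
            findings.append((key, "a single retransmit fails handshakes "
                                  "on lossy links", "3"))
    return findings


def listen_backlog_hint(settings):
    """nginx's listen backlog defaults to 511 on Linux, so a larger
    net.core.somaxconn is only used if the listen directive asks for it."""
    value = settings.get("net.core.somaxconn", "")
    if value.isdigit() and int(value) > 511:
        return "listen 80 backlog=%s;" % value
    return None


def apply_fixes(settings, findings):
    """Return a copy of settings with each finding's safer value applied."""
    fixed = dict(settings)
    for key, _, value in findings:
        fixed[key] = value
    return fixed


def render(settings):
    """Render settings back into sysctl.conf form."""
    return "\n".join("%s = %s" % item for item in settings.items())


if __name__ == "__main__":
    current = parse_sysctl(SAMPLE)
    for key, problem, value in lint(current):
        print("%s: %s -> %s" % (key, problem, value))
    hint = listen_backlog_hint(current)
    if hint:
        print("nginx.conf:", hint)
    print(render(apply_fixes(current, lint(current))))
```

Point parse_sysctl at the real /etc/sysctl.conf (or the output of sysctl -a) to lint a host that already has the fragment applied.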
<code>net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30</code>
4. Nginx Security Configuration
4.1 Remove Unnecessary Modules
<code># ./configure --without-http_autoindex_module --without-http_ssi_module
# make
# make install</code>
4.2 Install SELinux Policy for Nginx
<code># yum -y install selinux-policy-targeted selinux-policy-devel
# cd /opt
# wget http://downloads.sourceforge.net/project/selinuxnginx/se-ngix_1_0_10.tar.gz?use_mirror=nchc
# tar -zxvf se-ngix_1_0_10.tar.gz
# cd se-ngix_1_0_10/nginx
# make
# /usr/sbin/semodule -i nginx.pp</code>
4.3 Buffer Overflow Protection
<code>client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;</code>
4.4 Limit Concurrent Connections
<code># limit_conn_zone replaces the older limit_zone syntax, which nginx 1.8.0 no longer accepts
limit_conn_zone $binary_remote_addr zone=slimits:5m;
limit_conn slimits 5;</code>
4.5 Restrict Request Methods
<code>if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}</code>
4.6 Block Malicious User‑Agents
<code>if ($http_user_agent ~* "LWP::Simple|BBBike|wget") { return 403; }
if ($http_user_agent ~* "Sosospider|YodaoBot") { return 403; }</code>
4.7 Prevent Image Hotlinking
<code>location /images/ {
valid_referers none blocked www.example.com example.com;
if ($invalid_referer) { return 403; }
}</code>
4.8 Firewall Connection Limits
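The iptables rules in this section drop a source that opens 15 or more new connections within 60 seconds, and the rules in 4.5 to 4.7 reject requests by method, User-Agent and Referer. Before enforcing any of them it is worth knowing which existing clients they would hit. As an added example, not code from the original article, the script below replays the same conditions over access-log lines in the default combined format: it classifies each request by the 4.5 to 4.7 conditions (by the request itself, not by status code, so it works on logs taken before the rules exist) and applies the 15-in-60-seconds window per source address. A log records requests rather than TCP connections, so with keep-alive the window count is an upper bound on what the iptables recent match would see; the concurrent-connection limit of 4.4 cannot be derived from a log at all. The log lines, addresses and function names are constructed for this example.

```python
"""Replay the section 4.5 to 4.8 filter conditions over access-log lines.

Added example, not part of the original article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Default nginx combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
ALLOWED_METHODS = {"GET", "HEAD", "POST"}                      # section 4.5
BLOCKED_AGENTS = re.compile(r"LWP::Simple|BBBike|wget|Sosospider|YodaoBot", re.I)
VALID_REFERER_HOSTS = {"www.example.com", "example.com"}       # section 4.7
WINDOW = timedelta(seconds=60)                                 # section 4.8
HITCOUNT = 15


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_hotlink(rec):
    """Mirror 'valid_referers none blocked www.example.com example.com' for /images/."""
    if not rec["path"].startswith("/images/"):
        return False
    ref = rec["referer"]
    if ref in ("", "-"):                       # 'none': no Referer header
        return False
    if not ref.startswith(("http://", "https://")):
        return False                           # 'blocked': header stripped by a proxy
    host = ref.split("/", 3)[2].split(":")[0].lower()
    return host not in VALID_REFERER_HOSTS


def classify(rec):
    """Names of the section 4.5 to 4.7 rules this request would trigger."""
    reasons = []
    if rec["method"] not in ALLOWED_METHODS:
        reasons.append("method")
    if BLOCKED_AGENTS.search(rec["agent"]):
        reasons.append("user-agent")
    if is_hotlink(rec):
        reasons.append("hotlink")
    return reasons


def burst_sources(records, window=WINDOW, hitcount=HITCOUNT):
    """Sources with at least `hitcount` requests inside any `window` (iptables recent)."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec["time"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= hitcount:
                flagged.add(ip)
                break
    return flagged


def analyse(lines):
    """Per-source rule hits plus the set of sources the iptables rule would drop."""
    records = [rec for rec in map(parse_line, lines) if rec]
    hits = defaultdict(lambda: defaultdict(int))
    for rec in records:
        for reason in classify(rec):
            hits[rec["ip"]][reason] += 1
    return {"filter_hits": {ip: dict(v) for ip, v in hits.items()},
            "burst": burst_sources(records)}


def _line(ip, t, method, path, status, referer, agent):
    return '%s - - [%s] "%s %s HTTP/1.1" %d 512 "%s" "%s"' % (
        ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), method, path, status, referer, agent)


# Constructed sample log: documentation addresses, none of them real clients.
T0 = datetime(2015, 10, 10, 13, 55, 0, tzinfo=timezone(timedelta(hours=8)))
SAMPLE_LINES = [
    _line("192.0.2.1", T0, "GET", "/index.html", 200, "-", "Mozilla/5.0"),
    _line("198.51.100.7", T0, "PUT", "/upload", 200, "-", "curl/7.29"),
    _line("198.51.100.8", T0, "GET", "/", 200, "-", "Wget/1.14"),
    _line("198.51.100.9", T0, "GET", "/images/logo.png", 200, "http://evil.example.net/p", "Mozilla/5.0"),
    _line("192.0.2.1", T0, "GET", "/images/logo.png", 200, "http://www.example.com/", "Mozilla/5.0"),
] + [_line("203.0.113.5", T0 + timedelta(seconds=2 * i), "GET", "/", 200, "-", "Mozilla/5.0")
     for i in range(20)]

if __name__ == "__main__":
    result = analyse(SAMPLE_LINES)
    for ip, reasons in sorted(result["filter_hits"].items()):
        print(ip, reasons)
    print("would be dropped by the recent rule:", sorted(result["burst"]))
```

Feed it real lines with analyse(open("access.log")) and adjust HITCOUNT and WINDOW until legitimate clients stop appearing in the burst set before loading the rules.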
<code># iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 15 -j DROP
# service iptables save</code>
4.9 OS Permissions for Web Root
<code># find /nginx -user nginx
# find /usr/local/nginx/html -user nginx
# ls -l /usr/local/nginx/html/</code>
5. Conclusion
The author built a customized, efficient, and secure Nginx web server based on personal needs. Nginx offers many more capabilities beyond basic web serving, inviting further exploration.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.