Master Nginx Optimization: Hide Version, Tweak Users, Enable Caching & More
This guide walks through essential Nginx optimizations—including hiding the version number, changing the run‑user and group, configuring cache expiry, setting up log rotation, adjusting connection timeouts, scaling worker processes, enabling gzip compression, applying image filtering, preventing hotlinking, and an overview of common modules—providing code snippets and configuration examples for each step.
1. Nginx Service Optimization
(1) Hide Nginx version number
Hide the Nginx version so that responses do not reveal which release is running, and with it which known vulnerabilities might apply. Two approaches are available: editing the configuration file or recompiling the source.
server_tokens off; ## add to the configuration file to turn off the version
nginx.h ## modify the source, then recompile
./configure --prefix=/usr/local/nginx \
--user=nginx --group=nginx \
--with-http_stub_status_module
make -j 2 && make install
(2) Change Nginx user and group
Nginx processes need a specific user and group to enforce file access permissions. By default Nginx runs as the nobody user and group.
Modify the user and group either during compilation or by editing the configuration file.
user username groupname;
(3) Configure Nginx page cache duration
After Nginx returns page data to the client, you can set an expiration time so that subsequent requests for the same content are served from cache, reducing load and speeding up access. This is typically applied to static files; dynamic content is left uncached.
Add an expires directive in the http, server or location block.
expires cache_time;
(4) Implement Nginx log rotation
Log files grow over time; regular rotation keeps them manageable and aids monitoring. Nginx itself lacks built-in log rotation, so rotation is done with a shell script that uses Linux signals to make Nginx reopen its logs and is scheduled via cron.
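A rotation script of the kind described above, as an added example that is not part of the original article: it renames the logs, sends USR1 so the Nginx master process reopens them, and prunes old archives by mtime. The log directory, PID file location, retention period and script path are assumptions based on the --prefix=/usr/local/nginx build shown earlier.

```shell
#!/bin/sh
# Added example, not from the original article. Paths assume the
# --prefix=/usr/local/nginx build shown earlier; adjust to your layout.
LOG_DIR="${LOG_DIR:-/usr/local/nginx/logs}"
PID_FILE="${PID_FILE:-/usr/local/nginx/logs/nginx.pid}"
KEEP_DAYS="${KEEP_DAYS:-30}"   # assumed retention period in days

rotate_nginx_logs() {
    # Validate the master PID first, so logs are never renamed when
    # Nginx cannot be told to reopen them.
    [ -s "$PID_FILE" ] || { echo "no pid file: $PID_FILE" >&2; return 1; }
    pid=$(cat "$PID_FILE")
    case "$pid" in
        ''|*[!0-9]*) echo "bad pid in $PID_FILE" >&2; return 1 ;;
    esac

    stamp=$(date +%Y%m%d)
    for name in access error; do
        src="$LOG_DIR/$name.log"
        dst="$LOG_DIR/$name.log-$stamp"
        [ -f "$src" ] || continue              # nothing to rotate
        if [ -e "$dst" ]; then                 # never overwrite an archive
            echo "skip: $dst already exists" >&2
            continue
        fi
        mv "$src" "$dst" || return 1
    done

    # Nginx keeps writing to the renamed files until the master process
    # receives USR1 and reopens its logs under the original names.
    kill -USR1 "$pid" || return 1

    # Prune archives by mtime (last content change), the timestamp
    # that reflects when a log was last written.
    find "$LOG_DIR" -maxdepth 1 -type f -name '*.log-*' \
        -mtime +"$KEEP_DAYS" -delete
}

# Run only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    rotate_nginx_logs
fi

# crontab entry (script path is an assumption), daily at 23:59:
# 59 23 * * * /usr/local/nginx/sbin/rotate_logs.sh --run
```

Set KEEP_DAYS to match how long access logs must stay available for incident investigation before they are pruned.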
shell script + crontab
ctime (status time): updated when file permissions or attributes change.
atime (access time): updated on each file access.
mtime (modification time): updated when file content changes.
(5) Configure Nginx connection timeouts
To prevent a client from holding a connection indefinitely, set timeout parameters to control connection lifespan.
keepalive_timeout server_timeout client_timeout;
client_header_timeout seconds;
client_body_timeout seconds;
keepalive_timeout 60;
client_header_timeout 60;
client_body_timeout 60;
(6) Increase Nginx worker processes
In high‑concurrency scenarios, launching more worker processes improves responsiveness. Set worker_processes to the number of CPU cores (or twice that number for very busy servers).
cat /proc/cpuinfo | grep -c "physical id" # view CPU core count
ps aux | grep nginx # view current Nginx processes
worker_processes auto; # or set to core count
worker_cpu_affinity cpu_mask; # bind workers to specific CPUs
(7) Enable Nginx gzip compression
The ngx_http_gzip_module compresses responses before sending them to clients, saving bandwidth and improving load times. The module is compiled in by default; compression itself is switched on with the gzip directive, and its parameters can be fine-tuned.
gzip on; # enable gzip compression
Note: Do not enable gzip for already compressed media (e.g., jpg, png, video) or very large files, as it wastes CPU cycles.
(8) Configure Nginx anti‑hotlinking
Prevent unauthorized sites from directly linking to your resources by checking the Referer header.
if ($invalid_referer) { rewrite ... }
~* \.(jpg|gif|swf)$ # match image/video extensions
valid_referers www.example.com *.example.com none blocked;
if ($invalid_referer) { return 403; }
(1) Lab demonstration
Example setup with a hotlink‑blocking host (IP 20.0.0.160) and a web source host (IP 20.0.0.150). Screenshots illustrate the configuration and testing process.
(9) Common Nginx modules
http_stub_status_module # status statistics
http_gzip_module # page compression
http_rewrite_module # URL rewriting
http_ssl_module # HTTPS encryption
http_auth_basic_module # basic authentication
http_fastcgi_module # FastCGI forwarding
http_image_filter_module # image processing
http_mp4/flv_module # MP4/FLV video handling
http_limit_req_module # request rate limiting
http_limit_conn_module # connection limiting
http_proxy_module # proxy forwarding
http_upstream_*_module # load balancing
stream # layer‑4 proxy
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
