nginx 1.16.0 release

After a year of development, a new stable branch of the high-performance HTTP server and multi-protocol proxy server, nginx 1.16.0, has been released; it absorbs the changes accumulated in the 1.15.x mainline branch. From now on, all changes in the stable 1.16 branch will be limited to fixing serious bugs and vulnerabilities. The nginx 1.17 mainline branch will be formed shortly, and development of new features will continue there. Ordinary users who do not need to maintain compatibility with third-party modules are advised to use the mainline branch, which is also the base from which releases of the commercial Nginx Plus product are formed once every three months.

The most notable improvements added during development of the 1.15.x mainline branch:

  • Variables can now be used in the "ssl_certificate" and "ssl_certificate_key" directives, which makes it possible to load certificates dynamically;
  • SSL certificates and private keys can now be loaded from variables without using intermediate files;
  • The "upstream" block gains a new "random" directive, with which load balancing can be set up so that the server a connection is forwarded to is chosen at random;
  • The ngx_stream_ssl_preread module gains the $ssl_preread_protocol variable, which determines the highest SSL/TLS protocol version supported by the client. The variable makes it possible to accept different protocols, with and without SSL, on a single network port when proxying traffic with the http and stream modules. For example, to provide both SSH and HTTPS access through one port, port 443 can forward to SSH by default but forward to HTTPS whenever an SSL version is detected.
  • The upstream module gains a new "$upstream_bytes_sent" variable, reflecting the number of bytes sent to the upstream group server;
  • The stream module can now process several incoming UDP datagrams from a client within a single session;
  • The "proxy_requests" directive sets the number of datagrams received from the client after which the binding between the client and the existing UDP session is dropped. Once the specified number of datagrams has been received, the next datagram from the same client starts a new session;
  • The listen directive can now specify a range of ports;
  • The "ssl_early_data" directive was added to enable 0-RTT mode with TLSv1.3, which allows the parameters of a previously negotiated TLS connection to be saved and reduces the number of RTTs to 2 when resuming a previously established connection;
  • New directives were added for configuring keepalive on outgoing connections (enabling or disabling the SO_KEEPALIVE socket option):

    • "proxy_socket_keepalive" - configures "TCP keepalive" behaviour for outgoing connections to the proxied server;
    • "fastcgi_socket_keepalive" - configures "TCP keepalive" behaviour for outgoing connections to the FastCGI server;
    • "grpc_socket_keepalive" - configures "TCP keepalive" behaviour for outgoing connections to the gRPC server;
    • "memcached_socket_keepalive" - configures "TCP keepalive" behaviour for outgoing connections to the memcached server;
    • "scgi_socket_keepalive" - configures "TCP keepalive" behaviour for outgoing connections to the SCGI server;
    • "uwsgi_socket_keepalive" - configures "TCP keepalive" behaviour for outgoing connections to the uwsgi server.
  • The "limit_req" directive gains a new "delay" parameter, which sets the limit after which excessive requests are delayed;
  • New "keepalive_timeout" and "keepalive_requests" directives were added to the "upstream" block to set keepalive limits;
  • The "ssl" directive is deprecated and replaced by the "ssl" parameter of the "listen" directive. Missing SSL certificates are now detected at configuration test time when the "listen" directive is used with the "ssl" parameter;
  • When the reset_timedout_connection directive is used, connections are now closed with code 444 when the timeout expires;
  • The SSL errors "http request", "https proxy request", "unsupported protocol" and "version too low" are now written to the log at the "info" level instead of "crit";
  • Support was added for polling mode on Windows systems when running on Windows Vista and later;
  • TLSv1.3 can now be used when building with the BoringSSL library, not only with OpenSSL.
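The single-port SSH/HTTPS multiplexing described above, combined with the "ssl" listen parameter and "ssl_early_data", as an added example configuration that is not part of the release notes or the nginx project; the backend addresses, ports and certificate paths are assumptions.

```nginx
# Constructed example nginx.conf (not from the release notes). Assumed
# backends: sshd on 127.0.0.1:22, an application server on 127.0.0.1:8080.
events { worker_connections 1024; }

stream {
    upstream ssh_backend   { server 127.0.0.1:22; }
    upstream https_backend { server 127.0.0.1:8443; }

    # $ssl_preread_protocol is the highest TLS version offered in the
    # ClientHello. It is empty for non-TLS clients such as SSH, whose first
    # bytes are a plaintext banner rather than a TLS record.
    map $ssl_preread_protocol $backend {
        ""      ssh_backend;     # no TLS ClientHello seen: treat as SSH
        default https_backend;   # any TLS version: hand to the HTTPS server
    }

    server {
        listen 443;
        ssl_preread on;          # inspect the ClientHello, do not terminate TLS
        proxy_pass $backend;
    }
}

http {
    server {
        # "ssl" as a listen parameter replaces the deprecated ssl directive;
        # a missing certificate is now reported by "nginx -t".
        listen 127.0.0.1:8443 ssl;
        ssl_certificate     /etc/nginx/certs/example.crt;   # assumed path
        ssl_certificate_key /etc/nginx/certs/example.key;   # assumed path
        ssl_protocols TLSv1.2 TLSv1.3;

        # 0-RTT data can be replayed by a network attacker, so tell the
        # application which requests arrived as early data; it should reject
        # non-idempotent requests carrying Early-Data: 1.
        ssl_early_data on;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Early-Data $ssl_early_data;
        }
    }
}
```

Run "nginx -t -c /path/to/this.conf" to validate it; with the certificate files absent the test fails at this stage rather than at runtime, which is the behaviour change noted above.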

Source: opennet.ru
