
Nginx Optimization, DNS Configuration, and Anti‑Hotlinking Setup on CentOS

This guide walks through installing Nginx on CentOS, configuring DNS across three servers, hardening the web server by hiding version information, setting up log rotation, tuning keep‑alive connections, and implementing anti‑hotlinking rules to protect site assets, complete with command‑line examples.

Selected Java Interview Questions

This article begins with a real‑world interview scenario where a candidate failed to answer Nginx optimization and anti‑hotlinking questions, then provides a step‑by‑step tutorial to master those topics.

1. Install Nginx on CentOS01

[root@centos01 ~]# mount /dev/cdrom /mnt/
# mount: /dev/sr0 写保护,将以只读方式挂载
[root@centos01 ~]# useradd -M -s /sbin/nologin nginx
[root@centos01 ~]# yum -y install pcre-devel zlib-devel
[root@centos01 ~]# cd /usr/src/nginx-1.16.1/
[root@centos01 nginx-1.16.1]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module
[root@centos01 nginx-1.16.1]# make && make install

Create the website root and a simple index page:

[root@centos01 ~]# mkdir /www/
[root@centos01 ~]# echo "www.huhu.com" > /www/index.html

2. Configure DNS on three CentOS machines

On each host edit /etc/sysconfig/network-scripts/ifcfg-ens32 to set a static IP and DNS server, then restart the network service:

# vim /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.100.10   # CentOS01 example
DNS1=192.168.100.30
# systemctl restart network

Install BIND on CentOS03 and create /etc/named.conf and zone files for huhu.com and huyan.com:

# yum -y install bind bind-chroot
# echo "" > /etc/named.conf
# vim /etc/named.conf
options { listen-on port 53 { any; }; directory "/var/named/"; };
zone "huhu.com" IN { type master; file "/var/named/huhu.com.zone"; };
zone "huyan.com" IN { type master; file "/var/named/huyan.com.zone"; };

Populate the zone files with A records for the servers and the www hosts, then verify with named-checkzone and start the service:

# named-checkzone huhu.com /var/named/huhu.com.zone
# systemctl start named

3. Harden Nginx

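Hide the version string and set a dedicated user in /usr/local/nginx/conf/nginx.conf:

user  nginx;
worker_processes  1;
# in the http block: hide the version in the Server header and on error pages
server_tokens off;
# in the server block:
listen 192.168.100.10:80;
server_name www.huhu.com;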

Enable log rotation with a Bash script, /opt/nginx_log_.sh, that moves the current access log, signals Nginx with USR1, and deletes logs older than 30 days. Add it to crontab to run every ten minutes.
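
One way to write the rotation script described above, as an added example that is not the article's own script. The log and PID paths are the defaults for --prefix=/usr/local/nginx; the archive directory, the environment overrides and the --run argument are assumptions.

```shell
#!/bin/bash
# Added example (not the article's script): rotate the Nginx access log.
# Paths are the defaults for --prefix=/usr/local/nginx; override via environment.
# Assumed crontab entry: */10 * * * * /opt/nginx_log_.sh --run
LOG_DIR="${LOG_DIR:-/usr/local/nginx/logs}"
PID_FILE="${PID_FILE:-$LOG_DIR/nginx.pid}"
ARCHIVE_DIR="${ARCHIVE_DIR:-$LOG_DIR/archive}"   # assumed location
KEEP_DAYS="${KEEP_DAYS:-30}"

rotate_nginx_logs() {
    local stamp src dst pid
    stamp="$(date +%Y%m%d-%H%M%S)"
    src="$LOG_DIR/access.log"
    dst="$ARCHIVE_DIR/access-$stamp.log"

    mkdir -p "$ARCHIVE_DIR" || return 1
    # Nothing to rotate if the log is missing or empty.
    [ -s "$src" ] || return 0

    # Rename within the same filesystem: nginx keeps writing to the open
    # file descriptor, so no entries are lost before the signal arrives.
    mv -- "$src" "$dst" || return 1

    # USR1 makes the master process reopen its log files.
    if [ -r "$PID_FILE" ] && pid="$(cat "$PID_FILE")" && [ -n "$pid" ]; then
        kill -USR1 "$pid" || return 2
    else
        return 2    # log was moved, but nginx could not be signalled
    fi

    # Delete archived logs older than KEEP_DAYS days.
    find "$ARCHIVE_DIR" -maxdepth 1 -type f -name 'access-*.log' \
        -mtime +"$KEEP_DAYS" -delete
}

# Run only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    rotate_nginx_logs
fi
```

A return code of 2 means the log was renamed but Nginx was not told to reopen it, which is worth alerting on because new entries keep going to the archived file.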

4. Tune keep‑alive connections

Increase worker_processes to 2, raise worker_connections to 2048, and set short timeouts:

keepalive_timeout 5;
client_header_timeout 5;
client_body_timeout 5;

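Verify the changes with curl -I www.huhu.com, which now returns Connection: keep-alive and the custom Server: IIS header. Note that server_tokens off only removes the version number from the Server header; it does not change the server name itself.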

5. Implement anti‑hotlinking

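Add a location block that only allows referers from *.huhu.com and redirects invalid requests to an error image. The none and blocked parameters also accept requests whose Referer header is missing or has been stripped by a proxy or firewall, so the rule stops other sites from embedding the files rather than acting as access control:

location ~* \.(gif|jpg|swf)$ {
    valid_referers none blocked *.huhu.com huhu.com;
    if ($invalid_referer) {
        rewrite ^/ http://www.huhu.com/error.png;
    }
}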

After reloading Nginx, attempts to embed www.huhu.com/logo.jpg on www.huyan.com are blocked and the error image is served.

Finally, the article concludes with verification screenshots and a brief thank‑you note.

Written by

Selected Java Interview Questions