Summary of nginx configuration on Linux

I have been using nginx for a while now, so today I am writing up the configuration: the port 80 vhost, the port 443 vhost and the SSL/TLS settings.

First check the firewall. On a local development machine you can simply turn it off; on a server, check whether the firewall is enabled and, if it is, whether ports 80 and 443 are open. See "adding a port whitelist on CentOS" for the firewall commands.

nginx configuration

Enter the configuration directory:      cd /usr/local/nginx/conf/

Create two directories, vhost (virtual hosts) and cert (certificates), to keep things organized (mkdir vhost cert). Keep the private keys under cert readable by root only.

Back up the original first:  mv nginx.conf nginx.conf.back

vim  nginx.conf

#user  nobody;
worker_processes  auto;
worker_rlimit_nofile 51200;
#pid        logs/nginx.pid;

events {
    use epoll;
    worker_connections  51200;
    multi_accept on;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;   # hide the nginx version in the Server header and on error pages
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;   # also caps upload size; larger bodies get a 413

    sendfile   on;
    tcp_nopush on;

    keepalive_timeout 60;

    tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    gzip on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types     text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied   expired no-cache no-store private auth;
    gzip_disable   "MSIE [1-6]\.";

    # Per-IP connection limit. If you enable the zone here, add
    # "limit_conn perip 10;" to the server blocks that should enforce it.
    #limit_conn_zone $binary_remote_addr zone=perip:10m;

    # log format
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    # Disabled globally: a vhost that does not set its own access_log writes nothing,
    # so make sure each vhost below sets one if you need the logs.
    access_log off;

    include vhost/*.conf;
}
		



The vhost directory holds only the per-site configuration files. Go into vhost:

For example: vim 80.conf

server {
        listen 80;
        server_name localhost;   # replace with the real host name on a server
        #rewrite ^(.*)$ https://$host$1 permanent;   # uncomment to force HTTPS
        root   html;
        location / {

            index  index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$query_string;
            # This runs in the rewrite phase, before try_files, and covers the same
            # case. The trailing "break" in the original was unreachable after "last".
            if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php?s=$1 last;
            }
        }
        # The original pattern ".php$" left the dot unescaped, so it also matched
        # URIs such as /downloadphp. Escape it.
        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        #access_log  logs/80.access.log  main;
        #error_log   logs/80.error.log  info;
}
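As an added example (not the original post's file), here is the same port-80 vhost with the points a reviewer would raise fixed: a real server_name, one routing mechanism instead of two, dotfiles denied before the PHP handler is reached, and PHP-FPM only handed scripts that exist on disk. The site name example.com and the document root /usr/local/nginx/html are assumptions; the PHP-FPM address 127.0.0.1:9000 is the one used on the page.

```nginx
# vhost/80.conf (added example). example.com and the root path are assumptions.
server {
    listen 80;
    server_name example.com www.example.com;   # not "localhost" on a real host
    root /usr/local/nginx/html;

    index index.php index.html index.htm;

    # Front-controller routing. try_files alone is enough; the
    # "if (!-e $request_filename)" rewrite in the original duplicates it.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Deny dotfiles (.git, .env, .htaccess). Regex locations are tried in the
    # order they appear, so this must come before the PHP handler or
    # /.git/hooks/x.php would reach PHP-FPM.
    location ~ /\. {
        deny all;
    }

    # The original ".php$" has an unescaped dot; "\.php$" matches only a real
    # .php extension.
    location ~ \.php$ {
        # Refuse to hand PHP-FPM a script that is not on disk. Without this,
        # the classic cgi.fix_pathinfo behaviour lets a request such as
        # /uploads/avatar.jpg/x.php run avatar.jpg as PHP on builds that do
        # not restrict security.limit_extensions.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Per-vhost logs, because nginx.conf turns access_log off globally.
    access_log logs/80.access.log main;
    error_log  logs/80.error.log warn;
}
```

Check it with nginx -t before reloading; a regex typo in a location is a syntax error, but the wrong regex order is not, so read the order by hand.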

Port 443 configuration

server {
        add_header Strict-Transport-Security "max-age=31536000";
        server_name xxx.com  www.xxx.com ;
        # "listen 443 ssl" replaces the old "ssl on;" directive, which is
        # deprecated since nginx 1.15.0 and removed in newer releases.
        listen 443 ssl;
        root  html;

        ssl_certificate  cert/xxx.com/full_chain.pem ;
        ssl_certificate_key cert/xxx.com/private.key ;
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 are kept here as on the original page; see the
        # cipher-suite section below for the compatibility trade-off.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
        ssl_prefer_server_ciphers on;
        location / {
            index  index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$query_string;
            # Same overlap as in 80.conf; the unreachable "break" is dropped.
            if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php?s=$1 last;
            }
        }
        # "\.php$": the original ".php$" left the dot unescaped.
        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
                expires      30d;
        }

        # The original "(js|css)?$" made the extension optional; without the "?"
        # the location matches only .js and .css.
        location ~ .*\.(js|css)$
        {
                expires      12h;
        }

        # Deny dotfiles such as .git and .env.
        location ~ /\.
        {
                deny all;
        }
        access_log  logs/443.access.log  main;
        error_log   logs/443.error.log  info;
}

If your site's scan rating is already an A, the most likely reason it is not an A+ is that HSTS is not enabled. Enabling HSTS is simple: add the Strict-Transport-Security HTTP header. Note that browsers only honour the header when it arrives over HTTPS, and once they have seen it they refuse plain HTTP for the whole max-age, so start with a short max-age until every host covered by it is confirmed to serve HTTPS correctly.

add_header Strict-Transport-Security "max-age=31536000";

If your server must support a museum piece like IE6, follow the Baidu-style configuration. If compatibility is not a big concern and it is enough that mainstream browsers can connect, do not offer the 3DES suites. If you want the best compatibility while keeping security, use the Taobao-style configuration. Two caveats: SSLv3 has been broken since POODLE (2014) and OpenSSL 1.1.0 and later do not build it by default, so the Baidu-style list only buys anything on an old OpenSSL; and the RSA+AES entries in the other two lists use RSA key exchange, which has no forward secrecy.
The three configurations are given below:

Baidu-style

Nginx

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

Taobao-style

Nginx

ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Best security

Nginx

ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

The same configuration can also produce different scan results depending on the OpenSSL version, because the cipher-string aliases expand to whatever suites that build supports. If your OpenSSL is reasonably recent, configuring for best security should get you an A without problems.
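As an added example (not from the original post), this is how the port-443 vhost above and the cipher-suite lists look when written for a current nginx and OpenSSL 1.1.1 or later: TLS 1.2/1.3 only, ECDHE-only AEAD suites, session settings, OCSP stapling and the HSTS header from the A+ discussion. The site name example.com, the certificate and CA-chain paths and the resolver address are assumptions; the PHP location is the same as in the port-80 vhost and is omitted here.

```nginx
# vhost/443.conf (added example). example.com, the cert paths and the
# resolver are assumptions.
server {
    listen 80;
    server_name example.com www.example.com;
    # Send everything to HTTPS. HSTS below is only honoured when it arrives
    # over TLS, so this redirect is what gets first-time visitors there.
    # "return" is cheaper than the regex rewrite commented out in 80.conf.
    return 301 https://$host$request_uri;
}

server {
    # "listen 443 ssl" replaces "ssl on;" (deprecated since 1.15.0).
    listen 443 ssl;
    http2 on;     # nginx 1.25.1+; older builds use "listen 443 ssl http2;"
    server_name example.com www.example.com;
    root /usr/local/nginx/html;

    ssl_certificate     cert/example.com/full_chain.pem;   # leaf + intermediates
    ssl_certificate_key cert/example.com/private.key;      # mode 0600, owned by root

    # TLS 1.0/1.1 are deprecated (RFC 8996); the "IE6" lists on this page trade
    # security for reach. TLS 1.3 requires OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Every TLS 1.2 suite here is ECDHE (forward secrecy) with AEAD: no RSA key
    # exchange, no 3DES, no CBC, unlike the page's lists. TLS 1.3 suites are not
    # governed by ssl_ciphers in OpenSSL and keep their defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # nothing weak is offered, so let the client choose
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;   # ticket keys are not rotated by nginx; off keeps forward secrecy

    # OCSP stapling. Verification needs the intermediates and the root, which
    # full_chain.pem does not contain; ca_chain.pem is an assumed file.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate cert/example.com/ca_chain.pem;
    resolver 127.0.0.53 valid=300s;   # assumption: local stub resolver

    # HSTS for one year including subdomains, sent on every response code.
    # Start with a short max-age until every subdomain is known to serve HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ /\. {
        deny all;
    }
    # location ~ \.php$ { ... } as in the port-80 vhost, with "try_files $uri =404;"

    access_log logs/443.access.log main;
    error_log  logs/443.error.log warn;
}
```

After reloading, confirm the negotiated parameters from outside with openssl s_client -connect example.com:443 -tls1_1 (should fail) and -tls1_2 / -tls1_3 (should succeed with one of the suites above), and check the header with curl -sI https://example.com/ | grep -i strict-transport-security.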

Reference:

HTTPS security and compatibility configuration guide (HTTPS安全与兼容性配置指南)

--------------------

An alternative location / that routes module prefixes explicitly (Mobile, Admin, and everything else to Home). The third rewrite matches every URI, so the trailing "break" in the original was never reached and is dropped:

 location / {
         rewrite  ^/Mobile/(.*)$  /index.php?s=Mobile/$1  last;
         rewrite  ^/Admin/(.*)$  /index.php?s=Admin/$1  last;
         rewrite  ^/(.*)$  /index.php?s=Home/$1  last;
    }


Reprinted from blog.csdn.net/z13615480737/article/details/86505207