I have been using nginx for a while now; this post summarizes my configuration, covering both the plain port 80 server and the port 443 SSL server.
First, the firewall. On a local machine just turn it off. On a server, check whether the firewall is running, and if it is, check whether ports 80 and 443 are open (see the CentOS port-whitelist notes).
nginx configuration
Go into the config directory: cd /usr/local/nginx/conf/
Create two directories there, vhost (virtual host configs) and cert (certificates), to keep things organized.
Back up the original first: mv nginx.conf nginx.conf.back
vim nginx.conf
#user  nobody;
worker_processes auto;
worker_rlimit_nofile 51200;
#pid        logs/nginx.pid;

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;   # hide the nginx version in the Server header and on error pages
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";

    #limit_conn_zone $binary_remote_addr zone=perip:10m;
    ## If you enable limit_conn_zone, add "limit_conn perip 10;" to the server section.

    # log format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log off;

    include vhost/*.conf;
}
Note that access_log off at the http level means any vhost that does not set its own access_log keeps no request log at all, which you will miss the first time you have to reconstruct an incident; the 443 vhost below turns it back on per site.
The vhost directory holds one config file per site. Go into vhost and create one, for example: vim 80.conf
server {
    listen 80;
    server_name localhost;
    # Uncomment to send all plain-HTTP traffic to HTTPS:
    #rewrite ^(.*)$ https://$host$1 permanent;
    root html;

    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$query_string;
        # Paths that do not exist on disk go to the front controller
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?s=$1 last;
            break;
        }
    }

    # Hand PHP scripts to PHP-FPM. The dot must be escaped: ".php$" would also match any URI that merely ends in "php".
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    #access_log logs/80.access.log main;
    #error_log logs/80.error.log info;
}
Port 443 configuration
server {
    listen 443 ssl;   # the original "ssl on;" is deprecated since nginx 1.15.0 (removed in 1.25.1); enable TLS on the listener instead
    server_name xxx.com www.xxx.com;
    root html;
    add_header Strict-Transport-Security "max-age=31536000";

    ssl_certificate     cert/xxx.com/full_chain.pem;
    ssl_certificate_key cert/xxx.com/private.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
    ssl_prefer_server_ciphers on;

    # Block dotfiles (.git, .env, .svn ...). Regex locations are matched in the order written,
    # so this must come before the PHP location; listed after it, /.hidden/x.php would reach PHP-FPM.
    location ~ /\. {
        deny all;
    }

    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$query_string;
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?s=$1 last;
            break;
        }
    }

    # Escaped dot: ".php$" on its own also matches URIs that merely end in "php"
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    # The original pattern ".*\.(js|css)?$" made the extension optional and so matched every URI containing a dot
    location ~ .*\.(js|css)$ {
        expires 12h;
    }

    access_log logs/443.access.log main;
    error_log logs/443.error.log info;
}
Two more points on this block. TLSv1 and TLSv1.1 are deprecated (RFC 8996); unless you still have clients that need them, use ssl_protocols TLSv1.2 TLSv1.3; (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+). And with cgi.fix_pathinfo=1 in php.ini (the default), a request such as /uploads/x.jpg/foo.php is passed to PHP-FPM, which resolves the path down to the existing x.jpg and runs it as PHP; PHP-FPM's security.limit_extensions (default .php since 5.3.9) blocks most of this, but putting try_files $uri =404; at the top of the PHP location costs nothing and guarantees that only scripts that exist on disk are executed.
If your site's TLS rating is already an A, the most likely reason it is not an A+ is that HSTS is not enabled. Enabling HSTS is simple: just send the Strict-Transport-Security HTTP header:
add_header Strict-Transport-Security "max-age=31536000";
Two things to check before turning it on. Browsers cache the policy for max-age (one year here), so every host and sub-resource must already work over HTTPS; once the header has been sent, plain-HTTP access is refused until the policy expires or you serve max-age=0. Also, nginx's add_header is only added to 2xx/3xx responses unless you append always (nginx 1.7.5+), and it is not inherited into any location that declares an add_header of its own, so a location-level add_header silently drops the server-level HSTS header for that location.
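To make these checks repeatable, here is a small audit script, added as an example and not part of the original post, that reads an nginx server block as text and flags the weak settings discussed above: TLS not enabled on the listener, old protocol versions, weak cipher tokens, missing or non-always HSTS, an unescaped .php$ location, a PHP location without a try_files guard, and a dotfile deny listed after the PHP location. WEAK_VHOST is a constructed, trimmed copy of the 443 block as first written; HARDENED_VHOST is the form I would deploy instead. The cert paths are the post's placeholders; nothing here contacts a server.

```python
"""Audit an nginx TLS server block for the weak settings discussed in this post.

Added example, not code from the original post. WEAK_VHOST is a constructed,
trimmed copy of the 443 block as first written; HARDENED_VHOST is the form a
practitioner would deploy instead. The cert paths are the post's placeholders.
"""
import re

WEAK_VHOST = r"""
server {
    add_header Strict-Transport-Security "max-age=31536000";
    server_name xxx.com www.xxx.com;
    listen 443;
    ssl on;
    ssl_certificate cert/xxx.com/full_chain.pem;
    ssl_certificate_key cert/xxx.com/private.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
    location ~ .php$ { fastcgi_pass 127.0.0.1:9000; include fastcgi_params; }
    location ~ /\. { deny all; }
}
"""

HARDENED_VHOST = r"""
server {
    listen 443 ssl;
    server_name xxx.com www.xxx.com;
    ssl_certificate cert/xxx.com/full_chain.pem;
    ssl_certificate_key cert/xxx.com/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location ~ /\. { deny all; }
    location ~ \.php$ { try_files $uri =404; fastcgi_pass 127.0.0.1:9000; include fastcgi_params; }
}
"""


def _strip_comments(text):
    return re.sub(r"#[^\n]*", "", text)


def _location_blocks(text):
    """Yield (matcher, body, offset) for every location block, nesting-aware."""
    for m in re.finditer(r"location\s+([^{]+?)\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1], m.start()


def audit_vhost(config):
    """Return a list of findings; an empty list means every check passed."""
    text = _strip_comments(config)
    findings = []

    # 1. TLS belongs on the listener; "ssl on;" was deprecated in 1.15.0 and removed in 1.25.1.
    listens = re.findall(r"listen\s+([^;]+);", text)
    if not any("ssl" in l.split() for l in listens):
        findings.append("listen: no 'ssl' parameter (relies on the deprecated 'ssl on;')")

    # 2. SSLv3 (POODLE) and TLS 1.0/1.1 (deprecated by RFC 8996) must stay off.
    m = re.search(r"ssl_protocols\s+([^;]+);", text)
    protos = set(m.group(1).split()) if m else set()
    for bad in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        if bad in protos:
            findings.append(f"ssl_protocols: {bad} enabled")

    # 3. Any positively selected RC4/3DES/DES/MD5/NULL token in the cipher string.
    m = re.search(r"ssl_ciphers\s+([^;]+);", text)
    if m:
        for tok in m.group(1).strip().strip('"').split(":"):
            if tok and not tok.startswith("!") and re.search(r"RC4|3DES|(^|\+)DES|MD5|NULL", tok):
                findings.append(f"ssl_ciphers: weak token '{tok}' selected")

    # 4. HSTS must be present; 'always' makes nginx send it on 4xx/5xx responses too.
    hsts = re.search(r'add_header\s+Strict-Transport-Security\s+"[^"]*"\s*(always)?\s*;', text)
    if not hsts:
        findings.append("HSTS: Strict-Transport-Security header not set")
    elif not hsts.group(1):
        findings.append("HSTS: header lacks 'always', so 4xx/5xx responses go out without it")

    # 5. PHP location: escaped dot, a try_files guard, and the dotfile deny listed before it.
    php_pos = deny_pos = None
    for matcher, body, pos in _location_blocks(text):
        if matcher.startswith("~") and "php" in matcher:
            php_pos = pos
            if "\\.php" not in matcher:
                findings.append(f"location {matcher}: unescaped '.', matches any URI ending in 'php'")
            if not re.search(r"try_files\s+\$uri\s+=404", body):
                findings.append(f"location {matcher}: no 'try_files $uri =404;' before fastcgi_pass")
        if matcher.startswith("~") and "/\\." in matcher and "deny all" in body:
            deny_pos = pos
    if deny_pos is None:
        findings.append("no 'location ~ /\\. { deny all; }' to block dotfiles")
    elif php_pos is not None and deny_pos > php_pos:
        findings.append("dotfile deny comes after the PHP location; regex locations match in order")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(f"{name}: {len(audit_vhost(cfg))} finding(s)")
        for finding in audit_vhost(cfg):
            print("  -", finding)
```

Run it on your own vhost file with audit_vhost(open("vhost/443.conf").read()); the regexes are deliberately simple (one server block, directives terminated by semicolons), so treat it as a pre-commit sanity check rather than a parser for every nginx construct.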
If your server has to support antiques like IE6, use the Baidu-style configuration. If compatibility matters little and only mainstream browsers need access, do not enable the 3DES cipher suites at all. If you want security while keeping the widest compatibility, use the Taobao-style configuration. Two caveats before picking: the Baidu-style list re-enables SSLv3, which has been broken since POODLE (CVE-2014-3566), and the Taobao-style list explicitly keeps 3DES, whose 64-bit block is the target of Sweet32 (CVE-2016-2183) on long-lived connections; accept either only if you really have clients that cannot do better.
Here are the three configurations:

Baidu-style (Nginx)
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

Taobao-style (Nginx)
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Best security (Nginx)
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

(The original "best security" string contained a doubled colon, "RSA+AES256::!MD5"; OpenSSL treats the empty token as harmless, and it is removed here.) EECDH+CHACHA20-draft names the pre-RFC ChaCha20 suites that only patched OpenSSL builds provide; a stock OpenSSL does not know the token and silently ignores it, so it neither helps nor hurts. Note also that RSA+AES128 and RSA+AES256 admit static-RSA key exchange, which has no forward secrecy; drop those two tokens if you do not need the clients they serve.
Be aware that different OpenSSL versions can give different test results for the same configuration: nginx hands the ssl_ciphers string to OpenSSL unchanged, so what it expands to depends on the OpenSSL that nginx was built against (nginx -V shows the version; openssl ciphers -v '<string>' shows the resulting suites). If your OpenSSL is reasonably recent, the "best security" configuration should get you an A without trouble.
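To see exactly what the three cipher strings above turn into on a given machine, and why the same string can grade differently across OpenSSL versions, here is an added example (mine, not from the original post) that feeds each string to the local OpenSSL through Python's ssl module, which uses the same cipher-string parser nginx does. It lists the resulting TLS 1.2 suites, groups the ones a grader penalises (no forward secrecy, 3DES, RC4), and reports which tokens this OpenSSL could not resolve on its own (such as EECDH+CHACHA20-draft on a stock build). The labels "baidu-like", "taobao-like" and "best-security" are my own names for the three strings.

```python
"""Expand the three ssl_ciphers strings from the post with the local OpenSSL.

Added example, not from the original post. nginx passes ssl_ciphers to OpenSSL
verbatim, so Python's ssl module (same cipher-string parser) shows what each
string really enables on this host. The strings are copied from the post; the
"::" in the last one is a harmless empty token that OpenSSL skips.
"""
import ssl

CIPHER_STRINGS = {
    "baidu-like": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH",
    "taobao-like": "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:"
                   "EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5",
    "best-security": "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:"
                     "EECDH+AES256:RSA+AES256::!MD5",
}


def resolve(cipher_string):
    """TLS<=1.2 suite names OpenSSL selects for cipher_string, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError only when nothing at all matches
    # TLS 1.3 suites come from OpenSSL's separate ciphersuites list, so leave them out here.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def classify(names):
    """Group the suites a TLS grader penalises: no forward secrecy, 3DES (Sweet32), RC4."""
    return {
        "no_forward_secrecy": [n for n in names if not n.startswith(("ECDHE-", "DHE-"))],
        "triple_des": [n for n in names if "DES-CBC3" in n],
        "rc4": [n for n in names if "RC4" in n],
    }


def unknown_tokens(cipher_string):
    """Positive tokens that select nothing on this OpenSSL and are therefore silently dropped
    from the combined string (e.g. EECDH+CHACHA20-draft, which only patched builds know)."""
    dropped = []
    for tok in cipher_string.split(":"):
        if not tok or tok.startswith("!"):
            continue  # empty tokens and exclusions never select anything by themselves
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(tok)
        except ssl.SSLError:
            dropped.append(tok)
    return dropped


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for label, spec in CIPHER_STRINGS.items():
        suites = resolve(spec)
        print(f"\n{label}: {len(suites)} suites, dropped tokens {unknown_tokens(spec)}")
        for group, members in classify(suites).items():
            print(f"  {group}: {members}")
```

Run it on the server itself (the same OpenSSL nginx links against, see nginx -V) rather than on your laptop; the point of the exercise is that the answer differs between the two.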
Reference:
HTTPS安全与兼容性配置指南 (HTTPS security and compatibility configuration guide)
--------------------
Module routing rewrites: the Mobile, Admin and Home modules are all served through index.php?s=..., the rules are tried top to bottom, and the last one catches everything else (so any request for a real file that no other location claims, such as /robots.txt, also ends up in the Home module).
location / {
    # /Mobile/... -> index.php?s=Mobile/...
    rewrite ^/Mobile/(.*)$ /index.php?s=Mobile/$1 last;
    # /Admin/...  -> index.php?s=Admin/...
    rewrite ^/Admin/(.*)$ /index.php?s=Admin/$1 last;
    # everything else is the Home module
    rewrite ^/(.*)$ /index.php?s=Home/$1 last;
    break;
}