[root@serv01 nginx]# cat nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
index index.php index.html index.htm;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
server_name localhost;
root /var/www/wordpress;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
try_files $uri $uri/ =404;
}
# redirect server error pages to the static page /40x.html
#
error_page 404 /404.html;
location = /40x.html {
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
server {
listen 443;
server_name home.local;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
root /var/www/wordpress;
index index.php index.htm index.html
}
}
我正在尝试为我的 wordpress 使用 https,http 工作正常,但是当我尝试添加 httpd 服务器块时,nginx 不会启动,我猜是它在错误的位置。任何帮助都将不胜感激。
答案1
不确定回答这个问题是否是一件好事大概“死亡和埋葬”的问题但我们开始吧......
基本配置(即嗯安全)
- 生成你的私钥(>= 2048 位)和证书。我假设你已经拥有它们,否则请查看letsencrypt.org. 确保您的证书包含完整的证书链(通常中间体/实体证书)。至于Diffie-Hellman参数,你可以通过运行来生成
openssl dhparam -out /path/to/dhparam.pem 2048。 按照以下设置 SSL 设置Mozilla SSL 配置生成器(中间的设置,截至 2016-06-30):
server { listen 443 ssl; listen [::]:443 ssl; server_name localhost; root /var/www/wordpress; ### SSL/TLS SETTINGS ### # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /path/to/signed_cert_plus_intermediates; ssl_certificate_key /path/to/private_key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /path/to/dhparam.pem; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; ### OCSP Stapling ### # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; resolver <IP DNS resolver>; include /etc/nginx/default.d/*.conf; location / { try_files $uri $uri/ =404; } location ~ \.php$ { try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } }
高级配置(即来找我吧,国家安全局!(好吧,不是,但是……))
采取基本配置并按如下方式调整:
- 生成证书和 Diffie-Hellman 参数时选择(至少)3072 位(是的,这需要一段时间,但值得)。
- 仅使用 TLS1.2:
ssl_protocols TLSv1.2; - 使用安全曲线:
ssl_ecdh_curve secp384r1; - 使用“现代”密码套件(截至 2016-06-30):
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; 对所有人强制实施 HTTPS:
重写您的“HTTP”
server块如下:server { listen 80; listen [::]:80; server_name mySuperServer; return 301 https://$server_name$request_uri; }使用 HSTS 标头强制访问者的导航器仅使用 HTTPS:
add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; preload';
您的服务器还可以通过设置这些标头来保护您的网站(在一定程度上):
add_header X-Frame-Options DENY; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header Content-Security-Policy "default-src 'none';- 此处的一般最佳做法是:切勿使用
root来修改您的文件。sudo而应使用 。
奖金
- 如果您的服务器运行的是 nginx > 1.9.5,则可以通过添加指令来使用 HTTP/
http22listen。 - 你的服务器有 IPv6 地址(并且支持 HTTP/2)?很好!
listen [::]:443 ssl http2;在第一个listen指令下面添加。 - 您是否计划将服务器用于多个域?那么您应该为每个块设置
access_log和。error_logserver - 复制/粘贴很少会引起注意...您可以移动
### SSL/TLS SETTINGS ###文本文件中的块并将其包含在配置中。对 PHP 的 CGI 调用也是如此。 - 您可以使用 UNIX 套接字而不是监听环回接口来加快 nginx 和 PHP 解释器之间的通信速度:
fastcgi_pass unix:/var/run/php5-fpm.sock;。
因此,你的server块看起来应该像这样:
#HTTP server
server {
listen 80;
listen [::]:80;
server_name mySuperServer;
return 301 https://$server_name$request_uri;
}
# HTTPS server
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2;
server_name mySuperServer;
index index.php index.html index.htm;
root /path/to/your/files/mySuperServer;
access_log /var/log/nginx/mySuperServer/access.log;
error_log /var/log/nginx/mySuperServer/error.log;
### SSL/TLS SETTINGS ###
ssl on;
ssl_certificate /path/to/your/cert.pem;
ssl_certificate_key /path/to/your/privkey.pem;
ssl_dhparam /path/to/your/dh_parameters.pem;
include securityrules.inc;
include fastcgi.inc;
}
内容securityrules.inc:
ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
### HTTP HEADERS ###
add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; preload';
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none';
内容fastcgi.inc:
location ~ \.php$ {
include fastcgi_params;
fastcgi_keep_conn on;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}