Пример настройки https-сервера для сайта на PHP.
1. Генерация самоподписанных SSL-сертификатов:
# cd /etc/nginx
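# mkdir -p /etc/nginx/certs
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/certs/nginx.key -out /etc/nginx/certs/nginx.crt
# chmod 600 /etc/nginx/certs/nginx.key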
Везде можно нажимать enter.
Здесь можно ввести домен сайта:
Common Name (e.g. server FQDN or YOUR name) []:mysite.mydomain.com
2. Конфигурация nginx в /etc/nginx/sites-enabled:
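server {
    include /etc/nginx/fcgiwrap.conf;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mysite.mydomain.com;

    # "ssl on;" is not used: "listen ... ssl" above already enables TLS on the
    # socket, and the standalone directive is deprecated in current nginx.
    # Certificate paths match step 1, which writes into /etc/nginx/certs/.
    ssl_certificate /etc/nginx/certs/nginx.crt;
    ssl_certificate_key /etc/nginx/certs/nginx.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # ssl_dhparam /path/to/dhparam.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and removed from the list.
    # Add TLSv1.3 here once the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    # Same suite list as before minus the 3DES (DES-CBC3) entries, which are
    # affected by Sweet32 and are not needed by any TLS 1.2 client.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    # (only meaningful with a CA-issued certificate, not the self-signed one from step 1)
    # ssl_stapling on;
    # ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /etc/nginx/certs/CA.pem;
    # resolver is only consulted for OCSP fetches and for upstream hostnames
    # resolved at runtime; a local or provider resolver is preferable to a
    # hard-coded external one.
    resolver 212.188.4.10;

    location / {
        root /v0/sites/mysite/;
        index index.php index.html index.htm;
        location ~ ^/(.+\.php)$ {
            # Only hand a request to PHP-FPM when the script really exists on
            # disk; otherwise a path like /upload.png/x.php could be executed.
            try_files $uri =404;
            #fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_pass 127.0.0.1:9000;
            #/var/run/php5-fpm.sock;
            # proxy_*_timeout directives have no effect on fastcgi_pass; the
            # intended 300/300/600 limits are expressed with fastcgi_* here.
            fastcgi_connect_timeout 300;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 600;
            include /etc/nginx/fastcgi_params;
            # Tell PHP the request arrived over TLS ($_SERVER['HTTPS']).
            fastcgi_param HTTPS on;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }

    location /mysite {
        root /v0/;
        index index.php index.html index.htm;
        location ~ ^/(.+\.php)$ {
            try_files $uri =404;
            #fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_pass 127.0.0.1:9000;
            #/var/run/php5-fpm.sock;
            # proxy_*_timeout directives have no effect on fastcgi_pass; the
            # intended 600/300/300 limits are expressed with fastcgi_* here.
            fastcgi_connect_timeout 600;
            fastcgi_send_timeout 300;
            fastcgi_read_timeout 300;
            include /etc/nginx/fastcgi_params;
            fastcgi_param HTTPS on;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
        }
    }

    #fast cgi support
    #include /etc/nginx/fcgiwrap.conf;
    location ~ \.cgi$ {
        fastcgi_intercept_errors on;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        #fastcgi_connect_timeout 600;
        #fastcgi_send_timeout 600;
        # fastcgi_read_timeout is the directive that actually bounds a slow
        # CGI script here (proxy_read_timeout does not apply to fastcgi_pass).
        fastcgi_read_timeout 600;
    }

    location /smokeping/ {
        # root /usr/share/smokeping
        index smokeping.cgi;
        gzip off;
        # NOTE(review): no root is set in this location or at server level, so
        # it falls back to nginx's default root; confirm the intended path
        # (the commented root above looks like it). The index request is
        # re-dispatched to the "\.cgi$" location above, which carries the
        # timeout; no proxy_pass exists here, so proxy_read_timeout was dropped.
    }
}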
Безусловное перенаправление на SSL-версию сайта:
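server {
    listen *:80;
    listen [::]:80;
    server_name mysite.mydomain.com;
    # The previous "rewrite ^ https://$server_name$1 permanent;" referenced a
    # capture group the pattern never defined, so $1 was empty and the request
    # path was lost. $request_uri keeps path and query string; $server_name
    # (rather than $host) pins the target to this vhost instead of echoing the
    # client's Host header.
    return 301 https://$server_name$request_uri;
}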