Nginx httpS server配置

                                                                         Nginx httpS 配置                                                                        

 

 

配置同时支持http和httpS协议:

 


server { listen
80 default backlog=2048;
     #backlog:每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目。 listen
443 ssl; server_name ssl.joy4you.com; ssl_certificate /data/nginx/conf/server.crt; ssl_certificate_key /data/nginx/conf/server_nopwd.key; root /data/; location / { index index.php index.html index.htm; try_files $uri $uri/ /index.php?$args; } location ~ .*\.(php|php5)?$ { # try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi.conf; } }

 

 

配置/data/http/使用http协议;/data/ssl/使用httpS协议:

 


server { listen
80; server_name 192.168.17.16; access_log /data/nginx/logs/php.joy4you.com.log main; root /data/http/; location / { index index.php index.html index.htm; try_files $uri $uri/ /index.php?$args; } location ~ .*\.(php|php5)?$ { # try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi.conf; } } server { listen 443; ssl on; ssl_certificate /data/nginx/conf/server.crt; ssl_certificate_key /data/nginx/conf/server_nopwd.key; server_name 192.168.17.16; access_log /data/nginx/logs/php.joy4you.com.log main; root /data/ssl/; location / { index index.php index.html index.htm; try_files $uri $uri/ /index.php?$args; } location ~ .*\.(php|php5)?$ { # try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi.conf; } }

 

把访问80端口的请求全部转发到443(https):

server { listen
80; server_name 192.168.17.16; rewrite ^(.*) https://$server_name$1 permanent; } server { listen 443; ssl on; ssl_certificate /data/nginx/conf/server.crt; ssl_certificate_key /data/nginx/conf/server_nopwd.key; server_name 192.168.17.16; access_log /data/nginx/logs/php.joy4you.com.log main; root /data/; location / { index index.php index.html index.htm; try_files $uri $uri/ /index.php?$args; } location ~ .*\.(php|php5)?$ { # try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi.conf; } }

 

 使用沃通的CA证书,他们推荐的https配置:

server {
 listen      443;
 server_name  localhost;
 
 #为一个server开启ssl支持
 ssl                  on;
 
 #为虚拟主机指定pem格式的证书文件
 ssl_certificate      /home/wangzhengyi/ssl/wangzhengyi.crt;
 
 #为虚拟主机指定私钥文件
 ssl_certificate_key  /home/wangzhengyi/ssl/wangzhengyi_nopass.key;
 
 #客户端能够重复使用存储在缓存中的会话参数时间
 ssl_session_timeout  5m;
 
 #指定使用的ssl协议
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
 #指定许可的密码描述
 ssl_ciphers  ALL:!ADH:!EXPORT56: -RC4+RSA:+HIGH:+MEDIUM: !EXP;
#ssl_ciphers ALL:!ADH:!EXPORT56: -RC4+RSA:+HIGH:+MEDIUM:-EXP; #SSLv3和TLSv1协议的服务器密码需求优先级高于客户端密码 ssl_prefer_server_ciphers on;

 

SLL参数:

ssl_session_timeout 5m;   ##设置客户端能够反复使用储存在缓存中的会话参数时间。
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ##指定要开启的SSL协议。
ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP; ##指出为建立安全连接,服务器所允许的密码格式列表,密码指定为OpenSSL支持的格式
ssl_prefer_server_ciphers on; ##依赖SSLv3和TLSv1协议的服务器密码将优先于客户端密码.

 

posted @ 2015-12-02 16:13  唐胜伟  阅读(2197)  评论(0编辑  收藏  举报