Nginx httpS 配置                                                                        

 

 

配置同时支持http和httpS协议：

 

server {        listen 80 default backlog=2048; 　　　　　#backlog：每个网络接口接收数据包的速率比内核处理这些包的速率快时，允许送到队列的数据包的最大数目。        listen 443 ssl;        server_name ssl.joy4you.com;        ssl_certificate  /data/nginx/conf/server.crt;        ssl_certificate_key  /data/nginx/conf/server_nopwd.key;        root /data/;        location / {        index index.php index.html index.htm;        try_files $uri $uri/ /index.php?$args;}         location ~ .*\.(php|php5)?$ {#            try_files $uri =404;             fastcgi_pass    127.0.0.1:9000;             fastcgi_index   index.php;#            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;             include         fastcgi.conf;}        }

 

 

配置/data/http/使用http协议；/data/ssl/使用httpS协议:

 

server {        listen       80;        server_name  192.168.17.16;        access_log  /data/nginx/logs/php.joy4you.com.log  main;        root /data/http/;        location / {        index index.php index.html index.htm;        try_files $uri $uri/ /index.php?$args;}         location ~ .*\.(php|php5)?$ {#            try_files $uri =404;             fastcgi_pass    127.0.0.1:9000;             fastcgi_index   index.php;#            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;             include         fastcgi.conf;}}server {        listen       443;        ssl     on;        ssl_certificate  /data/nginx/conf/server.crt;        ssl_certificate_key  /data/nginx/conf/server_nopwd.key;        server_name  192.168.17.16;        access_log  /data/nginx/logs/php.joy4you.com.log  main;        root /data/ssl/;        location / {        index index.php index.html index.htm;        try_files $uri $uri/ /index.php?$args;}         location ~ .*\.(php|php5)?$ {#            try_files $uri =404;             fastcgi_pass    127.0.0.1:9000;             fastcgi_index   index.php;#            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;             include         fastcgi.conf;}}

 

把访问80端口的请求全部转发到443（https）:

server {        listen       80;        server_name  192.168.17.16;        rewrite ^(.*) https://$server_name$1 permanent;}server {        listen       443;        ssl     on;        ssl_certificate  /data/nginx/conf/server.crt;        ssl_certificate_key  /data/nginx/conf/server_nopwd.key;        server_name  192.168.17.16;        access_log  /data/nginx/logs/php.joy4you.com.log  main;        root /data/;        location / {        index index.php index.html index.htm;        try_files $uri $uri/ /index.php?$args;}         location ~ .*\.(php|php5)?$ {#            try_files $uri =404;             fastcgi_pass    127.0.0.1:9000;             fastcgi_index   index.php;#            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;             include         fastcgi.conf;}}

 

 使用沃通的CA证书，他们推荐的https配置：

server { listen      443; server_name  localhost;  #为一个server开启ssl支持 ssl                  on;  #为虚拟主机指定pem格式的证书文件 ssl_certificate      /home/wangzhengyi/ssl/wangzhengyi.crt;  #为虚拟主机指定私钥文件 ssl_certificate_key  /home/wangzhengyi/ssl/wangzhengyi_nopass.key;  #客户端能够重复使用存储在缓存中的会话参数时间 ssl_session_timeout  5m;  #指定使用的ssl协议 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  #指定许可的密码描述 ssl_ciphers  ALL:!ADH:!EXPORT56: -RC4+RSA:+HIGH:+MEDIUM: !EXP; #ssl_ciphers  ALL:!ADH:!EXPORT56: -RC4+RSA:+HIGH:+MEDIUM:-EXP;  #SSLv3和TLSv1协议的服务器密码需求优先级高于客户端密码 ssl_prefer_server_ciphers  on;

 

SLL参数：

ssl_session_timeout 5m;   ##设置客户端能够反复使用储存在缓存中的会话参数时间。 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  ##指定要开启的SSL协议。 ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP; ##指出为建立安全连接，服务器所允许的密码格式列表，密码指定为OpenSSL支持的格式 ssl_prefer_server_ciphers on;  ##依赖SSLv3和TLSv1协议的服务器密码将优先于客户端密码.