Basic Nginx gateway/application setup. Do not simply copy and paste this without understanding what it does.


http { 
  ...
  
  ## Support the X-Forwarded-Proto header with a nice variable.
  ## The header is only trustworthy when it is set by the gateway, which overwrites it with $scheme.
  map $http_x_forwarded_proto $forwarded_https {
    default $https;
    http '';
    https on;
  }
}

# Gateway: terminates TLS and proxies requests to the internal app server.
server {
  listen 80;
  server_name www.wieni.be;
  return 301 https://www.wieni.be$request_uri; # Redirect all HTTP traffic to HTTPS
}

server {
  listen 443 ssl http2; # This is all that's needed on Nginx 1.9.5+ with OpenSSL 1.0.2 to enable HTTP/2.
  server_name www.wieni.be;

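  # Mozilla's TLS settings for intermediate compatibility. See https://wiki.mozilla.org/Security/Server_Side_TLS
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); Mozilla's current intermediate profile allows only TLSv1.2 and TLSv1.3.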
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

  add_header Strict-Transport-Security max-age=23652000 always;

  ssl_certificate /etc/ssl/letsencrypt/wieni.be/fullchain.pem;
  ssl_certificate_key /etc/ssl/letsencrypt/wieni.be/privkey.pem;
  ssl_session_timeout 10m;
  ssl_session_cache shared:SSL:10m;

  ssl_dhparam /etc/nginx/dhparam-2048.pem;

  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/ssl/letsencrypt/wieni.be/chain.pem;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 10s;

  # The location below is used for our Let's Encrypt autorenewal.
  # location /.well-known {
  #   add_header Content-Type text/plain;
  #   proxy_pass http://internal-ip-of-letsencrypt-management-box;
  #   proxy_hide_header Content-Type;
  # }
  
  # We forward all other requests to our internal app server over plain HTTP (on a secure internal network).
  location / {
    proxy_pass http://internal-ip-of-app-server;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $remote_addr;
  }
}

# App server: serves the site behind the gateway.
server {

  # Listen on internal ports only. Do not expose this server directly.
  listen 127.0.0.1:80;
  listen 10.0.0.1:80; # Secure internal IP
  
  # Hosts
  server_name www.wieni.be;

  # Root
  root /wherever/this/site/lives;

  try_files $uri $uri/ =404;

  index index.html index.htm;

  error_page 404 /404.html;
  
  # Block hidden files
  location ~ (^|/)\. {
    return 403;
  }

  # Anchor the match so that only URIs ending in .php are handed to PHP-FPM.
  location ~ '\.php$' {
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param HTTPS $forwarded_https if_not_empty;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    fastcgi_pass unix:/var/run/www-wieni-php5-fpm.sock;
    fastcgi_index index.php;
  }

  location / {
    # We skip PHP for static content
    try_files $uri /index.php?$query_string;
  }

}
