两个线上运行的 HTTPS 配置示例(Laravel 框架)
例子一
这是 Laravel 框架 API 站点的配置
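# TLS virtual host for the Laravel API (api.tyunai.cn), served from the
# application's public/ directory and backed by PHP-FPM on 127.0.0.1:9000.
server {
    # The plain-HTTP listener is left disabled; this vhost answers on TLS only.
    #listen 80;
    listen 443 ssl;
    server_name api.tyunai.cn;
    root /data/www/yiqicefu/public;
    client_max_body_size 100m;

    # Keep-alive timeout for client connections, in seconds.
    keepalive_timeout 70;

    # HSTS: browsers that have seen this header refuse plain HTTP for this host
    # and its subdomains for one year.
    # NOTE(review): "preload" only takes effect through the browser preload list,
    # which is submitted for the registrable domain - confirm that is intended.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Certificate chain.
    ssl_certificate /usr/local/nginx/conf/cert/api.tyunai.cn_bundle.crt;
    # Private key; keep it readable only by the account that starts nginx.
    ssl_certificate_key /usr/local/nginx/conf/cert/api.tyunai.cn.key;

    # Prefer the server's cipher order over the client's.
    ssl_prefer_server_ciphers on;

    # DH parameters file. It is disabled, and since nginx 1.11.0 DHE suites are
    # not offered without it, so the EDH entry in ssl_ciphers below is inert
    # until this line is enabled with a 2048-bit or larger file.
    #ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # Append TLSv1.3 when the build supports it (nginx 1.13.0+ with OpenSSL 1.1.1+).
    ssl_protocols TLSv1.2;

    # Cipher preference list. The value must stay on one line: a line break inside
    # the quoted string corrupts the token it splits. The former EECDH+aRSA+RC4
    # entry was dropped because the trailing !RC4 already excluded it.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

    # Response hardening headers. "always" makes nginx attach them to error
    # responses (4xx/5xx) as well, which an API returns routinely.
    # A location inherits these only while it declares no add_header of its own.
    # Clickjacking protection: forbid rendering in frames.
    add_header X-Frame-Options DENY always;
    # Stop browsers from guessing (sniffing) the content type.
    add_header X-Content-Type-Options nosniff always;
    # Legacy XSS-filter header. Current browsers ignore it; a Content-Security-Policy
    # is the control that actually limits script injection.
    add_header X-Xss-Protection 1;

    # Disable TLS session tickets.
    ssl_session_tickets off;

    # Laravel front controller: serve an existing file or directory, otherwise
    # route the request to index.php with the original query string.
    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Earlier TLS settings, kept disabled for reference. Do not re-enable them
    # unchanged: they list TLSv1/TLSv1.1 and a much broader cipher set.
    #ssl_certificate /usr/local/nginx/ssl/api.tyunai.cn_bundle.crt;
    #ssl_certificate_key /usr/local/nginx/ssl/api.tyunai.cn.key;
    #ssl_session_timeout 5m;
    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_prefer_server_ciphers on;

    # Hand PHP requests to PHP-FPM on the loopback interface.
    location ~ \.php($|/) {
        # Split "/script.php/extra" into script name and path info so that
        # SCRIPT_FILENAME always names the .php file itself.
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Reject any URI whose script part is not a real file under the root.
        # Without this check PHP's path-info fallback (cgi.fix_pathinfo) may
        # resolve the request to a different, non-PHP file and interpret it.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www/yiqicefu/public$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
    }
}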
例子二
同样是 Laravel 框架,这是图片站点的配置
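# Static image host (img.tyunai.cn) serving Laravel's storage/app/public directory.
# No PHP handler is configured, so everything under the root is served as a file.
server {
    listen 80;
    listen 443 ssl;
    server_name img.tyunai.cn;
    root /data/www/yiqicefu/storage/app/public;

    # Plain-HTTP requests are redirected to HTTPS instead of being served, so
    # image URLs cannot be read or modified in transit. The target host is
    # written out rather than taken from the request's Host header.
    if ($scheme = http) {
        return 301 https://img.tyunai.cn$request_uri;
    }

    # Directory listing stays off so the stored file names are not enumerable.
    #autoindex on;

    # Certificate chain and private key.
    ssl_certificate /usr/local/nginx/conf/cert/img.tyunai.cn_bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/cert/img.tyunai.cn.key;
    ssl_session_timeout 5m;

    # Same cipher preference list as the API vhost: forward-secret suites only.
    # The previous ECDHE:ECDH:AES:HIGH value also admitted static-ECDH and
    # RSA key-exchange suites.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # Append TLSv1.3 when the build supports it (nginx 1.13.0+ with OpenSSL 1.1.1+).
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Browsers must honour the declared Content-Type instead of sniffing it.
    # NOTE(review): presumably this directory holds user uploads - confirm; if so,
    # this header keeps a mislabeled upload from being treated as script or HTML.
    add_header X-Content-Type-Options nosniff always;
}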