站点

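server
{
    listen 80;
    listen 443 ssl http2;
    server_name lvtao.net www.lvtao.net;
    index index.php;
    root /www/wwwroot/lvtao.net/default/;

    # Force HTTPS: anything that did not arrive on 443 is sent to the same
    # host over https (rewrite ... permanent answers with a 301). A separate
    # `listen 80` server block would avoid the `if`, but this works as is.
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }

    # Canonical host: collapse www.lvtao.net onto the bare domain.
    if ($host != 'lvtao.net'){
        return 301 https://lvtao.net$request_uri;
    }

    ssl_dhparam /cert/lvtao.net/dhparam.pem;
    ssl_certificate /cert/lvtao.net/fullchain.pem;
    ssl_certificate_key /cert/lvtao.net/privkey.pem;
    # A long-lived ticket key file means resumed sessions are only as forward
    # secret as this file: rotate it on a schedule, or drop the directive and
    # let nginx generate a fresh key on every restart.
    ssl_session_ticket_key /cert/lvtao.net/session_ticket.key;
    ssl_session_tickets on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL_LVTAO:10m;
    # Shared protocol/cipher/HSTS/OCSP settings. Its add_header lines are only
    # inherited by locations that set no add_header of their own (nginx
    # replaces, rather than merges, add_header per level).
    include ssl.conf;
    # HPKP is obsolete (dropped by current browsers) and a wrong pin set locks
    # visitors out for the whole max-age. The header as originally written
    # also carried placeholder pins and lacked the ';' before max-age, so it
    # is left disabled here (the ';' is fixed should anyone re-enable it).
    #add_header Public-Key-Pins 'pin-sha256="xxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxx"; max-age=2592000; includeSubDomains';
    # Issuer/root chain used by ssl_stapling_verify to check stapled responses.
    ssl_trusted_certificate /cert/lvtao.net/ocsp.pem;


    # On-the-fly thumbnails: ?width=N&height=M choose the target size.
    # The dot is escaped so only real image extensions match; the original
    # pattern `.*.(gif|...)` also matched any URI merely ending in "xgif".
    location ~ \.(gif|jpg|jpeg|png|bmp)$ {
        # Requested dimensions come straight from the query string.
        set $width  $arg_width;
        set $height $arg_height;

        # Mobile clients always receive a 480px-wide rendition.
        if ( $http_user_agent ~* '(Android|webOS|iPhone|iPad|iPod|BlackBerry)') {
            set $width 480;
        }

        # Only positive 1-4 digit values reach image_filter. Everything else
        # (missing, non-numeric, zero, oversized) becomes '-', which tells the
        # filter to leave that dimension alone; passing such values through
        # unvalidated makes image_filter reject the response instead of
        # serving the image. No usable width at all -> serve the original.
        if ( $width !~ '^[1-9][0-9]{0,3}$' ) {
            set $width '-';
            set $height '-';
        }
        if ( $height !~ '^[1-9][0-9]{0,3}$' ) {
            set $height '-';
        }

        # Generate the thumbnail (resize never enlarges, only reduces).
        image_filter resize $width $height;
        image_filter_buffer 2M;
        image_filter_jpeg_quality 80;
        image_filter_transparency on;
        expires    max;
        access_log off;

        limit_rate_after 10k;
        limit_rate 100k;
    }
}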

ssl.conf

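# TLS 1.2 and 1.3 only. TLS 1.1 is deprecated (RFC 8996) and contradicted the
# "modern configuration" intent of this file, so it is no longer offered.
ssl_protocols TLSv1.2 TLSv1.3;
# The TLS_* names are TLS 1.3 suites; with stock OpenSSL those are not
# configured through ssl_ciphers (OpenSSL keeps its own 1.3 defaults), so only
# the EECDH+ entries shape the TLS 1.2 selection here. EECDH+CHACHA20-draft is
# a non-standard alias understood only by patched OpenSSL builds and is
# otherwise ignored.
ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:EECDH+AES256;
#ssl_ecdh_curve X25519:P-256:P-384;
ssl_ecdh_curve auto;
ssl_prefer_server_ciphers on;

# HSTS (ngx_http_headers_module is required). 63072000 seconds = 2 years, the
# minimum the preload list expects. `always` also attaches it to 4xx/5xx
# responses, which add_header would otherwise skip.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them.
# ssl_stapling_verify requires ssl_trusted_certificate in the including server.
ssl_stapling on;
ssl_stapling_verify on;

# Resolvers used for the OCSP responder lookups above. These are public
# resolvers reached over plain DNS; a local caching resolver keeps the lookups
# on-host and out of third-party hands.
resolver 8.8.8.8 119.29.29.29 valid=300s;
resolver_timeout 5s;

# add_header is replaced, not merged, by any add_header in a nested location,
# so these headers vanish wherever a location sets its own.
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
# Legacy header: current browsers have removed the XSS auditor and ignore it;
# a Content-Security-Policy (below) is the effective replacement.
add_header X-XSS-Protection "1; mode=block";
#add_header Content-Security-Policy "default-src 'self'; child-src 'none'; object-src 'none'; frame-ancestors 'none'";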