
2015博客升级记(六):Nginx配置HTTPS和SPDY实战

这是《2015年博客升级记》系列文章的第六篇,主要记录在CentOS 7.1中如何为Nginx配置HTTPS和SPDY。关于具体如何编译安装Nginx,可以查看文章《2015博客升级记(三):CentOS 7.1编译安装Nginx1.9.0》

1 重点:Nginx配置文件nginx.conf的具体内容
######
###  Description: The config file of Nginx with ssl, spdy, no-www redircting, gzip functions
###  Author:  vfhky  2015.05.05  https://typecodes.com/web/centos7nginxhttpsspdy.html
######
# Worker processes run as user/group "nginx" rather than root.
user  nginx nginx;
# A single worker; `auto` (one per CPU core) is the usual choice on multi-core hosts.
worker_processes  1;

# Global error log; the commented variants below show how to raise verbosity (notice/info).
error_log  /var/log/nginx/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

# PID file of the master process (used by `nginx -s reload|stop` and the init/systemd unit).
pid        /var/run/nginx/nginx.pid;


events {
    # Maximum number of simultaneous connections each worker process may hold open
    # (clients plus upstream/FastCGI connections together).
    worker_connections  1024;
}


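http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    # Hide the Nginx version in the Server header and error pages; never list directories.
    server_tokens off;
    autoindex off;
    # When the FastCGI backend answers 4xx/5xx, let Nginx serve its own error_page instead.
    fastcgi_intercept_errors on;

    # FastCGI timeouts and buffers
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;

    # gzip compression.
    # NOTE(review): compressing dynamic HTML over TLS is the precondition for BREACH-style
    # compression side channels when a page reflects request data next to a secret (e.g. a CSRF
    # token); if that applies to this blog, restrict gzip_types to static assets. jpeg/gif/png
    # are already compressed and were dropped from the list because gzip gains nothing on them.
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 16 64k;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css application/javascript text/javascript application/xml application/json;
    gzip_vary on;
    gzip_disable "MSIE [1-6].(?!.*SV1)";

    #
    # TLS policy shared by every `ssl` server below. Defining it once at http level also avoids
    # the SNI pitfall where protocol settings of the default server apply to all names on :443.
    #
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); SSLv2/SSLv3 stay disabled.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Mozilla "intermediate"-style list of 2015 with `!3DES` appended so DES-CBC3-SHA (64-bit
    # block cipher) is no longer offered.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!3DES;
    # NOTE(review): the DHE-* suites above use Nginx's built-in 1024-bit DH group unless a
    # stronger one is supplied (generate with `openssl dhparam`); point this at the file:
    # ssl_dhparam <PATH-TO-DHPARAM-PEM>;

    #
    # Redirect every request for www.typecodes.com (http or https) to the bare domain
    #
    server {
        listen               *:80;
        listen               *:443 ssl spdy;
        server_name www.typecodes.com;
        # Certificate setup is described in https://typecodes.com/web/lnmppositivessl.html
        ssl_certificate /etc/nginx/ssl/typecodes.crt;
        # Private key, same article
        ssl_certificate_key /etc/nginx/ssl/typecodes.key;
        # HSTS is recorded per host name: browsers only pin www.typecodes.com if this vhost
        # sends the header on its https responses (they ignore it on plain http).
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        # Redirects are not worth logging
        access_log off;

        # Serve favicon.ico and robots.txt directly instead of redirecting them (both files live
        # in the html/ directory under the Nginx prefix). Dots are escaped so that only these two
        # exact names match.
        location ~* ^/(favicon\.ico|robots\.txt)$ {
            root html;
            expires max;
            log_not_found off;
            break;
        }

        location / {
            return 301 https://typecodes.com$request_uri;
        }
    }

    #
    # Redirect all plain-http requests for typecodes.com to https
    #
    server {
        listen               *:80;
        server_name          typecodes.com;
        # Redirects are not worth logging
        access_log off;

        # Same exception as above: favicon.ico and robots.txt are served, not redirected.
        location ~* ^/(favicon\.ico|robots\.txt)$ {
            root html;
            expires max;
            log_not_found off;
            break;
        }

        location / {
            return 301 https://typecodes.com$request_uri;
        }
    }

    #
    # HTTPS server
    #
    server {
        listen               *:443 ssl spdy;
        server_name typecodes.com;

        # Certificate setup is described in https://typecodes.com/web/lnmppositivessl.html
        ssl_certificate /etc/nginx/ssl/typecodes.crt;
        # Private key, same article
        ssl_certificate_key /etc/nginx/ssl/typecodes.key;
        # Advertise SPDY/3.1 to clients.
        # NOTE(review): the `spdy` listen parameter was replaced by `http2` in Nginx 1.9.5;
        # both this header and the `listen` lines need updating when the build is upgraded.
        add_header Alternate-Protocol 443:npn-spdy/3.1;
        # HSTS: one year, covering all subdomains.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

        # Document root of the blog
        root   /usr/share/nginx/html/typecodes;
        index  index.php index.html;

        charset utf-8;

        #access_log  /var/log/nginx/log/host.access.log  main;

        # Cache lifetime for css/javascript/images and other static assets. The pattern is
        # anchored with `$`: the earlier form `\.(css|...)(.*)` also captured URIs such as
        # /x.js.php and served them as plain files, bypassing the PHP handler below.
        location ~ \.(css|js|ico|png|gif|jpg|json|mp3|mp4|flv|swf)$ {
            expires 60d;
        }

        # include /etc/nginx/default.d/*.conf;
        # Typecho keeps its database credentials in config.inc.php; never serve or execute it.
        location = /config.inc.php {
            deny  all;
        }

        # keep the uploads directory safe by excluding php, php5, html file accessing. Applying to wordpress and typecho.
        # (Enable this unless the application itself restricts upload types.)
        # location ~ .*/uploads/.*\.(php|php5|html)$ {
        #   deny  all;
        # }

        # WordPress/Typecho plugin directories must not serve PHP or HTML files directly
        location ~ .*/plugins/.*\.(php|php5|html)$ {
            deny  all;
        }

        # Pretty URLs for WordPress/Typecho: drop index.php from the address.
        # Kept as the author's `if` chain because it prefers index.html over index.php, which a
        # plain `try_files $uri $uri/ /index.php$is_args$args;` (using the `index` order) would not.
        location / {
            if (-f $request_filename/index.html){
                rewrite (.*) $1/index.html break;
            }
            if (-f $request_filename/index.php){
                rewrite (.*) $1/index.php;
            }
            if (!-f $request_filename){
                rewrite (.*) /index.php;
            }
        }

        # favicon requests are not logged
        location = /favicon.ico {
            access_log off;
        }

        # 40x errors are answered with 40x.html
        error_page  400 401 402 403 404  /40x.html;
        location = /40x.html {
            root   html;
            index  index.html index.htm;
        }

        # 50x errors are answered with 50x.html
        #
        error_page   500 501 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
            index  index.html index.htm;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # Hand PHP scripts to php-fpm over a unix socket instead of TCP port 9000
        location  ~ .*\.php(\/.*)*$ {
             fastcgi_split_path_info ^(.+\.php)(/.+)$;
             # The script half of the URI must exist on disk. Without this check a URI that names
             # a non-PHP file followed by a ".php" path segment still reaches php-fpm, and with
             # PHP's cgi.fix_pathinfo=1 the non-PHP file gets executed. $fastcgi_script_name
             # (rather than $uri) keeps PATH_INFO-style URLs working.
             try_files $fastcgi_script_name =404;
             #fastcgi_pass   127.0.0.1:9000;
             # the better form of fastcgi_pass than before
             fastcgi_pass   unix:/var/run/php-fpm/php-fpm.sock;
             fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
             # Pass the split-off path info explicitly; fastcgi_params does not set it.
             fastcgi_param  PATH_INFO        $fastcgi_path_info;
             include        fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
}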
2 Nginx开启spdy功能

如下图所示,在chrome浏览器的地址栏中输入chrome://net-internals/#spdy抓取访问事件,然后新建一个页面打开自己的博客,这样就会被第一个页面抓取到了。

Nginx开启Google Chrome的SPDY功能

3 Nginx中url地址中,将带www的二级域名跳转到不带www顶级域名

博客目前将http访问全部定向到https,同时将https://www.typecodes.com重定向到https://typecodes.com上。前文《阿里云CentOS 6.5系统LNMP环境安装SSL证书》中,只做了http跳转到https。需要注意的是,在Nginx配置中最好不要包含过多的if判断语句;另外,处理不同的server_name时,官方建议写在多个server块中,就像小节1中的那样。

4 其他说明

由于LNMP配置比较繁琐,所以我建了一个关于Nginx、MySQL和PHP配置的git工程,方便查询。目前这个工程托管在GitHub和coding.net上,地址如下:

GitHub地址:https://github.com/vfhky/mylnmp

Coding地址:https://coding.net/u/vfhky/p/mylnmp/git
