devbox
weixin_40725706
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

Nginx 的相关配置_nginx permissions-policy

作者:weixin_40725706 | 2024-04-17 00:02:43

nginx permissions-policy

使用tar解压新的压缩配置

tar -xzvf nginxconfig.io-example.com.tar.gz | xargs chmod 0644

  • 在您的服务器上运行此命令生成Diffie-Hellman keys:

      
    openssl dhparam -out /etc/nginx/dhparam.pem 2048

创建一个通用的ACME-challenge目录(用于 Let's Encrypt):

mkdir -p /var/www/_letsencrypt
chown www-data /var/www/_letsencrypt

  • 注释掉配置中的SSL相关指令:

    sed -i -r 's/(listen .*443)/\1; #/g; s/(ssl_(certificate|certificate_key|trusted_certificate) )/#;#\1/g; s/(server \{)/\1\n    ssl off;/g' /etc/nginx/sites-available/example.com.conf

  • 重新加载你的NGINX服务器:

    sudo nginx -t && sudo systemctl reload nginx

  • 使用Certbot从 Let's Encrypt 获得SSL证书:

    certbot certonly --webroot -d example.com --email info@example.com -w /var/www/_letsencrypt -n --agree-tos --force-renewal

  • 在配置中取消注释SSL相关指令:

    sed -i -r -z 's/#?; ?#//g; s/(server \{)\n    ssl off;/\1/g' /etc/nginx/sites-available/example.com.conf

  • 重新加载你的NGINX服务器:

    sudo nginx -t && sudo systemctl reload nginx

配置Certbot,当NGINX成功更新证书时重新加载:

echo -e '#!/bin/bash\nnginx -t && systemctl reload nginx' | sudo tee /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
sudo chmod a+x /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh

重新加载NGINX以载入新的配置:

sudo nginx -t && sudo systemctl reload nginx

配置文件

/etc/nginx/nginx.conf

  1. # Generated by nginxconfig.io
  2. # https://www.digitalocean.com/community/tools/nginx?global.app.lang=zhCN
  3.  
  4. user                 www-data;
  5. pid                  /run/nginx.pid;
  6. worker_processes     auto;
  7. worker_rlimit_nofile 65535;
  8.  
  9. # Load modules
  10. include              /etc/nginx/modules-enabled/*.conf;
  11.  
  12. events {
  13.     multi_accept       on;
  14.     worker_connections 65535;
  15. }
  16.  
  17. http {
  18.     charset                utf-8;
  19.     sendfile               on;
  20.     tcp_nopush             on;
  21.     tcp_nodelay            on;
  22.     server_tokens          off;
  23.     log_not_found          off;
  24.     types_hash_max_size    2048;
  25.     types_hash_bucket_size 64;
  26.     client_max_body_size   16M;
  27.  
  28.     # MIME
  29.     include                mime.types;
  30.     default_type           application/octet-stream;
  31.  
  32.     # Logging
  33.     access_log             /var/log/nginx/access.log;
  34.     error_log              /var/log/nginx/error.log warn;
  35.  
  36.     # SSL
  37.     ssl_session_timeout    1d;
  38.     ssl_session_cache      shared:SSL:10m;
  39.     ssl_session_tickets    off;
  40.  
  41.     # Diffie-Hellman parameter for DHE ciphersuites
  42.     ssl_dhparam            /etc/nginx/dhparam.pem;
  43.  
  44.     # Mozilla Intermediate configuration
  45.     ssl_protocols          TLSv1.2 TLSv1.3;
  46.     ssl_ciphers            ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  47.  
  48.     # OCSP Stapling
  49.     ssl_stapling           on;
  50.     ssl_stapling_verify    on;
  51.     resolver               1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
  52.     resolver_timeout       2s;
  53.  
  54.     # Load configs
  55.     include                /etc/nginx/conf.d/*.conf;
  56.     include                /etc/nginx/sites-enabled/*;
  57. }

/etc/nginx/sites-available/example.com.conf

  1. server {
  2.     listen                  443 ssl http2;
  3.     listen                  [::]:443 ssl http2;
  4.     server_name             example.com;
  5.     set                     $base /var/www/example.com;
  6.     root                    $base/public;
  7.  
  8.     # SSL
  9.     ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
  10.     ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
  11.     ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
  12.  
  13.     # security
  14.     include                 nginxconfig.io/security.conf;
  15.  
  16.     # index.php
  17.     index                   index.php;
  18.  
  19.     # index.php fallback
  20.     location / {
  21.         try_files $uri $uri/ /index.php?$query_string;
  22.     }
  23.  
  24.     # additional config
  25.     include nginxconfig.io/general.conf;
  26.  
  27.     # handle .php
  28.     location ~ \.php$ {
  29.         fastcgi_pass unix:/var/run/php/php-fpm.sock;
  30.         include      nginxconfig.io/php_fastcgi.conf;
  31.     }
  32. }
  33.  
  34. # subdomains redirect
  35. server {
  36.     listen                  443 ssl http2;
  37.     listen                  [::]:443 ssl http2;
  38.     server_name             *.example.com;
  39.  
  40.     # SSL
  41.     ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
  42.     ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
  43.     ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
  44.     return                  301 https://example.com$request_uri;
  45. }
  46.  
  47. # HTTP redirect
  48. server {
  49.     listen      80;
  50.     listen      [::]:80;
  51.     server_name .example.com;
  52.     include     nginxconfig.io/letsencrypt.conf;
  53.  
  54.     location / {
  55.         return 301 https://example.com$request_uri;
  56.     }
  57. }

/etc/nginx/nginxconfig.io/letsencrypt.conf

  1. # ACME-challenge
  2. location ^~ /.well-known/acme-challenge/ {
  3.     root /var/www/_letsencrypt;
  4. }

/etc/nginx/nginxconfig.io/security.conf

  1. # security headers
  2. add_header X-XSS-Protection          "1; mode=block" always;
  3. add_header X-Content-Type-Options    "nosniff" always;
  4. add_header Referrer-Policy           "no-referrer-when-downgrade" always;
  5. add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
  6. add_header Permissions-Policy        "interest-cohort=()" always;
  7. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  8.  
  9. # . files
  10. location ~ /\.(?!well-known) {
  11.     deny all;
  12. }

/etc/nginx/nginxconfig.io/general.conf

  1. # favicon.ico
  2. location = /favicon.ico {
  3.     log_not_found off;
  4.     access_log    off;
  5. }
  6.  
  7. # robots.txt
  8. location = /robots.txt {
  9.     log_not_found off;
  10.     access_log    off;
  11. }
  12.  
  13. # assets, media
  14. location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
  15.     expires    7d;
  16.     access_log off;
  17. }
  18.  
  19. # svg, fonts
  20. location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
  21.     add_header Access-Control-Allow-Origin "*";
  22.     expires    7d;
  23.     access_log off;
  24. }
  25.  
  26. # gzip
  27. gzip            on;
  28. gzip_vary       on;
  29. gzip_proxied    any;
  30. gzip_comp_level 6;
  31. gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

/etc/nginx/nginxconfig.io/php_fastcgi.conf

  1. # 404
  2. try_files                     $fastcgi_script_name =404;
  3.  
  4. # default fastcgi_params
  5. include                       fastcgi_params;
  6.  
  7. # fastcgi settings
  8. fastcgi_index                 index.php;
  9. fastcgi_buffers               8 16k;
  10. fastcgi_buffer_size           32k;
  11.  
  12. # fastcgi params
  13. fastcgi_param DOCUMENT_ROOT   $realpath_root;
  14. fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
  15. fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/weixin_40725706/article/detail/437139
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号