nginx.conf,ssl安全性A+

来源：互联网发布：淘宝商城女装秋装套装编辑：程序博客网时间：2024/06/05 07:57
nginx.conf
ssl配置https://www.ssllabs.com/ssltest/ 监测A+
# For more information on configuration, see:#   * Official English Documentation: http://nginx.org/en/docs/#   * Official Russian Documentation: http://nginx.org/ru/docs/user nginx;worker_processes auto;error_log /var/log/nginx/error.log;pid /run/nginx.pid;# Load dynamic modules. See /usr/share/nginx/README.dynamic.include /usr/share/nginx/modules/*.conf;events {    worker_connections 1024;}http {    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '                      '$status $body_bytes_sent "$http_referer" '                      '"$http_user_agent" "$http_x_forwarded_for"';    access_log  /var/log/nginx/access.log  main;    limit_req_zone  $binary_remote_addr  zone=req_one:10m rate=50r/s;    sendfile            on;    tcp_nopush          on;    tcp_nodelay         on;    keepalive_timeout   65;    types_hash_max_size 2048;    include             /etc/nginx/mime.types;    default_type        application/octet-stream;    # Load modular configuration files from the /etc/nginx/conf.d directory.    # See http://nginx.org/en/docs/ngx_core_module.html#include    # for more information.    include /etc/nginx/conf.d/*.conf;    server {        listen       80 default_server;        listen       [::]:80 default_server;        server_name  g.9ishell.com 9ishell.com;        root         /usr/share/nginx/html;        # Load configuration files for the default server block.        include /etc/nginx/default.d/*.conf;        location / {    limit_req   zone=req_one  burst=120;        }    location /test {        proxy_pass http://127.0.0.1:81;        allow 127.0.0.1;        deny all;    }        error_page 404 /404.html;            location = /40x.html {        }        error_page 500 502 503 504 /50x.html;            location = /50x.html {        }    }    server {        listen       81;        server_name  _;        root         /usr/share/nginx/htmltest;        # Load configuration files for the default server block.        location / {        }        error_page 404 /404.html;            location = /40x.html {        }        error_page 500 502 503 504 /50x.html;            location = /50x.html {        }    }# Settings for a TLS enabled server.#    server {        listen       443 ssl http2 default_server;        listen       [::]:443 ssl http2 default_server;        server_name  g.9ishell.com 9ishell.com;        root         /usr/share/nginx/html;    ssl on;        ssl_certificate "/etc/pki/nginx/server.pem";        ssl_certificate_key "/etc/pki/nginx/private/server.key";        ssl_session_timeout  5m;        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";            #ssl_ciphers HIGH:!aNULL:!MD5;        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;        ssl_session_cache shared:SSL:10m;           ssl_stapling on;        ssl_stapling_verify on;        resolver 223.5.5.5 223.6.6.6 valid=300s;        resolver_timeout 10s;           ssl_dhparam "/etc/pki/nginx/dhparams.pem";            ssl_prefer_server_ciphers on;        add_header Strict-Transport-Security max-age=63072000;        add_header X-Frame-Options DENY;        add_header X-Content-Type-Options nosniff;        # Load configuration files for the default server block.        include /etc/nginx/default.d/*.conf;        location / {        }        error_page 404 /404.html;            location = /40x.html {        }        error_page 500 502 503 504 /50x.html;            location = /50x.html {        }    }}
阅读全文
0 0