Установка
Пример конфигурационного файла для хоста, работающего под управлением Nginx.
Основной файл (/usr/local/nginx/conf/site.ru.conf); сайт-пример site.ru работает по протоколу HTTPS.
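server {
listen 127.0.0.1:80;
server_name site.ru;
# Plain-HTTP listener: $scheme is always "http" here, so the original
# 'if ($scheme != "https")' test was unconditionally true. A server-level
# "return" runs before location matching, is cheaper than the regex rewrite,
# and carries the query string through $request_uri.
return 301 https://site.ru$request_uri;
# Kept so the per-site access_log/error_log settings still apply to the
# redirects; no location from the included file is reachable after "return".
# NOTE(review): the include path is relative to the nginx conf prefix
# (vhosts/site.ru) while the text above names the additional file as
# conf/site.ru -- confirm where the file is actually installed.
include "vhosts/site.ru";
}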
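server {
# "listen ... ssl" replaces the deprecated "ssl on" directive (removed in
# nginx 1.25.1).
listen 127.0.0.1:443 ssl;
server_name site.ru;
# Redirect requests that arrive with any other Host header to the canonical
# name. The dot is escaped: the original "^site.ru$" also matched e.g. "siteXru".
if ( $host !~* "^site\.ru$" ) {
return 301 https://site.ru$request_uri;
}
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the list.
# On nginx 1.13.0+ built against OpenSSL 1.1.1+, "TLSv1.3" can be added here.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# Same order as before (forward-secret ECDHE/DHE suites first, non-PFS RSA
# suites kept only as a legacy fallback), minus the four 3DES (DES-CBC3)
# suites, whose 64-bit block size makes them unsuitable for long sessions.
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
# OCSP stapling needs a "resolver" (see below) to reach the OCSP responder,
# and ssl_stapling_verify needs the issuer chain via ssl_trusted_certificate;
# without them nginx logs a stapling error and sends no OCSP response.
# NOTE(review): confirm in error.log that stapling actually works.
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /var/ssl/site.ru/ISSUER_CHAIN_PLACEHOLDER.pem;
ssl_certificate /var/ssl/site.ru/site.ru.crt;
ssl_certificate_key /var/ssl/site.ru/site.ru.key;
# Generate with:
# openssl dhparam -out /var/ssl/site.ru/dhparam.pem 4096
ssl_dhparam /var/ssl/site.ru/dhparam.pem;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# IP address of the DNS server (needed for OCSP stapling).
# http://nginx.org/ru/docs/http/ngx_http_core_module.html#resolver
#resolver 127.0.0.2;
# HSTS for one year including subdomains. add_header is NOT inherited by a
# location that defines its own add_header (e.g. the static-asset location in
# the included file), so such locations must repeat this line themselves.
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
include "vhosts/site.ru";
}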
Дополнительный файл (/usr/local/nginx/conf/site.ru)
# Per-site settings shared by both server blocks via "include".
charset utf-8;
# Log paths are relative to the nginx prefix; the logs/site.ru directory must exist.
access_log logs/site.ru/access.log;
error_log logs/site.ru/error.log;
root /var/www/site.ru;
# Directory requests try index.php first, then index.html.
index index.php index.html;
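# Deny-all rules, consolidated from six near-identical blocks. Regex locations
# are tested in file order and the first match wins, so these must stay ahead
# of the generic "\.php$" handler further down.
# Cache directories of the site and of the control panel.
location ~* ^/(cp/)?internals/cache {
deny all;
return 404;
}
# No PHP may be executed from /kernel/ or from any "internals/" directory.
# The unanchored "internals/" alternative already covered the former separate
# "^/internals/" and "^/cp/internals/" rules.
location ~* (^/kernel/|internals/).*\.php$ {
deny all;
return 404;
}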
#location ~ /\.ht {
# Deny any path component that starts with a dot (.htaccess, .git, .env, ...).
# NOTE(review): this also blocks /.well-known/, which ACME http-01 validation
# uses -- add an exception if certificates are ever issued that way.
location ~ /\. {
deny all;
return 404;
}
# Full deny for data, template, log and backup files under the framework directories.
location ~* /(kernel|internals|cp/internals)/.*\.(html|sql|tpl|log|txt|zip|gz|jar|bak|ser)$ {
deny all;
return 404;
# Nested exception: "allow all" replaces the parent's access rules and the
# parent's "return 404" is not inherited by the nested location, so files
# under this prefix are served normally.
# NOTE(review): the exception re-opens every extension of the parent list
# (.sql, .log, .bak, ...) under this prefix, not only archives -- narrow it to
# \.(zip|gz)$ if archives are all that is meant.
location ~* ^/internals/uploads/archive {
allow all;
}
}
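location ~* \.php$ {
# Only hand scripts that exist on disk to PHP-FPM. Without this check a
# request whose trailing ".php" component does not exist is still passed to
# the backend, and a PHP-FPM running with cgi.fix_pathinfo=1 may then fall
# back to executing the preceding path component as PHP.
try_files $uri =404;
# Original note (translated): on error, "400 Bad Request / The plain HTTP
# request was sent to HTTPS port" -- presumably the symptom that led to
# passing HTTPS to the backend explicitly; confirm.
fastcgi_param HTTPS on;
fastcgi_pass 127.0.0.1:9001;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# https://developers.google.com/speed/pagespeed/module/configuration
# pagespeed ModifyCachingHeaders off;
}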
# Static assets: no access logging, one-year "expires".
# NOTE(review): a later static-asset location in this file lists the same
# extensions plus more, but regex locations are first-match, so those common
# extensions are always handled here and never reach it.
location ~* ^.+\.(jpg|jpeg|gif|png|css|js|swf|ico|ttf|woff|woff2)$ {
access_log off;
log_not_found off;
expires 1y;
}
# Front controller: anything that is not an existing file or directory is
# rewritten to index.php with the requested path in the "_sef" parameter.
# "last" triggers a new location search, which lands in the "\.php$" handler.
location / {
if ( !-e $request_filename ) {
rewrite ^/(.*)$ /index.php?_sef=$1 last;
}
}
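# Admin area. A "^~" prefix location takes precedence over every regex
# location regardless of file order, so basic auth now also covers the PHP
# handler and static files under /cp/. With the original "~* ^/cp/" regex,
# /cp/*.php (including the rewrite target /cp/index.php) matched the earlier
# "\.php$" location first and was served without authentication.
location ^~ /cp/ {
auth_basic "Private Area";
auth_basic_user_file /var/www/.htpasswd;
# The top-level regex deny rules are skipped after a "^~" match, so the ones
# relevant to /cp/ are repeated here (first match wins, as at top level).
location ~* ^/cp/internals/cache {
deny all;
return 404;
}
location ~* ^/cp/internals/.*\.php$ {
deny all;
return 404;
}
location ~ /\. {
deny all;
return 404;
}
location ~* ^/cp/internals/.*\.(html|sql|tpl|log|txt|zip|gz|jar|bak|ser)$ {
deny all;
return 404;
}
# Same FastCGI handler as the top-level "\.php$" location; auth_basic is
# inherited from the enclosing location.
location ~* \.php$ {
try_files $uri =404;
fastcgi_param HTTPS on;
fastcgi_pass 127.0.0.1:9001;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# Static files under /cp/ are now served from here (authenticated) without
# the cache headers of the top-level asset locations.
if ( !-e $request_filename ) {
rewrite ^/cp/(.*)$ /cp/index.php?_sef=$1 last;
}
}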
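#location ~* \.(?:jpg|jpeg|gif|png|svg|bmp|ico|pdf|flv|swf|html|htm|txt|css|js|woff|woff2|ttf|webp|eot)$ {
# Long-lived cache policy for static assets. The earlier asset location with
# the shorter extension list matches first, so only the extensions absent
# there (svg, bmp, pdf, flv, html, htm, txt, webp, eot) actually reach this block.
location ~* ^.+\.(jpg|jpeg|gif|png|svg|bmp|ico|pdf|flv|swf|html|htm|txt|css|js|woff|woff2|ttf|webp|eot)$ {
# add_header Cache-Control public;
# add_header Cache-Control must-revalidate;
add_header Cache-Control "public, max-age=31536000";
# add_header is inherited from the server level only when a location defines
# none of its own; the Cache-Control header above therefore silently dropped
# the server's Strict-Transport-Security header for these responses, so it is
# repeated here (browsers ignore it on plain-HTTP responses).
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains';
expires max;
access_log off;
log_not_found off;
}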
#pagespeed on;
#pagespeed FileCachePath "/var/cache/nginx_pagespeed/";
# https://developers.google.com/speed/pagespeed/module/config_filters
#pagespeed EnableFilters outline_css,rewrite_javascript_external,rewrite_javascript_inline,outline_javascript,move_css_above_scripts,fallback_rewrite_css_urls,prioritize_critical_css,combine_css,combine_javascript,rewrite_images,rewrite_css,rewrite_javascript,inline_images,recompress_jpeg,recompress_png,resize_images,insert_dns_prefetch,prioritize_critical_css,collapse_whitespace;
# Без prioritize_critical_css
#pagespeed EnableFilters outline_css,rewrite_javascript_external,rewrite_javascript_inline,outline_javascript,move_css_above_scripts,fallback_rewrite_css_urls,combine_css,combine_javascript,rewrite_images,rewrite_css,rewrite_javascript,inline_images,recompress_jpeg,recompress_png,resize_images,insert_dns_prefetch,prioritize_critical_css,collapse_whitespace;
#pagespeed ForceCaching on;
#pagespeed JpegRecompressionQuality 70;
#pagespeed ImageRecompressionQuality 70;
#pagespeed ImageInlineMaxBytes 2048;
#pagespeed LowercaseHtmlNames on;
#pagespeed CriticalImagesBeaconEnabled false;
#pagespeed RespectVary on;
# Exact match ("=") ends the location search, so favicon requests bypass the
# regex locations above; with an empty body the file is served with the
# server defaults (logged, no "expires"). Presumably intentional -- confirm.
location = /favicon.ico {
}
# Redirect a bare /index.php (no parameters) to /, so the front controller is
# not reachable under two URLs. The original comment also mentions index.html,
# but the pattern only covers index.php.
if ( $request_uri ~ "^/index\.php$" ){
rewrite ^/index\.php$ / permanent;
}
# 404s are handed to the application: /404 is not a file, so "location /"
# rewrites it to /index.php?_sef=404 -- presumably rendered by the app; confirm.
error_page 404 /404;
# Server errors get a static page from the nginx default html directory
# ("root html" is relative to the nginx prefix, not to /var/www/site.ru).
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}