Установка

Пример конфигурационного файла для хоста, работающего под управлением Nginx.

Основной файл (/usr/local/nginx/conf/site.ru.conf); сайт-пример site.ru работает по протоколу HTTPS.

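# Plain-HTTP virtual host: its only job is to send every request to the HTTPS site.
server {

	listen 127.0.0.1:80;

	server_name site.ru;

	# This listener never carries TLS, so $scheme is always "http" here and the
	# former `if ( $scheme != "https" )` test was always true. An unconditional
	# `return` is the idiomatic form and avoids a regex rewrite per request.
	# The target host is hard-coded rather than taken from the Host header, so a
	# forged Host value cannot steer the redirect elsewhere.
	return 301 https://site.ru$request_uri;

	# Shared settings (log files, root, locations). Because of the redirect above,
	# nothing in it serves content on this listener; it is kept so redirects are
	# still logged to the site's own log files.
	# A relative include path is resolved against the nginx configuration prefix.
	# NOTE(review): the page text names the file /usr/local/nginx/conf/site.ru,
	# without the vhosts/ directory - confirm which location is intended.
	include "vhosts/site.ru";

}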


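# HTTPS virtual host for site.ru.
server {

	# The `ssl` parameter of `listen` replaces the standalone `ssl on;` directive,
	# which is obsolete since nginx 1.15.0 and removed in later releases.
	listen 127.0.0.1:443 ssl;

	server_name site.ru;

	# Canonical-host redirect for requests that reach this server with another
	# Host header. The dot is escaped so that it matches a literal "." only.
	if ( $host !~* "^site\.ru$" ) {

		rewrite ^(.*)$ https://site.ru$1 permanent;

	}

	# TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and are no longer offered.
	# Add TLSv1.3 here when the installed nginx and OpenSSL builds support it.
	# Compatibility note: clients limited to TLS 1.0/1.1 can no longer connect.
	ssl_protocols TLSv1.2;
	ssl_prefer_server_ciphers on;
	# Forward-secret AEAD suites only - the head of the previous list, same order.
	# Dropped: CBC-mode suites, static-RSA key exchange and 3DES (64-bit block).
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

	# OCSP stapling. nginx has to resolve the OCSP responder's host name, which
	# needs a `resolver` (commented out below). ssl_stapling_verify also needs the
	# issuer chain to be trusted via ssl_trusted_certificate. Check the error log
	# after a reload: if either is missing, stapling most likely does not happen.
	ssl_stapling on;
	ssl_stapling_verify on;
	#ssl_trusted_certificate <path to the issuer CA chain>;
	ssl_certificate	/var/ssl/site.ru/site.ru.crt;
	# Keep the private key readable only by the account that starts nginx.
	ssl_certificate_key	/var/ssl/site.ru/site.ru.key;

	# Generate with:
	# openssl dhparam -out /var/ssl/site.ru/dhparam.pem 4096
	ssl_dhparam /var/ssl/site.ru/dhparam.pem;

	ssl_ecdh_curve secp384r1;

	ssl_session_cache	shared:SSL:10m;
	ssl_session_timeout	10m;

	# IP address of the DNS server (required for OCSP stapling, see above).
	# http://nginx.org/ru/docs/http/ngx_http_core_module.html#resolver
	#resolver 127.0.0.2;

	# `always` makes nginx send the header on error responses as well.
	# add_header is inherited by a location only if that location declares no
	# add_header of its own, so any location in the included file that sets its
	# own headers must repeat this one.
	add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;

	include "vhosts/site.ru";

}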

Дополнительный файл (/usr/local/nginx/conf/site.ru)

# Settings shared by both server blocks through `include`.

# Adds the charset to the Content-Type response header.
charset utf-8;

# Per-site log files; relative paths are resolved against the nginx prefix.
access_log logs/site.ru/access.log;
error_log logs/site.ru/error.log;

# Document root. Everything below it is reachable by URL unless one of the
# deny locations further down matches first.
root /var/www/site.ru;

# Files tried, in this order, when a directory is requested.
index index.php index.html;

# Deny rules for framework internals.
# Regex locations are tested in the order they appear and the first match wins,
# so these rules must stay above the generic `\.php$` location to take effect.
# `return 404` is processed before the access rules, so clients get 404 rather
# than 403; `deny all` remains only as a fallback should the return be removed.

# Deny completely: cache directory.
location ~* ^/internals/cache {
	deny all;
	return 404;
}

# Deny completely: control-panel cache directory.
location ~* ^/cp/internals/cache {
	deny all;
	return 404;
}

# Deny completely: no direct execution of PHP files under /kernel/.
location ~* ^/kernel/.*\.php$ {
	deny all;
	return 404;
}

# Deny completely: no direct execution of PHP files under /internals/.
location ~* ^/internals/.*\.php$ {
	deny all;
	return 404;
}

# Deny completely: unanchored pattern, matches "internals/...php" at any depth.
# It also covers the /internals/ rule above and the /cp/internals/ rule below.
location ~* internals/.*\.php$ {
	deny all;
	return 404;
}

# Deny completely: PHP files under /cp/internals/.
location ~* ^/cp/internals/.*\.php$ {
	deny all;
	return 404;
}

#location ~ /\.ht {
location ~ /\. {
	deny all;
	return 404;
}

# Deny completely: templates, dumps, logs, archives and backups stored under
# kernel/, internals/ or cp/internals/ must not be downloadable.
location ~* /(kernel|internals|cp/internals)/.*\.(html|sql|tpl|log|txt|zip|gz|jar|bak|ser)$ {
	deny all;
	return 404;
	# Exception: the nested location is considered only for requests that already
	# matched the outer pattern. Its own `allow all` replaces the inherited
	# `deny all`, and the outer `return 404` presumably does not apply inside it.
	# NOTE(review): this makes files with the listed extensions (including .sql,
	# .zip and .bak) under /internals/uploads/archive publicly downloadable -
	# confirm that this is intended.
	location ~* ^/internals/uploads/archive {
		allow all;
	}
}	
	

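# Control panel, protected with HTTP basic authentication.
# Declared ahead of the generic PHP location on purpose: regex locations are
# tried in file order and the first match wins. With the PHP location first,
# requests for /cp/*.php were handled there and never saw auth_basic. The
# rewrite below also runs before the access phase and restarts location
# matching, so rewritten requests skipped the password check too.
# Static files under /cp/ now require authentication as well and no longer get
# the long `expires` of the static-file location.
location ~* ^/cp/ {

	auth_basic "Private Area";
	auth_basic_user_file /var/www/.htpasswd;

	# PHP under /cp/ is executed here so that it inherits auth_basic. The target
	# of the rewrite below, /cp/index.php, is matched by this nested location.
	location ~* \.php$ {
		# Hand only existing files to PHP-FPM.
		try_files $uri =404;
		fastcgi_param	HTTPS on;
		fastcgi_pass   127.0.0.1:9001;
		fastcgi_index  index.php;
		include        fastcgi_params;
		fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
	}

	# Front controller: anything that is not an existing file goes to /cp/index.php.
	if ( !-e $request_filename ) {
		rewrite ^/cp/(.*)$ /cp/index.php?_sef=$1 last;
	}
}

# PHP scripts of the public site.
location ~* \.php$ {
	# Hand only existing files to PHP-FPM, so that a URI which merely ends in
	# .php but names no real script is not left for PHP to resolve on its own.
	# Assumes PHP-FPM sees the same filesystem as nginx (it listens on loopback).
	try_files $uri =404;
	# Set because of the error:
	# 400 Bad Request
	# The plain HTTP request was sent to HTTPS port
	fastcgi_param	HTTPS on;
	fastcgi_pass   127.0.0.1:9001;
	fastcgi_index  index.php;
	include        fastcgi_params;
	fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
	# https://developers.google.com/speed/pagespeed/module/configuration
#	pagespeed ModifyCachingHeaders off;
}

# Static assets: long client-side caching, no access logging.
location ~* ^.+\.(jpg|jpeg|gif|png|css|js|swf|ico|ttf|woff|woff2)$ {
    access_log      off;
    log_not_found   off;
    expires         1y;
}

# Front controller of the public site: anything that is not an existing file
# is passed to /index.php with the original path in the _sef parameter.
location / {

	if ( !-e $request_filename ) {
		rewrite ^/(.*)$ /index.php?_sef=$1 last;
	}

}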


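# Long-lived caching for static files.
# Extensions that an earlier static-file location in this file also lists are
# handled there (first matching regex wins); this block serves the remainder.
#location ~* \.(?:jpg|jpeg|gif|png|svg|bmp|ico|pdf|flv|swf|html|htm|txt|css|js|woff|woff2|ttf|webp|eot)$ {
location ~* ^.+\.(jpg|jpeg|gif|png|svg|bmp|ico|pdf|flv|swf|html|htm|txt|css|js|woff|woff2|ttf|webp|eot)$ {
#	add_header  Cache-Control public;
#	add_header  Cache-Control must-revalidate;
	add_header	Cache-Control "public, max-age=31536000";
	# A location that declares its own add_header no longer inherits the headers
	# set at server level, so the HSTS header is repeated here. Keep the value
	# identical to the one in the HTTPS server block.
	add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
	# NOTE(review): `expires max` emits a Cache-Control header of its own, so the
	# response carries two differing Cache-Control values - consider keeping one.
	expires max;
	access_log off;
	log_not_found   off;
}	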

#pagespeed on;
#pagespeed FileCachePath "/var/cache/nginx_pagespeed/";
# https://developers.google.com/speed/pagespeed/module/config_filters
#pagespeed EnableFilters outline_css,rewrite_javascript_external,rewrite_javascript_inline,outline_javascript,move_css_above_scripts,fallback_rewrite_css_urls,prioritize_critical_css,combine_css,combine_javascript,rewrite_images,rewrite_css,rewrite_javascript,inline_images,recompress_jpeg,recompress_png,resize_images,insert_dns_prefetch,prioritize_critical_css,collapse_whitespace;
# Без prioritize_critical_css
#pagespeed EnableFilters outline_css,rewrite_javascript_external,rewrite_javascript_inline,outline_javascript,move_css_above_scripts,fallback_rewrite_css_urls,combine_css,combine_javascript,rewrite_images,rewrite_css,rewrite_javascript,inline_images,recompress_jpeg,recompress_png,resize_images,insert_dns_prefetch,prioritize_critical_css,collapse_whitespace;
#pagespeed ForceCaching on;
#pagespeed JpegRecompressionQuality 70;
#pagespeed ImageRecompressionQuality 70;
#pagespeed ImageInlineMaxBytes 2048;
#pagespeed LowercaseHtmlNames on;
#pagespeed CriticalImagesBeaconEnabled false;
#pagespeed RespectVary on;

	

# Exact-match location: takes priority over every regex location, so
# /favicon.ico is served with the server-level defaults only (none of the
# expires/logging settings from the static-file locations apply to it).
location = /favicon.ico {
}

# Disallow requests for index.php|html without parameters.
# $request_uri is the original request line including the query string, so the
# pattern matches only a bare "/index.php"; such requests are redirected
# permanently to "/". Only index.php is covered by the condition below.
if ( $request_uri ~ "^/index\.php$" ){
	rewrite ^/index\.php$ / permanent;
}
 

# Error pages. 404 is sent to the internal URI /404; presumably it is picked up
# by the front-controller rewrite in `location /` - confirm against the application.
error_page	404	/404;
# Upstream/server errors get a static page.
error_page   500 502 503 504  /50x.html;

# 50x.html is read from the "html" directory (relative to the nginx prefix)
# instead of the site's document root.
location = /50x.html {
	root   html;
}






 

 

 

 
