网站优化小记（Nginx+php7）

这是本博客的配置文件

server
{
	listen 80;
  	server_name 234du.com www.234du.com;
  	rewrite ^(.*)$ https://www.234du.com$1 permanent; 
}
server
{
	listen 443 ssl http2;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/234du.com;
    ssl_certificate    /etc/letsencrypt/live/234du.com/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/234du.com/privkey.pem;
  	
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
  
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    resolver 8.8.8.8 8.8.4.4;

    include enable-php-70.conf;
    include /www/server/panel/vhost/rewrite/234du.com.conf;
  	include /www/server/nginx/conf/rocket.conf;
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires      30d;
        access_log off; 
    }
    location ~ .*\.(js|css)?$
    {
        expires      12h;
        access_log off; 
    }
    access_log  /www/wwwlogs/234du.com.log;
}

server

{

listen 80;

server_name 234du.com www.234du.com;

rewrite ^(.*)$ https://www.234du.com$1 permanent;

}

server

{

listen 443 ssl http2;

index index.php index.html index.htm default.php default.htm default.html;

root /www/wwwroot/234du.com;

ssl_certificate /etc/letsencrypt/live/234du.com/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/234du.com/privkey.pem;

ssl_session_timeout 1d;

ssl_session_cache shared:SSL:50m;

ssl_session_tickets off;

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

ssl_prefer_server_ciphers on;

resolver 8.8.8.8 8.8.4.4;

include enable-php-70.conf;

include /www/server/panel/vhost/rewrite/234du.com.conf;

include /www/server/nginx/conf/rocket.conf;

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

{

expires 30d;

access_log off;

}

location ~ .*\.(js|css)?$

{

expires 12h;

access_log off;

}

access_log /www/wwwlogs/234du.com.log;

}

https 301跳转

建议在原来的server{xxxxxx}配置另外再添加一个server{xxxx}配置

server
{
	listen 80;
  	server_name 234du.com www.234du.com;
  	rewrite ^(.*)$ https://www.234du.com$1 permanent; 
}

server

{

listen 80;

server_name 234du.com www.234du.com;

rewrite ^(.*)$ https://www.234du.com$1 permanent;

}

这段表示http强制跳转到https，并且不www跳转到带www

加强网站ssl

https://mozilla.github.io/server-side-tls/ssl-config-generator/

根据自己的环境选择，下面会生成对应的建议配置

https://www.ssllabs.com SSL检测

配置文件中最重要的是DH交换秘钥

ssl_dhparam /ect/nginx/ssl/dhparam.pem;

1	ssl_dhparam /ect/nginx/ssl/dhparam.pem;

pem文件要自己生成，步骤如下：

mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
openssl dhparam -out dhparam.pem 2048

mkdir /etc/nginx/ssl

cd /etc/nginx/ssl

openssl dhparam -out dhparam.pem 2048

有些文章中使用9046，本博主不建议使用，因为9046会消耗更多的服务器资源

本作品采用知识共享署名 4.0 国际许可协议进行许可

网站优化小记（Nginx+php7）

https 301跳转

加强网站ssl

文章评论