Here is a blog about nginx configuration, which is very detailed and very new. It was released on March 21, 2016. But there are too many configuration items in it, and I don’t know what the functions of many of them are. Could you please explain them to me? Original link: https://imququ.com/post/my-nginx-conf.ht...
The configuration files that need to be explained are as follows, and the items that need to be explained are marked with comments. Sorry, there is a lot of content, so I can answer some selective questions.
server {
listen 443 ssl http2 fastopen=3 reuseport;
server_name www.imququ.com imququ.com;
server_tokens off;
include /home/jerry/www/nginx_conf/ip.blacklist;
//能否帮解释一下下面一堆ssl各项意思?
ssl_ct on;
ssl_ct_static_scts /home/jerry/www/scts;
ssl_certificate /home/jerry/www/ssl/chained.pem;
ssl_certificate_key /home/jerry/www/ssl/domain.key;
ssl_dhparam /home/jerry/www/ssl/dhparams.pem;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets on;
ssl_session_ticket_key /home/jerry/www/ssl/session_ticket.key;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /home/jerry/www/ssl/full_chained.pem;
//下面两项需要解释,不太懂
resolver 114.114.114.114 valid=300s;
resolver_timeout 10s;
access_log /home/jerry/www/nginx_log/imququ_com.log;
//麻烦解释一下下面 “两个” if语句
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
return 444;
}
if ($host != 'imququ.com' ) {
rewrite ^/(.*)$ https://imququ.com/ permanent;
}
//这个location语句需要解释一下,主要是括号里面的内容不太明白
location ~* (robots\.txt|favicon\.ico|crossdomain\.xml|google4c90d18e696bdcf8\.html|BingSiteAuth\.xml)$ {
root /home/jerry/www/imququ.com/www/static;
expires 1d;
}
//下面这个location语句,可能每句话都需要帮解释一下
location ~ ^/static/uploads/ {
root /home/jerry/www/imququ.com/www;
add_header Access-Control-Allow-Origin *;
set $expires_time max;
valid_referers blocked none server_names *.qgy18.com *.inoreader.com feedly.com *.feedly.com www.udpwork.com theoldreader.com digg.com *.feiworks.com *.newszeit.com r.mail.qq.com yuedu.163.com *.w3ctech.com;
if ($invalid_referer) {
set $expires_time -1;
rewrite ^/ https://imququ.com/static/img/blog/403.png redirect;
}
expires $expires_time;
}
//下面这个location语句,作用是什么?
location ~ ^/static/ {
root /home/jerry/www/imququ.com/www;
add_header Access-Control-Allow-Origin *;
expires max;
}
//下面这个location语句,也是可能每句话都需要帮解释一下。
location ~ ^/admin {
proxy_http_version 1.1;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options deny;
add_header X-Content-Type-Options nosniff;
proxy_set_header X-Via QingDao.Aliyun;
proxy_set_header Connection "";
proxy_set_header Host imququ.com;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:9095;
}
//下面这个location语句应该不需要解释了,项目都是上面出现过的。
location / {
proxy_http_version 1.1;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options deny;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: http://ip.qgy18.com:81; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net";
add_header Public-Key-Pins 'pin-sha256="aef6IF2UF6jNEwA2pNmP7kpgT6NFSdt7Tqf5HzaIGWI="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000; includeSubDomains';
add_header Cache-Control no-cache;
proxy_ignore_headers Set-Cookie;
proxy_hide_header Vary;
proxy_hide_header X-Powered-By;
proxy_set_header X-Via QingDao.Aliyun;
proxy_set_header Connection "";
proxy_set_header Host imququ.com;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:9095;
}
}
//为什么这个server里面的域名和上面server里面一样,弄两个server干啥?
server {
server_name www.imququ.com imququ.com;
server_tokens off;
access_log /dev/null;
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
return 444;
}
location ^~ /.well-known/acme-challenge/ {
alias /home/jerry/www/challenges/;
try_files $uri =404;
}
location / {
rewrite ^/(.*)$ https://imququ.com/ permanent;
}
}
Personally, for SSL issues, it would be better to go directly to nginx’s documentation
http://nginx.org/en/docs/http/ngx_http_s...
In fact, the following problems are also the same, including resolver, location and rewrite of the bottom server. These can be solved by consulting the manual. It is recommended to read through the official nginx documentation. I believe this configuration will be easy to understand. For example, what does the $request_method variable mean, what does the $host variable mean, and what is the HTTP 444 status code.
To put it bluntly, RTFM
I have several suggestions for this problem. I also learned about HTTPS deployment on this blog.
First, please read several articles about HTTPS deployment written by this blogger. I remember there are security articles, performance articles, etc. They are very well written. If you read them patiently, you will be able to answer most of the questions here. get answered. The reason why there are so many options is because this is a summary of many articles written by the blogger. If you really want to know the principle, you need to read all those articles.
Second, regarding the location part, it is recommended to search the configuration of the Nginx location part separately, and then go back and look at the configuration here.
Third, I don’t quite understand the resolver part, but it seems to be related to SSL configuration, which means it is configured together with SSL.