  • Nginx httpS server配置

                                                                             Nginx httpS 配置                                                                        

    配置同时支持http和httpS协议:

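    # One virtual host that answers on both plain HTTP (80) and HTTPS (443).
    # Serving the same content over port 80 means clients are never forced onto
    # TLS; if the site handles logins or cookies, prefer redirecting 80 -> 443.
    server {
        # `backlog` sets the listen(2) backlog: the maximum length of the queue
        # of pending connections on this socket (not a per-interface packet queue).
        # `default_server` is the current spelling of the legacy `default` flag.
        listen 80 default_server backlog=2048;
        listen 443 ssl;
        server_name ssl.joy4you.com;

        ssl_certificate     /data/nginx/conf/server.crt;
        # The file name suggests the key has no passphrase: keep it readable only
        # by the account that starts nginx (e.g. mode 0600).
        ssl_certificate_key /data/nginx/conf/server_nopwd.key;
        # TLS 1.0/1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx >= 1.13.0
        # built against OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;

        root /data/;

        # The document root /data/ is a parent of /data/nginx/conf, where the
        # certificate and unencrypted private key live. Refuse anything under it
        # so those files can never be served as static content. Better still,
        # point `root` at a dedicated web directory.
        location ^~ /nginx/ {
            return 404;
        }

        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$args;
        }

        # Only hand real *.php / *.php5 files to PHP-FPM. The previous pattern
        # `.*.(php|php5)?$` had an unescaped dot and an optional extension group,
        # so it matched every URI and sent all requests to FastCGI.
        location ~ \.(php|php5)$ {
            # Reject script paths that do not exist on disk before PHP-FPM sees
            # them (also set cgi.fix_pathinfo=0 in php.ini).
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # fastcgi.conf already sets SCRIPT_FILENAME to
            # $document_root$fastcgi_script_name.
            include fastcgi.conf;
        }
    }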
    配置/data/http/使用http协议;/data/ssl/使用httpS协议:

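    # Two virtual hosts for the same address: /data/http/ is served over plain
    # HTTP and /data/ssl/ over HTTPS.
    server {
        listen 80;
        server_name 192.168.17.16;
        access_log /data/nginx/logs/php.joy4you.com.log main;
        root /data/http/;

        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$args;
        }

        # Only hand real *.php / *.php5 files to PHP-FPM. The previous pattern
        # `.*.(php|php5)?$` matched every URI (unescaped dot, optional group).
        location ~ \.(php|php5)$ {
            # Reject script paths that do not exist on disk before PHP-FPM sees
            # them (also set cgi.fix_pathinfo=0 in php.ini).
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # fastcgi.conf already sets SCRIPT_FILENAME.
            include fastcgi.conf;
        }
    }

    server {
        # `ssl on;` was deprecated in nginx 1.15.0 and removed in 1.25.1; the
        # `ssl` parameter of `listen` is the supported way to enable TLS.
        listen 443 ssl;
        server_name 192.168.17.16;

        ssl_certificate     /data/nginx/conf/server.crt;
        # The file name suggests the key has no passphrase: keep it readable only
        # by the account that starts nginx (e.g. mode 0600).
        ssl_certificate_key /data/nginx/conf/server_nopwd.key;
        # TLS 1.0/1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx >= 1.13.0
        # built against OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;

        access_log /data/nginx/logs/php.joy4you.com.log main;
        root /data/ssl/;

        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.(php|php5)$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
        }
    }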
    把访问80端口的请求全部转发到443(https):

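    # Port 80 only redirects; all content is served from the HTTPS vhost below.
    server {
        listen 80;
        server_name 192.168.17.16;
        # `return` is the idiomatic redirect and avoids a regex rewrite.
        # $server_name comes from this config, not from the client's Host
        # header, so the redirect target cannot be steered by the request.
        return 301 https://$server_name$request_uri;
    }

    server {
        # `ssl on;` was deprecated in nginx 1.15.0 and removed in 1.25.1; the
        # `ssl` parameter of `listen` is the supported way to enable TLS.
        listen 443 ssl;
        server_name 192.168.17.16;

        ssl_certificate     /data/nginx/conf/server.crt;
        # The file name suggests the key has no passphrase: keep it readable only
        # by the account that starts nginx (e.g. mode 0600).
        ssl_certificate_key /data/nginx/conf/server_nopwd.key;
        # TLS 1.0/1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx >= 1.13.0
        # built against OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;

        access_log /data/nginx/logs/php.joy4you.com.log main;
        root /data/;

        # The document root /data/ is a parent of /data/nginx/ (TLS key,
        # certificate and access logs). Refuse anything under it so those files
        # can never be served as static content. Better still, point `root` at
        # a dedicated web directory.
        location ^~ /nginx/ {
            return 404;
        }

        location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$args;
        }

        # Only hand real *.php / *.php5 files to PHP-FPM. The previous pattern
        # `.*.(php|php5)?$` matched every URI (unescaped dot, optional group).
        location ~ \.(php|php5)$ {
            # Reject script paths that do not exist on disk before PHP-FPM sees
            # them (also set cgi.fix_pathinfo=0 in php.ini).
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # fastcgi.conf already sets SCRIPT_FILENAME.
            include fastcgi.conf;
        }
    }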

     使用沃通的CA证书,他们推荐的https配置:

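    # HTTPS virtual host. The page attributes this layout to WoSign's
    # recommendation; WoSign-issued certificates have since been distrusted by
    # the major browsers, so obtain the certificate from a currently trusted CA.
    server {
        # Enable TLS on the listener. The separate `ssl on;` directive was
        # deprecated in nginx 1.15.0 and removed in 1.25.1.
        listen       443 ssl;
        server_name  localhost;

        # Certificate for this virtual host, in PEM format.
        ssl_certificate      /home/wangzhengyi/ssl/wangzhengyi.crt;

        # Private key for this virtual host. The file name suggests it has no
        # passphrase: keep it readable only by the account that starts nginx
        # (e.g. mode 0600) and outside any served directory.
        ssl_certificate_key  /home/wangzhengyi/ssl/wangzhengyi_nopass.key;

        # How long a client may reuse cached session parameters.
        ssl_session_timeout  5m;

        # Protocol versions to accept. TLS 1.0/1.1 are deprecated (RFC 8996).
        # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1+; drop it
        # on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Cipher suites allowed for TLS <= 1.2, in OpenSSL format. The earlier
        # list started from `ALL`, which admits weak suites, and contained
        # spaces, which nginx parses as extra arguments and rejects. This list
        # keeps only ECDHE key exchange with AEAD ciphers.
        ssl_ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

        # Prefer the server's cipher order over the client's.
        ssl_prefer_server_ciphers on;
    }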

    SSL参数:

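    # How long a client may reuse session parameters held in the cache.
    ssl_session_timeout 5m;
    # Protocol versions to enable. TLS 1.0/1.1 are deprecated (RFC 8996).
    # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites the server accepts for TLS <= 1.2, in OpenSSL format.
    # Starting from `ALL` admits weak suites; list only ECDHE + AEAD suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # Prefer the server's cipher order over the client's.
    ssl_prefer_server_ciphers on;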
  • 原文地址:https://www.cnblogs.com/tangshengwei/p/5013341.html