search

Home  >  Q&A  >  body text

nginx configuration https problem

Here is a blog about nginx configuration, which is very detailed and very new. It was released on March 21, 2016. But there are too many configuration items in it, and I don’t know what the functions of many of them are. Could you please explain them to me? Original link: https://imququ.com/post/my-nginx-conf.ht...

The configuration files that need to be explained are as follows, and the items that need to be explained are marked with comments. Sorry, there is a lot of content, so I can answer some selective questions.

server {
    listen               443 ssl http2 fastopen=3 reuseport;

    server_name          www.imququ.com imququ.com;
    server_tokens        off;

    include              /home/jerry/www/nginx_conf/ip.blacklist;

//能否帮解释一下下面一堆ssl各项意思?
    ssl_ct               on;
    ssl_ct_static_scts   /home/jerry/www/scts;
    ssl_certificate      /home/jerry/www/ssl/chained.pem;
    ssl_certificate_key  /home/jerry/www/ssl/domain.key;
    ssl_dhparam          /home/jerry/www/ssl/dhparams.pem;
    ssl_ciphers                EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers  on;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache          shared:SSL:50m;
    ssl_session_timeout        1d;
    ssl_session_tickets        on;
    ssl_session_ticket_key     /home/jerry/www/ssl/session_ticket.key;
    ssl_stapling               on;
    ssl_stapling_verify        on;
    ssl_trusted_certificate    /home/jerry/www/ssl/full_chained.pem;

//下面两项需要解释,不太懂
    resolver                   114.114.114.114 valid=300s;
    resolver_timeout           10s;

    access_log                 /home/jerry/www/nginx_log/imququ_com.log;

//麻烦解释一下下面 “两个” if语句
    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
        return           444;
    }
    if ($host != 'imququ.com' ) {
        rewrite          ^/(.*)$  https://imququ.com/ permanent;
    }

//这个location语句需要解释一下,主要是括号里面的内容不太明白
    location ~* (robots\.txt|favicon\.ico|crossdomain\.xml|google4c90d18e696bdcf8\.html|BingSiteAuth\.xml)$ {
        root             /home/jerry/www/imququ.com/www/static;
        expires          1d;
    }

//下面这个location语句,可能每句话都需要帮解释一下
    location ~ ^/static/uploads/ {
        root             /home/jerry/www/imququ.com/www;
        add_header       Access-Control-Allow-Origin *;

        set              $expires_time max;

        valid_referers blocked none server_names *.qgy18.com *.inoreader.com feedly.com *.feedly.com www.udpwork.com theoldreader.com digg.com *.feiworks.com *.newszeit.com r.mail.qq.com yuedu.163.com *.w3ctech.com;
        if ($invalid_referer) {
            set          $expires_time -1;
            rewrite      ^/ https://imququ.com/static/img/blog/403.png redirect;
        }

        expires          $expires_time;
    }

//下面这个location语句,作用是什么?
    location ~ ^/static/ {
        root             /home/jerry/www/imququ.com/www;
        add_header       Access-Control-Allow-Origin *;      
        expires          max;
    }


//下面这个location语句,也是可能每句话都需要帮解释一下。
    location ~ ^/admin {
        proxy_http_version       1.1;

        add_header               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header               X-Frame-Options deny;
        add_header               X-Content-Type-Options nosniff;

        proxy_set_header         X-Via            QingDao.Aliyun;
        proxy_set_header         Connection       "";
        proxy_set_header         Host             imququ.com;
        proxy_set_header         X-Real_IP        $remote_addr;
        proxy_set_header         X-Forwarded-For  $proxy_add_x_forwarded_for;

        proxy_pass               http://127.0.0.1:9095;
    }

//下面这个location语句应该不需要解释了,项目都是上面出现过的。
    location / {
        proxy_http_version       1.1;

        add_header               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header               X-Frame-Options deny;
        add_header               X-Content-Type-Options nosniff;
        add_header               Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: http://ip.qgy18.com:81; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net";
        add_header               Public-Key-Pins 'pin-sha256="aef6IF2UF6jNEwA2pNmP7kpgT6NFSdt7Tqf5HzaIGWI="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000; includeSubDomains';
        add_header               Cache-Control no-cache;

        proxy_ignore_headers     Set-Cookie;

        proxy_hide_header        Vary;
        proxy_hide_header        X-Powered-By;

        proxy_set_header         X-Via            QingDao.Aliyun;
        proxy_set_header         Connection       "";
        proxy_set_header         Host             imququ.com;
        proxy_set_header         X-Real_IP        $remote_addr;
        proxy_set_header         X-Forwarded-For  $proxy_add_x_forwarded_for;

        proxy_pass               http://127.0.0.1:9095;
    }
}

//为什么这个server里面的域名和上面server里面一样,弄两个server干啥?
server {
    server_name       www.imququ.com imququ.com;
    server_tokens     off;

    access_log        /dev/null;

    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return        444;
    }

    location ^~ /.well-known/acme-challenge/ {
        alias         /home/jerry/www/challenges/;
        try_files     $uri =404;
    }

    location / {
        rewrite       ^/(.*)$ https://imququ.com/ permanent;
    }
}
某草草某草草2751 days ago488

reply all(2)I'll reply

  • 滿天的星座

    滿天的星座2017-05-16 17:19:56

    Personally, for SSL issues, it would be better to go directly to nginx’s documentation
    http://nginx.org/en/docs/http/ngx_http_s...

    In fact, the following problems are also the same, including resolver, location and rewrite of the bottom server. These can be solved by consulting the manual. It is recommended to read through the official nginx documentation. I believe this configuration will be easy to understand. For example, what does the $request_method variable mean, what does the $host variable mean, and what is the HTTP 444 status code.

    To put it bluntly, RTFM

    reply
    0
  • 高洛峰

    高洛峰2017-05-16 17:19:56

    I have several suggestions for this problem. I also learned about HTTPS deployment on this blog.
    First, please read several articles about HTTPS deployment written by this blogger. I remember there are security articles, performance articles, etc. They are very well written. If you read them patiently, you will be able to answer most of the questions here. get answered. The reason why there are so many options is because this is a summary of many articles written by the blogger. If you really want to know the principle, you need to read all those articles.
    Second, regarding the location part, it is recommended to search the configuration of the Nginx location part separately, and then go back and look at the configuration here.
    Third, I don’t quite understand the resolver part, but it seems to be related to SSL configuration, which means it is configured together with SSL.

    reply
    0
  • Cancelreply