在wordpress nginx上设置https和http


0
[root@serv01 nginx]# cat nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

pid        /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    index   index.php index.html index.htm;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        server_name  localhost;
        root         /var/www/wordpress;

        #charset koi8-r;

        #access_log  /var/log/nginx/host.access.log  main;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            try_files $uri $uri/ =404;
        }     

        # redirect server error pages to the static page /40x.html
        #
        error_page  404              /404.html;
        location = /40x.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
        }
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

    server {
        listen 443;
        server_name home.local;
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        root /var/www/wordpress;
        index index.php index.htm index.html
    }
}

我正在尝试使用https作为我的wordpress,http工作正常,但当我尝试添加httpd服务器块时,nginx将无法启动,我猜它在错误的位置。任何帮助将不胜感激。


你有合适的证书和钥匙吗?
Romeo Ninov 2015年

什么错误消息nginx给出了什么?(检查日志文件)另外,您可能会index在https部分的行末缺少分号。
wurtel 2015年

Answers:


1

不确定回答这个可能是 “死而埋葬”的问题件好事,但我们走了......

基本配置(即安全性

  1. 生成您的私钥(> = 2048位)和您的证书。我假设你已经拥有它们,否则看看letsencrypt.org。确保您的证书包含完整的证书链(通常是中间/实体证书)。关于Diffie-Hellman参数,您可以通过运行生成它们openssl dhparam -out /path/to/dhparam.pem 2048
  2. 根据Mozilla SSL配置生成器设置SSL设置(中间设置,截至2016-06-30):

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name localhost;
        root /var/www/wordpress;
    
        ### SSL/TLS SETTINGS ###
        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /path/to/signed_cert_plus_intermediates;
        ssl_certificate_key /path/to/private_key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
    
        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /path/to/dhparam.pem;
    
        # intermediate configuration. tweak to your needs.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;
    
    
        ### OCSP Stapling ###
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;
    
        # verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
    
        resolver <IP DNS resolver>;
    
        include /etc/nginx/default.d/*.conf;
    
        location / {
            try_files $uri $uri/ =404;
        }
    
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
    

高级配置(即来到我这里,NSA!(不,但是......)

采用上面的基本配置并调整如下:

  1. 在生成证书和Diffie-Hellman参数时选择(至少)3072bit(是的,这需要一段时间,但值得)。
  2. 仅使用TLS1.2: ssl_protocols TLSv1.2;
  3. 使用安全曲线: ssl_ecdh_curve secp384r1;
  4. 使用“现代”密码套件(截至2016-06-30): ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  5. 为每个人实施HTTPS:

    • 重写您的“HTTP” server块如下:

      server {
          listen 80;
          listen [::]:80;
          server_name mySuperServer;
          return 301 https://$server_name$request_uri;
      }
      
    • 使用HSTS标头强制访问者的导航器专门使用HTTPS: add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; preload';

  6. 您的服务器还可以通过设置这些标头来保护您的网站(在某种程度上):

    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header Content-Security-Policy "default-src 'none';
    
  7. 这里的一般最佳实践:永远不要用于root修改您的文件。请sudo改用。

奖金

  1. 如果您的服务器正在运行的nginx> 1.9.5,您可以通过添加使用HTTP / 2 http2在你的listen指令。
  2. 您的服务器获得了IPv6地址(并支持HTTP / 2)?好!listen [::]:443 ssl http2;在第一个listen指令下面添加。
  3. 您打算将您的服务器用于多个域吗?您应该为每个块设置access_log和。error_logserver
  4. 复制/粘贴很少引起...您可以### SSL/TLS SETTINGS ###在文本文件中移动块并将其包含在您的配置中。您对CGI的CGI调用也是如此。
  5. 通过使用UNIX套接字而不是监听环回接口,您可以加快nginx和PHP解释器之间的通信速度:fastcgi_pass unix:/var/run/php5-fpm.sock;

因此,您的server块应如下所示:

#HTTP server
server {
    listen 80;
    listen [::]:80;
    server_name mySuperServer;
    return 301 https://$server_name$request_uri;
}

# HTTPS server
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2;
    server_name mySuperServer;

    index index.php index.html index.htm;
    root /path/to/your/files/mySuperServer;

    access_log /var/log/nginx/mySuperServer/access.log;
    error_log /var/log/nginx/mySuperServer/error.log;

    ### SSL/TLS SETTINGS ###
    ssl on;
    ssl_certificate /path/to/your/cert.pem;
    ssl_certificate_key /path/to/your/privkey.pem;
    ssl_dhparam /path/to/your/dh_parameters.pem;

    include securityrules.inc;

    include fastcgi.inc;
}

内容securityrules.inc

ssl_protocols TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

###  HTTP HEADERS ###
add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains; preload';
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'none';

内容fastcgi.inc

location ~ \.php$ {
    include                 fastcgi_params;
    fastcgi_keep_conn       on;
    fastcgi_pass            unix:/var/run/php5-fpm.sock;
    fastcgi_index           index.php;
    fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

一旦我获得了必要的声誉,我会添加更多链接...
Florent_ATo 2016年
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.