


Nginx主配置文件模板(http https)——筑梦之路

2023-09-14 09:09:36 时间
# Worker processes drop to the "nginx" account; the master process keeps
# root only to bind privileged ports and re-read the config.
user nginx;
worker_processes auto;

error_log  /usr/local/nginx/logs/error.log warn;
pid        /var/run/nginx.pid;

# Open-file limit per worker. worker_connections (set to 65535 in the
# events block) cannot usefully exceed this value.
worker_rlimit_nofile 65535;

events {
  use epoll;
  # Simultaneous connections per worker (clients plus upstream connections);
  # bounded by worker_rlimit_nofile above.
  worker_connections 65535;
  }

http {
  include /usr/local/nginx/conf/mime.types;
  default_type application/octet-stream;
  # Hide the nginx version string in the Server header and on error pages.
  server_tokens off;

  # NOTE(review): $http_x_forwarded_for is whatever the client put in that
  # header; treat it as untrusted unless a trusted proxy in front rewrites it.
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

  access_log  /usr/local/nginx/logs/access.log  main;

  sendfile on;
  tcp_nopush on;

  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  # Accepts request bodies up to 2 GiB on every vhost and location. That is a
  # disk/bandwidth exhaustion surface for anonymous clients; prefer a small
  # default here and raise it only in the locations that actually take uploads.
  client_max_body_size 2048m;
  tcp_nodelay on;
  keepalive_timeout 65;
  # Five-minute FastCGI timeouts: one slow PHP request can hold a worker
  # connection for up to 300s, so keep these as low as the application allows.
  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;


  # Static (precompressed) gzip: serve an existing "<file>.gz" beside the
  # requested file instead of compressing on the fly. Requires nginx built
  # with --with-http_gzip_static_module (see the notes below this block).
  gzip_static  on;
  gzip_proxied expired no-cache no-store private auth;

  # On-the-fly gzip. NOTE(review): text/html is always compressed when gzip
  # is on; compressing dynamic pages that mix secrets (session/CSRF tokens)
  # with attacker-controlled input is the precondition for BREACH, so
  # consider disabling gzip for such responses.
  gzip on;
  gzip_min_length 1100;
  gzip_buffers 4 16k;
  gzip_http_version 1.0;
  # Level 9 is the most CPU-expensive setting; 4-6 is the usual trade-off.
  gzip_comp_level 9;
  gzip_types text/plain text/css application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
  gzip_vary on;

  # Per-site server blocks live in separate files.
  include /data/nginx/vhost/*.conf;
}

###静态压缩说明
静态压缩需要开启--with-http_gzip_static_module
编译的时候加上 ./configure --with-http_gzip_static_module

nginx 动态压缩,对每个请求先压缩再输出。
nginx 静态压缩,使用现成的扩展名为 .gz 的预压缩文件。
下面的模板同时支持 http 和 https 两种方式访问,并支持 IPv6。注意:`listen [::]:80` 默认只绑定 IPv6(nginx 自 1.3.4 起 ipv6only 默认为 on),要同时服务 IPv4 还需要单独写一条 `listen 80;`。

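server
{
    # HTTPS vhost. Plain HTTP is handled by the redirect server below. Do not
    # also listen on :80 here: two servers with the same server_name on the
    # same listen socket make nginx ignore the second one ("conflicting
    # server name"), which silently disabled the redirect in the original.
    listen 443 ssl;
    # "[::]" alone binds IPv6 only (ipv6only=on is the default), so the
    # IPv4 listen above is still required.
    listen [::]:443 ssl;
    # Your domain. nginx comments start with "#"; the original "//" text
    # after the semicolon was parsed as an unknown directive.
    server_name domain.com;
    index index.html index.htm index.php default.html default.htm default.php;

    ssl_certificate /usr/local/nginx/cert/214020580630662.pem;
    ssl_certificate_key /usr/local/nginx/cert/214020580630662.key;
    # Server-side session cache (default is "none"), so resumption works.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original "ECDHE:ECDH:AES:HIGH"
    # list also admitted static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    # HSTS: enable once every host under the domain is served over HTTPS.
    # Browsers cache the policy, so it is hard to roll back.
    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Project document root (the Laravel "public/" directory).
    root /home/wwwroot/web/public;

    include laravel.conf;
    #error_page 404 /404.html;
    include enable-php.conf;

    location ~ \.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }

    # The original pattern "\.(js|css)?$" made the extension optional, so it
    # also matched any URI ending in a bare "."; anchor the extensions instead.
    location ~ \.(js|css)$
    {
        expires 12h;
    }

}

# Plain HTTP: permanent redirect to HTTPS. "return" needs no regex, and
# $server_name (fixed server-side) rather than $host means a client-chosen
# Host header cannot steer the redirect target; $request_uri keeps path+query.
server {
    listen 80;
    listen [::]:80;
    server_name domain.com;
    return 301 https://$server_name$request_uri;
}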
nginx http跳转https的几种方法:

方法一 (最古老的写法,不推荐:每个请求都要做一次正则匹配,而且 `$host` 取自客户端发来的 Host 头)

# Regex rewrite. $host comes from the client's Host header; $1 is the path only
# (the query string is appended automatically because no "?" ends the target).
rewrite ^(.*)$  https://$host$1 permanent;

方法二 (推荐:`return` 不做正则匹配,`$server_name` 由服务端固定、不受客户端控制,`$request_uri` 保留原始路径和查询串)

# No regex; $server_name is fixed server-side and $request_uri keeps path and query.
return     301 https://$server_name$request_uri;

方法三 如果你有多个域名绑定在同一个 server 上,可以只对某些域名强制跳转(注意引号必须是 ASCII 的 `"`,中文全角引号会被当成域名字符串的一部分,导致条件永远不成立)

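# ASCII quotes: the original used "smart" quotes, which nginx treats as part of
# the literal, so the comparison never matched. $request_uri keeps the original
# path and query; the original rewrite captured the path but then sent every
# request to "/".
if ($host = "1.dyseo.com.cn") {
    return 301 https://1.dyseo.com.cn$request_uri;
}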

方法四

方法四跟之前的都不一样,我们不需要另外监听 443 端口的 server,而是都放在一起,像这样

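listen 80;
listen 443 ssl http2;
server_name dyseo.com.cn www.dyseo.com.cn;
# Redirect only requests that did not arrive on 443 ("!=" rather than "!~",
# which is a regex test). "return" avoids the regex rewrite; $request_uri keeps
# path and query. $host is client-supplied: it is guaranteed to be one of the
# names above only if this block is not the default_server for the port.
# The original snippet was missing the closing brace.
if ($server_port != 443) {
    return 301 https://$host$request_uri;
}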
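# Example: one server block serving :80 and :443 on both IPv4 and IPv6
  listen 80;
  listen 443 ssl;
  listen [::]:80;
  listen [::]:443 ssl;
  server_name   www.xxx.cn;
 
  ssl_certificate /ssl/xxx/xxx.cn.crt;
  ssl_certificate_key /ssl/xxx/xxx.cn.key;
  # Server-side session cache (default is "none"), so resumption works.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;
  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and removed here.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  # TLS 1.2: forward-secret AEAD suites only. The original "ECDHE:ECDH:AES:HIGH"
  # list also admitted static-RSA key exchange and CBC suites.
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  # TLS 1.3: with OpenSSL, ssl_ciphers does not select TLS 1.3 suites, and the
  # "TLS13-*" names below are draft-era names, not OpenSSL's TLS_AES_* names.
  # The built-in TLS 1.3 suites are all AEAD; if they must be restricted use
  # "ssl_conf_command Ciphersuites ..." (nginx >= 1.19.4). Kept for reference:
  #ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5:!3DES:!ADH:!RC4:!DH:!DHE;

  # Hardening (to be extended)
  # HSTS: enable once every host under the domain is served over HTTPS;
  # browsers cache the policy, so it is hard to roll back.
  #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  # upgrade-insecure-requests tells browsers to fetch http:// subresources over
  # https://; it upgrades mixed content rather than "allowing" it. NOTE: an
  # add_header inside any location replaces, not extends, the headers set here.
  add_header Content-Security-Policy "upgrade-insecure-requests";
  # Force HTTPS. "!=" rather than the regex test "!~"; "return" avoids a regex
  # rewrite and $request_uri keeps path and query. $host is client-supplied:
  # it is one of this server's names only if this block is not the
  # default_server for the port; otherwise prefer $server_name or a literal.
  if ($server_port != 443) {
        return 301 https://$host$request_uri;
  }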

扩展内容:

# List the cipher suites this OpenSSL build supports. To check what a specific
# ssl_ciphers string expands to, pass it as an argument: openssl ciphers -v '<string>'

openssl ciphers

# List the SSL/TLS protocol version switches this openssl binary knows
# (what the local client can speak, not what a given server negotiates).

openssl s_client -help 2>&1 | awk '/-(ssl|tls)[0-9]/{print $1}'