

Nginx serving only SSL and redirecting http to https


 

Nginx serving only SSL and redirecting http to https

 

 

 

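#######################################################
# HTTPS-only site for example.com.
#
# Plain HTTP (port 80) is only used to redirect to https://example.com; the
# HTTPS server serves static files and answers every request it does not
# explicitly expect (unknown Host, method, Referer or path) with 444, which
# makes nginx close the connection without sending a response.
#
# Changes from the published listing:
#   * an uncommented prose line inside http{} would have made `nginx -t` fail;
#     it is now a comment.
#   * error_page referenced /error_page.html while the internal-only location
#     matched /example_error_page.html, so the error page was never marked
#     internal; both now use /error_page.html.
#   * text/html was removed from gzip_types (nginx always compresses it and
#     warns about the duplicate).
#   * `ssl on;` replaced by the `listen ... ssl` form (the `ssl` directive has
#     since been removed from nginx; behaviour is the same for a single listen).
#   * the htpasswd file lives under the document root, so it is now explicitly
#     denied as a URL.

pid               /var/run/nginx.pid;
user              nginx nginx;
worker_processes  4;

events {
    worker_connections  1024;
}

http {
    ## MIME types
    types {
        application/xml  xml;
        image/jpeg       jpg;
        image/png        png;
        image/x-icon     ico;
        text/css         css;
        text/html        html;
        text/plain       bob;
        text/plain       txt;
    }
    default_type  application/octet-stream;

    ## Size Limits -- deliberately tiny: only GET/HEAD for static files is
    ## accepted below, so request bodies and oversized headers are rejected early.
    client_body_buffer_size      16k;
    client_header_buffer_size     1k;
    client_max_body_size          1k;
    large_client_header_buffers 1 1k;

    ## Global SSL options
    ## NOTE(review): `TLSv1` alone enables only TLS 1.0, and HIGH:!ADH:!MD5 does
    ## not exclude 3DES or non-forward-secret RSA key exchange on the OpenSSL
    ## releases of the time. On a current nginx/OpenSSL prefer
    ## `ssl_protocols TLSv1.2 TLSv1.3;` and a modern cipher list. Left as
    ## published because the nginx/OpenSSL version this targets is not stated.
    ssl_ciphers HIGH:!ADH:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    ## Timeouts
    client_body_timeout      60;
    client_header_timeout    60;
    keepalive_timeout     60 60;
    send_timeout             60;

    ## General Options
    ignore_invalid_headers   on;
    keepalive_requests       10;
    recursive_error_pages    on;
    server_tokens           off;   # hide the nginx version in Server: and error pages
    server_name_in_redirect off;
    sendfile                 on;

    ## TCP options
    tcp_nopush  on;
    tcp_nodelay on;

    ## Compression (text/html is always compressed; listing it is a warning)
    gzip                 on;
    gzip_static          on;
    gzip_buffers      16 8k;
    gzip_http_version   1.0;
    gzip_comp_level       6;
    gzip_min_length     100;
    gzip_types        text/plain text/css image/x-icon image/gif;
    gzip_vary            on;

    ## Log Format
    log_format  main  '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';

    ## Redirect http to https
    ## Listens on loopback only -- presumably something in front forwards port 80
    ## here; adjust the address if nginx is the public-facing daemon.
    server {
        add_header Cache-Control "public, must-revalidate";
        access_log  /var/log/nginx/access.log main;
        error_log   /var/log/nginx/error.log info;
        expires     90d;
        listen      127.0.0.1:80;
        root        /var/empty;
        server_name example.com www.example.com;

        location / {
            # Only redirect when the Host header is one of ours; anything else
            # (IP-literal scans, arbitrary vhost probes) gets the connection dropped.
            if ($host ~* ^(example\.com|www\.example\.com)$ ) {
                rewrite  ^/(.*)$  https://example.com/$1  permanent;
            }
            return 444;
        }
    }

    ## https .:. "default blank SSL server, SNI required"
    ## (look below for the tutorial titled, "default blank SSL server")
    #server {
    #    add_header Cache-Control "public, must-revalidate";
    #    add_header Strict-Transport-Security "max-age=7776000; includeSubdomains";
    #    expires     90d;
    #    listen      127.0.0.1:443 default ssl;
    #    return      444;
    #    root        /var/empty;
    #    server_name _;
    #
    #    ## SSL Certs (specific to this blank certificate)
    #    ssl_certificate     ssl_keys/default_blank.crt;
    #    ssl_certificate_key ssl_keys/default_blank.key;
    #    return              403;
    #}

    ## https .:. (www.)example.com ONLY
    server {
        access_log  /var/log/nginx/access.log main;
        add_header  Cache-Control "public, must-revalidate";
        error_log   /var/log/nginx/error.log info;
        expires     90d;
        index       index.html;
        listen      127.0.0.1:443 ssl;
        root        /var/www/htdocs;
        server_name  example.com www.example.com;

        ## SSL Certs (specific to this URL)
        ssl_certificate /ssl_keys/mydomain.com_ssl.crt;
        ssl_certificate_key /ssl_keys/mydomain_ssl.key;

        ## Strict Transport Security (ForceHTTPS) -- 30 days, all subdomains
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";

        ## Only allow GET and HEAD request methods
        if ($request_method !~ ^(GET|HEAD)$ ) {
            return 444;
        }

        ## Deny illegal Host headers (dots escaped, as in the port-80 server)
        if ($host !~* ^(example\.com|www\.example\.com)$ ) {
            return 444;
        }

        ## Deny certain User-Agents (case insensitive)
        # if ($http_user_agent ~* (Baiduspider|webalta|Wget|WordPress|youdao) ) {
        #   return 444;
        # }

        ## Deny certain Referers (case insensitive)
        if ($http_referer ~* (\.us$|dating|diamond|forsale|girl|jewelry|nudit|organic|poker|porn|poweroversoftware|sex|teen|webcam|zippo|zongdo) ) {
            return 444;
        }

        ## Only allow these full URI paths relative to document root. If you only want
        ## to reference the filename use $request_filename instead of $request_uri.
        ## Note `^\/` matches only the bare "/"; every other URI must end in one of
        ## the listed extensions or names.
        if ($request_uri !~* (^\/|\.html|\.gif|\.jpg|\.png|example\.css|robots\.txt|favicon\.ico)$ ) {
            return 444;
        }

        ## Redirect from www to non-www
        if ($host = 'www.example.com' ) {
            rewrite  ^/(.*)$  https://example.com/$1  permanent;
        }

        ## Stop Image and Document Hijacking
        ## NOTE(review): an absent Referer also fails this test, so direct requests
        ## and privacy-mode browsers are dropped too; add `|^$` if that is unintended.
        location ~* (\.jpg|\.gif|\.png|example\.css)$ {
            if ($http_referer !~ ^(https://example.com) ) {
                return 444;
            }
        }

        ## Restricted Access directory
        ## Default `satisfy all`: the client must come from an allowed address AND
        ## present valid basic-auth credentials.
        location ^~ /secure/ {
            allow 127.0.0.1/32;
            allow 10.10.10.0/24;
            deny all;
            auth_basic "RESTRICTED ACCESS";
            auth_basic_user_file /var/www/htdocs/secure/access_list;
        }

        ## The password file above sits inside the document root; an exact-match
        ## location beats the ^~ prefix above, so it can never be served as a URL.
        ## Moving the file outside /var/www/htdocs is the cleaner fix.
        location = /secure/access_list {
            deny all;
        }

        ## All other errors get the generic error page
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
                   500 501 502 503 504 505 506 507 /error_page.html;

        # internal: reachable only via error_page, a direct request gets 404
        location  /error_page.html {
            internal;
        }
    }
}
#######################################################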

 

Última actualización el Miércoles 20 de Abril de 2011 16:38