
Nginx serving only SSL and redirecting http to https


 

Nginx serving only SSL and redirecting http to https

 

 

 

#######################################################

## Main context: process identity and the event loop.
## Workers drop to the nginx user/group after the master binds the ports.
user              nginx nginx;
worker_processes  4;
pid               /var/run/nginx.pid;

events {
    ## Upper bound on simultaneous connections per worker process.
    worker_connections  1024;
}

 

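http {
    ## MIME types — a deliberately minimal map. Anything not listed here is
    ## served with default_type below (kept as in the original, including the
    ## "bob" extension).
    types {
        application/xml xml;
        image/jpeg      jpg;
        image/png       png;
        image/x-icon    ico;
        text/css        css;
        text/html       html;
        text/plain      bob;
        text/plain      txt;
    }
    default_type       application/octet-stream;

    ## Size Limits
    ## These are very tight: a 1k request-body cap and a single 1k buffer for
    ## large headers mean that any request carrying sizeable cookies or a long
    ## URI is answered with 400/414. That is acceptable for a small static
    ## GET/HEAD-only site; raise them if legitimate clients start failing.
    client_body_buffer_size      16k;
    client_header_buffer_size     1k;
    client_max_body_size          1k;
    large_client_header_buffers 1 1k;

    ## Global SSL options
    ## The original allowed TLS 1.0 only. TLS 1.0/1.1 are deprecated
    ## (RFC 8996) and fail PCI DSS. TLSv1.3 is only accepted by nginx >= 1.13.0
    ## built against OpenSSL >= 1.1.1 — drop it from this list on older builds
    ## or nginx will refuse to start.
    ssl_protocols TLSv1.2 TLSv1.3;
    ## "HIGH:!ADH:!MD5" (the original) still admitted anonymous ECDH (!ADH only
    ## removes anonymous DH), 3DES (SWEET32) and static-RSA key exchange (no
    ## forward secrecy). This string applies to TLS <= 1.2; TLS 1.3 suites are
    ## configured separately by OpenSSL.
    ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!3DES:!RC4:!kRSA;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    ## Timeouts (seconds)
    client_body_timeout      60;
    client_header_timeout    60;
    keepalive_timeout     60 60;
    send_timeout             60;

    ## General Options
    ignore_invalid_headers   on;
    keepalive_requests       10;
    recursive_error_pages    on;
    ## Hide the nginx version in the Server header and on error pages.
    server_tokens           off;
    server_name_in_redirect off;
    sendfile                 on;

    ## TCP options
    tcp_nopush  on;
    tcp_nodelay on;

    ## Compression
    ## NOTE: compressing TLS responses whose bodies both reflect request data
    ## and contain secrets enables the BREACH attack. For a purely static site
    ## this is a non-issue; remove text/html from gzip_types before adding
    ## anything dynamic.
    gzip                 on;
    gzip_static          on;
    gzip_buffers      16 8k;
    gzip_http_version   1.0;
    gzip_comp_level       6;
    gzip_min_length     100;
    gzip_types        text/plain text/html text/css image/x-icon image/gif;
    gzip_vary            on;

    ## Log Format
    log_format  main  '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';

    ## Redirect http to https
    server {
        ## Bound to loopback as in the original — change to the public address
        ## (or drop the IP) unless port 80 traffic is redirected here locally.
        listen      127.0.0.1:80;
        server_name example.com www.example.com;
        root        /var/empty;

        access_log  /var/log/nginx/access.log main;
        error_log   /var/log/nginx/error.log info;

        ## The 301 below is cacheable; 90 days is intentional for a permanent
        ## redirect.
        add_header Cache-Control "public, must-revalidate";
        expires     90d;

        location / {
            ## Only redirect requests for our own names; anything else
            ## (IP-based scans, bogus Host headers) is dropped without a
            ## response. Dots are escaped so that "exampleXcom" does not match.
            if ($host ~* ^(example\.com|www\.example\.com)$ ) {
                ## return 301 forwards the raw URI and query string unchanged;
                ## it is the idiomatic replacement for rewrite ... permanent.
                return 301 https://example.com$request_uri;
            }
            return 444;
        }
    }

    ## https .:. "default blank SSL server, SNI required"
    ## (look below for the tutorial titled "default blank SSL server")
    ## Left commented out as in the original. If enabled, it catches every TLS
    ## connection whose SNI/Host is not one of our names. Notes for whoever
    ## enables it: `default` is the pre-0.8.21 spelling of `default_server`;
    ## `ssl on` is the pre-1.15 form of `listen ... ssl`; and with both
    ## `return 444` and `return 403` present the first one wins, so the 403 is
    ## dead configuration and no headers are ever sent.
    #server {
    #    add_header Cache-Control "public, must-revalidate";
    #    add_header Strict-Transport-Security "max-age=7776000; includeSubdomains";
    #    expires     90d;
    #    listen      127.0.0.1:443 default;
    #    return      444;
    #    root        /var/empty;
    #    server_name _;
    #
    #   ## SSL Certs (specific to this blank certificate)
    #    ssl                 on;
    #    ssl_certificate     ssl_keys/default_blank.crt;
    #    ssl_certificate_key ssl_keys/default_blank.key;
    #    return              403;
    #   }

    ## https .:. (www.)example.com ONLY
    server {
        ## Bound to loopback as in the original — see the port 80 server.
        ## While the blank default server above stays disabled, this block is
        ## the default for 127.0.0.1:443 and therefore also receives
        ## connections for unknown names; the Host check below rejects them.
        ## `ssl` on listen replaces the deprecated `ssl on;` directive
        ## (removed in nginx 1.25.1).
        listen      127.0.0.1:443 ssl;
        server_name example.com www.example.com;
        root        /var/www/htdocs;
        index       index.html;

        access_log  /var/log/nginx/access.log main;
        error_log   /var/log/nginx/error.log info;

        ## SSL Certs (specific to this URL)
        ssl_certificate     /ssl_keys/mydomain.com_ssl.crt;
        ssl_certificate_key /ssl_keys/mydomain_ssl.key;

        ## Caching: public static content, 90 days. (`expires` also emits its
        ## own Cache-Control: max-age, so clients see two Cache-Control
        ## headers; harmless, kept from the original.)
        add_header  Cache-Control "public, must-revalidate";
        expires     90d;

        ## Strict Transport Security (ForceHTTPS)
        ## The original 30 days is too short to protect returning visitors;
        ## preload lists require at least one year. Only keep includeSubdomains
        ## if every subdomain really is served over HTTPS, because browsers
        ## will refuse plain HTTP to all of them. nginx adds add_header
        ## headers to 2xx/3xx responses only (no `always` before 1.7.5).
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        ## The MIME map above is tiny and default_type is octet-stream, so
        ## stop browsers from content-sniffing unknown types into HTML/script.
        add_header X-Content-Type-Options "nosniff";

        ## Only allow GET and HEAD request methods
        if ($request_method !~ ^(GET|HEAD)$ ) {
            return 444;
        }

        ## Deny illegal Host headers. Dots are escaped: the original pattern
        ## also matched e.g. "exampleXcom". $host has any port already
        ## stripped.
        if ($host !~* ^(example\.com|www\.example\.com)$ ) {
            return 444;
        }

        ## Deny certain User-Agents (case insensitive)
        # if ($http_user_agent ~* (Baiduspider|webalta|Wget|WordPress|youdao) ) {
        #   return 444;
        # }

        ## Deny certain Referers (case insensitive)
        ## These are unanchored substrings: "sex" also matches "essex",
        ## "teen" matches "fourteen", etc. Review before relying on it.
        if ($http_referer ~* (\.us$|dating|diamond|forsale|girl|jewelry|nudit|organic|poker|porn|poweroversoftware|sex|teen|webcam|zippo|zongdo) ) {
            return 444;
        }

        ## Only allow these paths relative to the document root.
        ## Checked against $uri (decoded, normalised, no query string) instead
        ## of $request_uri: $request_uri is the raw request line including the
        ## query string, so "/anything?x=.html" ended in ".html", satisfied the
        ## allowlist and reached the filesystem — a complete bypass. A side
        ## effect of the original was that every request with a query string
        ## was dropped; with $uri requests are judged on the path alone.
        ## Use $request_filename instead if you only want to match filenames.
        if ($uri !~* (^\/|\.html|\.gif|\.jpg|\.png|example\.css|robots\.txt|favicon\.ico)$ ) {
            return 444;
        }

        ## Redirect from www to non-www
        if ($host = 'www.example.com' ) {
            return 301 https://example.com$request_uri;
        }

        ## Stop Image and Document Hijacking
        ## The original `!~ ^(https://example.com)` also dropped requests with
        ## no Referer at all (direct loads, privacy-conscious browsers) and
        ## accepted "https://example.com.evil.tld". valid_referers compares the
        ## host properly against server_name; `none` and `blocked` admit empty
        ## or proxy-stripped referers.
        location ~* (\.jpg|\.gif|\.png|example\.css)$ {
            valid_referers none blocked server_names;
            if ($invalid_referer) {
                return 444;
            }
        }

        ## Restricted Access directory
        ## Both the IP allow-list and basic auth are required (`satisfy all`
        ## is the default).
        location ^~ /secure/ {
            allow 127.0.0.1/32;
            allow 10.10.10.0/24;
            deny all;
            auth_basic "RESTRICTED ACCESS";
            ## The original kept the htpasswd file at
            ## /var/www/htdocs/secure/access_list — inside the document root
            ## and inside this very location — so any authenticated user
            ## could download the password hashes. Keep credentials outside
            ## root and readable only by the nginx user.
            auth_basic_user_file /etc/nginx/htpasswd/example.com_secure;
            ## Authenticated responses must not inherit "Cache-Control:
            ## public": that token explicitly permits shared caches to store
            ## responses to requests that carried Authorization (RFC 7234
            ## §3.2). add_header at this level replaces the inherited set,
            ## so the security headers are repeated here.
            expires off;
            add_header Cache-Control "private, no-store";
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
            add_header X-Content-Type-Options "nosniff";
        }

        ## All other errors get the generic error page.
        ## The original pointed error_page at /error_page.html but marked
        ## /example_error_page.html internal, so the `internal` never applied;
        ## both now name the same URI. 444 is not listed because it closes the
        ## connection without a response.
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
                   500 501 502 503 504 505 506 507 /error_page.html;
        location = /error_page.html {
            internal;
        }
    }
}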

#######################################################

 
