
Debian+Nginx+PHP HTTPS配置模板

Nginx+PHP+HTTPS的配置模板,如果要部署其它网站,可以基于此进行修改:

# Plain-HTTP listener: serves no content, only sends every request to https://www.jsdd.net.
server {
    # Match both the apex domain and the www host.
    server_name jsdd.net www.jsdd.net;
    listen 80;

    # Permanent redirect to the canonical HTTPS host; $request_uri keeps the
    # original path and query string.
    return 301 https://www.jsdd.net$request_uri;
}

# HTTPS listener for the apex domain (no www): terminates TLS, then redirects to the www host.
server {
    server_name jsdd.net;  # apex domain only
    listen 443 ssl http2;

    # The www certificate is reused for this host, so it must also list jsdd.net
    # as a subject alternative name; otherwise clients see a name mismatch
    # before the redirect is ever sent.
    ssl_certificate /etc/nginx/ssl/www.jsdd.net.pem;      # certificate path
    ssl_certificate_key /etc/nginx/ssl/www.jsdd.net.key;  # private key path

    # Protocols and key exchange. ssl_ciphers only governs TLS 1.2 and below.
    # NOTE(review): no ssl_dhparam is set in this block; since nginx 1.11.0 DHE
    # suites are not offered without it, so EDH+AESGCM has no effect as written.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;

    # Session resumption: shared 10 MB cache, 10 minute lifetime, tickets disabled.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP stapling.
    # NOTE(review): stapling needs the issuer certificate (in the ssl_certificate
    # chain or via ssl_trusted_certificate) and a `resolver` for the OCSP
    # responder host name; neither is visible here - confirm they are set elsewhere.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Redirect every apex HTTPS request to www.jsdd.net, keeping path and query string.
    return 301 https://www.jsdd.net$request_uri;
}

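# HTTPS listener for the canonical host (www): serves the site and hands PHP to PHP-FPM.
server {
    listen 443 ssl http2;
    root /var/www/jsdd.net; # make sure this is the correct document root
    index index.html index.htm index.php index.nginx-debian.html;

    server_name  www.jsdd.net;
    # Largest accepted request body (uploads). PHP enforces its own limits as
    # well (upload_max_filesize / post_max_size) - keep them consistent.
    client_max_body_size 20m;

    ssl_certificate /etc/nginx/ssl/www.jsdd.net.pem; # certificate path; should include the intermediate chain
    ssl_certificate_key /etc/nginx/ssl/www.jsdd.net.key; # private key path; keep it readable by root only

    # Enabling TLSv1 makes HTTPS scanners report the site as not PCI DSS compliant.
    ssl_protocols  TLSv1.2 TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
    ssl_prefer_server_ciphers on;
    # Applies to TLS 1.2 and below only.
    # NOTE(review): no ssl_dhparam is set in this block; since nginx 1.11.0 DHE
    # suites are not offered without it, so EDH+AESGCM has no effect as written.
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    # NOTE(review): stapling needs the issuer certificate (in the ssl_certificate
    # chain or via ssl_trusted_certificate) and a `resolver` for the OCSP
    # responder host name; neither is visible here - confirm they are set elsewhere.
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7

    # HSTS: port 80 already redirects everything to HTTPS, so tell browsers to
    # skip the plain-HTTP hop on later visits. Use a short max-age while rolling
    # out; browsers cache this policy for the whole period.
    # A location that sets its own add_header stops inheriting this one.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Keep hidden files (.git, .env, .htaccess, ...) under the document root from
    # being served; /.well-known/ stays reachable for certificate validation.
    # Placed before the PHP location so it also wins for dot-prefixed .php paths.
    location ~ /\.(?!well-known/) {
        deny all;
    }

    # Front-controller routing: serve the file or directory if it exists,
    # otherwise pass the request to index.php with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Hand *.php requests to PHP-FPM over its unix socket.
    # NOTE(review): the stock Debian snippet answers 404 for scripts that do not
    # exist on disk instead of forwarding them to PHP - verify the local copy
    # still does, since that check is what keeps uploaded non-PHP files from
    # being run through a trailing "/x.php" path.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
    }
}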