This post was last edited by laoda on 2018-9-27 11:20
HTTPS is not only more secure: since the second half of 2017 the major search engines have given https sites indexing priority. The most expensive part of HTTPS is the handshake, which makes it noticeably slower than plain HTTP, so many site owners are reluctant to enable it. Write the settings below into your configuration and your HTTPS will speed up visibly, with immediate effect!

```nginx
server
{
    listen 80;
    listen 443 ssl http2;
    server_name bt.cn www.bt.cn;
    index index.php index.html;
    root /www/wwwroot/bt.cn;

    #SSL-START SSL settings; do not delete or modify the commented-out 404 rule on the next line
    #error_page 404/404.html;
    #HTTP_TO_HTTPS_START
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    #HTTP_TO_HTTPS_END
    ssl_certificate /etc/letsencrypt/live/bt.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bt.cn/privkey.pem;
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
    # SSLv3 and TLS 1.0/1.1 are obsolete; nginx built against a current OpenSSL will not negotiate SSLv3 even when it is listed here
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # OCSP stapling is off, so the resolver below is unused; turning stapling on would spare clients a separate OCSP fetch
    ssl_stapling off;
    resolver 8.8.8.8 114.114.114.114 119.29.29.29 valid=3600s;
    ssl_prefer_server_ciphers on;
    ssl_stapling_verify off;
    # Relative path, resolved against nginx's conf prefix (/www/server/nginx/conf); the file must be generated first, see below
    ssl_dhparam dh2048.pem;
    # Session resumption (shared cache plus tickets) is what removes the full handshake on repeat visits
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets on;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    # 497 is nginx's code for plain HTTP sent to the HTTPS port; redirect it to the https URL
    error_page 497 https://$host$request_uri;
    #301-START
    if ($host ~ '^bt.cn'){
        return 301 https://www.bt.cn$request_uri;
    }
    #301-END
    #SSL-END

    #ERROR-PAGE-START error page settings; may be commented out, deleted or modified
    error_page 404 /404.html;
    error_page 502 /502.html;
    #ERROR-PAGE-END

    #PHP-INFO-START PHP include; may be commented out or modified
    include enable-php-72.conf;
    #PHP-INFO-END

    #REWRITE-START include of URL rewrite rules; editing this breaks the rewrite rules set in the panel
    include /www/server/panel/vhost/rewrite/bt.cn.conf;
    #REWRITE-END

    #Files or directories that must not be served
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 444;
    }

    #Validation directory for one-click SSL certificate requests
    location ~ \.well-known{
        allow all;
    }

    location ~ .*\.(js|css|json|md|csv|log|conf|vue|jpg|jpeg|gif|png|tif|tiff|bmp|svg|psd|ico|tga|imb|mp3|mp4|avi|mpeg|rm|ra|ogg|wav|wmv|rmi|aac|rmvb|mkv|flv|swf|mov|movie|exe|ios|apk|ipa|pxl|sis|cab|deb|rar|zip|gzip|tar|7z|bzip2|dmg|gz|wim|tbz|tpz|z|jar|ttf|otf|woff|woff2|eot|sfnt)?$
    {
        expires max;
        error_log off;
        access_log off;
    }
    access_log /www/wwwlogs/bt.cn.log;
    error_log /www/wwwlogs/bt.cn.error.log;
}
```
dh2048.pem will cause an error by default, because it has to be generated by hand. Open the panel terminal or log in over SSH and generate the dh2048.pem file (`dhparam` is the current OpenSSL subcommand; the older `gendh` name is no longer present in current OpenSSL releases):

```sh
cd /www/ && openssl dhparam -out dh2048.pem 2048 && cp -i /www/dh2048.pem /www/server/nginx/conf/
```

Then, in the panel, copy the dh2048.pem from the current directory into /www/server/nginx/conf/.
Then go to software management, open the nginx settings and restart nginx. This improves the confidentiality of the certificate's key exchange while cutting the time spent on repeated requests!
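As an added example (not part of the original post or of the panel's own files), here is a small POSIX shell audit that reads the ssl_* directives of a server block like the one above and reports the points that matter for both speed and safety: obsolete protocol versions, OCSP stapling, the session cache and ticket key, and whether the dh2048.pem referenced by ssl_dhparam actually exists where nginx will look for it. The two config snippets, the temporary working directory and the placeholder dh2048.pem are constructed for the demonstration; the conf prefix /www/server/nginx/conf is the panel's own directory from the post.

```shell
#!/bin/sh
# Added example: offline audit of the ssl_* directives in an nginx server block.
# Not part of the original post or of the panel's own files. Both config
# samples below are constructed for the demonstration.
WORK="${TMPDIR:-/tmp}/nginx-tls-audit.$$"
mkdir -p "$WORK"

# Sample 1: the TLS-relevant lines of a server block like the one in the post.
cat > "$WORK/weak.conf" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # obsolete versions still listed
    ssl_stapling off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets on;
    ssl_dhparam dh2048.pem;                      # resolved against nginx's conf prefix
}
EOF

# Sample 2: the same block with the settings a defender would want. The empty
# dh2048.pem is a placeholder standing in for a file generated with openssl dhparam.
: > "$WORK/dh2048.pem"
cat > "$WORK/strong.conf" <<EOF
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets on;
    ssl_session_ticket_key $WORK/ticket.key;
    ssl_dhparam $WORK/dh2048.pem;
}
EOF

# conf_get FILE DIRECTIVE: value of the first matching directive with comments
# and the trailing ';' stripped; prints nothing when the directive is absent.
conf_get() {
    sed 's/#.*//' "$1" | awk -v d="$2" '
        $1 == d { $1 = ""; sub(/^ +/, ""); sub(/;[ \t]*$/, ""); print; exit }'
}

# tls_audit FILE PREFIX: prints one finding per line. PREFIX is the directory
# nginx resolves relative paths against (/www/server/nginx/conf on the panel).
tls_audit() {
    conf=$1
    prefix=$2

    protos=$(conf_get "$conf" ssl_protocols)
    case " $protos " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
            echo "ssl_protocols: obsolete version in '$protos'; use 'TLSv1.2 TLSv1.3'" ;;
    esac

    # Stapling puts the OCSP response into the handshake, so clients that check
    # revocation do not have to fetch it themselves.
    [ "$(conf_get "$conf" ssl_stapling)" = on ] ||
        echo "ssl_stapling: off or unset; enable it (needs a resolver) to spare clients an OCSP fetch"

    # Session resumption is what removes the full handshake on repeat visits;
    # without a cache every new connection pays the full price.
    [ -n "$(conf_get "$conf" ssl_session_cache)" ] ||
        echo "ssl_session_cache: unset; resumption needs a shared cache"

    # Without ssl_session_ticket_key nginx encrypts tickets with a random key
    # that lives until the next reload or restart, so rotation is up to you.
    if [ "$(conf_get "$conf" ssl_session_tickets)" = on ] &&
       [ -z "$(conf_get "$conf" ssl_session_ticket_key)" ]; then
        echo "ssl_session_tickets: on without ssl_session_ticket_key; set a key file and rotate it"
    fi

    # The post's own warning: a relative ssl_dhparam that was never generated
    # makes nginx refuse to start.
    dh=$(conf_get "$conf" ssl_dhparam)
    case $dh in
        "") return 0 ;;
        /*) dhpath=$dh ;;
        *)  dhpath="$prefix/$dh" ;;
    esac
    [ -f "$dhpath" ] ||
        echo "ssl_dhparam: '$dhpath' does not exist; generate it with 'openssl dhparam -out $dhpath 2048'"
}

echo "== weak.conf =="
tls_audit "$WORK/weak.conf" /www/server/nginx/conf
echo "== strong.conf =="
tls_audit "$WORK/strong.conf" /www/server/nginx/conf
```

Run it against your own vhost file with `tls_audit <file> /www/server/nginx/conf`; the weak sample produces four findings, the hardened one none. The parser is deliberately simple (one directive per line, first occurrence wins), which matches the panel-generated files but not every hand-written nginx config.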