Nginx SSL configuration for a WeChat mini program

First, an ordinary SSL configuration, as follows:

```nginx
server {
    listen 443;
    server_name www.abc.com;
    access_log /www/logs/api.log combined;

    ssl on;   # deprecated since nginx 1.15.0; "listen 443 ssl;" is the current form
    ssl_certificate /usr/local/nginx/conf/cert/www.abc.com.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert/www.abc.com.key;

    root /www/web/project-abc/public;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ /api {
        set $name "backup.abc.com";   # default upstream Host: traffic from real users
        proxy_pass https://127.0.0.1;
        proxy_buffer_size 32k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_redirect off;
        proxy_hide_header Vary;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Cookie $http_cookie;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Mini-program Referer format: https://servicewechat.com/{appid}/{version}/page-frame.html
        # "wxidnumber" stands for the AppID; version 0 or devtools marks developer tools, trial and review builds
        if ($http_referer ~ "^https://servicewechat\.com/wxidnumber/(0|devtools)/page-frame\.html") {
            set $name "miniprogram.abc.com";
        }
        proxy_set_header Host $name;
    }

    location ~ [^/]\.php(/|$) {
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi.conf;
        # Overrides REMOTE_ADDR with X-Forwarded-For, a header the client itself can supply on this front-end server
        fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
    }
}
```

The notable parts are: listen on port 443, enable ssl, and add the ssl_certificate (certificate) and ssl_certificate_key (private key) directives.

The other point is that, to separate requests from the mini-program developer tools, the trial version and the review version from requests of real users, the HTTP Referer is matched with a regular expression and the request is then forwarded to the local machine (proxy_pass https://127.0.0.1;) under one of two different Host names, backup.abc.com or miniprogram.abc.com, which is passed on with proxy_set_header Host $name;.
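The same Referer-based split written with a map block instead of if (the idiomatic nginx way to derive a variable from a header), with the loopback hop sending SNI and verifying the upstream certificate. This is an added example, not the post's own config; the CA bundle path is an assumption and "wxidnumber" remains the AppID placeholder used in the post.

```nginx
# http context: classify the request once, by Referer, into an upstream Host.
# "wxidnumber" stands for the mini program's AppID (placeholder, as in the post).
# The Referer is set by the client, so this is a routing hint, not an access control.
map $http_referer $api_host {
    default                                                                  backup.abc.com;
    "~^https://servicewechat\.com/wxidnumber/(0|devtools)/page-frame\.html"  miniprogram.abc.com;
}

server {
    listen 443 ssl;                  # replaces "listen 443;" plus the deprecated "ssl on;"
    server_name www.abc.com;
    ssl_certificate     /usr/local/nginx/conf/cert/www.abc.com.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert/www.abc.com.key;

    location ~ /api {
        proxy_pass https://127.0.0.1;
        proxy_set_header Host $api_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The loopback hop is TLS to the same nginx: send SNI so the matching
        # server block (and its certificate) is selected, and verify that
        # certificate against the system CA bundle (path is an assumption).
        proxy_ssl_server_name on;
        proxy_ssl_name $api_host;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```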

Then configure two further server blocks to handle the forwarded requests:

```nginx
server {
    listen 443;
    server_name miniprogram.abc.com;
    access_log /www/logs/miniprogram.log combined;

    ssl on;   # deprecated since nginx 1.15.0; "listen 443 ssl;" is the current form
    ssl_certificate /usr/local/nginx/conf/cert/miniprogram.abc.com.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert/miniprogram.abc.com.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    add_header Strict-Transport-Security "max-age=31536000";

    root /www/web/project-abc-miniprogram/public;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ [^/]\.php(/|$) {
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi.conf;
        # REMOTE_ADDR is taken from X-Forwarded-For as set by the front-end proxy above
        fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
    }
}
```

Note that the SSL configuration here contains, besides the certificate and its key, several other directives:

ssl_session_timeout: Specifies a time during which a client may reuse the session parameters, i.e. how long an entry in the session cache stays valid. The default is 5m, five minutes.

ssl_ciphers: Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library, for example:

ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The default is:

ssl_ciphers HIGH:!aNULL:!MD5;

The full list can be viewed using the "openssl ciphers" command.

ssl_protocols: Enables the specified protocols. Default: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

The TLSv1.1 and TLSv1.2 parameters (1.1.13, 1.0.12) work only when OpenSSL 1.0.1 or higher is used. The TLSv1.3 parameter (1.13.0) works only when OpenSSL 1.1.1 built with TLSv1.3 support is used.

ssl_prefer_server_ciphers: Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols. The default is off.

ssl_session_cache: off | none | [builtin[:size]] [shared:name:size];

Sets the types and sizes of caches that store session parameters. The default is none. A cache can be of any of the following types:

off: the use of a session cache is strictly prohibited: nginx explicitly tells a client that sessions may not be reused.

none: the use of a session cache is gently disallowed: nginx tells a client that sessions may be reused, but does not actually store session parameters in the cache.

builtin: a cache built in OpenSSL; used by one worker process only. The cache size is specified in sessions. If size is not given, it is equal to 20480 sessions. Use of the built-in cache can cause memory fragmentation.

shared: a cache shared between all worker processes. The cache size is specified in bytes; one megabyte can store about 4000 sessions. Each shared cache should have an arbitrary name. A cache with the same name can be used in several virtual servers.

Both cache types can be used simultaneously, for example:

ssl_session_cache builtin:1000 shared:SSL:10m;

but using only the shared cache without the built-in cache should be more efficient.
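A hardened version of the miniprogram.abc.com server block, as an added example rather than the post's config, applying the directives just described: TLS 1.2/1.3 only, a shared-only session cache, and the ngx_http_realip_module in place of the REMOTE_ADDR override. It assumes nginx 1.15.0 or newer and that this vhost is reachable only through the loopback proxy on 127.0.0.1.

```nginx
server {
    listen 443 ssl;                          # "ssl on;" is deprecated since nginx 1.15.0
    server_name miniprogram.abc.com;
    access_log /www/logs/miniprogram.log combined;

    ssl_certificate     /usr/local/nginx/conf/cert/miniprogram.abc.com.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert/miniprogram.abc.com.key;

    # TLS 1.1 dropped from the post's list; TLS 1.3 needs OpenSSL 1.1.1 built with it.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only (TLS 1.2 list; TLS 1.3 suites are built in).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Shared cache only (the post notes it is more efficient than builtin):
    # 10 MB holds roughly 40000 sessions; a longer timeout makes resumption useful.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;   # ticket keys would otherwise need their own rotation

    add_header Strict-Transport-Security "max-age=31536000" always;

    # This vhost is only reached through the loopback proxy, so accept
    # X-Forwarded-For solely from 127.0.0.1 and let nginx rewrite $remote_addr.
    # fastcgi.conf then passes the real client IP as REMOTE_ADDR without the
    # post's "fastcgi_param REMOTE_ADDR $http_x_forwarded_for;" override, which
    # would use whatever the original client put in the header.
    set_real_ip_from 127.0.0.1;
    real_ip_header X-Forwarded-For;
    real_ip_recursive off;   # take the last address, the one appended by our proxy

    root /www/web/project-abc-miniprogram/public;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ [^/]\.php(/|$) {
        fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi.conf;
    }
}
```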

For more on Nginx SSL configuration, see the official documentation: http://nginx.org/en/docs/http/ngx_http_ssl_module.html

Source: utcz.com/z/511462.html