oneinstack设置默认网站
默认nginx配置文件:
nginx:
/usr/local/nginx/conf/nginx.confopenresty:
/usr/local/openresty/nginx/conf/nginx.confoneinstack设置默认网站
打开nginx配置文件,在server里的listen后面加上default_server。
listen 80;修改为:
listen 80 default_server;进阶:
很多时候443也必须监控且设为默认网站,理由有很多,比如仿站cdn网站暴露ip,网站启用tls1.3。
关于tls1.3,网上很多教程都只是说升级openssl,没说同一服务器上所有网站必要都要配置tls1.3才能正确开启。
nginx:
创建证书存放的文件夹:
mkdir -p /usr/local/nginx/conf/ssl/default/fullchain.pem和privkey.pem为下方配置里的证书,可以获取任意证书(可以是无效证书)上传到刚才创建的目录。
打开配置文件(/usr/local/nginx/conf/nginx.conf),修改
listen 80;为
listen 80 default_server;
listen 443 ssl http2 default_server;
ssl_stapling on;
ssl_certificate /usr/local/nginx/conf/ssl/default/fullchain.pem;
ssl_certificate_key /usr/local/nginx/conf/ssl/default/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";openresty:
创建证书存放的文件夹:
mkdir -p /usr/local/openresty/nginx/conf/ssl/default/fullchain.pem和privkey.pem为下方配置里的证书,可以获取任意证书(可以是无效证书)上传到刚才创建的目录。
打开配置文件(/usr/local/openresty/nginx/conf/nginx.conf),修改
listen 80;为:
listen 80 default_server;
listen 443 ssl http2 default_server;
ssl_stapling on;
ssl_certificate /usr/local/openresty/nginx/conf/ssl/default/fullchain.pem;
ssl_certificate_key /usr/local/openresty/nginx/conf/ssl/default/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";其他:
如果监听了ipv6,那么需要加上:
listen [::]:80 default_server;
listen [::]:443 ssl http2 default_server;本作品采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可。
评论已关闭