?? NGINX配置生成器

您唯一需要配置NGINX服务器的工具。

? nginxconfig.io

NGINX不仅仅是一个网络服务器。您可能已经知道了。

我们喜欢NGINX，因为：

• 低内存使用
• 高并发
• 异步事件驱动架构
• 负载均衡
• 反向代理
• 带有缓存的FastCGI支持（PHP）
• 快速处理静态文件
• 带有SNI的TLS / SSL
• 性感的配置语法

许多功能具有相应的配置指令。您可以立即深入了解NGINX文档，也可以使用此工具检查NGINX的工作方式，观察您的输入如何影响输出，针对特定用例生成最佳配置（同时，您仍然可以使用docs）。

前因

关于Nginx部署，配置的文章网上已经发布过很多，包括我自己也私藏了不少还发布过两篇文章：

• 初步必备Nginx配置
• 前端必备Nginx配置

整理出来为的就是需要的时候，复制，加入即可使用。

然而千奇百怪的实际开发中，你肯定需要增删Nginx配置。你就得上网搜一下，复制粘贴出bug了又得调一下...

搞定还得保存下来以备后患。多了不好找还得整理...就搞得很麻烦

使用

实现用户访问*.myweb.com域名自动重新迁移到myweb.com配置，并开启http强制重启到https的配置。

配置完之后，下方还有安装步骤指导你配置才能。交互体验相当好

生成配置/etc/nginx/sites-available/myweb.com.conf如下：

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name myweb.com;
    root /var/www/myweb.com/public;

    # SSL
    ssl_certificate /etc/letsencrypt/live/myweb.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myweb.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/myweb.com/chain.pem;

    # security
    include nginxconfig.io/security.conf;

    # index.html fallback
    location / {
        try_files $uri $uri/ /index.html;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# subdomains redirect
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name *.myweb.com;

    # SSL
    ssl_certificate /etc/letsencrypt/live/myweb.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myweb.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/myweb.com/chain.pem;

    return 301 https://myweb.com$request_uri;
}

# HTTP redirect
server {
    listen 80;
    listen [::]:80;

    server_name .myweb.com;

    include nginxconfig.io/letsencrypt.conf;

    location / {
        return 301 https://myweb.com$request_uri;
    }
}
复制代码

网站下方还罗列了推荐的nginx配置，安全配置...以作参考

/etc/nginx/nginx.conf

# Generated by nginxconfig.io
# https://nginxconfig.io/?0.domain=myweb.com&0.php=false&0.index=index.html&0.fallback_html

user www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
    multi_accept on;
    worker_connections 65535;
}

http {
    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    log_not_found off;
    types_hash_max_size 2048;
    client_max_body_size 16M;

    # MIME
    include mime.types;
    default_type application/octet-stream;

    # logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    # SSL
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/nginx/dhparam.pem;

    # Mozilla Intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout 2s;

    # load configs
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
复制代码

/etc/nginx/nginxconfig.io/security.conf

# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# . files
location ~ /\.(?!well-known) {
    deny all;
}

资源资源

• Mozilla SSL配置生成器v5
• Mozilla SSL配置生成器
• OWASP TLS密码字符串备忘单
• Nginx优化：了解sendfile，tcp_nodelay和tcp_nopush
• NGINX调整以获得最佳性能
• 强化HTTP安全标头
• h5bp / server-configs-nginx
• 类似于Diffie-Hellman DSA的参数
• hstspreload.org
• Nginx worker_connections的最佳值