Nginx Notes
Summary: Author: 张亚飞 | Read Time: 3 minute read | Published: 2016-08-08
Categories: DevOps | Tags: Linux, Server, Software, DevOps
Nginx installation and management
References: NGINX official site; Compiling and installing Nginx on Ubuntu Server; Nginx configuration: performance
Installing with apt on Ubuntu. Removing nginx and installing the latest version from the updated nginx source:
1. Add the upgrade source: add the nginx team's official PPA to apt's source configuration and refresh the package index.
add-apt-repository ppa:nginx/stable
If add-apt-repository is not found, install it first:
apt install python-software-properties -y
apt update
- Upgrade nginx
apt upgrade nginx -y
nginx -v
- Restart nginx
kill -9 `pidof nginx`
/etc/init.d/nginx restart
After installing nginx the removal was incomplete, and installing the latest nginx from source kept failing. To uninstall nginx:
sudo apt --purge remove nginx
sudo apt autoremove
dpkg --get-selections|grep nginx
This lists the packages related to nginx:
nginx-common deinstall
Then:
sudo apt --purge remove nginx-common
This removes nginx completely, configuration files included.
sudo apt remove nginx nginx-common # Removes all but config files.
sudo apt purge nginx nginx-common # Removes everything.
sudo apt autoremove # After using any of the above commands, use this in order to remove dependencies used by nginx which are no longer required.
Reference: http://askubuntu.com/questions/235347/what-is-the-best-way-to-uninstall-nginx
Configuring SSL certificates in Nginx
OCSP stapling configuration
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /your/path/to/domain.chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;      # outside China
resolver 223.5.5.5 223.6.6.6 valid=300s;  # inside China; use only one of the two resolver lines
resolver_timeout 10s;
Test the OCSP stapling status with the following commands:
openssl s_client -connect coopens.com:443 -tls1 -tlsextdebug -status
openssl ocsp -issuer chain.pem -cert cert.pem -text -url http://ocsp.int-x1.letsencrypt.org -header "HOST" "ocsp.int-x1.letsencrypt.org" -no_nonce
openssl ocsp -no_nonce \
-header Host ocsp.int-x1.letsencrypt.org \
-url http://ocsp.int-x1.letsencrypt.org/ \
-issuer chain.pem \
-CAfile chain.pem \
-cert cert.pem
- OCSP root certificate configuration
cat fullchain.pem /data/home/yzhang/ServerRun/docs/Server/ServiceConfig/Nginx/Certify/DST_Root_CA_X3.pem > rootchain.pem
Here fullchain.pem is the current site's certificate chain and DST_Root_CA_X3.pem is the Let's Encrypt root certificate. After updating the OCSP certificate, run the test twice: the first handshake only triggers nginx to fetch the OCSP response, so checking the OCSP cache on the first try fails. Reference: Nginx OCSP stapling ssl_trusted_certificate #1813
ssl_trusted_certificate holds the CA certificates used to verify the OCSP response (each CA certificate plus the intermediates) together with the list of trusted root CAs. When it is used to verify OCSP responses it should be configured as the list of your CA's root certificate and intermediate CA certificates; here you can simply reuse the same certificate list file as ssl_certificate.
[[Solved] Cannot verify ocsp](https://community.letsencrypt.org/t/solved-cannot-verify-ocsp/3306)
[Unable to verify OCSP response](https://community.letsencrypt.org/t/unable-to-verify-ocsp-response/7264)
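The `cat fullchain.pem ... > rootchain.pem` step above has a common failure mode: if the first file has no trailing newline, the END marker of its last certificate and the BEGIN marker of the root land on one line, and OpenSSL's line-based PEM reader either drops the root or refuses the file, which shows up later as an OCSP verification failure. The following is an added example, not code from the original post, that rebuilds the trusted chain with every block re-wrapped and checks the result; the PEM bodies in its self-test are constructed dummies, not real certificates.

```python
import base64
import re

# One PEM certificate block; DOTALL so the base64 body may span lines.
_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# An END marker followed by a BEGIN marker on the same line: the symptom of
# concatenating a file that lacked its trailing newline.
_FUSED = re.compile(
    r"-----END CERTIFICATE-----[ \t]*-----BEGIN CERTIFICATE-----")


def pem_blocks(text: str) -> list[str]:
    """Return the base64 body (whitespace removed) of each certificate."""
    return [re.sub(r"\s+", "", m.group(1)) for m in _BLOCK.finditer(text)]


def wrap_pem(body: str) -> str:
    """Emit one canonical PEM block: 64-column base64 and a trailing newline."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def check_chain(text: str) -> list[str]:
    """Problems a bare `cat` can introduce; an empty list means the file is sane."""
    problems = []
    if _FUSED.search(text):
        problems.append("fused END/BEGIN markers: a file lacked its trailing newline")
    bodies = pem_blocks(text)
    if not bodies:
        problems.append("no CERTIFICATE blocks found")
    for i, body in enumerate(bodies):
        try:
            base64.b64decode(body, validate=True)
        except ValueError:
            problems.append(f"certificate {i} is not valid base64")
    return problems


def build_trusted_chain(*pem_files: str) -> str:
    """What `cat fullchain.pem root.pem > rootchain.pem` intends: the inputs
    joined in order, but with each block re-wrapped and duplicates dropped, so
    the result always passes check_chain()."""
    seen: set[str] = set()
    out = []
    for text in pem_files:
        for body in pem_blocks(text):
            if body not in seen:
                seen.add(body)
                out.append(wrap_pem(body))
    return "".join(out)


# Constructed self-test data: dummy base64 bodies, not real certificates.
def _dummy_pem(label: bytes, trailing_newline: bool = True) -> str:
    pem = wrap_pem(base64.b64encode(label * 12).decode())
    return pem if trailing_newline else pem.rstrip("\n")


# A "fullchain.pem" (leaf + intermediate) whose last line has no newline.
FULLCHAIN_NO_NEWLINE = _dummy_pem(b"leaf-cert-") + _dummy_pem(b"intermediate-", False)
ROOT_CA = _dummy_pem(b"root-ca-")

if __name__ == "__main__":
    naive = FULLCHAIN_NO_NEWLINE + ROOT_CA  # what `cat` would produce
    print("cat result:", check_chain(naive))
    fixed = build_trusted_chain(FULLCHAIN_NO_NEWLINE, ROOT_CA)
    print("rebuilt:", check_chain(fixed), "-", len(pem_blocks(fixed)), "certificates")
```

Run `check_chain()` on any chain file before pointing `ssl_trusted_certificate` at it; `nginx -t` will also refuse a badly framed file, but this tells you which of the two inputs caused it.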
Configure ssl_dhparam to strengthen the SSL configuration
Generate a 4096-bit dhparam.pem (the Diffie-Hellman parameters) with:
openssl dhparam -out dhparam.pem 4096
Configure HTTP Strict Transport Security (HSTS)
Add the following response header in the nginx server{} block:
add_header Strict-Transport-Security max-age=15768000;
Configure ssl_session_ticket_key
#ssl_session_ticket_key /etc/nginx/conf.d/tls_session_ticket.key;
ssl_session_tickets on;
tls_session_ticket.key can be generated as follows (reference: Configuring a high-performance, high-security HTTPS/TLS service with Nginx):
cd /etc/letsencrypt/archive/certify/
openssl rand 48 > tls_session_ticket.key
Check the site's certificate configuration with https://www.ssllabs.com/ssltest/analyze.html?d=coopens.com
References: Mozilla's latest recommended Nginx configuration; Configuring more secure SSL & ECC certificates on Nginx; Introduction to HTTPS: deployment and performance tuning with Nginx+SSL; An nginx configuration rated A+ by SSL Labs; SSL, Nginx, HSTS, SPDY, BREACH, FIPS, OCSP Stapling
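The directives from this section, collected into one server block. This is an added example and not configuration from the original post; the server name and every file path are placeholders, and the comments record the operational points behind each directive.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;     # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;       # placeholder path

    # OCSP stapling: nginx fetches and caches the responder's answer so the
    # client does not contact the CA itself. ssl_stapling_verify needs
    # ssl_trusted_certificate to hold the intermediate(s) and root that signed
    # the response (rootchain.pem = fullchain.pem + DST_Root_CA_X3.pem above).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/tls/rootchain.pem;  # placeholder path
    resolver 8.8.8.8 8.8.4.4 valid=300s;   # exactly one resolver directive per context
    resolver_timeout 10s;

    # 4096-bit parameters from `openssl dhparam -out dhparam.pem 4096`.
    ssl_dhparam /etc/nginx/tls/dhparam.pem;                # placeholder path

    # Session tickets. Without ssl_session_ticket_key nginx uses a random key
    # that changes on every reload. A key file (48 bytes from `openssl rand 48`)
    # lets resumption survive reloads, but anyone holding that key can decrypt
    # every session it protected, so keep it mode 0600 and rotate it.
    ssl_session_tickets on;
    #ssl_session_ticket_key /etc/nginx/tls/tls_session_ticket.key;  # placeholder path

    # HSTS with the max-age used above (about six months). Browsers will refuse
    # plain HTTP for that long, so enable it only once the whole site is
    # served over HTTPS.
    add_header Strict-Transport-Security max-age=15768000;
}
```

Run `nginx -t` after editing and then the `openssl s_client ... -status` check from above twice, since the first handshake only triggers the OCSP fetch.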
Nginx-related
References: Summary of Nginx location configuration and rewrite rules; Enabling HTTP/2 in NGINX; Nginx now supports HTTP/2; Testing HTTP2 on Nginx
Nginx variables
References: Nginx configuration: notes on variables; Getting Nginx's built-in variables; Complete list of built-in variables in the latest nginx
yzhang@coamn:/etc/nginx$ nginx -V
nginx version: nginx/1.8.1
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid
--http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
--with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module
--with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module
--add-module=/build/nginx-TOhDdu/nginx-1.8.1/debian/modules/nginx-auth-pam --add-module=/build/nginx-TOhDdu/nginx-1.8.1/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-TOhDdu/nginx-1.8.1/debian/modules/nginx-echo
--add-module=/build/nginx-TOhDdu/nginx-1.8.1/debian/modules/nginx-upstream-fair --add-module=/build/nginx-TOhDdu/nginx-1.8.1/debian/modules/ngx_http_substitutions_filter_module
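The `nginx -V` output above is worth more than a glance: it shows whether the binary has the module every `ssl_*` directive depends on (`http_ssl_module`) and which exploit-mitigation flags Ubuntu built it with (PIE, `-z relro -z now`, stack protector, `_FORTIFY_SOURCE`). The following is an added example, not code from the original post, that parses that output into a structured form and reports both. `SAMPLE` is the output shown above, abridged to a shorter module list so it runs offline; the `http_v2_module` name used in the check is a real nginx configure option that this 1.8.1 build predates. One caveat when reading the `built with OpenSSL ...` line: distribution packages backport security fixes without changing that upstream version string, so judge exposure from the package changelog, not from this string alone.

```python
import shlex

# `nginx -V` output from the post above, abridged (module list shortened) and
# embedded so the example runs offline. nginx prints -V to stderr, so for a
# live binary use:
#   subprocess.run(["nginx", "-V"], capture_output=True, text=True).stderr
SAMPLE = """\
nginx version: nginx/1.8.1
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector \
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' \
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf \
--with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module \
--with-http_stub_status_module --with-http_realip_module --with-http_spdy_module \
--with-mail --with-mail_ssl_module \
--add-module=/build/nginx-TOhDdu/nginx-1.8.1/debian/modules/nginx-echo
"""


def parse_nginx_v(text: str) -> dict:
    """Split `nginx -V` into version, OpenSSL build string, SNI support and the
    configure arguments, with --with-* feature flags and --add-module paths
    separated from key=value options."""
    info = {"version": None, "openssl": None, "sni": False,
            "configure": {}, "with": set(), "add_modules": []}
    for line in text.splitlines():
        if line.startswith("nginx version:"):
            info["version"] = line.rsplit("/", 1)[-1].strip()
        elif line.startswith("built with "):
            info["openssl"] = line[len("built with "):].strip()
        elif line.startswith("TLS SNI support"):
            info["sni"] = "enabled" in line
        elif line.startswith("configure arguments:"):
            args = line[len("configure arguments:"):]
            # shlex keeps the single-quoted -cc-opt/-ld-opt strings as one token.
            for token in shlex.split(args):
                key, _, value = token.lstrip("-").partition("=")
                if key == "add-module":
                    info["add_modules"].append(value)
                elif key.startswith("with-") and not value:
                    info["with"].add(key[len("with-"):])
                else:
                    info["configure"][key] = value
    return info


def hardening_report(info: dict) -> dict:
    """Exploit-mitigation flags visible in the compiler and linker options."""
    cc = info["configure"].get("with-cc-opt", "").split()
    ld = info["configure"].get("with-ld-opt", "").split()
    return {
        "pie": "-fPIE" in cc and "-pie" in ld,
        "relro": "-Wl,-z,relro" in ld,
        "bind_now": "-Wl,-z,now" in ld,
        "stack_protector": any(f.startswith("-fstack-protector") for f in cc),
        "fortify_source": any(f.startswith("-D_FORTIFY_SOURCE=") for f in cc),
    }


def missing_features(info: dict, required) -> list:
    """Names from `required` that the build lacks, e.g. http_ssl_module (needed
    for every ssl_* directive) or http_v2_module."""
    return [name for name in required if name not in info["with"]]


if __name__ == "__main__":
    info = parse_nginx_v(SAMPLE)
    print(info["version"], "|", info["openssl"], "| SNI:", info["sni"])
    print("hardening:", hardening_report(info))
    print("missing:", missing_features(info, ["http_ssl_module", "http_v2_module"]))
```

For the build shown, every mitigation flag is present and `http_ssl_module` is there, while `http_v2_module` is reported missing, which matches the SPDY-era version string.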