nginx-craft: An Nginx virtual host configuration for Craft CMS that implements a number of best practices

  • nginx-craft-master
  • forge-templates
  • NginxFastCGICacheTemplate.conf
  • NginxTemplate.conf
  • nginx-partials
  • expires.conf
  • cache-busting.conf
  • compression.conf
  • security.conf
  • .gitignore
  • sites-available
# nginx-craft

An Nginx virtual host configuration for Craft CMS that implements a number of best-practices.

## Overview

### What it handles

The Nginx-Craft configuration handles:

* Redirecting from HTTP to HTTPS
* Canonical domain rewrites from to
* 301 Redirect URLs with trailing /'s as per
* Setting `PATH_INFO` properly via php-fpm -> PHP
* Setting `HTTP_HOST` to mitigate HTTP_HOST Security Issues
* "Far-future" Expires headers
* Enable serving of static gzip files via gzip_static
* Adding XSS and other security headers
* Gzip compression
* Filename-based cache busting for static resources
* IPv4 and IPv6 support
* http2 support
* Reasonable SSL cipher suites and TLS protocols
* Localized sites
* Server-side includes
* Optionally includes Dotenvy generated `.env` files

### Assumptions made

The following are assumptions made in this configuration:

* The site is https
* The SSL certificate is from
* The canonical domain is (no www.)
* Nginx is version 1.9.5 or later (and thus supports http2)
* Paths are standard Ubuntu, change as needed
* You're using php7.1 via php-fpm
* You have `'omitScriptNameInUrls' => true,` in your `craft/general.php`

If any of these assumptions are invalid, make the appropriate changes.

**Note**: We disable TLSv1.0 because it is insecure, but IE 8, 9 & 10 need to have support for TLSv1.1 manually enabled or they will not be able to connect

### What's included

This Nginx configuration comes in two parts:

* `sites-available/` - an Nginx virtual host configuration file tailored for Craft CMS; it will require some minor customization for your domain
* `nginx-partials` - some Nginx configuration partials used by all of the virtual hosts, logically segregated. These don't need to be changed, but can be selectively disabled by changing the suffix to `.off` (or anything other than `.conf`)

## Using Nginx-Craft

1. Obtain an SSL certificate for your domain via []( (or via other certificate authorities). is free, and it's automated. You will need a basic server up and running that responds to port 80 to do this, LetsEncrypt/Nginx tutorial
2. Create a `dhparam.pem` via `sudo openssl dhparam -out /etc/nginx/dhparams.pem 2048`
3. Download your Issuer certificate via `sudo mkdir -p /etc/nginx/ssl; sudo wget -O /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem ""`
4. Upload the entire `nginx-partials` folder to `/etc/nginx/`
5. Rename the `` file to ``
6. Do a search & replace in `` to change `SOMEDOMAIN` -> `yourdomain`
7. Tweak any paths that may need changing on your server
8. Change the `fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;` line to reflect whatever version of PHP you're running
9. Restart nginx via `sudo nginx -s reload`

If you're using Forge, it takes care of a number of these things for you, but still needs tuning. The same applies for CloudWays, ServerPilot, Homestead, MAMP, etc.

A Forge Template is provided in `forge-templates/NginxTemplate.conf` that you can use to automate setting up your Forge servers. For this to work, you must clone the repo into `/home/forge` via:

```
git clone /home/forge
```

For further information on TLS optimization, see the How to properly configure your nginx for TLS article.

## Forge & opcache

**N.B.:** Forge now has `opcache` functionality baked-in, you can enable it via the Server settings, so this information is largely deprecated.

If you're using Forge, understand that `opcache` is off by default. To enable it, go to your server in Forge, click on *Edit Files* and choose *Edit PHP FPM Configuration* and search on `opcache`. Here are the defaults I use; tweak them to suit your needs:

```
[opcache]
; Determines if Zend OPCache is enabled
opcache.enable=1

; Determines if Zend OPCache is enabled for the CLI version of PHP
;opcache.enable_cli=0

; The OPcache shared memory storage size.
opcache.memory_consumption=256

; The amount of memory for interned strings in Mbytes.
opcache.interned_strings_buffer=16

; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 100000 are allowed.
opcache.max_accelerated_files=8000

; If disabled, all PHPDoc comments are dropped from the code to reduce the
; size of the optimized code.
opcache.save_comments=0
```

More about tweaking `opcache` can be found in the Fine-Tune Your Opcache Configuration to Avoid Caching Suprises article. The Best Zend OpCache Settings/Tuning/Config article is very useful as well.

## Local Development

While all of the configuration in the `` will work fine in local development as well, some people might want a simpler setup for local development.

There is a `` that you can use for a basic Nginx configuration that will work with Craft without any of the bells, whistles, or optimizations found in the ``.

While this is suitable for getting up and running quickly for local development, do not use it in production. There are a number of performance optimizations missing from it.

Brought to you by nystudio107
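The HTTP-to-HTTPS redirect, canonical domain, `PATH_INFO` and `HTTP_HOST` items from "What it handles", shown together in one virtual host. This is an added example, not the project's `sites-available` file; the domain `SOMEDOMAIN.com`, the document root, the certificate paths and the `ssl_protocols` value are assumptions.

```nginx
# Added illustration, not the project's sites-available file.
# Assumed: SOMEDOMAIN.com, the root path and the certificate paths.

# Plain HTTP on either host name: one 301 hop to the canonical HTTPS origin.
server {
    listen 80;
    listen [::]:80;
    server_name SOMEDOMAIN.com www.SOMEDOMAIN.com;
    return 301 https://SOMEDOMAIN.com$request_uri;
}

server {
    listen 443 ssl http2;              # http2 on listen needs nginx 1.9.5+
    listen [::]:443 ssl http2;
    server_name SOMEDOMAIN.com;
    root /var/www/SOMEDOMAIN/public;   # assumed path
    index index.php;

    ssl_certificate     /etc/letsencrypt/live/SOMEDOMAIN.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/SOMEDOMAIN.com/privkey.pem;    # assumed path
    ssl_dhparam         /etc/nginx/dhparams.pem;   # file created in step 2
    # TLSv1.0 excluded, as the README states; TLSv1.1 also left out here (assumption).
    ssl_protocols       TLSv1.2;

    # Partials renamed to .off no longer match the glob and are skipped.
    include /etc/nginx/nginx-partials/*.conf;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        set $path_info $fastcgi_path_info;    # save it: try_files resets the variable
        try_files $fastcgi_script_name =404;  # never hand PHP a script that is not on disk

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        # Pin the host name PHP sees. Once HTTP_HOST is set explicitly, nginx
        # stops forwarding the client-supplied Host header under that name.
        fastcgi_param HTTP_HOST SOMEDOMAIN.com;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    }
}
```

Run `sudo nginx -t` before the reload in step 9 so a syntax error or a missing certificate file is caught while the old configuration is still serving.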