質問編集履歴
1
nginxの設定を追記
title
CHANGED
|
File without changes
|
body
CHANGED
|
@@ -34,4 +34,111 @@
|
|
|
34
34
|
OS:CentOS 7.4
|
|
35
35
|
Webサーバ:nginx 1.13.8
|
|
36
36
|
SSL:OpenSSL 1.0.2k
|
|
37
|
-
他:PHP 7.2、cURL 7.57.8
|
|
37
|
+
他:PHP 7.2、cURL 7.57.8
|
|
38
|
+
|
|
39
|
+
|
|
40
|
+
1/29追記
|
|
41
|
+
|
|
42
|
+
### (A)のnginxの設定
|
|
43
|
+
|
|
44
|
+
■nginx.conf
|
|
45
|
+
```conf
|
|
46
|
+
user nginx;
|
|
47
|
+
worker_processes 1;
|
|
48
|
+
|
|
49
|
+
error_log /var/log/nginx/error.log warn;
|
|
50
|
+
pid /var/run/nginx.pid;
|
|
51
|
+
|
|
52
|
+
events {
|
|
53
|
+
worker_connections 1024;
|
|
54
|
+
}
|
|
55
|
+
|
|
56
|
+
http {
|
|
57
|
+
include /etc/nginx/mime.types;
|
|
58
|
+
default_type application/octet-stream;
|
|
59
|
+
|
|
60
|
+
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
61
|
+
'$status $body_bytes_sent "$http_referer" '
|
|
62
|
+
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
63
|
+
|
|
64
|
+
access_log /var/log/nginx/access.log main;
|
|
65
|
+
|
|
66
|
+
sendfile on;
|
|
67
|
+
#tcp_nopush on;
|
|
68
|
+
|
|
69
|
+
resolver 127.0.0.1;
|
|
70
|
+
|
|
71
|
+
keepalive_timeout 65;
|
|
72
|
+
|
|
73
|
+
#gzip on;
|
|
74
|
+
brotli on;
|
|
75
|
+
|
|
76
|
+
server_tokens off;
|
|
77
|
+
add_header X-Frame-Options SAMEORIGIN;
|
|
78
|
+
add_header X-XSS-Protection "1; mode=block";
|
|
79
|
+
add_header X-Content-Type-Options nosniff;
|
|
80
|
+
|
|
81
|
+
include /etc/nginx/conf.d/vhost.conf;
|
|
82
|
+
#include /etc/nginx/conf.d/*.conf;
|
|
83
|
+
}
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
|
|
87
|
+
|
|
88
|
+
■conf.d/vhost.conf
|
|
89
|
+
```conf
|
|
90
|
+
server {
|
|
91
|
+
listen 80 default_server;
|
|
92
|
+
listen [::]:80 default_server;
|
|
93
|
+
server_name example.com;
|
|
94
|
+
root /var/www/html;
|
|
95
|
+
error_log /var/log/nginx/error.log;
|
|
96
|
+
access_log /var/log/nginx/access.log main;
|
|
97
|
+
|
|
98
|
+
location / {
|
|
99
|
+
index index.html index.htm index.php;
|
|
100
|
+
}
|
|
101
|
+
|
|
102
|
+
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
|
|
103
|
+
#
|
|
104
|
+
location ~ .php$ {
|
|
105
|
+
fastcgi_pass unix:/var/run/php-fpm/www.sock;
|
|
106
|
+
fastcgi_index index.php;
|
|
107
|
+
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
|
108
|
+
include fastcgi_params;
|
|
109
|
+
}
|
|
110
|
+
|
|
111
|
+
include ssl.conf;
|
|
112
|
+
}
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
|
|
116
|
+
|
|
117
|
+
■conf.d/ssl.conf
|
|
118
|
+
|
|
119
|
+
```conf
|
|
120
|
+
#
|
|
121
|
+
# conf.d/ssl.conf
|
|
122
|
+
#
|
|
123
|
+
|
|
124
|
+
#listen 443 ssl http2;
|
|
125
|
+
listen 443 ssl;
|
|
126
|
+
ssl_session_cache shared:le_nginx_SSL:1m;
|
|
127
|
+
ssl_session_timeout 1440m;
|
|
128
|
+
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
|
|
129
|
+
|
|
130
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
131
|
+
ssl_prefer_server_ciphers on;
|
|
132
|
+
|
|
133
|
+
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA";
|
|
134
|
+
|
|
135
|
+
ssl_stapling on;
|
|
136
|
+
ssl_stapling_verify on;
|
|
137
|
+
|
|
138
|
+
if ($scheme != "https") {
|
|
139
|
+
return 301 https://$host$request_uri;
|
|
140
|
+
}
|
|
141
|
+
ssl_certificate /etc/pki/tls/certs/2017.crt;
|
|
142
|
+
ssl_certificate_key /etc/pki/tls/private/2017.key;
|
|
143
|
+
ssl_trusted_certificate /etc/pki/tls/certs/2017.intermediate;
|
|
144
|
+
```
|