nginx域名配置,SSL证书配置

发布时间 2023-04-21 18:19:56作者: 第一夫人

1、禁止ip直接访问

 2、访问http强制重定向到https

 3、SSL证书配置。按下面的参数配置后,可以通过在线SSL检测,检测地址:https://myssl.com/

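# TLS settings; place them inside the `server { listen 443 ssl; ... }` block.
# Certificate chain and private key. Relative paths are resolved against the
# nginx configuration prefix. Keep the .key file readable only by the user
# that starts nginx.
ssl_certificate   ceti/xxx.pem;
ssl_certificate_key  ceti/xxx.key;
ssl_session_timeout 5m;
# TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
# TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1; drop it on older builds.
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 suites limited to ECDHE key exchange with AEAD ciphers: forward
# secrecy, no CBC, no static-RSA key exchange. TLS 1.3 suites are not
# controlled by this directive.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
# HSTS for one year. `always` also sends the header on error responses
# (4xx/5xx), which plain add_header skips.
add_header Strict-Transport-Security "max-age=31536000" always;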

 

 4、完整配置

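# Item 1: catch-all for requests whose Host header matches no configured
# server_name (bare IP address, unknown domains). 444 makes nginx close the
# connection without sending a response.
# Only one server per listen socket may carry default_server; remove it from
# any other server block that already has it.
# The same catch-all is needed on port 443; there `ssl_reject_handshake on;`
# (nginx >= 1.19.4) rejects unknown names without needing a certificate.
server {
     listen 80 default_server;
     server_name _;
     return 444;
}

# Item 2: permanent redirect from plain HTTP to HTTPS.
server {
     listen 80;
     server_name www.xxx.cn;
     # The target host is fixed rather than taken from $host, so a forged Host
     # header cannot steer the redirect. $request_uri keeps the original path
     # and query string instead of sending every request to the home page.
     return 301 https://www.xxx.cn$request_uri;
}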

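# HTTPS virtual host for www.xxx.cn: TLS termination, PHP front controller,
# static-asset caching and per-site logs.
server
    {
        listen 443 ssl;
        server_name www.xxx.cn;

        # Certificate chain and private key; keep the .key file readable only
        # by the user that starts nginx.
        ssl_certificate   ceti/xxx.cn.pem;
        ssl_certificate_key  ceti/xxx.cn.key;
        ssl_session_timeout 5m;
        # Same TLS policy as the section 3 snippet. TLS 1.0/1.1 are deprecated
        # (RFC 8996). TLSv1.3 needs nginx >= 1.13.0 with OpenSSL >= 1.1.1.
        ssl_protocols TLSv1.2 TLSv1.3;
        # ECDHE + AEAD suites only. The previous list contained `ALL`, which
        # pulls in CBC and static-RSA suites that were never excluded again.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        # HSTS from section 3, which the full configuration had left out.
        # add_header is inherited by a location only when that location sets
        # no add_header of its own; enable-php.conf is not shown here, so
        # repeat this line there if it adds headers.
        add_header Strict-Transport-Security "max-age=31536000" always;

        index index.php;
        root  /data/www/xxx.cn/public;

        # Allow cross-origin requests (CORS).
        # NOTE(review): `*` lets any site read these responses from a browser.
        # That is fine for public, unauthenticated content; for anything else
        # list the trusted origins explicitly instead of the wildcard.
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Headers X-Requested-With;
        add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

        # Requests that match no existing file or directory are handed to the
        # PHP front controller with the original path in the `s` parameter.
        location / {
            if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php?s=/$1 last;
                break;
            }
        }

        # PHP handler configuration lives in a separate file (not shown on this page).
        include enable-php.conf;

        # Long cache lifetime for images and Flash files.
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        # Shorter cache lifetime for scripts and stylesheets. The extension
        # group is mandatory: with the former trailing `?` this location also
        # matched any URI that merely ended in a dot.
        location ~ .*\.(js|css)$
        {
            expires      12h;
        }

        access_log  /data/logs/nginx/www.xxx_access.log;
        error_log /data/logs/nginx/www.xxx_error.log;
    }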