Nginx Server块配置详细解读
server { listen 80; # 监听端口 listen [::]:80 ipv6only=on; # IPv6 server_name example.com www.example.com; # 域名 # 根目录和索引 root /var/www/html; index index.html index.htm index.php; # 字符集 charset utf-8; # SSL配置(HTTPS) listen 443 ssl http2; ssl_certificate /etc/ssl/cert.pem; ssl_certificate_key /etc/ssl/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; # 重定向HTTP到HTTPS if ($scheme != "https") { return 301 https://$host$request_uri; } # 安全头 add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options "nosniff"; add_header X-XSS-Protection "1; mode=block"; }一、基础监听配置
1. 监听设置
listen 80; # 监听IPv4的80端口 listen [::]:80 ipv6only=on; # 监听IPv6的80端口详细说明:
listen 80:监听所有IPv4地址的80端口[::]:IPv6的简写,表示所有IPv6地址ipv6only=on:仅处理IPv6连接,避免IPv6 socket同时处理IPv4连接
等价写法:
# 更明确的写法 listen 0.0.0.0:80; # 监听所有IPv4 listen [::]:80; # 监听所有IPv62. 域名绑定
server_name example.com www.example.com;匹配规则:
请求: http://example.com → 匹配 ✓ 请求: http://www.example.com → 匹配 ✓ 请求: http://blog.example.com → 不匹配 ✗ 请求: http://example.org → 不匹配 ✗通配符用法:
server_name *.example.com; # 匹配所有子域名 server_name .example.com; # 匹配example.com和所有子域名 server_name ~^(www\.)?example\.com$; # 正则匹配二、文件服务配置
1. 根目录设置
root /var/www/html; index index.html index.htm index.php;文件查找流程:
请求: GET /about 查找: /var/www/html/about → 存在则返回 ↓ 不存在 查找: /var/www/html/about/index.html ↓ 不存在 查找: /var/www/html/about/index.htm ↓ 不存在 查找: /var/www/html/about/index.php2. 字符集设置
charset utf-8; # 设置默认字符集为UTF-8响应头效果:
Content-Type: text/html; charset=utf-8其他常用字符集:
charset gb2312; # 简体中文 charset gbk; # 扩展中文 charset iso-8859-1; # 西欧语言三、SSL/TLS配置
1. HTTPS监听
listen 443 ssl http2; # 监听443端口,启用SSL和HTTP/2协议支持:
ssl:启用SSL/TLS加密http2:启用HTTP/2协议(需要Nginx 1.9.5+)
2. 证书配置
ssl_certificate /etc/ssl/cert.pem; # 公钥证书 ssl_certificate_key /etc/ssl/key.pem; # 私钥文件证书格式说明:
# PEM格式(常用)-----BEGIN CERTIFICATE----- 证书内容 -----END CERTIFICATE-----# 证书链配置ssl_certificate /path/to/fullchain.pem;# 包含中间证书3. 安全协议
ssl_protocols TLSv1.2 TLSv1.3; # 只允许TLS 1.2和1.3各版本对比:
| 协议 | 状态 | 安全性 |
|---|---|---|
| SSLv2 | ❌ 已弃用 | 严重漏洞 |
| SSLv3 | ❌ 已弃用 | POODLE攻击 |
| TLSv1.0 | ❌ 不推荐 | BEAST攻击 |
| TLSv1.1 | ⚠️ 过渡 | 逐渐淘汰 |
| TLSv1.2 | ✅ 推荐 | 目前主流 |
| TLSv1.3 | ✅ 最新 | 最高安全 |
4. 加密套件
ssl_ciphers HIGH:!aNULL:!MD5;加密套件解析:
HIGH:高强度加密算法!aNULL:禁用匿名DH算法!MD5:禁用MD5哈希算法
推荐配置:
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;四、HTTP到HTTPS重定向
1. 重定向配置
if ($scheme != "https") { return 301 https://$host$request_uri; }变量说明:
$scheme:请求协议(http/https)$host:请求的主机名$request_uri:完整的请求URI
重定向示例:
http://example.com/about → https://example.com/about http://www.example.com/ → https://www.example.com/ http://example.com:80 → https://example.com:4432. 替代方案(推荐)
# 方案1:单独监听80端口并重定向 server { listen 80; listen [::]:80; server_name example.com www.example.com; return 301 https://$server_name$request_uri; } # 方案2:使用rewrite server { listen 80; server_name example.com; rewrite ^(.*) https://$server_name$1 permanent; }五、安全响应头
1. X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN";作用:防止点击劫持攻击
取值:
DENY:完全禁止iframe嵌入SAMEORIGIN:只允许同域名嵌入ALLOW-FROM uri:允许指定域名嵌入
2. X-Content-Type-Options
add_header X-Content-Type-Options "nosniff";作用:阻止MIME类型嗅探攻击
效果:浏览器不会尝试猜测文件类型,严格按照Content-Type处理
3. X-XSS-Protection
add_header X-XSS-Protection "1; mode=block";作用:启用XSS过滤器
取值:
0:禁用过滤器1:启用过滤器1; mode=block:启用并阻止页面加载
六、配置存在的问题与优化
问题1:SSL配置位置不当
# ❌ 错误:把SSL配置放在非SSL server块 server { listen 80; listen 443 ssl; # 混合配置,不清晰 # SSL配置... }✅ 正确分离:
# HTTP server(只重定向) server { listen 80; listen [::]:80; server_name example.com www.example.com; return 301 https://$server_name$request_uri; } # HTTPS server(完整配置) server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name example.com www.example.com; # SSL配置... # 主站点配置... }问题2:缺少重要安全头
# 建议补充的安全头 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; add_header Content-Security-Policy "default-src 'self'"; add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Permissions-Policy "geolocation=()";问题3:SSL配置不完整
# 完整SSL优化配置 ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_session_tickets off; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s;七、完整优化配置示例
# HTTP重定向server server { listen 80; listen [::]:80; server_name example.com www.example.com; # 301永久重定向到HTTPS return 301 https://$server_name$request_uri; # 可选:记录重定向日志 access_log /var/log/nginx/redirect.log; } # HTTPS主server server { # 监听设置 listen 443 ssl http2; listen [::]:443 ssl http2; # 域名 server_name example.com www.example.com; # SSL证书 ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # SSL安全配置 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512; ssl_prefer_server_ciphers off; # SSL性能优化 ssl_session_cache shared:SSL:10m; ssl_session_timeout 24h; ssl_session_tickets off; # OCSP装订 ssl_stapling on; ssl_stapling_verify on; # 安全响应头 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # 站点根目录 root /var/www/example.com; index index.html index.htm; # 字符编码 charset utf-8; # 日志 access_log /var/log/nginx/example.com.access.log; error_log /var/log/nginx/example.com.error.log; # 默认location location / { try_files $uri $uri/ =404; } # 静态文件缓存 location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ { expires 1y; add_header Cache-Control "public, immutable"; } }八、配置流程图
客户端访问 ↓ [HTTP请求] → 80端口server → 301重定向到HTTPS ↓ [HTTPS请求] → 443端口server ↓ SSL握手 → 证书验证 → 协议协商 ↓ 添加安全响应头 ↓ 查找文件 → root目录 → index文件 ↓ 返回加密响应九、调试技巧
1. 测试配置
# 检查配置语法sudonginx -t# 重新加载配置sudonginx -s reload# 查看监听端口sudonetstat-tlnp|grepnginx2. SSL测试
# 测试SSL配置openssl s_client -connect example.com:443 -tls1_2# 检查证书链openssl s_client -showcerts -connect example.com:443# 在线测试curl-I https://example.com3. 安全头测试
# 查看响应头curl-I https://example.com# 专门检查安全头curl-s -D - https://example.com -o /dev/null|grep-iE"(x-|hsts|content-security)"
 启动失败)
