默认nginx配置文件:

nginx:

/usr/local/nginx/conf/nginx.conf

openresty:

/usr/local/openresty/nginx/conf/nginx.conf

oneinstack设置默认网站

打开nginx配置文件,在server里的listen后面加上default_server。

listen 80;

修改为:

listen 80 default_server;

进阶:

很多时候443也必须监控且设为默认网站,理由有很多,比如仿站cdn网站暴露ip,网站启用tls1.3。

关于tls1.3,网上很多教程都只是说升级openssl,没说同一服务器上所有网站必要都要配置tls1.3才能正确开启。

nginx:

创建证书存放的文件夹:

mkdir -p /usr/local/nginx/conf/ssl/default/

fullchain.pem和privkey.pem为下方配置里的证书,可以获取任意证书(可以是无效证书)上传到刚才创建的目录。

打开配置文件(/usr/local/nginx/conf/nginx.conf),修改

listen 80;

    listen 80 default_server;
    listen 443 ssl http2 default_server;
    ssl_stapling on;
    ssl_certificate     /usr/local/nginx/conf/ssl/default/fullchain.pem;
    ssl_certificate_key    /usr/local/nginx/conf/ssl/default/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

openresty:

创建证书存放的文件夹:

mkdir -p /usr/local/openresty/nginx/conf/ssl/default/

fullchain.pem和privkey.pem为下方配置里的证书,可以获取任意证书(可以是无效证书)上传到刚才创建的目录。

打开配置文件(/usr/local/openresty/nginx/conf/nginx.conf),修改

listen 80;

为:

    listen 80 default_server;
    listen 443 ssl http2 default_server;
    ssl_stapling on;
    ssl_certificate     /usr/local/openresty/nginx/conf/ssl/default/fullchain.pem;
    ssl_certificate_key    /usr/local/openresty/nginx/conf/ssl/default/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

其他:

如果监听了ipv6,那么需要加上:

listen [::]:80 default_server;
listen [::]:443 ssl http2 default_server;