A typical PHP site (Gnuboard and the like)
server {
    listen 80;
    server_name samplesite.com www.samplesite.com anothersite.net;
    root /home/myuser1/www;

    # Set to the same size as post_max_size (php.ini or php_admin_value).
    client_max_body_size 10M;

    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log /var/log/nginx/samplesite.com.error.log warn;

    location / {
        index index.php index.html;
    }

    # Allow the Let's Encrypt domain validation program.
    # '^~' is a prefix match that stops the regex locations below from being
    # evaluated, so the dot-file rule does not block /.well-known/.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Block dot files (.htaccess .htpasswd .svn .git .env and so on).
    location ~ /\. {
        deny all;
    }

    # Block access to log files, binaries, certificates, keys, shell scripts and SQL dumps.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }

    # Block access to package metadata and project files (composer, readme, license, build files).
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # Block .php files inside upload folders: uploads (WordPress), default/files (Drupal), data (Gnuboard).
    # Anchored with (/|$), like the PHP handler below, so that a PATH_INFO-style
    # request such as /data/x.php/y is denied here as well; a '\.php$' anchor
    # alone would let such a request reach the PHP handler.
    location ~* /(?:uploads|default/files|data)/.*\.php(/|$) {
        deny all;
    }

    # PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Refuse requests whose script does not exist on disk, so a request
        # for a non-existent file.php is never handed to PHP-FPM (cgi.fix_pathinfo).
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
        include fastcgi_params;
    }
}
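To check what the access rules above actually do before deploying them, here is a small model of nginx's location matching for this server block. It is an added example, not code from the original post; the document-root file set is constructed, and the regexes are copied from the config. It also compares the upload-directory deny rule anchored with `\.php$` against the `\.php(/|$)` anchoring the PHP handler itself uses.

```python
import re

# Model of the location matching in the server block above (added example).
# nginx checks an exact '=' location first, then prefix locations; a '^~'
# prefix match stops the regex search; otherwise the FIRST regex location
# that matches, in file order, wins; anything left goes to 'location /'.
EXACT_STATIC = {"/favicon.ico", "/robots.txt"}
STOP_PREFIXES = ("/.well-known/acme-challenge/",)  # location ^~ ... { allow all; }

# Regex locations in the same order as the config; '~*' ones get re.I.
UPLOAD_DENY = re.compile(r"/(?:uploads|default/files|data)/.*\.php$", re.I)
REGEX_LOCATIONS = [
    (re.compile(r"/\."), "deny"),                          # dot files
    (re.compile(r"\.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$", re.I), "deny"),
    (re.compile(r"(composer\.json|composer\.lock|composer\.phar|contributing\.md"
                r"|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan"
                r"|gulpfile\.js|package\.json|phpunit\.xml)$", re.I), "deny"),
    (UPLOAD_DENY, "deny"),
    (re.compile(r"[^/]\.php(/|$)"), "php"),                # PHP handler
]

# Same upload rule anchored like the PHP handler, so 'x.php/extra' inside an
# upload directory is denied instead of reaching the handler.
UPLOAD_DENY_STRICT = re.compile(r"/(?:uploads|default/files|data)/.*\.php(/|$)", re.I)
STRICT_LOCATIONS = [(UPLOAD_DENY_STRICT if p is UPLOAD_DENY else p, a)
                    for p, a in REGEX_LOCATIONS]

def route(uri, regex_locations=REGEX_LOCATIONS):
    """Return what nginx does with a request path: static, allow, deny or php."""
    if uri in EXACT_STATIC:
        return "static"
    if uri.startswith(STOP_PREFIXES):
        return "allow"
    for pattern, action in regex_locations:
        if pattern.search(uri):
            return action
    return "static"  # falls through to 'location /'

# Constructed document root for the '-f $document_root$fastcgi_script_name' check.
DOCROOT_FILES = {"/index.php", "/bbs/board.php", "/data/file/avatar.php"}

def php_handler(uri, files=DOCROOT_FILES):
    """Mimic fastcgi_split_path_info plus the existence check: 200 or 404."""
    m = re.match(r"^(.+?\.php)(/.*)?$", uri)   # script name, optional PATH_INFO
    script = m.group(1) if m else uri
    return 200 if script in files else 404
```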
For sites with short (pretty) URLs (WordPress, Drupal, CI, Laravel), use a try_files directive so that requests that do not map to a real file are routed to index.php.
server {
    listen 80;
    server_name samplesite.com www.samplesite.com anothersite.net;
    root /home/myuser1/www;

    # Set to the same size as post_max_size (php.ini or php_admin_value).
    client_max_body_size 10M;

    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log /var/log/nginx/samplesite.com.error.log warn;

    location / {
        index index.php index.html;
        # Serve an existing file or directory, otherwise hand the request to
        # the front controller with the original query string.
        try_files $uri $uri/ /index.php?$args;
    }

    # Allow the Let's Encrypt domain validation program.
    # '^~' is a prefix match that stops the regex locations below from being
    # evaluated, so the dot-file rule does not block /.well-known/.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Block dot files (.htaccess .htpasswd .svn .git .env and so on).
    location ~ /\. {
        deny all;
    }

    # Block access to log files, binaries, certificates, keys, shell scripts and SQL dumps.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }

    # Block access to package metadata and project files (composer, readme, license, build files).
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # Block .php files inside upload folders: uploads (WordPress), default/files (Drupal), data (Gnuboard).
    # Anchored with (/|$), like the PHP handler below, so that a PATH_INFO-style
    # request such as /uploads/x.php/y is denied here as well; a '\.php$' anchor
    # alone would let such a request reach the PHP handler.
    location ~* /(?:uploads|default/files|data)/.*\.php(/|$) {
        deny all;
    }

    # PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Refuse requests whose script does not exist on disk, so a request
        # for a non-existent file.php is never handed to PHP-FPM (cgi.fix_pathinfo).
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
        include fastcgi_params;
    }
}
Configure the https directives.
You need certificate files issued by a certificate authority. Alternatively,
you can issue the certificate files yourself by following https://blog.lael.be/post/5107.
First generate the dhparam.pem file with the following command. (It only needs to be run once per server; running it again does no harm.)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
server {
    listen 80;
    server_name samplesite.com www.samplesite.com anothersite.net;
    # Redirect to https, keeping the host the client asked for. $host is used
    # because $server_name always expands to the first name in the server_name
    # list (samplesite.com), which would send www.samplesite.com and
    # anothersite.net visitors to the wrong host.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name samplesite.com www.samplesite.com anothersite.net;
    root /home/myuser1/www;

    # Set to the same size as post_max_size (php.ini or php_admin_value).
    client_max_body_size 10M;

    ssl_certificate /home/myuser1/ssl/mergedssl.crt;
    ssl_certificate_key /home/myuser1/ssl/ssl.dec.key;
    ssl_dhparam "/etc/ssl/certs/dhparam.pem";

    # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
    add_header Strict-Transport-Security "max-age=31536000";

    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.
    # Note: TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); drop them
    # from ssl_protocols unless legacy clients require them.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';

    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log /var/log/nginx/samplesite.com.error.log warn;

    location / {
        index index.php index.html;
        # Serve an existing file or directory, otherwise hand the request to
        # the front controller with the original query string.
        try_files $uri $uri/ /index.php?$args;
    }

    # Allow the Let's Encrypt domain validation program.
    # '^~' is a prefix match that stops the regex locations below from being
    # evaluated, so the dot-file rule does not block /.well-known/.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Block dot files (.htaccess .htpasswd .svn .git .env and so on).
    location ~ /\. {
        deny all;
    }

    # Block access to log files, binaries, certificates, keys, shell scripts and SQL dumps.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }

    # Block access to package metadata and project files (composer, readme, license, build files).
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # Block .php files inside upload folders: uploads (WordPress), default/files (Drupal), data (Gnuboard).
    # Anchored with (/|$), like the PHP handler below, so that a PATH_INFO-style
    # request such as /uploads/x.php/y is denied here as well; a '\.php$' anchor
    # alone would let such a request reach the PHP handler.
    location ~* /(?:uploads|default/files|data)/.*\.php(/|$) {
        deny all;
    }

    # PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Refuse requests whose script does not exist on disk, so a request
        # for a non-existent file.php is never handed to PHP-FPM (cgi.fix_pathinfo).
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
        include fastcgi_params;
    }
}
Configure the https directives (general PHP site variant, without try_files in location /).
You need certificate files issued by a certificate authority. Alternatively,
you can issue the certificate files yourself by following https://blog.lael.be/post/5107.
First generate the dhparam.pem file with the following command. (It only needs to be run once per server; running it again does no harm.)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
server {
    listen 80;
    server_name samplesite.com www.samplesite.com anothersite.net;
    # Redirect to https, keeping the host the client asked for. $host is used
    # because $server_name always expands to the first name in the server_name
    # list (samplesite.com), which would send www.samplesite.com and
    # anothersite.net visitors to the wrong host.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name samplesite.com www.samplesite.com anothersite.net;
    root /home/myuser1/www;

    # Set to the same size as post_max_size (php.ini or php_admin_value).
    client_max_body_size 10M;

    ssl_certificate /home/myuser1/ssl/mergedssl.crt;
    ssl_certificate_key /home/myuser1/ssl/ssl.dec.key;
    ssl_dhparam "/etc/ssl/certs/dhparam.pem";

    # Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
    add_header Strict-Transport-Security "max-age=31536000";

    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.
    # Note: TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); drop them
    # from ssl_protocols unless legacy clients require them.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';

    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log /var/log/nginx/samplesite.com.error.log warn;

    location / {
        index index.php index.html;
    }

    # Allow the Let's Encrypt domain validation program.
    # '^~' is a prefix match that stops the regex locations below from being
    # evaluated, so the dot-file rule does not block /.well-known/.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Block dot files (.htaccess .htpasswd .svn .git .env and so on).
    location ~ /\. {
        deny all;
    }

    # Block access to log files, binaries, certificates, keys, shell scripts and SQL dumps.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }

    # Block access to package metadata and project files (composer, readme, license, build files).
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # Block .php files inside upload folders: uploads (WordPress), default/files (Drupal), data (Gnuboard).
    # Anchored with (/|$), like the PHP handler below, so that a PATH_INFO-style
    # request such as /data/x.php/y is denied here as well; a '\.php$' anchor
    # alone would let such a request reach the PHP handler.
    location ~* /(?:uploads|default/files|data)/.*\.php(/|$) {
        deny all;
    }

    # PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Refuse requests whose script does not exist on disk, so a request
        # for a non-existent file.php is never handed to PHP-FPM (cgi.fix_pathinfo).
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
        include fastcgi_params;
    }
}
Serve both http and https. Unless the situation leaves no other choice, it is better to serve https only.
You need certificate files issued by a certificate authority. Alternatively,
you can issue the certificate files yourself by following https://blog.lael.be/post/5107.
First generate the dhparam.pem file with the following command. (It only needs to be run once per server; running it again does no harm.)
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
server {
    listen 80;
    server_name samplesite.com www.samplesite.com anothersite.net;
    root /home/myuser1/www;

    # Set to the same size as post_max_size (php.ini or php_admin_value).
    client_max_body_size 10M;

    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log /var/log/nginx/samplesite.com.error.log warn;

    location / {
        index index.php index.html;
    }

    # Allow the Let's Encrypt domain validation program.
    # '^~' is a prefix match that stops the regex locations below from being
    # evaluated, so the dot-file rule does not block /.well-known/.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Block dot files (.htaccess .htpasswd .svn .git .env and so on).
    location ~ /\. {
        deny all;
    }

    # Block access to log files, binaries, certificates, keys, shell scripts and SQL dumps.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }

    # Block access to package metadata and project files (composer, readme, license, build files).
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # Block .php files inside upload folders: uploads (WordPress), default/files (Drupal), data (Gnuboard).
    # Anchored with (/|$), like the PHP handler below, so that a PATH_INFO-style
    # request such as /data/x.php/y is denied here as well; a '\.php$' anchor
    # alone would let such a request reach the PHP handler.
    location ~* /(?:uploads|default/files|data)/.*\.php(/|$) {
        deny all;
    }

    # PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Refuse requests whose script does not exist on disk, so a request
        # for a non-existent file.php is never handed to PHP-FPM (cgi.fix_pathinfo).
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
        include fastcgi_params;
    }
}
server {
    listen 443 ssl http2;
    server_name samplesite.com www.samplesite.com anothersite.net;
    root /home/myuser1/www;

    # Set to the same size as post_max_size (php.ini or php_admin_value).
    client_max_body_size 10M;

    ssl_certificate /home/myuser1/ssl/mergedssl.crt;
    ssl_certificate_key /home/myuser1/ssl/ssl.dec.key;
    ssl_dhparam "/etc/ssl/certs/dhparam.pem";

    # Disable HSTS. max-age=0 also tells browsers to forget any HSTS policy
    # this host set earlier, which is needed while plain http is still served.
    add_header Strict-Transport-Security "max-age=0";

    # Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score.
    # Note: TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); drop them
    # from ssl_protocols unless legacy clients require them.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';

    access_log /var/log/nginx/samplesite.com.access.log main;
    error_log /var/log/nginx/samplesite.com.error.log warn;

    location / {
        index index.php index.html;
    }

    # Allow the Let's Encrypt domain validation program.
    # '^~' is a prefix match that stops the regex locations below from being
    # evaluated, so the dot-file rule does not block /.well-known/.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # Block dot files (.htaccess .htpasswd .svn .git .env and so on).
    location ~ /\. {
        deny all;
    }

    # Block access to log files, binaries, certificates, keys, shell scripts and SQL dumps.
    location ~* \.(log|binary|pem|enc|crt|conf|cnf|sql|sh|key)$ {
        deny all;
    }

    # Block access to package metadata and project files (composer, readme, license, build files).
    location ~* (composer\.json|composer\.lock|composer\.phar|contributing\.md|license\.txt|readme\.rst|readme\.md|readme\.txt|copyright|artisan|gulpfile\.js|package\.json|phpunit\.xml)$ {
        deny all;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # Block .php files inside upload folders: uploads (WordPress), default/files (Drupal), data (Gnuboard).
    # Anchored with (/|$), like the PHP handler below, so that a PATH_INFO-style
    # request such as /data/x.php/y is denied here as well; a '\.php$' anchor
    # alone would let such a request reach the PHP handler.
    location ~* /(?:uploads|default/files|data)/.*\.php(/|$) {
        deny all;
    }

    # PHP handler
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Refuse requests whose script does not exist on disk, so a request
        # for a non-existent file.php is never handed to PHP-FPM (cgi.fix_pathinfo).
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass unix:/var/run/php-fpm/myuser1.sock;
        fastcgi_index index.php;
        fastcgi_buffers 64 4k; # default 8 4k
        include fastcgi_params;
    }
}