From 0daec119b314793d41493f8b78e467fe33079657 Mon Sep 17 00:00:00 2001 From: q158073378252010 Date: Wed, 13 Dec 2017 01:50:41 +0800 Subject: [PATCH] Add comments and configuration --- websocket+Nginx+TLS/Nginx.config | 45 +++++++++++++++++++++++++------- 1 file changed, 35 insertions(+), 10 deletions(-) diff --git a/websocket+Nginx+TLS/Nginx.config b/websocket+Nginx+TLS/Nginx.config index 2341ed0..0cf49db 100644 --- a/websocket+Nginx+TLS/Nginx.config +++ b/websocket+Nginx+TLS/Nginx.config @@ -18,9 +18,10 @@ # Default server configuration # +#####兼容客户端Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8 + server { #listen 80 default_server; - listen 127.0.0.1:80; #listen [::]:80 default_server; # SSL configuration 
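Review bot: The client-compatibility comment added above the port-80 `server {` block qualifies the TLS settings (`ssl_protocols`, `ssl_ciphers`) of the 443 block further down, so a reader of this block cannot tell what it refers to; it belongs directly above `ssl_protocols TLSv1.2;` in the HTTPS server. The client list (Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, Java 8) appears to be copied from a published TLS profile's supported-client line; naming the source and date in the comment lets the next maintainer re-check it when the cipher list changes, e.g. `# Oldest clients supported by the TLSv1.2-only / ECDHE-only settings in the 443 server (source: <profile name and date>)`. The `listen 127.0.0.1:80;` removed here reappears as `listen 127.0.0.1:80 default_server;` in the next hunk, so the block is not left without a listen directive.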
@@ -39,27 +40,49 @@ server { # # include snippets/snakeoil.conf; + listen 127.0.0.1:80 default_server; server_name domain.Name; - return 301 https://$server_name/$request_uri; + return 301 https://$host/$request_uri; } server { - #listen 443 ssl http2; + #listen 443 ssl http2; #listen [::]:443 ssl; - listen 127.0.0.1:443 ssl; - ssl on; + #要开启HTTP/2需要nginx版本在1.10.0以上且需要openssl版本在1.0.2以上编译 + #可以使用 nginx -V 检查 + listen 127.0.0.1:443 ssl http2; + + #证书配置 ssl_certificate PATH; ssl_certificate_key PATH; - #openssl dhparam out dhparam.pem 2048 - #openssl dhparam out dhparam.pem 4096 - ssl_dhparam /home/acme/data/dhparam.pem; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"; #屏蔽不安全的加密方式 + ssl_session_tickets off; + + #https://nginx.org/en/docs/http/ngx_http_ssl_module.html + ssl_protocols TLSv1.2; + ###openssl ciphers + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; #屏蔽不安全的加密方式 + ssl_prefer_server_ciphers on; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + # + ###测试前请使用较少的时间 此处以从 15768000 >>> 15 + 
###https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ + #add_header Strict-Transport-Security max-age=15; + + #openssl dhparam out dhparam.pem 2048 + #openssl dhparam out dhparam.pem 4096 + #ssl_dhparam /home/acme/data/dhparam.pem; + # OCSP Stapling --- + # fetch OCSP records from URL in ssl_certificate and cache them + #有条件就开 + #ssl_stapling on; + #ssl_stapling_verify on; + root /var/www/html; # Add index.php to the list if you are using PHP @@ -74,7 +97,9 @@ server { proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; + #host判断 if ($http_host = "domain.Name" ) { + #v 监听端口 proxy_pass http://127.0.0.1:10086; } }
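Review bot: `return 301 https://$host/$request_uri;` now builds the redirect target from the client-supplied Host header, and since the same block is also made `default_server` on port 80 in this hunk, every request reaching this listener, whatever Host it carries, is answered with a redirect to that host; with a single `server_name domain.Name;` the previous `$server_name` was the safe choice, so unless several hostnames are meant to be served here I would keep `$server_name` (or restrict `$host` to the expected names). Independently, `$request_uri` already starts with `/`, so the literal slash before it produces `https://domain.Name//path`; `return 301 https://$server_name$request_uri;` fixes both. The HSTS header is left commented out with the test value `max-age=15`; once HTTPS is verified, the comment should state the intended production value (the `15768000` mentioned above it) so the placeholder is not forgotten, and it is worth noting there that an `add_header` set at server level is dropped in any `location` that declares its own `add_header`. The `ssl_ciphers` list contains only ECDHE suites, so leaving `ssl_dhparam` commented out is consistent; a one-line comment saying so (`# no DHE suites in ssl_ciphers, so no dhparam is needed`) would stop someone re-enabling it out of habit.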
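Review bot: The two added comments, `#host判断` and `#v 监听端口`, do not say what the check or the port is for, and the file now mixes the English comments inherited from the nginx defaults with Chinese ones; whichever language is chosen, these two should state what is being checked and why. I would write, above the `if`, `# Only proxy requests whose Host header is exactly the configured name; $http_host is the raw header, so a value carrying an explicit port will not match`, and above `proxy_pass`, `# Local backend port (the service handling the upgraded WebSocket connection, going by the Upgrade/Connection headers above)`; the WebSocket purpose is inferred from those headers and the directory name, so adjust it if the backend is something else. The enclosing block (presumably the `location` holding these `proxy_set_header` lines) begins before the hunk.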