1. server {
    2.     listen 80 ;
    3.     server_name www.zenkr.com;
    4.     # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    5.     return 301 https://$host$request_uri;
    6. }
    7. server {
    8.     listen 443;
    9.     server_name www.zenkr.com;
    10.     ssl on;
    11.     # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    12.     ssl_certificate /etc/letsencrypt/live/www.zenkr.com/fullchain.pem;
    13.     ssl_certificate_key /etc/letsencrypt/live/www.zenkr.com/privkey.pem;
    14.     ssl_session_timeout 1d;
    15.     ssl_session_cache shared:SSL:50m;
    16.     ssl_session_tickets off;
    17.     # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    18.     ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    19.     # intermediate configuration. tweak to your needs.
    20.     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    21.     ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    22.     ssl_prefer_server_ciphers on;
    23.     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    24.     add_header Strict-Transport-Security max-age=15768000;
    25.     # OCSP Stapling ---
    26.     # fetch OCSP records from URL in ssl_certificate and cache them
    27.     ssl_stapling on;
    28.     ssl_stapling_verify on;
    29.     ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    30.     ssl_trusted_certificate /etc/letsencrypt/live/www.zenkr.com/root_ca_cert_plus_intermediates;
    31.     resolver vip1.alidns.com vip2.alidns.com;
    32.   root         /z-data/sites/zenkr-201808;
    33.   # index        index.php index.html index.htm;
    34.   location / {
    35.     index      index.php index.html index.htm;
    36.     try_files  $uri $uri/ /index.php?$query_string;
    37.   }
    38.   location ~ '\.php$|^/update.php' {
    39.     fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
    40.     fastcgi_pass   127.0.0.1:9000;
    41.     fastcgi_index  index.php;
    42.     fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    43.     include        fastcgi_params;
    44.   }
    45. }

    请注意 '\.php$|^/update.php'fastcgi_split_path_info ^(.+?\.php)(|/.*)$;。之前因为手动升级 Drupal 8,当进行到最后的省级数据库阶段,需要运行 update.php 然而却出现了路径不对,所以必须要添加这两行。

    更完整的配置文件,请参考 Nginx 官方配置 Drupal 指导

    ssl_dhparam 通过下面命令生成:

    1. sudo mkdir /z-data/ssl/
    2. sudo openssl dhparam -out /z-data/ssl/dhparam.pem 2048