diff --git a/conf/nginx/domain/blog.conf b/conf/nginx/domain/blog.conf
index defc8f4..0bbd438 100644
--- a/conf/nginx/domain/blog.conf
+++ b/conf/nginx/domain/blog.conf
@@ -1,91 +1,90 @@ server { - listen 443 ssl http2 fastopen=3 reuseport; + listen 443 ssl http2 fastopen=3 reuseport; - server_name www.deepzz.com deepzz.com; - server_tokens off; + server_name www.deepzz.com deepzz.com; + server_tokens off; - include /data/eiblog/conf/nginx/ip.blacklist; + access_log /data/eiblog/logdata/nginx.log; - # 现在一般证书是内置的。可以注释该项 + # ip 黑名单 + include /data/eiblog/conf/nginx/ip.blacklist; + + # 现在一般证书是内置的。letsencrypt 暂未 # https://imququ.com/post/certificate-transparency.html#toc-2 - # ssl_ct on; - # ssl_ct_static_scts /data/eiblog/conf/scts; + ssl_ct on; - # 中间证书 + 站点证书 - ssl_certificate /data/eiblog/conf/ssl/domain.pem; + # 中间证书 + 根证书 + # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html + ssl_trusted_certificate /data/eiblog/conf/ssl/full_chained.pem; - # 创建 CSR 文件时用的密钥 - ssl_certificate_key /data/eiblog/conf/ssl/domain.key; + # 站点证书 + 中间证书,私钥 + ssl_certificate /data/eiblog/conf/ssl/domain.rsa.pem; + ssl_certificate_key /data/eiblog/conf/ssl/domain.rsa.key; + ssl_ct_static_scts /data/eiblog/conf/scts/rsa/; + # ssl_certificate /data/eiblog/conf/ssl/domain.ecc.pem; + # ssl_certificate_key /data/eiblog/conf/ssl/domain.ecc.key; + # ssl_ct_static_scts /data/eiblog/conf/scts/ecc/; # openssl dhparam -out dhparams.pem 2048 # https://weakdh.org/sysadmin.html - ssl_dhparam /data/eiblog/conf/ssl/dhparams.pem; - - # https://github.com/cloudflare/sslconfig/blob/master/conf - ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; - - # 如果启用了 RSA + ECDSA 双证书,Cipher Suite 可以参考以下配置: - # ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5; - - ssl_prefer_server_ciphers on; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - ssl_session_cache shared:SSL:50m; - ssl_session_timeout 1d; - - ssl_session_tickets on; + ssl_dhparam 
/data/eiblog/conf/ssl/dhparams.pem; # openssl rand 48 > session_ticket.key # 单机部署可以不指定 ssl_session_ticket_key # ssl_session_ticket_key /data/eiblog/conf/ssl/session_ticket.key; - ssl_stapling on; - ssl_stapling_verify on; + # https://github.com/cloudflare/sslconfig/blob/master/conf + ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; - # 根证书 + 中间证书 - # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html - ssl_trusted_certificate /data/eiblog/conf/ssl/full_chained.pem; + # 如果启用了 RSA + ECDSA 双证书,Cipher Suite 可以参考以下配置: + # ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5; - resolver 114.114.114.114 8.8.8.8 valid=300s; - resolver_timeout 10s; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets on; - access_log /data/eiblog/logdata/nginx.log; + # ssl stapling + ssl_stapling on; + ssl_stapling_verify on; + resolver 114.114.114.114 8.8.8.8 valid=300s; + resolver_timeout 10s; if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) { - return 444; + return 444; } if ($host != 'deepzz.com' ) { - rewrite ^/(.*)$ https://deepzz.com/$1 permanent; + rewrite ^/(.*)$ https://deepzz.com/$1 permanent; } # webmaster 站点验证相关 location ~* (robots\.txt|favicon\.ico|crossdomain\.xml|google4c90d18e696bdcf8\.html|BingSiteAuth\.xml)$ { - root /data/eiblog/static; - expires 1d; + root /data/eiblog/static; + expires 1d; } # imququ 的上传文件相关,未用到 location ^~ /static/uploads/ { - root /home/jerry/www/imququ.com/www; - add_header Access-Control-Allow-Origin *; + root /home/jerry/www/imququ.com/www; + add_header Access-Control-Allow-Origin *; - set $expires_time max; + set $expires_time max; - valid_referers blocked none server_names *.qgy18.com *.inoreader.com feedly.com *.feedly.com 
www.udpwork.com theoldreader.com digg.com *.feiworks.com *.newszeit.com r.mail.qq.com yuedu.163.com *.w3ctech.com; + valid_referers blocked none server_names *.qgy18.com *.inoreader.com feedly.com *.feedly.com www.udpwork.com theoldreader.com digg.com *.feiworks.com *.newszeit.com r.mail.qq.com yuedu.163.com *.w3ctech.com; if ($invalid_referer) { - set $expires_time -1; - return 403; + set $expires_time -1; + return 403; } - expires $expires_time; + expires $expires_time; } location ^~ /static/ { - root /data/eiblog; - add_header Access-Control-Allow-Origin *; - expires max; + root /data/eiblog; + add_header Access-Control-Allow-Origin *; + expires max; } location ^~ /admin/ { @@ -96,7 +95,7 @@ server { # deny 将完全不允许页面被嵌套,可能会导致一些异常。如果遇到这样的问题,建议改成 SAMEORIGIN # https://imququ.com/post/web-security-and-response-header.html#toc-1 add_header X-Frame-Options deny; - + add_header X-Powered-By eiblog/1.2.1; add_header X-Content-Type-Options nosniff; proxy_set_header Connection ""; 
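Review bot: The reorganised TLS block keeps `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and a cipher list ending in `EECDH+3DES:RSA+3DES`, so the 443 server still negotiates TLS 1.0/1.1, 3DES (SWEET32) and non-forward-secret static-RSA key exchange; since these lines are rewritten here anyway, tighten them to `ssl_protocols TLSv1.2;` and drop the two `3DES` entries (keep `RSA+AES*` only if old clients are known to need it). `ssl_ct on` is now unconditional while the certificate and SCT directory were switched to the `rsa/` variant, so the SCTs under `/data/eiblog/conf/scts/rsa/` must be the ones logged for exactly the leaf in `domain.rsa.pem`, otherwise Chrome will refuse the handshake — worth checking before deploy. With `ssl_session_ticket_key` left commented out, the ticket key nginx generates at startup lives until the next restart, so the 1d resumption window weakens forward secrecy; a periodically rotated key file would address that.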
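Review bot: `add_header X-Powered-By eiblog/1.2.1;` advertises the application name and exact version on every response, which undoes the intent of `server_tokens off;` at the top of this server and hands fingerprinting data to anyone probing what appears to be the `/admin/` location (that `location` opens at the end of the previous hunk, so the placement is inferred). Drop the header entirely, or at least the version: `add_header X-Powered-By eiblog;`. If the version is needed by the application itself, it belongs in an internal upstream header rather than a client-visible one.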
@@ -114,7 +113,7 @@ server { add_header X-Frame-Options deny; add_header X-Content-Type-Options nosniff; # 改deepzz相关的 - add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: https://st.deepzz.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net"; + add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: https://st.deepzz.com; media-src https://st.deepzz.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net"; # 中间证书证书指纹 # https://imququ.com/post/http-public-key-pinning.html add_header Public-Key-Pins 'pin-sha256="lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000; includeSubDomains'; @@ -137,21 +136,22 @@ server { } server { - server_name www.deepzz.com deepzz.com; - server_tokens off; + server_name www.deepzz.com deepzz.com; + server_tokens off; - access_log /dev/null; + access_log /dev/null; - if ($request_method !~ ^(GET|HEAD|POST)$ ) { - return 444; + if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) { + return 444; } + # letsencrypt file verify location ^~ /.well-known/acme-challenge/ { - alias /data/letsencrypt/challenges/; - try_files $uri =404; + alias /data/letsencrypt/challenges/; + try_files $uri =404; } location / { - rewrite ^/(.*)$ https://deepzz.com/$1 permanent; + rewrite ^/(.*)$ https://deepzz.com/$1 permanent; } } diff --git a/conf/nginx/ip.blacklist b/conf/nginx/ip.blacklist index e69de29..e7695cd 100644 --- a/conf/nginx/ip.blacklist +++ b/conf/nginx/ip.blacklist @@ -0,0 +1,2 @@ +# example black list +#deny 195.154.211.220; \ No newline at end of file 
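Review bot: The changed `Content-Security-Policy` adds `media-src https://st.deepzz.com` but keeps `script-src 'unsafe-inline' 'unsafe-eval' blob: https:`, which allows inline and eval'd script from any HTTPS origin, so the policy offers essentially no XSS mitigation; if third-party widgets make a strict list impractical, name their origins explicitly and at least drop the bare `https:` from `script-src`. The `Public-Key-Pins` header just below is unchanged while the first hunk switches the served certificate to `domain.rsa.pem`; if that chain's intermediates differ from the two pinned hashes, clients that cached the pin under `max-age=2592000` with `includeSubDomains` are hard-failed for up to 30 days, so verify the pins against the new chain (and note browsers have since deprecated HPKP, so removing it is the safer option). The enclosing location begins outside this hunk.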
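Review bot: `location ^~ /.well-known/acme-challenge/` combines `alias` with `try_files $uri =404`; nginx has a long-standing gotcha where `try_files` inside an `alias` location resolves `$uri` against the wrong path, which can 404 every challenge depending on version, so verify a renewal end-to-end or use `root /data/letsencrypt;` with the challenges placed under `.well-known/acme-challenge/` there. With `access_log /dev/null;` on this server a failed ACME validation leaves no trace; logging at least this location is worth it. The new method regex now lets OPTIONS through to the `/` rewrite, which is harmless but only yields a 301 that browsers will not follow for a preflight. No `listen` directive is visible, so this block relies on nginx's default of port 80 — fine, but an explicit `listen 80;` documents the intent.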
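Review bot: The blacklist is only pulled in by the 443 server (`include /data/eiblog/conf/nginx/ip.blacklist;` in the first hunk), so a `deny` added here still lets the listed address reach the plain-HTTP server with the ACME location and redirect; add the same `include` to that second `server {}` if the intent is to block the host entirely. Because the file is included at `server` level, only `allow`/`deny` lines are valid in it, which the example comment could say, e.g. `# one 'deny <ip>;' or 'allow <ip>;' per line, applied to the whole server`. A trailing newline would also avoid the `\ No newline at end of file` marker.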
diff --git a/conf/scts/aviator.sct b/conf/scts/ecc/aviator.sct
similarity index 100%
rename from conf/scts/aviator.sct
rename to conf/scts/ecc/aviator.sct
diff --git a/conf/scts/digicert.sct b/conf/scts/ecc/digicert.sct
similarity index 100%
rename from conf/scts/digicert.sct
rename to conf/scts/ecc/digicert.sct
diff --git a/conf/scts/rsa/aviator.sct b/conf/scts/rsa/aviator.sct
new file mode 100644
index 0000000..e674439
Binary files /dev/null and b/conf/scts/rsa/aviator.sct differ
diff --git a/conf/scts/rsa/digicert.sct b/conf/scts/rsa/digicert.sct
new file mode 100644
index 0000000..f3cd6af
Binary files /dev/null and b/conf/scts/rsa/digicert.sct differ