mirrors2/eiblog
1
0
Fork 0
mirror of https://github.com/eiblog/eiblog.git synced 2026-02-04 13:52:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

nginx config: use Expect-CT repleace HPKP

Browse Source
This commit is contained in:
henry.chen
2018-07-17 10:32:54 +08:00
parent b35d7de58a
commit 63a4d69209
1 changed files with 17 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
conf/nginx/domain/eiblog.conf
View File

@@ -6,20 +6,20 @@ server {
access_log /data/eiblog/logdata/nginx.log; access_log /data/eiblog/logdata/nginx.log;
# ip 黑名单 # IP黑名单.
include /data/eiblog/conf/nginx/ip.blacklist; include /data/eiblog/conf/nginx/ip.blacklist;
# letsencrypt v2已内置 # letsencrypt v2已内置, 忽略.
# https://imququ.com/post/certificate-transparency.html#toc-2 # https://imququ.com/post/certificate-transparency.html#toc-2
#ssl_ct on; #ssl_ct on;
#ssl_ct_static_scts /data/eiblog/conf/scts/rsa/; #ssl_ct_static_scts /data/eiblog/conf/scts/rsa/;
#ssl_ct_static_scts /data/eiblog/conf/scts/ecc/; #ssl_ct_static_scts /data/eiblog/conf/scts/ecc/;
# 中间证书 + 根证书 # 中间证书 + 根证书.
# https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html
ssl_trusted_certificate /data/eiblog/conf/ssl/full_chained.pem; ssl_trusted_certificate /data/eiblog/conf/ssl/full_chained.pem;
# 站点证书 + 中间证书私钥 # 站点证书 + 中间证书, 私钥.
ssl_certificate /data/eiblog/conf/ssl/domain.rsa.pem; ssl_certificate /data/eiblog/conf/ssl/domain.rsa.pem;
ssl_certificate_key /data/eiblog/conf/ssl/domain.rsa.key; ssl_certificate_key /data/eiblog/conf/ssl/domain.rsa.key;
# ssl_certificate /data/eiblog/conf/ssl/domain.ecc.pem; # ssl_certificate /data/eiblog/conf/ssl/domain.ecc.pem;
@@ -29,17 +29,17 @@ server {
# https://weakdh.org/sysadmin.html # https://weakdh.org/sysadmin.html
ssl_dhparam /data/eiblog/conf/ssl/dhparams.pem; ssl_dhparam /data/eiblog/conf/ssl/dhparams.pem;
# 单机部署可以不指定.
# openssl rand 48 > session_ticket.key # openssl rand 48 > session_ticket.key
# 单机部署可以不指定 ssl_session_ticket_key
# ssl_session_ticket_key /data/eiblog/conf/ssl/session_ticket.key; # ssl_session_ticket_key /data/eiblog/conf/ssl/session_ticket.key;
ssl_prefer_server_ciphers on;
# https://github.com/cloudflare/sslconfig/blob/master/conf # https://github.com/cloudflare/sslconfig/blob/master/conf
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
# 如果启用 RSA + ECDSA 双证书Cipher Suite 可以参考以下配置 # 如果启用 RSA + ECDSA 双证书, Cipher Suite 可以参考以下配置.
# ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5; # ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d; ssl_session_timeout 1d;
@@ -48,6 +48,7 @@ server {
# ssl stapling # ssl stapling
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
resolver 114.114.114.114 8.8.8.8 valid=300s; resolver 114.114.114.114 8.8.8.8 valid=300s;
resolver_timeout 10s; resolver_timeout 10s;
@@ -59,7 +60,7 @@ server {
rewrite ^/(.*)$ https://deepzz.com/$1 permanent; rewrite ^/(.*)$ https://deepzz.com/$1 permanent;
} }
# webmaster 站点验证相关 # webmaster 站点验证相关.
location ~* (google4c90d18e696bdcf8\.html|BingSiteAuth\.xml)$ { location ~* (google4c90d18e696bdcf8\.html|BingSiteAuth\.xml)$ {
root /data/eiblog/static; root /data/eiblog/static;
expires 1d; expires 1d;
@@ -70,7 +71,7 @@ server {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
# deny 将完全不允许页面被嵌套,可能会导致一些异常。如果遇到这样的问题,建议改成 SAMEORIGIN # deny 将完全不允许页面被嵌套,可能会导致一些异常。如果遇到这样的问题,建议改成 SAMEORIGIN.
# https://imququ.com/post/web-security-and-response-header.html#toc-1 # https://imququ.com/post/web-security-and-response-header.html#toc-1
add_header X-Frame-Options deny; add_header X-Frame-Options deny;
add_header X-Powered-By eiblog/1.3.0; add_header X-Powered-By eiblog/1.3.0;
@@ -78,7 +79,7 @@ server {
proxy_set_header Connection ""; proxy_set_header Connection "";
proxy_set_header Host deepzz.com; proxy_set_header Host deepzz.com;
proxy_set_header X-Real_IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:9000; proxy_pass http://127.0.0.1:9000;
@@ -90,11 +91,14 @@ server {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options deny; add_header X-Frame-Options deny;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
# 改deepzz相关的 # 改deepzz相关的.
add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: https://st.deepzz.com; media-src https://st.deepzz.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net"; add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: https://st.deepzz.com; media-src https://st.deepzz.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net";
# 中间证书证书指纹 # 中间证书证书指纹, chrome69 将忽略, 用 expect-ct 替代.
# https://imququ.com/post/http-public-key-pinning.html # https://imququ.com/post/http-public-key-pinning.html
add_header Public-Key-Pins 'pin-sha256="IiSbZ4pMDEyXvtl7Lg8K3FNmJcTAhKUTrB2FQOaAO/s="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000;'; #add_header Public-Key-Pins 'pin-sha256="IiSbZ4pMDEyXvtl7Lg8K3FNmJcTAhKUTrB2FQOaAO/s="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000;';
# 期望 ct.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
add_header Expect-CT "max-age=180";
add_header Cache-Control no-cache; add_header Cache-Control no-cache;
add_header X-Via Aliyun.QingDao; add_header X-Via Aliyun.QingDao;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";