server {
    listen                       443 ssl http2 fastopen=3 reuseport;

    server_name                  www.deepzz.com deepzz.com;
    server_tokens                off;

    access_log                   /data/eiblog/logdata/nginx.log;

    # IP黑名单.
    include                      /data/eiblog/conf/nginx/ip.blacklist;

    # letsencrypt v2已内置, 忽略.
    # https://imququ.com/post/certificate-transparency.html#toc-2
    #ssl_ct                       on;
    #ssl_ct_static_scts           /data/eiblog/conf/scts/rsa/;
    #ssl_ct_static_scts           /data/eiblog/conf/scts/ecc/;

    # 中间证书 + 根证书.
    # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html
    ssl_trusted_certificate      /data/eiblog/conf/ssl/full_chained.pem;

    # 站点证书 + 中间证书, 私钥.
    ssl_certificate              /data/eiblog/conf/ssl/domain.rsa.pem;
    ssl_certificate_key          /data/eiblog/conf/ssl/domain.rsa.key;
    # ssl_certificate              /data/eiblog/conf/ssl/domain.ecc.pem;
    # ssl_certificate_key          /data/eiblog/conf/ssl/domain.ecc.key;

    # openssl dhparam -out dhparams.pem 2048
    # https://weakdh.org/sysadmin.html
    ssl_dhparam                  /data/eiblog/conf/ssl/dhparams.pem;

    # 单机部署可以不指定.
    # openssl rand 48 > session_ticket.key
    # ssl_session_ticket_key     /data/eiblog/conf/ssl/session_ticket.key;

    ssl_prefer_server_ciphers    on;
    # https://github.com/cloudflare/sslconfig/blob/master/conf
    ssl_ciphers                  EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # 如果启用 RSA + ECDSA 双证书, Cipher Suite 可以参考以下配置.
    # ssl_ciphers                 EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;

    ssl_protocols                TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache            shared:SSL:50m;
    ssl_session_timeout          1d;
    ssl_session_tickets          on;

    # ssl stapling
    ssl_stapling                 on;
    ssl_stapling_verify          on;

    resolver                     114.114.114.114 8.8.8.8 valid=300s;
    resolver_timeout             10s;

    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
        return                   444;
    }

    if ($host != 'deepzz.com' ) {
        rewrite                  ^/(.*)$  https://deepzz.com/$1 permanent;
    }

    # webmaster 站点验证相关.
    location ~* (google4c90d18e696bdcf8\.html|BingSiteAuth\.xml)$ {
        root                     /data/eiblog/static;
        expires                  1d;
    }

    location ^~ /admin/ {
        proxy_http_version       1.1;

        add_header               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

        # deny 将完全不允许页面被嵌套，可能会导致一些异常。如果遇到这样的问题，建议改成 SAMEORIGIN.
        # https://imququ.com/post/web-security-and-response-header.html#toc-1
        add_header               X-Frame-Options deny;
        add_header               X-Powered-By eiblog/1.3.0;
        add_header               X-Content-Type-Options nosniff;

        proxy_set_header         Connection       "";
        proxy_set_header         Host             deepzz.com;
        proxy_set_header         X-Real-IP        $remote_addr;
        proxy_set_header         X-Forwarded-For  $proxy_add_x_forwarded_for;

        proxy_pass               http://127.0.0.1:9000;
    }

    location / {
        proxy_http_version       1.1;

        add_header               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header               X-Frame-Options deny;
        add_header               X-Content-Type-Options nosniff;
        # 改deepzz相关的.
        add_header               Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: https://st.deepzz.com; media-src https://st.deepzz.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net";
        # 中间证书证书指纹, chrome69 将忽略, 用 expect-ct 替代.
        # https://imququ.com/post/http-public-key-pinning.html
        #add_header               Public-Key-Pins 'pin-sha256="IiSbZ4pMDEyXvtl7Lg8K3FNmJcTAhKUTrB2FQOaAO/s="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000;';
        # 期望 ct.
        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
        add_header               Expect-CT "max-age=180";
        add_header               Cache-Control no-cache;
        add_header               X-Via Aliyun.QingDao;
        add_header               X-XSS-Protection "1; mode=block";
        add_header               X-Powered-By eiblog/1.3.0;

        proxy_ignore_headers     Set-Cookie;
        proxy_hide_header        Vary;

        proxy_set_header         Connection       "";
        proxy_set_header         Host             deepzz.com;
        proxy_set_header         X-Real-IP        $remote_addr;
        proxy_set_header         X-Forwarded-For  $proxy_add_x_forwarded_for;

        proxy_pass               http://127.0.0.1:9000;
    }
}

server {
    server_name                  www.deepzz.com deepzz.com;
    server_tokens                off;

    access_log                   /dev/null;

    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
        return                   444;
    }

    # letsencrypt file verify
    location ^~ /.well-known/acme-challenge/ {
        alias                    /data/eiblog/challenges/;
        try_files                $uri =404;
    }

    location / {
        rewrite                  ^/(.*)$ https://deepzz.com/$1 permanent;
    }
}