server { listen 443 ssl http2 fastopen=3 reuseport; server_name www.deepzz.com deepzz.com; server_tokens off; include /data/eiblog/conf/nginx/ip.blacklist; # 现在一般证书是内置的。可以注释该项 # https://imququ.com/post/certificate-transparency.html#toc-2 # ssl_ct on; # ssl_ct_static_scts /data/eiblog/conf/scts; # 中间证书 + 站点证书 ssl_certificate /data/eiblog/conf/ssl/domain.pem; # 创建 CSR 文件时用的密钥 ssl_certificate_key /data/eiblog/conf/ssl/domain.key; # openssl dhparam -out dhparams.pem 2048 # https://weakdh.org/sysadmin.html ssl_dhparam /data/eiblog/conf/ssl/dhparams.pem; # https://github.com/cloudflare/sslconfig/blob/master/conf ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; # 如果启用了 RSA + ECDSA 双证书,Cipher Suite 可以参考以下配置: # ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets on; # openssl rand 48 > session_ticket.key # 单机部署可以不指定 ssl_session_ticket_key # ssl_session_ticket_key /data/eiblog/conf/ssl/session_ticket.key; ssl_stapling on; ssl_stapling_verify on; # 根证书 + 中间证书 # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html # ssl_trusted_certificate /data/eiblog/conf/ssl/full_chained.pem; resolver 114.114.114.114 valid=300s; resolver_timeout 10s; access_log /data/eiblog/logdata/nginx.log; if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) { return 444; } if ($host != 'deepzz.com' ) { rewrite ^/(.*)$ https://deepzz.com/$1 permanent; } # webmaster 站点验证相关 location ~* (robots\.txt|favicon\.ico|crossdomain\.xml|google4c90d18e696bdcf8\.html|BingSiteAuth\.xml)$ { root /data/eiblog/static; expires 1d; } location ^~ /static/uploads/ { root /home/jerry/www/imququ.com/www; add_header Access-Control-Allow-Origin *; set $expires_time max; valid_referers blocked none server_names *.qgy18.com *.inoreader.com feedly.com *.feedly.com www.udpwork.com theoldreader.com digg.com *.feiworks.com *.newszeit.com r.mail.qq.com yuedu.163.com *.w3ctech.com; if ($invalid_referer) { set $expires_time -1; return 403; } expires $expires_time; } location ^~ /static/ { root /data/eiblog; add_header Access-Control-Allow-Origin *; expires max; } location ^~ /admin/ { proxy_http_version 1.1; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # DENY 将完全不允许页面被嵌套,可能会导致一些异常。如果遇到这样的问题,建议改成 SAMEORIGIN # https://imququ.com/post/web-security-and-response-header.html#toc-1 add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; # proxy_set_header X-Via QingDao.Aliyun; proxy_set_header Connection ""; proxy_set_header Host deepzz.com; proxy_set_header X-Real_IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-XSS-Protection 1; mode=block; proxy_pass http://127.0.0.1:9000; } location / { proxy_http_version 1.1; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; add_header X-Frame-Options deny; add_header X-Content-Type-Options nosniff; # 改deepzz相关的 add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: https://st.deepzz.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net"; # 中间证书证书指纹 # https://imququ.com/post/http-public-key-pinning.html add_header Public-Key-Pins 'pin-sha256="lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000; includeSubDomains'; add_header Cache-Control no-cache; proxy_ignore_headers Set-Cookie; proxy_hide_header Vary; proxy_hide_header X-Powered-By; # proxy_set_header X-Via QingDao.Aliyun; proxy_set_header Connection ""; proxy_set_header Host deepzz.com; proxy_set_header X-Real_IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:9000; } } server { server_name www.deepzz.com deepzz.com; server_tokens off; access_log /dev/null; if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; } location ^~ /.well-known/acme-challenge/ { alias /home/jerry/www/challenges/; try_files $uri =404; } location / { rewrite ^/(.*)$ https://deepzz.com/$1 permanent; } } # 原博客,内部做的转发 server { server_name blog.deepzz.com; access_log /dev/null; location / { rewrite ^/(.*)$ https://blog.deepzz.com/$1 permanent; } } server { listen 443; server_name blog.deepzz.com; add_header Strict-Transport-Security "max-age=31536000"; add_header X-Frame-Options deny; add_header X-Content-Type-Options nosniff; add_header X-Xss-Protection "1; mode=block;"; location / { proxy_pass https://127.0.0.1:9010; } }