tcp_nopush on; tcp_nodelay on; # gzip gzip on; gzip_vary on; gzip_comp_level 6; gzip_buffers 16 8k; gzip_min_length 1000; gzip_proxied any; gzip_disable "msie6"; gzip_http_version 1.0; gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml; server { server_name www.deepzz.com deepzz.com; server_tokens off; location / { rewrite ^/(.*)$ https://deepzz.com/$1 permanent; } } server { listen 443 ssl http2 fastopen=3 reuseport; server_name www.deepzz.com deepzz.com; server_tokens off; # 站点证书 + 中间证书, 私钥. ssl_certificate /etc/nginx/ssl/domain.rsa.pem; ssl_certificate_key /etc/nginx/ssl/domain.rsa.key; # ssl_certificate /etc/nginx/ssl/domain.ecc.pem; # ssl_certificate_key /etc/nginx/ssl/domain.ecc.key; # https://github.com/cloudflare/sslconfig/blob/master/conf ssl_prefer_server_ciphers on; ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; # 如果启用 RSA+ECDSA 双证书, Cipher Suite 可以参考以下配置. # ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5; # openssl dhparam -out dhparams.pem 2048 # https://weakdh.org/sysadmin.html ssl_dhparam /etc/nginx/ssl/dhparams.pem; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets on; # 中间证书 + 根证书. # OCSP装订: https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html ssl_trusted_certificate /etc/nginx/ssl/full_chained.pem; ssl_stapling on; ssl_stapling_verify on; if ($request_method !~ ^(GET|HEAD|POST|PUT|OPTIONS)$ ) { return 444; } # webmaster 站点验证相关. location ~* (favicon\.ico|google4c90d18e696bdcf8\.html|BingSiteAuth\.xml|ads\.txt)$ { root /usr/share/nginx/html; expires 1d; } if ($host != 'deepzz.com' ) { rewrite ^/(.*)$ https://deepzz.com/$1 permanent; } # proxy setting proxy_http_version 1.1; proxy_ignore_headers Set-Cookie; proxy_hide_header Vary; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location ^~ /admin/ { add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # https://imququ.com/post/web-security-and-response-header.html#toc-1 # 期望CT: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT add_header Expect-CT "max-age=180"; add_header Cache-Control no-cache; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Via Aliyun.QingDao; add_header X-Powered-By eiblog/2.x; proxy_pass http://127.0.0.1:9000; } location / { add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # https://imququ.com/post/web-security-and-response-header.html#toc-1 # 期望CT: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT add_header Expect-CT "max-age=180"; add_header Cache-Control no-cache; # 内容安全策略: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https:; media-src https:; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self'; frame-src https://disqus.com"; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Via Aliyun.QingDao; add_header X-Powered-By eiblog/2.x; proxy_pass http://127.0.0.1:9000; } }