mirror of
https://github.com/eiblog/eiblog.git
synced 2026-02-04 13:52:26 +08:00
158 lines
6.6 KiB
Plaintext
158 lines
6.6 KiB
Plaintext
server {
|
||
listen 443 ssl http2 fastopen=3 reuseport;
|
||
|
||
server_name www.deepzz.com deepzz.com;
|
||
server_tokens off;
|
||
|
||
access_log /data/eiblog/logdata/nginx.log;
|
||
|
||
# ip 黑名单
|
||
include /data/eiblog/conf/nginx/ip.blacklist;
|
||
|
||
# 现在一般证书是内置的。letsencrypt 暂未
|
||
# https://imququ.com/post/certificate-transparency.html#toc-2
|
||
ssl_ct on;
|
||
|
||
# 中间证书 + 根证书
|
||
# https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html
|
||
ssl_trusted_certificate /data/eiblog/conf/ssl/full_chained.pem;
|
||
|
||
# 站点证书 + 中间证书,私钥
|
||
ssl_certificate /data/eiblog/conf/ssl/domain.rsa.pem;
|
||
ssl_certificate_key /data/eiblog/conf/ssl/domain.rsa.key;
|
||
ssl_ct_static_scts /data/eiblog/conf/scts/rsa/;
|
||
# ssl_certificate /data/eiblog/conf/ssl/domain.ecc.pem;
|
||
# ssl_certificate_key /data/eiblog/conf/ssl/domain.ecc.key;
|
||
# ssl_ct_static_scts /data/eiblog/conf/scts/ecc/;
|
||
|
||
# openssl dhparam -out dhparams.pem 2048
|
||
# https://weakdh.org/sysadmin.html
|
||
ssl_dhparam /data/eiblog/conf/ssl/dhparams.pem;
|
||
|
||
# openssl rand 48 > session_ticket.key
|
||
# 单机部署可以不指定 ssl_session_ticket_key
|
||
# ssl_session_ticket_key /data/eiblog/conf/ssl/session_ticket.key;
|
||
|
||
# https://github.com/cloudflare/sslconfig/blob/master/conf
|
||
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
|
||
|
||
# 如果启用了 RSA + ECDSA 双证书,Cipher Suite 可以参考以下配置:
|
||
# ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
|
||
|
||
ssl_prefer_server_ciphers on;
|
||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||
ssl_session_cache shared:SSL:50m;
|
||
ssl_session_timeout 1d;
|
||
ssl_session_tickets on;
|
||
|
||
# ssl stapling
|
||
ssl_stapling on;
|
||
ssl_stapling_verify on;
|
||
resolver 114.114.114.114 8.8.8.8 valid=300s;
|
||
resolver_timeout 10s;
|
||
|
||
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
|
||
return 444;
|
||
}
|
||
|
||
if ($host != 'deepzz.com' ) {
|
||
rewrite ^/(.*)$ https://deepzz.com/$1 permanent;
|
||
}
|
||
|
||
# webmaster 站点验证相关
|
||
location ~* (robots\.txt|favicon\.ico|crossdomain\.xml|google4c90d18e696bdcf8\.html|BingSiteAuth\.xml)$ {
|
||
root /data/eiblog/static;
|
||
expires 1d;
|
||
}
|
||
|
||
# imququ 的上传文件相关,未用到
|
||
location ^~ /static/uploads/ {
|
||
root /home/jerry/www/imququ.com/www;
|
||
add_header Access-Control-Allow-Origin *;
|
||
|
||
set $expires_time max;
|
||
|
||
valid_referers blocked none server_names *.qgy18.com *.inoreader.com feedly.com *.feedly.com www.udpwork.com theoldreader.com digg.com *.feiworks.com *.newszeit.com r.mail.qq.com yuedu.163.com *.w3ctech.com;
|
||
if ($invalid_referer) {
|
||
set $expires_time -1;
|
||
return 403;
|
||
}
|
||
|
||
expires $expires_time;
|
||
}
|
||
|
||
location ^~ /static/ {
|
||
root /data/eiblog;
|
||
add_header Access-Control-Allow-Origin *;
|
||
expires max;
|
||
}
|
||
|
||
location ^~ /admin/ {
|
||
proxy_http_version 1.1;
|
||
|
||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
|
||
|
||
# deny 将完全不允许页面被嵌套,可能会导致一些异常。如果遇到这样的问题,建议改成 SAMEORIGIN
|
||
# https://imququ.com/post/web-security-and-response-header.html#toc-1
|
||
add_header X-Frame-Options deny;
|
||
add_header X-Powered-By eiblog/1.2.1;
|
||
add_header X-Content-Type-Options nosniff;
|
||
|
||
proxy_set_header Connection "";
|
||
proxy_set_header Host deepzz.com;
|
||
proxy_set_header X-Real_IP $remote_addr;
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
|
||
proxy_pass http://127.0.0.1:9000;
|
||
}
|
||
|
||
location / {
|
||
proxy_http_version 1.1;
|
||
|
||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
|
||
add_header X-Frame-Options deny;
|
||
add_header X-Content-Type-Options nosniff;
|
||
# 改deepzz相关的
|
||
add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: https://st.deepzz.com; media-src https://st.deepzz.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net";
|
||
# 中间证书证书指纹
|
||
# https://imququ.com/post/http-public-key-pinning.html
|
||
add_header Public-Key-Pins 'pin-sha256="IiSbZ4pMDEyXvtl7Lg8K3FNmJcTAhKUTrB2FQOaAO/s="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000; includeSubDomains';
|
||
add_header Cache-Control no-cache;
|
||
add_header X-Via Aliyun.QingDao;
|
||
add_header X-XSS-Protection "1; mode=block";
|
||
|
||
proxy_ignore_headers Set-Cookie;
|
||
|
||
proxy_hide_header Vary;
|
||
proxy_hide_header X-Powered-By;
|
||
|
||
proxy_set_header Connection "";
|
||
proxy_set_header Host deepzz.com;
|
||
proxy_set_header X-Real_IP $remote_addr;
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
|
||
proxy_pass http://127.0.0.1:9000;
|
||
}
|
||
}
|
||
|
||
server {
|
||
server_name www.deepzz.com deepzz.com;
|
||
server_tokens off;
|
||
|
||
access_log /dev/null;
|
||
|
||
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
|
||
return 444;
|
||
}
|
||
|
||
# letsencrypt file verify
|
||
location ^~ /.well-known/acme-challenge/ {
|
||
alias /data/letsencrypt/challenges/;
|
||
try_files $uri =404;
|
||
}
|
||
|
||
location / {
|
||
rewrite ^/(.*)$ https://deepzz.com/$1 permanent;
|
||
}
|
||
}
|