最佳nginx配置
- 支持http2、tls1.2、tls1.3、OCSP stampling
- 尽可能提高传输性能,比如开启压缩等
- 兼容git http协议
- 最安全的ssl配置
user nginx;
worker_processes auto;
events {
multi_accept on;
worker_connections 65535;
}
http {
include /usr/local/nginx/conf.d/*.conf;
include /usr/local/nginx/sites-enabled/*;
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
keepalive_timeout 650;
types_hash_max_size 2048;
types_hash_bucket_size 64;
client_max_body_size 1024M;
server_names_hash_bucket_size 64;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml application/rss+xml application/atom+xml image/svg+xml;
gzip on;
limit_req_zone $binary_remote_addr zone=one:100m rate=10r/s;
ssl_session_timeout 5m;
ssl_session_tickets off;
ssl_session_cache shared:SSL:128m;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
#ssl_protocols TLSv1.3;
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
#OCSP
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=60s;
resolver_timeout 2s;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #HSTS
##################################################################################################
server {
listen 80;
listen [::]:80;
server_name xiedeacc.com;
return 301 https://$host$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name youkechat.net;
return 301 https://$host$request_uri;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host/$request_uri;
}
##################################################################################################
#HTTPS server
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ssserver.youkechat.net;
ssl_certificate /usr/local/nginx/conf/ssl/youkechat.net.fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/youkechat.net.key;
location /sspath {
proxy_redirect off;
proxy_pass http://[::1]:1080;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
#server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name forsimple.youkechat.net;
# ssl_certificate /usr/local/nginx/conf/ssl/youkechat.net.fullchain.cer;
# ssl_certificate_key /usr/local/nginx/conf/ssl/youkechat.net.key;
# location /forsimple {
# proxy_redirect off;
# proxy_pass http://127.0.0.1:1090;
# proxy_http_version 1.1;
# proxy_set_header Host $http_host;
# proxy_set_header X-Real_IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection $connection_upgrade;
# }
#}
##################################################################################################
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name xiedeacc.com;
ssl_certificate /usr/local/nginx/conf/ssl/xiedeacc.com.fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/xiedeacc.com.key;
location / {
root /data/www;
index index.html;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ip.xiedeacc.com;
ssl_certificate /usr/local/nginx/conf/ssl/xiedeacc.com.fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/xiedeacc.com.key;
location / {
default_type text/plain;
return 200 $remote_addr;
}
}
upstream halo {
server 127.0.0.1:8090;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name blog.xiedeacc.com;
ssl_certificate /usr/local/nginx/conf/ssl/xiedeacc.com.fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/xiedeacc.com.key;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
#add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
location / {
proxy_pass http://halo;
proxy_http_version 1.1;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
proxy_pass http://halo;
expires 30d;
access_log off;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name unlock-music.youkechat.net;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/ca.cert.pem;
ssl_certificate /usr/local/nginx/conf/ssl/code.xiedeacc.com.cert.pem;
ssl_certificate_key /usr/local/nginx/conf/ssl/code.xiedeacc.com.unencrypted.key.pem;
location / {
root /data/www/unlock-music/web/dist;
index index.html;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name code.xiedeacc.com;
ssl_trusted_certificate /usr/local/nginx/conf/ssl/ca.cert.pem;
ssl_certificate /usr/local/nginx/conf/ssl/code.xiedeacc.com.cert.pem;
ssl_certificate_key /usr/local/nginx/conf/ssl/code.xiedeacc.com.unencrypted.key.pem;
location / {
client_max_body_size 0;
proxy_redirect http:// https://;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:10080;
}
}
}