每次搭建站点后要写一大堆 Nginx 的配置文件,今天记录一下,贴在下面方便下次用,需要的可以拿走

下面已经配置了 HTTPS 和安全相关的参数,基本不需要修改,除了证书路径、域名、php_fastcgi、伪静态这几处需要按站点替换

全局配置

下方配置放在 nginx.conf 配置文件中的 http {} 块中

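# OCSP Stapling
# nginx fetches and caches the OCSP response for its own certificate and staples it
# into the handshake, so clients do not have to query the CA themselves.
ssl_stapling         on;
# Verification of the stapled response only works when the issuer chain and root CA
# are supplied via ssl_trusted_certificate (per the nginx docs); without it the
# verify step has nothing to check against. Set it and uncomment:
# ssl_trusted_certificate <PLACEHOLDER: path to the issuer chain PEM>;
ssl_stapling_verify  on;
# The resolver is what nginx uses to look up the OCSP responder host (and any other
# runtime name resolution). Queries go out in the clear to these public resolvers;
# valid=60s caps how long an answer is reused regardless of its TTL.
resolver             8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout     2s;

# SSL session reuse
ssl_session_timeout  1d;
ssl_session_cache    shared:SSL:10m;
# Tickets stay off: nginx does not rotate its ticket key by itself, so a long-lived
# key would undercut forward secrecy for resumed sessions (the Mozilla rationale).
# Server-side cache resumption above covers the performance need.
ssl_session_tickets  off;

# Mozilla Intermediate configuration
# The cipher list governs TLS 1.2 only; TLS 1.3 suites are fixed by the TLS library.
# All listed suites are forward-secret (ECDHE/DHE) and AEAD (GCM/ChaCha20) - no CBC,
# no static RSA key exchange.
ssl_protocols        TLSv1.2 TLSv1.3;
ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Since every suite above is acceptable, let the client choose (e.g. ChaCha20 on
# devices without AES acceleration), as the Mozilla intermediate profile does.
ssl_prefer_server_ciphers off;

# Diffie-Hellman parameter for DHE ciphersuites
# Generate with: openssl dhparam -out /root/ssl/dhparam.pem 2048
# Needed for the DHE-RSA suites above. Mozilla's profile points at the RFC 7919
# ffdhe2048 group; a freshly generated 2048-bit parameter is an acceptable alternative.
ssl_dhparam          /root/ssl/dhparam.pem;

# gzip
# Caveat: compressing dynamic responses over TLS can leak secrets (CSRF/session tokens)
# via response-size side channels (BREACH) when a page also reflects attacker-controlled
# input. Static assets are unaffected; for such dynamic HTML/JSON responses disable gzip
# in the relevant location or keep secrets out of compressed bodies.
gzip            on;
gzip_vary       on;
gzip_proxied    any;
gzip_comp_level 6;
gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;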

站点配置

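server {
    listen              443 ssl http2;
    listen              [::]:443 ssl http2;
    server_name         www.sm.link;
    set                 $base /www/wwwroot/sm.link;
    root                $base/;

    index index.php index.html index.htm default.php default.htm default.html;

    # SSL
    # replace with the certificate paths for your site
    ssl_certificate     /www/server/panel/vhost/cert/sm.link/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/sm.link/privkey.pem;

    # security headers
    # "always" keeps them on error responses (4xx/5xx) as well.
    # NOTE: nginx inherits add_header into a location only if that location declares
    # no add_header of its own; a location that adds any header (see svg/fonts below)
    # must repeat this whole list or it silently loses every one of them.
    add_header X-Frame-Options           "SAMEORIGIN" always;
    # "0" disables the legacy XSS auditor: current browsers have removed it and the
    # filter itself was abusable for cross-site leaks, so OWASP recommends 0 rather
    # than "1; mode=block".
    add_header X-XSS-Protection          "0" always;
    add_header X-Content-Type-Options    "nosniff" always;
    # Consider strict-origin-when-cross-origin (the current browser default) once the
    # site's referrer needs are confirmed.
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    # This CSP is deliberately permissive: with 'unsafe-inline' 'unsafe-eval' and any
    # http:/https: origin allowed it does not mitigate XSS, it only blocks unlisted
    # schemes. Tighten it per site (drop 'unsafe-*', enumerate script/style origins)
    # once the application's inline scripts allow it.
    add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
    # preload is effectively irreversible once submitted to hstspreload.org, and
    # includeSubDomains means every subdomain of sm.link must serve valid HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # additional config (pseudo-static / rewrite rules)
    # replace with your site's rewrite file
    include /www/server/panel/vhost/rewrite/sm.link.conf;

    # . files
    # Regex locations are tried in order of appearance and the first match wins, so
    # this must stay above the asset locations: /.git/x.js has to hit the deny, not
    # the "expires" block. .well-known is exempt so ACME HTTP-01 challenges keep working.
    location ~ /\.(?!well-known) {
        deny all;
    }

    # logging
    # replace with your log paths
    access_log  /www/wwwlogs/sm.link.log;
    error_log   /www/wwwlogs/sm.link.error.log;

    # Files and directories that must never be served.
    # Dot-prefixed entries are already answered (403) by the location above, so in
    # practice this block covers LICENSE and README.md. Dots are escaped so that
    # "." matches a literal dot rather than any character.
    location ~ ^/(\.user\.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README\.md)
    {
        return 404;
    }

    # favicon.ico
    location = /favicon.ico {
        log_not_found off;
        access_log    off;
    }

    # robots.txt
    location = /robots.txt {
        log_not_found off;
        access_log    off;
    }

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires    7d;
        access_log off;
    }

    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        # Declaring add_header here discards every server-level add_header, so the
        # security headers are repeated. SVG in particular can carry script, so
        # nosniff and the CSP matter for these responses too.
        add_header X-Frame-Options           "SAMEORIGIN" always;
        add_header X-XSS-Protection          "0" always;
        add_header X-Content-Type-Options    "nosniff" always;
        add_header Referrer-Policy           "no-referrer-when-downgrade" always;
        add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        expires    7d;
        access_log off;
    }

    # handle .php
    # NOTE(review): the included handler is not on this page; confirm it refuses
    # requests for .php scripts that do not exist on disk (try_files ... =404 or
    # cgi.fix_pathinfo=0) before any user-upload directory is served from $base.
    include enable-php-74.conf;
}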

# HTTP redirect
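server {
    listen      80;
    listen      [::]:80;

    # replace with your apex domain
    server_name sm.link;

    # Redirect to HTTPS on the *same* host first: hstspreload.org requires the
    # plain-HTTP redirect to stay on the same host; the https://sm.link server then
    # sends the browser on to www. The target is written as a literal rather than
    # $host so that a request carrying an unexpected Host header (this block serves
    # as the port-80 default unless another server is marked default_server) cannot
    # steer the redirect to an arbitrary host.
    return 301 https://sm.link$request_uri;
}

# The www host needs its own same-host redirect. Without it, http://www.sm.link is
# handled by the block above (as the implicit default server) and sent to
# https://sm.link - a different host - which hstspreload.org rejects.
server {
    listen      80;
    listen      [::]:80;

    # replace with your www host
    server_name www.sm.link;

    return 301 https://www.sm.link$request_uri;
}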

# non-www, subdomains redirect
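server {
    listen              443 ssl http2;
    listen              [::]:443 ssl http2;

    # replace with your apex domain
    server_name         sm.link;

    # SSL
    # replace with the certificate paths for your site (the certificate must cover
    # the apex name as well as www)
    ssl_certificate     /www/server/panel/vhost/cert/sm.link/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/sm.link/privkey.pem;

    # security headers
    # Sent on the 301 itself ("always"); this is what lets the apex host deliver HSTS
    # before the browser ever reaches www. The list mirrors the www server block -
    # keep the two in sync.
    add_header X-Frame-Options           "SAMEORIGIN" always;
    # "0" disables the legacy XSS auditor, which current browsers have removed and
    # which was itself abusable for cross-site leaks (OWASP recommends 0).
    add_header X-XSS-Protection          "0" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    # Permissive CSP ('unsafe-inline' 'unsafe-eval', any http:/https: origin); it does
    # not mitigate XSS and is only harmless here because this host serves no content.
    add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline' 'unsafe-eval'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # replace with your canonical host
    return 301 https://www.sm.link$request_uri;
}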

反向代理

# global configuration - map is only valid at http {} level, so this goes next to
# the SSL/gzip settings above, not inside a server block
# Connection header for WebSocket reverse proxy
# Derives the Connection value sent upstream from the client's Upgrade header:
# "upgrade" whenever the client asked for a protocol upgrade (WebSocket), and
# "close" when Upgrade is absent ("") so ordinary requests are not forced into
# a hop-by-hop upgrade handshake.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ""      close;
}

# WebSocket-capable reverse proxy for wss.sm.link. TLS terminates here; the
# upstream on loopback is spoken to in plaintext HTTP/1.1.
# NOTE(review): no security headers are set in this server; the apex HSTS with
# includeSubDomains only protects this host after a browser has seen the apex
# header once. Add at least Strict-Transport-Security here if that matters.
server {
    listen              443 ssl http2;
    listen              [::]:443 ssl http2;
    server_name         wss.sm.link;
    
    ssl_certificate     /www/server/panel/vhost/cert/sm.link/fullchain.pem;
    ssl_certificate_key /www/server/panel/vhost/cert/sm.link/privkey.pem;

    location / {
        # backend bound to loopback only; replace port per application
        proxy_pass                           http://127.0.0.1:9502;

        # HTTP/1.1 is required for the Upgrade handshake (1.0 has no hop-by-hop upgrade)
        proxy_http_version                 1.1;
        # never serve an upgrade request from a proxy cache (no proxy_cache is
        # configured on this page, so this only takes effect if one is added)
        proxy_cache_bypass                 $http_upgrade;

        # Proxy headers
        # Upgrade/Connection pass the WebSocket handshake through; $connection_upgrade
        # comes from the map above. nginx does not check the Origin header, so
        # cross-site WebSocket hijacking must be handled by the upstream application.
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $host; # or $proxy_host if the upstream expects its own name
        proxy_set_header X-Real-IP         $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For the
        # client already sent; the upstream must trust only the last entry.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;
        # forces an uncompressed upstream body; required for the sub_filter rewriting below
        proxy_set_header Accept-Encoding '';

        # Proxy timeouts
        # proxy_read_timeout closes a WebSocket that has been idle (no frames in
        # either direction) for 60s; raise it or have the application send ping frames.
        proxy_connect_timeout              60s;
        proxy_send_timeout                 60s;
        proxy_read_timeout                 60s;

        # content rewriting (optional)
        # sub_filter 'www.goole.com' 'goole.sm.link';
        # sub_filter_once off;
        # sub_filter_types *;
    }
}
最后修改:2021 年 04 月 24 日 07 : 13 PM