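# Plain-HTTP listener: its only job is to send every request to HTTPS.
server {
    listen 80;
    server_name ops.aaa.cn;
    access_log off;
    # `return` with $request_uri is the documented redirect idiom; it reuses the
    # raw, still-encoded request line instead of a decoded regex capture.
    return 301 https://$server_name$request_uri;
}

# TLS-terminating reverse proxy in front of the internal backend.
server {
    listen 443 ssl http2;
    server_name ops.aaa.cn;

    # NOTE(review): a body-size limit of 0 means "unlimited", and the body
    # buffer may grow to roughly 100 MB per request. Cap both if large uploads
    # are not required, otherwise a few concurrent clients can exhaust memory.
    client_max_body_size 0;
    chunked_transfer_encoding on;
    client_body_buffer_size 102400k;

    # Response headers. nginx inherits these into a location only when that
    # location declares no add_header of its own, so enabling any of the
    # commented-out add_header lines in `location /` would drop all of them.
    #
    # HSTS: two-year max-age with includeSubdomains and preload commits every
    # subdomain to HTTPS; make sure all of them serve valid TLS first.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    # X-XSS-Protection is a legacy header that current browsers ignore; the CSP
    # below is the control that matters.
    add_header X-XSS-Protection "1; mode=block" always;
    # The original sent X-Frame-Options twice (SAMEORIGIN and DENY). The HTML
    # specification treats conflicting values as a block, so only the stricter
    # value is kept. Use SAMEORIGIN instead if the application frames itself.
    add_header X-Frame-Options "DENY" always;
    # `always` added so these two are also sent on error responses, like the
    # headers above.
    add_header X-Content-Type-Options nosniff always;
    add_header X-via "AAA Server v2.0";
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in default-src/script-src
    # remove most of the XSS protection CSP offers; move to nonces or hashes
    # when the application allows it.
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.aaa.cn ; script-src 'self' https://rescdn.qqmail.com https://cdnjs.cloudflare.com 'unsafe-inline' 'unsafe-eval' https://*.aaa.cn; img-src 'self' https://*.aaa.cn; style-src 'self' 'unsafe-inline' https://*.aaa.cn; font-src 'self' https://*.aaa.cn; frame-src https://*.aaa.cn https://open.work.weixin.qq.com; object-src 'none'" always;

    # ssl on;
    # RSA certificate and key. "*.aaa.cn" is a literal directory name here.
    # Private keys should be readable only by the nginx master user.
    ssl_certificate /apps/nginx/sslkey/*.aaa.cn/certificate.crt;
    ssl_certificate_key /apps/nginx/sslkey/*.aaa.cn/private.key;
    # ECC certificate and key (dual-certificate setup).
    ssl_certificate /apps/nginx/sslkey/*.aaa.cn/ecccertificate.crt;
    ssl_certificate_key /apps/nginx/sslkey/*.aaa.cn/eccprivate.key;

    keepalive_timeout 60;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    # The first ticket key encrypts new tickets; the second only decrypts old
    # ones. Rotate these files on a schedule: a leaked ticket key lets recorded
    # TLS 1.2 sessions that used tickets be decrypted.
    ssl_session_ticket_key /apps/nginx/sslkey/*.aaa.cn/tlsb_session_ticket.key;
    ssl_session_ticket_key /apps/nginx/sslkey/*.aaa.cn/tls_session_ticket.key;
    ssl_session_tickets on;
    ssl_dhparam /apps/nginx/sslkey/*.aaa.cn/dhparam.pem;
    ssl_buffer_size 4k;

    # NOTE(review): the TLS13-* names look like the pre-release OpenSSL 1.1.1
    # spelling; confirm what this build actually enables with
    # `openssl ciphers -v`. The list also contains static-RSA suites (no forward
    # secrecy), PSK suites and CBC-mode suites; drop them unless a known client
    # still needs them.
    ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256";
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ecdh_curve secp384r1;

    # OCSP stapling served from a pre-fetched file. The file must be refreshed
    # before the response expires, or clients receive a stale staple.
    # NOTE(review): only an ECC staple is configured although two certificates
    # are loaded; confirm the RSA certificate is covered.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_stapling_file /apps/nginx/sslkey/*.aaa.cn/eccstapling_ocsp;
    ssl_trusted_certificate /apps/nginx/sslkey/*.aaa.cn/ca.crt;
    resolver 119.29.29.29 114.114.114.114 valid=300s;
    resolver_timeout 5s;

    location / {
        # Traffic to the backend is plain HTTP; TLS ends at this proxy.
        proxy_pass http://192.168.1.121:80;

        # NOTE(review): unlimited body size, a body buffer of roughly 200 MB
        # and very long timeouts let slow or oversized requests hold memory and
        # connections for hours. The nginx documentation also notes that
        # proxy_connect_timeout usually cannot exceed 75 seconds.
        client_body_buffer_size 202400k;
        client_max_body_size 0;
        client_body_in_single_buffer on;
        proxy_connect_timeout 3000s;
        proxy_send_timeout 9000;
        proxy_read_timeout 9000;
        proxy_buffer_size 12800k;
        proxy_buffers 4 6400k;
        proxy_busy_buffers_size 12800k;
        proxy_redirect off;

        # WebSocket upgrade headers.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Accept-Encoding '';
        proxy_set_header Host ops.aaa.cn;
        proxy_set_header Referer $http_referer;
        proxy_set_header Cookie $http_cookie;
        # $remote_addr is the peer nginx actually saw. X-Forwarded-For is
        # appended to whatever the client sent, so the backend should trust
        # only X-Real-IP or the right-most X-Forwarded-For entry.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;

        # add_header Cache-Control max-age=60;
        # HSTS: enable/disable by (un)commenting
        # add_header X-Cache '$upstream_cache_status from $server_addr';
        # proxy_cache_key $host$uri$is_args$args;
        proxy_buffering off;
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        # proxy_cache_bypass $http_upgrade;
        # proxy_temp_file_write_size 256k;
        proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
        # proxy_max_temp_file_size 128m;
        #proxy_cache cache_one;
        #proxy_cache_valid 200 302 60m;
        #proxy_cache_valid 404 1m;
        proxy_http_version 1.1;
        # NOTE(review): Connection is set a second time here. nginx does not
        # pass a header whose value is an empty string, so this line likely has
        # no effect next to 'upgrade' above; confirm which behaviour is
        # intended (WebSocket upgrade or upstream keep-alive) and keep one.
        proxy_set_header Connection "";
    }
}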