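# worker_processes auto;
worker_processes 4;
worker_rlimit_nofile 51200;

events {
    # use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    # include black.ip;  # IP blacklist
    include mime.types;
    default_type application/octet-stream;

    server_names_hash_bucket_size 128;
    large_client_header_buffers 4 32k;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 120s 120s;
    keepalive_requests 10000;

    # off hides the nginx version in the Server header and error pages, on shows it.
    # NOTE: the vhosts below use `proxy_pass_header Server`, which still forwards the
    # upstream's own Server header, so a backend version string can still reach clients.
    server_tokens off;
    # Forward request headers whose names contain underscores instead of dropping them.
    underscores_in_headers on;

    open_file_cache max=100000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    client_max_body_size 200m;  # request body size limit, default is 1m
    client_header_timeout 1m;
    client_body_timeout 10m;

    proxy_connect_timeout 1m;
    proxy_read_timeout 5m;
    proxy_send_timeout 10m;
    # proxy_ignore_client_abort on;

    ssl_session_timeout 3h;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and were removed from this list.
    # TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL >= 1.1.1; drop that
    # token if the installed build rejects it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache builtin:3000 shared:SSL:30m;
    # Ticket keys are only regenerated on restart; use ssl_session_ticket_key with
    # rotated key files if long worker lifetimes are a concern.
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;
    # DNS used for OCSP stapling and for the variable proxy_pass targets below.
    resolver 114.114.114.114 119.29.29.29 223.5.5.5 valid=300s;
    resolver_timeout 5s;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;

    etag on;

    gzip on;
    gzip_vary on;
    gzip_min_length 1k;
    gzip_buffers 16 16k;
    gzip_http_version 1.1;
    gzip_comp_level 8;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";

    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;

    # $request_body was removed from the log line: it copied passwords, tokens and
    # personal data from POST bodies into logs/access.txt in clear text.
    log_format main '$remote_addr [$time_iso8601] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.txt main;

    # Cache-Control value for html/htm pages served through http_server_view.
    # add_header skips a header whose value is empty, so other URIs get none.
    map $uri $view_cache_control {
        ~\.(html|htm) "no-store";
        default "";
    }

    # Redirect http to https
    server {
        include vars.conf;
        listen 80;
        server_name hongxin.3dgis.net.cn;
        return 302 https://$server_name$request_uri;
    }

    server {
        include vars.conf;
        listen 443 ssl http2;
        server_name hongxin.3dgis.net.cn;
        proxy_pass_header Server;
        ssl_certificate cert/tiocloud/site.pem;
        ssl_certificate_key cert/tiocloud/site.key;
        include common-ssl.conf;
        include common-main.conf;
    }

    # Redirect http to https
    server {
        include vars.conf;
        listen 80;
        server_name thongxin.3dgis.net.cn;
        return 302 https://$server_name$request_uri;
    }

    server {
        include vars.conf;
        listen 443 ssl http2;
        server_name thongxin.3dgis.net.cn;
        ssl_certificate cert/tiocloud/tres.pem;
        ssl_certificate_key cert/tiocloud/tres.key;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # TLS termination only; the real work happens in the loopback vhost on 9292.
        location / {
            proxy_pass http://127.0.0.1:9292;
            proxy_set_header Host $host;
            proxy_set_header X-Real-Ip $remote_addr;
            # $remote_addr (not $proxy_add_x_forwarded_for) discards any
            # client-supplied X-Forwarded-For at the edge.
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }

    # Plain-HTTP backend vhost behind the thongxin.3dgis.net.cn TLS server above.
    # It is bound to loopback only: the former `listen 9292;` bound every interface
    # and exposed this unencrypted backend, its API upstream and the local page tree
    # directly on port 9292 of the host.
    server {
        include vars.conf;
        listen 127.0.0.1:9292;
        server_name 47.97.172.38;
        proxy_pass_header Server;

        # CORS: a `*` origin cannot be combined with credentials (browsers reject the
        # response), so the former `Access-Control-Allow-Credentials 'true'` was a no-op
        # and was dropped. To allow credentialed calls, echo an allow-listed origin
        # instead of `*`.
        add_header 'Access-Control-Allow-Origin' * always;
        add_header 'Access-Control-Allow-Methods' 'PUT,GET,POST,OPTIONS';
        # HSTS is emitted here rather than on the TLS vhost; it reaches browsers only
        # because the 443 server proxies this response through unchanged.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Frame-Options $X_Frame_Options;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        # HTTP API upstream (`~` = case-sensitive regex match).
        # The pattern is unanchored: "/api/" or "/letao/" anywhere in the URI matches.
        location ~ /(api/|letao/) {
            proxy_pass $http_server_api_1;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Real-PORT $remote_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
            expires -1;
        }

        # Served from nginx's local tree: "/res/xxxx/..." where xxxx is variable
        # (the regex is unanchored, so "/res/" may appear anywhere in the URI).
        # Inert proxy_* directives were removed: nothing is proxied here, and the
        # error_page targets are re-matched against the locations below.
        # NOTE: `=200` turns 404s into 200 responses, which hides probing from
        # status-code based monitoring.
        location ~ /res/.+/.*$ {
            etag on;
            root $pages_dir;
            error_page 404 =200 /p400/index.html;
            error_page 500 502 503 504 =200 /p500/index.html;
            expires 12h;
        }

        # Front-end assets served by http_server_view
        location ~ .*\.(js|css|html|htm)(.*) {
            proxy_pass $http_server_view_1;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            index index.html index.htm;
            proxy_set_header x-real-ip $remote_addr;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
            proxy_set_header host $http_host;
            # The former `location ~ .*\.(html|htm)(.*)` was unreachable: this regex
            # precedes it and matches every URI it matched, so its `Cache-Control
            # no-store` never applied. The map $view_cache_control provides it here.
            add_header Cache-Control $view_cache_control;
            # add_header in a location discards the server-level add_header set,
            # so the CORS and security headers are repeated here.
            add_header 'Access-Control-Allow-Origin' * always;
            add_header 'Access-Control-Allow-Methods' 'PUT,GET,POST,OPTIONS';
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
            add_header X-Frame-Options $X_Frame_Options;
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
        }

        # Everything else: nginx's local tree (inert proxy_* directives removed).
        location / {
            etag on;
            root $pages_dir_1;
            error_page 404 =200 /p400/index.html;
            error_page 500 502 503 504 =200 /p500/index.html;
            index index.html index.htm;
            expires 12h;
        }
    }

    include server/*.conf;
}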
https证书配置