├── .editorconfig ├── README.md ├── sites-available ├── http-server-tpl.conf └── https-server-tpl.conf ├── sites-certs ├── dhparam.pem └── example.com │ ├── root.crt │ ├── ssl_certificate.crt │ ├── ssl_certificate.csr │ └── ssl_certificate.key ├── sites-enabled └── example-www.conf ├── sites-options ├── add-headers.conf ├── error-pages.conf ├── gzip.conf ├── logging.conf ├── proxy-options.conf └── ssl-options.conf └── url-filters └── security.conf /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | charset = utf-8 5 | indent_style = space 6 | indent_size = 2 7 | end_of_line = lf 8 | insert_final_newline = true 9 | trim_trailing_whitespace = true 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # nginx 通用配置模板 2 | 3 | 整理 [nginx][nginx] 通用配置模板,方便新项目复用,在此感谢 [旅销宝][旅销宝],让我有机会使用 [nginx][nginx] 配置 https 服务,并且有了推广的能力。 4 | 5 | > 本项目仅在 windows 10 上测试成功,虽然我有 linux 服务器,可是我就是不尝试,你能拿我咋地 (#^.^#)。 6 | 7 | ## 目录结构 8 | 9 | ```bash 10 | nginx-conf/ 11 | ├── url-filters/ # 过滤器,主要用于拦截异常请求 12 | ├── sites-options/ # 公共可选配置 13 | ├── sites-enabled/ # 目前启动的站点配置 14 | ├── sites-available/ # 可用站点配置 ( 含废弃,历史,存档等配置 ) 15 | | ├── http-server-tpl.conf 16 | | └── https-server-tpl.conf 17 | └── sites-certs/ # https 证书存放目录 18 | └── dhparam.pem 19 | ``` 20 | 21 | ## 引入配置文件 22 | 23 | > path/to 为 nginx 的安装目录 24 | 25 | **1. 在 `path/to/conf/nginx.conf` 文件中添加以下代码** 26 | 27 | ```bash 28 | # 注意:http 块在 nginx.conf 中已经存在,只需在其中添加 include 这一行 29 | http { 30 | ... 31 | 32 | include ../sites-enabled/*.conf; 33 | 34 | ... 35 | } 36 | ``` 37 | 38 | **2. 复制项目下的所有文件夹到 [nginx][nginx] 安装目录下** 39 | 40 | **3. 配置新站点** 41 | 42 | 1. 从 `sites-available` 复制模板文件到 `sites-enabled` 目录 43 | 2. 根据实际项目需要修改里面的 `server_name` 44 | 3. 如果是 https 还需要将证书的路径添加正确;仓库自带的 `sites-certs/example.com` 证书、私钥以及 `dhparam.pem` 已随仓库公开,仅供示例,部署时请换成自己生成的文件 45 | 46 | **4.
检查 [nginx][nginx] 是否配置成功** 47 | 48 | ```bash 49 | # 注意:这个命令只检查语法,而且通配符 include 没有匹配到任何文件时不会报错 50 | # 比如: include cc/*.conf, 如果 cc 文件夹不存在也不会报错 51 | # 但是如果是引入单个文件,文件不存在,就会报错 52 | nginx -t 53 | ``` 54 | 55 | **5. 重新加载配置文件** 56 | 57 | ```bash 58 | nginx -s reload 59 | ``` 60 | 61 | ## Nginx 常用命令 62 | 63 | ```bash 64 | # 检查 nginx 配置是否正确 65 | nginx -t 66 | 67 | # 停止服务 68 | nginx -s stop 69 | 70 | # 退出服务 71 | nginx -s quit 72 | 73 | # 重新加载配置 74 | nginx -s reload 75 | ``` 76 | 77 | ## 本地使用 78 | 79 | > windows/mac 修改本机 hosts 文件,推荐使用 [switchhosts][switchhosts] 软件管理本机 host 80 | 81 | ```bash 82 | 127.0.0.1 example.com 83 | 127.0.0.1 www.example.com 84 | ``` 85 | 86 | 在浏览器中使用 `example.com` 就可以访问到 nginx 中配置的项目了 87 | 88 | ## 注意事项 89 | 90 | windows 用户使用命令方式需加上参数 -p 指定 nginx 的安装目录,路径加引号是因为其中有空格 91 | 92 | ```bash 93 | # 检查 nginx 配置是否正确 94 | nginx -p "C:\Program Files (x86)\nginx-1.13.8" -t 95 | 96 | # 重新加载配置 97 | nginx -p "C:\Program Files (x86)\nginx-1.13.8" -s reload 98 | ``` 99 | 100 | 项目仅参考了 [旅销宝][旅销宝] 的配置,更多的是基于我自身在使用过程中的理解,so,可能会出现很大部分误差,推荐本地开发使用,生产使用请慎重。 101 | 102 | 在我的 windows 10 上 [nginx][nginx] 不支持 deferred 和 reuseport,linux 阵营的可以去了解下这两个,看介绍貌似挺牛 X 的,值得去尝试。 103 | 104 | 编写配置时用的 [nginx][nginx] 为 1.13.8 版本,低于或高于这个版本的请自测,不行请自行处理,顺便提供下解决方案,不谢 (#^.^#)! 105 | 106 | 107 | ## Thanks 108 | 109 | 以下排名不分先后 110 | 111 | - [nginx][nginx] 112 | - [旅销宝][旅销宝] 113 | - [nginx-conf][nginx-conf] 114 | - And more open source projects.
115 | 116 | ## LICENSE 117 | 118 | MIT 119 | 120 | [旅销宝]: https://www.lxiaobao.com/ 121 | [nginx]: http://nginx.org/ 122 | [nginx-conf]: https://github.com/carlbennett/nginx-conf 123 | [switchhosts]: https://github.com/oldj/SwitchHosts 124 | -------------------------------------------------------------------------------- /sites-available/http-server-tpl.conf: -------------------------------------------------------------------------------- 1 | ################################################################## 2 | # name: Project Name 3 | # domain: example.com 4 | # path: /path/to/example_project 5 | ################################################################# 6 | 7 | server { 8 | server_name example.com 9 | www.example.com; 10 | 11 | # 注意: default_server 和 ipv6only 只能存在一次 12 | # 如果需要添加新的站点,需要删除 default_server 和 ipv6only 13 | listen 80 default_server; 14 | listen [::]:80 default_server ipv6only=on; 15 | 16 | include ../url-filters/*.conf; 17 | 18 | include ../sites-options/add-headers.conf; 19 | include ../sites-options/error-pages.conf; 20 | 21 | location = /robots.txt { 22 | return 200 "User-agent: *\nDisallow: /\n"; 23 | } 24 | 25 | location / { 26 | include ../sites-options/proxy-options.conf; 27 | proxy_pass http://127.0.0.1:8080; 28 | } 29 | } -------------------------------------------------------------------------------- /sites-available/https-server-tpl.conf: -------------------------------------------------------------------------------- 1 | ################################################################## 2 | # name: Project Name 3 | # domain: example.com 4 | # path: /path/to/example_project 5 | ################################################################# 6 | 7 | server { 8 | server_name example.com 9 | www.example.com; 10 | 11 | # 注意: default_server 和 ipv6only 只能存在一次 12 | # 如果需要添加新的站点,需要删除 default_server 和 ipv6only 13 | listen 80 default_server; 14 | listen [::]:80 default_server ipv6only=on; 15 | 16 | include ../url-filters/*.conf; 17 | 18 | 
return 301 https://$server_name$request_uri; 19 | } 20 | 21 | server { 22 | server_name example.com 23 | www.example.com; 24 | 25 | listen 443 ssl http2; 26 | listen [::]:443 ssl http2; 27 | 28 | ssl_certificate ../sites-certs/example.com/ssl_certificate.crt; 29 | ssl_certificate_key ../sites-certs/example.com/ssl_certificate.key; 30 | 31 | include ../url-filters/*.conf; 32 | 33 | include ../sites-options/add-headers.conf; 34 | include ../sites-options/ssl-options.conf; 35 | include ../sites-options/error-pages.conf; 36 | 37 | location = /robots.txt { 38 | return 200 "User-agent: *\nDisallow: /\n"; 39 | } 40 | 41 | location / { 42 | include ../sites-options/proxy-options.conf; 43 | proxy_pass http://127.0.0.1:8080; 44 | } 45 | } -------------------------------------------------------------------------------- /sites-certs/dhparam.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIIBCAKCAQEArZ+vRB7U+Om3mEx3WmHpWs6V4jPv308U0Wz+r4gnMA8r9vwgvyFL 3 | IkGsQSAv5UHqSSc8zQJyJ/cHC6SZa1ft4NtIkDxu81BaXHqNwsGc2keWbYePBg5h 4 | m4BcN6/ZxANtWfedadaivwAQ4+8n4vidQ+nn9rYuQC3cBwRKRPAT8INoQYOKt4Ej 5 | hte0Z/zNbSv13tg/8rzs1t0Aqa4hGzP6+H11xeiWEpn+V4iaK2//cjr72OEvgWM2 6 | TEpE9CmMUMmaUl0Q3wqodGiDttho0KgPsuwSc6CTAmeG0fIXpfGfqsHu0esHKKi2 7 | DurxROuzmrWVmFCmyZmOaX7w2uqOgSs0CwIBAg== 8 | -----END DH PARAMETERS----- 9 | -------------------------------------------------------------------------------- /sites-certs/example.com/root.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDuTCCAqGgAwIBAgIJAPIdJb0RdwhzMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV 3 | BAYTAkNOMRAwDgYDVQQIDAdUaWFuamluMRAwDgYDVQQHDAdUaWFuamluMRUwEwYD 4 | VQQKDAxDSElOQVNTTCBJbmMxKTAnBgNVBAMMIENISU5BU1NMIENlcnRpZmljYXRp 5 | b24gQXV0aG9yaXR5MB4XDTE2MDgyNjAyMzAzM1oXDTQ0MDQxNjAyMzAzM1owczEL 6 | MAkGA1UEBhMCQ04xEDAOBgNVBAgMB1RpYW5qaW4xEDAOBgNVBAcMB1RpYW5qaW4x 7 | 
FTATBgNVBAoMDENISU5BU1NMIEluYzEpMCcGA1UEAwwgQ0hJTkFTU0wgQ2VydGlm 8 | aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB 9 | AQCvFNsKGlWA/z7s1ci0QkzoACs2KlUFvERoSSDl74iDgRrRgzTqNznZG4zPxUmV 10 | 0IjkCo6d297Sn3pZa+Tjj+HvyzqJg72N2jf0ToCbLxvA+NsnPCHjKk52R4jA6f+s 11 | GdGw25xe1KSVU7FUOPYGpbkG+K7HHZ+MBCskutjtbvbVR85axy7dzm5R5Xtah2HC 12 | 783azeicJN7hmVNEeXVzOujz0AQVvMUG6Q4QxUurwcmMnzN9H2XVCv287drtfzdr 13 | PBudLfkpnJ/FADQ2UbeDmAdnYwnzaSmO93V6N64QhLr4oXW8qpld2BMEV4+D/Sr2 14 | 4Vg+cFLAgBTWuAItCGSwCZjBAgMBAAGjUDBOMB0GA1UdDgQWBBRcHyP6yOEhMcLY 15 | N/aI/NJvwlRDMzAfBgNVHSMEGDAWgBRcHyP6yOEhMcLYN/aI/NJvwlRDMzAMBgNV 16 | HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB98HrVG+xDsOqN5r8jQ1YvFh+4 17 | fdWnkesr4quE/hNdTAfUqGcim3pX8g/NBXwk+YnKEcS0d+gwG8uDPZpDTuDZhyg4 18 | SD4CniuLS8XDeg8xTqCwiD1pB9CP6xm5RUWw+mt2VSNeq85rKBw5rJQzLOSghk8x 19 | EH8Fek0tbrpCwEi3ES8qywqD3QCZ3WXRMvusYG2HrSSoavWqvaaE7Zo/0p4KTwI/ 20 | ylbQIj7lgIb4hK2jknKqK2PO08r6TtFYBsaR/ciL99LUsbzwlgHPmCGzpzILRAyq 21 | UyOs7q0PGep+9q2Gq4tMIVx64Ny/6aBaumLKFLoduutIH5rUzafaR4bNHeiK 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /sites-certs/example.com/ssl_certificate.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIID8TCCAtmgAwIBAgICByQwDQYJKoZIhvcNAQELBQAwczELMAkGA1UEBhMCQ04x 3 | EDAOBgNVBAgMB1RpYW5qaW4xEDAOBgNVBAcMB1RpYW5qaW4xFTATBgNVBAoMDENI 4 | SU5BU1NMIEluYzEpMCcGA1UEAwwgQ0hJTkFTU0wgQ2VydGlmaWNhdGlvbiBBdXRo 5 | b3JpdHkwHhcNMTgwMTE5MTY1MzE3WhcNMTkwMTE5MTY1MzE3WjCBgzELMAkGA1UE 6 | BhMCQ04xETAPBgNVBAgMCEhhbmdaaG91MRQwEgYDVQQKDAtFeGFtcGxlIEluYzEP 7 | MA0GA1UECwwGQ2hyb21lMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20xIDAeBgkq 8 | hkiG9w0BCQEWEWFkbWluQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC 9 | AQ8AMIIBCgKCAQEA9WfS37jDzE1Go5Df/MmU0OzKnU+hjd8Kw0aQEVzNa0TW06tb 10 | r59KB1E8t24PC2C7NCtgiT5cyAX//lmbmJ8Ql5wm3V1CJqqHNUcDtOQSDNmgYxQC 11 | 
CIFCDGa+yDwR1G0DzoV31reL3PkDlAoyERJCwAgTyv2p1TUQTO2oCnjF+do8rEa4 12 | DurTSAT9M8cyHxDi25cjaMqFPdtk0j9fnf0OBpW2w988EdmaotsIOXBe5U2YumEo 13 | IzVZheQdT0fMi2A2tUFp8Z0aj6cLpQESvGnCQpjepOXdBFPrh0eXmFxufXi3jwG9 14 | 1hLxqgMEMPWFBIMJzGuMFhga1638UsqzpKvzKwIDAQABo34wfDAJBgNVHRMEAjAA 15 | MC8GCWCGSAGG+EIBDQQiFiBDSElOQVNTTCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 16 | eTAdBgNVHQ4EFgQU2WvE4HcM4AHL4VxMilGf62qUKeMwHwYDVR0jBBgwFoAUXB8j 17 | +sjhITHC2Df2iPzSb8JUQzMwDQYJKoZIhvcNAQELBQADggEBAIbCztxvMAM434Qr 18 | vY7yr4dnDqQ5rje812Lx6lNr9dilO4oaceWkVlUl1NFV+05u93xF9W2+uovlE80J 19 | VSlIiC9+IoEYozbGDgk7sPkMn6ppc+SNJxR0K2CA7/Cc6nyjBN9hZflM0OHAz+EI 20 | 6GM8sOWvtMN9ih1rtBBVkn9HNfKpAPZ3jJoSrOvN2EtNg6q3Hgf02hbn9Qnvi3PI 21 | fopWOTVYQ7seSvj5Cey8WMkA5b2pHp7RHPIddanY+y85AE+/RabY3dUPBB2Q9Jyx 22 | 3tbTi99a84+oIvnCbgrpem9L9q7PLM3MJtvzJgb++kAJXxmlo+2BIosjF9AleH3R 23 | LPNpx9M= 24 | -----END CERTIFICATE----- 25 | -------------------------------------------------------------------------------- /sites-certs/example.com/ssl_certificate.csr: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE REQUEST----- 2 | MIIC3DCCAcQCAQAwgZYxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhIYW5nWmhvdTER 3 | MA8GA1UEBwwIWmhlSmlhbmcxFDASBgNVBAoMC0V4YW1wbGUgSW5jMQ8wDQYDVQQL 4 | DAZDaHJvbWUxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTEgMB4GCSqGSIb3DQEJ 5 | ARYRYWRtaW5AZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK 6 | AoIBAQD1Z9LfuMPMTUajkN/8yZTQ7MqdT6GN3wrDRpARXM1rRNbTq1uvn0oHUTy3 7 | bg8LYLs0K2CJPlzIBf/+WZuYnxCXnCbdXUImqoc1RwO05BIM2aBjFAIIgUIMZr7I 8 | PBHUbQPOhXfWt4vc+QOUCjIREkLACBPK/anVNRBM7agKeMX52jysRrgO6tNIBP0z 9 | xzIfEOLblyNoyoU922TSP1+d/Q4GlbbD3zwR2Zqi2wg5cF7lTZi6YSgjNVmF5B1P 10 | R8yLYDa1QWnxnRqPpwulARK8acJCmN6k5d0EU+uHR5eYXG59eLePAb3WEvGqAwQw 11 | 9YUEgwnMa4wWGBrXrfxSyrOkq/MrAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEA 12 | FJ47vmx46iJQEuFttjwpgHJeO8QVS6s1oMK/uA8gUBJUGln/kyDOwzuu+urKDAJj 13 | u2Ww9T08P+qTNcF+qZUyyoc08zKRuiH8bP14v4gRfrt9Sea1InY4btZNGfHugnWS 14 | 
vBefuk5WOdqKZ6CJ/JxbLQMwA3hegkwipwcV3FjzeXBPDAvMf9BxzVgn7FKQB7ky 15 | CwAjnHuHPcD9rEe2KS9OJdLSEhOBa4eVccTkmq6ys7OMTlAgZgSfS2h+qf2x+ocO 16 | B71fLv6zIOncYTXuktj7gnOoh1/UZILzMsfH67iqBgq7lBJyosu/F2wgtLrGejD8 17 | LWU6qoTPcNVELAvXQjm4tw== 18 | -----END CERTIFICATE REQUEST----- 19 | -------------------------------------------------------------------------------- /sites-certs/example.com/ssl_certificate.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD1Z9LfuMPMTUaj 3 | kN/8yZTQ7MqdT6GN3wrDRpARXM1rRNbTq1uvn0oHUTy3bg8LYLs0K2CJPlzIBf/+ 4 | WZuYnxCXnCbdXUImqoc1RwO05BIM2aBjFAIIgUIMZr7IPBHUbQPOhXfWt4vc+QOU 5 | CjIREkLACBPK/anVNRBM7agKeMX52jysRrgO6tNIBP0zxzIfEOLblyNoyoU922TS 6 | P1+d/Q4GlbbD3zwR2Zqi2wg5cF7lTZi6YSgjNVmF5B1PR8yLYDa1QWnxnRqPpwul 7 | ARK8acJCmN6k5d0EU+uHR5eYXG59eLePAb3WEvGqAwQw9YUEgwnMa4wWGBrXrfxS 8 | yrOkq/MrAgMBAAECggEAVtfe7/zajTnrfYaPPU24tBaXvQOpECOWE3StFvfYWdWK 9 | kG1bjNK5x80fx2nTORuKI/QVvXusKby10rSzM1dW78/6kOuntTczkc8HqMPs/08k 10 | SuuRrKDRVsIlUYawaJQLfNIOjpV1kUUt1v2kqhXkOUCigHsz1pdopVCU3t/Ob5Px 11 | 7Beu9r2KehBJJ4zBP/CQKmhO166p9M+3pDRseBD5HU2WcXa7SqJaDVLsWJbiOFUy 12 | 9/4ZEu8yJbl/7AJ11wd2pT5isn8a9lEDg4Xwl5laACZAa9Sinwt+Bvwiur1zXuYg 13 | dHFAdoZAlgND16v8/4f5mkVjiJ1n9ZYr/DwUNX/BQQKBgQD9SDRAK14ARe0jbQ4d 14 | KG3Mo9JSXtZDSq5bzVcxezzBT33NJZiFaPE/XXLKorVGHcKA08DX+pKb7Gba9To5 15 | EPznKHCCvqhIdLBFuaozroGcubMMgJS7o2FrkFO0bpuyGzGBiSCVhPuoK6JYN/Ve 16 | MSEIJ3zcXIDRd+89pAjv2Kx2RQKBgQD4Cfti+kiMzxwkZZvuli/B8NqGr2EfB9I1 17 | CmzlrM1bIM91xVa7lwHp4698P1w5jLzclwzrCV9Oi1HtQIGXFQrD4sVV7OjW0GO5 18 | EJar3SPpjuZYKvjt8Z0j1XXxkcaVvvu3XQTeDbo42FG6PvDpU19BpDyvZM54wu8H 19 | 80gpgiFSrwKBgQDiWE9RdS/5IIRuXzv4tLOC6HfBYr0pv6iXo6ajMpW1z1sGJO3r 20 | cz/8t38pNUS4F0pFpHa2zFeOfjHgxLu2WccYsJvzS3zJ23XXqbc/nlh3/b/TkWjZ 21 | UoVyAbW8DgiXnxObxjbXR9M5k1zuZ3ugJFl3lwpPR19bUkn7lQbjiId+3QKBgDUt 22 | 1rLy3EksQmlfS55MnvKi1AdaZKVFhQEQOibH9MNb9n7Wj3DqwGNICKDH6NsB3KAi 23 | 
1ocx3Dg30JngYahlv4gd/5cbkxQzW54a+2Lfp8p0c9hlZjeFvN4o7v+a9Iu4hblb 24 | fSaqpMl5P5SB2B7+XAbz0nr8TvQ/PwZiV49msgRLAoGBAOeWNhq3vXMVYbWHx+wx 25 | E/yxNz2CwZOmsrK+BrkNlZ5aW5zdggy+1mrpKX5nlsHl+AYixqCFRYE3XsxhbBRw 26 | wx7Kh8PnsYecajSHdsY0Ne6N1MQP+PYtG+7IOmSpNWEJSlF7xXEzr7l5yd/XKbA0 27 | 4ZKvT6U7q6pqektQscVXAuvN 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /sites-enabled/example-www.conf: -------------------------------------------------------------------------------- 1 | ################################################################## 2 | # name: Project Name 3 | # domain: example.com 4 | # path: /path/to/example_project 5 | ################################################################# 6 | 7 | server { 8 | server_name example.com 9 | www.example.com; 10 | 11 | # 注意: default_server 和 ipv6only 只能存在一次 12 | # 如果需要添加新的站点,需要删除 default_server 和 ipv6only 13 | listen 80 default_server; 14 | listen [::]:80 default_server ipv6only=on; 15 | 16 | include ../url-filters/*.conf; 17 | 18 | include ../sites-options/add-headers.conf; 19 | include ../sites-options/error-pages.conf; 20 | 21 | location = /robots.txt { 22 | return 200 "User-agent: *\nDisallow: /\n"; 23 | } 24 | 25 | location / { 26 | include ../sites-options/proxy-options.conf; 27 | proxy_pass http://127.0.0.1:8080; 28 | } 29 | } -------------------------------------------------------------------------------- /sites-options/add-headers.conf: -------------------------------------------------------------------------------- 1 | # 设置长连接 2 | keepalive_timeout 70; 3 | 4 | # 减少点击劫持 5 | add_header X-Frame-Options DENY; 6 | 7 | # 禁止服务器自动解析资源类型 8 | add_header X-Content-Type-Options nosniff; 9 | 10 | # 防 XSS 攻擊 11 | add_header X-Xss-Protection 1; 12 | 13 | # HSTS策略 14 | # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; 15 | -------------------------------------------------------------------------------- 
/sites-options/error-pages.conf: -------------------------------------------------------------------------------- 1 | # error_page 404 /404.html; 2 | 3 | # redirect server error pages to the static page /50x.html 4 | # 5 | error_page 500 502 503 504 /50x.html; 6 | location = /50x.html { 7 | root html; 8 | } -------------------------------------------------------------------------------- /sites-options/gzip.conf: -------------------------------------------------------------------------------- 1 | # from https://github.com/carlbennett/nginx-conf 2 | # System-wide compression 3 | 4 | # Note: Be careful not to include this file on SSL/TLS-enabled server blocks. 5 | # See the BREACH and CRIME attacks for more info. 6 | 7 | # Enable Gzip? 8 | gzip on; 9 | 10 | # Buffer pool count and their size. 11 | gzip_buffers 32 4k; 12 | 13 | # Compression level from worst to best (1-9) compressed. 14 | # A higher value will require more CPU per request. 15 | gzip_comp_level 6; 16 | 17 | # Disable Gzip if the user-agent matches the regular expression. 18 | gzip_disable "MSIE [1-6]\.(?!.*SV1)"; 19 | 20 | # Disable Gzip if the HTTP version is less than this value. 21 | gzip_http_version 1.1; 22 | 23 | # The required minimum size of the body (in bytes) for it to get compressed. 
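24 | gzip_min_length 4096; 25 | 26 | # Compress the following extensions: 27 | # css, exe, dll, gif, jpeg, jpg, json, js, png, so, ttf, txt, xml 28 | gzip_types application/font-sfnt 29 | application/json 30 | application/octet-stream 31 | application/vnd.ms-fontobject 32 | application/x-font-ttf 33 | application/xml 34 | font/opentype 35 | font/x-woff 36 | image/gif 37 | image/jpeg image/jpg 38 | image/png 39 | text/css 40 | text/javascript 41 | text/plain 42 | ; -------------------------------------------------------------------------------- /sites-options/logging.conf: -------------------------------------------------------------------------------- 1 | # This format shouldn't be used if `conf.d/real-ip-resolution.conf` is 2 | # included further below, since `$remote_addr` will populate with the 3 | # correct IP address. `$http_host` and `$http_x_forwarded_for` are request headers sent by the client, so treat both log fields as untrusted. 4 | log_format vhost_proxy_combined '$http_host $http_x_forwarded_for - ' 5 | '$remote_user [$time_local] "$request" ' 6 | '$status $body_bytes_sent ' 7 | '"$http_referer" "$http_user_agent"'; 8 | 9 | access_log logs/access.log vhost_proxy_combined; # was `vhost_combined`, a format name this file never defines 10 | error_log logs/error.log warn; -------------------------------------------------------------------------------- /sites-options/proxy-options.conf: -------------------------------------------------------------------------------- 1 | # http://bl.ocks.org/abernier/3070589 2 | 3 | proxy_redirect off; 4 | 5 | proxy_pass_header Server; # passes the upstream's Server header through to clients, which discloses the backend software; remove this line to hide it 6 | 7 | proxy_set_header Host_NAME $host; 8 | proxy_set_header Host $http_host; # NOTE(review): $http_host is the client's raw Host header; on a default_server block any value reaches the upstream, so the upstream should not build links or redirects from it without validation 9 | 10 | proxy_set_header X-Scheme $scheme; 11 | proxy_set_header X-Forwarded-Proto $scheme; 12 | proxy_set_header X-Real-IP $remote_addr; 13 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # keeps any X-Forwarded-For value the client sent and appends $remote_addr; only X-Real-IP is set solely by nginx 14 | 15 | # proxy_connect_timeout 10; 16 | # proxy_read_timeout 120; -------------------------------------------------------------------------------- /sites-options/ssl-options.conf: -------------------------------------------------------------------------------- 1 | # ssl on;  # disabled: deprecated since nginx 1.15.0 in favour of the `ssl` parameter of `listen`, which https-server-tpl.conf already sets (`listen 443 ssl http2`) 2 | 3 | # Prefer the server's cipher order over the client's 4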
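| ssl_prefer_server_ciphers on; 5 | 6 | # DH parameter file. The dhparam.pem committed in this repository is public sample data; generate a site-specific file before deployment. 7 | ssl_dhparam ../sites-certs/dhparam.pem; 8 | ssl_protocols TLSv1.2; # TLSv1 and TLSv1.1 removed (both deprecated by RFC 8996); append TLSv1.3 where the nginx/OpenSSL build supports it 9 | 10 | # Cipher list. The `EECDH+aRSA+RC4` entry was dropped: the trailing `!RC4` already excluded every RC4 suite, so the effective set is unchanged. 11 | ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; 12 | 13 | # Size of the shared session cache; tune it to the site's traffic 14 | ssl_session_cache shared:SSL:10m; 15 | 16 | # Session timeout 17 | ssl_session_timeout 10m; -------------------------------------------------------------------------------- /url-filters/security.conf: -------------------------------------------------------------------------------- 1 | # Deny access to special files and directories: *.sh, *.log and any path segment that starts with a dot. The old pattern ended in `sh?$` / `log?$`, where `?` made the last letter optional (so `.s` and `.lo` matched too), and `~` was case-sensitive, so `.SH` / `.LOG` were not covered. NOTE(review): `/\.` also matches `/.well-known/`, which ACME HTTP-01 validation uses. 2 | location ~* (.*\.sh$|/\.|.*\.log$) { 3 | return 444; # nginx-specific code: close the connection without sending a response 4 | } --------------------------------------------------------------------------------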