文档说明:只记录关键地方;
nginx 配置文件nginx.conf
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 10240;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main escape=json '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'host:"$host" '
'request_uri:"$request_uri" '
'upstream_addr: "$upstream_addr" '
'upstream_response_time: "$upstream_response_time" '
;
# underscores_in_headers on;
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
server_tokens off;
resolver 223.5.5.5 223.6.6.6 2400:3200::1 2400:3200:baba::1 ;
# 关闭IPV6解析
# resolver 223.5.5.5 223.6.6.6 2400:3200::1 2400:3200:baba::1 ipv6=off;
gzip on;
gzip_vary on;
gzip_comp_level 6;
gzip_buffers 4 16k;
gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/xml text/javascript application/json image/png image/gif image/jpeg;
proxy_buffer_size 1024k;
proxy_buffers 32 1024k;
proxy_busy_buffers_size 1024k;
proxy_temp_file_write_size 1024k;
client_body_buffer_size 1024k;
server_names_hash_bucket_size 256;
client_max_body_size 50M;
map_hash_bucket_size 256;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
include /etc/nginx/conf.d/*.conf;
}
nginx default.conf
server {
listen 80;
listen [::]:80;
server_name your-domain;
rewrite ^(.*) https://$server_name$1 permanent;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name your-domain;
charset utf-8;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy upgrade-insecure-requests;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Referrer-Policy "no-referrer";
location / {
root html;
index index.html index.htm;
}
}
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_reject_handshake on; #非服务器名称的 SSL 握手直接拒绝
return 444;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 444;
}
指定类型的文件设置缓存
location ~* \.(css|js|png|jpg|jpeg|gif|gz|svg|mp4|ogg|ogv|webm|htc|xml|woff)$ {
access_log off;
add_header Cache-Control max-age=360000;
}
参考文档
- nginx features
- nginx documentation
- HTTP安全
- nginx解决跨域关键点
- 拷贝nginx容器内配置文件到容器外
- nginx TLSv1.3配置
- SSL web配置参考网站(SSL Configuration Generator)