Nginx 的配置
HTTP
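# Main (core) context.
# Worker processes run as this unprivileged user; the master process still
# runs as root to bind :443 and read the private keys, so keep key files
# readable by root only.
user www;
worker_processes auto;
# Maximum number of open files per worker process.
# Must exceed events.worker_connections; a proxied connection consumes two
# descriptors (client side + upstream side), so leave headroom.
# Default: no limit
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
worker_rlimit_nofile 8192;
# Log at "error" rather than "crit": OCSP stapling failures, upstream
# connect failures and rejected requests are logged at error level and are
# invisible at crit, which blinds incident response.
error_log /var/log/nginx/error.log error;
pid /var/run/nginx.pid;
# JIT-compile regex locations (needs PCRE built with JIT support).
pcre_jit on;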
events {
    # epoll is the Linux event method; nginx would auto-select it anyway.
    use epoll;
    # Per-worker connection cap (clients plus upstream connections); keep it
    # below worker_rlimit_nofile in the main context.
    worker_connections 8000;
}
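http {
    # Hide the nginx version in the Server header and on built-in error pages.
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset UTF-8;

    # Standard "combined" format plus gzip ratio. The original line had the
    # separators and quotes misplaced (e.g. "$remote_addr-$remote_user" with
    # no delimiter, status quoted and the request not), which makes the
    # fields unparseable by log tooling.
    # NOTE: $http_x_forwarded_for is client-supplied unless a trusted proxy
    # overwrites it; do not treat it as the source IP in detections.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"';
    # Access logging is disabled globally (original choice, presumably for
    # throughput). This leaves no request trail for incident response; to
    # enable it, replace with: access_log /var/log/nginx/access.log main;
    access_log off;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Upper bound on request bodies (413 above this). 100m applies to every
    # server below; lower it in servers that never accept uploads.
    client_max_body_size 100m;
    keepalive_timeout 300s;

    # Maps the client's Upgrade header to the Connection value a WebSocket
    # proxy should send upstream ("upgrade" for upgrades, "close" otherwise),
    # for use as: proxy_set_header Connection $connection_upgrade;
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # gzip
    # CAVEAT: compressing responses over TLS that mix secrets (CSRF tokens,
    # session identifiers) with attacker-controlled input enables
    # BREACH-style attacks; text/html is always compressed by the gzip
    # module. Keep secrets out of compressed dynamic responses or disable
    # gzip for those locations.
    gzip on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_proxied expired no-cache no-store private auth;
    # text/html is always compressed by HttpGzipModule
    gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;

    # brotli (requires the third-party ngx_brotli module; nginx refuses to
    # start on these directives without it). Same BREACH caveat as gzip.
    brotli on;
    brotli_comp_level 6;
    brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;

    include /etc/nginx/conf.d/*.conf;
}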
Server
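server {
    # NOTE: on nginx >= 1.25.1 the "http2" listen parameter is deprecated in
    # favour of a separate "http2 on;" directive.
    listen 443 ssl http2;
    server_name some_domain;
    root /absolute/path/to/your/site/public;
    # default charset
    charset utf-8;
    index index.php;

    # Security headers. "always" makes nginx emit them on every status code;
    # without it they are omitted on 4xx/5xx, including the 404 that is
    # routed to /index.php below. Any add_header inside a location block
    # replaces this whole set for that location.
    #
    # Disallow rendering inside a frame/iframe from other origins
    # (clickjacking); SAMEORIGIN still permits same-origin framing.
    # Some analytics tools that embed the page will break.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy XSS-auditor flag. Current browsers ignore it and OWASP now
    # recommends "0" (the auditor introduced its own information leaks);
    # kept at the original value to avoid changing the deployment here.
    add_header X-XSS-Protection "1; mode=block" always;
    # Disable MIME sniffing so user-supplied files are served only as the
    # declared Content-Type.
    # https://github.com/blog/1482-heads-up-nosniff-header-support-coming-to-chrome-and-firefox
    add_header X-Content-Type-Options "nosniff" always;
    # HSTS for two years. includeSubDomains and preload are hard to undo:
    # every subdomain must be HTTPS-only before this goes live.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # Not set here: Content-Security-Policy and Referrer-Policy; add them
    # once the application's script/style sources are known.

    # Diffie-Hellman parameters for DHE ciphersuites (2048 bits minimum):
    #   openssl dhparam -out dhparam.pem 2048
    # (The original line lacked the terminating semicolon, so "nginx -t"
    # rejected the configuration.)
    ssl_dhparam /home/www/ssl/dhparam.pem;
    # Certificate chain: leaf certificate followed by the intermediates.
    ssl_certificate /home/www/ssl/fullchain.pem;
    # Private key; must correspond to fullchain.pem and be readable by root
    # only.
    ssl_certificate_key /home/www/ssl/fabtek.key;

    # Forward-secret AEAD suites only (Mozilla "intermediate" profile,
    # https://wiki.mozilla.org/Security/Server_Side_TLS). The previous
    # "HIGH:..." string also allowed static-RSA key exchange (no forward
    # secrecy) and CBC/SHA-1 suites, contrary to the comment that claimed
    # the Mozilla modern list.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Session cache: roughly 4000 sessions per megabyte.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 1d;
    # Session tickets are encrypted with a key nginx never rotates; turn
    # them off so that forward secrecy is not undermined by a leaked key.
    ssl_session_tickets off;
    ssl_buffer_size 4k;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Must contain the issuer chain used to verify the stapled OCSP response.
    # This file names the Let's Encrypt X3 intermediate, which has been
    # retired; if the certificate was issued by a newer intermediate,
    # verification fails (stapling is then silently skipped - see
    # error.log). Point this at the chain that matches fullchain.pem.
    ssl_trusted_certificate /home/www/ssl/lets-encrypt-x3-cross-signed.pem;
    # Resolvers for OCSP responder lookups, queried over plain UDP; a local
    # validating resolver is preferable to public ones.
    resolver 114.114.114.114 119.29.29.29 223.5.5.5 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 2s;

    # TLS 1.3 0-RTT. Requests carried in early data can be replayed by a
    # network attacker, so the application must refuse state-changing
    # requests that arrive with early data (HTTP 425 Too Early). The flag
    # is forwarded to PHP in the .php location below.
    ssl_early_data on;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }
    error_page 404 /index.php;

    location ~ \.php$ {
        # Hand only existing files to PHP-FPM. Without this, a URI such as
        # /uploads/avatar.jpg/x.php reaches FPM and, with cgi.fix_pathinfo=1,
        # the uploaded image is executed as PHP.
        try_files $uri =404;
        #fastcgi_pass 127.0.0.1:9000;
        # NOTE: PHP 7.4 no longer receives security fixes; move the FPM pool
        # to a supported release.
        fastcgi_pass unix:/var/run/php74-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # "1" when the request arrived in TLS early data, "" otherwise;
        # visible to the application as $_SERVER['HTTP_EARLY_DATA'].
        fastcgi_param HTTP_EARLY_DATA $ssl_early_data;
        include fastcgi_params;
    }
    # Block dotfiles (.git, .env, .htaccess, ...) except ACME's .well-known.
    # "deny all" answers 403, which confirms the path exists; use
    # "return 404;" instead if that disclosure matters.
    location ~ /\.(?!well-known).* {
        deny all;
    }
}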
Jupyter Proxy
# Plain-HTTP listener: serves nothing itself, only sends clients to HTTPS.
server {
    server_name some_domain;
    listen 80;
    # $host echoes the client's Host header; $request_uri keeps path + query.
    return 301 https://$host$request_uri;
}
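server {
    listen 443 ssl http2;
    server_name some_domain;
    charset utf-8;

    # Paths without a leading "/" resolve relative to nginx's configuration
    # prefix (usually /etc/nginx); confirm with "nginx -T".
    ssl_certificate public.pem;
    ssl_certificate_key private.key;
    # No effect with TLSv1.3 only (there are no DHE suites); kept for parity
    # with the other server block.
    ssl_dhparam dhparam.pem;
    # With ssl_protocols TLSv1.3 only, ssl_ciphers and
    # ssl_prefer_server_ciphers do not apply: TLS 1.3 suites are selected
    # via "ssl_conf_command Ciphersuites ...". Kept so that re-enabling
    # TLSv1.2 later does not silently fall back to OpenSSL defaults.
    ssl_ciphers HIGH:!CAMELLIA:!ARIA:!PSK:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.3;
    # 0-RTT: requests in early data are replayable. Jupyter requests mutate
    # state (kernel execution, file writes), so the flag is forwarded below
    # and must be honoured upstream (425 Too Early); if it is not, set this
    # to off.
    ssl_early_data on;
    # Session cache: roughly 4000 sessions per megabyte.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 1d;
    # Ticket keys are never rotated by nginx; disable tickets to preserve
    # forward secrecy.
    ssl_session_tickets off;
    ssl_buffer_size 4k;

    # HSTS; the :80 server already redirects to https. No includeSubDomains
    # or preload here because this host may not control the whole domain.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Jupyter is remote code execution by design. This proxy adds no
    # authentication of its own and relies on Jupyter's token/password auth
    # (NOTE(review): confirm it is enabled upstream). Consider an allow/deny
    # list or client certificates here as a second layer.
    location / {
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the upstream that the client connection was TLS (secure
        # cookie flags, absolute URLs).
        proxy_set_header X-Forwarded-Proto $scheme;
        # Mitigation recommended by the ssl_early_data documentation: the
        # upstream sees "1" for requests that arrived in early data.
        proxy_set_header Early-Data $ssl_early_data;
        proxy_http_version 1.1;
        # websocket support. Sending "Connection: Upgrade" unconditionally
        # works for Jupyter but is imprecise; if a
        # "map $http_upgrade $connection_upgrade" exists in the http context,
        # use $connection_upgrade here instead.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # Idle kernels hold websockets open for a long time.
        proxy_read_timeout 86400;
        proxy_redirect off;
    }
}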