astro-jiao77.cn/jiao77.cn.nginx.conf
############################################################
# Nginx 服务器配置：jiao77.cn - HTTPS 完全版
# 支持多个子域名 HTTPS
#
# 域名列表 (仅列出部分，完整列表以下方各 server 块为准):
# - jiao77.cn (主站) + www.jiao77.cn
# - ai.jiao77.cn (AI 服务)
# - aliyun.jiao77.cn (阿里云服务)
# - gitea.jiao77.cn (Gitea 代码托管)
#
# SSL 证书：Let's Encrypt 自动申请并配置
############################################################
# ==========================================
# HTTP -> HTTPS redirect (main site)
# ==========================================
server {
    listen      80;
    server_name jiao77.cn www.jiao77.cn;

    # $server_name is the first name configured above, not the Host header the
    # client sent, so the redirect target is fixed; www is sent to the apex.
    # NOTE(review): no "default_server" is declared in the part of the file
    # reviewed here, so which block answers unknown Host values on :80 depends
    # on load order - confirm a catch-all exists elsewhere.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (AI)
# ==========================================
server {
    listen      80;
    server_name ai.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (Aliyun)
# ==========================================
server {
    listen      80;
    server_name aliyun.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (Gitea)
# ==========================================
server {
    listen      80;
    server_name gitea.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (QNas)
# ==========================================
server {
    listen      80;
    server_name qnas.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (Ollama API)
# ==========================================
server {
    listen      80;
    server_name ollama.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (WebDev WebDAV)
# ==========================================
server {
    listen      80;
    server_name webdev.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (AList)
# ==========================================
server {
    listen      80;
    server_name alist.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (Upsnap)
# ==========================================
server {
    listen      80;
    server_name upsnap.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (SunPanel)
# ==========================================
server {
    listen      80;
    server_name sunpanel.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (AudioBook)
# ==========================================
server {
    listen      80;
    server_name audiobook.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (Divination)
# ==========================================
server {
    listen      80;
    server_name divination.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (Halo)
# ==========================================
server {
    listen      80;
    server_name halo.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (WordPress)
# ==========================================
server {
    listen      80;
    server_name wp.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (Blog) - backend not configured yet
# ==========================================
server {
    listen      80;
    server_name blog.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
# ==========================================
# HTTP -> HTTPS redirect (salary)
# ==========================================
server {
    listen      80;
    server_name salary.jiao77.cn;

    # Target host comes from the configured server_name, not the client's Host header.
    return 301 https://$server_name$request_uri;
}
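# ==========================================
# HTTPS main site (jiao77.cn + www.jiao77.cn)
# Static SPA served from /var/www/jiao77.cn.
# ==========================================
server {
    listen 443 ssl http2;
    server_name jiao77.cn www.jiao77.cn;

    # TLS certificate (Let's Encrypt)
    ssl_certificate /etc/letsencrypt/live/jiao77.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jiao77.cn/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # TLS 1.2/1.3 only; ECDHE key exchange with AES-GCM suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (2 years). includeSubDomains on the apex applies to every
    # *.jiao77.cn name, including any not served over HTTPS by this file.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    root /var/www/jiao77.cn;
    index index.html;

    # Security headers.
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; it is kept unchanged here.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Logs
    access_log /var/log/nginx/jiao77-access.log;
    error_log /var/log/nginx/jiao77-error.log;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_types text/plain text/css text/xml text/javascript application/javascript application/json application/xml+rss application/atom+xml image/svg+xml;

    # Deny sensitive files. Regex locations are tried in file order and the
    # first match wins, so these must precede the static-asset and HTML
    # locations; otherwise a path such as /.hidden/app.js or /.notes.html is
    # matched by those locations and served.
    location ~ /\.(?!well-known).* { deny all; }
    location ~* \.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])$ { deny all; }

    # Static assets: cache for 30 days.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|otf|webp)$ {
        expires 30d;
        add_header Cache-Control "public, immutable, max-age=2592000";
        # A location that declares any add_header stops inheriting the
        # server-level ones, so HSTS and the security headers are restated.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # HTML: never cached.
    location ~* \.html$ {
        expires -1;
        add_header Cache-Control "no-store, no-cache, must-revalidate";
        # Restated for the same add_header inheritance reason as above.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # SPA routing: unknown paths fall back to /index.html.
    location / {
        try_files $uri $uri/ /index.html;
    }
}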
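# ==========================================
# HTTPS AI service (ai.jiao77.cn)
# Serves the same document root as the main site.
# ==========================================
server {
    listen 443 ssl http2;
    server_name ai.jiao77.cn;

    ssl_certificate /etc/letsencrypt/live/ai.jiao77.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ai.jiao77.cn/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # TLS 1.2/1.3 only; ECDHE key exchange with AES-GCM suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    root /var/www/jiao77.cn;
    index index.html;

    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    access_log /var/log/nginx/ai-access.log;
    error_log /var/log/nginx/ai-error.log;

    # This host exposes the same /var/www/jiao77.cn tree as jiao77.cn, so it
    # needs the same sensitive-file rules; without them, dotfiles and backup
    # files denied on the main host would be readable through this name.
    location ~ /\.(?!well-known).* { deny all; }
    location ~* \.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])$ { deny all; }

    # SPA routing: unknown paths fall back to /index.html.
    location / {
        try_files $uri $uri/ /index.html;
    }
}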
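# ==========================================
# HTTPS Aliyun (aliyun.jiao77.cn)
# Serves the same document root as the main site.
# ==========================================
server {
    listen 443 ssl http2;
    server_name aliyun.jiao77.cn;

    ssl_certificate /etc/letsencrypt/live/aliyun.jiao77.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/aliyun.jiao77.cn/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # TLS 1.2/1.3 only; ECDHE key exchange with AES-GCM suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    root /var/www/jiao77.cn;
    index index.html;

    # Same content as ai.jiao77.cn, so the same response headers apply.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    access_log /var/log/nginx/aliyun-access.log;
    error_log /var/log/nginx/aliyun-error.log;

    # This host exposes the same /var/www/jiao77.cn tree as jiao77.cn, so it
    # needs the same sensitive-file rules; without them, dotfiles and backup
    # files denied on the main host would be readable through this name.
    location ~ /\.(?!well-known).* { deny all; }
    location ~* \.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])$ { deny all; }

    # SPA routing: unknown paths fall back to /index.html.
    location / {
        try_files $uri $uri/ /index.html;
    }
}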
# ==========================================
# HTTPS Gitea (gitea.jiao77.cn) -> 10.126.126.2:3012
# ==========================================
server {
    listen      443 ssl http2;
    server_name gitea.jiao77.cn;

    access_log  /var/log/nginx/gitea-access.log;
    error_log   /var/log/nginx/gitea-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/gitea.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/gitea.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy to Gitea. TLS ends here; the hop to the upstream is plain HTTP.
    # NOTE(review): no auth_basic/allow/deny at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass         http://10.126.126.2:3012/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # WebSocket support: the client's Upgrade header is forwarded and
        # "Connection: upgrade" is sent upstream on every request.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        "upgrade";
    }
}
# ==========================================
# HTTPS QNas (qnas.jiao77.cn) -> 10.126.126.2:5666
# ==========================================
server {
    listen      443 ssl http2;
    server_name qnas.jiao77.cn;

    access_log  /var/log/nginx/qnas-access.log;
    error_log   /var/log/nginx/qnas-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/qnas.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/qnas.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy. TLS ends here; the hop to the upstream is plain HTTP.
    # NOTE(review): no auth_basic/allow/deny at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass         http://10.126.126.2:5666/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # WebSocket support: the client's Upgrade header is forwarded and
        # "Connection: upgrade" is sent upstream on every request.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        "upgrade";
    }
}
# ==========================================
# HTTPS Ollama API (ollama.jiao77.cn) -> 10.126.126.8:11435
# ==========================================
server {
    listen      443 ssl http2;
    server_name ollama.jiao77.cn;

    access_log  /var/log/nginx/ollama-access.log;
    error_log   /var/log/nginx/ollama-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/ollama.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/ollama.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy to the Ollama API. TLS ends here; the upstream hop is plain HTTP.
    # NOTE(review): this vhost performs no authentication, allow-listing or
    # rate limiting. Whether the service on 10.126.126.8:11435 enforces any
    # itself cannot be seen from this file - verify before exposing this name,
    # since every request that reaches 443 is forwarded to the model API.
    location / {
        proxy_pass         http://10.126.126.8:11435/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # API-specific settings: HTTP/1.1 upstream with the Connection header
        # cleared, response buffering disabled so output is relayed as it
        # arrives, and a 300s read timeout for slow responses.
        proxy_http_version 1.1;
        proxy_set_header   Connection        "";
        proxy_buffering    off;
        proxy_read_timeout 300s;
    }
}
# ==========================================
# HTTPS WebDev WebDAV (webdev.jiao77.cn) -> https://10.126.126.2:5006
# ==========================================
server {
    listen      443 ssl http2;
    server_name webdev.jiao77.cn;

    access_log  /var/log/nginx/webdev-access.log;
    error_log   /var/log/nginx/webdev-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/webdev.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/webdev.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M (this also caps the size of a WebDAV upload).
    client_max_body_size 50M;

    # Reverse proxy to the WebDAV service over HTTPS.
    # NOTE(review): proxy_ssl_verify is not set and defaults to off, so the
    # upstream certificate is not validated; the hop is encrypted but not
    # authenticated. Setting proxy_ssl_verify on with a
    # proxy_ssl_trusted_certificate would close that gap.
    # NOTE(review): no auth_basic/allow/deny at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass         https://10.126.126.2:5006/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # HTTP/1.1 to the upstream with the Connection header cleared.
        proxy_http_version 1.1;
        proxy_set_header   Connection        "";

        # Forwards the client's request headers to the upstream. This is the
        # nginx default; it does not affect which HTTP methods are proxied.
        proxy_pass_request_headers on;
    }
}
# ==========================================
# HTTPS AList (alist.jiao77.cn) -> 10.126.126.2:5244
# ==========================================
server {
    listen      443 ssl http2;
    server_name alist.jiao77.cn;

    access_log  /var/log/nginx/alist-access.log;
    error_log   /var/log/nginx/alist-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/alist.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/alist.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy to AList. TLS ends here; the hop to the upstream is plain HTTP.
    # NOTE(review): no auth_basic/allow/deny at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass         http://10.126.126.2:5244/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # WebSocket support: the client's Upgrade header is forwarded and
        # "Connection: upgrade" is sent upstream on every request.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        "upgrade";
    }
}
# ==========================================
# HTTPS Upsnap (upsnap.jiao77.cn) -> 10.126.126.2:8090
# ==========================================
server {
    listen      443 ssl http2;
    server_name upsnap.jiao77.cn;

    access_log  /var/log/nginx/upsnap-access.log;
    error_log   /var/log/nginx/upsnap-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/upsnap.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/upsnap.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy. TLS ends here; the hop to the upstream is plain HTTP.
    # NOTE(review): no auth_basic/allow/deny at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass       http://10.126.126.2:8090/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
# ==========================================
# HTTPS SunPanel (sunpanel.jiao77.cn) -> 10.126.126.2:13002
# ==========================================
server {
    listen      443 ssl http2;
    server_name sunpanel.jiao77.cn;

    access_log  /var/log/nginx/sunpanel-access.log;
    error_log   /var/log/nginx/sunpanel-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/sunpanel.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/sunpanel.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy. TLS ends here; the hop to the upstream is plain HTTP.
    # NOTE(review): no auth_basic/allow/deny at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass       http://10.126.126.2:13002/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
# ==========================================
# HTTPS AudioBook (audiobook.jiao77.cn) -> 10.126.126.2:1081
# ==========================================
server {
    listen      443 ssl http2;
    server_name audiobook.jiao77.cn;

    access_log  /var/log/nginx/audiobook-access.log;
    error_log   /var/log/nginx/audiobook-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/audiobook.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/audiobook.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy. TLS ends here; the hop to the upstream is plain HTTP.
    # NOTE(review): no auth_basic/allow/deny at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass       http://10.126.126.2:1081/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
# ==========================================
# HTTPS Divination (divination.jiao77.cn) -> 10.126.126.2:5001
# ==========================================
server {
    listen      443 ssl http2;
    server_name divination.jiao77.cn;

    access_log  /var/log/nginx/divination-access.log;
    error_log   /var/log/nginx/divination-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/divination.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/divination.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy. TLS ends here; the hop to the upstream is plain HTTP.
    # NOTE(review): no auth_basic/allow/deny at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass       http://10.126.126.2:5001/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
# ==========================================
# HTTPS Halo (halo.jiao77.cn) -> 10.126.126.2:8083
# ==========================================
server {
    listen      443 ssl http2;
    server_name halo.jiao77.cn;

    access_log  /var/log/nginx/halo-access.log;
    error_log   /var/log/nginx/halo-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/halo.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/halo.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy to Halo. TLS ends here; the hop to the upstream is plain HTTP.
    # NOTE(review): no auth_basic/allow/deny at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass         http://10.126.126.2:8083/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # WebSocket support: the client's Upgrade header is forwarded and
        # "Connection: upgrade" is sent upstream on every request.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade           $http_upgrade;
        proxy_set_header   Connection        "upgrade";
    }
}
# ==========================================
# HTTPS WordPress (wp.jiao77.cn) -> 10.126.126.2:8080
# ==========================================
server {
    listen      443 ssl http2;
    server_name wp.jiao77.cn;

    access_log  /var/log/nginx/wp-access.log;
    error_log   /var/log/nginx/wp-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/wp.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/wp.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy to WordPress. TLS ends here; the upstream hop is plain HTTP.
    # NOTE(review): no path-level restriction at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass       http://10.126.126.2:8080/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Needed by WordPress: passes the public host name to the upstream.
        proxy_set_header X-Forwarded-Host  $host;
    }
}
# ==========================================
# HTTPS Blog (blog.jiao77.cn) - backend not configured yet
# ==========================================
server {
    listen      443 ssl http2;
    server_name blog.jiao77.cn;

    access_log  /var/log/nginx/blog-access.log;
    error_log   /var/log/nginx/blog-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/blog.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/blog.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Sent on the 503 as well, because of "always".
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Placeholder until a backend exists: every request gets a 503.
    location / {
        return 503 "Service not configured";
    }
}
# ==========================================
# HTTPS Salary (salary.jiao77.cn) -> 10.126.126.2:5053
# ==========================================
server {
    listen      443 ssl http2;
    server_name salary.jiao77.cn;

    access_log  /var/log/nginx/salary-access.log;
    error_log   /var/log/nginx/salary-error.log;

    # Per-host Let's Encrypt certificate; TLS 1.2/1.3 with ECDHE + AES-GCM only.
    ssl_certificate           /etc/letsencrypt/live/salary.jiao77.cn/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/salary.jiao77.cn/privkey.pem;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Inherited by the location below, which declares no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Maximum request body: 50M
    client_max_body_size 50M;

    # Reverse proxy to 10.126.126.2:5053. TLS ends here; the upstream hop is plain HTTP.
    # NOTE(review): no auth_basic/allow/deny at this layer - access control is
    # left entirely to the upstream application; confirm that is intended.
    location / {
        proxy_pass       http://10.126.126.2:5053/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends to any X-Forwarded-For the client sent; the upstream should
        # trust only X-Real-IP or the last entry.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}