nginx 配置参考
upstream api_upstream {
    # Backend pool used by the /api location below (one member at present).
    server 10.10.10.10:8000;
    # ip_hash: requests from the same client address always go to the same member,
    # which only becomes observable once a second server is added to this pool.
    ip_hash;
}
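server {
    listen 443 ssl;
    server_name www.wueasy.com;
    charset utf-8;

    # ---- Certificate / TLS configuration ----
    ssl_certificate /srv/ssl/wueasy/fullchain.crt;
    ssl_certificate_key /srv/ssl/wueasy/cert.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the original
    # list; re-add them only for a known client population that still needs them.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret ECDHE suites only. The original list also allowed 3DES (64-bit
    # block cipher, Sweet32) and static-RSA key exchange (no forward secrecy); both
    # were removed. The non-standard "EECDH+CHACHA20-draft" alias is covered by
    # EECDH+CHACHA20 on current OpenSSL and was dropped as well.
    ssl_ciphers EECDH+CHACHA20:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:!aNULL:!MD5:!RC4:!DHE;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    # OCSP stapling. ssl_stapling_verify needs the issuer/root chain configured via
    # ssl_trusted_certificate (absent in the original); without it nginx cannot
    # validate the stapled response and logs a warning instead.
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_trusted_certificate <PATH_TO_ISSUER_CHAIN_PLACEHOLDER>;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # ---- Security response headers ----
    # Declared at server level so every location (including /api, the /actuator
    # block and error pages) receives them; in the original they lived only in
    # "location /". "always" (nginx >= 1.7.5) also emits them on non-2xx/3xx
    # responses. Note that any location declaring its own add_header stops
    # inheriting this set and must repeat it.
    add_header X-Content-Type-Options "nosniff" always;              # disable MIME-type sniffing
    add_header X-Frame-Options "SAMEORIGIN" always;                  # only same-origin framing
    # The legacy XSS auditor is gone from modern browsers and, where still present,
    # could be abused; the current recommendation is to turn it off explicitly.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "no-referrer" always;                 # never send a Referer
    # Force HTTPS for one year incl. subdomains; "preload" is a long-term commitment
    # once the domain is submitted to the browser preload lists.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;

    # ---- Access logging ----
    # "off" is the idiomatic way to discard the log (the original wrote to /dev/null,
    # same effect). Without an access log there is no request trail for detection or
    # incident response; prefer the commented line once a "main" log_format exists
    # in the enclosing http block.
    #access_log logs/access.log main;
    access_log off;

    error_page 404 /404.html;

    # Reject every URI containing "actuator". A regex location wins over the /api
    # prefix location, so /api/actuator... is covered too. "return" runs in the
    # rewrite phase and finishes the request before the access phase, so the
    # original "deny all" next to it was never evaluated and is dropped.
    location ~ /actuator {
        return 403;
    }

    # ---- Static site ----
    location / {
        root /srv/html;
        # Browser caching, left disabled as in the original. Uncommenting this
        # add_header would stop the server-level security headers from being
        # inherited here; they would then need to be repeated in this block.
        #add_header Cache-Control max-age=10800;
        try_files $uri $uri/ /index.html;
    }

    # ---- Reverse proxy to the backend pool ----
    location /api {
        proxy_pass http://api_upstream;
        client_max_body_size 200M;
        # $remote_addr is used on purpose instead of $proxy_add_x_forwarded_for:
        # a client-supplied X-Forwarded-For is never passed through, so the backend
        # only sees the address nginx itself observed. Correct while nginx is the
        # edge; revisit if a trusted proxy is placed in front of it.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header REMOTE_ADDR $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
    }
}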