哔哩萌的 Nginx 完整配置 🦄
由于极度的小白,只能到处查资料问大佬,补知识,总算最后搞定了。。万分感谢屈屈大佬的文章,受益匪浅,以及半夏和比特萌的技术支持。通过 Qualys SSL Labs 测试,得分 A+。
Nginx 版本为 1.15.*。添加了 Brotli 压缩算法和 TCP Fast Open 的支持;因未查明的原因导致博客非正常运行,所以暂不打上 Patch。
已加入 HSTS Preload List
1) Qualys SSL Labs' SSL Server Test
以下是本博客测试结果截图,测试地址>>>:
2)HTTP Security Report
以下是本博客测试结果截图,测试地址>>>:
哔哩萌的完整 Nginx 配置如下。
# Shared response cache for the Ghost upstream.
# Only GET and HEAD responses are stored; the key carries scheme, method,
# Host and URI so differently-addressed requests never share an entry.
proxy_cache_methods GET HEAD;
proxy_cache_key "$scheme$request_method$host$request_uri";
# 60 MB of shared memory for keys, at most 300 MB on disk, entries dropped
# after 24 h without being requested.
proxy_cache_path /home/nginx/ghostcache levels=1:2 keys_zone=ghostcache:60m max_size=300m inactive=24h;
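server
{
    # HTTPS entry point for the Ghost blog (upstream on 127.0.0.1:2368).
    listen 443 ssl http2 fastopen=3 reuseport;
    server_name www.bilimoe.com bilimoe.com;

    ssl_protocols TLSv1.3 TLSv1.2;
    # Dual certificates: two certificate/key pairs are listed so nginx can
    # pick the chain that matches what the client supports.
    ssl_certificate /path/bundle.crt;
    ssl_certificate_key /path/com.key;
    ssl_certificate /path/fullchain.pem;
    ssl_certificate_key /path/privkey.pem;
    # OCSP stapling with no ssl_stapling_verify: nginx staples whatever the
    # responder returns without validating it itself; clients still verify
    # the stapled response against the chain.
    ssl_stapling on;
    # TLS 1.3 0-RTT. Early data can be replayed by an attacker; the
    # $ssl_early_data flag is forwarded to the upstream below so it can
    # refuse non-idempotent early requests with 425 (Too Early) - confirm
    # the upstream actually does so before relying on this.
    ssl_early_data on;
    ssl_session_cache shared:ssl:5m;
    ssl_session_timeout 1d;
    # NOTE(review): with no ssl_session_ticket_key the ticket key is random
    # per start and never rotated, which limits forward secrecy for resumed
    # sessions for as long as the process runs.
    ssl_session_tickets on;
    ssl_dhparam /path/dhparam.pem;
    # Only P-384 is offered (X25519 is excluded by this setting).
    ssl_ecdh_curve secp384r1;
    # The TLS13-* names are draft-era OpenSSL names; OpenSSL ignores cipher
    # names it does not recognise, so they are harmless on builds that
    # select TLS 1.3 suites elsewhere. The 3DES suites from the original
    # list are dropped: 64-bit block ciphers are rated weak (SWEET32).
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:!MD5:!3DES;
    ssl_prefer_server_ciphers On;
    # Resolvers used for the OCSP responder lookup.
    resolver 119.29.29.29 114.114.114.114 valid=300s;
    resolver_timeout 10s;

    # Canonical-host redirect. $host is client-controlled, but the redirect
    # target is a fixed host, so this cannot become an open redirect.
    if ($host != 'www.bilimoe.com' )
    {
        return 301 https://www.bilimoe.com$request_uri;
    }

    # Pushes resources named in upstream "Link: ...; rel=preload" headers.
    # The $resources map further down looks intended for such a header, but
    # no directive using it is visible in this file.
    http2_push_preload on;
    server_tokens off;

    # Security headers for locations that define no add_header of their own
    # (/ghost/ and the dotfile deny). nginx does NOT inherit add_header into
    # a level that sets its own add_header, so the same set is repeated in
    # "location /" and "location ^~ /assets/" below - without that the main
    # page would be served with none of these headers.
    # NOTE(review): without the "always" parameter these are only added to
    # 2xx/3xx responses, so error pages are sent without HSTS/CSP.
    add_header X-Frame-Options DENY;
    add_header Referrer-Policy "no-referrer";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    # CSP allows 'unsafe-inline'/'unsafe-eval' and any https: script source,
    # which gives little XSS protection; tightened only if the theme allows.
    add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' https:; img-src data: https:; style-src 'unsafe-inline' https:; media-src https:; font-src 'self' https:; worker-src https:; connect-src 'self' https:; frame-src 'self' https://www.bilibili.com https://www.youtube.com";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Cache-Control public;

    # Public blog pages: served from the shared cache.
    location /
    {
        proxy_cache ghostcache;
        proxy_cache_valid 60m;
        proxy_cache_valid 404 1m;
        # Upstream Set-Cookie is neither stored nor forwarded, so no session
        # cookie can end up in a cached copy served to other visitors;
        # upstream Cache-Control is ignored so proxy_cache_valid decides the
        # TTL. (One directive replaces the two separate ones of the original.)
        proxy_ignore_headers Set-Cookie Cache-Control;
        proxy_hide_header Set-Cookie;
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Early-Data $ssl_early_data;
        proxy_pass http://127.0.0.1:2368;
        proxy_hide_header X-Powered-By;
        # With Vary hidden one cached copy is served regardless of the request
        # headers the upstream varied on (kept from the original config).
        proxy_hide_header Vary;
        add_header X-Cache-Status $upstream_cache_status;
        # Repeated here because this level defines its own add_header (see
        # the server-level block above).
        add_header X-Frame-Options DENY;
        add_header Referrer-Policy "no-referrer";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' https:; img-src data: https:; style-src 'unsafe-inline' https:; media-src https:; font-src 'self' https:; worker-src https:; connect-src 'self' https:; frame-src 'self' https://www.bilibili.com https://www.youtube.com";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header Cache-Control public;
    }

    # Ghost admin: never cached, inherits the server-level headers.
    location ^~ /ghost/
    {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Early-Data $ssl_early_data;
        # 127.0.0.1 rather than "localhost" so it cannot resolve to ::1 on a
        # host where the upstream only listens on IPv4; matches "location /".
        proxy_pass http://127.0.0.1:2368;
    }

    # Deny any dotfile/dotdirectory (e.g. .git, .env) that is not caught by
    # a more specific prefix location above.
    location ~ /\.
    {
        deny all;
    }

    # Theme assets served straight from disk.
    location ^~ /assets/
    {
        root /home/……/caffeine;
        add_header Access-Control-Allow-Origin *;
        # Repeated here because this level defines its own add_header.
        add_header X-Frame-Options DENY;
        add_header Referrer-Policy "no-referrer";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        expires max;
    }
}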
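server
{
    # Plain-HTTP entry point. There is no listen directive, so nginx uses
    # its default (*:80, or *:8000 when not started as root).
    server_name www.bilimoe.com bilimoe.com;
    server_tokens off;

    location /
    {
        # Redirect to the canonical host instead of https://$host: if this
        # is the only server on the port it is also the default server and
        # receives requests for arbitrary Host values, and echoing $host
        # into the Location header would turn it into an open redirect.
        # Also matches the canonical-host redirect of the HTTPS server.
        return 301 https://www.bilimoe.com$request_uri;
    }
}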
# Preload hints for the theme's assets, derived from the request cookies.
# Presumably "session=1" marks a logged-in session; such requests get an
# empty value so no hints are emitted for them.
map $http_cookie $resources
{
    default "</assets/css/caffeine-theme.css?v=>; as=style; rel=preload, </assets/js/caffeine-theme.js?v=>; as=script; rel=preload, </assets/js/scrollreveal.min.js>; as=script; rel=preload, </assets/js/masonry.pkgd.min.js>; as=script; rel=preload, </assets/js/base.js>; as=script; rel=preload, </assets/img/cursor.ico>; as=image; rel=preload, </assets/img/author.png?v=>; as=image; rel=preload, </assets/fonts/fontawesome-webfont.woff2?v=4.7.0>; as=font; rel=preload, </rss/>; as=xhr; crossorigin; rel=preload";
    "~*session=1" "";
}
说说遇到的一些问题
其实也没有很大的问题,主要是一些组件的更新,比如升级 OpenSSL 以支持 ALPN,升级 Nginx 以支持双证书,呃,小白的编译初体验,都是泪。。最大的坑是 OCSP Stapling,折腾了大概三四天,一度怀疑 TrustAsia 给我颁发了假证书,最后发现真相的我眼泪掉下来。我在配置的过程中下意识地认为 TrustAsia 需要指定证书链并开启 Stapling Verify,结果怎么弄都有问题。后来才发现它和 Let's Encrypt 一样不用指定,只要 ssl_stapling on; 就可以了,ssl_trusted_certificate 和 ssl_stapling_verify 无视就好,我有一句哔哔哔不知当讲不当讲。。😂
追剧射雕英雄传
出来的八集已经看完,总体感觉还不错,很贴近原著,以前只看过小说,虽然已被翻拍六七版,但这个还是第一次看电视剧来演绎,表示追定了,就是一周只有四集,宝宝不开心 (`Δ´)!
不出意外,应该是丁酉🐔年来临前最后一篇文了,祝各位在即将到来的🐔年大吉大利,早日脱光 ~ 💑