Bilimoe's complete Nginx configuration 🦄

As a complete beginner, all I could do was look things up everywhere and ask the experts to fill in the gaps in my knowledge, but in the end I got it working. Many thanks to 屈屈 (Jerry Qu) for his articles, from which I learned a great deal, and to 半夏比特萌 for the technical support. The site passes the Qualys SSL Labs test with an A+.

The Nginx version is 1.15.*. I added the Brotli compression algorithm and TCP Fast Open support. The patch is not applied for now, because for a reason I have not yet identified it made the blog misbehave.

The site has been added to the HSTS Preload List.

1) Qualys SSL Labs SSL Server Test

Below is a screenshot of this blog's test result (test address >>>).


2) HTTP Security Report

Below is a screenshot of this blog's test result (test address >>>).



Bilimoe's complete Nginx configuration is as follows.

    proxy_cache_path /home/nginx/ghostcache levels=1:2 keys_zone=ghostcache:60m max_size=300m inactive=24h;
    proxy_cache_key "$scheme$request_method$host$request_uri";
    proxy_cache_methods GET HEAD;

    server
    {
        listen 443 ssl http2 fastopen=3 reuseport;
        ssl_protocols TLSv1.3 TLSv1.2;
        # Two certificate chains (the dual-certificate setup mentioned below);
        # nginx serves whichever one the client can use.
        ssl_certificate /path/bundle.crt;
        ssl_certificate_key /path/com.key;
        ssl_certificate /path/fullchain.pem;
        ssl_certificate_key /path/privkey.pem;
        # OCSP stapling without ssl_stapling_verify / ssl_trusted_certificate (see the
        # notes below): nginx staples the responder's answer without validating it.
        ssl_stapling on;
        # TLS 1.3 0-RTT. Early data can be replayed, so the Early-Data header passed to
        # the backend below lets it refuse non-idempotent requests that arrived in 0-RTT.
        ssl_early_data on;
        ssl_session_cache shared:ssl:5m;
        ssl_session_timeout 1d;
        ssl_session_tickets on;
        ssl_dhparam /path/dhparam.pem;
        # Only P-384 is offered for ECDHE; X25519 is not in the list.
        ssl_ecdh_curve secp384r1;
        ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers On;
        # Resolver used for the OCSP responder lookups.
        resolver 119.29.29.29 114.114.114.114 valid=300s;
        resolver_timeout 10s;
        # Redirect the bare domain (or any other Host) to the canonical name.
        if ($host != 'www.bilimoe.com')
        {
            return 301 https://www.bilimoe.com$request_uri;
        }
        server_name www.bilimoe.com bilimoe.com;
        http2_push_preload on;
        server_tokens off;

        # Security headers for the responses of this server block. nginx does not merge
        # add_header: a location that declares its own add_header replaces all of these,
        # which is why X-Cache-Status is set here rather than inside location /.
        add_header X-Frame-Options DENY;
        add_header Referrer-Policy "no-referrer";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' https:; img-src data: https:; style-src 'unsafe-inline' https:; media-src https:; font-src 'self' https:; worker-src https:; connect-src 'self' https:; frame-src 'self' https://www.bilibili.com https://www.youtube.com";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header Cache-Control public;
        # Empty for responses that did not go through the cache; nginx omits a header whose value is empty.
        add_header X-Cache-Status $upstream_cache_status;

        # Public pages, served from the proxy cache.
        location /
        {
            proxy_cache ghostcache;
            proxy_cache_valid 60m;
            proxy_cache_valid 404 1m;
            # Responses carrying Set-Cookie or Cache-Control are still cached, and the cookie is
            # stripped so a cached page never hands out another visitor's session.
            proxy_ignore_headers Set-Cookie Cache-Control;
            proxy_hide_header Set-Cookie;
            proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Early-Data $ssl_early_data;
            proxy_pass http://127.0.0.1:2368;
            proxy_hide_header X-Powered-By;
            proxy_hide_header Vary;
        }

        # Ghost admin: proxied without caching.
        location ^~ /ghost/
        {
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Early-Data $ssl_early_data;
            proxy_pass http://localhost:2368;
        }

        # Deny access to dotfiles such as .git or .htaccess.
        location ~ /\.
        {
            deny all;
        }

        # Theme assets served directly from disk. This location's own add_header means
        # the server-level headers above are not sent with these responses.
        location ^~ /assets/
        {
            root /home/……/caffeine;
            add_header Access-Control-Allow-Origin *;
            expires max;
        }
    }

    # Plain HTTP: there is no listen directive, so nginx defaults to *:80 when run as root.
    server
    {
        server_name www.bilimoe.com bilimoe.com;
        server_tokens off;
        location /
        {
            return 301 https://$host$request_uri;
        }
    }

    # Link header value for http2_push_preload. It is empty once a session cookie is
    # present, so logged-in users are not pushed the public assets; the add_header Link
    # directive that would emit it does not appear in this listing.
    map $http_cookie $resources
    {
        "~*session=1" "";
        default "</assets/css/caffeine-theme.css?v=>; as=style; rel=preload, </assets/js/caffeine-theme.js?v=>; as=script; rel=preload, </assets/js/scrollreveal.min.js>; as=script; rel=preload, </assets/js/masonry.pkgd.min.js>; as=script; rel=preload, </assets/js/base.js>; as=script; rel=preload, </assets/img/cursor.ico>; as=image; rel=preload, </assets/img/author.png?v=>; as=image; rel=preload, </assets/fonts/fontawesome-webfont.woff2?v=4.7.0>; as=font; rel=preload, </rss/>; as=xhr; crossorigin; rel=preload";
    }
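As an added example (not part of the original post), here is a small Python audit of the security headers the server block above is meant to send, including the requirements of the HSTS preload list. The two header sets are constructed: one mirrors a page response that inherits the server-level add_header lines, the other an /assets/ response, whose own add_header stops it from inheriting them.

```python
import re

HSTS_PRELOAD_MIN_AGE = 31536000  # the preload list requires max-age of at least one year
# Header -> required value (None: any value is accepted as long as the header is present).
REQUIRED = {"x-frame-options": None, "x-content-type-options": "nosniff",
            "referrer-policy": None}


def audit_security_headers(headers):
    """Return findings for one response's headers; an empty list means all checks pass."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < HSTS_PRELOAD_MIN_AGE:
            findings.append(f"HSTS max-age {age} is below the preload minimum")
        for directive in ("includesubdomains", "preload"):  # RFC 6797: case-insensitive
            if directive not in hsts.lower():
                findings.append(f"HSTS lacks {directive}")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        script = next((d.strip() for d in csp.split(";")
                       if d.strip().startswith("script-src")), "")
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script:  # inline/eval scripts undo most of the XSS protection
                findings.append(f"CSP script-src allows {weak}")
    for name, value in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif value is not None and h[name].lower() != value:
            findings.append(f"{name} is {h[name]!r}, expected {value!r}")
    return findings


# Constructed sample: headers a page response carries when the location inherits
# the server-level add_header lines of the configuration above.
PAGE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubdomains; preload",
    "Content-Security-Policy": "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' https:",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer"}
# Constructed sample: a location with its own add_header (like /assets/) drops every
# inherited header, so only what it adds itself is sent.
ASSET_HEADERS = {"Access-Control-Allow-Origin": "*", "Expires": "Thu, 31 Dec 2037 23:55:55 GMT"}
```

Running `audit_security_headers` over the page sample reports only the two unsafe script-src sources, while the asset sample reports every header as missing.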

A few problems I ran into

There weren't really any big problems, mostly just updates to some components: upgrading OpenSSL to support ALPN, upgrading Nginx to support dual certificates... my first experience compiling things as a beginner, all tears. The biggest pitfall was OCSP Stapling, which took about three or four days; at one point I suspected TrustAsia had issued me a fake certificate, and when I finally found out the truth I cried. While configuring it I assumed without thinking that TrustAsia required specifying the certificate chain and turning on stapling verification, and no matter what I did it didn't work. Only later did I find out that, just like Let's Encrypt, nothing needs to be specified: `ssl_stapling on;` is enough, and ssl_trusted_certificate and ssl_stapling_verify can simply be ignored. I have something to say but I'm not sure I should say it... 😂

Following The Legend of the Condor Heroes (射雕英雄传)

I've finished the eight episodes released so far. Overall it feels pretty good and stays close to the original novel. I had only read the novel before; although it has been remade six or seven times, this is the first time I've watched a TV adaptation of it, so I'm definitely following it. It's just that there are only four episodes a week, which makes me sad (`Δ´)!

Barring surprises, this should be the last post before the Year of the Rooster (丁酉🐔) arrives. Wishing everyone great luck in the coming Rooster 🐔 year, and may you find a partner soon ~ 💑