## # You should look at the following URL's in order to grasp a solid understanding # of Nginx configuration files in order to fully unleash the power of Nginx. # https://www.nginx.com/resources/wiki/start/ # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ # https://wiki.debian.org/Nginx/DirectoryStructure # # In most cases, administrators will remove this file from sites-enabled/ and # leave it as reference inside of sites-available where it will continue to be # updated by the nginx packaging team. # # This file will automatically load configuration files provided by other # applications, such as Drupal or Wordpress. These applications will be made # available underneath a path with that package name, such as /drupal8. # # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. ## # Default server configuration # #####本配置使用正常环境 debian9_x64 nginx_1.10.3 openssl_1.1.0f v2ray_4.2 #####兼容客户端Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8 #####注:切勿修改中的内容,但<该文件>与中的<参数重叠>那么会<遵从前者> server { # 禁用不需要的请求方式 以下只允许 get、post if ($request_method !~ ^(POST|GET)$) { return 444; } listen 127.0.0.1:80; server_name domain.Name; #注:填写自己的域名 return 301 https://$host/; } upstream v2ray { server 127.0.0.1:10086; #注:v2ray后端监听地址、端口 keepalive 2176; # 链接池空闲链接数 } map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { #要开启 HTTP/2 注意nginx版本 #可以使用 nginx -V 检查 listen 127.0.0.1:443 ssl http2 backlog=1024 so_keepalive=120s:60s:10 reuseport; # backlog是nginx 监听队列 默认是511 使用命令 ss -tnl查看(Send-Q); #设置编码 charset utf-8; #证书配置 ssl_certificate PATH; #注:填写自己证书路径 ssl_certificate_key PATH; #注:填写密钥路径 ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets off; # https://nginx.org/en/docs/http/ngx_http_ssl_module.html ssl_protocols TLSv1.2; #openssl ciphers #注:懒人配置 https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; #安全设定 #屏蔽请求类型 if ($request_method !~ ^(POST|GET)$) { return 444; } add_header X-Frame-Options DENY; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) ###测试前请使用较少的时间 ### https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/ add_header Strict-Transport-Security max-age=15 always; #openssl dhparam -out dhparam.pem 2048 #openssl dhparam -out dhparam.pem 4096 #ssl_dhparam /home/dhparam.pem; #ssl_ecdh_curve secp384r1; # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them #ssl_stapling on; #ssl_stapling_verify on; #resolver_timeout 10s; #resolver [去掉括号并将文字改成你希望的dns服务器ip地址] valid=300s; #范例 resolver 2.2.2.2 valid=300s; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.php ; server_name domain.Name; #注: 将domain.Name 替换成你的域名 location /GLMzpX/ { #注:修改路径 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; #此处与对应 proxy_set_header Host $http_host; # 向后端传递访客ip proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_requests 25600; keepalive_timeout 300 300; proxy_buffering off; proxy_buffer_size 8k; #后端错误重定向 proxy_intercept_errors on; error_page 400 = URL; # url是一个网站地址。例如:https://www.xxxx.com/ if ($http_host = "domain.Name" ) { #注: 修改 domain.Name 为自己的域名 #v2ray 后端 查看上面"upstream"字段 proxy_pass http://v2ray; } } }