站点
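# Virtual host for lvtao.net: forces HTTPS, canonicalises the host name and
# serves images through ngx_http_image_filter_module with on-the-fly resizing.
server
{
    listen 80;
    listen 443 ssl http2;
    server_name lvtao.net www.lvtao.net;
    index index.php;
    root /www/wwwroot/lvtao.net/default/;

    # Plain HTTP -> HTTPS on the same host. The scheme is tested instead of a
    # regex on the port (the pattern "443" also matches ports such as 4430).
    # $request_uri forwards the client's original URI without re-encoding.
    # NOTE(review): $host is taken from the request. server_name restricts it
    # to the two names above unless this block is also the default server for
    # port 80 - confirm, otherwise the redirect target is client-controlled.
    if ($scheme = 'http') {
        return 301 https://$host$request_uri;
    }
    # Canonical host: anything other than the bare domain is redirected to it.
    if ($host != 'lvtao.net'){
        return 301 https://lvtao.net$request_uri;
    }

    ssl_dhparam /cert/lvtao.net/dhparam.pem;
    ssl_certificate /cert/lvtao.net/fullchain.pem;
    ssl_certificate_key /cert/lvtao.net/privkey.pem;
    # A ticket key loaded from a file stays the same until the file is replaced.
    # Anyone holding it can decrypt session tickets issued under it, so keep the
    # file readable by the nginx master only and rotate it on a schedule
    # (reload nginx after each rotation).
    ssl_session_ticket_key /cert/lvtao.net/session_ticket.key;
    ssl_session_tickets on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL_LVTAO:10m;
    include ssl.conf;

    # HPKP: the ';' between the last pin and max-age was missing, which made the
    # header value malformed. max-age=2592000 is 30 days.
    # NOTE(review): HTTP Public Key Pinning is deprecated and current browsers
    # no longer honour it. Clients that still do will refuse the site for the
    # whole max-age if no pinned key matches, so a backup pin for a key held
    # offline is required (RFC 7469). Consider dropping this header.
    add_header Public-Key-Pins 'pin-sha256="xxxxxxxxxx"; pin-sha256="xxxxxxxxxxxxxxx"; max-age=2592000; includeSubDomains';
    ssl_trusted_certificate /cert/lvtao.net/ocsp.pem;

    # Image requests. The dot before the extension is escaped so that only real
    # ".gif/.jpg/..." suffixes match (the previous ".*." matched any character).
    # NOTE(review): ngx_http_image_filter_module documents JPEG, GIF, PNG and
    # WebP support - confirm that .bmp requests behave as intended here.
    location ~ \.(gif|jpg|jpeg|png|bmp)$ {
        # width/height come straight from the query string and are handed to
        # image_filter, so accept only "-" or a 1-4 digit positive number
        # (empty means "not supplied") and reject everything else up front.
        if ($arg_width !~ '^(-|[1-9][0-9]{0,3})?$') {
            return 400;
        }
        if ($arg_height !~ '^(-|[1-9][0-9]{0,3})?$') {
            return 400;
        }

        # Copy the query arguments into the width and height variables.
        set $width $arg_width;
        set $height $arg_height;
        # With no height given, scale by width only so the aspect ratio is
        # preserved (used for images embedded in articles).
        if ( $height = '' ) {
            set $height '-';
        }
        # Mobile user agents always get a 480px-wide rendition, including for
        # requests that carry no parameters.
        if ( $http_user_agent ~* '(Android|webOS|iPhone|iPad|iPod|BlackBerry)') {
            set $width 480;
        }
        # Request for the original image (no parameters): both dimensions "-".
        if ( $width = '' ) {
            set $width '-';
            set $height '-';
        }
        # Generate the thumbnail. Every distinct width/height pair is resized
        # again on each request; image_filter_buffer caps the source file size.
        image_filter resize $width $height;
        image_filter_buffer 2M;
        image_filter_jpeg_quality 80;
        image_filter_transparency on;
        # NOTE(review): the response body depends on User-Agent but is marked
        # cacheable for the maximum time, so a shared cache or CDN in front of
        # this host could hand the 480px rendition to desktop clients. Do not
        # fix that with add_header inside this location without repeating the
        # server-level headers: a location that defines its own add_header no
        # longer inherits the ones set at server level.
        expires max;
        access_log off;
        limit_rate_after 10k;
        limit_rate 100k;
    }
}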
ssl.conf
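# Shared TLS and response-header settings, pulled into HTTPS server blocks with
# "include ssl.conf;". Modern configuration; tweak to your needs.
# TLS 1.1 is formally deprecated (RFC 8996), so only TLS 1.2 and 1.3 are offered.
ssl_protocols TLSv1.2 TLSv1.3;
# NOTE(review): the three TLS_* names are TLS 1.3 suites and
# "EECDH+CHACHA20-draft" is a pre-standard alias; whether they take effect in
# this list depends on the TLS library nginx was built against. EECDH+AES128
# and EECDH+AES256 also admit CBC-mode suites. Scan the live endpoint to see
# what is actually negotiated.
ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:EECDH+AES256;
#ssl_ecdh_curve X25519:P-256:P-384;
ssl_ecdh_curve auto;
ssl_prefer_server_ciphers on;

# Response headers. "always" makes nginx attach them to error responses as
# well; without it they are sent only with 2xx/3xx replies.
# add_header is inherited from the enclosing level only when the current level
# defines none of its own, so any server or location block that adds a header
# must repeat the ones below.

# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years).
# "preload" plus includeSubDomains commits every subdomain to HTTPS for that
# whole period; make sure all of them can serve it.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# The OCSP responder's host name is resolved over plain DNS through these
# public resolvers. The nginx documentation recommends resolvers on a trusted
# local network to limit DNS spoofing; consider a local caching resolver.
resolver 8.8.8.8 119.29.29.29 valid=300s;
resolver_timeout 5s;

add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
# Legacy header: current browsers have removed the XSS filter it controls.
# A tested Content-Security-Policy (see the commented line below) is the
# effective replacement.
add_header X-XSS-Protection "1; mode=block" always;
#add_header Content-Security-Policy "default-src 'self'; child-src 'none'; object-src 'none'; frame-ancestors 'none'";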