From 8dae75f5d2565280e8c8954a4257497504659b09 Mon Sep 17 00:00:00 2001
From: hyh
Date: Wed, 26 Nov 2025 14:00:52 +0800
Subject: [PATCH] =?UTF-8?q?=E8=AF=AD=E6=B3=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 site/nginx/nginx.conf | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/site/nginx/nginx.conf b/site/nginx/nginx.conf
index 808708a9..315d7083 100644
--- a/site/nginx/nginx.conf
+++ b/site/nginx/nginx.conf
@@ -62,9 +62,11 @@ http {
 # 如果证书链文件单独存在,取消下面的注释并指定路径
 # ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
 
-# SSL 安全配置
+# SSL 安全配置 - 兼容移动设备和Firefox
+# 支持 TLS 1.2 和 1.3,确保移动设备兼容性
 ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+# 使用更兼容的密码套件,确保移动设备和Firefox支持
+ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA';
 ssl_prefer_server_ciphers off;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
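Review bot: The new `ssl_ciphers` value on the added line reintroduces every CBC-mode suite the previous list deliberately left out (all `*-SHA`, `*-SHA256`, `*-SHA384` entries without `GCM`), and the comment's compatibility justification is not supported by a concrete client: `ssl_ciphers` only governs TLS 1.2, TLS 1.3 clients (current Firefox, iOS and Android) are unaffected, and those same clients already negotiate the AEAD suites the old list offered. CBC suites are the ones with the padding-oracle (Lucky13-class) history that motivated dropping them, and with `ssl_prefer_server_ciphers off` left in place the client, not the server, decides whether one is used. The trailing `!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA` exclusions are no-ops on an explicit allow-list and only obscure it. I would restore the previous eight-suite value and, if a specific TLS 1.2-only device really fails, append only the suite it needs with a comment naming that client and version, e.g. `# +ECDHE-RSA-AES128-SHA256: required by <client/version observed failing> — remove when retired`.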
@@ -72,16 +74,23 @@ http {
 # SSL 优化配置
 ssl_buffer_size 8k;
 
-ssl_stapling on;
-ssl_stapling_verify on;
-resolver 8.8.8.8 8.8.4.4 valid=300s;
-resolver_timeout 5s;
-
-# 安全头
+# 如果证书链不完整,OCSP Stapling 可能导致 Firefox 和移动设备无法验证
+# 暂时禁用 OCSP Stapling 以提高兼容性
+# 如果证书链完整,可以重新启用
+ssl_stapling off;
+ssl_stapling_verify off;
+# resolver 8.8.8.8 8.8.4.4 valid=300s;
+# resolver_timeout 5s;
+
+# 安全头 - 兼容移动设备
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-XSS-Protection "1; mode=block" always;
+
+# 移动设备优化
+# 确保移动设备可以正确解析内容类型
+add_header Vary "Accept-Encoding" always;
 
 # 反向代理到 Next.js 应用
 location / {
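Review bot: `ssl_stapling off;` and `ssl_stapling_verify off;` treat the symptom named in the comment above them: an incomplete served chain breaks path building for clients regardless of stapling, while turning stapling off makes clients fetch OCSP themselves or soft-fail and lose revocation checking. The fix is to serve the complete chain (an `ssl_certificate` file that concatenates leaf and intermediates, or the `ssl_trusted_certificate` path that the earlier hunk leaves commented out) and keep `ssl_stapling on;` with the `resolver` lines restored; if it must stay off for now, the comment should record what blocks re-enabling, e.g. `# TODO(<ticket-id>): re-enable ssl_stapling once the intermediate is included in the served chain`. The comment on the added `add_header Vary "Accept-Encoding" always;` is inaccurate — `Vary` tells caches which request header a response depends on and has nothing to do with content-type parsing; `# Vary on Accept-Encoding so caches keep compressed and uncompressed variants apart` describes it, and `gzip_vary on;` sets the same header if gzip is enabled elsewhere in the file. Since `add_header` directives are dropped in any `location` that declares its own `add_header`, the `location /` opened on the hunk's last line (its body is outside the hunk) will not inherit any of these headers if it adds one.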