
语法

feature/web_v4.0
hyh 3 weeks ago
parent
commit
8dae75f5d2
  1. 25
      site/nginx/nginx.conf

25
site/nginx/nginx.conf

@ -62,9 +62,11 @@ http {
# 如果证书链文件单独存在,取消下面的注释并指定路径
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# SSL 安全配置
# SSL 安全配置 - 兼容移动设备和Firefox
# 支持 TLS 1.2 1.3,确保移动设备兼容性
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# 使用更兼容的密码套件,确保移动设备和Firefox支持
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA';
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
@ -72,17 +74,24 @@ http {
# SSL 优化配置
ssl_buffer_size 8k;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# 安全头
# 如果证书链不完整,OCSP Stapling 可能导致 Firefox 和移动设备无法验证
# 暂时禁用 OCSP Stapling 以提高兼容性
# 如果证书链完整,可以重新启用
ssl_stapling off;
ssl_stapling_verify off;
# resolver 8.8.8.8 8.8.4.4 valid=300s;
# resolver_timeout 5s;
# 安全头 - 兼容移动设备
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# 移动设备优化
# 确保移动设备可以正确解析内容类型
add_header Vary "Accept-Encoding" always;
# 反向代理到 Next.js 应用
location / {
proxy_pass http://marketing-site:3000;
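Review bot: The new `ssl_ciphers` list appends CBC-mode suites with HMAC-SHA1/SHA256/SHA384 (`ECDHE-RSA-AES128-SHA`, `DHE-RSA-AES256-SHA`, …) while `ssl_prefer_server_ciphers off;` stays in place, so a TLS 1.2 client that ranks one of them first will negotiate it even though an AEAD suite is on offer. Current Firefox and mobile browsers already support the GCM/CHACHA20 suites of the previous list, so the compatibility problem is more likely the incomplete certificate chain mentioned in the stapling comment; serving the full chain from the `ssl_certificate` file would address that without widening the cipher set or switching `ssl_stapling` off. If the legacy suites must stay for a specific client, I would set `ssl_prefer_server_ciphers on;` and add a comment naming that client so the list can be trimmed later. The `DHE-*` entries probably have no effect unless `ssl_dhparam` is configured elsewhere in the `http` block, which starts and ends outside the visible hunks.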
