-
-
Save Zerek-Cheng/8a2f8b0795ea8b19738adf6d36f61134 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
server { | |
listen 80; | |
listen 443 ssl; | |
server_name *.minio.xxxxxxxxx.com; | |
ssl_certificate /etc/nginx/ssl/*.minio.xxxxxxxxx.com.fullchain.pem; | |
ssl_certificate_key /etc/nginx/ssl/*.minio.xxxxxxxxx.com.key; | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_timeout 10m; | |
keepalive_timeout 70; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; | |
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA- AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128- SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA: DES-CBC3-SHA:!DSS'; | |
ssl_prefer_server_ciphers on; | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
#选配 优化属性 | |
ignore_invalid_headers off; | |
client_max_body_size 1000m; | |
proxy_buffering off; | |
#必须 防止请求头丢失 | |
underscores_in_headers on; | |
#选配 优化属性 | |
proxy_set_header Host $http_host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Scheme $scheme; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
add_header Pragma "no-cache"; | |
#选配 优化属性 | |
# 针对缺失"X-Content-Type-Options"头漏洞整改建议 | |
add_header X-Content-Type-Options nosniff; #影响demo服务登出等功能 | |
# 针对缺失"X-XSS-Protection"头漏洞整改建议 | |
add_header X-XSS-Protection "1; mode=block"; | |
# 针对点击劫持:X-Frame-Options头缺失漏洞的整改建议 | |
#add_header X-Frame-Options "SAMEORIGIN"; | |
# 针对缺少HTTP Strict-Transport-Security头漏洞的整改建议 | |
add_header Strict-Transport-Security "max-age=31536000;includeSubdomains;"; | |
location / { | |
# set $subdomain "$host"; | |
# if ($host ~* "^(.*?)\.minio\.xxxxxxxxx\.com$") { | |
# set $subdomain "/$1"; | |
# } | |
proxy_set_header X-Forwarded-For $remote_addr; | |
proxy_set_header Connection Keep-Alive; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
add_header Access-Control-Allow-Origin *; | |
proxy_set_header Host $host; | |
proxy_pass http://127.0.0.1:9000; | |
} | |
} | |
server { | |
listen 80; | |
listen 443 ssl; | |
server_name minio.xxxxxxxxx.com; | |
ssl_certificate /etc/nginx/ssl/*.minio.xxxxxxxxx.com.fullchain.pem; | |
ssl_certificate_key /etc/nginx/ssl/*.minio.xxxxxxxxx.com.key; | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_timeout 10m; | |
keepalive_timeout 70; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; | |
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA- AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128- SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA: DES-CBC3-SHA:!DSS'; | |
ssl_prefer_server_ciphers on; | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
#选配 优化属性 | |
ignore_invalid_headers off; | |
client_max_body_size 1000m; | |
proxy_buffering off; | |
#必须 防止请求头丢失 | |
underscores_in_headers on; | |
#选配 优化属性 | |
proxy_set_header Host $http_host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Scheme $scheme; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
add_header Pragma "no-cache"; | |
#选配 优化属性 | |
# 针对缺失"X-Content-Type-Options"头漏洞整改建议 | |
add_header X-Content-Type-Options nosniff; #影响demo服务登出等功能 | |
# 针对缺失"X-XSS-Protection"头漏洞整改建议 | |
add_header X-XSS-Protection "1; mode=block"; | |
# 针对点击劫持:X-Frame-Options头缺失漏洞的整改建议 | |
#add_header X-Frame-Options "SAMEORIGIN"; | |
# 针对缺少HTTP Strict-Transport-Security头漏洞的整改建议 | |
add_header Strict-Transport-Security "max-age=31536000;includeSubdomains;"; | |
location / { | |
proxy_set_header Host "minio.xxxxxxxxx.com"; | |
proxy_pass http://127.0.0.1:9000; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment