Created
June 23, 2017 13:07
# Redis instance used as the page-cache backend; the "redis" name is what
# redis_pass / redis2_pass refer to in the HTTPS server block.
upstream redis {
    server 127.0.0.1:6379;   # loopback address only
    keepalive 512;           # idle upstream connections kept open per worker
}
# Plain-HTTP virtual host: its only job is to send every request to HTTPS.
server {
    listen 80;
    server_name www.mf8.biz mf8.biz;
    access_log off;
    index index.html index.htm index.php;

    # Permanent redirect to the canonical https://www host, keeping the path.
    rewrite ^/(.*)$ https://www.mf8.biz/$1 permanent;
}
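# HTTPS virtual host for the WordPress site: dual ECC/RSA certificates,
# a Redis-backed srcache page cache in front of PHP-FPM, and static-file rules.
server {
    ## Enable HTTPS and HTTP/2
    listen 443 ssl http2;

    ## ECC certificate section
    ssl_certificate /usr/local/openresty/nginx/conf/ssl/www.mf8.biz-ecc.crt;      # ECC certificate
    ssl_certificate_key /usr/local/openresty/nginx/conf/ssl/www.mf8.biz-ecc.key;  # ECC private key
    ssl_ct_static_scts /usr/local/openresty/nginx/conf/ssl/sct-1/;                # Certificate Transparency SCTs for the ECC certificate
    ssl_certificate /usr/local/openresty/nginx/conf/ssl/www.mf8.biz.crt;          # RSA certificate
    ssl_certificate_key /usr/local/openresty/nginx/conf/ssl/www.mf8.biz.key;      # RSA private key
    ssl_ct_static_scts /usr/local/openresty/nginx/conf/ssl/sct-2/;                # Certificate Transparency SCTs for the RSA certificate

    ## TLS hardening section
    # HSTS; "always" makes nginx send the header on error responses too,
    # not only on 2xx/3xx replies.
    add_header Strict-Transport-Security "max-age=15768000" always;
    # TLS 1.0 and 1.1 are deprecated and no longer offered. Add TLSv1.3 here
    # when the nginx/OpenSSL build in use supports it.
    ssl_protocols TLSv1.2;
    # The 3DES suites were dropped: 3DES is a 64-bit block cipher and is
    # exposed to birthday-bound attacks on long-lived connections.
    # NOTE(review): RSA+AES128 / RSA+AES256 use static RSA key exchange and
    # give no forward secrecy; remove them unless a required client lacks ECDHE.
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:!MD5;
    ssl_ct on;  # enable Certificate Transparency
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_buffer_size 1400;
    # NOTE(review): OCSP stapling with verification needs a resolver and the
    # issuer chain (ssl_trusted_certificate) to be available; neither is set
    # in this block, so confirm they are configured at a level it inherits from.
    ssl_stapling on;
    ssl_stapling_verify on;

    server_name www.mf8.biz mf8.biz;
    access_log off;
    index index.html index.htm index.php;
    include /usr/local/openresty/nginx/conf/rewrite/wordpress.conf;
    include /usr/local/openresty/nginx/conf/vhost/blockip.conf;
    root /data/wwwroot/mf8;

    # Hotlink control for media and archives. valid_referers only sets
    # $invalid_referer; without the check below nothing is ever rejected.
    # "none" and "blocked" still admit requests with a missing or stripped
    # Referer, so this limits bandwidth theft and is not an access control.
    # Regex locations are tried in order, so jpg/gif/png/swf/flv/mp4 requests
    # stop here and never receive the "expires 30d" of the image location below.
    location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|jpg|gif|png|swf|flv|mp4)$ {
        valid_referers none blocked *.mf8.biz www.mf8.biz mf8.biz;
        if ($invalid_referer) {
            return 403;
        }
    }

    # $skip_cache = 1 means: neither read this response from nor write it to
    # the Redis page cache.
    set $skip_cache 0;

    # POST requests go straight to the backend
    if ($request_method = POST) {
        set $skip_cache 1;
    }
    if ($query_string != "") {
        set $skip_cache 1;
    }

    # Do not cache the following paths. The dots are unescaped, so the pattern
    # matches more URIs than the literal names; that errs towards skipping
    # the cache.
    if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
        set $skip_cache 1;
    }

    # Do not cache logged-in users or recent commenters; a cached page built
    # for one of them must not be served to other visitors.
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
        set $skip_cache 1;
    }

    # Cache read path. "internal" keeps clients from requesting it directly;
    # it is reached only through the srcache_fetch subrequest.
    location /redis-fetch {
        internal;
        set $redis_key $args;
        redis_pass redis;
    }

    # Cache write path, also internal-only. Entries expire after 14400 s (4 h).
    location /redis-store {
        internal;
        set_unescape_uri $key $arg_key;
        redis2_query set $key $echo_request_body;
        redis2_query expire $key 14400;
        redis2_pass redis;
    }

    location ~ [^/]\.php(/|$) {
        # NOTE(review): the key includes $host. If this block is also the
        # default server for port 443, requests with arbitrary Host headers
        # would create their own cache entries; confirm a catch-all server
        # exists elsewhere.
        set $key "nginx-cache:$scheme$request_method$host$request_uri";
        # Only hand the request to PHP when the script file exists.
        try_files $uri =404;
        srcache_fetch_skip $skip_cache;
        srcache_store_skip $skip_cache;
        # With this off, Cache-Control / Expires on the PHP response (for
        # example "private" or "no-store") no longer stop a page from being
        # stored; the $skip_cache rules above are then the only guard against
        # caching per-user content.
        srcache_response_cache_control off;
        set_escape_uri $escaped_key $key;
        srcache_fetch GET /redis-fetch $key;
        srcache_store PUT /redis-store key=$escaped_key;
        # Debug headers: expose the cache fetch/store status to every client.
        more_set_headers 'X-Cache $srcache_fetch_status';
        more_set_headers 'X-Store $srcache_store_status';
        #fastcgi_pass remote_php_ip:9000;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        # NOTE(review): /proc/ inside open_basedir lets PHP code read process
        # information; drop it unless something needs it. PHP_ADMIN_VALUE
        # would additionally stop scripts from changing the value via ini_set().
        fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/:/proc/";
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }

    # NOTE(review): the trailing "?" makes the extension group optional, so
    # this also matches any URI that ends in a dot; presumably unintended.
    location ~ .*\.(js|css)?$ {
        expires 7d;
        access_log off;
    }

    # Blocks .htaccess / .htpasswd only. Other dotfiles under the web root
    # (for example VCS metadata or environment files) are not covered here.
    location ~ /\.ht {
        deny all;
    }
}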