Skip to content

Instantly share code, notes, and snippets.

@lixingcong
Last active October 15, 2016 16:34
Show Gist options
  • Save lixingcong/276ae24f8a0bedd147ac7489f3c58fc2 to your computer and use it in GitHub Desktop.
Save lixingcong/276ae24f8a0bedd147ac7489f3c58fc2 to your computer and use it in GitHub Desktop.
nginx reverse proxy for google
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
limit_req_zone $binary_remote_addr zone=setfreq:10m rate=10r/s;
limit_req zone=setfreq burst=50 nodelay;
upstream www.google.com {
server 216.58.217.206:443 weight=34;
server 172.217.4.142:443 weight=33;
server 216.58.193.206:443 weight=33;
}
include mime.types;
default_type application/octet-stream;
#access_log logs/access.log main;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
types_hash_max_size 2048;
gzip on;
gzip_vary on;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 1000;
gzip_proxied any;
gzip_disable "msie6";
gzip_http_version 1.0;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
server {
listen 80 reuseport;
server_name MY_DOMAIN.COM;
#charset koi8-r;
#access_log logs/host.access.log main;
location ^~ /.well-known/acme-challenge/ {
alias /var/www/challenges/;
try_files $uri =404;
}
location / {
rewrite ^/(.*)$ http://www.baidu.com permanent;
}
location /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
}
server {
server_name MY_DOMAIN.COM;
listen 443 ssl http2 fastopen=2 reuseport;
ssl on;
ssl_certificate /root/ng/acme-tiny/chained.pem;
ssl_certificate_key /root/ng/acme-tiny/domain.key;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets on;
# oscp
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /root/ng/acme-tiny/full_chained.pem;
resolver 8.8.8.8;
# https://github.com/cuber/ngx_http_google_filter_module
location / {
google on;
google_scholar on;
google_language "en";
}
# forbid spider
if ($http_user_agent ~* "qihoobot|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot"){
return 403;
}
location /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
}
# forbid illegal domain request
if ( $host != $server_name ) {
return 403;
}
}
}
#! /bin/bash
# https://github.com/diafygi/acme-tiny
export ACME_TINY_DIR=/root/ng/acme-tiny
cd $ACME_TINY_DIR && python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /var/www/challenges/ > signed.crt || exit
cd $ACME_TINY_DIR && wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem
cd $ACME_TINY_DIR && cat signed.crt intermediate.pem > chained.pem
cd $ACME_TINY_DIR && wget -O - https://letsencrypt.org/certs/isrgrootx1.pem > root.pem
cd $ACME_TINY_DIR && cat intermediate.pem root.pem > full_chained.pem
nginx -s reload
if [ $? = '0' ];then
echo renew cert ok!
fi
@lixingcong
Copy link
Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment