terrywang · July 28, 2022 23:28
diff --git a/nginx.conf b/nginx.conf
 server {
    listen 80;
    # listen [::]:80 default ipv6only=on;
    server_name log.terry.im;

    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response
    location / {
        return 301 https://$host$request_uri;
    }
 }

 server {
    # listen 443 ssl;
    listen 443 ssl http2;

    server_name log.terry.im;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/lego/.lego/certificates/terry.im.crt;
    ssl_certificate_key /path/to/lego/.lego/certificates/terry.im.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m; # 10m about 40k sessions
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    # openssl dhparam -out /path/to/dhparams_4096.pem 4096
    ssl_dhparam /etc/ssl/private/dhparams_4096.pem;

    # modern configuration, tweak to your needs
    # ssl_protocols TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.3;
    # ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    # ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
    ssl_prefer_server_ciphers on;

    # intermediate configuration, tweak to your needs
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
    add_header Strict-Transport-Security "max-age=63072000; always;";

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/lego/.lego/certificates/terry.im.crt;

    # resolver <IP DNS resolver> valid=300s;
    # resolver_timeout 5s;
    resolver 8.8.8.8 1.1.1.1 valid=30s ipv6=off;
    resolver_timeout 5s;

    root /var/www/terry.im/log;
    index index.php index.html index.htm;

    # rewrite ^(.*)$ $scheme://www.terry.im$1;

    access_log /var/log/nginx/log.terry.im-access.log;
    error_log /var/log/nginx/log.terry.im-error.log;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        try_files $uri $uri/ /index.html;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location ^~ /.well-known/ {
        allow all;
    }

    location ~ /\. {
        deny all;
    }

    location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
        deny all;
    }

    # Browser cache
    location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm)$ {
        expires 30d;
        log_not_found off;
    }

 }
	server {
	listen 80;
	# listen [::]:80 default ipv6only=on;
	server_name log.terry.im;

	# redirect all HTTP requests to HTTPS with a 301 Moved Permanently response
	location / {
	return 301 https://$host$request_uri;
	}
	}

	server {
	# listen 443 ssl;
	listen 443 ssl http2;

	server_name log.terry.im;

	# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	ssl_certificate /path/to/lego/.lego/certificates/terry.im.crt;
	ssl_certificate_key /path/to/lego/.lego/certificates/terry.im.key;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m; # 10m about 40k sessions
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
	# openssl dhparam -out /path/to/dhparams_4096.pem 4096
	ssl_dhparam /etc/ssl/private/dhparams_4096.pem;

	# modern configuration, tweak to your needs
	# ssl_protocols TLSv1.2 TLSv1.3;
	ssl_protocols TLSv1.3;
	# ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
	# ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305\|ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
	ssl_prefer_server_ciphers on;

	# intermediate configuration, tweak to your needs
	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
	add_header Strict-Transport-Security "max-age=63072000; always;";

	# OCSP Stapling
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate /path/to/lego/.lego/certificates/terry.im.crt;

	# resolver <IP DNS resolver> valid=300s;
	# resolver_timeout 5s;
	resolver 8.8.8.8 1.1.1.1 valid=30s ipv6=off;
	resolver_timeout 5s;

	root /var/www/terry.im/log;
	index index.php index.html index.htm;

	# rewrite ^(.*)$ $scheme://www.terry.im$1;

	access_log /var/log/nginx/log.terry.im-access.log;
	error_log /var/log/nginx/log.terry.im-error.log;

	location / {
	# First attempt to serve request as file, then
	# as directory, then fall back to index.html
	try_files $uri $uri/ /index.html;
	}

	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	location ^~ /.well-known/ {
	allow all;
	}

	location ~ /\. {
	deny all;
	}

	location ~* (?:\.(?:bak\|config\|sql\|fla\|psd\|ini\|log\|sh\|inc\|swp\|dist)\|~)$ {
	deny all;
	}

	# Browser cache
	location ~* ^.+\.(css\|js\|jpg\|jpeg\|gif\|png\|ico\|gz\|svg\|svgz\|ttf\|otf\|woff\|eot\|mp4\|ogg\|ogv\|webm)$ {
	expires 30d;
	log_not_found off;
	}

	}