server { listen 80; listen 443 ssl; http2 on; server_name undressing.top www.undressing.top; index index.html index.htm; ssl_certificate ssl/undressing.top.crt; ssl_certificate_key ssl/undressing.top.key; ssl_session_timeout 5m; # 优化加密套件配置,移除不安全的算法 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES; # 移除不安全的 TLSv1.1,只保留 TLSv1.2 和 TLSv1.3 ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; # 启用 SSL session 缓存,提高性能 ssl_session_cache shared:SSL:10m; ssl_session_tickets off; root /data/web/client_web; autoindex off; # 禁用目录列表 # 安全头部 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; location ~ /\. { deny all; access_log off; log_not_found off; } location ~* (\.git|\.env|composer\.json|\.log|\.sql)$ { deny all; } location ^~ /api/ { proxy_pass http://10.0.0.167:8110; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-Port $remote_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header REMOTE-HOST $remote_addr; proxy_connect_timeout 60s; proxy_send_timeout 600s; proxy_read_timeout 600s; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; # 缓冲配置,提高性能 proxy_buffering on; proxy_buffer_size 4k; proxy_buffers 8 4k; } location / { root /data/web/client_web; index index.html index.htm; try_files $uri $uri/ /index.html; } }