api/nginx_config_optimized.conf

server {
    listen 80;
    listen 443 ssl;
    http2 on;

    server_name  undressing.top  www.undressing.top;
    index index.html index.htm;
    ssl_certificate  ssl/undressing.top.crt;
    ssl_certificate_key ssl/undressing.top.key;
    ssl_session_timeout 5m;
    # 优化加密套件配置，移除不安全的算法
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES;
    # 移除不安全的 TLSv1.1，只保留 TLSv1.2 和 TLSv1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # 启用 SSL session 缓存，提高性能
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    
    root /data/web/client_web;
    autoindex off;  # 禁用目录列表
    
    # 安全头部
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
    location ~* (\.git|\.env|composer\.json|\.log|\.sql)$ {
        deny all;
    }
    location ^~ /api/ {
      proxy_pass http://10.0.0.167:8110;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Real-Port $remote_port;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Port $server_port;
      proxy_set_header REMOTE-HOST $remote_addr;
      
      proxy_connect_timeout 60s;
      proxy_send_timeout 600s;
      proxy_read_timeout 600s;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      # 缓冲配置，提高性能
      proxy_buffering on;
      proxy_buffer_size 4k;
      proxy_buffers 8 4k;
    }
    location / {
      root /data/web/client_web;
      index index.html index.htm;
      try_files $uri $uri/ /index.html;
    }
}