更多配置
解耦模式
include extend/acme.conf;
# A resolver is required so the ACME module can resolve the issuer hostnames below.
# Use Google/Cloudflare public DNS, or the Docker embedded DNS (127.0.0.11) inside a container.
# NOTE(review): these lookups are ordinary unauthenticated DNS; integrity of the ACME
# exchange rests on TLS validation of the https:// issuer URIs, not on the resolver.
# valid=300s overrides the record TTL for cached answers.
# resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver 8.8.8.8 1.1.1.1 valid=300s ipv6=off;
# Inside Docker the built-in resolver can be used instead.
# resolver 127.0.0.11 ipv6=off;
# Shared memory zone holding certificates and module state (1M or more is suggested).
acme_shared_zone zone=ngx_acme_shared:1M;
# 定义 ACME 发行者
acme_issuer letsencrypt {
    uri https://acme-v02.api.letsencrypt.org/directory;
    # NOTE(review): the module persists its state here, which is expected to include the
    # ACME account key and issued private keys — keep it on persistent storage and readable
    # only by the nginx user.
    state_path /etc/nginx/acme/letsencrypt;
    accept_terms_of_service;
    # Replace with a monitored mailbox: the CA sends expiry and incident notices here.
    contact mailto:admin@example.com;
}
acme_issuer zerossl {
    uri https://acme.zerossl.com/v2/DV90;
    # NOTE(review): state directory; expected to hold the account key and private keys —
    # persistent storage, restricted permissions.
    state_path /etc/nginx/acme/zerossl;
    accept_terms_of_service;
    contact mailto:admin@example.com;
    # External Account Binding. The `data:` form embeds the HMAC key directly in the
    # configuration, so it is exposed to anyone who can read the config, to `nginx -T`
    # output, and to config backups/VCS. Prefer a key file with restricted permissions if
    # the module accepts one here (check the external_account_key documentation).
    external_account_key <EAB_ID> data:<EAB_HMAC_KEY>;
}
acme_issuer google {
    uri https://dv.acme-v02.api.pki.goog/directory;
    # NOTE(review): state directory; expected to hold the account key and private keys —
    # persistent storage, restricted permissions.
    state_path /etc/nginx/acme/google;
    accept_terms_of_service;
    contact mailto:admin@example.com;
    # External Account Binding. The `data:` form embeds the HMAC key directly in the
    # configuration, so it is exposed to anyone who can read the config, to `nginx -T`
    # output, and to config backups/VCS. Prefer a key file with restricted permissions if
    # the module accepts one here (check the external_account_key documentation).
    external_account_key <EAB_ID> data:<EAB_HMAC_KEY>;
}
# wildcard/acme.conf
# Included by each HTTPS server block: pulls in the shared TLS settings and wires the
# ACME-managed certificate into ssl_certificate/ssl_certificate_key.
include extend/ssl.conf;
# Binding an issuer is left to the including server block (conf.d/example.com.conf sets
# acme_certificate itself), so these stay commented out.
# acme_certificate zerossl;
# acme_certificate letsencrypt;
# Load certificate and key from the module's embedded variables instead of files on disk.
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
# Recommended: cache parsed certificates instead of re-loading them per handshake.
ssl_certificate_cache max=10;
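# extend/ssl.conf
# Shared TLS/HTTP3 settings for every HTTPS server block (included via wildcard/acme.conf).
#listen [::]:443 ssl ipv6only=off reuseport;
#listen [::]:443 quic reuseport ipv6only=off;
# Listen on 443 for IPv4 and IPv6, TLS plus QUIC (HTTP/3).
# NOTE(review): nginx documents `reuseport` on the QUIC listener when several worker
# processes are used — confirm against the nginx version in use before leaving it off.
listen 443 ssl;
listen 443 quic;
listen [::]:443 ssl;
listen [::]:443 quic;
http2 on;
http3 on;
# TLS 1.2 and 1.3 (the previous comment said "TLS 1.3 only", which the directive did not do).
ssl_protocols TLSv1.2 TLSv1.3;
# OpenSSL's default cipher list; with OpenSSL, ssl_ciphers does not affect TLS 1.3 suites.
ssl_ciphers DEFAULT;
# Server-side cipher preference (relevant to TLS 1.2 negotiations).
ssl_prefer_server_ciphers on;
# Session cache shared across workers so resumption works regardless of worker.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Small TLS record size to reduce time-to-first-byte.
ssl_buffer_size 1400;
# HSTS. `always` sends the header on error responses too; without it add_header only
# applies to 2xx/3xx responses, so a 4xx/5xx page would lack HSTS.
# `includeSubDomains` + `preload` are hard to undo once browsers pick them up: every
# subdomain must already be HTTPS-only. Any location that sets its own add_header drops
# inherited headers, including this one.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
# Advertise HTTP/3 on the same port.
add_header Alt-Svc 'h3=":443"; ma=86400';
# OCSP stapling is disabled (the previous comment claimed it was enabled). Some CAs such as
# Let's Encrypt have dropped OCSP; stapling also needs a resolver and an OCSP-capable chain.
ssl_stapling off;
ssl_stapling_verify off;
# A plain-HTTP request on the TLS port raises nginx's internal code 497; redirect it to
# HTTPS. The previous `error_page 403 https://$host$request_uri;` redirected every
# Forbidden response back to the same HTTPS URL, producing a 403 -> 302 -> 403 loop and
# hiding the real error; its comment about HTTP/1.1 deprecating 401 was incorrect.
error_page 497 https://$host$request_uri;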
# conf.d/example.com.conf
# Plain-HTTP listener: does nothing but redirect to HTTPS (extend/http_to_https.conf).
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    include extend/http_to_https.conf;
}
# HTTPS listener: ports, TLS settings and certificate variables come from wildcard/acme.conf.
server {
    server_name example.com;
    # Obtain/renew the certificate for server_name from this issuer; the module exposes it
    # through $acme_certificate / $acme_certificate_key, consumed in wildcard/acme.conf.
    acme_certificate letsencrypt;
    include wildcard/acme.conf;
}
extend/http_to_https.conf
# extend/http_to_https.conf
# Redirect to HTTPS unless extend/maps.conf sets $skip_https_redirect to 0 for this host.
# NOTE(review): the variable name reads inverted — 1 means "do redirect" (the map's
# default), so a host that must stay on HTTP needs a `hostname 0;` entry in the map.
# NOTE(review): if an issuer validates via http-01, challenge requests on port 80 also hit
# this redirect; whether the CA follows it to the HTTPS server carrying acme_certificate
# should be confirmed rather than assumed.
if ($skip_https_redirect = 1) {
    return 301 https://$host$request_uri;
}
禁止 ClaudeBot 爬虫、设置 HTTP 跳转 HTTPS 参数
# extend/maps.conf
# Flags requests whose User-Agent contains "ClaudeBot" (case-insensitive match).
# NOTE(review): nothing in the visible configuration reads $bad_bot; a consumer such as
# `if ($bad_bot) { return 403; }` in the relevant server block is needed for this to have
# any effect. User-Agent is client-supplied, so this is advisory, not an access control.
map $http_user_agent $bad_bot {
    default 0;
    "~*ClaudeBot" 1;
}
# 1 = redirect this host to HTTPS (the default). Add `hostname 0;` entries for hosts that
# must not be redirected. Consumed by extend/http_to_https.conf.
map $host $skip_https_redirect {
    default 1; # redirect by default
}
- extend/robots_disallow.conf
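# extend/robots_disallow.conf
# Serve a robots.txt that disallows all crawlers. Advisory only: well-behaved crawlers
# honour it, abusive ones do not.
location = /robots.txt {
    # default_type sets the Content-Type of this generated response. The previous
    # `add_header Content-Type text/plain;` appended a second Content-Type header on top
    # of the server's default_type value instead of replacing it, and — being an
    # add_header in this location — also discarded the server-level headers (HSTS,
    # Alt-Svc) for this URI.
    default_type text/plain;
    return 200 "User-agent: *\nDisallow: /\n";
}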
在 conf.d/example.com.conf 需要使用禁止爬虫的域名配置中追加
# conf.d/example.com.conf
# Fragment: add this include to the HTTPS server block of each domain that should disallow
# crawlers (listen/server_name are omitted here for brevity).
server {
    include extend/robots_disallow.conf;
}
扩展
反向代理
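# conf.d/example.com.conf
# Reverse proxy to the `ntfy` upstream with WebSocket support.
# Derive the upstream Connection header from the client's Upgrade header: "upgrade" only
# when the client requested a protocol upgrade, "close" otherwise. The previous config
# hard-coded `Connection "upgrade"` for every request, which is wrong for ordinary HTTP
# requests and can confuse the backend's keep-alive handling. A map must live in http
# context, which conf.d/*.conf files are included into.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
    location / {
        # NOTE(review): `ntfy` must be declared as an upstream (or be resolvable); it is not
        # among the upstreams shown in extend/upstreams.conf.
        proxy_pass http://ntfy;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Appends the client address to any incoming X-Forwarded-For. If nginx is the edge,
        # the backend must trust only the last entry (or use X-Real-IP); the rest is
        # client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        # Long timeouts to keep idle WebSocket/long-poll connections open.
        # NOTE(review): the connect timeout is effectively capped by the OS (~75s).
        proxy_connect_timeout 3m;
        proxy_send_timeout 3m;
        proxy_read_timeout 3m;
        # No request-body size limit, and pass the body to the backend as it arrives.
        # `client_max_body_size 0` alone only removes the limit; nginx still buffers the
        # whole body (to disk beyond client_body_buffer_size) unless request buffering is
        # off. Unlimited bodies move resource-exhaustion protection to the backend.
        client_max_body_size 0;
        proxy_request_buffering off;
    }
}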
上游文件
# extend/upstreams.conf
# Named backends referenced as proxy_pass http://<name>.
# NOTE(review): hostnames in `server` entries (host.docker.internal, other_server) are
# resolved when the configuration is loaded; if their addresses change at runtime nginx
# keeps the old address until a reload. None of these is the `ntfy` upstream referenced
# in conf.d/example.com.conf.
upstream server1 {
    server 127.0.0.1:8080;
}
upstream server2 {
    server host.docker.internal:9120;
}
upstream server3 {
    server other_server:8989;
}