完整Nginx配置分享
https 配置分享
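# Plain-HTTP listener: redirect to HTTPS so that session cookies and API
# traffic are never sent in clear text. The target host is hard-coded rather
# than taken from the request, so a forged Host header cannot steer the redirect.
server {
    listen 80;
    server_name preview.smartadmin.vip;
    return 301 https://preview.smartadmin.vip$request_uri;
}

server {
    listen 443 ssl;
    server_name preview.smartadmin.vip;

    # HTTPS certificate and private key.
    # The .key file should be readable only by the account that starts nginx.
    ssl_certificate     /home/ssl/smartadmin.vip/smartadmin.vip.pem;
    ssl_certificate_key /home/ssl/smartadmin.vip/smartadmin.vip.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and have been dropped here.
    # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1; remove it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Explicit AEAD + forward-secrecy suites instead of broad aliases (ECDH, AES, HIGH),
    # which also admit CBC-mode and static-key-exchange suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # gzip compression
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_comp_level 3;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";

    # Reject OPTIONS requests.
    # Note: this also rejects CORS preflight requests, so cross-origin callers cannot use this API.
    if ($request_method ~* OPTIONS) {
        return 403;
    }

    # Front end (single-page application)
    location / {
        # `root` replaces `alias`: for `location /` they resolve to the same files,
        # and `alias` combined with `try_files` is a known source of path-resolution bugs.
        root /home/smart-admin-v3-preview/dist;
        index index.html;
        # The last argument of try_files is the fallback URI. The original trailing
        # `last` was therefore treated as the fallback, not as a flag.
        try_files $uri $uri/ /index.html;
        expires -1;
    }

    # Back-end API
    location /smart-admin-api/ {
        # Java service behind the reverse proxy
        proxy_pass http://127.0.0.1:1024/smart-admin-api/;
        proxy_redirect off;

        # Forwarded request headers.
        # X-Forwarded-For is appended to whatever the client sent, so only the last
        # entry is set by this proxy; the backend should use X-Real-IP (or the last
        # X-Forwarded-For entry) for audit logs and rate limiting.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;

        # Disable caching: some browsers cache GET responses otherwise,
        # which causes stale-data bugs.
        expires -1;

        # Security settings.
        # `add_header Set-Cookie "Path=/; HttpOnly; Secure"` does not harden the
        # application's cookies; it emits a separate cookie named "Path".
        # proxy_cookie_flags (nginx >= 1.19.3) rewrites the flags on the cookies
        # the backend actually sets.
        proxy_cookie_flags ~ httponly secure;
        # `always` also attaches the headers to error responses (4xx/5xx).
        add_header X-Content-Type-Options "nosniff" always;
        # Legacy header; current browsers ignore it and rely on CSP instead.
        add_header X-XSS-Protection "1; mode=block" always;

        # Framing (clickjacking) policy.
        # X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers;
        # the only allowed framer is this site itself, so SAMEORIGIN expresses the same intent.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Content-Security-Policy "frame-ancestors preview.smartadmin.vip" always;
    }

    # Back-end API documentation (swagger / knife4j).
    # This publishes the full API schema to anyone who can reach the site. On a
    # production host, restrict it (for example with allow/deny or auth_basic)
    # or disable the endpoint in the application.
    location /v3/api-docs/ {
        proxy_pass http://127.0.0.1:1024/smart-admin-api/v3/api-docs/;
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Content-Security-Policy "frame-ancestors preview.smartadmin.vip" always;
        expires -1;
    }
}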
http 配置分享
感谢 @imajinyun 大佬分享的 http 配置
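# Plain-HTTP virtual host: SPA static files plus a reverse proxy for /api/.
# NOTE(review): no TLS listener is defined here. This presumably sits behind a
# TLS-terminating proxy or CDN; confirm, because several headers below only
# take effect over HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name api.xxx.com;

    access_log /www/wwwlogs/api.xxx.com.log combined;
    error_log  /www/wwwlogs/api.xxx.com.err;

    index index.html index.htm;
    root /www/wwwroot/your-project/smart-web/dist;

    client_body_timeout 60s;
    client_header_timeout 60s;
    client_max_body_size 20m;

    # CORS: Access-Control-Allow-Origin accepts a single origin, "*" or "null".
    # A pattern such as '*.xxx.com' is not valid and browsers reject it. Echo the
    # request's Origin only when it matches an anchored allow-list; add_header
    # skips a header whose value is empty, so other origins get no CORS headers.
    # Narrow `https?` to `https` once the site is served only over TLS.
    set $cors_origin "";
    set $cors_credentials "";
    if ($http_origin ~* "^https?://([a-z0-9-]+\.)+xxx\.com$") {
        set $cors_origin $http_origin;
        set $cors_credentials "true";
    }

    # Security headers. `always` also attaches them to error responses.
    # These are inherited by the locations below only while none of them
    # declares its own add_header.
    add_header Referrer-Policy 'origin' always;
    # NOTE(review): `https:` allows loading from any HTTPS origin and
    # 'unsafe-inline' allows inline scripts, so this policy gives little XSS
    # protection. Tighten default-src once the front end's real sources are known.
    add_header Content-Security-Policy "default-src 'self' *.xxx.com data: https: 'unsafe-inline'; frame-ancestors 'self' *.xxx.com" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options noopen always;
    # ALLOW-FROM is obsolete and never supported wildcards. Browsers that honour
    # CSP frame-ancestors (above) use it for the subdomain allow-list;
    # SAMEORIGIN is the fallback for the rest.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header; current browsers ignore it and rely on CSP instead.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Permitted-Cross-Domain-Policies none always;
    # Browsers ignore Strict-Transport-Security received over plain HTTP; it is
    # effective only if this response reaches the client through HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Access-Control-Allow-Credentials $cors_credentials always;
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
    add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
    # The allowed origin varies per request, so caches must key on Origin.
    add_header Vary Origin always;

    error_page 404 /404.html;
    error_page 502 /502.html;

    # Block VCS metadata and server-side config files.
    # Regex locations are tried in order of appearance, so this must come before
    # the extension-based locations; otherwise a path such as /.git/<file>.js
    # would match a caching rule first and be served.
    location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
        return 403;
    }

    # Hotlink protection for media and archives.
    # The Referer header is client-controlled: this limits casual embedding,
    # it is not an access control.
    location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|swf|flv|mp4)$ {
        valid_referers none blocked *.xxx.com api.xxx.com;
        if ($invalid_referer) {
            return 403;
        }
    }

    # SPA entry point: never cache, fall back to index.html for client-side routes.
    location / {
        expires epoch;
        try_files $uri $uri/ /index.html;
    }

    # Back-end API.
    # `^~` stops regex matching for this prefix. Without it, /api/... URLs ending
    # in .js, .css, .png, .zip and so on are captured by the regex locations and
    # answered from the static root instead of being proxied.
    location ^~ /api/ {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appended to the client-supplied value: only the last entry is set by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_pass http://127.0.0.1:1024/api/;
        proxy_redirect off;
        proxy_buffering off;
        expires -1;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Replaces the server-level `add_header Set-Cookie "Path=/; HttpOnly; Secure"`,
        # which sent a separate cookie named "Path" and left the backend's cookies
        # unchanged. Requires nginx >= 1.19.3.
        # Append `secure` once clients reach this site only over HTTPS; browsers
        # reject Secure cookies set over plain HTTP.
        proxy_cookie_flags ~ httponly;
    }

    # WeChat domain-verification file: exact match, served as plain text.
    location = /wechat/xxx.txt {
        default_type text/plain;
        return 200 "xxxxx";
    }

    # Long-lived caching for images and media
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
        expires 30d;
        access_log off;
    }

    # Caching for scripts and stylesheets.
    # The original `(js|css)?` made the extension optional, so the pattern also
    # matched any URI that ends in a bare dot.
    location ~ .*\.(js|css)$ {
        expires 7d;
        access_log off;
    }

    # ACME / well-known URIs stay reachable
    location /.well-known {
        allow all;
    }
}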