端口
server {
# 监听端口
listen 80;
# 开启 https
listen 443 ssl;
# 开启 http2
listen 443 ssl http2;
# 监听80端口并支持 IPv6
listen [::]:80;
# 监听80端口只支持 IPv6协议
listen [::]:80 ipv6only=on;
}
域名
server {
# 监听的域名
server_name yourdomain.com;
# 监听泛域名
server_name *.yourdomain.com;
# 监听所有顶级域名
server_name yourdomain.*;
# 侦听未指定的主机名(侦听IP地址本身)
server_name "";
}
重定向
server {
listen 80;
server_name www.yourdomain.com;
return 301 http://yourdomain.com$request_uri;
}
server {
listen 80;
server_name www.yourdomain.com;
# 拦截url中存在的/redirect-url,并将浏览器地址重定向到指定域名
location /redirect-url {
return 301 http://otherdomain.com;
}
}
负载均衡
# 后台服务器
upstream node_js {
server 192.168.1.1:3000;
server 192.168.1.2:4000;
}
server {
listen 80;
server_name yourdomain.com;
location / {
proxy_pass http://node_js;
}
}
SSL 协议
server {
listen 443 ssl;
server_name yourdomain.com;
ssl on;
# https证书路径
ssl_certificate /path/to/cert.pem;
# https密钥
ssl_certificate_key /path/to/privatekey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/fullchain.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_timeout 1h;
ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security max-age=15768000;
}
# Permanent Redirect for HTTP to HTTPS
server {
listen 80;
server_name yourdomain.com;
return 301 https://$host$request_uri;
}
安全配置
iframe
iframe嵌套网页时,通过X-Frame-Options响应头控制是否允许被嵌套访问。
# 将改行配置添加到 http、server 或location中
add_header X-Frame-Options "SAMEORIGIN always";
X-Frame-Options参数:
DENY该页面不允许被任何iframe嵌入,相同域名也不允许。add_header X-Frame-Options DENY;SAMEORIGIN相同域名页面的iframe嵌入。add_header X-Frame-Options SAMEORIGIN;ALLOW-FROM url配置指定域名,允许白名单中域名的iframe嵌入add_header X-Frame-Options "域名1 域名2 域名3";- ALLOWALL
允许任何域名的
iframe嵌入。add_header X-Frame-Options ALLOWALL;