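# TLS-terminating reverse proxy: accepts HTTPS on 443 and forwards requests
# in plain HTTP to a backend listening on the loopback interface.
server {
    # Listening port; change as needed.
    listen *:443 ssl;
    # Host name served by this block.
    server_name xxx.xxx.com;

    # Allow large file uploads. This is also the upper bound on the request
    # body any client can make nginx buffer, so keep it no larger than the
    # application really needs.
    client_max_body_size 1G;
    # Optimize downloading files larger than 1G.
    #proxy_max_temp_file_size 2G;

    # Certificate and private key. Relative paths are resolved from the nginx
    # configuration directory (conf). The key file should be readable only by
    # the account that starts nginx.
    ssl_certificate cert/xxx.com.crt;
    ssl_certificate_key cert/xxx.com.key;

    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;

    # TLS 1.1 is deprecated (RFC 8996) and has been removed; only TLS 1.2 and
    # TLS 1.3 are offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret (ECDHE) suites only. The 3DES suites were dropped because
    # of the 64-bit block size (SWEET32), and the static-RSA key exchange
    # suites because they provide no forward secrecy. This list governs
    # TLS 1.2; TLS 1.3 suites are negotiated separately by the TLS library.
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;

    # HSTS. Browsers that have seen this header refuse plain HTTP for this
    # host AND every subdomain (includeSubdomains) for max-age seconds (two
    # years here), so it cannot be rolled back quickly; "preload" additionally
    # declares the domain eligible for browser preload lists. Enable it only
    # when the whole domain, subdomains included, is served over HTTPS.
    # "always" makes nginx send the header on error responses too.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;

    location / {
        # Use an IPv4 upstream address instead of a DNS name so that nginx
        # does not attempt an IPv6 DNS lookup.
        proxy_pass http://127.0.0.1:29010;
        proxy_set_header Host $host;
        # Address of the peer that connected to nginx; not client-controlled.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For value the client sent, so only the last entry was
        # written by this proxy. The backend must not treat earlier entries
        # as trustworthy for access control or rate limiting.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto "$scheme";
    }
}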