64 lines
1.8 KiB
Plaintext
64 lines
1.8 KiB
Plaintext
# Nginx 配置 —— shizhui.xyz 静态站点
|
||
# 放到服务器 /etc/nginx/sites-available/shizhui 并软链到 sites-enabled
|
||
# 证书由 certbot (DNS-01) 签发:/etc/letsencrypt/live/shizhui.xyz/
|
||
|
||
# HTTP:保留 ACME 验证路径,其余跳转 HTTPS
|
||
server {
|
||
listen 80;
|
||
listen [::]:80;
|
||
server_name shizhui.xyz www.shizhui.xyz;
|
||
|
||
# Let's Encrypt ACME 验证(webroot,备用)
|
||
location ^~ /.well-known/acme-challenge/ {
|
||
root /var/www/letsencrypt;
|
||
default_type "text/plain";
|
||
try_files $uri =404;
|
||
}
|
||
|
||
location / {
|
||
return 301 https://$host$request_uri;
|
||
}
|
||
}
|
||
|
||
# HTTPS 主站
|
||
server {
|
||
listen 443 ssl;
|
||
listen [::]:443 ssl;
|
||
http2 on;
|
||
server_name shizhui.xyz www.shizhui.xyz;
|
||
|
||
ssl_certificate /etc/letsencrypt/live/shizhui.xyz/fullchain.pem;
|
||
ssl_certificate_key /etc/letsencrypt/live/shizhui.xyz/privkey.pem;
|
||
ssl_protocols TLSv1.2 TLSv1.3;
|
||
ssl_prefer_server_ciphers off;
|
||
ssl_session_cache shared:SSL:10m;
|
||
ssl_session_timeout 1d;
|
||
|
||
root /var/www/shizhui;
|
||
index index.html;
|
||
|
||
# 安全响应头
|
||
add_header X-Content-Type-Options "nosniff" always;
|
||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||
|
||
# gzip 压缩
|
||
gzip on;
|
||
gzip_types text/css application/javascript application/json image/svg+xml application/xml;
|
||
gzip_min_length 1024;
|
||
|
||
# 静态资源缓存(带 hash 的构建产物可长缓存)
|
||
location /_astro/ {
|
||
expires 1y;
|
||
add_header Cache-Control "public, immutable";
|
||
}
|
||
|
||
# Astro 构建生成的是目录式路由(/blog/ -> /blog/index.html)
|
||
location / {
|
||
try_files $uri $uri/ $uri.html =404;
|
||
}
|
||
|
||
error_page 404 /404.html;
|
||
}
|