修改Nginx的 域名.com.conf、上傳ca.cer、修改偽靜態 rewrite

修改Nginx的 域名.com.conf、上傳ca.cer、修改偽靜態 rewrite

--------------------------
修改 域名.com.conf
--------------------------

vi /etc/nginx/sites-available/域名.com.conf



server {
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;
    http2 on;

	server_name 域名.com;

	root /var/www/域名.com;
	index index.html index.htm index.php default.html default.htm default.php;

	ssl_certificate /etc/nginx/ssl/fullchain.cer;
	ssl_certificate_key /etc/nginx/ssl/域名.com.key;
	ssl_trusted_certificate /etc/nginx/ssl/ca.cer;

	ssl_session_timeout 1d;
	ssl_session_cache shared:MozSSL:10m;
	ssl_session_tickets off;

	ssl_protocols TLSv1.3;
	ssl_prefer_server_ciphers off;
                ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
	ssl_stapling on;
	ssl_stapling_verify on;

                include rewrite/ips.conf;

	resolver 1.1.1.1 8.8.8.8 valid=300s;
	resolver_timeout 10s;

	add_header Alt-Svc 'h3=":443"; ma=86400';
                add_header QUIC-Status $http3;
                add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
                add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:";
                add_header X-Frame-Options "SAMEORIGIN";


                location ~ \.php$ {
                        include snippets/fastcgi-php.conf;
                        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
                       fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                       include   fastcgi_params;
                }
                 brotli on;
                 brotli_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/octet-stream;

                gzip on;
               gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/octet-stream;


        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        location ~ /.well-known {
            allow all;
        }

        location ~ /\.
        {
            deny all;
        }
}




ESC儲存並離開
:wq




---------------------------------------------
下載 ca.cer 並上傳到 /etc/nginx/ssl/ 目錄
---------------------------------------------

在 /root/.acme.sh/域名.com_ecc 目錄底下，下載 ca.cer

使用SFTP，將 ca.cer 再上傳到 /etc/nginx/ssl/ 目錄


如果不做此步驟，會有錯誤訊息
nginx: [emerg] cannot load certificate "/etc/nginx/ssl/ca.cer": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/nginx/ssl/ca.cer, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed






--------------------------
偽靜態 rewrite
--------------------------

建立偽靜態 rewrite 存放的目錄
mkdir -p /etc/nginx/rewrite


寫入ips論壇的偽靜態
vi /etc/nginx/rewrite/ips.conf


location / {
        try_files  $uri $uri/ /index.php;
  }

location ~^(/page/).*(.php)$ {
    try_files  $uri $uri/ /index.php;
}

location /api/ {
  if (!-e $request_filename){
    rewrite ^/api/(.*)$ /api/index.php;
  }
}



ESC儲存並離開
:wq





------------------
重新載入Nginx
------------------

重新載入Nginx

nginx -t


nginx -s reload




開啟瀏覽器，現在可進入網站了

https://域名.com/

本帖最后于7月13日7月13日，由Jack编辑