vps nginx

1. user nginx;
2. worker_processes auto;
3.  
4. error_log /var/log/nginx/error.log notice;
5. pid /var/run/nginx.pid;
6.  
7. events {
8. worker_connections 1024;
9. }
10.  
11. http {
12. log_format main '[$time_local] $proxy_protocol_addr "$http_referer" "$http_user_agent"';
13. access_log /var/log/nginx/access.log main;
14.  
15. map $http_upgrade $connection_upgrade {
16. default upgrade;
17. "" close;
18. }
19.  
20. map $proxy_protocol_addr $proxy_forwarded_elem {
21. ~^[0-9.]+$ "for=$proxy_protocol_addr";
22. ~^[0-9A-Fa-f:.]+$ "for=\"[$proxy_protocol_addr]\"";
23. default "for=unknown";
24. }
25.  
26. map $http_forwarded $proxy_add_forwarded {
27. "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
28. default "$proxy_forwarded_elem";
29. }
30.  
31. server {
32. listen 80;
33. return 301 https://$host$request_uri;
34. }
35.  
36. server {
37. # http2 on; 这条指令出现在1.25.1版本中 https://nginx.org/en/docs/http/ngx_http_v2_module.html
38. # listen 127.0.0.1:8003 ssl proxy_protocol;
39. # http2 on;
40.  
41. listen 127.0.0.1:8003 ssl http2 proxy_protocol;
42.  
43. set_real_ip_from 127.0.0.1;
44.  
45. ssl_certificate /usr/local/etc/xray/server.crt; # 证书文件，通常不区分扩展名，证书文件需要使用fullchain（全SSL证书链）
46. ssl_certificate_key /usr/local/etc/xray/server.key; # 私钥文件，通常不区分扩展名
47.  
48. ssl_protocols TLSv1.2 TLSv1.3;
49. ssl_ciphers TLS13_AES_128_GCM_SHA256:TLS13_AES_256_GCM_SHA384:TLS13_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
50.  
51. ssl_session_timeout 1d;
52. ssl_session_cache shared:SSL:10m;
53. ssl_session_tickets off;
54.  
55. ssl_stapling on;
56. ssl_stapling_verify on;
57. ssl_trusted_certificate /usr/local/etc/xray/server.crt;
58. resolver 1.1.1.1 valid=60s;
59. resolver_timeout 2s;
60.  
61. # 使用 https://www.digitalocean.com/community/tools/nginx 生成的反向代理配置
62. location / {
63. sub_filter $proxy_host $host;
64. sub_filter_once off;
65.  
66. set $website ; # 反向代理的网站
67. proxy_pass https://$website;
68. resolver 1.1.1.1;
69.  
70. proxy_set_header Host $proxy_host;
71.  
72. proxy_http_version 1.1;
73. proxy_cache_bypass $http_upgrade;
74.  
75. proxy_ssl_server_name on;
76.  
77. proxy_set_header Upgrade $http_upgrade;
78. proxy_set_header Connection $connection_upgrade;
79. proxy_set_header X-Real-IP $proxy_protocol_addr;
80. proxy_set_header Forwarded $proxy_add_forwarded;
81. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
82. proxy_set_header X-Forwarded-Proto $scheme;
83. proxy_set_header X-Forwarded-Host $host;
84. proxy_set_header X-Forwarded-Port $server_port;
85.  
86. proxy_connect_timeout 60s;
87. proxy_send_timeout 60s;
88. proxy_read_timeout 60s;
89. }
90. }
91. }