-
Notifications
You must be signed in to change notification settings - Fork 407
/
1_nginx.conf
118 lines (94 loc) · 4.72 KB
/
1_nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
stream {
map $ssl_preread_server_name $backend_name {
z1.xx.yy http1; #z1.xx.yy更改为自己规划对应http/1.1 server的域名
z2.xx.yy http2; #z2.xx.yy更改为自己规划对应http/2 server的域名
}
upstream http1 {
server 127.0.0.1:1443; #转给http/1.1 server本地监听端口
}
upstream http2 {
server 127.0.0.1:2443; #转给http/2 server本地监听端口
}
server {
listen 443; #IPv4,tcp 443监听端口。
listen [::]:443; #IPv6,tcp 443监听端口。无IPv6,此项可以删除。
ssl_preread on;
proxy_protocol on; #启用PROXY protocol发送
proxy_pass $backend_name;
}
}
http {
include mime.types;
default_type application/octet-stream;
log_format proxy '$proxy_protocol_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log proxy;
sendfile on;
keepalive_timeout 65;
server {
listen 80; #IPv4,http默认监听端口。
listen [::]:80; #IPv6,http默认监听端口。无IPv6,此项可以删除。
return 301 https://$host$request_uri; #http自动跳转https,让网站看起来更真实。
}
server {
listen 127.0.0.1:1443 ssl proxy_protocol; #http/1.1 server本地监听端口,并启用PROXY protocol接收。
set_real_ip_from 127.0.0.1;
server_name z1.xx.yy; #限定域名访问(禁止以ip方式访问网站),更改为自己的对应域名。
ssl_certificate /home/tls/wildcard_.xx.yy/wildcard_.xx.yy.crt; #换成自己的通配符证书或SAN证书,绝对路径。
ssl_certificate_key /home/tls/wildcard_.xx.yy/wildcard_.xx.yy.key; #换成自己的通配符密钥或SAN密钥,绝对路径。
ssl_protocols TLSv1.2 TLSv1.3; #TLSv1.3可能需要源码编译才支持,见此部分README.md说明。
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
location = /HALdGZ9k { #与vless+ws应用中path对应
proxy_redirect off;
proxy_pass http:https://127.0.0.1:2001; #转发给本机vless+ws监听端口
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location = /ss1v2ray { #与Xray-plugin或v2ray-plugin模块中path对应
proxy_redirect off;
proxy_pass http:https://127.0.0.1:2002; #转发给本机Xray-plugin或v2ray-plugin监听端口
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #启用HSTS
location / {
root /var/www/html/; #更改为自己存放的web文件路径
index index.html index.htm;
}
}
server {
listen 127.0.0.1:2443 ssl http2 proxy_protocol; #http/2 server本地监听端口,并启用PROXY protocol接收。
set_real_ip_from 127.0.0.1;
server_name z2.xx.yy; #限定域名访问(禁止以ip方式访问网站),更改为自己的对应域名。
ssl_certificate /home/tls/wildcard_.xx.yy/wildcard_.xx.yy.crt; #换成自己的通配符证书或SAN证书,绝对路径。
ssl_certificate_key /home/tls/wildcard_.xx.yy/wildcard_.xx.yy.key; #换成自己的通配符密钥或SAN密钥,绝对路径。
ssl_protocols TLSv1.2 TLSv1.3; #TLSv1.3可能需要源码编译才支持,见此部分README.md说明。
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
location /cdngrpc { #与vless+grpc应用中serviceName对应
grpc_pass grpc:https://127.0.0.1:2009; #转发给本机vless+grpc监听端口
}
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; #启用HSTS
location / {
root /var/www/html/; #更改为自己存放的web文件路径
index index.html index.htm;
}
}
}