|
| 1 | +server { |
| 2 | + listen 443 ssl http2; |
| 3 | + server_name assets.fastgit.org; |
| 4 | + root /www/wwwroot/fg; |
| 5 | + |
| 6 | + ssl_stapling on; |
| 7 | + ssl_stapling_verify on; |
| 8 | + ssl_trusted_certificate /var/www/cert/fg.pem; |
| 9 | + |
| 10 | + ssl_certificate /var/www/cert/fg.pem; |
| 11 | + ssl_certificate_key /var/www/cert/fg.key; |
| 12 | + |
| 13 | + # Run following command & set permission before configuring |
| 14 | + # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /var/lib/nginx/dhparam.pem |
| 15 | + ssl_dhparam /var/lib/nginx/dhparam.pem; |
| 16 | + |
| 17 | + ssl_protocols TLSv1.2 TLSv1.3; |
| 18 | + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; |
| 19 | + ssl_prefer_server_ciphers off; |
| 20 | + |
| 21 | + ssl_session_cache shared:SSL:10m; |
| 22 | + ssl_session_timeout 60m; |
| 23 | + ssl_session_tickets off; |
| 24 | + |
| 25 | + client_max_body_size 2G; |
| 26 | + error_page 497 https://$host$request_uri; |
| 27 | + |
| 28 | + # SSL |
| 29 | + location ~ \.well-known { |
| 30 | + allow all; |
| 31 | + } |
| 32 | + |
| 33 | + # Fuck Search Engine |
| 34 | + location /robots.txt { |
| 35 | + allow all; |
| 36 | + } |
| 37 | + |
| 38 | + #PROXY-START/ |
| 39 | + location ~* \.(php|jsp|cgi|asp|aspx)$ |
| 40 | + { |
| 41 | + proxy_pass https://github.githubassets.com; |
| 42 | + proxy_set_header Host github.githubassets.com; |
| 43 | + proxy_set_header X-Real-IP $remote_addr; |
| 44 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 45 | + proxy_set_header REMOTE-HOST $remote_addr; |
| 46 | + } |
| 47 | + |
| 48 | + location / |
| 49 | + { |
| 50 | + proxy_pass https://github.githubassets.com; |
| 51 | + proxy_set_header Host github.githubassets.com; |
| 52 | + proxy_set_header X-Real-IP $remote_addr; |
| 53 | + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
| 54 | + proxy_set_header REMOTE-HOST $remote_addr; |
| 55 | + add_header X-Cache $upstream_cache_status; |
| 56 | + proxy_ignore_headers Set-Cookie Cache-Control expires; |
| 57 | + proxy_cache cache_one; |
| 58 | + proxy_cache_key $host$uri$is_args$args; |
| 59 | + proxy_cache_valid 200 304 301 302 480m; |
| 60 | + expires 12h; |
| 61 | + } |
| 62 | + |
| 63 | + # Block search engine |
| 64 | + # if ($http_user_agent ~* "qihoobot|Baiduspider|Bingbot|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot") |
| 65 | + # { |
| 66 | + # return 403; |
| 67 | + # } |
| 68 | + |
| 69 | + # Anti Agent Bot DDoS |
| 70 | + # If behind CDN, use folloing commented code |
| 71 | + # if ($http_x_forwarded_for != $remote_addr) { |
| 72 | + # return 503; |
| 73 | + # } |
| 74 | + if ($proxy_add_x_forwarded_for != $remote_addr) { |
| 75 | + return 503; |
| 76 | + } |
| 77 | + |
| 78 | + access_log /www/wwwlogs/assets.fastgit.org.log; |
| 79 | + error_log /www/wwwlogs/assets.fastgit.org.error.log; |
| 80 | +} |
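Review bot: Both `proxy_pass https://github.githubassets.com;` blocks (file lines 41 and 50) reach the upstream without certificate verification, because nginx leaves `proxy_ssl_verify` off by default, and the `location /` block then caches what it fetched for 480 minutes. An unverified upstream response that lands in `cache_one` is served to every client of the mirror, so the upstream identity should be checked before anything is cached. I would add `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path-to-system-CA-bundle>;` (placeholder path) to both locations. In the same block, `proxy_ignore_headers Set-Cookie` lets responses that carry a cookie be cached, so `proxy_hide_header Set-Cookie;` is needed to keep a cached cookie from being replayed to other clients. `cache_one` is defined outside this file, so its zone limits are not visible here.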