旧博客迁移文章,内容可能已失去价值,仅为留念,做了简单重新排版,勉强可看。
本配置参考资料众多,这里仅列出具有重要指导意义的两处吧!
Dolphin 学长的译文:通过 nginx 代理 Ghost 的高性能配置
屈光宇的博客:JerryQu 的小站
按理说,出于安全考虑不应该把服务器的配置贴出来的,但是也为了分享和学习,新人就是要多把错误暴露出来嘛!删除了一些敏感项,贴出来让大家指证。黑客哥哥不要来黑偶啊,偶可没有什么被黑的价值,服务器里什么都没有(怎么感觉会产生此地无银三百两的效果,勾起黑客哥哥的好奇心呢!),在腾讯云没有道哥罩,我好怕,我的服务器不想做肉鸡。。。
好了,进入正题:
说明:
本站https证书使用的是Letsencrypt证书,nginx 基于 Cloudfare 提供 OpenSSL Patch 编译,Openssl版本为 OpenSSL_1_0_2-stable,并添加了 nginx-ct 模块,
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 60;
gzip on;
gzip_vary on;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 1000;
gzip_proxied any;
gzip_disable "msie6";
gzip_http_version 1.0;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
server_tokens off;
server_names_hash_bucket_size 64;
}
upstream ghost_upstream {
server unix:/dev/shm/ghost.sock;
keepalive 64;
}
proxy_cache_path /var/www/cache/nginx/proxy_cache_path levels=1:2 keys_zone=STATIC:100m inactive=24h max_size=512m;
proxy_temp_path /var/www/cache/nginx/proxy_temp_path;
proxy_cache_key $host$uri$is_args$args;
server {
listen 443 ssl http2 reuseport;
server_name www.funnyang.com;
ssl on;
keepalive_timeout 300;
ssl_certificate /var/www/ssl/chained.pem;
ssl_certificate_key /var/www/ssl/domain.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#CloudFlare’s cipher suites configuration
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 60m;
ssl_session_tickets on;
ssl_buffer_size 1400;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /var/www/ssl/chained.pem;
resolver 8.8.4.4 8.8.8.8 216.146.35.35 216.146.36.36 valid=300s;
resolver_timeout 10s;
ssl_stapling_file /var/www/ssl/ocsp/ocsp.resp;
ssl_dhparam /var/www/ssl/dhparams_2048.pem;
ssl_ct on;
ssl_ct_static_scts /var/www/ssl/SCTS;
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection 1;
add_header X-Cache $upstream_cache_status;
proxy_ignore_headers Set-Cookie;
proxy_hide_header Set-Cookie;
proxy_hide_header X-Powered-By;
#204 Page for Android
location /generate_204 { return 204;}
location /content/images {
alias /path/to/ghost/content/images;
access_log off;
etag on;
expires max;
}
location /assets {
alias /path/to/ghost/content/themes/casper/assets;
access_log off;
etag on;
expires max;
}
location ~ ^/(?:ghost|signout) {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://ghost_upstream;
add_header Cache-Control "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0";
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
location / {
proxy_cache STATIC;
proxy_cache_valid 200 304 30m;
proxy_cache_valid 404 1m;
proxy_cache_lock on;
proxy_cache_lock_timeout 5s;
proxy_cache_use_stale updating error timeout invalid_header http_500 http_502;
proxy_http_version 1.1;
proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://ghost_upstream;
expires 10m;
}
}
server {
listen 80;
server_name funnyang.com www.funnyang.com;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
#204 Page for Android
location /generate_204 { return 204; }
#Letsencrypt Certs Update Server
location ^~ /.well-known/acme-challenge/ {
alias /var/www/challenges/;
try_files $uri =404;
}
location / { return 301 https://www.funnyang.com$request_uri;}
}
server {
listen 443;
server_name funnyang.com;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
return 301 https://www.funnyang.com$request_uri;
}
具体为什么这么配置,可参考上面的提供的两处资料来源,尤其在 JerryQu 的小站 学到很多东西,本人就不重复造轮子了,并且部分配置个人还理解不到位,怕误导了人!
祝君折腾愉快!
本文链接:https://blog.xiaoyuyu.cn/post/nginx代理ghost的高性能配置.html,参与评论 »
--EOF--
发表于 2016-02-26 04:58:00。
本站使用「署名 4.0 国际」创作共享协议,转载请注明作者及原网址。更多说明 »
提醒:本文最后更新于 3130 天前,文中所描述的信息可能已发生改变,请谨慎使用。
Comments