Create: 2023-11-20
Update: 2025-07-29
颁发自签名证书干掉 443
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert/key.key -out /etc/nginx/cert/cert.crt
配置 nginx 添加如下配置
# Plain-HTTP catch-all: every request on port 80, whatever host it names, is
# redirected to HTTPS with the requested host and path preserved.
server {
listen 80 default_server;
listen [::]:80 default_server;
# $host comes from the request itself, so a request made by bare IP is redirected
# to https://<ip>/... and lands in the default 443 server below.
return 301 https://$host$request_uri;
}
# Default TLS server: catches any HTTPS connection whose SNI/Host matches no other
# server_name, e.g. a client connecting to the origin IP directly. It presents the
# self-signed certificate generated above, so the real domain's certificate (and
# hence the domain name) is not handed out to IP scanners.
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
# "_" is a catch-all name that never matches a real host; this block is only
# selected because it is the default_server.
server_name _;
ssl_certificate /etc/nginx/cert/cert.crt;
ssl_certificate_key /etc/nginx/cert/key.key;
# Alternatively, just answer 403:
# return 403;
# NOTE(review): with "return 403" left commented out, this server still serves
# whatever is under /var/www/html to anyone who reaches the IP, so keep that
# directory to a neutral placeholder page. On nginx >= 1.19.4,
# "ssl_reject_handshake on;" is an alternative that aborts the TLS handshake for
# unknown names without presenting any certificate at all.
index index.html;
root /var/www/html;
}
网站需配置 server_name 为域名
另外创建目录存放网站文件，并限制只允许 CDN 地址访问，
防止他人获得 IP 地址后通过 hosts 指向绕过。
# The real site. Only connections arriving from Cloudflare's edge addresses are
# accepted, so someone who learns the origin IP and points a hosts entry at it
# (the bypass described above) still gets a 403 rather than the content.
server {
# HTTP3
# QUIC listeners for HTTP/3. "reuseport" follows the nginx QUIC example;
# confirm it suits the worker setup on the version in use.
listen 443 quic reuseport;
listen [::]:443 quic reuseport;
# TCP listeners for HTTP/1.1 and HTTP/2. No default_server here: unknown names
# fall through to the self-signed catch-all server above.
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
# Only allow Cloudflare IPs to connect.
# Access rules are evaluated in order: the allow list from cf-ips.conf first,
# then everything else is denied (answered with 403).
include cf-ips.conf;
deny all;
# NOTE(review): allow/deny are checked against the address nginx treats as the
# client. If the realip module (set_real_ip_from / real_ip_header
# CF-Connecting-IP) is enabled in this server to log visitor IPs, that
# substituted address is what gets checked and Cloudflare-proxied traffic would
# be denied too — verify the interaction before adding realip here.
# NOTE(review): an IP allowlist only proves the connection came through
# Cloudflare's network, not through this site's own zone; if that distinction
# matters, pair it with origin authentication (e.g. Cloudflare's Authenticated
# Origin Pulls client certificate).
server_name $配置自己的域名;
ssl_certificate $配置自己的;
ssl_certificate_key $配置自己的;
# HTTP/3 requires TLS 1.3; TLS 1.2 clients are turned away on the TCP listeners
# as well, which is acceptable as long as only the CDN is expected to connect.
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
# Let the client's preference order decide the cipher suite.
ssl_prefer_server_ciphers off;
index index.html;
root /var/www/blog;
error_page 404 /404.html;
# HTTP3
# Advertise HTTP/3 on port 443 for 86400 s (ma = max-age) so capable clients
# switch to QUIC on later requests.
add_header Alt-Svc 'h3=":443"; ma=86400';
}
必须写入 nginx 的根目录, 否则上方配置 include 需使用绝对路径
/etc/nginx/cf-ips.conf
# Cloudflare edge ranges as listed on this page; this copy is not the
# authoritative list. Cloudflare publishes the current ranges (cloudflare.com/ips)
# and they change over time, so a stale copy here will 403 legitimate traffic once
# an edge moves to a new prefix — refresh it from the published list. Each line is
# an access-module "allow"; the closing "deny all" lives in the server block that
# includes this file.
#ipv4
allow 173.245.48.0/20;
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 141.101.64.0/18;
allow 108.162.192.0/18;
allow 190.93.240.0/20;
allow 188.114.96.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 162.158.0.0/15;
allow 104.16.0.0/13;
allow 104.24.0.0/14;
allow 172.64.0.0/13;
allow 131.0.72.0/22;
#ipv6
allow 2400:cb00::/32;
allow 2606:4700::/32;
allow 2803:f800::/32;
allow 2405:b500::/32;
allow 2405:8100::/32;
allow 2a06:98c0::/29;
allow 2c0f:f248::/32;
持续更新中