Create: 2023-11-20
Update: 2026-05-10
颁发自签名证书，用于让默认 server 拒绝 443 上的直接访问
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/nginx/cert/key.key -out /etc/nginx/cert/cert.crt
禁止通过IP访问
# Catch-all HTTP server: every plain-HTTP request on port 80, whatever the Host,
# is answered with a permanent redirect to the same host over HTTPS. Requests
# made by bare IP therefore end up on the 443 default server below, which
# closes the connection.
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
# $host comes from the client's request (Host header / request line), falling
# back to the server name, so the redirect keeps whatever name the client used.
return 301 https://$host$request_uri;
}
# Default HTTPS server: catches TLS connections whose SNI/Host name matches no
# other server block, e.g. access by bare IP. A certificate is needed to finish
# the handshake at all, hence the self-signed pair created by the openssl
# command above; once the request arrives nginx drops the connection.
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name _;
ssl_certificate /etc/nginx/cert/cert.crt;
ssl_certificate_key /etc/nginx/cert/key.key;
# 444 is nginx-specific: close the connection without sending any response.
# This server sets no ssl_protocols of its own, so it uses the value inherited
# from the http context, not the TLSv1.3-only setting of the site server below.
return 444;
# index index.html;
# root /var/www/html;
}以下为具体的业务配置
# Site server: serves content only to connections arriving from Cloudflare's
# edge ranges; every other peer is denied before any content is served.
server {
listen 443 ssl;
# QUIC/HTTP3 listener (UDP) on the same port. reuseport should appear on only
# one listen directive per address:port, which is the case in this file.
listen 443 quic reuseport;
listen [::]:443 ssl;
listen [::]:443 quic reuseport;
http2 on;
# Only allow Cloudflare IPs. Order matters: the allow lines from cf-ips.conf
# must precede "deny all" because the first matching rule wins. The relative
# path is resolved against nginx's configuration prefix, so the generator
# script below must write the file there (or this must become an absolute
# path). An empty cf-ips.conf denies everyone, i.e. the setup fails closed.
# NOTE(review): allow/deny evaluate the TCP peer address. If the realip module
# is later enabled here to restore the visitor IP from CF-Connecting-IP, these
# rules would then see visitor addresses and block all traffic - keep this
# server on the raw peer address. An IP allow-list only shows the peer is a
# Cloudflare edge; a client-certificate check (ssl_verify_client) would
# additionally authenticate the proxy - consider it.
include cf-ips.conf;
deny all;
# Placeholders: the leading "$" is the author's marker, not an nginx variable.
# Replace with the literal domain and the paths of the real certificate/key.
server_name $配置自己的域名;
ssl_certificate $配置自己的证书;
ssl_certificate_key $配置自己的证书;
# TLS 1.3 only (QUIC requires it anyway). Curves: X25519 first, then the NIST
# P-256 / P-384 curves. Cipher preference is left to the client.
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers off;
index index.html;
root /var/www/html;
error_page 404 /404.html;
# The two add_header lines below are inherited by a location only if that
# location defines no add_header of its own; a location-level add_header
# silently drops both.
# HTTP3: advertise h3 on 443 for one day.
add_header Alt-Svc 'h3=":443"; ma=86400';
# HSTS: "always" also sends it on error responses. includeSubDomains + preload
# commits every subdomain to HTTPS - verify that before submitting the domain
# to the preload list.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}限制只允许 cdn 地址
cf-ips.conf 必须写入 nginx 的配置目录（即 /etc/nginx），否则上方配置中的 include 需使用绝对路径
/root/cf-ips-update.sh
#!/usr/bin/env bash
# 配置
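set -euo pipefail

# --- configuration -----------------------------------------------------------
# Allow-list consumed by nginx via `include cf-ips.conf;` (a relative include
# is resolved against the nginx configuration prefix, so it lives in /etc/nginx).
readonly CF_IP_FILE="/etc/nginx/cf-ips.conf"
# Official Cloudflare edge IP range lists.
readonly CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
readonly CF_IPV6_URL="https://www.cloudflare.com/ips-v6"
# Shape a list entry must have before it becomes an nginx directive. Anything
# else (an error page, a captive-portal HTML body, a truncated line) aborts the
# run, so a broken download can never produce an unparseable config.
readonly IPV4_CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
readonly IPV6_CIDR_RE='^[0-9A-Fa-f:]+/[0-9]{1,3}$'

# Scratch file; created by main() beside the target so the final mv is an
# atomic rename on one filesystem. A fixed name under /tmp could be pre-created
# or symlinked by any local user between our write and the mv.
TMP_FILE=""

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'cf-ips-update: %s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the scratch file if it still exists; installed as the EXIT trap so a
# failed run leaves nothing behind.
# Globals:   TMP_FILE (read)
#######################################
cleanup() {
  if [[ -n "$TMP_FILE" ]]; then
    rm -f -- "$TMP_FILE"
  fi
}

#######################################
# Download one Cloudflare range list and print it as nginx allow directives.
# Arguments: $1 - URL of the list
#            $2 - extended regex every non-empty line must match
# Outputs:   one `allow <cidr>;` line per entry on stdout
# Returns:   0 on success; exits via die() if the download fails, the list is
#            empty, or a line is not a CIDR
#######################################
emit_allow_list() {
  local url=$1
  local pattern=$2
  local body line
  local count=0

  # -f turns HTTP errors into a non-zero status; -S still reports them on stderr.
  body=$(curl -sSf --max-time 30 -- "$url") || die "download failed: $url"

  # `|| [[ -n "$line" ]]` keeps a last line that lacks a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    if [[ -z "$line" ]]; then
      continue
    fi
    # $pattern is unquoted on purpose: it is a regex, not a literal string.
    if ! [[ "$line" =~ $pattern ]]; then
      die "unexpected entry from $url: $line"
    fi
    printf 'allow %s;\n' "$line"
    count=$((count + 1))
  done <<<"$body"

  if (( count == 0 )); then
    die "empty list from $url"
  fi
}

#######################################
# Build the new allow-list, install it atomically and, when the set of
# ranges actually changed, reload nginx so the running instance uses it.
# Globals:   CF_IP_FILE, CF_IPV4_URL, CF_IPV6_URL, IPV4_CIDR_RE, IPV6_CIDR_RE
#            (read); TMP_FILE (written)
# Outputs:   a progress message on stdout when nginx was reloaded
# Returns:   0 on success; exits non-zero on any failure, leaving the previous
#            cf-ips.conf untouched
#######################################
main() {
  local target_dir=${CF_IP_FILE%/*}
  local changed=1

  if [[ ! -d "$target_dir" ]]; then
    die "target directory does not exist: $target_dir"
  fi

  TMP_FILE=$(mktemp "$target_dir/.cf-ips.XXXXXX") || die "mktemp failed"
  trap cleanup EXIT

  # Both lists are fetched and validated before anything touches CF_IP_FILE;
  # a failure inside this group exits with the old file still in place.
  {
    printf '# Generated by cf-ips-update.sh on %s\n' "$(date)"
    printf '# IPv4\n'
    emit_allow_list "$CF_IPV4_URL" "$IPV4_CIDR_RE"
    printf '\n# IPv6\n'
    emit_allow_list "$CF_IPV6_URL" "$IPV6_CIDR_RE"
  } > "$TMP_FILE"

  # mktemp creates the file mode 0600; nginx's workers must be able to read it.
  chmod 644 "$TMP_FILE"

  # The timestamp header differs on every run, so compare with comments
  # stripped to learn whether the ranges themselves changed.
  if [[ -f "$CF_IP_FILE" ]] \
    && cmp -s <(grep -v '^#' -- "$CF_IP_FILE") <(grep -v '^#' -- "$TMP_FILE"); then
    changed=0
  fi

  # Same filesystem as the target, so this rename is atomic: nginx never sees
  # a half-written include.
  mv -f -- "$TMP_FILE" "$CF_IP_FILE"
  TMP_FILE=""

  # nginx reads includes only at start/reload; without this step a cron-driven
  # update would sit on disk unused. Validate first so a bad file can never
  # take the running instance down.
  if (( changed )) && command -v nginx >/dev/null 2>&1; then
    nginx -t >/dev/null 2>&1 || die "nginx -t rejected the configuration; not reloading"
    nginx -s reload || die "nginx reload failed"
    printf 'Cloudflare IP ranges changed; nginx reloaded\n'
  fi
}

main "$@"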
echo "Cloudflare IP list updated: $CF_IP_FILE"
添加定时任务自动更新
40 7 * * * /root/cf-ips-update.sh
持续更新中