|
|
server |
|
|
{ |
|
|
listen 8080 |
|
|
listen 443 ssl http2; |
|
|
server_name sdns.kbsml.com; |
|
|
index index.php index.html index.htm default.php default.htm default.html; |
|
|
root /opt/AdGuardHome; |
|
|
|
|
|
ssl_certificate /opt/AdGuardHome/sdns.kbsml.com.crt; |
|
|
ssl_certificate_key /opt/AdGuardHome/sdns.kbsml.com.key; |
|
|
ssl_protocols TLSv1.2 TLSv1.3; |
|
|
ssl_ciphers [TLS13+AESGCM+AES128|TLS13+CHACHA20]:TLS13+AESGCM+AES256:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA; |
|
|
ssl_prefer_server_ciphers on; |
|
|
ssl_early_data on; |
|
|
ssl_ecdh_curve X25519:P-256:P-384; |
|
|
ssl_session_cache shared:SSL:10m; |
|
|
ssl_session_timeout 10m; |
|
|
error_page 500 https://$host$request_uri; |
|
|
|
|
|
ssl_stapling on; |
|
|
location / { |
|
|
proxy_redirect off; |
|
|
proxy_http_version 1.1; |
|
|
proxy_set_header Upgrade $http_upgrade; |
|
|
proxy_set_header Connection “upgrade”; |
|
|
proxy_set_header Host $host; |
|
|
proxy_set_header X-Real-IP $remote_addr; |
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
|
|
proxy_pass http://127.0.0.1:3000; |
|
|
} |
|
|
|
|
|
location ~ .*.(gif|jpg|jpeg|png|bmp|swf|css|js)$ { |
|
|
proxy_pass http://127.0.0.1:3000; |
|
|
proxy_set_header Host $host; |
|
|
proxy_set_header X-Forwarded-For $remote_addr; |
|
|
} |
|
|
|
|
|
location /dns-query { |
|
|
proxy_http_version 1.1; |
|
|
proxy_set_header Host $http_host; |
|
|
proxy_buffering off; |
|
|
proxy_redirect off; |
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
|
|
proxy_pass https://sdns.kbsml.com:4433/dns-query |
|
|
} |
|
|
|
|
|
} |
在上面的配置最下面加上下面的代码,注意是上面最后一个“}”下面加。。。。恶心恶心
|
|
stream { |
|
|
server { |
|
|
listen *:853 ssl; |
|
|
proxy_pass 127.0.0.1:5353; |
|
|
proxy_connect_timeout 10s; |
|
|
preread_timeout 15s; |
|
|
} |
|
|
|
|
|
|
|
|
ssl_certificate /opt/AdGuardHome/sdns.kbsml.com.crt; |
|
|
ssl_certificate_key /opt/AdGuardHome/sdns.kbsml.com.key; |
|
|
|
|
|
ssl_session_timeout 1d; |
|
|
ssl_session_tickets off; |
|
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3; |
|
|
ssl_prefer_server_ciphers on; |
|
|
|
|
|
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; |
|
|
|
|
|
ssl_session_cache shared:DoT:10m; |
|
|
|
|
|
log_format dot ‘$remote_addr\t-\t-\t[$time_local]\t$ssl_protocol\t’ |
|
|
‘$ssl_session_reused\t$ssl_cipher\t$ssl_server_name\t$status\t’ |
|
|
‘$bytes_sent\t$bytes_received’; |
|
|
|
|
|
access_log /var/log/nginx/dot.log dot; |
|
|
} |
|
|
systemctl daemon-reload |
|
|
systemctl restart nginx |
要发表评论,您必须先登录。