Nginx 反向代理nextcloud https配置
由于vps的配置比较低,使用nextcloud比较吃资源,就把nextcloud从腾讯轻量迁移到了另一个配置稍微好点的vps上面。
不过之前都是使用秋水的lamp一键脚本,apache有点吃内存,所以就自己花了几天时间学习编译nginx,自己做配置。填过几个坑后nextcloud终于由apache成功迁移到了nginx,并且没有使用一键脚本搭建web环境。
但是nextcloud的vps网络情况现在变得有点差,所以就用了腾讯云轻量去反代。开始时,腾讯云轻量的web环境是apache,随便配置一下就能反代成功。后面又把腾讯云轻量的web环境也换成了Nginx,但是反代后chrome上出现了ERR_HTTP2_PROTOCOL_ERROR,为了解决这个问题折腾了好久:同样的配置在火狐浏览器下反向代理后没有问题,但是在chrome下就是ERR_HTTP2_PROTOCOL_ERROR。找了好久也没有发现什么办法解决,最后好像是原站点和反代站点配置都使用了HTTP2之后问题才解决。
站点Nextcloud的Nginx配置
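# PHP-FPM backend used by the fastcgi_pass directives in the server block below.
upstream php-handler {
    server unix:/run/php/php7.4-fpm.sock;
}

# Nextcloud origin vhost. It is only meant to be reached through the reverse
# proxy (域名2), which is why it listens on 8443 instead of 443.
server {
    listen 8443 ssl http2;
    server_name 域名;
    # Optional hardening: this port is reachable from anywhere; restricting it to
    # the proxy host keeps the origin from being contacted directly, e.g.
    #   allow <PROXY_IP>;   # placeholder
    #   deny all;
    #include /etc/nginx/conf/ssl.conf;

    # Enable SSL cache to speed up for return visitors
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 4h;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Specify cipher (applies to TLSv1.2 only; TLSv1.3 suites are not selected
    # by ssl_ciphers). The EECDH+3DES/RSA+3DES suites were dropped: 64-bit block
    # ciphers are weak (Sweet32) and no TLSv1.2-capable client needs them. The
    # remaining RSA+* suites provide no forward secrecy; keep them only while
    # clients that cannot negotiate ECDHE must be supported.
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;

    # Enable TLS
    charset utf-8;
    ssl_certificate /www/ssl/cert/fullchain.cer;
    ssl_certificate_key /www/ssl/cert/key.key;

    # OCSP stapling; ssl_trusted_certificate must contain the chain that issued
    # the leaf, otherwise ssl_stapling_verify rejects the stapled response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /www/ssl/cert/ca.cer;

    # To serve smaller requests (json/html/images etc) smaller ssl_buffer_size reduces latency but adds overhead
    # larger value decreases overhead but adds latency. Thus if TTFB is critical, use a smaller value (<=4K). See:
    # https://github.com/igrigorik/istlsfastyet.com/issues/63
    ssl_buffer_size 4k;

    # Security headers. "always" also attaches them to 4xx/5xx responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /data/www/nextcloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # CalDAV/CardDAV service discovery. These exact-match locations are the
    # only handlers needed; the server-level "rewrite /.well-known/... permanent;"
    # lines that duplicated them were removed.
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size (the proxy in front of this host enforces its own
    # client_max_body_size; the smaller of the two limits wins)
    client_max_body_size 10240M;
    fastcgi_buffers 64 4K;

    # Enable gzip for text assets. The earlier comment here said "Disable gzip",
    # which contradicted the directive; gzip_proxied/gzip_types below limit
    # compression to the listed types.
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    # Everything not matched below is routed through the front controller.
    location / {
        rewrite ^ /index.php$uri;
    }

    # Never serve application internals, data or dotfiles directly.
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    # Only the whitelisted PHP entry points are executed.
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        # Reject requests whose script does not exist instead of passing them to PHP.
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        # This vhost itself terminates TLS, so the flag is correct even without
        # an X-Forwarded-Proto header from the proxy.
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        # Stream uploads to PHP-FPM instead of spooling them to disk first.
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # add_header in a location discards the server-level add_header set, so
        # the security headers are intentionally repeated here. "always" was
        # added to Strict-Transport-Security to match the other entries.
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=31536000;includeSubDomains; preload;" always;
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}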
反向代理站点 Nginx配置
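# Public-facing reverse proxy (域名2) in front of the Nextcloud origin (域名:8443).
server {
    listen 80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 域名2;

    # Redirect plain HTTP to HTTPS.
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }

    # Enable SSL cache to speed up for return visitors
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 4h;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Specify cipher (TLSv1.2 only; TLSv1.3 suites are not selected by
    # ssl_ciphers). The 3DES suites were dropped (Sweet32, no TLSv1.2 client
    # needs them); the RSA+* suites remain for clients without ECDHE but give
    # no forward secrecy.
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
    #ssl_ciphers EECDH+CHACHA20:EECDH+AES256:EECDH+3DES:EECDH+AESGCM:AES256+EDH;
    #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EDH';

    # Enable TLS
    charset utf-8;
    ssl_certificate /www/ssl/cert/fullchain.cer;
    ssl_certificate_key /www/ssl/cert/key.key;

    # OCSP stapling; ssl_trusted_certificate must hold the issuing chain.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /www/ssl/cert/ca.cer;

    # To serve smaller requests (json/html/images etc) smaller ssl_buffer_size reduces latency but adds overhead
    # larger value decreases overhead but adds latency. Thus if TTFB is critical, use a smaller value (<=4K). See:
    # https://github.com/igrigorik/istlsfastyet.com/issues/63
    ssl_buffer_size 4k;

    # Security headers. The origin already emits these three (with "always"),
    # so without proxy_hide_header clients received each of them twice. They are
    # hidden from the upstream response and set once here; "always" keeps them
    # on responses generated by the proxy itself (e.g. a 502 while the origin is
    # down). Note the origin's value carries "preload" and this one does not —
    # add it here only after reading https://hstspreload.org/. The origin's
    # remaining headers (X-Content-Type-Options, X-Frame-Options, ...) pass
    # through unchanged.
    proxy_hide_header Strict-Transport-Security;
    proxy_hide_header Referrer-Policy;
    proxy_hide_header X-XSS-Protection;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # NOTE(review): http2_max_field_size / http2_max_header_size are obsolete in
    # newer nginx releases (large_client_header_buffers replaces them); check the
    # installed version before relying on them.
    http2_max_field_size 16k;
    http2_max_header_size 128k;

    # Response buffering towards the client.
    proxy_buffering on;
    proxy_buffer_size 4k;
    proxy_buffers 2 4k;
    proxy_busy_buffers_size 4k;
    proxy_temp_path /data/nginx_cache/nginx_proxy_tmp 1 2;
    proxy_max_temp_file_size 100M;
    proxy_temp_file_write_size 8k;
    # Stream upload bodies to the origin instead of spooling each one to disk
    # first; the origin does the same towards PHP-FPM.
    proxy_request_buffering off;

    location = /.well-known/carddav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    http2_chunk_size 300k;

    # set max upload size. The origin allows 10240M; this smaller limit is the
    # effective one, so uploads above 1024M are rejected here with 413.
    client_max_body_size 1024M;

    location / {
        proxy_pass https://域名:8443;
        http2_push_preload on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header REMOTE-HOST $remote_addr;
        # Nextcloud only honours X-Forwarded-For from proxies listed in
        # 'trusted_proxies' in its config.php; otherwise every client appears to
        # come from this host and per-IP brute-force throttling hits everyone.

        # TLS towards the origin. The origin's certificate is issued for 域名,
        # so SNI and the verified name must be 域名 rather than $host (域名2).
        # proxy_ssl_verify was previously absent, which made this leg accept any
        # certificate.
        proxy_ssl_name 域名;
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /path/to/origin-ca.cer;  # placeholder: CA chain that issued the origin's certificate

        # Shared response cache. 'my_zone' must be declared with proxy_cache_path
        # in the http{} context (not shown). The key now includes scheme and host
        # so entries are not shared between vhosts. Responses carrying an
        # Authorization request header (DAV clients, app passwords) are never
        # cached or served from cache. nginx honours upstream Cache-Control and
        # Set-Cookie by default — that is what keeps per-user Nextcloud pages out
        # of this cache, so do not add proxy_ignore_headers here.
        proxy_cache my_zone;
        proxy_cache_key $scheme$host$uri$is_args$args;
        proxy_no_cache $http_authorization;
        proxy_cache_bypass $http_authorization;
        proxy_cache_valid 200 10m;
        proxy_cache_valid 301 302 5m;
        proxy_cache_valid any 1m;
        proxy_cache_min_uses 3;
        proxy_cache_use_stale error http_500 http_502 http_503 http_504;
    }

    access_log /data/wwwlog/ssl_access.log;
    error_log /data/wwwlog/ssl_error.log;
}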