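# Docker Nginx configuration (lycheeKing, 2022-09-23, updated 2024-10-27)
#
# Main nginx.conf for a containerised deployment serving lychee.icu over TLS.
# The http{} defaults below apply to every vhost pulled in from conf.d/ and
# sites-enabled/, so the hardening choices made here (no legacy TLS, no
# version banner, small request limits) are the baseline for all of them.

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # Access log format; referenced by name in access_log below.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    # Baseline for every vhost.  TLS 1.0/1.1 are deprecated and were only
    # being disabled inside the lychee.icu server{} below, not for vhosts
    # included from conf.d/ or sites-enabled/, so drop them here too.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    # Use the "main" format defined above (it was declared but never applied,
    # so the default "combined" format was being written instead).
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript
               text/xml application/xml application/xml+rss text/javascript;

    ##
    # Request buffers and timeouts
    ##

    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    # NOTE: any single header line over 1k (large cookies, long Authorization
    # values) is rejected with 400 "Request Header Or Cookie Too Large";
    # raise this if legitimate clients hit that limit.
    large_client_header_buffers 2 1k;
    client_body_timeout 12;
    client_header_timeout 12;
    send_timeout 10;

    ##
    # Rate limiting (disabled)
    ##

    # Kept as examples only.  limit_req refers to a zone "one" that is not
    # defined anywhere; a limit_req_zone directive in this http{} context
    # is required before it can be enabled.
    #limit_req zone=one burst=5 nodelay;
    #limit_conn_zone $binary_remote_addr zone=addr:10m;
    #limit_conn addr 5;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    server {
        # HTTPS vhost for lychee.icu.
        listen 443 ssl;
        server_name lychee.icu;

        # Certificate chain and private key (relative or absolute paths).
        ssl_certificate /etc/nginx/lychee.icu_bundle.crt;
        ssl_certificate_key /etc/nginx/lychee.icu.key;
        ssl_session_timeout 5m;

        # Cipher list in OpenSSL syntax.  "AES" and "HIGH" also admit
        # RSA-key-exchange suites without forward secrecy; trim the list to
        # ECDHE suites only if PFS is required for every connection.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        # Regex locations are tried in the order written and the first match
        # wins, so the order of the blocks below is significant.

        # Block dotfiles anywhere in the path (.env, .git/, .htaccess, ...).
        location ~ /\. {
            deny all;
        }

        # Block direct requests for script sources and XML.  The pattern is
        # anchored on a dot: the original "(php|...|sh)$" had no dot and
        # also rejected ordinary paths such as /copy or /refresh.
        # deny all already answers 403; the extra "return 403" was redundant.
        location ~* \.(php|cgi|pl|py|jsp|asp|sh|xml)$ {
            deny all;
        }

        # Serve uploads as static files only: anything that is not an exact
        # file is a 404 (no directory listing, no fallback handler).  nginx
        # collapses ".." segments before location matching, so this block is
        # not what stops path traversal.
        location ~ ^/uploads/(.*)$ {
            try_files $uri =404;
        }

        # Admin endpoints handed to PHP-FPM.  Two caveats: a request for
        # /admin/anything.php is already denied by the \.php$ block above,
        # so only extension-less URIs reach here; and security.limit_extensions
        # is a PHP-FPM pool directive, not a php.ini setting, so passing it
        # through PHP_VALUE has no effect -- set it in the pool config.
        # This block does nothing against SQL injection or XSS; that is the
        # application's responsibility.
        location ~ /(admin|login|phpmyadmin) {
            fastcgi_param PHP_VALUE "security.limit_extensions = .php";
            fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
            include fastcgi_params;
        }

        # WordPress admin/login.  Unreachable as written: /wp-admin.php and
        # /wp-login.php match the \.php$ deny above first.  disable_functions
        # is also PHP_INI_SYSTEM and cannot be set via PHP_VALUE; put it in
        # php.ini or the FPM pool config.
        location ~* ^/(wp-admin|wp-login)\.php$ {
            fastcgi_param PHP_VALUE "disable_functions = exec,passthru,shell_exec,system";
            fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
            include fastcgi_params;
        }

        # Already covered by the "/\." block above; kept for explicitness.
        location ~ /\.(htaccess|htpasswd|git) {
            deny all;
        }

        # Catch-all denial of PHP files; also shadowed by the earlier
        # \.(php|...)$ block.
        location ~ \.php$ {
            deny all;
        }
    }

    server {
        # Plain HTTP: redirect everything to HTTPS.  server_name was
        # cloud.tencent.com, a leftover from the certificate vendor's
        # template; this vhost serves lychee.icu.
        listen 80;
        server_name lychee.icu;
        return 301 https://$host$request_uri;
    }
}

#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}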