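# Virtual host for admin.merck.hbraas.com: HTTPS admin backend served through
# PHP-FPM, plus a port-80 server that redirects everything to HTTPS.

# CORS allowlist: maps the request's Origin header to the value sent back in
# Access-Control-Allow-Origin by the PHP location below.
# - Exact string matches are used instead of the previous unanchored regexes,
#   which also matched any Origin merely containing (or resembling, because of
#   the unescaped dots) an allowed origin.
# - The default is the empty string so that nginx emits no
#   Access-Control-Allow-Origin header for unlisted origins; the previous
#   default sent the literal header value "0".
map $http_origin $corsHost_admin_merck {
    default                            "";
    "https://m.merck.hbraas.com"       https://m.merck.hbraas.com;
    "https://home.merck.hbraas.com"    https://home.merck.hbraas.com;
}

#limit_req_zone $remote_addr zone=gj_limited:10m rate=10r/m;
#limit_req_zone $binary_remote_addr zone=gjone:10m rate=10r/m;

server {
    server_name admin.merck.hbraas.com;

    # access_log /data1/wwwlogs/merck.admin.access.log combined;
    # error_log /data1/wwwlogs/merck.admin.error.log;

    ## --- logs section begin ----
    # Directory: create the log directory first, then run
    # `chown -R www $proj` to change its owner.
    access_log /www/log/nginx/merck/admin.nginx.access.log main;
    error_log /www/log/nginx/merck/admin.nginx.error.log;
    #set $proj 'merck';
    #set $subsys 'admin';
    #access_log /data/wwwlogs/${proj}/${subsys}_${year}${month}${day}_nginx_access.log main;
    #error_log /data/wwwlogs/${proj}/${subsys}_${year}${month}${day}_nginx_error.log;
    ## --- logs section end ----

    # listen 80;
    listen 443 ssl;
    # ssl on;
    ssl_certificate /www/cert/merck/fullchain.pem;
    ssl_certificate_key /www/cert/merck/privkey.pem;
    ssl_session_timeout 10m;

    # Enable TLSv1.2, disable SSLv3.0, TLSv1.0 and TLSv1.1
    ssl_protocols TLSv1.2;

    # Enable modern TLS cipher suites
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;

    root /www/merck_main/huiyuan/backend/web;
    index index.php index.html index.htm;

    # include vhost/updating;

    # Report "forbidden" as "not found" so that 403 responses are not
    # distinguishable from missing paths.
    error_page 403 =404 /404.html;

    # stub_status metrics, reachable from the local host only.
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }

    # NOTE(review): open forward proxy / SSRF risk. The upstream host and path
    # are taken verbatim from the request URI, so any client that can reach
    # this vhost chooses where nginx connects, including addresses that are
    # reachable only from this server. Only Referer is blanked; the other
    # request headers are forwarded as nginx does by default (presumably
    # including this site's cookies -- confirm). Behaviour is left unchanged
    # here because the set of legitimate upstreams is not visible in this
    # file. Recommended mitigations:
    #   - check the captured host against an explicit allowlist
    #     (e.g. a map keyed on the host with <ALLOWED-UPSTREAM-HOST> entries)
    #     and `return 403;` for everything else; or
    #   - mark the location `internal;` if it is only reached through
    #     internal redirects; and
    #   - clear credentials that the upstream does not need
    #     (proxy_set_header Cookie ""; proxy_set_header Authorization "";).
    # The resolver below is a public DNS service; lookups for proxied hosts
    # leave the network.
    location ~ ^/proxy/(.+)$ {
        resolver 8.8.8.8;
        set $realpath $1;
        set $lastpath $realpath$is_args$args;
        proxy_set_header Referer '';
        proxy_pass http://$lastpath;
    }

    # Strip the /admin/ prefix and serve the remainder from the web root.
    location ~ ^/admin/(.*) {
        # limit_req zone=gjone burst=5 nodelay;
        rewrite ^/admin/(.*) /$1 break;
        root /www/merck_main/huiyuan/backend/web;
    }

    # PHP entry points, handed to the php74 FastCGI backend.
    # NOTE(review): every URI ending in .php/.php5 is passed to FastCGI without
    # checking that the script exists under root. Confirm that the backend
    # runs with cgi.fix_pathinfo=0, or add an existence check if nginx and the
    # php74 host share the document root.
    location ~ .*\.(php|php5)$ {
        # limit_req zone=gj_limited burst=5 nodelay;
        # Empty for origins that are not in the allowlist map, in which case
        # nginx omits the header.
        add_header Access-Control-Allow-Origin $corsHost_admin_merck;
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET,PUT,POST,OPTIONS';
        add_header 'X-Content-Type-Options' 'nosniff';
        add_header X-XSS-Protection '1';
        add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains; preload';
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header Content-Security-Policy "script-src *.hbraas.com;frame-ancestors 'self';object-src 'none'";
        #fastcgi_pass unix:/dev/shm/php-cgi.sock;
        fastcgi_pass php74:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    # Static assets of the inventory module, with the URL prefix stripped.
    location ~ ^/static/inventory/(.*) {
        # limit_req zone=gjone burst=5 nodelay;
        rewrite ^/static/inventory/(.*) /$1 break;
        root /www/merck_main/huiyuan/modules/inventory/views;
    }

    # Images and media: long cache lifetime, not logged.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
        root /www/merck_main/huiyuan/backend/views;
        expires 30d;
        access_log off;
    }

    # order.html is served from the error directory. The dot is escaped so
    # that only a literal "/order.html" suffix matches.
    location ~ /order\.html$ {
        root /www/merck_main/error;
        expires 30d;
        access_log off;
    }

    # Scripts, stylesheets and HTML pages, with the same security headers as
    # the PHP responses (minus the CORS headers).
    location ~ .*\.(js|css|html)$ {
        root /www/merck_main/huiyuan/backend/views;
        add_header X-Content-Type-Options 'nosniff';
        add_header X-XSS-Protection '1';
        add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains; preload';
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        # add_header Content-Security-Policy "default-src";
        add_header Content-Security-Policy "script-src *.hbraas.com;frame-ancestors 'self';object-src 'none'";
        expires 7d;
        access_log off;
    }
}

# Plain-HTTP listener: permanently redirect every request to the HTTPS vhost,
# keeping the original path and query string.
server {
    listen 80;
    server_name admin.merck.hbraas.com;
    return 301 https://$server_name$request_uri;
}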