docker 开发环境

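# Maps the request's Origin header to the value returned in
# Access-Control-Allow-Origin. Only the two exact origins below are allowed.
#
# Exact-string keys replace the earlier unanchored regexes
# ("~https://m.merck.hbraas.com"): without ^/$ anchors and with unescaped
# dots those patterns also matched look-alike origins that merely contain
# the allowed name.
#
# The default is the empty string so that add_header emits no
# Access-Control-Allow-Origin header for any other origin. The earlier
# default of 0 produced a literal "Access-Control-Allow-Origin: 0" header.
map $http_origin $corsHost_admin_merck {
    default "";
    "https://m.merck.hbraas.com" https://m.merck.hbraas.com;
    "https://home.merck.hbraas.com" https://home.merck.hbraas.com;
}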
#limit_req_zone $remote_addr zone=gj_limited:10m rate=10r/m;
#limit_req_zone $binary_remote_addr zone=gjone:10m rate=10r/m;
server {
# Virtual host for the admin site. It listens on 443 with TLS only; plain
# HTTP on port 80 is handled by the redirect server block at the end of
# this file.
server_name admin.merck.hbraas.com;
# access_log /data1/wwwlogs/merck.admin.access.log combined;
# error_log /data1/wwwlogs/merck.admin.error.log;
## --- logs section begin ----
# Directory name: the log directory must be created first, then its owner
# changed with: chown -R www $proj
access_log /www/log/nginx/merck/admin.nginx.access.log main;
error_log /www/log/nginx/merck/admin.nginx.error.log;
#set $proj 'merck';
#set $subsys 'admin';
#access_log /data/wwwlogs/${proj}/${subsys}_${year}${month}${day}_nginx_access.log main;
#error_log /data/wwwlogs/${proj}/${subsys}_${year}${month}${day}_nginx_error.log;
## --- logs section end ----
# listen 80;
listen 443 ssl;
# ssl on;
# Certificate chain and private key. The key file should be readable only
# by the account that starts nginx.
ssl_certificate /www/cert/merck/fullchain.pem;
ssl_certificate_key /www/cert/merck/privkey.pem;
ssl_session_timeout 10m;
# Enable TLSv1.2, disable SSLv3.0, TLSv1.0 and TLSv1.1
# NOTE(review): TLSv1.3 is not enabled here; whether it can be added depends
# on the nginx/OpenSSL build in use — confirm.
ssl_protocols TLSv1.2;
# Enable modern TLS cipher suites
# All entries use ECDHE key exchange (forward secrecy). The first six are
# AEAD suites (AES-GCM / ChaCha20-Poly1305); the last four are CBC-mode
# suites, presumably kept for older clients — consider dropping them if no
# such clients remain.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
# Default document root; several locations below override it.
root /www/merck_main/huiyuan/backend/web;
index index.php index.html index.htm;
# include vhost/updating;
# A 403 is answered with /404.html and status 404, so a client cannot tell
# a forbidden path from a missing one.
error_page 403 =404 /404.html;
# Status endpoint backed by stub_status. Access is limited to the loopback
# address; every other client is denied. Requests are not logged.
location /nginx_status {
    access_log off;
    allow 127.0.0.1;
    deny all;
    stub_status on;
}
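# Forwards /proxy/<host>[:port]/<path>?<args> to
# http://<host>[:port]/<path>?<args>.
#
# The upstream host is taken directly from the request URI. Without a check,
# this location relays requests to any address the server can reach
# (server-side request forgery / open relay), including hosts that are only
# reachable from the internal network. The guard below fails closed: only
# allowlisted hosts are forwarded.
location ~ ^/proxy/(.+)$ {
    # Upstream names are resolved at request time through this public resolver.
    resolver 8.8.8.8;

    # Save the capture before the "if" below runs its own regex match.
    set $realpath $1;

    # PLACEHOLDER allowlist: replace allowed-upstream.example.invalid with the
    # real upstream host name(s), separated by "|". Until that is done, every
    # request to this location is refused. The pattern pins the whole host
    # part: after the name only an optional port, "/" or end of string may
    # follow, so an allowed name used as a prefix of another host is rejected.
    if ($realpath !~* "^(allowed-upstream\.example\.invalid)(:[0-9]+)?(/|$)") {
        return 403;
    }

    set $lastpath $realpath$is_args$args;
    # Do not pass the client's Referer header on to the upstream.
    proxy_set_header Referer '';
    proxy_pass http://$lastpath;
}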
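# Strips the /admin/ prefix and serves the remainder as a static file from
# the backend web root.
location ~ ^/admin/(.*) {
    # limit_req zone=gjone burst=5 nodelay;

    # "rewrite ... break" keeps the request in this location, which has no
    # FastCGI handler. A request for /admin/<file>.php would therefore be
    # answered with the file's contents (PHP source disclosure), so such
    # requests are refused.
    # NOTE(review): if PHP under /admin/ is meant to execute, the "last" flag
    # would re-match the rewritten URI against the other locations instead —
    # confirm the intent before changing it.
    if ($uri ~* "\.(php|php5)$") {
        return 404;
    }

    rewrite ^/admin/(.*) /$1 break;
    root /www/merck_main/huiyuan/backend/web;
}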
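# Hands *.php / *.php5 requests to PHP-FPM (php74:9000) and attaches CORS
# and browser security headers to the responses.
location ~ .*\.(php|php5)$ {
    # limit_req zone=gj_limited burst=5 nodelay;

    # CORS: $corsHost_admin_merck is derived from the Origin request header
    # by the map at the top of this file, so the response differs per origin.
    # "Vary: Origin" keeps a cache from reusing a response for another origin.
    add_header Access-Control-Allow-Origin $corsHost_admin_merck;
    add_header Vary Origin;
    # Credentialed cross-origin requests are allowed, which makes the origin
    # allowlist in the map the only barrier for cookie-bearing requests.
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET,PUT,POST,OPTIONS';

    # Browser hardening headers. None of the add_header lines carry the
    # "always" parameter, so they are not added to error responses.
    add_header 'X-Content-Type-Options' 'nosniff';
    # NOTE(review): X-XSS-Protection is a legacy header; current guidance
    # favours relying on Content-Security-Policy instead — consider
    # revisiting this value.
    add_header X-XSS-Protection '1';
    add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains; preload';
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    # The policy restricts script sources, framing and plugins only; it sets
    # no default-src.
    add_header Content-Security-Policy "script-src *.hbraas.com;frame-ancestors 'self';object-src 'none'";

    # NOTE(review): there is no try_files or other existence check before
    # fastcgi_pass. Whether a request for a non-existent *.php path can reach
    # a different script depends on the PHP-FPM settings (cgi.fix_pathinfo,
    # security.limit_extensions) — confirm.
    #fastcgi_pass unix:/dev/shm/php-cgi.sock;
    fastcgi_pass php74:9000;
    fastcgi_index index.php;
    include fastcgi.conf;
}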
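# Strips the /static/inventory/ prefix and serves the remainder as a static
# file from the inventory module's views directory.
location ~ ^/static/inventory/(.*) {
    # limit_req zone=gjone burst=5 nodelay;

    # The root below is a views directory, and "rewrite ... break" keeps the
    # request in this location, which has no FastCGI handler. A request for a
    # *.php path here would be answered with the file's contents (template
    # source disclosure), so such requests are refused.
    if ($uri ~* "\.(php|php5)$") {
        return 404;
    }

    rewrite ^/static/inventory/(.*) /$1 break;
    root /www/merck_main/huiyuan/modules/inventory/views;
}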
# Image, icon and Flash assets are served from the backend views tree.
# Clients may cache them for 30 days. Requests are not logged.
location ~ \.(gif|jpg|jpeg|png|bmp|swf|flv|ico)$ {
    access_log off;
    expires 30d;
    root /www/merck_main/huiyuan/backend/views;
}
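# Serves order.html from the error directory. This location is listed before
# the generic js/css/html location, so it wins for this file name.
# The dot is escaped so the pattern matches a literal "/order.html" only;
# unescaped, it matched any single character in that position.
location ~ /order\.html$ {
    root /www/merck_main/error;
    expires 30d;
    access_log off;
}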
# Script, stylesheet and HTML assets are served from the backend views tree.
# They carry the same browser hardening headers as the PHP location.
# Clients may cache them for 7 days. Requests are not logged.
location ~ \.(js|css|html)$ {
    access_log off;
    expires 7d;
    root /www/merck_main/huiyuan/backend/views;

    add_header X-Content-Type-Options 'nosniff';
    add_header X-XSS-Protection '1';
    add_header Strict-Transport-Security 'max-age=63072000; includeSubdomains; preload';
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    # add_header Content-Security-Policy "default-src";
    add_header Content-Security-Policy "script-src *.hbraas.com;frame-ancestors 'self';object-src 'none'";
}
}
# Plain-HTTP listener. Every request is answered with a permanent (301)
# redirect to the HTTPS site, keeping the original path and query string.
server {
    server_name admin.merck.hbraas.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}