Nginx 反向代理nextcloud https配置

由于vps的配置比较低,使用nextcloud比较吃资源,就把nextcloud从腾讯轻量迁移到了另一个配置稍微好点的vps上面。
不过之前都是使用秋水的lamp一键脚本,apache有点吃内存,所以就自己花了几天时间学习编译nginx,自己做配置。填过几个坑后nextcloud终于由apache成功迁移到了nginx,并且没有使用一键脚本搭建web环境。

但是nextcloud的vps网络情况现在变的有点差,所以就用了腾讯云轻量去反代,开始时,腾讯云轻量的web环境是apache,随便配置一下就能反代成功。后面又把腾讯云轻量的web环境也换成了Nginx,但是在反代后chrome上面出现了ERR_HTTP2_PROTOCOL_ERROR为了解决这个问题折腾了好多啊,同样的配置在火狐浏览器下面反向代理后没有问题,但是在chrome下就是ERR_HTTP2_PROTOCOL_ERROR。找了好久也没有发现什么办法解决,最后好像是原站点和反代站点配置都使用了HTTP2问题解决。

站点Nextcloud的Nginx配置

    upstream php-handler {
    server  unix:/run/php/php7.4-fpm.sock;
}
server {
    listen 8443 ssl http2;
    server_name 域名;
    #include       /etc/nginx/conf/ssl.conf;
    # Enable SSL cache to speed up for return visitors
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 4h;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Specify cipher
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # Enable TLS
    charset utf-8;
    ssl_certificate    /www/ssl/cert/fullchain.cer;
    ssl_certificate_key    /www/ssl/cert/key.key;

    # OCSP
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate  /www/ssl/cert/ca.cer;

    # To serve smaller requests (json/html/images etc) smaller ssl_buffer_size reduces latency but adds overhead
    # larger value decreases overhead but adds latency. Thus if TTFB is critical, use a smaller value (<=4K). See:
    # https://github.com/igrigorik/istlsfastyet.com/issues/63
    ssl_buffer_size 4k;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;
    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;
    # Path to the root of your installation
    root /data/www/nextcloud;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }
    rewrite /.well-known/carddav /remote.php/dav permanent;
    rewrite /.well-known/caldav /remote.php/dav permanent;
    # set max upload size
    client_max_body_size 10240M;
    fastcgi_buffers 64 4K;
    # Disable gzip to avoid the removal of the ETag header
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
 
 
    location / {
        rewrite ^ /index.php$uri;
    }
 

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
 
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;


    }
 

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
 
 
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=31536000;includeSubDomains; preload;";
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;


        # Optional: Don't log access to assets

        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

反向代理站点 Nginx配置

    server
{
    listen 80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name 域名2;

    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }

    # Enable SSL cache to speed up for return visitors
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 4h;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Specify cipher
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    #ssl_ciphers EECDH+CHACHA20:EECDH+AES256:EECDH+3DES:EECDH+AESGCM:AES256+EDH;
    #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EDH';

    # Enable TLS
    charset utf-8;
    ssl_certificate    /www/ssl/cert/fullchain.cer;
    ssl_certificate_key    /www/ssl/cert/key.key;

    # OCSP
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate  /www/ssl/cert/ca.cer;

    # To serve smaller requests (json/html/images etc) smaller ssl_buffer_size reduces latency but adds overhead
    # larger value decreases overhead but adds latency. Thus if TTFB is critical, use a smaller value (<=4K). See:
    # https://github.com/igrigorik/istlsfastyet.com/issues/63
    ssl_buffer_size 4k;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header Referrer-Policy "no-referrer" always;
    add_header X-XSS-Protection "1; mode=block" always;
    http2_max_field_size 16k;
    http2_max_header_size 128k;

        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 2 4k;
        proxy_busy_buffers_size 4k;
        proxy_temp_path /data/nginx_cache/nginx_proxy_tmp 1 2;
        proxy_max_temp_file_size 100M;
        proxy_temp_file_write_size 8k;


    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    http2_chunk_size             300k;
    # set max upload size
    client_max_body_size 1024M;

    location / {
    proxy_pass https://域名:8443;
    http2_push_preload on;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_ssl_name $host;
    proxy_ssl_server_name on;

    proxy_cache my_zone;
    proxy_cache_key    $uri$is_args$args;
    proxy_cache_valid 200 10m;
    proxy_cache_valid 301 302 5m;
    proxy_cache_valid any 1m;
    proxy_cache_min_uses 3;
    proxy_cache_use_stale error http_500 http_502 http_503 http_504;
        }
access_log  /data/wwwlog/ssl_access.log;
error_log  /data/wwwlog/ssl_error.log;
}

添加新评论