From 1fd4d6b542abf8a561042092c7b90eeb908f1736 Mon Sep 17 00:00:00 2001 From: huangfeng Date: Mon, 7 Apr 2025 10:17:43 +0800 Subject: [PATCH] =?UTF-8?q?perf:=20=E6=9B=B4=E6=96=B0ssl=E5=AF=B9=E5=BA=94?= =?UTF-8?q?=E7=9A=84=E5=AE=89=E5=85=A8=E5=A4=B4=E9=85=8D=E7=BD=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ncac/package/80-ssl.conf | 6 ++++++ ncac/package/cac-ssl.conf | 13 +++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 ncac/package/80-ssl.conf diff --git a/ncac/package/80-ssl.conf b/ncac/package/80-ssl.conf new file mode 100644 index 0000000..3987f3a --- /dev/null +++ b/ncac/package/80-ssl.conf @@ -0,0 +1,6 @@ +server { + listen 80; + server_name cacserver; + + rewrite ^/(.*)$ https://$host/$1 permanent; +} diff --git a/ncac/package/cac-ssl.conf b/ncac/package/cac-ssl.conf index a3f07dd..d20a4d8 100644 --- a/ncac/package/cac-ssl.conf +++ b/ncac/package/cac-ssl.conf @@ -1,6 +1,19 @@ server { listen 443 ssl; server_name cacserver; + # 安全头配置 + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Content-Security-Policy + "default-src 'self'; + connect-src 'self' data:; + script-src 'self' 'unsafe-inline' 'unsafe-eval'; + worker-src 'self' blob:; + img-src 'self' data:; + style-src 'self' 'unsafe-inline'; + font-src 'self'; + frame-ancestors 'none';" always; + add_header X-Frame-Options "SAMEORIGIN" always; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; ssl_certificate /home/xydl/cert/ca.cert;