准备

lnmp vhost add

server {
  listen 80;
  # listen [::]:80;
  server_name vault.yourdomain.com;
  index index.html index.htm index.php default.html default.htm default.php;
  root /home/wwwroot/vault.yourdomain.com;
  
  include rewrite/none.conf;
  # error_page   404   /404.html;
  
  # Deny access to PHP files in specific directory
  # location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
  
  include enable-php.conf;
  
  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
    expires 30d;
  }
  
  location ~ .*\.(js|css)?$ {
    expires 12h;
  }
  
  location ~ /.well-known {
    allow all;
  }
  
  location ~ /\. {
    deny all;
  }
  
  access_log off;
}

server {
  listen 443 ssl http2;
  # listen [::]:443 ssl http2;
  server_name vault.yourdomain.com;
  index index.html index.htm index.php default.html default.htm default.php;
  root /home/wwwroot/vault.yourdomain.com;
  
  ssl_certificate /usr/local/nginx/conf/ssl/vault.yourdomain.com/fullchain.cer;
  ssl_certificate_key /usr/local/nginx/conf/ssl/vault.yourdomain.com/vault.bitwarden.in.key;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
  ssl_session_cache builtin:1000 shared:SSL:10m;
  # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
  ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
  
  include rewrite/none.conf;
  # error_page   404   /404.html;
  
  # Deny access to PHP files in specific directory
  # location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
  
  include enable-php.conf;
  
  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
    expires 30d;
  }
  
  location ~ .*\.(js|css)?$ {
    expires 12h;
  }
  
  location ~ /.well-known {
    allow all;
  }
  
  location ~ /\. {
    deny all;
  }
  
  access_log off;
}

client_max_body_size 128M; # 允许大型附件

location / {
  proxy_pass http://127.0.0.1:8443;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
}

location /notifications/hub {
  proxy_pass http://127.0.0.1:3012;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
}

location /notifications/hub/negotiate {
  proxy_pass http://127.0.0.1:8443;
}

location /admin {
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_pass http://127.0.0.1:8443;
}

return 301 https://$server_name$request_uri;

location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
  expires 30d;
}

location ~ .*\.(js|css)?$ {
  expires 12h;
}

server {
  listen 80;
  # listen [::]:80;
  server_name vault.yourdomain.com;
  index index.html index.htm index.php default.html default.htm default.php;
  root /home/wwwroot/vault.yourdomain.com;
  
  return 301 https://$server_name$request_uri; #设置 http 跳转到 https
  
  include rewrite/none.conf;
  # error_page   404   /404.html;
  
  # Deny access to PHP files in specific directory
  # location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
  
  include enable-php.conf;
  
  access_log off;
}

server {
  listen 443 ssl http2;
  # listen [::]:443 ssl http2;
  server_name vault.yourdomain.com;
  index index.html index.htm index.php default.html default.htm default.php;
  root /home/wwwroot/vault.yourdomain.comn;
  
  ssl_certificate /usr/local/nginx/conf/ssl/vault.yourdomain.com/fullchain.cer;
  ssl_certificate_key /usr/local/nginx/conf/ssl/vault.yourdomain.com/vault.bitwarden.in.key;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
  ssl_session_cache builtin:1000 shared:SSL:10m;
  # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
  ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
  
  include rewrite/none.conf;
  # error_page   404   /404.html;
  
  # Deny access to PHP files in specific directory
  # location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
  
  include enable-php.conf;
  
  # ==设置反向代理开始== #
  client_max_body_size 128M; #允许大型附件
  
  location / {
    proxy_pass http://127.0.0.1:8443;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
  
  location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
  
  location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:8443;
  }
  
  location /admin {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://127.0.0.1:8443;
  }
  # ==设置反向代理结束== #
  
  location ~ /.well-known {
    allow all;
  }
  
  location ~ /\. {
    deny all;
  }
  
  access_log off;
}

/etc/init.d/nginx restart