4.6 KiB
4.6 KiB
server { listen 80; listen 443 ssl; listen 443 quic; http2 on;
# 捕获子域名变量 $subdomain
server_name yunzer.com.cn ~^(?<subdomain>.+)\.yunzer\.com\.cn$;
index index.php index.html index.htm default.php default.htm default.html;
root /www/wwwroot/api.yunzer.cn/public;
#CERT-APPLY-CHECK--START
include /www/server/panel/vhost/nginx/well-known/yunzer.com.cn.conf;
#CERT-APPLY-CHECK--END
include /www/server/panel/vhost/nginx/extension/yunzer.com.cn/*.conf;
# --- SSL 配置 START ---
set $isRedcert 1;
if ($server_port != 443) {
set $isRedcert 2;
}
if ( $uri ~ /\.well-known/ ) {
set $isRedcert 1;
}
if ($isRedcert != 1) {
rewrite ^(/.*)$ https://$host$1 permanent;
}
ssl_certificate /www/server/panel/vhost/cert/yunzer.com.cn/fullchain.pem;
ssl_certificate_key /www/server/panel/vhost/cert/yunzer.com.cn/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_tickets on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security "max-age=31536000";
add_header Alt-Svc 'quic=":443"; h3=":443"; h3-29=":443"; h3-27=":443";h3-25=":443"; h3-T050=":443"; h3-Q050=":443";h3-Q049=":443";h3-Q048=":443"; h3-Q046=":443"; h3-Q043=":443"';
error_page 497 https://$host$request_uri;
# --- SSL 配置 END ---
#ERROR-PAGE-START
error_page 404 /404.html;
#ERROR-PAGE-END
# --- 安全与防盗链拦截 START ---
location ~* (\.user.ini|\.htaccess|\.htpasswd|\.env.*|\.project|\.bashrc|\.bash_profile|\.bash_logout|\.DS_Store|\.gitignore|\.gitattributes|LICENSE|README\.md|CLAUDE\.md|CHANGELOG\.md|CHANGELOG|CONTRIBUTING\.md|TODO\.md|FAQ\.md|composer\.json|composer\.lock|package(-lock)?\.json|yarn\.lock|pnpm-lock\.yaml|\.\w+~|\.swp|\.swo|\.bak(up)?|\.old|\.tmp|\.temp|\.log|\.sql(\.gz)?|docker-compose\.yml|docker\.env|Dockerfile|\.csproj|\.sln|Cargo\.toml|Cargo\.lock|go\.mod|go\.sum|phpunit\.xml|phpunit\.xml|pom\.xml|build\.gradl|pyproject\.toml|requirements\.txt|application(-\w+)?\.(ya?ml|properties))$ {
return 404;
}
location ~* /(\.git|\.svn|\.bzr|\.vscode|\.claude|\.idea|\.ssh|\.github|\.npm|\.yarn|\.pnpm|\.cache|\.husky|\.turbo|\.next|\.nuxt|node_modules|runtime)/ {
return 404;
}
location ~ \.well-known {
allow all;
}
if ( $uri ~ "^/\.well-known/.*\.(php|jsp|py|js|css|lua|ts|go|zip|tar\.gz|rar|7z|sql|bak)$" ) {
return 403;
}
# --- 安全与防盗链拦截 END ---
# --- 静态资源与缓存 START ---
location ^~ /themes/ {
root /www/wwwroot/api.yunzer.cn/public;
try_files $uri $uri/ =404;
expires 12h;
access_log off;
}
location ~ ^/(template(?:[1-9]\d?|100))/(.*)$ {
alias /www/wwwroot/api.yunzer.cn/public/themes/$1/$2;
try_files $uri $uri/ =404;
expires 12h;
access_log off;
}
location ~* \.(gif|jpg|jpeg|png|bmp|swf)$ {
expires 30d;
error_log /dev/null;
access_log /dev/null;
}
location ~* \.(js|css)$ {
expires 12h;
error_log /dev/null;
access_log /dev/null;
}
# --- 静态资源与缓存 END ---
# --- 核心路由与 PHP 解析 START ---
# 1. 根目录的 *.html,交给 ThinkPHP 处理
location ~* ^/(.+\.html)$ {
try_files /themes/template3/$1 /index.php?$query_string;
}
# 2. 唯一且正确的 PHP 解析块(解决了直接下载的问题)
location ~ [^/]\.php(/|$) {
# 引入宝塔的 PHP FastCGI 配置,确保 PHP 正常执行
include enable-php-82.conf;
# 传递自定义子域名参数给 ThinkPHP
fastcgi_param HTTP_SUBDOMAIN $subdomain;
fastcgi_param HTTP_MAIN_DOMAIN yunzer.com.cn;
}
# 3. 统一入口(ThinkPHP 默认伪静态):先找真实文件,找不到再交给 index.php
location / {
# 当访问的路径没有对应静态文件时,将请求回退到 ThinkPHP 前端入口。
# 使用 /index.php$uri 让内部请求变成 /index.php/portfolio 这类形式,
# 从而使 ThinkPHP 能从 pathinfo 中拿到 portfolio,并匹配 Route::get(':page', ...)
# 保留 query_string(用于 ?page=n 之类分页参数)
try_files $uri $uri/ /index.php$uri$is_args$args;
}
# --- 核心路由与 PHP 解析 END ---
access_log /www/wwwlogs/yunzer.com.cn.log;
error_log /www/wwwlogs/yunzer.com.cn.error.log;
}