tls1.3_von

cn.yimian.xyz/nginx/nginx.conf

@@ -41,24 +41,4 @@ http {
     include /mnt/etc/common/nginx/conf.d/*.conf;
     include /mnt/etc/cn.yimian.xyz/nginx/conf.d/*.conf;
 
-    server {
-
-         listen       80 default_server;
-         listen       [::]:80 default_server;
-         listen       443 ssl http2 default_server;
-         listen       [::]:443 ssl http2 default_server;
-         server_name  _;
- 
-         ssl_certificate "/mnt/config/ssl/yimian.xyz/yimian.xyz.crt";
-         ssl_certificate_key "/mnt/config/ssl/yimian.xyz/yimian.xyz.key";
-         ssl_session_cache shared:SSL:1m;
-         ssl_session_timeout  10m;
-         ssl_ciphers HIGH:!aNULL:!MD5;
-         ssl_prefer_server_ciphers on;
- 
-         location / {
-            rewrite ^(.*)$  https://ushio.cool/;
-         }
-     }
-
 }

common/nginx/conf.d/_.conf

@@ -0,0 +1,30 @@
+server {
+
+    listen       80 default_server;
+    listen       [::]:80 default_server;
+    listen       443 ssl http2 default_server;
+    listen       [::]:443 ssl http2 default_server;
+    server_name  _;
+
+    ssl_certificate "/mnt/config/ssl/yimian.xyz/yimian.xyz.crt";
+    ssl_certificate_key "/mnt/config/ssl/yimian.xyz/yimian.xyz.key";
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+    ssl_dhparam /mnt/etc/common/nginx/dhparam;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    location / {
+        rewrite ^(.*)$  https://ushio.cool/;
+    }
+}

common/nginx/dhparam

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

home.yimian.xyz/nginx/nginx.conf

@@ -38,27 +38,6 @@ http {
     # Load modular configuration files from the /etc/nginx/conf.d directory.
     # See http://nginx.org/en/docs/ngx_core_module.html#include
     # for more information.
-
-    server {
-
-         listen       80 default_server;
-         listen       [::]:80 default_server;
-         listen       443 ssl http2 default_server;
-         listen       [::]:443 ssl http2 default_server;
-         server_name  _;
- 
-         ssl_certificate "/mnt/config/ssl/yimian.xyz/yimian.xyz.crt";
-         ssl_certificate_key "/mnt/config/ssl/yimian.xyz/yimian.xyz.key";
-         ssl_session_cache shared:SSL:1m;
-         ssl_session_timeout  10m;
-         ssl_ciphers HIGH:!aNULL:!MD5;
-         ssl_prefer_server_ciphers on;
- 
-         location / {
-            rewrite ^(.*)$  https://ushio.cool/;
-         }
-     }
-
     include /mnt/etc/common/nginx/conf.d/*.conf;
     include /mnt/etc/home.yimian.xyz/nginx/conf.d/*.conf;
 }

usa.yimian.xyz/nginx/conf.d/v-china-tunnel.yimian.xyz.conf

@@ -13,6 +13,18 @@ server {
     ssl_certificate         /mnt/config/ssl/yimian.xyz/yimian.xyz.crt;
     ssl_certificate_key     /mnt/config/ssl/yimian.xyz/yimian.xyz.key;
 
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # modern configuration
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+
     location / {
         proxy_pass http://v-china:81/;
         proxy_read_timeout 300s;

usa.yimian.xyz/nginx/conf.d/v-china.yimian.xyz.conf

@@ -1,17 +1,32 @@
+# generated 2021-08-23, Mozilla Guideline v5.6, nginx 1.21.1, OpenSSL 1.1.1d, modern configuration, no OCSP
+# https://ssl-config.mozilla.org/#server=nginx&version=1.21.1&config=modern&openssl=1.1.1d&ocsp=false&guideline=5.6
 server {
-    listen       80;
-    #listen       [::]:80;
+    listen 80;
+    listen [::]:80;
     server_name  v-china.yimian.xyz;
-    rewrite ^(.*)$  https://$host$1 permanent;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 server {
-   #listen 80;
-    listen 443 ssl;
-    server_name v-china.yimian.xyz;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name  v-china.yimian.xyz;
 
     ssl_certificate         /mnt/config/ssl/yimian.xyz/yimian.xyz.crt;
     ssl_certificate_key     /mnt/config/ssl/yimian.xyz/yimian.xyz.key;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # modern configuration
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
 
     location / {
         proxy_pass http://v-china:80/;
@@ -24,7 +39,4 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
    } 
-
-
 }
-

usa.yimian.xyz/nginx/conf.d/vmess.yimian.xyz.conf

@@ -13,6 +13,18 @@ server {
     ssl_certificate         /mnt/config/ssl/yimian.xyz/yimian.xyz.crt;
     ssl_certificate_key     /mnt/config/ssl/yimian.xyz/yimian.xyz.key;
 
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # modern configuration
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+
     location / {
         proxy_pass http://v2ray:10808/;
         proxy_read_timeout 300s;

usa.yimian.xyz/nginx/nginx.conf

@@ -39,25 +39,6 @@ http {
     # See http://nginx.org/en/docs/ngx_core_module.html#include
     # for more information.
 
-    server {
-
-         listen       80 default_server;
-         listen       [::]:80 default_server;
-         listen       443 ssl http2 default_server;
-         listen       [::]:443 ssl http2 default_server;
-         server_name  _;
- 
-         ssl_certificate "/mnt/config/ssl/yimian.xyz/yimian.xyz.crt";
-         ssl_certificate_key "/mnt/config/ssl/yimian.xyz/yimian.xyz.key";
-         ssl_session_cache shared:SSL:1m;
-         ssl_session_timeout  10m;
-         ssl_ciphers HIGH:!aNULL:!MD5;
-         ssl_prefer_server_ciphers on;
- 
-         location / {
-            rewrite ^(.*)$  https://ushio.cool/;
-         }
-     }
 
     include /mnt/etc/common/nginx/conf.d/*.conf;
     include /mnt/etc/usa.yimian.xyz/nginx/conf.d/*.conf;