Hosting a Static Blog with Nginx
Full configuration
server {
    listen 80;
    server_name sslepy.online www.sslepy.online;
    return 301 https://sslepy.online$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.sslepy.online;
    return 301 https://sslepy.online$request_uri;

    ssl_certificate /etc/ssl/trustasia/sslepy.online.crt;
    ssl_certificate_key /etc/ssl/trustasia/sslepy.online.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
}

server {
    listen 443 ssl http2;
    server_name sslepy.online;
    root /srv/sslepy/current;
    index index.html;

    ssl_certificate /etc/ssl/trustasia/sslepy.online.crt;
    ssl_certificate_key /etc/ssl/trustasia/sslepy.online.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # Performance
    gzip on;
    gzip_types text/plain text/css application/javascript application/json image/svg+xml;
    gzip_min_length 1024;
    gzip_vary on;

    # Caching
    location ~* \.(webp|woff2|css|js)$ {
        expires 30d;
        add_header Cache-Control "public, max-age=2592000";
        # An add_header in this block stops inheritance of the server-level
        # add_header directives, so the security headers are repeated here.
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options "nosniff";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
    }

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    # Friendly URLs
    location / {
        try_files $uri $uri/ $uri.html =404;
    }

    # 404
    error_page 404 /404.html;
}
Key points
1. Force HTTPS + redirect www
return 301 https://...$request_uri is more efficient than rewrite.
2. Don't leave image/svg+xml out of gzip_types
SVG files are much larger without gzip (a typical SVG shrinks by 60%).
3. Caching strategy
- HTML → no-cache (revalidated on every request)
- CSS/JS/images → 30d

A ?v=xxx version number lets Hugo bust the cache automatically.
4. Security headers
X-Frame-Options prevents clickjacking. X-Content-Type-Options prevents MIME sniffing.
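Nginx inherits add_header from the enclosing level only when the current level sets none of its own, so a location that adds Cache-Control must repeat the security headers or its responses go out without them. The lint below is an added example, not part of the original post: parse and dropped_headers are hypothetical helpers, the sample config is constructed, and the parser assumes no braces, semicolons or # inside quoted values.

```python
import re

def parse(conf):
    """Parse nginx config text into nested blocks with their add_header names."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (assumes no '#' in values)
    root = {"name": "main", "headers": set(), "children": []}
    stack, pending = [root], ""
    for tok in re.findall(r"[^{};]+|[{};]", conf):
        if tok == "{":  # the text before '{' names the block being opened
            block = {"name": " ".join(pending.split()), "headers": set(), "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        elif tok == "}":
            stack.pop()
        elif tok == ";":  # the text before ';' is one complete directive
            words = pending.split()
            if len(words) >= 2 and words[0] == "add_header":
                stack[-1]["headers"].add(words[1].lower())
        pending = "" if tok in ("{", "}", ";") else tok
    return root

def dropped_headers(block, inherited=frozenset(), out=None):
    """Map each block that sets add_header to the inherited headers it loses."""
    out = {} if out is None else out
    own = block["headers"]
    if own and inherited - own:
        out[block["name"]] = sorted(inherited - own)
    # A block with its own add_header replaces the inherited set for its children.
    for child in block["children"]:
        dropped_headers(child, own or inherited, out)
    return out

# Constructed sample with the same layout as the configuration on this page.
SAMPLE = r"""
server {
    location ~* \.(webp|woff2|css|js)$ {
        expires 30d;
        add_header Cache-Control "public, max-age=2592000";
    }
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    location / { try_files $uri $uri/ $uri.html =404; }
}
"""

if __name__ == "__main__":
    for name, lost in dropped_headers(parse(SAMPLE)).items():
        print(f"{name}: not sent -> {', '.join(lost)}")
```

A location that intentionally omits a header is reported too, so treat the output as a review list, not a failure.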