server {
		server_name www.aqzt.com aqzt.com;
		listen 443 ssl;
        server_tokens        off;
		index index.php index.html index.htm;
		root /home/s.aqzt.com;
		
ssl                  on;	
ssl_ct               on;
ssl_ct_static_scts  /usr/local/nginx/conf/scts;

ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_dhparam dhparam2048.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache          shared:SSL:50m;
ssl_session_timeout  5m;
ssl_prefer_server_ciphers on;

ssl_session_tickets        on;
ssl_session_ticket_key     session_ticket.key;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate server.chained.crt;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 15s;

error_page 500 502 503 504 404 /404.html;
  if ($host != 'aqzt.com' ) {
        rewrite          ^/(.*)$  https://aqzt.com/$1 permanent;
    }
		location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
				expires      30d;
		}

		location ~ .*\.(js|css)?$ {
				expires      12h;
		}

    location / {
        proxy_http_version       1.1;
##下面这条是启用HSTS，域名全部要HTTPS访问，强行要求使用SSL访问，谨慎开启哦！##
        add_header               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
		
        add_header               X-Frame-Options "deny";
        add_header               X-Content-Type-Options nosniff;
        add_header               Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: http://ip.qgy18.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net";

##下面这条要根据证书文件来生成，具体后面再说##
        add_header               Public-Key-Pins 'pin-sha256="lgQssFfElw1lSDPalWc2+LgIfuutPEPOiqsjeXhbDZI="; pin-sha256="zACFqsA1d4bQJtD0PHTV4EOSR56S62ao9DnhIrJkzCE="; max-age=2592000; includeSubDomains';

        add_header               Cache-Control no-cache;

        proxy_ignore_headers     Set-Cookie;

        proxy_hide_header        Vary;
        proxy_hide_header        X-Powered-By;

        proxy_set_header         X-Via            QingDao.Aliyun;
        proxy_set_header         Connection       "";
        proxy_set_header         Host             aqzt.com;
        proxy_set_header         X-Real_IP        $remote_addr;
        proxy_set_header         X-Forwarded-For  $proxy_add_x_forwarded_for;

        #proxy_pass               http://127.0.0.1:9095;
rewrite ^([^\.]*)/topic-(.+)\.html$ $1/portal.php?mod=topic&topic=$2 last;
rewrite ^([^\.]*)/article-([0-9]+)-([0-9]+)\.html$ $1/portal.php?mod=view&aid=$2&page=$3 last;
rewrite ^([^\.]*)/forum-(\w+)-([0-9]+)\.html$ $1/forum.php?mod=forumdisplay&fid=$2&page=$3 last;
rewrite ^([^\.]*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=viewthread&tid=$2&extra=page%3D$4&page=$3 last;
rewrite ^([^\.]*)/group-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=group&fid=$2&page=$3 last;
rewrite ^([^\.]*)/space-(username|uid)-(.+)\.html$ $1/home.php?mod=space&$2=$3 last;
rewrite ^([^\.]*)/([a-z]+)-(.+)\.html$ $1/$2.php?rewrite=$3 last;
    }

 location ~ \.php($|/){
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            include        fastcgi_params;
            set $path_info "";
            set $real_script_name $fastcgi_script_name;
            if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
                set $real_script_name $1;
                set $path_info $2;
            }
            fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
            fastcgi_param SCRIPT_NAME $real_script_name;
            fastcgi_param PATH_INFO $path_info;
                        fastcgi_param  PHP_VALUE         open_basedir=$document_root:/tmp/:/proc/;
    }

		access_log  /home/wwwlog/bbs.aqzt.com/access_https.log access;
		error_log  /home/wwwlog/bbs.aqzt.com/error_https.log error;
	}