enable ssl_early_data, default enable http2, option to enable brotli, fix shellcheck

Signed-off-by: Zoey <zoey@z0ey.de>
2025-08-03 16:03:38 +00:00 · 2023-01-20 08:09:52 +01:00
parent e0be3a5ea3
commit 45895ac53e
33 changed files with 367 additions and 261 deletions
--- a/rootfs/usr/local/nginx/conf/conf.d/include/brotli.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/brotli.conf
@@ -0,0 +1,4 @@
+brotli on;
+brotli_types *;
+brotli_comp_level 11;
+brotli_static on;
--- a/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/default.conf
@@ -13,6 +13,7 @@ server {

  server_name _;

+  include conf.d/include/brotli.conf;
  include conf.d/include/force-ssl.conf;
  include conf.d/include/tls-ciphers.conf;
  include conf.d/include/acme-challenge.conf;
--- a/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/proxy.conf
@@ -1,11 +1,13 @@
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Port $server_port;
+proxy_set_header Early-Data $ssl_early_data;
 proxy_set_header X-Forwarded-Scheme $scheme;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header Accept-Encoding "";
 proxy_set_header Host $host;

-proxy_http_version 1.1;
 proxy_ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2;
+proxy_http_version 1.1;
+
 proxy_pass $forward_scheme://$server:$port$request_uri;
--- a/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/tls-ciphers.conf
@@ -1,3 +1,8 @@
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_early_data on;
+
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
--- a/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/no-server-name.conf
@@ -17,6 +17,7 @@ server {
    server_name "";
    return 444;

+    include conf.d/include/brotli.conf;
    include conf.d/include/force-ssl.conf;
    include conf.d/include/tls-ciphers.conf;
    include conf.d/include/block-exploits.conf;
--- a/rootfs/usr/local/nginx/conf/conf.d/npm.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/npm.conf
@@ -7,6 +7,7 @@ server {
    add_header alt-svc 'h3=":443"; ma=86400, h3-29=":443"; ma=86400';

    server_name _;
+    include conf.d/include/brotli.conf;
    include conf.d/include/force-ssl.conf;
    include conf.d/include/tls-ciphers.conf;
    include conf.d/include/block-exploits.conf;
@@ -24,6 +25,7 @@ server {
        
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header Early-Data $ssl_early_data;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
@@ -33,8 +35,6 @@ server {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
-        proxy_read_timeout 15m;
-        proxy_send_timeout 15m;
    }

    location / {