主要配置

#############################################主站
server {
    listen       80;
    server_name  iape.ltd www.iape.ltd;
    include vhost/_iape.ltd.cav.cnf;
    location / {
        rewrite ^/(.*)$ https://iape.ltd/$1 permanent;
    }
}
server {
    server_name iape.ltd;
    include vhost/_iape.ltd.ssl.cnf;
    root   /.../iape.ltd/public/www;
    include vhost/_iape.ltd.php.cnf;
}
#############################################静态资源
server {
    listen       80;
    server_name  static.iape.ltd;
    include vhost/_iape.ltd.cav.cnf;
    include vhost/_iape.ltd.php.cnf;
}
server {
    server_name static.iape.ltd;
    include vhost/_iape.ltd.ssl.cnf;
    root   /.../iape.ltd/public/static;
    include vhost/_iape.ltd.php.cnf;
}

配置包含文件

vhost/_iape.ltd.cav.cnf
证书验证

access_log        /dev/null;
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
# CA认证
location ^~ /..../.../ {
    alias /.../ssl-challenges/;
    try_files $uri =404;
}

vhost/_iape.ltd.ssl.cnf
开启了https和http2

listen 443 ssl http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_certificate /.../ssl-encrypt1.pem;
ssl_certificate_key /.../domain1.key;
ssl_session_timeout 5m;

vhost/_iape.ltd.php.cnf
nginx解析php通用配置

if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
    return 444;
}
index  index.html index.php;
location ~* \.(?!php) {
    access_log off;
    try_files $uri =404;
    if ($http_origin ~* "^https?://[^/]*iape\.ltd$") {
        add_header        Cache-Control public;
        add_header        Cache-Control must-revalidate;
        add_header Access-Control-Allow-Origin '$http_origin';
        expires 30d;
    }
}
try_files $uri $uri/ @rewrite;
location / {
    rewrite ^/(.*)$ /index.php?_url=/$1;
}
location ~ \.php$ {
    try_files $uri =404;
    include fastcgi.conf;
    fastcgi_pass unix:/.../php.sock;
}