# Catch-all for plain HTTP: requests whose Host header matches no configured
# server_name (bare-IP probes, scanners) are handled here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    location / {
        # 444 is nginx-specific: close the connection without sending any response.
        return 444;
    }
}

# Catch-all for HTTPS: same idea as above for unmatched names on port 443.
server {
    # Placeholder certificate for this block only, generated with:
    #sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
    # The TLS handshake still completes with this certificate before the 444,
    # so its subject is visible to anyone who connects; keep real hostnames
    # out of it.
    # NOTE: nginx 1.19.4+ provides `ssl_reject_handshake on;`, which refuses the
    # handshake for unmatched names so that no certificate is presented at all;
    # with it this placeholder certificate pair is not needed.
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    location / {
        return 444;
    }
}

# HTTP -> HTTPS redirect for the real site names.
server {
    # NOTE(review): only IPv4 is bound here, while the catch-all above also binds
    # [::]:80. IPv6 requests for these names would therefore reach the catch-all
    # and be dropped; confirm whether the names publish AAAA records.
    listen 80;
    server_name example.com 1.example.com 2.example.com;

    # $host is limited to the names listed above: any other Host value is
    # routed to the default_server block and never reaches this redirect.
    return 301 https://$host$request_uri;
}
nginx 对于 80 端口返回 444(直接切断连接),443 端口选择 ssl_reject_handshake(需要 nginx 1.19.4 及以上版本,启用后默认 server 不必再配置自签证书)。
再配置 IP 白名单,只允许 CF 的 IP 访问。
感觉不放心的话,可以配合 CF 的 Argo Tunnel 使用,直接不暴露端口到公网。