# SSL 安全参数 (适用于 Let's Encrypt 证书)
# 此文件被 init-ssl.sh 复制到容器内 /etc/nginx/snippets/ssl-params.conf

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# HSTS：强制浏览器只用 HTTPS 连接（去掉 includeSubDomains，避免影响其他未配置 HTTPS 的子域名）
add_header Strict-Transport-Security "max-age=31536000" always;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# SSL session 优化
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# DH 参数 (如果生成了 dhparam.pem)
# ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# ── 安全响应头 ──────────────────────────────────────────────────────
# 防点击劫持：禁止页面被嵌入 iframe
add_header X-Frame-Options "SAMEORIGIN" always;
# 防 MIME 类型嗅探
add_header X-Content-Type-Options "nosniff" always;
# 启用浏览器内置 XSS 过滤（旧浏览器兼容）
add_header X-XSS-Protection "1; mode=block" always;
# 限制 Referer 信息泄露
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# 隐藏 nginx 版本号（在 nginx.conf 中配合 server_tokens off 使用）
# Content Security Policy：按需调整，当前允许同源 + 必要的外部资源
# frame-ancestors 额外放开微信支付收银台来源，避免微信 H5 支付 iframe 被拦截
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' res.wx.qq.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; connect-src 'self' https:; frame-ancestors 'self' https://wx.tenpay.com https://*.weixin.qq.com https://*.qq.com;" always;