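# Caching HTTPS mirror of cdn.jsdelivr.net, served as cdn.xxx.com.
# One directive per line: collapsed onto a single line, the first "#" would
# comment out everything after it.

# On-disk cache: 50 MB of keys, at most 10 GB of bodies, entries evicted after
# 1200 days without a hit.
proxy_cache_path /JsdelivrCache levels=1:2 keys_zone=jsdelivr:50m max_size=10g inactive=1200d use_temp_path=off;

# Plain HTTP: redirect everything to the HTTPS host.
server {
    listen 80;
    server_name cdn.xxx.com;
    return 301 https://cdn.xxx.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name cdn.xxx.com;
    root /usr/share/nginx/html;

    ssl_certificate     /root/.acme.sh/xxx.com/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/xxx.com/xxx.com.key;
    # Check the certificate paths above: confirm whether the certificate
    # directory name under "live" contains "www"; if it does not, remove "www."
    # from the two lines above.
    # (Carried over from the original template. The acme.sh paths above contain
    # neither "live" nor "www.", so just confirm they match the issued files.)
    # NOTE(review): acme.sh documents ~/.acme.sh as internal storage; consider
    # deploying the certificate and key with `acme.sh --install-cert` to a
    # dedicated directory with tight permissions and pointing nginx there.

    # NOTE(review): the trailing ECDH:AES:HIGH groups still admit CBC-mode and
    # non-forward-secret RSA key-exchange suites. Consider restricting the list
    # to ECDHE AEAD suites once client compatibility is confirmed.
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE";
    # TLS 1.1 is formally deprecated (RFC 8996) and was dropped here; only
    # TLS 1.2 and 1.3 are offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Plain HTTP sent to the TLS port (nginx status 497): redirect to the
    # canonical HTTPS URL. The host is hard-coded, as in the port-80 server,
    # rather than taken from the client-supplied Host header ($http_host), so
    # the redirect target cannot be steered by the request. "=301" sets the
    # redirect status; a bare "301" was parsed as a second code to intercept.
    error_page 497 =301 https://cdn.xxx.com$request_uri;

    # HSTS (ngx_http_headers_module is required) (31536000 seconds = 12 months)
    # If enabled, repeat it inside "location /" as well: that location declares
    # its own add_header, so server-level add_header lines are not inherited.
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # OCSP stapling: fetch OCSP records from the URL in ssl_certificate and
    # cache them.
    # NOTE(review): stapling needs a `resolver`, and ssl_stapling_verify usually
    # needs `ssl_trusted_certificate`. Neither is set in this snippet, so
    # confirm they are defined in the enclosing http context.
    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
        proxy_pass https://cdn.jsdelivr.net;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host cdn.jsdelivr.net;

        # NOTE(review): these three headers disclose each visitor's IP address
        # to the third-party origin. Drop them unless that is intended.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;

        # Send SNI and verify the origin's certificate. nginx does NOT verify
        # upstream certificates by default, so an on-path attacker between this
        # host and the origin could inject script content. That content would
        # then be cached and served to every visitor for up to a year.
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # Debian/Ubuntu CA bundle location. Point this at your distribution's
        # CA bundle if it lives elsewhere; `nginx -t` fails if the file is missing.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Exposes HIT/MISS/EXPIRED to clients for debugging.
        add_header X-Cache $upstream_cache_status;

        # The origin's caching headers are ignored and every 200 is kept for
        # 365 days, both here and in browsers (expires).
        # NOTE(review): this also pins mutable URLs (for example "@latest" or
        # version-range paths) for a year, so upstream security fixes will not
        # reach users until the entry is purged. Consider a shorter lifetime
        # for anything that is not an exact-version URL.
        proxy_ignore_headers Set-Cookie Cache-Control expires;
        proxy_cache jsdelivr;
        # NOTE(review): $host is client-influenced if this server is the
        # default for port 443. Varying Host values would then create duplicate
        # cache entries; confirm another default server catches unknown names.
        proxy_cache_key $host$uri$is_args$args;
        proxy_cache_valid 200 365d;
        expires 365d;
    }
}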