# Connection-processing settings.
events {
    # Upper bound on simultaneous connections a single worker process may hold open.
    worker_connections 1024;
}
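http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    sendfile on;
    keepalive_timeout 65;

    # Static website server
    server {
        listen 80;
        server_name localhost;

        # Web root directory
        root /usr/share/nginx/html;
        index index.html index.htm;

        # ===== Remove the conflicting X-Frame-Options; use CSP instead =====
        # Delete the following two lines:
        # proxy_hide_header X-Frame-Options;
        # add_header X-Frame-Options SAMEORIGIN always;

        # Use CSP frame-ancestors instead (more flexible, modern)
        # Configuration notes:
        # - 'self': allow same-origin pages to embed this site
        # - https://your-trusted-domain.com: allow a specific domain to embed (replace with your actual domain)
        # - separate multiple domains with spaces
        #
        # Inheritance caveat: nginx applies add_header directives from this level to a
        # location only when that location declares no add_header of its own. Every
        # location below that sets its own headers therefore repeats this policy;
        # otherwise its responses (including the HTML pages) would be sent without
        # any framing restriction.
        # NOTE(review): browsers that do not implement frame-ancestors get no framing
        # protection once X-Frame-Options is removed - confirm that is acceptable.
        add_header Content-Security-Policy "frame-ancestors 'self' https://www.airzhihui.com https://www.rszhihui.com;" always;

        # If the site never needs to be embedded by any page, use:
        # add_header Content-Security-Policy "frame-ancestors 'none';" always;

        # To allow any domain to embed it (not recommended, security risk):
        # add_header Content-Security-Policy "frame-ancestors *;" always;

        # ========== aircrawl reverse proxy ==========
        # Redirect the slash-less form to the trailing-slash form
        location = /aircrawl {
            return 302 /aircrawl/;
        }

        location /aircrawl/ {
            # NOTE(review): the upstream is reached over plain http://. If this hop
            # leaves a trusted network segment, proxied requests and responses
            # (cookies, tokens) travel unencrypted - consider TLS to the upstream or
            # a private link.
            proxy_pass http://118.25.129.153:1030/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Hide any X-Frame-Options the upstream may return (avoids conflicting policies)
            proxy_hide_header X-Frame-Options;

            # Separate CSP for the reverse proxy (optional). Because this location
            # declares add_header, the server-level policy is not inherited here;
            # this narrower one is the only framing policy nginx adds.
            add_header Content-Security-Policy "frame-ancestors 'self' https://www.airzhihui.com;" always;

            # WebSocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # 1. Explicitly reject requests for server-side script extensions
        location ~* \.(php|phtml|asp|aspx|jsp)$ {
            # NOTE(review): with the access log off, probes for these extensions leave
            # no trace for log-based detection; keep logging if that signal is wanted.
            access_log off;
            return 404;
        }

        # 2. Avatar static assets
        # NOTE(review): this is a plain prefix location, so a matching regex location
        # (e.g. the image-extension block below) takes precedence for URIs such as
        # /api/profile/avatar/x.png and serves them from `root`, not from this alias.
        # `location ^~ /api/profile/avatar/` would pin them here, but it would also
        # bypass the script-extension block above and serve any uploaded file type
        # same-origin - verify what the upload path accepts before changing it.
        location /api/profile/avatar/ {
            alias /mydata/docker/piaoruo/upload/avatar/;
            try_files $uri =404;
            expires 7d;
            access_log off;
            add_header Cache-Control "public";

            # Security headers (`always` so error responses carry them too)
            add_header X-Content-Type-Options nosniff always;
            # Repeated because this location's own add_header lines stop inheritance
            add_header Content-Security-Policy "frame-ancestors 'self' https://www.airzhihui.com https://www.rszhihui.com;" always;
        }

        # Static file cache settings
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
            # Intended to exclude the avatar path and avoid a conflict.
            # NOTE(review): `break` only stops further rewrite-module directives; the
            # expires/add_header lines below still apply to avatar URIs, so this `if`
            # does not exclude anything.
            if ($request_uri ~* "^/api/profile/avatar/") {
                break;
            }
            expires 1y;
            add_header Cache-Control "public, immutable";
            # Repeated because this location's own add_header lines stop inheritance
            add_header Content-Security-Policy "frame-ancestors 'self' https://www.airzhihui.com https://www.rszhihui.com;" always;
        }

        # Do not cache HTML files
        location ~* \.html$ {
            expires -1;
            add_header Cache-Control "no-store, no-cache, must-revalidate";
            # Repeated because this location's own add_header lines stop inheritance.
            # /index.html is served from here (index lookup and the SPA fallback both
            # redirect internally to it), so this is where the framing policy matters most.
            add_header Content-Security-Policy "frame-ancestors 'self' https://www.airzhihui.com https://www.rszhihui.com;" always;
        }

        # SPA routing support: unknown paths fall back to the application shell
        location / {
            try_files $uri $uri/ /index.html;
        }
    }
}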