ok1

2026-06-12 11:48:17 +08:00
parent ee26bc6d7a
commit 8c93377659
45 changed files with 12786 additions and 1716 deletions
@@ -0,0 +1,256 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log;
+pid /run/nginx.pid;
+
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+# 新增 WebSocket 专用日志格式
+    log_format websocket '$remote_addr [$time_local] "$request" '
+                        '$status $upstream_status $body_bytes_sent';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    include /etc/nginx/conf.d/*.conf;
+
+    # HTTP 重定向到 HTTPS
+    server {
+        listen       80;
+        server_name  www.airzhihui.com 123.57.71.170;
+        return 301 https://www.airzhihui.com$request_uri;
+    }
+
+    # HTTPS 服务器
+    server {
+        listen       443 ssl http2;
+        server_name  www.airzhihui.com;
+
+        # SSL 配置
+        ssl_certificate     /mydata/cert/www.airzhihui.com.pem;
+        ssl_certificate_key /mydata/cert/www.airzhihui.com.key;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 1d;
+        ssl_session_tickets off;
+
+        # 安全头部
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+
+        # 静态资源
+        root /mydata/www/piao/;
+        index index.html;
+
+        # 前端路由（Vue/React SPA 支持）
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+      # 静态头像文件（优先级最高）
+          location ^~ /api/profile/avatar/ {
+              alias /mydata/upload/piao/avatar/;  # 关键修正：使用宿主机路径
+              try_files $uri =404;
+              expires 7d;
+              access_log off;
+              add_header Cache-Control "public";
+          }
+
+      # 通用静态资源（排除已单独处理的头像路径）
+      location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2)$ {
+          # 排除 /api/profile/avatar/ 路径
+          if ($request_uri ~* "^/api/profile/avatar/") {
+              break;
+          }
+          expires 30d;
+          access_log off;
+          add_header Cache-Control "public";
+      }
+ # WebSocket 代理配置
+        location /api/websocket/eterm {
+            proxy_pass http://123.57.71.170:1024/websocket/eterm;
+
+            # WebSocket 必须配置
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+
+            # 连接超时设置
+            proxy_read_timeout 86400s;
+            proxy_send_timeout 86400s;
+            proxy_connect_timeout 5s;
+
+            # 安全控制
+#             allow 192.168.1.0/24;
+#             allow 123.57.71.170;
+#             deny all;
+
+            # 日志记录
+            access_log /var/log/nginx/websocket.log websocket;
+        }
+
+       # 代理HTTP接口
+       location /api/ {
+           proxy_pass http://123.57.71.170:1024/;
+           proxy_set_header Host $host;
+           proxy_set_header X-Real-IP $remote_addr;
+           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+           proxy_set_header X-Forwarded-Proto $scheme;
+       }
+       location /airfly/ {
+           proxy_pass http://118.25.129.153:1025/airfly/;  # 关键：末尾必须加斜杠
+
+           # 请求头透传
+           proxy_set_header Host $host;
+           proxy_set_header X-Real-IP $remote_addr;
+           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+           proxy_set_header X-Forwarded-Proto $scheme;
+
+           # Cookie 路径重写（与后端 context-path 匹配）
+           proxy_cookie_path /airfly /airfly;  # 保持路径一致
+
+           # 安全头控制（允许 iframe 嵌入）
+           proxy_hide_header X-Frame-Options;
+           add_header Content-Security-Policy "frame-ancestors 'self' www.airzhihui.com";
+
+           # 其他优化
+           proxy_redirect off;
+           proxy_http_version 1.1;
+       }
+    }
+
+
+
+    # HTTP 重定向到 HTTPS
+    server {
+        listen       80;
+        server_name  www.rszhihui.com;
+        return 301 https://$host$request_uri;
+    }
+
+    # HTTPS 反向代理
+    server {
+        listen       443 ssl http2;
+        server_name  www.rszhihui.com;
+
+        ssl_certificate     /mydata/cert/www.rszhihui.com.pem;
+        ssl_certificate_key /mydata/cert/www.rszhihui.com.key;
+
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 1d;
+        ssl_session_tickets off;
+
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+
+        location / {
+            proxy_pass http://123.57.71.170:8088;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_cache_bypass $http_upgrade;
+
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 120s;
+            proxy_read_timeout 120s;
+        }
+    }
+
+
+
+    # ==============================================
+    # 新增：AI 子域名配置 ai.rszhihui.com
+    # ==============================================
+
+    # HTTP 重定向到 HTTPS：ai.rszhihui.com
+    server {
+        listen       80;
+        server_name  ai.rszhihui.com;
+        return 301 https://$host$request_uri;
+    }
+
+    # HTTPS 反向代理 AI 服务：ai.rszhihui.com
+    server {
+        listen       443 ssl http2;
+        server_name  ai.rszhihui.com;
+
+        # 使用通配符或单独为 ai.rszhihui.com 签发的证书
+        ssl_certificate     /mydata/cert/ai.rszhihui.com.pem;      # 建议使用 *.rszhihui.com 或包含 ai.rszhihui.com 的证书
+        ssl_certificate_key /mydata/cert/ai.rszhihui.com.key;
+
+        # SSL 安全配置（同上）
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 1d;
+        ssl_session_tickets off;
+
+        # 安全头：允许被自己的主站嵌入（关键！）
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+
+        # ✅ 允许被 https://www.rszhihui.com 嵌入
+        add_header Content-Security-Policy "frame-ancestors 'self' https://www.rszhihui.com;";
+        # 或者更开放：允许所有来源嵌入（不推荐生产环境）
+        # add_header Content-Security-Policy "frame-ancestors *;";
+
+        # 可选：如果不希望 X-Frame-Options 干扰，可以隐藏或不设置
+        # proxy_hide_header X-Frame-Options;  # 如果后端返回了，可隐藏
+
+        # 代理到 AI 服务
+        location / {
+            proxy_pass http://118.25.129.153/;
+
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+
+            # 超时设置
+            proxy_connect_timeout 30s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
+
+            # 日志（便于调试）
+            access_log /var/log/nginx/ai_rszhihui_access.log main;
+            error_log /var/log/nginx/ai_rszhihui_error.log;
+        }
+    }
+}