# Main (core) context: worker identity, process count, logging and PID file.
# Workers drop to the unprivileged 'nginx' user; the master stays root so it can
# bind :80/:443 and read the TLS private keys referenced below.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Dynamic modules (e.g. stream, image filter) are loaded from this directory.
include /usr/share/nginx/modules/*.conf;
events {
# Upper bound of simultaneous connections per worker. Long-lived WebSocket
# connections (see the 86400s read timeouts further down) each hold one slot
# for as long as they stay open — size this with that in mind.
worker_connections 1024;
}
http {
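# Default access-log format. $http_x_forwarded_for is a client-supplied header:
# useful behind an upstream load balancer, but it must not be treated as the
# authoritative client address for attribution or access control.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Dedicated WebSocket log format (adds the upstream status so failed
# upgrades are visible in /var/log/nginx/websocket.log).
log_format websocket '$remote_addr [$time_local] "$request" '
'$status $upstream_status $body_bytes_sent';
access_log /var/log/nginx/access.log main;
# Do not advertise the nginx version in the Server header or on error pages;
# it gives scanners a free fingerprint for nothing in return.
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Anything dropped into conf.d is loaded BEFORE the server blocks below, so a
# conf.d file declaring default_server (or a duplicate server_name) silently
# changes which vhost answers a given request.
include /etc/nginx/conf.d/*.conf;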
# HTTP 重定向到 HTTPS
# Plain-HTTP listener: redirect everything to HTTPS on the canonical host.
# Being the first ':80' server declared, this is also the implicit
# default_server for any Host header that matches nothing else.
server {
listen 80;
# The bare IP is listed so that http://123.57.71.170 is redirected too.
# NOTE(review): there is no matching default_server on :443, so
# https://123.57.71.170 will be answered by the first ':443' server below
# with its (mismatching) certificate; consider a catch-all 443 server that
# returns 444.
server_name www.airzhihui.com 123.57.71.170;
# Canonical host is hard-coded deliberately (not $host) so the IP is rewritten
# to the domain; the original path and query string are preserved.
return 301 https://www.airzhihui.com$request_uri;
}
# HTTPS 服务器
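# HTTPS server for www.airzhihui.com: serves the SPA build from disk, user
# avatars from the upload directory, and reverse-proxies /api/, the eterm
# WebSocket and /airfly/ to back-end services.
server {
# NOTE: nginx >= 1.25.1 deprecates the 'http2' listen parameter in favour
# of a separate 'http2 on;' directive; this form still works today.
listen 443 ssl http2;
server_name www.airzhihui.com;
# TLS configuration.
# NOTE(review): the .key file should be readable by root only — the master
# process reads it before workers drop to the 'nginx' user.
ssl_certificate /mydata/cert/www.airzhihui.com.pem;
ssl_certificate_key /mydata/cert/www.airzhihui.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# AEAD-only, forward-secret suite list. The trailing DHE-* entries are inert
# unless ssl_dhparam is configured (nginx sets no DH parameters by default).
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# Tickets are off so forward secrecy is not undermined by a long-lived
# ticket key; resumption still works through the shared session cache.
ssl_session_tickets off;
# Security headers.
# 'always' attaches them to 4xx/5xx responses as well; without it nginx only
# adds them to 2xx/3xx. Also note that add_header is NOT inherited into a
# location that declares its own add_header, so every such location below
# restates the headers it needs.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
# Legacy header; modern browsers ignore it and OWASP now recommends '0'.
# Kept as-is for older clients.
add_header X-XSS-Protection "1; mode=block" always;
# Static files (SPA build output).
root /mydata/www/piao/;
index index.html;
# Never serve dotfiles from the document root (a stray .git/, .env or
# editor backup in the deploy directory would otherwise be downloadable).
# /.well-known/ is left reachable for ACME-style challenges.
location ~ /\.(?!well-known/) {
deny all;
access_log off;
log_not_found off;
}
# Front-end routing (Vue/React SPA): unknown paths fall back to index.html.
location / {
try_files $uri $uri/ /index.html;
}
# User-uploaded avatar files, served straight from the upload directory.
# '^~' makes this prefix win over the asset regex location below.
location ^~ /api/profile/avatar/ {
alias /mydata/upload/piao/avatar/; # host path of the upload directory
try_files $uri =404;
expires 7d;
access_log off;
add_header Cache-Control "public";
# This location has its own add_header, so the server-level headers are
# not inherited here; restate the ones that matter for user-supplied files.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
# These files are uploaded by users and served from the site's own origin.
# An uploaded SVG (or anything a browser would render as a document) opened
# directly would execute with that origin's privileges. The sandbox CSP
# below neutralises scripts in such documents while leaving <img> loads
# unaffected (CSP is not applied to image sub-resources).
# NOTE(review): confirm the upload handler also validates content type.
add_header Content-Security-Policy "default-src 'none'; sandbox" always;
}
# Generic static assets served from 'root'.
# The /api/ and /airfly/ prefixes are declared with '^~' below, so this
# regex never captures asset-looking URLs (e.g. /api/x.js, /airfly/app.css)
# that belong to the proxied back ends. Previously those prefixes were
# plain, and regex locations take precedence over plain prefixes, so such
# URLs were answered from the local root instead of being proxied. The old
# 'if ($request_uri ~* "^/api/profile/avatar/") { break; }' was dead code
# (the avatar location is '^~') and has been dropped.
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2)$ {
expires 30d;
access_log off;
add_header Cache-Control "public";
# Restate server-level headers lost to this location's own add_header.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff always;
}
# WebSocket proxy (eterm).
location ^~ /api/websocket/eterm {
# Cleartext hop to the back end. 123.57.71.170 is also listed as this
# host's address on the :80 server; if the service runs on this machine,
# 127.0.0.1 keeps the hop off the network and port 1024 off the public
# interface — confirm before changing.
proxy_pass http://123.57.71.170:1024/websocket/eterm;
# Required for the WebSocket upgrade.
# NOTE: 'Connection: upgrade' is sent unconditionally; the canonical form
# is a 'map $http_upgrade $connection_upgrade' in the http context so that
# non-upgrade requests to this path are not mislabelled.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
# Timeouts: a day of idle is allowed so sessions survive without keepalive
# pings. Each idle socket holds a worker_connections slot for that long, so
# an application-level ping/pong is the better way to keep sessions alive.
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
proxy_connect_timeout 5s;
# Access control (currently disabled — the endpoint is reachable from
# anywhere; uncomment and adjust to restrict it).
# allow 192.168.1.0/24;
# allow 123.57.71.170;
# deny all;
# Logging
access_log /var/log/nginx/websocket.log websocket;
}
# HTTP API proxy. The trailing slash on proxy_pass strips the /api/ prefix.
location ^~ /api/ {
# Cleartext hop (see the WebSocket location above). TLS terminates here;
# the back end learns the original scheme from X-Forwarded-Proto and must
# trust X-Forwarded-For/X-Real-IP only when they come from this proxy.
proxy_pass http://123.57.71.170:1024/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# airfly application, proxied to a second host. This hop is plain HTTP
# across the network: request bodies and cookies travel unencrypted between
# this machine and 118.25.129.153 — terminate TLS there too if that path
# is not otherwise protected.
location ^~ /airfly/ {
proxy_pass http://118.25.129.153:1025/airfly/; # the trailing slash is required
# Forwarded request headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Cookie path rewrite (kept identical to the back end's context-path).
# As written this is a no-op; it is retained as the hook to change if the
# back-end context-path ever diverges from /airfly.
proxy_cookie_path /airfly /airfly;
# Framing policy: drop any X-Frame-Options the back end sets and allow
# embedding by this site only. 'self' already covers www.airzhihui.com;
# the scheme-less hostname is redundant and would also match http://.
proxy_hide_header X-Frame-Options;
add_header Content-Security-Policy "frame-ancestors 'self' www.airzhihui.com";
# Restate server-level headers lost to this location's own add_header.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff always;
# Misc
proxy_redirect off;
proxy_http_version 1.1;
}
}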
# HTTP 重定向到 HTTPS
# Plain-HTTP listener for www.rszhihui.com: redirect to HTTPS on the same
# host, preserving path and query string.
server {
listen 80;
server_name www.rszhihui.com;
# $host is safe here because server_name only admits this one name.
return 301 https://$host$request_uri;
}
# HTTPS 反向代理
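# HTTPS reverse proxy for www.rszhihui.com -> local service on :8088.
server {
# NOTE: nginx >= 1.25.1 prefers a separate 'http2 on;' directive.
listen 443 ssl http2;
server_name www.rszhihui.com;
# TLS configuration (same policy as the other vhosts).
ssl_certificate /mydata/cert/www.rszhihui.com.pem;
ssl_certificate_key /mydata/cert/www.rszhihui.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# DHE-* suites are inert unless ssl_dhparam is configured.
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# Security headers. 'always' also attaches them to 4xx/5xx responses.
# The single location below declares no add_header of its own, so these
# are inherited by it.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
location / {
# Cleartext hop to the back end; X-Forwarded-* must be trusted by it only
# when the request arrives from this proxy.
proxy_pass http://123.57.71.170:8088;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support. 'Connection: upgrade' is sent on EVERY request
# (plain HTTP ones included); the canonical fix is a
# 'map $http_upgrade $connection_upgrade' in the http context.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
# No proxy_cache is defined in this file, so this is currently a no-op.
proxy_cache_bypass $http_upgrade;
proxy_connect_timeout 60s;
proxy_send_timeout 120s;
proxy_read_timeout 120s;
}
}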
# ==============================================
# Added: AI sub-domain configuration for ai.rszhihui.com
# ==============================================
# HTTP -> HTTPS redirect for ai.rszhihui.com
# Plain-HTTP listener for ai.rszhihui.com: redirect to HTTPS on the same
# host, preserving path and query string.
server {
listen 80;
server_name ai.rszhihui.com;
# $host is safe here because server_name only admits this one name.
return 301 https://$host$request_uri;
}
# HTTPS 反向代理 AI 服务:ai.rszhihui.com
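# HTTPS reverse proxy for the AI service: ai.rszhihui.com -> 118.25.129.153:80
server {
# NOTE: nginx >= 1.25.1 prefers a separate 'http2 on;' directive.
listen 443 ssl http2;
server_name ai.rszhihui.com;
# Use a wildcard certificate or one issued specifically for ai.rszhihui.com
# (*.rszhihui.com, or a SAN cert that includes ai.rszhihui.com).
ssl_certificate /mydata/cert/ai.rszhihui.com.pem;
ssl_certificate_key /mydata/cert/ai.rszhihui.com.key;
# TLS policy (same as the other vhosts).
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# DHE-* suites are inert unless ssl_dhparam is configured.
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# Security headers. This vhost is meant to be embedded by the main site, so
# X-Frame-Options is deliberately NOT set here; framing is governed by the
# CSP frame-ancestors directive below (which modern browsers prefer over
# X-Frame-Options when both are present). 'always' also covers 4xx/5xx.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
# Allow embedding only by https://www.rszhihui.com (and this origin).
add_header Content-Security-Policy "frame-ancestors 'self' https://www.rszhihui.com;" always;
# More permissive alternative — allow any origin to embed (not recommended in production):
# add_header Content-Security-Policy "frame-ancestors *;";
# Optional: if the back end emits its own X-Frame-Options, hide it so it
# cannot contradict the policy above.
# proxy_hide_header X-Frame-Options;
# Proxy to the AI service.
location / {
# Plain HTTP across the network to another host: prompts/responses and
# cookies are unencrypted on this hop unless the link is otherwise
# protected. The back end must also trust X-Forwarded-* only from here.
proxy_pass http://118.25.129.153/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support; 'Connection: upgrade' is sent unconditionally
# (a map on $http_upgrade in the http context is the canonical form).
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Timeouts
proxy_connect_timeout 30s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# Per-vhost logs (for troubleshooting).
access_log /var/log/nginx/ai_rszhihui_access.log main;
error_log /var/log/nginx/ai_rszhihui_error.log;
}
}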
}