bot_ym
/
water-management-system
Прати 6
Волим 0
Креирај огранак 0
Код Дискусије 0 Захтеви за спајање 0 Издања 0 Вики Activity
智慧水务管理系统 - 精河县供水工程综合管理平台
88 Комити
2 Гране
Дрво: 81ca9d6e74
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from '81ca9d6e74'
${ noResults }
water-management-system/deploy/production/nginx/nginx.conf

nginx.conf 9.6KB
Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283 
  1. # ============================================================

  2. # 生产环境 Nginx 配置

  3. # 支持 HTTPS, HTTP/2, 安全 headers, 限流, WebSocket

  4. # ============================================================

  5. 

  6. user nginx;

  7. worker_processes auto;

  8. worker_rlimit_nofile 65535;

  9. pid /run/nginx.pid;

  10. error_log /var/log/nginx/error.log warn;

  11. 

  12. events {

  13.     worker_connections 4096;

  14.     multi_accept on;

  15.     use epoll;

  16. }

  17. 

  18. http {

  19.     include       /etc/nginx/mime.types;

  20.     default_type  application/octet-stream;

  21. 

  22.     # ==================== 日志格式 ====================

  23.     log_format main '$remote_addr - $remote_user [$time_local] "$request" '

  24.                     '$status $body_bytes_sent "$http_referer" '

  25.                     '"$http_user_agent" "$http_x_forwarded_for" '

  26.                     'rt=$request_time';

  27. 

  28.     log_format json escape=json '{'

  29.         '"time":"$time_iso8601",'

  30.         '"remote_addr":"$remote_addr",'

  31.         '"request":"$request",'

  32.         '"status":$status,'

  33.         '"body_bytes_sent":$body_bytes_sent,'

  34.         '"referer":"$http_referer",'

  35.         '"user_agent":"$http_user_agent",'

  36.         '"request_time":$request_time,'

  37.         '"upstream_response_time":"$upstream_response_time"'

  38.     '}';

  39. 

  40.     access_log /var/log/nginx/access.log json;

  41. 

  42.     # ==================== 基础优化 ====================

  43.     sendfile           on;

  44.     tcp_nopush         on;

  45.     tcp_nodelay        on;

  46.     keepalive_timeout  65;

  47.     keepalive_requests 1000;

  48.     types_hash_max_size 2048;

  49.     server_names_hash_bucket_size 128;

  50.     client_max_body_size 50m;

  51.     client_body_buffer_size 128k;

  52. 

  53.     # ==================== Gzip 压缩 ====================

  54.     gzip on;

  55.     gzip_vary on;

  56.     gzip_proxied any;

  57.     gzip_comp_level 6;

  58.     gzip_buffers 16 8k;

  59.     gzip_http_version 1.1;

  60.     gzip_min_length 1024;

  61.     gzip_types

  62.         text/plain

  63.         text/css

  64.         text/xml

  65.         text/javascript

  66.         application/json

  67.         application/javascript

  68.         application/x-javascript

  69.         application/xml

  70.         application/xml+rss

  71.         application/vnd.ms-fontobject

  72.         font/opentype

  73.         image/svg+xml

  74.         image/x-icon;

  75. 

  76.     # ==================== 限流配置 ====================

  77.     # 全局 API 限流: 每秒 30 个请求

  78.     limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r/s;

  79.     # 登录接口限流: 每分钟 10 个请求

  80.     limit_req_zone $binary_remote_addr zone=login_limit:10m rate=10r/m;

  81.     # WebSocket 连接数限制

  82.     limit_conn_zone $binary_remote_addr zone=ws_conn_limit:10m;

  83. 

  84.     # ==================== 上游服务 ====================

  85.     upstream gateway {

  86.         server wm-gateway:8080;

  87.         keepalive 32;

  88.     }

  89. 

  90.     # ==================== HTTP → HTTPS 跳转 ====================

  91.     server {

  92.         listen 80;

  93.         listen [::]:80;

  94.         server_name _;

  95. 

  96.         # Let's Encrypt 验证路径

  97.         location /.well-known/acme-challenge/ {

  98.             root /var/www/certbot;

  99.             allow all;

  100.         }

  101. 

  102.         # 其余请求全部 301 跳转到 HTTPS

  103.         location / {

  104.             return 301 https://$host$request_uri;

  105.         }

  106.     }

  107. 

  108.     # ==================== HTTPS 主服务 ====================

  109.     server {

  110.         listen 443 ssl http2;

  111.         listen [::]:443 ssl http2;

  112.         server_name _;

  113. 

  114.         # ==================== SSL 证书 ====================

  115.         # Let's Encrypt 证书路径(使用 certbot 自动生成)

  116.         ssl_certificate     /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;

  117.         ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;

  118.         ssl_trusted_certificate /etc/letsencrypt/live/${DOMAIN}/chain.pem;

  119. 

  120.         # SSL 优化

  121.         ssl_session_timeout 1d;

  122.         ssl_session_cache shared:SSL:50m;

  123.         ssl_session_tickets off;

  124. 

  125.         # SSL 协议和加密套件

  126.         ssl_protocols TLSv1.2 TLSv1.3;

  127.         ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

  128.         ssl_prefer_server_ciphers off;

  129. 

  130.         # OCSP Stapling

  131.         ssl_stapling on;

  132.         ssl_stapling_verify on;

  133.         resolver 8.8.8.8 8.8.4.4 valid=300s;

  134.         resolver_timeout 5s;

  135. 

  136.         # ==================== 安全 Headers ====================

  137.         add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

  138.         add_header X-Frame-Options "SAMEORIGIN" always;

  139.         add_header X-Content-Type-Options "nosniff" always;

  140.         add_header X-XSS-Protection "1; mode=block" always;

  141.         add_header Referrer-Policy "strict-origin-when-cross-origin" always;

  142.         add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

  143.         add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss: ws: https:; frame-ancestors 'self';" always;

  144. 

  145.         # 隐藏 Nginx 版本

  146.         server_tokens off;

  147. 

  148.         # ==================== 前端静态资源 ====================

  149.         root /usr/share/nginx/html;

  150.         index index.html;

  151. 

  152.         location / {

  153.             try_files $uri $uri/ /index.html;

  154. 

  155.             # HTML 文件不缓存(确保更新及时生效)

  156.             location ~* \.html$ {

  157.                 expires -1;

  158.                 add_header Cache-Control "no-cache, no-store, must-revalidate";

  159.             }

  160.         }

  161. 

  162.         # 静态资源长期缓存(带 hash 的文件名)

  163.         location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|map)$ {

  164.             expires 1y;

  165.             add_header Cache-Control "public, immutable";

  166.             access_log off;

  167.         }

  168. 

  169.         # ==================== API 反向代理 ====================

  170.         location /api/ {

  171.             limit_req zone=api_limit burst=50 nodelay;

  172.             limit_req_status 429;

  173. 

  174.             proxy_pass http://gateway/;

  175.             proxy_http_version 1.1;

  176.             proxy_set_header Host $host;

  177.             proxy_set_header X-Real-IP $remote_addr;

  178.             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  179.             proxy_set_header X-Forwarded-Proto $scheme;

  180.             proxy_set_header X-Request-ID $request_id;

  181.             proxy_set_header Connection "";

  182. 

  183.             proxy_connect_timeout 30s;

  184.             proxy_send_timeout 60s;

  185.             proxy_read_timeout 120s;

  186. 

  187.             proxy_buffering on;

  188.             proxy_buffer_size 4k;

  189.             proxy_buffers 8 16k;

  190.             proxy_busy_buffers_size 32k;

  191. 

  192.             # 文件上传大小限制

  193.             client_max_body_size 50m;

  194.         }

  195. 

  196.         # 登录接口严格限流

  197.         location ~* ^/api/(auth|login|oauth) {

  198.             limit_req zone=login_limit burst=5 nodelay;

  199.             limit_req_status 429;

  200. 

  201.             proxy_pass http://gateway;

  202.             proxy_http_version 1.1;

  203.             proxy_set_header Host $host;

  204.             proxy_set_header X-Real-IP $remote_addr;

  205.             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  206.             proxy_set_header X-Forwarded-Proto $scheme;

  207.         }

  208. 

  209.         # ==================== WebSocket 代理 ====================

  210.         location /ws/ {

  211.             limit_conn ws_conn_limit 10;

  212. 

  213.             proxy_pass http://gateway/ws/;

  214.             proxy_http_version 1.1;

  215.             proxy_set_header Upgrade $http_upgrade;

  216.             proxy_set_header Connection "upgrade";

  217.             proxy_set_header Host $host;

  218.             proxy_set_header X-Real-IP $remote_addr;

  219.             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  220.             proxy_set_header X-Forwarded-Proto $scheme;

  221. 

  222.             proxy_connect_timeout 7d;

  223.             proxy_send_timeout 7d;

  224.             proxy_read_timeout 7d;

  225.         }

  226. 

  227.         # ==================== MQTT over WebSocket ====================

  228.         location /mqtt {

  229.             proxy_pass http://wm-emqx:8083/mqtt;

  230.             proxy_http_version 1.1;

  231.             proxy_set_header Upgrade $http_upgrade;

  232.             proxy_set_header Connection "upgrade";

  233.             proxy_set_header Host $host;

  234.             proxy_read_timeout 3600s;

  235.         }

  236. 

  237.         # ==================== GeoServer GIS 代理 ====================

  238.         location /geoserver/ {

  239.             proxy_pass http://wm-geoserver:8080/geoserver/;

  240.             proxy_set_header Host $host;

  241.             proxy_set_header X-Real-IP $remote_addr;

  242.             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  243.             proxy_set_header X-Forwarded-Proto $scheme;

  244. 

  245.             # GIS 数据可能较大

  246.             client_max_body_size 100m;

  247.             proxy_read_timeout 300s;

  248.         }

  249. 

  250.         # ==================== MinIO 对象存储代理 ====================

  251.         location /minio/ {

  252.             proxy_pass http://wm-minio:9000/;

  253.             proxy_set_header Host $host;

  254.             proxy_set_header X-Real-IP $remote_addr;

  255.             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  256.             proxy_set_header X-Forwarded-Proto $scheme;

  257. 

  258.             client_max_body_size 500m;

  259.         }

  260. 

  261.         # ==================== 健康检查 ====================

  262.         location /health {

  263.             access_log off;

  264.             return 200 '{"status":"UP"}';

  265.             add_header Content-Type application/json;

  266.         }

  267. 

  268.         # 禁止访问隐藏文件

  269.         location ~ /\. {

  270.             deny all;

  271.             access_log off;

  272.             log_not_found off;

  273.         }

  274. 

  275.         # 错误页面

  276.         error_page 404 /index.html;

  277.         error_page 500 502 503 504 /50x.html;

  278.         location = /50x.html {

  279.             root /usr/share/nginx/html;

  280.             internal;

  281.         }

  282.     }

  283. }