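# Nginx configuration - production (HTTPS)
# Serves the Vue3 front-end static build and proxies the API to the backend.
#
# HTTPS certificate setup:
# 1. Put the SSL certificate files under /etc/nginx/ssl/
# 2. Certificate: /etc/nginx/ssl/server.crt
# 3. Private key: /etc/nginx/ssl/server.key
# 4. With Let's Encrypt the path is /etc/letsencrypt/live/{DOMAIN}/
#    ({DOMAIN} is a placeholder for the certificate's hostname)
#
# This file contains server{} blocks, so it is included from the http{} context
# (e.g. conf.d/*.conf); the map below is therefore at http level, where it must be.

# Derive the Connection header sent upstream from the client's Upgrade header:
# "upgrade" only for a WebSocket handshake, "close" for every other request.
# (An unconditional `Connection 'upgrade'` would send an upgrade on every API call.)
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP -> HTTPS redirect
server {
    listen 80;
    server_name _;

    # Health-check endpoint (not redirected; used by the load balancer).
    # default_type sets the Content-Type of the `return` body directly; using
    # add_header for it would emit a second Content-Type header next to the default one.
    location /health {
        access_log off;
        default_type text/plain;
        return 200 "healthy\n";
    }

    # Every other HTTP request is redirected to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

# Main HTTPS service
server {
    # NOTE: nginx >= 1.25.1 prefers a separate `http2 on;` directive over the
    # listen parameter; the parameter form is kept for older versions.
    listen 443 ssl http2;
    server_name _;

    # SSL certificate
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # TLS protocol versions (TLS 1.2 and 1.3 only)
    ssl_protocols TLSv1.2 TLSv1.3;

    # Strong cipher suites (ECDHE + AEAD only, i.e. forward-secret)
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    # SSL session cache. Session tickets stay off: with a long-lived ticket key
    # they would weaken forward secrecy across resumed sessions.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP stapling (requires the CA certificate chain)
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/nginx/ssl/chain.crt;

    # Production logging
    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log error;

    # Security response headers.
    # NOTE: add_header is NOT inherited into a location that declares its own
    # add_header - that location's set replaces this one entirely. Every location
    # below that sets a header repeats this block; keep the copies in sync (an
    # include snippet is the usual way to de-duplicate).

    # HTTP Strict Transport Security (HSTS) - force HTTPS for 1 year, subdomains included.
    # "preload" is hard to undo once submitted to the browser preload list; only
    # keep it if every subdomain of the served hostname is HTTPS-only.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Forbid embedding in iframes from other origins (clickjacking); mirrors
    # frame-ancestors in the CSP below.
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Forbid MIME-type sniffing
    add_header X-Content-Type-Options "nosniff" always;

    # Legacy XSS filter header; current browsers ignore it, CSP is the effective control
    add_header X-XSS-Protection "1; mode=block" always;

    # Referrer policy
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Content Security Policy.
    # NOTE: 'unsafe-inline' and 'unsafe-eval' in script-src remove most of the
    # XSS protection CSP offers. A Vue3 production build only needs 'unsafe-eval'
    # when it compiles templates at runtime; tighten these when the app allows.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'" always;

    # Permissions policy (disable browser features the app does not use)
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;

    # Gzip compression.
    # NOTE: gzip_proxied any also compresses API responses; if those reflect
    # request data next to secrets, compression over TLS is a BREACH vector.
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;

    # Static file serving
    location / {
        root  /usr/share/nginx/html;
        index index.html index.htm;
        # SPA fallback: paths that are not files on disk serve index.html
        try_files $uri $uri/ /index.html;

        # Production cache policy for hashed build assets.
        # This location declares add_header, so the server-level security
        # headers are repeated here (see the NOTE above).
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            access_log off;

            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'" always;
            add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
        }

        # HTML is cached briefly so a new deployment is picked up quickly.
        # Same add_header rule: the security headers are repeated here.
        location ~* \.(html)$ {
            expires 1h;
            add_header Cache-Control "public";

            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'" always;
            add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
        }
    }

    # API proxy to the backend service
    location /prod-api/ {
        # The trailing slash strips the /prod-api/ prefix before forwarding
        proxy_pass http://anxin-backend:8080/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Production proxy settings.
        # proxy_read_timeout also bounds an idle WebSocket: a connection silent
        # for longer than 10s is closed.
        proxy_connect_timeout 10s;
        proxy_send_timeout    10s;
        proxy_read_timeout    10s;
        proxy_buffering       on;
        # A backend response whose headers exceed proxy_buffer_size (e.g. large
        # Set-Cookie values) is answered with 502 "upstream sent too big header".
        proxy_buffer_size     4k;
        proxy_buffers         8 4k;

        # Request body size limit
        client_max_body_size 5m;

        # WebSocket / upgrade passthrough.
        # An Upgrade needs HTTP/1.1 towards the upstream (the proxy default is
        # 1.0), and Connection is derived from $http_upgrade via the map at the
        # top of this file instead of being sent as "upgrade" on every request.
        # If the backend never upgrades connections, these four lines can go.
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
    }

    # Health-check endpoint (inherits the server-level security headers, since
    # it declares no add_header of its own)
    location /health {
        access_log off;
        default_type text/plain;
        return 200 "healthy\n";
    }

    # Deny access to hidden files (.git, .env, ...).
    # NOTE: this also covers /.well-known/; serving an ACME HTTP-01 challenge on
    # 443 needs an explicit `location ^~ /.well-known/acme-challenge/` block,
    # which takes precedence over this regex.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny editor backup files (names ending in "~")
    location ~ ~$ {
        deny all;
        access_log off;
        log_not_found off;
    }
}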