anxin-ruoyi/docker/configs/nginx.conf.prod



# Nginx配置文件 - 生产环境 (HTTPS版本)
# 用于Vue3前端静态文件服务和API代理
#
# HTTPS证书配置说明:
# 1. 将SSL证书文件放置在 /etc/nginx/ssl/ 目录下
# 2. 证书文件: /etc/nginx/ssl/server.crt
# 3. 私钥文件: /etc/nginx/ssl/server.key
# 4. 如使用Let's Encrypt路径为 /etc/letsencrypt/live/<domain>/
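# HTTP -> HTTPS redirect
server {
    listen 80;
    server_name _;

    # Health-check endpoint, answered directly over HTTP (not redirected) so a
    # load balancer can probe it without following the 301.
    location /health {
        access_log off;
        # default_type sets the Content-Type of the `return` body. The former
        # `add_header Content-Type` appended a second Content-Type header next
        # to nginx's default one instead of replacing it.
        default_type text/plain;
        return 200 "healthy\n";
    }

    # Every other HTTP request is redirected to HTTPS.
    # NOTE(review): $host is taken from the client-supplied Host header and
    # server_name is the catch-all `_`, so an arbitrary Host value is reflected
    # into the Location header. Once the real hostname is known, prefer a fixed
    # server_name and redirect to that name rather than to $host.
    location / {
        return 301 https://$host$request_uri;
    }
}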
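# HTTPS main server
server {
    # `http2` as a listen flag still works; newer nginx releases prefer a
    # separate `http2 on;` directive.
    listen 443 ssl http2;
    server_name _;

    # SSL certificate configuration (paths described in the file header)
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Only TLS 1.2 and 1.3 are negotiated
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD cipher suites only (applies to TLS 1.2; TLS 1.3
    # suites are selected by nginx/OpenSSL and are not listed here)
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    # TLS session cache; session tickets are disabled so resumption does not
    # depend on a long-lived ticket key shared across workers.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP stapling needs the CA chain; enable once chain.crt is in place
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/nginx/ssl/chain.crt;

    # Production logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log error;

    # ---- Security response headers --------------------------------------
    # nginx inheritance rule: a location that declares ANY add_header of its
    # own stops inheriting these server-level add_header lines. Locations
    # below that set Cache-Control therefore repeat this set; the /health
    # location uses default_type instead of add_header so it keeps inheriting.
    #
    # HSTS: one year, subdomains included, preload flag set.
    # NOTE(review): `preload` and `includeSubDomains` are a commitment for the
    # whole domain tree; confirm every subdomain is served over HTTPS before
    # submitting the domain to the preload list.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # Clickjacking protection (legacy header; CSP frame-ancestors below is the
    # modern equivalent and is kept consistent with it)
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Disable MIME sniffing
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy XSS filter header; modern browsers ignore it, CSP is the real control
    add_header X-XSS-Protection "1; mode=block" always;
    # Referrer policy
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Content Security Policy.
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src largely
    # neutralise CSP as an XSS mitigation; they are typically needed by the
    # Vue build as shipped. Tightening them (nonces/hashes, no eval) is an
    # application-side change, not a config-only one.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'" always;
    # Permissions policy (turn off browser features the app does not use)
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;

    # ---- Gzip -------------------------------------------------------------
    # NOTE(review): gzip_proxied any also compresses API responses from the
    # backend. Compressing TLS responses that mix secrets with attacker-
    # influenced input is the BREACH pattern; keep this in mind if API
    # responses echo user input alongside tokens.
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/json
        application/javascript
        application/xml+rss
        application/atom+xml
        image/svg+xml;

    # ---- Static files (SPA) ----------------------------------------------
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
        # Unknown paths fall back to index.html for client-side routing
        try_files $uri $uri/ /index.html;

        # Long-lived cache for fingerprinted assets.
        # The Cache-Control add_header below disables inheritance of the
        # server-level headers, so the security headers are repeated here.
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'" always;
            add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
            access_log off;
        }

        # Short cache for HTML entry points; same inheritance caveat as above.
        location ~* \.(html)$ {
            expires 1h;
            add_header Cache-Control "public";
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'" always;
            add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
        }
    }

    # ---- API proxy to the backend ----------------------------------------
    # The trailing slash on proxy_pass strips the /prod-api/ prefix before the
    # request reaches the backend.
    location /prod-api/ {
        proxy_pass http://anxin-backend:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to any incoming
        # X-Forwarded-For; the backend must trust only the last (nginx-added)
        # entry, the earlier ones are client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Production proxy settings
        proxy_connect_timeout 10s;
        proxy_send_timeout 10s;
        # NOTE(review): a 10s read timeout also applies to upgraded
        # (WebSocket) connections proxied here; idle sockets will be closed.
        proxy_read_timeout 10s;
        proxy_buffering on;
        # NOTE(review): 4k must hold the largest backend response header set
        # (large Set-Cookie/Authorization values can exceed it).
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;

        # Request body size limit for API calls
        client_max_body_size 5m;

        # WebSocket / protocol-upgrade pass-through.
        # HTTP/1.1 to the upstream is required for Upgrade to work at all;
        # the default proxy_http_version is 1.0, under which the Upgrade
        # header is meaningless.
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        # NOTE(review): Connection is forced to "upgrade" on every proxied
        # request, including plain HTTP calls. The usual refinement is a
        # `map $http_upgrade $connection_upgrade` in the http{} context
        # (not available in this server-only file) and
        # `proxy_set_header Connection $connection_upgrade;`.
        proxy_set_header Connection 'upgrade';
        proxy_set_header Upgrade $http_upgrade;
    }

    # ---- Health-check endpoint --------------------------------------------
    location /health {
        access_log off;
        # default_type (rather than add_header Content-Type) sets the body's
        # type without a duplicate Content-Type header and without disabling
        # inheritance of the server-level security headers.
        default_type text/plain;
        return 200 "healthy\n";
    }

    # ---- Deny access to hidden and backup files ---------------------------
    # Matches any path segment starting with a dot (.git, .env, .htaccess ...).
    # NOTE(review): this also blocks /.well-known/, e.g. ACME HTTP-01
    # challenges; add a more specific `location ^~ /.well-known/` exception
    # if certificates are issued that way.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
    # Editor backup files (name ending in ~)
    location ~ ~$ {
        deny all;
        access_log off;
        log_not_found off;
    }
}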