yidongliang
/
gateway
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
gateway/nginx.conf.gateway

192 lines
7.5 KiB
Plaintext
Raw Normal View History

init
2025-06-22 14:46:32 +08:00
# 这是网关 Nginx 的配置文件
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30s;
keepalive_requests 1000;
# 安全响应头
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
# 对于 X-Frame-Options根据你的需求设置 SAMEORIGIN 或 DENY
add_header X-Frame-Options SAMEORIGIN;
# add_header Referrer-Policy "strict-origin-when-cross-origin"; # 可选
# --- SSL 配置 ---
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# --- 后端服务定义 (在 Docker 网络中通常使用服务名) ---
# 如果 sys-ui 和 lmg-ui 的服务名是 "sys-ui-container" 和 "lmg-ui-container"
# 它们需要在同一个 Docker 网络中运行,并且可以通过这些服务名访问到它们的 80 端口
upstream sys_ui_backend {
server sys-ui-container:80;
}
upstream lmg_ui_backend {
server lmg-ui-container:80;
}
# 你的后端 API 服务
upstream sys_api {
server sys_backend_service:19902; # 替换为你的实际后端服务名或IP
}
upstream lmg_api {
server lmg_backend_service:19904; # 替换为你的实际后端服务名或IP
}
# 认证服务
upstream auth_api {
server auth_backend_service:19902; # 替换为你的实际后端服务名或IP
}
# --- 网关服务配置 ---
# sys-ui Server Block
server {
listen 8000 ssl reuseport;
server_name your-domain.com; # 替换为你的域名或IP
# SSL 证书配置 (如果与 http 块重复server 块配置会覆盖)
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# 统一代理头配置
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# --- sys-ui 静态资源服务 ---
location / {
proxy_pass http://sys_ui_backend; # 将所有请求代理到 sys-ui 容器
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 如果 sys-ui 的 Nginx 配置了 try_files这里不需要再配置
# 理论上 Nginx 是直接代理到 sys-ui 的 80 端口,所以 sys-ui 内部的 Nginx 会处理 try_files
# 如果你想让网关直接提供静态文件,可以像之前一样复制 dist 文件到网关目录,但这样就不是单独部署 UI 容器了
}
# --- sys-ui 后端 API 代理 ---
location /api/sys/ {
proxy_pass https://sys_api/api/;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_ssl_verify off; # 生产环境建议开启验证
proxy_set_header Host $proxy_host;
proxy_set_header Authorization $http_authorization;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_redirect https://sys_api/ /api/sys/; # 重写 Location 头
}
# --- 认证服务代理 ---
location /auth/ {
proxy_pass https://auth_api/auth/;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_ssl_verify off;
proxy_set_header Host $proxy_host;
proxy_set_header Authorization $http_authorization;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_redirect https://auth_api/ /auth/; # 重写 Location 头
}
}
# lmg-ui Server Block
server {
listen 8001 ssl reuseport;
server_name your-domain.com; # 替换为你的域名或IP
# SSL 配置
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# 统一代理头配置
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# --- lmg-ui 静态资源服务 ---
location / {
proxy_pass http://lmg_ui_backend; # 将所有请求代理到 lmg-ui 容器
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# --- lmg-ui 后端 API 代理 ---
location /api/lmg/ {
proxy_pass https://lmg_api/api/;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_ssl_verify off;
proxy_set_header Host $proxy_host;
proxy_set_header Authorization $http_authorization;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_redirect https://lmg_api/ /api/lmg/; # 重写 Location 头
}
# --- 跨系统访问 Sys API (如果 lmg-ui 需要访问 sys API) ---
location /api/sys/ {
proxy_pass https://sys_api/api/;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_ssl_verify off;
proxy_set_header Host $proxy_host;
proxy_set_header Authorization $http_authorization;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_redirect https://sys_api/ /api/sys/; # 重写 Location 头
}
}
}