diff --git a/nginx.conf.gateway b/nginx.conf.gateway
index bbde7c4..aa51156 100644
--- a/nginx.conf.gateway
+++ b/nginx.conf.gateway
@@ -50,15 +50,31 @@ http {
 server {
 listen 8001 ssl;
 server_name 106.52.199.114;
- ssl_certificate /etc/nginx/certs/gateway.crt;
+ ssl_certificate /etc/nginx/certs/gateway.crt;
 ssl_certificate_key /etc/nginx/certs/gateway.key;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_verify_client off; # ↓ 允许自签名证书
+ ssl_verify_depth 0;
 # 统一代理头(确保IdentityServer获取真实客户端信息)
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+ # 单独处理发现文档,确保issuer正确
+ location = /.well-known/openid-configuration {
+ proxy_pass https://sys_api/.well-known/openid-configuration;
+
+ # 动态修改返回的JSON中的URL
+ proxy_set_header Accept-Encoding "";
+ sub_filter_types application/json;
+ sub_filter_once off;
+ sub_filter 'https://sys-api:19902' 'https://$host:8001';
+ sub_filter 'https://sys_api' 'https://$host:8001';
+ }
 # 所有IdentityServer路由(无需/auth前缀)
 location / {
 proxy_pass https://sys_api;
@@ -70,17 +86,6 @@ http {
 # 关键:重写后端返回的Location头(防止重定向到内部端口)
 proxy_redirect https://sys-api:19902/ https://$host:8001/;
 }
- # 单独处理发现文档,确保issuer正确
- location = /.well-known/openid-configuration {
- proxy_pass https://sys_api/.well-known/openid-configuration;
-
- # 动态修改返回的JSON中的URL
- proxy_set_header Accept-Encoding "";
- sub_filter_types application/json;
- sub_filter_once off;
- sub_filter 'https://sys-api:19902' 'https://$host:8001';
- sub_filter 'https://sys_api' 'https://$host:8001';
- }
 }
 # -------------------------------
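Review bot: The added `ssl_verify_client off;` and `ssl_verify_depth 0;` do not do what the comment `# ↓ 允许自签名证书` says: they govern verification of client certificates presented to this server (and `off` is already nginx's default), not the self-signed certificate that `sys_api` presents on the `proxy_pass https://sys_api` hops. Verification of the upstream is controlled by `proxy_ssl_verify`, which also defaults to off, so the self-signed upstream is accepted today only because nginx never checks it; to pin it explicitly replace the two lines with `proxy_ssl_trusted_certificate <path-to-sys_api-cert, placeholder>;` and `proxy_ssl_verify on;` (plus `proxy_ssl_name` if the certificate's name differs from the upstream name), or drop them and fix the comment. The same two lines are added to the `listen 8000` and `listen 8002` servers in the following hunks, and the `server {` opened here is closed in the next hunk. The new `ssl_ciphers` list also names `DHE-RSA-*` suites but no `ssl_dhparam` is configured, so those suites will not be negotiated and can be removed from the list. In the relocated `location = /.well-known/openid-configuration` block the issuer written by `sub_filter` is built from `$host`, i.e. the client-supplied Host header, so a request with another Host receives a discovery document pointing elsewhere; since `server_name` is the fixed `106.52.199.114`, using that literal (or `$server_name`) in the replacement, as in `sub_filter 'https://sys-api:19902' 'https://106.52.199.114:8001';`, would pin the issuer.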
@@ -89,9 +94,15 @@ http {
 server {
 listen 8000 ssl;
 server_name 106.52.199.114;
- ssl_certificate /etc/nginx/certs/gateway.crt;
+ ssl_certificate /etc/nginx/certs/gateway.crt;
 ssl_certificate_key /etc/nginx/certs/gateway.key;
- ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_verify_client off; # ↓ 允许自签名证书
+ ssl_verify_depth 0;
 # API路由
 location /api/sys/ {
 proxy_pass https://sys_api/api/;
@@ -146,9 +157,15 @@ http {
 server {
 listen 8002 ssl;
 server_name 106.52.199.114;
- ssl_certificate /etc/nginx/certs/gateway.crt;
+ ssl_certificate /etc/nginx/certs/gateway.crt;
 ssl_certificate_key /etc/nginx/certs/gateway.key;
- ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_verify_client off; # ↓ 允许自签名证书
+ ssl_verify_depth 0;
 # API路由
 location /api/lmg/ {
 proxy_pass https://lmg_api/api/;