证书问题

nginx.conf.gateway

@@ -50,15 +50,31 @@ http {
     server {
         listen 8001 ssl;
         server_name 106.52.199.114;
-        ssl_certificate     /etc/nginx/certs/gateway.crt;
+        ssl_certificate /etc/nginx/certs/gateway.crt;
         ssl_certificate_key /etc/nginx/certs/gateway.key;
-        ssl_protocols       TLSv1.2 TLSv1.3;
-        ssl_ciphers         HIGH:!aNULL:!MD5;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_verify_client off;  # ↓ 允许自签名证书
+        ssl_verify_depth 0;
         # 统一代理头（确保IdentityServer获取真实客户端信息）
         proxy_set_header Host              $host;
         proxy_set_header X-Real-IP         $remote_addr;
         proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+                # 单独处理发现文档，确保issuer正确
+        location = /.well-known/openid-configuration {
+            proxy_pass https://sys_api/.well-known/openid-configuration;
+            
+            # 动态修改返回的JSON中的URL
+            proxy_set_header Accept-Encoding "";
+            sub_filter_types application/json;
+            sub_filter_once off;
+            sub_filter 'https://sys-api:19902' 'https://$host:8001';
+            sub_filter 'https://sys_api' 'https://$host:8001';
+        }
         # 所有IdentityServer路由（无需/auth前缀）
         location / {
             proxy_pass https://sys_api;
@@ -70,17 +86,6 @@ http {
             # 关键：重写后端返回的Location头（防止重定向到内部端口）
             proxy_redirect https://sys-api:19902/ https://$host:8001/;
         }
-        # 单独处理发现文档，确保issuer正确
-        location = /.well-known/openid-configuration {
-            proxy_pass https://sys_api/.well-known/openid-configuration;
-            
-            # 动态修改返回的JSON中的URL
-            proxy_set_header Accept-Encoding "";
-            sub_filter_types application/json;
-            sub_filter_once off;
-            sub_filter 'https://sys-api:19902' 'https://$host:8001';
-            sub_filter 'https://sys_api' 'https://$host:8001';
-        }
     }
 
     # -------------------------------
@@ -89,9 +94,15 @@ http {
     server {
         listen 8000 ssl;
         server_name 106.52.199.114;
-        ssl_certificate     /etc/nginx/certs/gateway.crt;
+        ssl_certificate /etc/nginx/certs/gateway.crt;
         ssl_certificate_key /etc/nginx/certs/gateway.key;
-        ssl_protocols       TLSv1.2 TLSv1.3;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_verify_client off;  # ↓ 允许自签名证书
+        ssl_verify_depth 0;
         # API路由
         location /api/sys/ {
             proxy_pass https://sys_api/api/;
@@ -146,9 +157,15 @@ http {
     server {
         listen 8002 ssl;
         server_name 106.52.199.114;
-        ssl_certificate     /etc/nginx/certs/gateway.crt;
+        ssl_certificate /etc/nginx/certs/gateway.crt;
         ssl_certificate_key /etc/nginx/certs/gateway.key;
-        ssl_protocols       TLSv1.2 TLSv1.3;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_verify_client off;  # ↓ 允许自签名证书
+        ssl_verify_depth 0;
         # API路由
         location /api/lmg/ {
             proxy_pass https://lmg_api/api/;