# 这是网关 Nginx 的配置文件 user nginx; worker_processes auto; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; use epoll; multi_accept on; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 30s; keepalive_requests 1000; # 安全响应头 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; # 对于 X-Frame-Options,根据你的需求设置 SAMEORIGIN 或 DENY add_header X-Frame-Options SAMEORIGIN; # add_header Referrer-Policy "strict-origin-when-cross-origin"; # 可选 # --- SSL 配置 --- ssl_certificate /etc/nginx/certs/server.crt; ssl_certificate_key /etc/nginx/certs/server.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # --- 后端服务定义 (在 Docker 网络中通常使用服务名) --- # 如果 sys-ui 和 lmg-ui 的服务名是 "sys-ui-container" 和 "lmg-ui-container" # 它们需要在同一个 Docker 网络中运行,并且可以通过这些服务名访问到它们的 80 端口 upstream sys_ui_backend { server sys-ui-container:80; } upstream lmg_ui_backend { server lmg-ui-container:80; } # 你的后端 API 服务 upstream sys_api { server sys_backend_service:19902; # 替换为你的实际后端服务名或IP } upstream lmg_api { server lmg_backend_service:19904; # 替换为你的实际后端服务名或IP } # 认证服务 upstream auth_api { server auth_backend_service:19902; # 替换为你的实际后端服务名或IP } # --- 网关服务配置 --- # sys-ui Server Block server { listen 8000 ssl reuseport; server_name your-domain.com; # 替换为你的域名或IP # SSL 证书配置 (如果与 http 块重复,server 块配置会覆盖) ssl_certificate /etc/nginx/certs/server.crt; ssl_certificate_key /etc/nginx/certs/server.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # 统一代理头配置 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # --- sys-ui 静态资源服务 --- location / { proxy_pass http://sys_ui_backend; # 将所有请求代理到 sys-ui 容器 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 如果 sys-ui 的 Nginx 配置了 try_files,这里不需要再配置 # 理论上 Nginx 是直接代理到 sys-ui 的 80 端口,所以 sys-ui 内部的 Nginx 会处理 try_files # 如果你想让网关直接提供静态文件,可以像之前一样复制 dist 文件到网关目录,但这样就不是单独部署 UI 容器了 } # --- sys-ui 后端 API 代理 --- location /api/sys/ { proxy_pass https://sys_api/api/; proxy_ssl_server_name on; proxy_ssl_session_reuse off; proxy_ssl_verify off; # 生产环境建议开启验证 proxy_set_header Host $proxy_host; proxy_set_header Authorization $http_authorization; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host:$server_port; proxy_redirect https://sys_api/ /api/sys/; # 重写 Location 头 } # --- 认证服务代理 --- location /auth/ { proxy_pass https://auth_api/auth/; proxy_ssl_server_name on; proxy_ssl_session_reuse off; proxy_ssl_verify off; proxy_set_header Host $proxy_host; proxy_set_header Authorization $http_authorization; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host:$server_port; proxy_redirect https://auth_api/ /auth/; # 重写 Location 头 } } # lmg-ui Server Block server { listen 8001 ssl reuseport; server_name your-domain.com; # 替换为你的域名或IP # SSL 配置 ssl_certificate /etc/nginx/certs/server.crt; ssl_certificate_key /etc/nginx/certs/server.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # 统一代理头配置 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # --- lmg-ui 静态资源服务 --- location / { proxy_pass http://lmg_ui_backend; # 将所有请求代理到 lmg-ui 容器 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # --- lmg-ui 后端 API 代理 --- location /api/lmg/ { proxy_pass https://lmg_api/api/; proxy_ssl_server_name on; proxy_ssl_session_reuse off; proxy_ssl_verify off; proxy_set_header Host $proxy_host; proxy_set_header Authorization $http_authorization; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host:$server_port; proxy_redirect https://lmg_api/ /api/lmg/; # 重写 Location 头 } # --- 跨系统访问 Sys API (如果 lmg-ui 需要访问 sys API) --- location /api/sys/ { proxy_pass https://sys_api/api/; proxy_ssl_server_name on; proxy_ssl_session_reuse off; proxy_ssl_verify off; proxy_set_header Host $proxy_host; proxy_set_header Authorization $http_authorization; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host:$server_port; proxy_redirect https://sys_api/ /api/sys/; # 重写 Location 头 } } }