
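# Gateway nginx configuration: TLS termination in front of the Sys (port 8000)
# and Lmg (port 8002) systems, proxying to upstreams on the container network.

# FIX: this was "debug". At debug level nginx writes every request and response
# header line it parses to the error log, which on this gateway includes the
# Authorization bearer tokens and cookies that pass through it, and the log
# grows very quickly. Raise it to "debug" only while diagnosing a problem.
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}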
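http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    keepalive_timeout 65;

    # Gzip compression.
    # NOTE(review): compressing application/json over TLS makes any response that
    # reflects attacker-chosen input next to a secret (token, CSRF value)
    # measurable via BREACH. Drop JSON from gzip_types if the APIs do that.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    # Upstreams: service names on the container network.
    # Sys system API (served over HTTPS, see the proxy_pass targets below)
    upstream sys_api {
        server sys-api:8001;
    }
    # Lmg system API
    upstream lmg_api {
        server lmg-api:19903;
    }
    # Sys system UI
    upstream sys_ui {
        server sys-ui:80;
    }
    # Lmg system UI
    upstream lmg_ui {
        server lmg-ui:80;
    }

    # -------------------------------
    # 2. Sys system (port 8000)
    # -------------------------------
    server {
        listen 8000 ssl;
        server_name 106.52.199.114;
        # NOTE(review): $host, used below in redirects, X-Forwarded-Host and the
        # rewritten OIDC discovery document, is the client's Host header. This is
        # the only server on the port, so it also answers requests for names not
        # listed in server_name; keep server_name exhaustive (or add a
        # default_server that returns 444) so those URLs cannot be pointed at an
        # attacker-chosen host.

        ssl_certificate /etc/nginx/certs/gateway.crt;
        ssl_certificate_key /etc/nginx/certs/gateway.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # No client-certificate (mTLS) authentication. These two directives only
        # control verification of *client* certificates; contrary to the original
        # comment they have nothing to do with gateway.crt being self-signed
        # (nginx never validates its own certificate).
        ssl_verify_client off;
        ssl_verify_depth 0;

        # Browsers must not sniff content types away from what the backends declare.
        add_header X-Content-Type-Options "nosniff" always;
        # TODO(review): add Strict-Transport-Security once every client reaches
        # this host over TLS only (it is sticky, so enable it deliberately).

        # Sys API: /api/sys/<rest> -> https://sys-api:8001/api/<rest>
        location /api/sys/ {
            proxy_pass https://sys_api/api/;
            proxy_ssl_server_name on;
            # TODO(review): the upstream certificate is not checked. Inside the
            # container network that is a small exposure, but turning it on needs
            # proxy_ssl_verify on, proxy_ssl_trusted_certificate (the CA file) and
            # proxy_ssl_name matching the name in the upstream certificate.
            proxy_ssl_verify off;
            proxy_set_header Authorization $http_authorization;
            # Set the forwarding headers here as the /auth/ block does, so the
            # backend gets the gateway's view of the client rather than whatever
            # X-Real-IP / X-Forwarded-Proto the client chose to send. Note that
            # $proxy_add_x_forwarded_for appends to a client-supplied list; the
            # backend must read the last entry.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Identity provider, mounted under /auth/ at the gateway:
        # /auth/<rest> -> https://sys-api:8001/<rest> (trailing slash strips the prefix)
        location /auth/ {
            proxy_pass https://sys_api/;
            proxy_ssl_server_name on;
            proxy_ssl_session_reuse off;
            proxy_ssl_verify off;
            # Host is the upstream name (like Vite's changeOrigin=true); the backend
            # therefore builds its redirects against "sys_api", which the
            # proxy_redirect rules below translate back to the public URL.
            proxy_set_header Host $proxy_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header Authorization $http_authorization;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Rewrite backend Location headers to the public URL, keeping the port.
            # FIX: this listener is TLS-only, so the rewritten redirect must stay on
            # $scheme (https). The original "http://$host:$server_port" sent the
            # browser a plaintext request to an SSL port, which nginx rejects with
            # 400 ("plain HTTP request was sent to HTTPS port").
            # NOTE(review): the first rule matches ":19902", but upstream sys_api is
            # defined on port 8001 above; confirm which port the backend writes into
            # Location, otherwise that rule never fires.
            proxy_redirect https://sys_api:19902/ $scheme://$host:$server_port/auth/;
            proxy_redirect https://sys_api/ $scheme://$host:$server_port/auth/;
        }

        # NOTE(review): this block is a copy of /auth/ that strips "/connect/"
        # instead: /connect/token reaches the backend as /token, while the same
        # endpoint via /auth/connect/token reaches it as /connect/token. If the
        # IdP really serves /connect/* at its root keep it; otherwise proxy_pass
        # should be "https://sys_api/connect/". Its redirects are also rewritten
        # onto the /auth/ prefix, which only matches the discovery document below
        # if /auth/ is the intended public base path.
        location /connect/ {
            proxy_pass https://sys_api/;
            proxy_ssl_server_name on;
            proxy_ssl_session_reuse off;
            proxy_ssl_verify off;
            proxy_set_header Host $proxy_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header Authorization $http_authorization;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # FIX: same scheme downgrade as in /auth/; keep redirects on $scheme.
            proxy_redirect https://sys_api:19902/ $scheme://$host:$server_port/auth/;
            proxy_redirect https://sys_api/ $scheme://$host:$server_port/auth/;
        }

        # OIDC discovery document with backend URLs rewritten for external clients.
        location = /auth/.well-known/openid-configuration {
            proxy_pass https://sys_api/.well-known/openid-configuration;
            # sub_filter can only edit an uncompressed body.
            proxy_set_header Accept-Encoding "";
            sub_filter_types application/json;
            sub_filter_once off;
            # NOTE(review): the rewritten issuer/endpoint URLs point at port 8001,
            # which is the sys-api container port, not this gateway (8000/8002),
            # and they drop the /auth/ prefix the other blocks use. Clients that
            # follow the document therefore bypass the gateway; confirm 8001 is
            # intentionally published, otherwise rewrite to
            # "$scheme://$host:$server_port/auth".
            sub_filter 'https://sys-api:19902' 'https://$host:8001';
            sub_filter 'https://sys_api' 'https://$host:8001';
        }

        # Sys UI: everything else.
        location / {
            proxy_pass http://sys_ui;
            proxy_set_header Host $host;
        }
    }

    # -------------------------------
    # 3. Lmg system (port 8002)
    # -------------------------------
    # The /auth/, discovery and /api/sys/ blocks below duplicate the ones in the
    # 8000 server; keep them in sync (or move them into an included snippet).
    server {
        listen 8002 ssl;
        server_name 106.52.199.114;
        # NOTE(review): see the 8000 server about $host being client-controlled.

        ssl_certificate /etc/nginx/certs/gateway.crt;
        ssl_certificate_key /etc/nginx/certs/gateway.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # No client-certificate (mTLS) authentication; unrelated to the self-signed
        # server certificate (see the 8000 server).
        ssl_verify_client off;
        ssl_verify_depth 0;

        add_header X-Content-Type-Options "nosniff" always;

        # Lmg API: /api/lmg/<rest> -> https://lmg-api:19903/api/<rest>
        location /api/lmg/ {
            proxy_pass https://lmg_api/api/;
            proxy_ssl_server_name on;
            # TODO(review): upstream certificate not verified; see /api/sys/ in the
            # 8000 server for what enabling it requires.
            proxy_ssl_verify off;
            proxy_set_header Authorization $http_authorization;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Lmg UI; the frontend's base path must be configured as /lmg/.
        location /lmg/ {
            proxy_pass http://lmg_ui/; # trailing slash strips the /lmg/ prefix
            proxy_set_header Host $host;
        }

        # Identity provider, mounted under /auth/ (same as the 8000 server).
        location /auth/ {
            proxy_pass https://sys_api/;
            proxy_ssl_server_name on;
            proxy_ssl_session_reuse off;
            proxy_ssl_verify off;
            proxy_set_header Host $proxy_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header Authorization $http_authorization;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # FIX: redirects must stay on $scheme (https); the original rewrote
            # them to http:// on this TLS-only port. The ":19902" rule may never
            # match since upstream sys_api is on 8001 (see the 8000 server).
            proxy_redirect https://sys_api:19902/ $scheme://$host:$server_port/auth/;
            proxy_redirect https://sys_api/ $scheme://$host:$server_port/auth/;
        }

        # OIDC discovery document (same caveats as in the 8000 server: the
        # rewritten URLs target port 8001 and drop the /auth/ prefix).
        location = /auth/.well-known/openid-configuration {
            proxy_pass https://sys_api/.well-known/openid-configuration;
            proxy_set_header Accept-Encoding "";
            sub_filter_types application/json;
            sub_filter_once off;
            sub_filter 'https://sys-api:19902' 'https://$host:8001';
            sub_filter 'https://sys_api' 'https://$host:8001';
        }

        # Sys API is reachable from the Lmg origin as well.
        location /api/sys/ {
            proxy_pass https://sys_api/api/;
            proxy_ssl_server_name on;
            proxy_ssl_verify off;
            proxy_set_header Authorization $http_authorization;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Root redirects to the Lmg UI.
        location = / {
            return 301 /lmg/;
        }
    }
}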