gateway/nginx.conf.gateway


# Gateway Nginx configuration: TLS-terminating reverse proxy in front of the
# sys-ui / lmg-ui containers and their HTTPS backend APIs.

# Core process settings: worker identity, pid file, log level, worker count.
user nginx;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log warn;
worker_processes auto;
# Connection handling for every worker process.
events {
    multi_accept on;           # accept as many pending connections as possible per wake-up
    use epoll;                 # Linux event notification method
    worker_connections 1024;   # per-worker connection ceiling
}
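http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30s;
    keepalive_requests 1000;

    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;

    # --- Security response headers ---
    # "always" makes nginx emit the header on every status code, not only on
    # 2xx/3xx, so error pages are covered too.
    # NOTE: any add_header placed in a server or location block replaces ALL
    # headers inherited from here; keep them centralised in this block.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    # For X-Frame-Options choose SAMEORIGIN or DENY according to your needs.
    add_header X-Frame-Options SAMEORIGIN always;
    # add_header Referrer-Policy "strict-origin-when-cross-origin"; # optional

    # --- SSL defaults (the server blocks below repeat them explicitly) ---
    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # AEAD-only list for TLS 1.2; TLS 1.3 suites are not governed by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;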
# --- 后端服务定义 (在 Docker 网络中通常使用服务名) ---
# 如果 sys-ui 和 lmg-ui 的服务名是 "sys-ui-container" 和 "lmg-ui-container"
# 它们需要在同一个 Docker 网络中运行,并且可以通过这些服务名访问到它们的 80 端口
upstream sys_ui_backend {
server sys-ui-container:80;
}
upstream lmg_ui_backend {
server lmg-ui-container:80;
}
# 你的后端 API 服务
upstream sys_api {
server sys_backend_service:19902; # 替换为你的实际后端服务名或IP
}
upstream lmg_api {
server lmg_backend_service:19904; # 替换为你的实际后端服务名或IP
}
# 认证服务
upstream auth_api {
server auth_backend_service:19902; # 替换为你的实际后端服务名或IP
}
# --- 网关服务配置 ---
# sys-ui Server Block
server {
listen 8000 ssl reuseport;
server_name your-domain.com; # 替换为你的域名或IP
# SSL 证书配置 (如果与 http 块重复server 块配置会覆盖)
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# 统一代理头配置
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# --- sys-ui 静态资源服务 ---
location / {
proxy_pass http://sys_ui_backend; # 将所有请求代理到 sys-ui 容器
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 如果 sys-ui 的 Nginx 配置了 try_files这里不需要再配置
# 理论上 Nginx 是直接代理到 sys-ui 的 80 端口,所以 sys-ui 内部的 Nginx 会处理 try_files
# 如果你想让网关直接提供静态文件,可以像之前一样复制 dist 文件到网关目录,但这样就不是单独部署 UI 容器了
}
# --- sys-ui 后端 API 代理 ---
location /api/sys/ {
proxy_pass https://sys_api/api/;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_ssl_verify off; # 生产环境建议开启验证
proxy_set_header Host $proxy_host;
proxy_set_header Authorization $http_authorization;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_redirect https://sys_api/ /api/sys/; # 重写 Location 头
}
# --- 认证服务代理 ---
location /auth/ {
proxy_pass https://auth_api/auth/;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_ssl_verify off;
proxy_set_header Host $proxy_host;
proxy_set_header Authorization $http_authorization;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_redirect https://auth_api/ /auth/; # 重写 Location 头
}
}
# lmg-ui Server Block
server {
listen 8001 ssl reuseport;
server_name your-domain.com; # 替换为你的域名或IP
# SSL 配置
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# 统一代理头配置
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# --- lmg-ui 静态资源服务 ---
location / {
proxy_pass http://lmg_ui_backend; # 将所有请求代理到 lmg-ui 容器
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# --- lmg-ui 后端 API 代理 ---
location /api/lmg/ {
proxy_pass https://lmg_api/api/;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_ssl_verify off;
proxy_set_header Host $proxy_host;
proxy_set_header Authorization $http_authorization;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_redirect https://lmg_api/ /api/lmg/; # 重写 Location 头
}
# --- 跨系统访问 Sys API (如果 lmg-ui 需要访问 sys API) ---
location /api/sys/ {
proxy_pass https://sys_api/api/;
proxy_ssl_server_name on;
proxy_ssl_session_reuse off;
proxy_ssl_verify off;
proxy_set_header Host $proxy_host;
proxy_set_header Authorization $http_authorization;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_redirect https://sys_api/ /api/sys/; # 重写 Location 头
}
}
}