diff --git a/backend/jiebanke.conf b/backend/jiebanke.conf new file mode 100644 index 0000000..c46c1cf --- /dev/null +++ b/backend/jiebanke.conf @@ -0,0 +1,129 @@ +# Nginx配置文件 - 结伴客后端服务 +# 适用于Node.js Express应用 + +# 定义Node.js应用服务器 +upstream nodejs_backend { + server 127.0.0.1:3100; + keepalive 64; +} + +# HTTP服务器配置 +server { + listen 80; + server_name webapi.jiebanke.com; + + # 重定向所有HTTP请求到HTTPS + return 301 https://$server_name$request_uri; +} + +# HTTPS服务器配置 +server { + listen 443 ssl http2; + server_name webapi.jiebanke.com; + + # SSL证书配置(需要替换为实际证书路径) + ssl_certificate /path/to/your/certificate.crt; + ssl_certificate_key /path/to/your/private.key; + + # SSL安全配置 + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # 启用HSTS + add_header Strict-Transport-Security "max-age=31536000" always; + + # 客户端上传大小限制 + client_max_body_size 10M; + + # 日志配置 + access_log /var/log/nginx/webapi.jiebanke.com.access.log; + error_log /var/log/nginx/webapi.jiebanke.com.error.log; + + # API接口代理 + location /api/ { + proxy_pass http://nodejs_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + proxy_read_timeout 90; + } + + # 管理员API接口代理 + location /admin/ { + proxy_pass http://nodejs_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + proxy_read_timeout 90; + } + + # 健康检查端点 + location /health { + proxy_pass http://nodejs_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + } + + # Swagger API文档 + location /api-docs { + proxy_pass http://nodejs_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + } + + # 上传文件访问 + location /uploads/ { + proxy_pass http://nodejs_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + } + + # 默认根路径处理 + location / { + proxy_pass http://nodejs_backend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_cache_bypass $http_upgrade; + } + + # 安全头设置 + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-referrer-when-downgrade" always; + add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always; +} \ No newline at end of file