taiyi/Kamixitong
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b4a0e949ce
Kamixitong/nginx.conf.example

275 lines
7.6 KiB
Plaintext
Raw Normal View History

版本大更新
2025-12-12 11:35:14 +08:00
# KaMiXiTong Nginx 配置示例
# 用于生产环境的完整 Nginx 配置
# 支持 HTTP/HTTPS、反向代理、静态文件服务
# ==========================================
# 📝 使用说明
# ==========================================
# 1. 复制此文件为: /etc/nginx/sites-available/kamaxitong
# 2. 修改配置中的域名、证书路径等
# 3. 启用站点: sudo ln -s /etc/nginx/sites-available/kamaxitong /etc/nginx/sites-enabled/
# 4. 测试配置: sudo nginx -t
# 5. 重启 Nginx: sudo systemctl reload nginx
# ==========================================
# HTTP 服务器配置(自动重定向到 HTTPS
server {
listen 80;
listen [::]:80;
server_name your-domain.com www.your-domain.com;
# Let's Encrypt 验证目录
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# 其他请求重定向到 HTTPS
location / {
return 301 https://$server_name$request_uri;
}
}
# HTTPS 服务器配置
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name your-domain.com www.your-domain.com;
# SSL 证书配置
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
# SSL 安全配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# HSTS 配置(强制 HTTPS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# 根目录
root /var/www/kamaxitong;
index index.html index.htm;
# 最大上传文件大小
client_max_body_size 100M;
# 日志配置
access_log /var/log/nginx/kamaxitong_access.log;
error_log /var/log/nginx/kamaxitong_error.log;
# ==========================================
# 🌐 API 代理配置
# ==========================================
location /api/ {
# 代理到 Flask 应用
proxy_pass http://127.0.0.1:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
# 超时设置
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# 缓冲设置
proxy_buffering on;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
}
# ==========================================
# 🎯 健康检查端点(公开访问)
# ==========================================
location /api/v1/health {
proxy_pass http://127.0.0.1:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 健康检查不需要认证
access_log off;
}
location /api/v1/ping {
proxy_pass http://127.0.0.1:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
access_log off;
}
# ==========================================
# 📁 静态文件服务
# ==========================================
# CSS、JS、图片等静态资源
location /static/ {
alias /var/www/kamaxitong/static/;
expires 30d;
add_header Cache-Control "public, immutable";
# 开启 Gzip 压缩
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/javascript
application/xml+rss
application/json;
}
# 上传文件目录
location /uploads/ {
alias /var/www/kamaxitong/static/uploads/;
expires 7d;
add_header Cache-Control "public";
# 限制访问权限(可选)
# allow 10.0.0.0/8;
# allow 172.16.0.0/12;
# allow 192.168.0.0/16;
# deny all;
}
# ==========================================
# 🎨 Web 前端页面
# ==========================================
location / {
# 尝试直接访问文件,如果不存在则返回 index.htmlSPA 应用)
try_files $uri $uri/ /index.html;
# 设置缓存策略
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
}
# ==========================================
# 🚫 安全配置
# ==========================================
# 禁止访问隐藏文件
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# 禁止访问备份文件
location ~ ~$ {
deny all;
access_log off;
log_not_found off;
}
# 禁止访问敏感目录
location ~ ^/(logs|instance|certs|scripts|migrations)/ {
deny all;
access_log off;
log_not_found off;
}
# 禁止访问 .env 文件
location ~ /\.env$ {
deny all;
access_log off;
log_not_found off;
}
# 禁止访问 Python 缓存
location ~ __pycache__/ {
deny all;
access_log off;
log_not_found off;
}
# ==========================================
# 📊 监控和统计
# ==========================================
# Nginx 状态页面(仅内部访问)
location /nginx_status {
stub_status on;
access_log off;
# allow 127.0.0.1;
# allow 10.0.0.0/8;
# deny all;
}
}
# ==========================================
# 🔒 SSL 配置(自签名证书示例)
# ==========================================
# 如果使用自签名证书,使用以下配置
# server {
# listen 443 ssl;
# server_name your-domain.com;
#
# ssl_certificate /var/www/kamaxitong/certs/your-domain.com.crt;
# ssl_certificate_key /var/www/kamaxitong/certs/your-domain.com.key;
#
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_prefer_server_ciphers off;
#
# location / {
# root /var/www/kamaxitong;
# proxy_pass http://127.0.0.1:5000;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
# }
# ==========================================
# 📈 性能优化配置
# ==========================================
# 在 http 块中添加以下配置
# 开启 Gzip 压缩
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/javascript
application/xml+rss
application/json
application/xml
image/svg+xml;
# 缓冲区设置
client_body_buffer_size 128k;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
client_max_body_size 100m;
# 超时设置
client_body_timeout 12;
client_header_timeout 12;
keepalive_timeout 15;
send_timeout 10;
# 隐藏 Nginx 版本号
server_tokens off;
Reference in New Issue Copy Permalink