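# KaMiXiTong Nginx configuration example
# Complete Nginx configuration for a production deployment
# Covers HTTP/HTTPS, reverse proxying and static file serving
#
# ==========================================
# 📝 Usage
# ==========================================
# 1. Copy this file to: /etc/nginx/sites-available/kamaxitong
# 2. Adjust the domain name, certificate paths, etc.
# 3. Enable the site: sudo ln -s /etc/nginx/sites-available/kamaxitong /etc/nginx/sites-enabled/
# 4. Test the configuration: sudo nginx -t
# 5. Reload Nginx: sudo systemctl reload nginx
# ==========================================

# HTTP server (redirects everything to HTTPS)
server {
    listen 80;
    listen [::]:80;
    server_name your-domain.com www.your-domain.com;

    # Let's Encrypt HTTP-01 challenge directory must stay reachable over
    # plain HTTP, so it is excluded from the redirect.
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Everything else goes to HTTPS. $server_name (the first name listed
    # above) is used instead of $host so the redirect target cannot be
    # influenced by a client-supplied Host header.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# HTTPS server
server {
    # NOTE: nginx 1.25.1+ deprecates the "http2" listen parameter in favour
    # of a separate "http2 on;" directive; the parameter still works.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your-domain.com www.your-domain.com;

    # SSL certificate
    ssl_certificate     /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    # TLS settings.
    # The cipher list only contains names OpenSSL actually knows: the
    # "...AES256-GCM-SHA512" suites in the previous list do not exist and
    # OpenSSL silently ignores unknown names. ECDSA suites and ChaCha20 are
    # included so the list also works with ECDSA certificates. TLS 1.3
    # suites are not controlled by ssl_ciphers and are unaffected.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers (HSTS forces HTTPS for two years).
    # "always" makes nginx attach them to error responses as well.
    # IMPORTANT: nginx does NOT inherit add_header into a location that
    # declares its own add_header, so every location below that sets
    # Cache-Control repeats this set; otherwise those responses would be
    # served without HSTS/X-Frame-Options/nosniff.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Document root
    root /var/www/kamaxitong;
    index index.html index.htm;

    # Maximum upload size
    client_max_body_size 100M;

    # Logging
    access_log /var/log/nginx/kamaxitong_access.log;
    error_log  /var/log/nginx/kamaxitong_error.log;

    # ==========================================
    # 🌐 API proxy
    # ==========================================
    location /api/ {
        # Proxy to the Flask application
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $server_name;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout    60s;
        proxy_read_timeout    60s;

        # Buffering
        proxy_buffering        on;
        proxy_buffer_size      128k;
        proxy_buffers          4 256k;
        proxy_busy_buffers_size 256k;
    }

    # ==========================================
    # 🎯 Health-check endpoints (publicly reachable)
    # ==========================================
    # Exact matches ("=") so only these two URIs skip the access log;
    # anything else under /api/ still goes through the block above.
    location = /api/v1/health {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Health checks need no authentication and are not logged
        access_log off;
    }

    location = /api/v1/ping {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        access_log off;
    }

    # ==========================================
    # 📁 Static files
    # ==========================================
    # CSS, JS, images and other static assets
    location /static/ {
        alias /var/www/kamaxitong/static/;
        expires 30d;
        add_header Cache-Control "public, immutable";
        # Re-declared here because this location has its own add_header
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Gzip compression
        gzip on;
        gzip_vary on;
        gzip_min_length 1024;
        gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json;
    }

    # Upload directory
    location /uploads/ {
        alias /var/www/kamaxitong/static/uploads/;
        expires 7d;
        add_header Cache-Control "public";
        # Re-declared here because this location has its own add_header
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Restrict access (optional)
        # allow 10.0.0.0/8;
        # allow 172.16.0.0/12;
        # allow 192.168.0.0/16;
        # deny all;
    }

    # ==========================================
    # 🎨 Web front end
    # ==========================================
    location / {
        # Serve the file directly if it exists, otherwise fall back to
        # index.html (single-page application routing)
        try_files $uri $uri/ /index.html;

        # Cache policy for fingerprinted assets
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            # Re-declared here because this location has its own add_header
            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
            add_header X-Frame-Options DENY always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-XSS-Protection "1; mode=block" always;
        }
    }

    # ==========================================
    # 🚫 Access restrictions
    # ==========================================
    # Deny hidden files (dot-files); this also covers .env and .git
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny editor backup files
    location ~ ~$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny sensitive directories
    location ~ ^/(logs|instance|certs|scripts|migrations)/ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny .env files (already covered by the dot-file rule; kept for clarity)
    location ~ /\.env$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny Python bytecode caches
    location ~ __pycache__/ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # ==========================================
    # 📊 Monitoring
    # ==========================================
    # Nginx status page (loopback only).
    # stub_status reveals connection counters; the allow/deny rules were
    # previously commented out, which left the page world-readable despite
    # the "internal only" intent.
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        # allow 10.0.0.0/8;
        deny all;
    }
}

# ==========================================
# 🔒 SSL configuration (self-signed certificate example)
# ==========================================
# Use the following when serving with a self-signed certificate
# server {
#     listen 443 ssl;
#     server_name your-domain.com;
#
#     ssl_certificate     /var/www/kamaxitong/certs/your-domain.com.crt;
#     ssl_certificate_key /var/www/kamaxitong/certs/your-domain.com.key;
#
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_prefer_server_ciphers off;
#
#     location / {
#         root /var/www/kamaxitong;
#         proxy_pass http://127.0.0.1:5000;
#         proxy_set_header Host              $host;
#         proxy_set_header X-Real-IP         $remote_addr;
#         proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#     }
# }

# ==========================================
# 📈 Performance tuning
# ==========================================
# These directives belong in the http block. When this file is included
# from sites-enabled (which the default nginx.conf does from inside
# "http { }"), they take effect at http level as written here.

# Gzip compression
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json application/xml image/svg+xml;

# Buffers
client_body_buffer_size   128k;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
client_max_body_size 100m;

# Timeouts
client_body_timeout   12;
client_header_timeout 12;
keepalive_timeout     15;
send_timeout          10;

# Hide the Nginx version in responses and error pages
server_tokens off;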