# KaMiXiTong Nginx 配置示例
# 用于生产环境的完整 Nginx 配置
# 支持 HTTP/HTTPS、反向代理、静态文件服务
# ==========================================
# 📝 使用说明
# ==========================================
# 1. 复制此文件为: /etc/nginx/sites-available/kamaxitong
# 2. 修改配置中的域名、证书路径等
# 3. 启用站点: sudo ln -s /etc/nginx/sites-available/kamaxitong /etc/nginx/sites-enabled/
# 4. 测试配置: sudo nginx -t
# 5. 重载 Nginx 配置(不中断现有连接): sudo systemctl reload nginx
# ==========================================
# HTTP 服务器配置(仅处理 ACME 验证,其余请求自动重定向到 HTTPS)
server {
    listen 80;
    listen [::]:80;
    server_name your-domain.com www.your-domain.com;

    # ACME HTTP-01 challenge files (e.g. certbot --webroot -w /var/www/html).
    # Note the webroot here is /var/www/html, not the site root used by the
    # HTTPS server; certbot must be pointed at this directory.
    # Because this prefix location is more specific than "/", renewals keep
    # working while every other plain-HTTP request is forced to HTTPS.
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Everything else: permanent redirect to HTTPS, preserving path and query.
    # $server_name expands to the FIRST name of the server_name directive
    # (your-domain.com), so requests for the www host are folded into the apex
    # on redirect. It is used deliberately instead of $host: should this block
    # ever become the default_server, $host would echo an attacker-chosen Host
    # header into the Location header (open redirect), $server_name cannot.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
# HTTPS 服务器配置
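server {
    # nginx >= 1.25.1 deprecates the "http2" listen parameter in favour of a
    # separate "http2 on;" directive; the parameter still works and is kept for
    # compatibility with older distribution packages.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name your-domain.com www.your-domain.com;

    # ==========================================
    # TLS certificate (Let's Encrypt layout; change the domain)
    # ==========================================
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    # ==========================================
    # TLS protocol / cipher policy
    # ==========================================
    ssl_protocols TLSv1.2 TLSv1.3;
    # The previous list named two suites that do not exist in OpenSSL
    # ("*-AES256-GCM-SHA512", silently dropped by the parser) and two DHE suites
    # that nginx will not negotiate without an ssl_dhparam file. The effective
    # TLS 1.2 policy was therefore a single RSA-only suite, which also breaks
    # ECDSA certificates. This is the ECDHE subset of Mozilla's "intermediate"
    # profile: forward secrecy, AEAD only, works with RSA and ECDSA certs, no
    # dhparam required. TLS 1.3 suites are not governed by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With an all-AEAD list the client may pick (e.g. ChaCha20 on mobile).
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets are encrypted with a key nginx generates once per start
    # and never rotates, which weakens forward secrecy for resumed sessions;
    # keep resumption in the server-side cache only.
    ssl_session_tickets off;

    # ==========================================
    # Security headers
    # ==========================================
    # "always" also attaches them to 4xx/5xx responses.
    # IMPORTANT nginx pitfall: a location that declares ANY add_header of its
    # own (the cache-control blocks below) inherits NONE of these. They are
    # therefore repeated inside those locations — keep all copies in sync.
    #
    # HSTS for two years including subdomains. "preload" was removed from the
    # example: it is a public, practically irreversible commitment for the
    # whole domain tree. Append "; preload" only when you are ready to submit
    # the domain to hstspreload.org.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # The legacy XSS auditor has been removed from current browsers and could
    # itself be abused for information leaks in old ones; "0" disables it.
    add_header X-XSS-Protection "0" always;

    # ==========================================
    # Document root
    # ==========================================
    # NOTE(review): the deny rules at the bottom of this block (logs/, instance/,
    # migrations/, __pycache__/, .env) imply that the Flask application tree
    # lives under this same directory. Serving the app directory as web root
    # means any file NOT on the blocklist is downloadable. The robust fix is to
    # point root at a directory that contains only the built frontend — TODO
    # confirm the actual layout and adjust; the blocklist is defence in depth.
    root /var/www/kamaxitong;
    index index.html index.htm;

    # Upper bound on request bodies (uploads); larger requests get HTTP 413.
    client_max_body_size 100M;

    access_log /var/log/nginx/kamaxitong_access.log;
    error_log /var/log/nginx/kamaxitong_error.log;

    # ==========================================
    # API reverse proxy -> Flask on 127.0.0.1:5000
    # ==========================================
    # "^~" stops the regex locations further down (hidden files, *.py, ...)
    # from being evaluated for API URLs: those rules protect the filesystem
    # and should neither reject nor shadow backend routes.
    location ^~ /api/ {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # The backend must only trust X-Forwarded-* if it knows it sits behind
        # exactly one proxy (e.g. werkzeug ProxyFix with x_for=1); otherwise a
        # client can spoof its own address by sending the header itself.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $server_name;
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Buffering
        proxy_buffering on;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    # ==========================================
    # Health-check endpoints (public, not logged)
    # ==========================================
    # Exact matches ("=") instead of the previous prefix matches: a prefix
    # location also matched /api/v1/health-anything and /api/v1/ping/..., so
    # arbitrary backend requests could be sent through an unlogged path.
    # nginx performs no authentication here; that is the backend's job.
    location = /api/v1/health {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        access_log off;
    }
    location = /api/v1/ping {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        access_log off;
    }

    # ==========================================
    # Static assets (CSS, JS, images)
    # ==========================================
    # Location and alias both end in "/" — required to avoid the classic
    # nginx alias path-traversal ("off-by-slash") misconfiguration.
    location /static/ {
        alias /var/www/kamaxitong/static/;
        expires 30d;
        add_header Cache-Control "public, immutable";
        # Repeated security headers (see note in the header section above).
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "0" always;
        # Gzip for static content only (no secret/reflected data -> no BREACH risk)
        gzip on;
        gzip_vary on;
        gzip_min_length 1024;
        gzip_types
            text/plain
            text/css
            text/xml
            text/javascript
            application/javascript
            application/xml+rss
            application/json;
    }

    # ==========================================
    # User uploads
    # ==========================================
    # The upload directory sits inside static/, so it is ALSO reachable as
    # /static/uploads/ through the location above. Any restriction applied
    # only to /uploads/ was bypassable; the directory is therefore served by
    # two identical locations. Keep them in sync.
    location /uploads/ {
        alias /var/www/kamaxitong/static/uploads/;
        expires 7d;
        add_header Cache-Control "public";
        # Repeated security headers (see note in the header section above).
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
        # Relax to SAMEORIGIN if uploads are legitimately embedded in frames.
        add_header X-Frame-Options DENY always;
        # nosniff matters most here: without it a browser may render an
        # uploaded file served with a generic/wrong MIME type as HTML.
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "0" always;
        # Uploaded HTML/SVG opened directly must not run script in this origin.
        # Ignored when the file is consumed as <img> or downloaded.
        add_header Content-Security-Policy "default-src 'none'; sandbox" always;
        # Optional: restrict to internal networks (mirror in /static/uploads/)
        # allow 10.0.0.0/8;
        # allow 172.16.0.0/12;
        # allow 192.168.0.0/16;
        # deny all;
    }
    # Mirror of /uploads/ for the same directory under its /static/ URL.
    location /static/uploads/ {
        alias /var/www/kamaxitong/static/uploads/;
        expires 7d;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "0" always;
        add_header Content-Security-Policy "default-src 'none'; sandbox" always;
        # allow 10.0.0.0/8;
        # allow 172.16.0.0/12;
        # allow 192.168.0.0/16;
        # deny all;
    }

    # ==========================================
    # Web frontend (SPA)
    # ==========================================
    location / {
        # Serve the file if it exists, otherwise hand the route to index.html
        # (client-side routing).
        try_files $uri $uri/ /index.html;
        # Long-lived caching for fingerprinted assets under the root.
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
            # Repeated security headers (see note in the header section above).
            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
            add_header X-Frame-Options DENY always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-XSS-Protection "0" always;
        }
    }

    # ==========================================
    # Filesystem hardening (regex locations; first match wins)
    # ==========================================
    # Hidden files and directories (.git, .env, .htaccess, ...). The previous
    # rule also blocked /.well-known/ over HTTPS (security.txt, app links,
    # TLS-ALPN/other ACME flows); that prefix is exempted. A dotfile deeper
    # inside .well-known (e.g. /.well-known/.env) is still denied because the
    # pattern matches the inner "/." as well.
    location ~ /\.(?!well-known/) {
        deny all;
        access_log off;
        log_not_found off;
    }
    # Editor backup files (*~)
    location ~ ~$ {
        deny all;
        access_log off;
        log_not_found off;
    }
    # Application directories that must never be served
    location ~ ^/(logs|instance|certs|scripts|migrations)/ {
        deny all;
        access_log off;
        log_not_found off;
    }
    # Python bytecode caches
    location ~ __pycache__/ {
        deny all;
        access_log off;
        log_not_found off;
    }
    # Python sources, databases, dumps and backups anywhere under the root.
    # Added because the directory blocklist above leaves top-level files
    # (e.g. app.py, config.py, a SQLite file) downloadable.
    location ~* \.(py|pyc|pyo|sqlite|sqlite3|db|sql|bak|log)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # ==========================================
    # Monitoring
    # ==========================================
    # stub_status exposes connection and request counters — operational
    # intelligence that must not be public. The allow/deny lines were merely
    # suggested (commented out) before, leaving the page world-readable;
    # they are now active by default. Add your monitoring host before "deny all".
    location = /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }
}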
# ==========================================
# 🔒 SSL 配置(自签名证书示例)
# ==========================================
# 如果使用自签名证书,可参考以下配置。注意:此示例把证书和私钥放在网站根目录 /var/www/kamaxitong/certs/ 下,仅靠上面的 location 拒绝规则保护;私钥不应放在 Web 根目录内,建议改为 /etc/ssl/private/ 等目录并设置为仅 root 可读(0600)。
# server {
# listen 443 ssl;
# server_name your-domain.com;
#
# ssl_certificate /var/www/kamaxitong/certs/your-domain.com.crt;
# ssl_certificate_key /var/www/kamaxitong/certs/your-domain.com.key;
#
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_prefer_server_ciphers off;
#
# location / {
# root /var/www/kamaxitong;
# proxy_pass http://127.0.0.1:5000;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
# }
# ==========================================
# 📈 性能优化配置
# ==========================================
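# Add the following to the http { } block of /etc/nginx/nginx.conf.
#
# They are commented out in this site file ON PURPOSE. This file is included
# *inside* http { } via sites-enabled/, so active copies here are http-level
# directives, and the stock nginx.conf shipped by Debian/Ubuntu already sets
# e.g. "gzip on;" and "keepalive_timeout 65;" — nginx then refuses to start
# with '"gzip" directive is duplicate'. Uncomment (or move to nginx.conf)
# only the directives your nginx.conf does not already set.
#
# Gzip compression.
# NOTE(review): compressing dynamic responses over TLS enables the BREACH
# attack when a response reflects attacker-controlled input next to a secret
# (CSRF token, session id). "gzip_proxied any" applies compression to the
# Flask API responses as well; prefer "gzip_proxied off" (or leave gzip to the
# /static/ location, which already enables it) unless the API is known to be
# safe against compression side channels.
# gzip on;
# gzip_vary on;
# gzip_min_length 1024;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_types
#     text/plain
#     text/css
#     text/xml
#     text/javascript
#     application/javascript
#     application/xml+rss
#     application/json
#     application/xml
#     image/svg+xml;
#
# Request buffers. 4 x 4k header buffers is tight for deployments with large
# cookies or JWTs in headers; raise to 8k if clients get HTTP 400/414.
# client_body_buffer_size 128k;
# client_header_buffer_size 1k;
# large_client_header_buffers 4 4k;
# client_max_body_size 100m;
#
# Timeouts (seconds) — short values limit slow-client resource exhaustion.
# client_body_timeout 12;
# client_header_timeout 12;
# keepalive_timeout 15;
# send_timeout 10;
#
# Do not advertise the nginx version in Server headers and error pages.
# server_tokens off;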