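# ============================================
# 玩玩云 (WanWanYun) Nginx configuration template
# ============================================
# Usage:
# 1. Replace your-domain.com with your actual domain name
# 2. Replace /usr/share/nginx/html with the real path of the frontend files
# 3. For a non-Docker deployment, change backend:40001 to 127.0.0.1:40001
#
# NOTE(review): this file only declares server blocks, so it is presumably
# included from the http context; a "map" for a conditional WebSocket
# Connection header (see the /api/ location) would have to live there.
# ============================================

# HTTP -> HTTPS redirect
server {
    listen 80;
    server_name your-domain.com;

    # Let's Encrypt HTTP-01 challenge; must stay reachable over plain HTTP
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Everything else goes to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# Main HTTPS server
server {
    # NOTE(review): newer nginx releases prefer "http2 on;" over the listen
    # parameter; keep the listen form if the deployed nginx predates that.
    listen 443 ssl http2;
    server_name your-domain.com;

    # ============================================
    # SSL certificate
    # ============================================
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    # TLS hardening: TLS 1.2+ with ECDHE/AEAD suites only. The cipher list
    # governs TLS 1.2; TLS 1.3 suites are negotiated separately.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Tickets disabled so resumption does not depend on a long-lived ticket key
    ssl_session_tickets off;

    # ============================================
    # Security response headers
    # ============================================
    # nginx does NOT inherit add_header into a location that declares its own
    # add_header, so this set is repeated in the static-asset location below.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # The browser XSS auditor is gone from current browsers and "1; mode=block"
    # is known to be abusable in older ones; "0" is the recommended value.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # HSTS: the port-80 server already redirects everything to HTTPS, so pin
    # that in browsers. Use a shorter max-age first if the HTTPS setup is new.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Hide the nginx version in the Server header and error pages
    server_tokens off;

    # ============================================
    # Upload size limit (10GB)
    # ============================================
    client_max_body_size 10G;

    # ============================================
    # Block hidden files and sensitive files
    # ============================================
    # "return 404" runs before the access phase, so the response is a 404
    # rather than a 403; "deny all" is kept as a belt-and-braces guard.
    # The ACME challenge path is only served by the port-80 server above,
    # so blocking /. here does not affect certificate issuance.
    location ~ /\. {
        deny all;
        return 404;
    }
    location ~ \.(env|git|config|key|pem|crt)$ {
        deny all;
        return 404;
    }

    # ============================================
    # Frontend static files
    # ============================================
    location / {
        root /usr/share/nginx/html;
        index index.html;
        try_files $uri $uri/ =404;

        # Static asset caching
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
            expires 30d;
            add_header Cache-Control "public, immutable";
            # Re-declared on purpose: add_header here replaces, rather than
            # extends, the server-level security headers.
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "0" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Strict-Transport-Security "max-age=31536000" always;
        }
    }

    # ============================================
    # Backend API reverse proxy
    # ============================================
    # NOTE(review): the regex "deny" locations above take precedence over a
    # plain prefix location, so an API path ending in e.g. ".pem" or containing
    # "/." is answered with 404 here instead of being proxied. Switch to
    # "location ^~ /api/" if the backend must serve such paths.
    location /api/ {
        proxy_pass http://backend:40001;
        proxy_http_version 1.1;
        # WebSocket upgrade passthrough. "Connection: upgrade" is sent on every
        # request; a map from $http_upgrade in the http context is the usual
        # way to send it only when an Upgrade was actually requested.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;

        # Cookie passthrough (needed for the captcha session)
        proxy_set_header Cookie $http_cookie;
        proxy_pass_header Set-Cookie;

        # Large upload timeouts (30 minutes). proxy_connect_timeout is capped
        # by nginx at about 75 seconds regardless of the value set here.
        proxy_connect_timeout 1800;
        proxy_send_timeout 1800;
        proxy_read_timeout 1800;
        send_timeout 1800;

        # Stream request/response bodies instead of spooling large uploads
        proxy_request_buffering off;
        proxy_buffering off;
        client_body_buffer_size 128k;
    }

    # ============================================
    # Share-link proxy
    # ============================================
    location /s/ {
        proxy_pass http://backend:40001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}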