vue-driven-cloud-storage/nginx/nginx.conf.example

# ============================================
# 玩玩云 Nginx 配置模板
# ============================================
# 使用说明:
# 1. 将 your-domain.com 替换为你的实际域名
# 2. 将 /usr/share/nginx/html 替换为前端文件实际路径
# 3. 如使用非 Docker 部署，将 backend:40001 改为 127.0.0.1:40001
# ============================================

# HTTP 重定向到 HTTPS
server {
    listen 80;
    server_name your-domain.com;

    # Let's Encrypt 验证
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # 重定向到 HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# HTTPS 主配置
server {
    listen 443 ssl http2;
    server_name your-domain.com;

    # ============================================
    # SSL 证书配置
    # ============================================
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    # SSL 安全配置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # ============================================
    # 安全响应头
    # ============================================
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # 隐藏 Nginx 版本
    server_tokens off;

    # ============================================
    # 上传文件大小限制（10GB）
    # ============================================
    client_max_body_size 10G;

    # ============================================
    # 禁止访问隐藏文件和敏感文件
    # ============================================
    location ~ /\. {
        deny all;
        return 404;
    }

    location ~ \.(env|git|config|key|pem|crt)$ {
        deny all;
        return 404;
    }

    # ============================================
    # 前端静态文件
    # ============================================
    location / {
        root /usr/share/nginx/html;
        index index.html;
        try_files $uri $uri/ =404;

        # 静态资源缓存
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
            expires 30d;
            add_header Cache-Control "public, immutable";
        }
    }

    # ============================================
    # 后端 API 反向代理
    # ============================================
    location /api/ {
        proxy_pass http://backend:40001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;

        # Cookie 传递配置（验证码 session 需要）
        proxy_set_header Cookie $http_cookie;
        proxy_pass_header Set-Cookie;

        # 大文件上传超时配置（30分钟）
        proxy_connect_timeout 1800;
        proxy_send_timeout 1800;
        proxy_read_timeout 1800;
        send_timeout 1800;

        # 大文件上传缓冲优化
        proxy_request_buffering off;
        proxy_buffering off;
        client_body_buffer_size 128k;
    }

    # ============================================
    # 分享链接代理
    # ============================================
    location /s/ {
        proxy_pass http://backend:40001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}