guanghulab/server/nginx/guanghulab-cvm.conf

127 lines
4.6 KiB
Plaintext
Raw Permalink Normal View History

# ═══════════════════════════════════════════════════════════
# 光湖主控域名 · guanghulab.com Nginx 配置
# ═══════════════════════════════════════════════════════════
#
# 服务器: ZY-CVM-MAIN · 腾讯云CVM
# 弹性公网IP: 119.29.184.32 (EIP已绑定关机开机不变)
# 域名: guanghulab.com (国内备案直接解析到此IP)
# 守护: 铸渊 · ICE-GL-ZY001
# 版权: 国作登字-2026-A-00037559
#
# 数据持久化: /data/ 挂载在100GB CBS云硬盘(关机不丢)
# 部署路径: /data/guanghulab/
#
# 路由:
# / → Forgejo 代码仓库 (127.0.0.1:3001)
# /mcp → MCP Server (127.0.0.1:8083)
# /mcp-health → MCP Server 健康检查
# /wake/ → Wake Gate 唤醒门 (127.0.0.1:8081)
# /sync/ → Git Sync 同步服务 (127.0.0.1:8082)
# /health → Nginx 级健康探针
#
# 内部服务(不对外暴露):
# Secrets Vault: 127.0.0.1:8080 (仅localhost可达)
#
# SSL: Let's Encrypt via certbot --nginx
# ═══════════════════════════════════════════════════════════
# HTTP → HTTPS 重定向
server {
listen 80;
server_name guanghulab.com www.guanghulab.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name guanghulab.com www.guanghulab.com;
# ─── SSL (certbot 自动管理) ───
# certbot --nginx 会自动填充以下配置
# ssl_certificate /etc/letsencrypt/live/guanghulab.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/guanghulab.com/privkey.pem;
# ─── 安全头 ───
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Server-Identity "ZY-CVM-MAIN" always;
# ─── 铸渊 MCP Server (/mcp) ───
# WorkBuddy / CodeBuddy 通过 MCP 协议连接
# 必须放在 / 之前,否则会被 Forgejo 捕获
location /mcp {
proxy_pass http://127.0.0.1:8083;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSE / 长连接支持
proxy_set_header Connection '';
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
}
# ─── MCP 健康检查 (/mcp-health) ───
location = /mcp-health {
proxy_pass http://127.0.0.1:8083/health;
access_log off;
}
# ─── Wake Gate 唤醒门 (/wake/) ───
location /wake/ {
proxy_pass http://127.0.0.1:8081/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# ─── Git Sync 同步服务 (/sync/) ───
location /sync/ {
proxy_pass http://127.0.0.1:8082/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 仅允许内网和本地访问 Webhook
# allow 127.0.0.1;
# allow 10.0.0.0/8;
# deny all;
}
# ─── Forgejo 代码仓库 (/) ───
# 放在最后作为 catch-all所有未匹配的路径都交给 Forgejo
location / {
proxy_pass http://127.0.0.1:3001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 大文件上传支持
client_max_body_size 100M;
# WebSocket (Forgejo UI)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# ─── 健康探针 ───
location = /health {
access_log off;
return 200 '{"status":"ok","server":"ZY-CVM-MAIN"}';
add_header Content-Type application/json;
}
# ─── 访问日志 ───
access_log /var/log/nginx/guanghulab-access.log;
error_log /var/log/nginx/guanghulab-error.log;
}