# ═══════════════════════════════════════════════════════════ # 光湖主控域名 · guanghulab.com Nginx 配置 # ═══════════════════════════════════════════════════════════ # # 服务器: ZY-CVM-MAIN · 腾讯云CVM # 弹性公网IP: 119.29.184.32 (EIP已绑定,关机开机不变) # 域名: guanghulab.com (国内备案,直接解析到此IP) # 守护: 铸渊 · ICE-GL-ZY001 # 版权: 国作登字-2026-A-00037559 # # 数据持久化: /data/ 挂载在100GB CBS云硬盘(关机不丢) # 部署路径: /data/guanghulab/ # # 路由: # / → Forgejo 代码仓库 (127.0.0.1:3001) # /mcp → MCP Server (127.0.0.1:8083) # /mcp-health → MCP Server 健康检查 # /wake/ → Wake Gate 唤醒门 (127.0.0.1:8081) # /sync/ → Git Sync 同步服务 (127.0.0.1:8082) # /health → Nginx 级健康探针 # # 内部服务(不对外暴露): # Secrets Vault: 127.0.0.1:8080 (仅localhost可达) # # SSL: Let's Encrypt via certbot --nginx # ═══════════════════════════════════════════════════════════ # HTTP → HTTPS 重定向 server { listen 80; server_name guanghulab.com www.guanghulab.com; return 301 https://$host$request_uri; } server { listen 443 ssl; server_name guanghulab.com www.guanghulab.com; # ─── SSL (certbot 自动管理) ─── # certbot --nginx 会自动填充以下配置 # ssl_certificate /etc/letsencrypt/live/guanghulab.com/fullchain.pem; # ssl_certificate_key /etc/letsencrypt/live/guanghulab.com/privkey.pem; # ─── 安全头 ─── add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Server-Identity "ZY-CVM-MAIN" always; # ─── 铸渊 MCP Server (/mcp) ─── # WorkBuddy / CodeBuddy 通过 MCP 协议连接 # 必须放在 / 之前,否则会被 Forgejo 捕获 location /mcp { proxy_pass http://127.0.0.1:8083; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # SSE / 长连接支持 proxy_set_header Connection ''; proxy_buffering off; proxy_cache off; proxy_read_timeout 86400s; proxy_send_timeout 86400s; } # ─── MCP 健康检查 (/mcp-health) ─── location = /mcp-health { proxy_pass http://127.0.0.1:8083/health; access_log off; } # ─── Wake Gate 唤醒门 (/wake/) ─── location /wake/ { proxy_pass http://127.0.0.1:8081/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # ─── Git Sync 同步服务 (/sync/) ─── location /sync/ { proxy_pass http://127.0.0.1:8082/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 仅允许内网和本地访问 Webhook # allow 127.0.0.1; # allow 10.0.0.0/8; # deny all; } # ─── Forgejo 代码仓库 (/) ─── # 放在最后作为 catch-all,所有未匹配的路径都交给 Forgejo location / { proxy_pass http://127.0.0.1:3001; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 大文件上传支持 client_max_body_size 100M; # WebSocket (Forgejo UI) proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # ─── 健康探针 ─── location = /health { access_log off; return 200 '{"status":"ok","server":"ZY-CVM-MAIN"}'; add_header Content-Type application/json; } # ─── 访问日志 ─── access_log /var/log/nginx/guanghulab-access.log; error_log /var/log/nginx/guanghulab-error.log; }