# Sovereign: TCS-0002∞ · 国作登字-2026-A-00037559 # 守护: 铸渊 · ICE-GL-ZY001 # guanghulab.com · nginx 站点配置 · 由 domain-cn/bootstrap.sh 渲染 # # Placeholder substitutions (awk · 执行时替换): # __DOMAIN__ → guanghulab.com # __PORTAL_PORT__ → 3000 (默认) # __VAULT_PORT__ → 8080 (默认 · PR-5 secrets-vault) # __NGINX_WORKER_CONN__ → 512 (tiny) / 1024 (small) ... # # Conditional blocks (markers MUST be on their own line, exact form): # between SSL-BEGIN and SSL-END → 仅 USE_SSL=1 时启用 # between NOSSL-BEGIN and NOSSL-END → 仅 USE_SSL=0 时启用 # (markers themselves在最终输出里被 awk 删掉) server { listen 80; listen [::]:80; server_name __DOMAIN__ www.__DOMAIN__; # ACME challenge (certbot 续期用, 不能 301) location /.well-known/acme-challenge/ { root /var/www/html; } # 健康检查 (不依赖 portal 起没起) location = /__healthz { access_log off; default_type application/json; return 200 '{"status":"ok","server":"GH-CVM-DOMAIN-PROD-01","port":80}'; } # __SSL_BEGIN__ # # LE 证书在时, 其他路径全部跳 HTTPS # location / { # return 301 https://$host$request_uri; # } # __SSL_END__ # __NOSSL_BEGIN__ # # LE 证书暂不在时, 80 端口直接返回占位 # location = / { # default_type text/html; # return 200 '__DOMAIN__

__DOMAIN__ · domain-cn bootstrap 已完成

当前 LE 证书未恢复, HTTPS 暂未启用. 冰朔从备份恢复 /etc/letsencrypt/ 后 reload nginx 即可.

'; # } # __NOSSL_END__ } # __SSL_BEGIN__ # server { # listen 443 ssl http2; # listen [::]:443 ssl http2; # server_name __DOMAIN__ www.__DOMAIN__; # # ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem; # ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem; # ssl_protocols TLSv1.2 TLSv1.3; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_session_cache shared:SSL:5m; # ssl_session_timeout 1h; # # # 安全头 (基础, 不用 strict 防 PR-4 portal 调试时被坑) # add_header X-Content-Type-Options "nosniff" always; # add_header X-Frame-Options "SAMEORIGIN" always; # # access_log /data/guanghulab/logs/nginx/access.log; # error_log /data/guanghulab/logs/nginx/error.log; # # # 静态资源 (字体/JS/CSS) 直接 nginx 服务, 不走 Express, 减负 # # 部署时由 deploy-domain-server.yml rsync frontend/lighthouse-portal/assets → /data/guanghulab/portal/static/ # location ^~ /_static/ { # alias /data/guanghulab/portal/static/; # access_log off; # expires 7d; # add_header Cache-Control "public, max-age=604800, immutable"; # try_files $uri =404; # } # # # 健康检查 # location = /__healthz { # access_log off; # default_type application/json; # return 200 '{"status":"ok","server":"GH-CVM-DOMAIN-PROD-01","tls":"on"}'; # } # # # PR-5 自部署密钥管理页 · /admin/* (vault on 127.0.0.1:__VAULT_PORT__) # # # # 三层守: (1) allow 127.0.0.1; deny all; (公网/任何远端 IP 直接 403) # # (2) basic-auth (htpasswd) — 凭据在 _logs/vault-credentials-FIRST-BOOT.txt # # (3) 上游 vault 只 bind 127.0.0.1:__VAULT_PORT__ # # 冰朔访问方式: ssh -L 8443:127.0.0.1:443 ubuntu@ # # 浏览器 https://localhost:8443/admin/ # # (注: 走 ssh 隧道时 nginx 看到的来源是 127.0.0.1, 通过) # # # # 健康端点 (/admin/__healthz) 也走同一份 ACL, 没意义对外暴露 # location /admin/ { # allow 127.0.0.1; # allow ::1; # deny all; # # auth_basic "guanghulab admin"; # auth_basic_user_file /etc/nginx/.htpasswd_admin; # # proxy_pass http://127.0.0.1:__VAULT_PORT__; # proxy_http_version 1.1; # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # proxy_buffering off; # proxy_read_timeout 60s; # proxy_send_timeout 60s; # } # # # Portal 反代 (/ + /api/* 全部走 portal). 注意 SSE 必需配置. # location / { # proxy_pass http://127.0.0.1:__PORTAL_PORT__; # proxy_http_version 1.1; # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # proxy_set_header Upgrade $http_upgrade; # proxy_set_header Connection "upgrade"; # proxy_buffering off; # SSE 必需 — 不缓冲, 字节级直发 (cc-002) # proxy_cache off; # proxy_read_timeout 300s; # proxy_send_timeout 300s; # proxy_buffer_size 8k; # proxy_buffers 4 16k; # } # } # __SSL_END__