guanghulab/server/nginx/guanghulab-cvm.conf
Guanghu Domestic Migration d1e47f4565
Some checks are pending
自动更新代码和重启 / update-and-restart (push) Waiting to run
CI检查 + 自动部署 / check (push) Waiting to run
CI检查 + 自动部署 / deploy (push) Blocked by required conditions
重启聊天服务 / restart (push) Waiting to run
chore: import sanitized domestic snapshot for REPO-002
Source snapshot: ca48d3ddf926d79aa138306164169baf764bb829
2026-07-17 15:54:41 +08:00

127 lines
4.6 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ═══════════════════════════════════════════════════════════
# 光湖主控域名 · guanghulab.com Nginx 配置
# ═══════════════════════════════════════════════════════════
#
# 服务器: ZY-CVM-MAIN · 腾讯云CVM
# 弹性公网IP: 119.29.184.32 (EIP已绑定关机开机不变)
# 域名: guanghulab.com (国内备案直接解析到此IP)
# 守护: 铸渊 · ICE-GL-ZY001
# 版权: 国作登字-2026-A-00037559
#
# 数据持久化: /data/ 挂载在100GB CBS云硬盘(关机不丢)
# 部署路径: /data/guanghulab/
#
# 路由:
# / → Forgejo 代码仓库 (127.0.0.1:3001)
# /mcp → MCP Server (127.0.0.1:8083)
# /mcp-health → MCP Server 健康检查
# /wake/ → Wake Gate 唤醒门 (127.0.0.1:8081)
# /sync/ → Git Sync 同步服务 (127.0.0.1:8082)
# /health → Nginx 级健康探针
#
# 内部服务(不对外暴露):
# Secrets Vault: 127.0.0.1:8080 (仅localhost可达)
#
# SSL: Let's Encrypt via certbot --nginx
# ═══════════════════════════════════════════════════════════
# HTTP → HTTPS 重定向
server {
listen 80;
server_name guanghulab.com www.guanghulab.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name guanghulab.com www.guanghulab.com;
# ─── SSL (certbot 自动管理) ───
# certbot --nginx 会自动填充以下配置
# ssl_certificate /etc/letsencrypt/live/guanghulab.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/guanghulab.com/privkey.pem;
# ─── 安全头 ───
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Server-Identity "ZY-CVM-MAIN" always;
# ─── 铸渊 MCP Server (/mcp) ───
# WorkBuddy / CodeBuddy 通过 MCP 协议连接
# 必须放在 / 之前,否则会被 Forgejo 捕获
location /mcp {
proxy_pass http://127.0.0.1:8083;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSE / 长连接支持
proxy_set_header Connection '';
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
}
# ─── MCP 健康检查 (/mcp-health) ───
location = /mcp-health {
proxy_pass http://127.0.0.1:8083/health;
access_log off;
}
# ─── Wake Gate 唤醒门 (/wake/) ───
location /wake/ {
proxy_pass http://127.0.0.1:8081/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# ─── Git Sync 同步服务 (/sync/) ───
location /sync/ {
proxy_pass http://127.0.0.1:8082/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 仅允许内网和本地访问 Webhook
# allow 127.0.0.1;
# allow 10.0.0.0/8;
# deny all;
}
# ─── Forgejo 代码仓库 (/) ───
# 放在最后作为 catch-all所有未匹配的路径都交给 Forgejo
location / {
proxy_pass http://127.0.0.1:3001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 大文件上传支持
client_max_body_size 100M;
# WebSocket (Forgejo UI)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# ─── 健康探针 ───
location = /health {
access_log off;
return 200 '{"status":"ok","server":"ZY-CVM-MAIN"}';
add_header Content-Type application/json;
}
# ─── 访问日志 ───
access_log /var/log/nginx/guanghulab-access.log;
error_log /var/log/nginx/guanghulab-error.log;
}