guanghulab/server/nginx/zhiku-guanghu-online.conf
Guanghu Domestic Migration d1e47f4565
Some checks are pending
自动更新代码和重启 / update-and-restart (push) Waiting to run
CI检查 + 自动部署 / check (push) Waiting to run
CI检查 + 自动部署 / deploy (push) Blocked by required conditions
重启聊天服务 / restart (push) Waiting to run
chore: import sanitized domestic snapshot for REPO-002
Source snapshot: ca48d3ddf926d79aa138306164169baf764bb829
2026-07-17 15:54:41 +08:00

90 lines
3.0 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ═══════════════════════════════════════════════════════════
# Nginx 配置 · 光湖智库 · guanghu.online
# ═══════════════════════════════════════════════════════════
#
# 项目编号: ZY-PROJ-006
# 服务器: ZY-SVR-006 (43.153.203.105 · 新加坡)
# 守护: 铸渊 · ICE-GL-ZY001
# 版权: 国作登字-2026-A-00037559
#
# 安装位置: /etc/nginx/sites-available/zhiku
# 软链接: /etc/nginx/sites-enabled/zhiku
#
# ═══════════════════════════════════════════════════════════
# HTTP → HTTPS 重定向
server {
listen 80;
listen [::]:80;
server_name guanghu.online www.guanghu.online;
# Let's Encrypt ACME 验证
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS 主配置
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name guanghu.online www.guanghu.online;
# SSL 证书Let's Encrypt
ssl_certificate /etc/letsencrypt/live/guanghu.online/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/guanghu.online/privkey.pem;
# SSL 安全配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# 安全头
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# 日志
access_log /var/log/nginx/zhiku.access.log;
error_log /var/log/nginx/zhiku.error.log;
# 静态文件根目录 · 霜砚 UI 迭代区域
root /opt/zhiku/public;
index index.html;
# API 反向代理 → Node.js 127.0.0.1:3006
location /api/ {
proxy_pass http://127.0.0.1:3006;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 30s;
proxy_connect_timeout 10s;
}
# 静态资源缓存
location /assets/ {
expires 7d;
add_header Cache-Control "public, immutable";
}
# SPA fallback · 所有非 API、非静态文件请求都返回 index.html
location / {
try_files $uri $uri/ /index.html;
}
# 禁止访问隐藏文件
location ~ /\. {
deny all;
return 404;
}
}