guanghulab/server/setup/domain-cn/nginx/guanghulab.conf.template
Guanghu Domestic Migration d1e47f4565
Some checks failed
自动更新代码和重启 / update-and-restart (push) Has been cancelled
CI检查 + 自动部署 / check (push) Has been cancelled
重启聊天服务 / restart (push) Has been cancelled
CI检查 + 自动部署 / deploy (push) Has been cancelled
chore: import sanitized domestic snapshot for REPO-002
Source snapshot: ca48d3ddf926d79aa138306164169baf764bb829
2026-07-17 15:54:41 +08:00

134 lines
5.1 KiB
Plaintext

# Sovereign: TCS-0002∞ · 国作登字-2026-A-00037559
# 守护: 铸渊 · ICE-GL-ZY001
# guanghulab.com · nginx 站点配置 · 由 domain-cn/bootstrap.sh 渲染
#
# Placeholder substitutions (awk · 执行时替换):
# __DOMAIN__ → guanghulab.com
# __PORTAL_PORT__ → 3000 (默认)
# __VAULT_PORT__ → 8080 (默认 · PR-5 secrets-vault)
# __NGINX_WORKER_CONN__ → 512 (tiny) / 1024 (small) ...
#
# Conditional blocks (markers MUST be on their own line, exact form):
# between SSL-BEGIN and SSL-END → 仅 USE_SSL=1 时启用
# between NOSSL-BEGIN and NOSSL-END → 仅 USE_SSL=0 时启用
# (markers themselves在最终输出里被 awk 删掉)
server {
listen 80;
listen [::]:80;
server_name __DOMAIN__ www.__DOMAIN__;
# ACME challenge (certbot 续期用, 不能 301)
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# 健康检查 (不依赖 portal 起没起)
location = /__healthz {
access_log off;
default_type application/json;
return 200 '{"status":"ok","server":"GH-CVM-DOMAIN-PROD-01","port":80}';
}
# __SSL_BEGIN__
# # LE 证书在时, 其他路径全部跳 HTTPS
# location / {
# return 301 https://$host$request_uri;
# }
# __SSL_END__
# __NOSSL_BEGIN__
# # LE 证书暂不在时, 80 端口直接返回占位
# location = / {
# default_type text/html;
# return 200 '<!doctype html><html lang="zh-CN"><head><meta charset="utf-8"><title>__DOMAIN__</title></head><body><h1>__DOMAIN__ · domain-cn bootstrap 已完成</h1><p>当前 LE 证书未恢复, HTTPS 暂未启用. 冰朔从备份恢复 /etc/letsencrypt/ 后 reload nginx 即可.</p></body></html>';
# }
# __NOSSL_END__
}
# __SSL_BEGIN__
# server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name __DOMAIN__ www.__DOMAIN__;
#
# ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_session_cache shared:SSL:5m;
# ssl_session_timeout 1h;
#
# # 安全头 (基础, 不用 strict 防 PR-4 portal 调试时被坑)
# add_header X-Content-Type-Options "nosniff" always;
# add_header X-Frame-Options "SAMEORIGIN" always;
#
# access_log /data/guanghulab/logs/nginx/access.log;
# error_log /data/guanghulab/logs/nginx/error.log;
#
# # 静态资源 (字体/JS/CSS) 直接 nginx 服务, 不走 Express, 减负
# # 部署时由 deploy-domain-server.yml rsync frontend/lighthouse-portal/assets → /data/guanghulab/portal/static/
# location ^~ /_static/ {
# alias /data/guanghulab/portal/static/;
# access_log off;
# expires 7d;
# add_header Cache-Control "public, max-age=604800, immutable";
# try_files $uri =404;
# }
#
# # 健康检查
# location = /__healthz {
# access_log off;
# default_type application/json;
# return 200 '{"status":"ok","server":"GH-CVM-DOMAIN-PROD-01","tls":"on"}';
# }
#
# # PR-5 自部署密钥管理页 · /admin/* (vault on 127.0.0.1:__VAULT_PORT__)
# #
# # 三层守: (1) allow 127.0.0.1; deny all; (公网/任何远端 IP 直接 403)
# # (2) basic-auth (htpasswd) — 凭据在 _logs/vault-credentials-FIRST-BOOT.txt
# # (3) 上游 vault 只 bind 127.0.0.1:__VAULT_PORT__
# # 冰朔访问方式: ssh -L 8443:127.0.0.1:443 ubuntu@<host>
# # 浏览器 https://localhost:8443/admin/
# # (注: 走 ssh 隧道时 nginx 看到的来源是 127.0.0.1, 通过)
# #
# # 健康端点 (/admin/__healthz) 也走同一份 ACL, 没意义对外暴露
# location /admin/ {
# allow 127.0.0.1;
# allow ::1;
# deny all;
#
# auth_basic "guanghulab admin";
# auth_basic_user_file /etc/nginx/.htpasswd_admin;
#
# proxy_pass http://127.0.0.1:__VAULT_PORT__;
# proxy_http_version 1.1;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_buffering off;
# proxy_read_timeout 60s;
# proxy_send_timeout 60s;
# }
#
# # Portal 反代 (/ + /api/* 全部走 portal). 注意 SSE 必需配置.
# location / {
# proxy_pass http://127.0.0.1:__PORTAL_PORT__;
# proxy_http_version 1.1;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_buffering off; # SSE 必需 — 不缓冲, 字节级直发 (cc-002)
# proxy_cache off;
# proxy_read_timeout 300s;
# proxy_send_timeout 300s;
# proxy_buffer_size 8k;
# proxy_buffers 4 16k;
# }
# }
# __SSL_END__