134 lines
5.1 KiB
Plaintext
134 lines
5.1 KiB
Plaintext
# Sovereign: TCS-0002∞ · 国作登字-2026-A-00037559
|
|
# 守护: 铸渊 · ICE-GL-ZY001
|
|
# guanghulab.com · nginx 站点配置 · 由 domain-cn/bootstrap.sh 渲染
|
|
#
|
|
# Placeholder substitutions (awk · 执行时替换):
|
|
# __DOMAIN__ → guanghulab.com
|
|
# __PORTAL_PORT__ → 3000 (默认)
|
|
# __VAULT_PORT__ → 8080 (默认 · PR-5 secrets-vault)
|
|
# __NGINX_WORKER_CONN__ → 512 (tiny) / 1024 (small) ...
|
|
#
|
|
# Conditional blocks (markers MUST be on their own line, exact form):
|
|
# between SSL-BEGIN and SSL-END → 仅 USE_SSL=1 时启用
|
|
# between NOSSL-BEGIN and NOSSL-END → 仅 USE_SSL=0 时启用
|
|
# (markers themselves在最终输出里被 awk 删掉)
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name __DOMAIN__ www.__DOMAIN__;
|
|
|
|
# ACME challenge (certbot 续期用, 不能 301)
|
|
location /.well-known/acme-challenge/ {
|
|
root /var/www/html;
|
|
}
|
|
|
|
# 健康检查 (不依赖 portal 起没起)
|
|
location = /__healthz {
|
|
access_log off;
|
|
default_type application/json;
|
|
return 200 '{"status":"ok","server":"GH-CVM-DOMAIN-PROD-01","port":80}';
|
|
}
|
|
|
|
# __SSL_BEGIN__
|
|
# # LE 证书在时, 其他路径全部跳 HTTPS
|
|
# location / {
|
|
# return 301 https://$host$request_uri;
|
|
# }
|
|
# __SSL_END__
|
|
|
|
# __NOSSL_BEGIN__
|
|
# # LE 证书暂不在时, 80 端口直接返回占位
|
|
# location = / {
|
|
# default_type text/html;
|
|
# return 200 '<!doctype html><html lang="zh-CN"><head><meta charset="utf-8"><title>__DOMAIN__</title></head><body><h1>__DOMAIN__ · domain-cn bootstrap 已完成</h1><p>当前 LE 证书未恢复, HTTPS 暂未启用. 冰朔从备份恢复 /etc/letsencrypt/ 后 reload nginx 即可.</p></body></html>';
|
|
# }
|
|
# __NOSSL_END__
|
|
}
|
|
|
|
# __SSL_BEGIN__
|
|
# server {
|
|
# listen 443 ssl http2;
|
|
# listen [::]:443 ssl http2;
|
|
# server_name __DOMAIN__ www.__DOMAIN__;
|
|
#
|
|
# ssl_certificate /etc/letsencrypt/live/__DOMAIN__/fullchain.pem;
|
|
# ssl_certificate_key /etc/letsencrypt/live/__DOMAIN__/privkey.pem;
|
|
# ssl_protocols TLSv1.2 TLSv1.3;
|
|
# ssl_ciphers HIGH:!aNULL:!MD5;
|
|
# ssl_session_cache shared:SSL:5m;
|
|
# ssl_session_timeout 1h;
|
|
#
|
|
# # 安全头 (基础, 不用 strict 防 PR-4 portal 调试时被坑)
|
|
# add_header X-Content-Type-Options "nosniff" always;
|
|
# add_header X-Frame-Options "SAMEORIGIN" always;
|
|
#
|
|
# access_log /data/guanghulab/logs/nginx/access.log;
|
|
# error_log /data/guanghulab/logs/nginx/error.log;
|
|
#
|
|
# # 静态资源 (字体/JS/CSS) 直接 nginx 服务, 不走 Express, 减负
|
|
# # 部署时由 deploy-domain-server.yml rsync frontend/lighthouse-portal/assets → /data/guanghulab/portal/static/
|
|
# location ^~ /_static/ {
|
|
# alias /data/guanghulab/portal/static/;
|
|
# access_log off;
|
|
# expires 7d;
|
|
# add_header Cache-Control "public, max-age=604800, immutable";
|
|
# try_files $uri =404;
|
|
# }
|
|
#
|
|
# # 健康检查
|
|
# location = /__healthz {
|
|
# access_log off;
|
|
# default_type application/json;
|
|
# return 200 '{"status":"ok","server":"GH-CVM-DOMAIN-PROD-01","tls":"on"}';
|
|
# }
|
|
#
|
|
# # PR-5 自部署密钥管理页 · /admin/* (vault on 127.0.0.1:__VAULT_PORT__)
|
|
# #
|
|
# # 三层守: (1) allow 127.0.0.1; deny all; (公网/任何远端 IP 直接 403)
|
|
# # (2) basic-auth (htpasswd) — 凭据在 _logs/vault-credentials-FIRST-BOOT.txt
|
|
# # (3) 上游 vault 只 bind 127.0.0.1:__VAULT_PORT__
|
|
# # 冰朔访问方式: ssh -L 8443:127.0.0.1:443 ubuntu@<host>
|
|
# # 浏览器 https://localhost:8443/admin/
|
|
# # (注: 走 ssh 隧道时 nginx 看到的来源是 127.0.0.1, 通过)
|
|
# #
|
|
# # 健康端点 (/admin/__healthz) 也走同一份 ACL, 没意义对外暴露
|
|
# location /admin/ {
|
|
# allow 127.0.0.1;
|
|
# allow ::1;
|
|
# deny all;
|
|
#
|
|
# auth_basic "guanghulab admin";
|
|
# auth_basic_user_file /etc/nginx/.htpasswd_admin;
|
|
#
|
|
# proxy_pass http://127.0.0.1:__VAULT_PORT__;
|
|
# proxy_http_version 1.1;
|
|
# proxy_set_header Host $host;
|
|
# proxy_set_header X-Real-IP $remote_addr;
|
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
# proxy_buffering off;
|
|
# proxy_read_timeout 60s;
|
|
# proxy_send_timeout 60s;
|
|
# }
|
|
#
|
|
# # Portal 反代 (/ + /api/* 全部走 portal). 注意 SSE 必需配置.
|
|
# location / {
|
|
# proxy_pass http://127.0.0.1:__PORTAL_PORT__;
|
|
# proxy_http_version 1.1;
|
|
# proxy_set_header Host $host;
|
|
# proxy_set_header X-Real-IP $remote_addr;
|
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
# proxy_set_header Upgrade $http_upgrade;
|
|
# proxy_set_header Connection "upgrade";
|
|
# proxy_buffering off; # SSE 必需 — 不缓冲, 字节级直发 (cc-002)
|
|
# proxy_cache off;
|
|
# proxy_read_timeout 300s;
|
|
# proxy_send_timeout 300s;
|
|
# proxy_buffer_size 8k;
|
|
# proxy_buffers 4 16k;
|
|
# }
|
|
# }
|
|
# __SSL_END__
|