yizhisec/forge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: 🎉 complete maker nginx(app)

Browse Source
This commit is contained in:
zhaoyupeng
2025-11-26 21:03:41 +08:00
parent 4ec58ce4e5
commit 11523e3e48
26 changed files with 1458 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

242
pkg/resource/nginx/client.conf Normal file
View File

@@ -0,0 +1,242 @@
upstream hs-client-server {
least_conn;
server client-service:9129 max_fails=3 fail_timeout=10s;
}
upstream hs-client-without-auth-server {
least_conn;
server client-service:9024 max_fails=3 fail_timeout=10s;
}
upstream hs-client-message-server {
least_conn;
server client-service:9025 max_fails=3 fail_timeout=10s;
}
server {
listen 443 ssl
proxy_protocol;
server_name hs-client-api-server hs.client.api.server;
ssl_certificate /etc/nginx/ssl/client.server.crt;
ssl_certificate_key /etc/nginx/ssl/client.server.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
client_max_body_size 50M;
location /api/v1/pkg/archive {
proxy_pass http://u-api-service/api/v2_2/client/download/check;
}
location /api/ {
proxy_pass http://hs-client-server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /api/v1/ {
proxy_pass http://hs-client-without-auth-server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /api/v1/dl/ {
proxy_pass http://hs-client-without-auth-server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /api/v2/admin/ {
proxy_pass http://hs-client-message-server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
# location /app-store {
# auth_request /app-store-auth;
# rewrite ^/app-store(.*)$ $1 break;
# proxy_pass http://hs-resource-server:19980;
# proxy_http_version 1.1;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $proxy_protocol_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_read_timeout 300s;
# }
location /app-store-auth {
internal;
proxy_pass http://hs-client-server/auth$request_uri;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-IP $remote_addr;
proxy_set_header Query-Data $http_query_data;
}
# location /wm/api {
# proxy_pass http://hs-watermark-server;
# proxy_http_version 1.1;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $proxy_protocol_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_read_timeout 300s;
# }
location /static/config/ {
alias /static/config/;
}
location /static/resource/ {
alias /static/resource/;
}
location /user/avatar/ {
alias /static/avatar/;
add_header Cache-Control public;
}
}
server {
listen 443 ssl proxy_protocol;
server_name hs-client-update-server hs.client.update.server;
ssl_certificate /etc/nginx/ssl/client.server.crt;
ssl_certificate_key /etc/nginx/ssl/client.server.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
client_max_body_size 50M;
# location /api/v1/pkg/config/setup {
# proxy_pass http://u-api-service/api/v2_2/client/download/version;
# }
location /api/v1/pkg/archive {
proxy_pass http://u-api-service/api/v2_2/client/download/check;
}
location /api/v1/pkg/archive/version {
proxy_pass http://u-api-service/api/v2_2/client/download/version;
}
location /static/config/rc.json {
proxy_pass http://u-api-service/api/v2_2/client/rc/json?os=win;
}
location = /api/v1/version {
proxy_pass http://hs-client-without-auth-server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /api/v1/pkg {
proxy_pass http://hs-client-without-auth-server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /api/v1/dl/ {
proxy_pass http://hs-client-without-auth-server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /user/avatar/ {
alias /static/avatar/;
expires 7d;
add_header Cache-Control public;
}
location /static/config/ {
alias /static/config/;
}
location /static/resource/ {
alias /static/resource/;
}
}
server {
listen 9118 ssl
proxy_protocol;
ssl_certificate /etc/nginx/ssl/client.server.crt;
ssl_certificate_key /etc/nginx/ssl/client.server.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
client_max_body_size 50M;
location = /api/v1/version {
proxy_pass http://hs-client-without-auth-server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /api/v1/pkg {
proxy_pass http://hs-client-without-auth-server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /api/v1/dl/ {
proxy_pass http://hs-client-without-auth-server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
}

213
pkg/resource/nginx/common.conf Normal file
View File

@@ -0,0 +1,213 @@
ssl_certificate /etc/nginx/ssl/web.server.crt;
ssl_certificate_key /etc/nginx/ssl/web.server.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/ssl/ffdhe2048.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
client_header_buffer_size 1k;
client_max_body_size 50M;
location = /token_auth {
internal;
proxy_pass http://hs-api/api/tokenauth;
proxy_http_version 1.1;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
location /client/dl/android {
proxy_set_header Cookie $http_cookie;
default_type application/octet-stream;
alias /static/client/android;
if ($arg_attname ~ "^(.+)") {
add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
}
}
location /client/dl/ {
# remove download client auth verify
# auth_request /token_auth;
proxy_set_header Cookie $http_cookie;
default_type application/octet-stream;
alias /static/client/;
if ($arg_attname ~ "^(.+)") {
add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
}
}
location /user/avatar/ {
auth_request /token_auth;
proxy_set_header Cookie $http_cookie;
alias /static/avatar/;
expires 7d;
add_header Cache-Control public;
}
location /file/share/ {
auth_request /token_auth;
proxy_set_header Cookie $http_cookie;
alias /static/share_file/;
if ($arg_attname ~ "^(.+)") {
add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
}
}
location /file/public/ {
auth_request /token_auth;
proxy_set_header Cookie $http_cookie;
alias /static/public_folder/;
if ($arg_attname ~ "^(.+)") {
add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
}
}
location /file/clipboard/ {
auth_request /token_auth;
proxy_set_header Cookie $http_cookie;
alias /static/clipboard_file/;
}
location /file/uploaded/ {
auth_request /token_auth;
proxy_set_header Cookie $http_cookie;
alias /static/uploaded_files/;
if ($arg_attname ~ "^(.+)") {
add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
}
}
location /resource/update_log.csv {
auth_request /token_auth;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Cookie $http_cookie;
default_type application/octet-stream;
alias /static/resource/update_log.csv;
}
location /resource/update_timestamp.txt {
auth_request /token_auth;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Cookie $http_cookie;
default_type application/octet-stream;
alias /static/resource/update_timestamp.txt;
}
location /resource/ {
default_type application/octet-stream;
alias /static/resource/;
}
location /api/ {
proxy_pass http://hs-api;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
# location /network-disk {
# set $arg_token ''; # 声明 $arg_token 变量
# if ($args ~* "token=(.*?)(&|$)") {
# set $arg_token $1;
# }
# auth_request /token_auth;
# set $auth $http_authorization;
# if ($http_authorization = "") {
# set $auth "token $arg_authorization";
# }
# rewrite ^/network-disk(.*)$ $1 break;
# proxy_pass http://hs-resource-server:19980;
# proxy_http_version 1.1;
# proxy_set_header Authorization $auth;
# }
# location /app-store {
# set $arg_token ''; # 声明 $arg_token 变量
# if ($args ~* "token=(.*?)(&|$)") {
# set $arg_token $1;
# }
# auth_request /app-store-auth;
# set $auth $http_authorization;
# if ($http_authorization = "") {
# set $auth "token $arg_authorization";
# }
# rewrite ^/app-store(.*)$ $1 break;
# proxy_pass http://hs-resource-server:19980;
# proxy_http_version 1.1;
# proxy_set_header Authorization $auth;
# }
location /app-store-auth {
internal;
set $hs_token $http_hs_token;
if ($hs_token = "") {
set $hs_token $arg_token;
}
proxy_set_header Hs-Token $hs_token;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-IP $remote_addr;
proxy_set_header Query-Data $http_query_data;
proxy_pass http://hs-api/api$request_uri;
}
error_page 502 /502.json;
error_page 503 /503.json;
location /503.json {
return 503 '{"code": -2, "msg": "服务器未响应", "err": "hs-nginx err"}';
}
error_page 504 /504.json;
location /504.json {
return 504 '{"code": -3, "msg": "服务器未响应", "err": "hs-nginx err"}';
}
error_page 497 301 =307 https://$http_host$request_uri;
error_page 401 @my_401;
error_page 403 @my_403;
error_page 404 @my_404;
error_page 502 @my_502;
location @my_401 {
default_type text/html;
return 401 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>401</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>401 Unauthorized</h1>';
}
location @my_403 {
default_type text/html;
return 403 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>403</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>403 Forbidden</h1>';
}
location @my_404 {
default_type text/html;
return 404 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>404</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>404 Not_Found</h1>';
}
location @my_502 {
default_type text/html;
return 502 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>502</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>502 Bad_Gateway</h1>';
}

75
pkg/resource/nginx/gateway.conf Normal file
View File

@@ -0,0 +1,75 @@
upstream hs-gateway-controller {
least_conn;
server gateway-service:9012 max_fails=3 fail_timeout=10s;
}
server {
listen 443 ssl proxy_protocol;
server_name hs-gateway-controller;
ssl_certificate /yizhisec/ssl/server.crt;
ssl_certificate_key /yizhisec/ssl/server.key;
ssl_client_certificate /yizhisec/ssl/ca.crt;
ssl_verify_client on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /etc/nginx/ssl/ffdhe2048.txt;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
client_max_body_size 50M;
location / {
proxy_pass http://hs-gateway-controller;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
}
server {
listen 443 ssl proxy_protocol;
server_name hs-gateway-register-controller;
ssl_certificate /yizhisec/ssl/server.crt;
ssl_certificate_key /yizhisec/ssl/server.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_dhparam /etc/nginx/ssl/ffdhe2048.txt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
client_max_body_size 50M;
location = /api/v1/gateway/setting {
if ($request_method != POST ) {
return 502 '{"code": -1, "msg": "invalid request"}';
}
proxy_pass http://hs-gateway-controller;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
}

63
pkg/resource/nginx/nginx.conf Normal file
View File

@@ -0,0 +1,63 @@
user root;
worker_processes auto;
events {
worker_connections 1024;
}
stream {
error_log /var/log/nginx/error.log error;
map $ssl_preread_server_name $backend {
mqtt.yizhisec.com 127.0.0.1:27443;
mqtt-yizhisec-com 127.0.0.1:27443;
default web;
}
upstream web {
server 127.0.0.1:443;
}
server {
listen 27443 ssl proxy_protocol;
# ssl_session_timeout 10m;
ssl_certificate /etc/nginx/ssl/mqtt.server.crt;
ssl_certificate_key /etc/nginx/ssl/mqtt.server.key;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
proxy_pass emqx-service.db-emqx:1883;
}
server {
listen 23443;
proxy_pass $backend;
ssl_preread on;
proxy_protocol on;
}
}
http {
log_format custom '$time_iso8601 - $remote_addr - $http_host - $status - $request_time - $request_method - $request_uri';
access_log /var/log/nginx/access.log custom;
include /etc/nginx/sites-enabled/*.conf;
include mime.types;
default_type application/octet-stream;
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
tcp_nodelay on;
gzip on;
gzip_vary on;
gzip_http_version 1.0;
gzip_min_length 1000;
gzip_comp_level 6;
gzip_disable msie6;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml;
keepalive_timeout 65;
}

81
pkg/resource/nginx/seafile.conf Normal file
View File

@@ -0,0 +1,81 @@
server {
listen 443 ssl proxy_protocol;
server_name seafile.yizhisec.com cloud.hybridscope.com seafile-yizhise-com cloud-hybridscope-com;
ssl_certificate /etc/nginx/ssl/client.server.crt;
ssl_certificate_key /etc/nginx/ssl/client.server.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_trusted_certificate /etc/nginx/ssl/client.ca.crt;
ssl_client_certificate /etc/nginx/ssl/client.ca.crt;
ssl_verify_client on;
client_max_body_size 500M;
# location = /auth-sharing {
# internal;
# proxy_pass http://client-service:9129/api/auth-sharing;
# proxy_http_version 1.1;
# proxy_pass_request_body off;
# proxy_set_header Content-Length "";
# proxy_set_header X-Original-URI $request_uri;
# }
location /f/ {
rewrite ^(.+[^/])$ $1/ last; # 补上末尾的 /,避免重定向两次
# auth_request /auth-sharing;
# proxy_pass http://hs-openresty:13381;
proxy_pass http://seafile-service.seafile;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /api/v1/ {
proxy_pass http://backup-seafile-service.seafile:9027;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /api2/ {
# proxy_pass http://hs-resource-server:19980;
proxy_pass http://seafile-service.seafile;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
location /api/v2.1/ {
# proxy_pass http://hs-resource-server:19980;
proxy_pass http://seafile-service.seafile;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_read_timeout 300s;
}
location /seafhttp/ {
# proxy_pass http://hs-resource-server:19980;
proxy_pass http://seafile-service.seafile;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
}

17
pkg/resource/nginx/user.conf Normal file
View File

@@ -0,0 +1,17 @@
server {
listen 80;
server_name hs-user-management-controller;
add_header Strict-Transport-Security "max-age=63072000" always;
client_max_body_size 50M;
location / {
proxy_pass http://user-service:9013;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
}

153
pkg/resource/nginx/web.conf Normal file
View File

@@ -0,0 +1,153 @@
server {
listen 80;
return 301 https://$host$request_uri;
}
# upstream hs-backup-server {
# least_conn;
# server hs-backup-server:9349 max_fails=3 fail_timeout=10s;
# }
upstream hs-api {
server api-service:9002;
}
server {
listen 9002;
location / {
proxy_pass http://hs-api;
}
}
server {
listen 443 ssl default_server;
location /api/admin/ {
return 404;
}
location /oem {
proxy_pass http://oem-service;
}
location /api/my/sys/client/installer {
proxy_pass http://u-api-service/api/v2_2/client/download/list;
}
location /api/system/version {
proxy_pass http://u-api-service/api/v2_2/system/version;
}
location /api/v2_2/client {
proxy_pass http://u-api-service;
}
location / {
proxy_pass http://front-user-service;
}
include /etc/nginx/common/common.conf;
error_page 497 301 =307 https://$http_host$request_uri;
}
server {
listen 8443 ssl;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN"; # 或 "DENY"
add_header Content-Security-Policy "img-src * data:; frame-ancestors 'none';" always;
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Permitted-Cross-Domain-Policies "none";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Download-Options "noopen" always;
add_header X-Content-Type-Options "nosniff" always;
server_tokens off;
location /api/system/version {
proxy_pass http://u-api-service/api/v2_2/system/version;
}
location /oem {
proxy_pass http://oem-service;
}
# location /wm/ {
# alias /data/wm/;
# expires 30d;
# add_header Cache-Control public;
# }
location / {
proxy_pass http://front-admin-service;
}
location /api/v2_1/user {
proxy_pass http://user-service:9013;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 300s;
}
include /etc/nginx/common/common.conf;
location /ws {
proxy_pass http://hs-api/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300s;
}
# location /backup {
# proxy_pass http://hs-backup-server;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_read_timeout 300s;
# }
location /api/local/user/import/template {
auth_request /token_auth;
alias /static/resource/local_user_import_template.xlsx;
}
# location /wm/api {
# proxy_pass http://hs-watermark-server;
# proxy_http_version 1.1;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $proxy_protocol_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_read_timeout 300s;
# }
location @my_401 {
default_type text/html;
return 401 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>401</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>401 Unauthorized</h1>';
}
location @my_403 {
default_type text/html;
return 403 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>403</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>403 Forbidden</h1>';
}
location @my_404 {
default_type text/html;
return 404 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>404</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>404 Not_Found</h1>';
}
location @my_502 {
default_type text/html;
return 502 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>502</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>502 Bad_Gateway</h1>';
}
error_page 497 301 =307 https://$http_host$request_uri;
error_page 401 @my_401;
error_page 403 @my_403;
error_page 404 @my_404;
error_page 502 @my_502;
}