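# TLS: server certificate and private key.
ssl_certificate /etc/nginx/ssl/web.server.crt;
ssl_certificate_key /etc/nginx/ssl/web.server.key;

# Session resumption uses the shared server-side cache only; tickets are off.
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# DH parameters for the DHE-RSA suites listed below.
ssl_dhparam /etc/nginx/ssl/ffdhe2048.txt;

# TLS 1.2 and 1.3 only; every listed suite is forward-secret AEAD (ECDHE/DHE with GCM or CHACHA20-POLY1305).
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# HSTS, two years. nginx inherits add_header from this level only into blocks
# that declare no add_header of their own, so every location / if block below
# that adds a header repeats this line; otherwise those responses lose HSTS.
add_header Strict-Transport-Security "max-age=63072000" always;

client_header_buffer_size 1k;
client_max_body_size 50M;

# Auth subrequest target used by auth_request below. Internal only; the request
# body is dropped and the original URI is passed to the API in X-Original-URI.
location = /token_auth {
    internal;
    proxy_pass http://hs-api/api/tokenauth;
    proxy_http_version 1.1;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}

# Android client downloads, no auth_request.
# Prefix match without a trailing slash: /client/dl/android<anything> maps to
# /static/client/android<anything>.
# NOTE(review): proxy_set_header takes effect where proxy_pass runs; this location
# (and the other alias locations below) serves files directly, so the Cookie line
# looks inert. The auth subrequest is configured in /token_auth. Confirm.
location /client/dl/android {
    proxy_set_header Cookie $http_cookie;
    default_type application/octet-stream;
    alias /static/client/android;
    # $arg_attname is the raw client-supplied query value and is copied into the
    # response header: whoever builds the link chooses the saved file name and
    # extension. NOTE(review): consider restricting it to an expected character set.
    if ($arg_attname ~ "^(.+)") {
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
    }
}

# Client downloads; authentication was deliberately removed here.
location /client/dl/ {
    # remove download client auth verify
    # auth_request /token_auth;
    proxy_set_header Cookie $http_cookie;
    default_type application/octet-stream;
    alias /static/client/;
    # Same client-controlled file name pattern as in /client/dl/android.
    if ($arg_attname ~ "^(.+)") {
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
    }
}

# Avatars, token-authenticated, cached for 7 days.
# NOTE(review): "Cache-Control: public" allows shared caches to store a response
# that required authentication; confirm that is intended for avatars.
location /user/avatar/ {
    auth_request /token_auth;
    proxy_set_header Cookie $http_cookie;
    alias /static/avatar/;
    expires 7d;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header Cache-Control public;
}

# Shared files, token-authenticated.
# NOTE(review): without attname no Content-Disposition is sent and no default_type
# is set here, so the type follows the file extension. If these files are
# user-supplied, consider forcing download and adding X-Content-Type-Options: nosniff.
location /file/share/ {
    auth_request /token_auth;
    proxy_set_header Cookie $http_cookie;
    alias /static/share_file/;
    if ($arg_attname ~ "^(.+)") {
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
    }
}

# Public folder files; still behind the token check.
location /file/public/ {
    auth_request /token_auth;
    proxy_set_header Cookie $http_cookie;
    alias /static/public_folder/;
    if ($arg_attname ~ "^(.+)") {
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
    }
}

# Clipboard files, token-authenticated; no download file name handling.
location /file/clipboard/ {
    auth_request /token_auth;
    proxy_set_header Cookie $http_cookie;
    alias /static/clipboard_file/;
}

# Uploaded files, token-authenticated. The content-type note on /file/share/
# applies here as well.
location /file/uploaded/ {
    auth_request /token_auth;
    proxy_set_header Cookie $http_cookie;
    alias /static/uploaded_files/;
    if ($arg_attname ~ "^(.+)") {
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
    }
}

# Two resource files that require a token. As prefix locations they are longer
# than /resource/ and therefore win over the unauthenticated block below.
location /resource/update_log.csv {
    auth_request /token_auth;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header Cookie $http_cookie;
    default_type application/octet-stream;
    alias /static/resource/update_log.csv;
}

location /resource/update_timestamp.txt {
    auth_request /token_auth;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header Cookie $http_cookie;
    default_type application/octet-stream;
    alias /static/resource/update_timestamp.txt;
}

# Everything else under /resource/ is served without authentication.
# NOTE(review): confirm nothing sensitive is stored in /static/resource/ apart
# from the two files protected above.
location /resource/ {
    default_type application/octet-stream;
    alias /static/resource/;
}

# API reverse proxy.
# X-Forwarded-For is appended to whatever the client sent, so the backend should
# trust only the last hop (or X-Real-IP), never the left-most entry.
location /api/ {
    proxy_pass http://hs-api;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_read_timeout 300s;
}

# location /network-disk {
#     set $arg_token ''; # declare the $arg_token variable
#     if ($args ~* "token=(.*?)(&|$)") {
#         set $arg_token $1;
#     }
#     auth_request /token_auth;
#     set $auth $http_authorization;
#     if ($http_authorization = "") {
#         set $auth "token $arg_authorization";
#     }
#     rewrite ^/network-disk(.*)$ $1 break;
#     proxy_pass http://hs-resource-server:19980;
#     proxy_http_version 1.1;
#     proxy_set_header Authorization $auth;
# }

# location /app-store {
#     set $arg_token ''; # declare the $arg_token variable
#     if ($args ~* "token=(.*?)(&|$)") {
#         set $arg_token $1;
#     }
#     auth_request /app-store-auth;
#     set $auth $http_authorization;
#     if ($http_authorization = "") {
#         set $auth "token $arg_authorization";
#     }
#     rewrite ^/app-store(.*)$ $1 break;
#     proxy_pass http://hs-resource-server:19980;
#     proxy_http_version 1.1;
#     proxy_set_header Authorization $auth;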
# }

# Auth subrequest target for the app store. Internal only. Within this part of
# the file its only caller (auth_request /app-store-auth) is commented out.
# The token is read from the Hs-Token request header and, when that is empty,
# from the "token" query argument.
# NOTE(review): tokens carried in the query string end up in access logs,
# browser history and Referer headers; prefer the header where clients allow it.
# NOTE(review): the upstream path is built from $request_uri, the raw client URI
# including its query string, whereas /token_auth calls one fixed endpoint. The
# client therefore influences which /api path answers the auth check; confirm the
# backend cannot be routed to an endpoint that answers 2xx without checking the token.
# NOTE(review): /token_auth also sets "proxy_pass_request_body off"; this block
# only clears Content-Length. Confirm that is intended.
location /app-store-auth {
    internal;
    set $hs_token $http_hs_token;
    if ($hs_token = "") {
        set $hs_token $arg_token;
    }
    proxy_set_header Hs-Token $hs_token;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Original-Method $request_method;
    proxy_set_header X-Original-IP $remote_addr;
    proxy_set_header Query-Data $http_query_data;
    proxy_pass http://hs-api/api$request_uri;
}

# JSON error bodies for upstream failures.
# NOTE(review): 502 is mapped here to /502.json and again below to @my_502, and no
# "location /502.json" is visible in this part of the file. Confirm which mapping
# takes effect and that its target exists.
error_page 502 /502.json;
error_page 503 /503.json;
location /503.json {
    # msg text means "server not responding"
    return 503 '{"code": -2, "msg": "服务器未响应", "err": "hs-nginx err"}';
}
error_page 504 /504.json;
location /504.json {
    # msg text means "server not responding"
    return 504 '{"code": -3, "msg": "服务器未响应", "err": "hs-nginx err"}';
}

# 497 (plain HTTP sent to the TLS port) and 301 are answered with a 307 to the
# https URL.
# NOTE(review): $http_host is the client-supplied Host header, so the redirect
# target is client-influenced; consider $host or a fixed server name, keeping the
# port if a non-default one is in use.
error_page 497 301 =307 https://$http_host$request_uri;

# Custom pages through named locations.
error_page 401 @my_401;
error_page 403 @my_403;
error_page 404 @my_404;
error_page 502 @my_502;

location @my_401 {
    default_type text/html;
    return 401 '