214 lines
6.6 KiB
Plaintext
214 lines
6.6 KiB
Plaintext
ssl_certificate /etc/nginx/ssl/web.server.crt;
|
|
ssl_certificate_key /etc/nginx/ssl/web.server.key;
|
|
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
|
ssl_session_tickets off;
|
|
|
|
ssl_dhparam /etc/nginx/ssl/ffdhe2048.txt;
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
client_header_buffer_size 1k;
|
|
|
|
client_max_body_size 50M;
|
|
|
|
location = /token_auth {
|
|
internal;
|
|
proxy_pass http://hs-api/api/tokenauth;
|
|
proxy_http_version 1.1;
|
|
proxy_pass_request_body off;
|
|
proxy_set_header Content-Length "";
|
|
proxy_set_header X-Original-URI $request_uri;
|
|
}
|
|
|
|
location /client/dl/android {
|
|
proxy_set_header Cookie $http_cookie;
|
|
default_type application/octet-stream;
|
|
alias /static/client/android;
|
|
if ($arg_attname ~ "^(.+)") {
|
|
add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
|
|
}
|
|
}
|
|
|
|
location /client/dl/ {
|
|
# remove download client auth verify
|
|
# auth_request /token_auth;
|
|
|
|
proxy_set_header Cookie $http_cookie;
|
|
default_type application/octet-stream;
|
|
alias /static/client/;
|
|
if ($arg_attname ~ "^(.+)") {
|
|
add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
|
|
}
|
|
}
|
|
|
|
location /user/avatar/ {
|
|
auth_request /token_auth;
|
|
|
|
proxy_set_header Cookie $http_cookie;
|
|
alias /static/avatar/;
|
|
expires 7d;
|
|
add_header Cache-Control public;
|
|
}
|
|
|
|
location /file/share/ {
|
|
auth_request /token_auth;
|
|
|
|
proxy_set_header Cookie $http_cookie;
|
|
alias /static/share_file/;
|
|
if ($arg_attname ~ "^(.+)") {
|
|
add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
|
|
}
|
|
}
|
|
|
|
location /file/public/ {
|
|
auth_request /token_auth;
|
|
|
|
proxy_set_header Cookie $http_cookie;
|
|
alias /static/public_folder/;
|
|
if ($arg_attname ~ "^(.+)") {
|
|
add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
|
|
}
|
|
}
|
|
|
|
location /file/clipboard/ {
|
|
auth_request /token_auth;
|
|
|
|
proxy_set_header Cookie $http_cookie;
|
|
alias /static/clipboard_file/;
|
|
}
|
|
|
|
location /file/uploaded/ {
|
|
auth_request /token_auth;
|
|
|
|
proxy_set_header Cookie $http_cookie;
|
|
alias /static/uploaded_files/;
|
|
if ($arg_attname ~ "^(.+)") {
|
|
add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname";
|
|
}
|
|
}
|
|
|
|
location /resource/update_log.csv {
|
|
auth_request /token_auth;
|
|
|
|
proxy_set_header X-Original-URI $request_uri;
|
|
proxy_set_header Cookie $http_cookie;
|
|
default_type application/octet-stream;
|
|
alias /static/resource/update_log.csv;
|
|
}
|
|
|
|
location /resource/update_timestamp.txt {
|
|
auth_request /token_auth;
|
|
|
|
proxy_set_header X-Original-URI $request_uri;
|
|
proxy_set_header Cookie $http_cookie;
|
|
default_type application/octet-stream;
|
|
alias /static/resource/update_timestamp.txt;
|
|
}
|
|
|
|
location /resource/ {
|
|
default_type application/octet-stream;
|
|
alias /static/resource/;
|
|
}
|
|
|
|
location /api/ {
|
|
proxy_pass http://hs-api;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_read_timeout 300s;
|
|
}
|
|
|
|
|
|
# location /network-disk {
|
|
# set $arg_token ''; # 声明 $arg_token 变量
|
|
# if ($args ~* "token=(.*?)(&|$)") {
|
|
# set $arg_token $1;
|
|
# }
|
|
# auth_request /token_auth;
|
|
# set $auth $http_authorization;
|
|
# if ($http_authorization = "") {
|
|
# set $auth "token $arg_authorization";
|
|
# }
|
|
# rewrite ^/network-disk(.*)$ $1 break;
|
|
# proxy_pass http://hs-resource-server:19980;
|
|
# proxy_http_version 1.1;
|
|
# proxy_set_header Authorization $auth;
|
|
# }
|
|
|
|
# location /app-store {
|
|
# set $arg_token ''; # 声明 $arg_token 变量
|
|
# if ($args ~* "token=(.*?)(&|$)") {
|
|
# set $arg_token $1;
|
|
# }
|
|
# auth_request /app-store-auth;
|
|
# set $auth $http_authorization;
|
|
# if ($http_authorization = "") {
|
|
# set $auth "token $arg_authorization";
|
|
# }
|
|
# rewrite ^/app-store(.*)$ $1 break;
|
|
# proxy_pass http://hs-resource-server:19980;
|
|
# proxy_http_version 1.1;
|
|
# proxy_set_header Authorization $auth;
|
|
# }
|
|
|
|
location /app-store-auth {
|
|
internal;
|
|
set $hs_token $http_hs_token;
|
|
if ($hs_token = "") {
|
|
set $hs_token $arg_token;
|
|
}
|
|
proxy_set_header Hs-Token $hs_token;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Content-Length "";
|
|
proxy_set_header X-Original-URI $request_uri;
|
|
proxy_set_header X-Original-Method $request_method;
|
|
proxy_set_header X-Original-IP $remote_addr;
|
|
proxy_set_header Query-Data $http_query_data;
|
|
|
|
proxy_pass http://hs-api/api$request_uri;
|
|
}
|
|
|
|
error_page 502 /502.json;
|
|
error_page 503 /503.json;
|
|
location /503.json {
|
|
return 503 '{"code": -2, "msg": "服务器未响应", "err": "hs-nginx err"}';
|
|
}
|
|
|
|
error_page 504 /504.json;
|
|
location /504.json {
|
|
return 504 '{"code": -3, "msg": "服务器未响应", "err": "hs-nginx err"}';
|
|
}
|
|
error_page 497 301 =307 https://$http_host$request_uri;
|
|
error_page 401 @my_401;
|
|
error_page 403 @my_403;
|
|
error_page 404 @my_404;
|
|
error_page 502 @my_502;
|
|
|
|
location @my_401 {
|
|
default_type text/html;
|
|
return 401 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>401</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>401 Unauthorized</h1>';
|
|
}
|
|
|
|
location @my_403 {
|
|
default_type text/html;
|
|
return 403 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>403</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>403 Forbidden</h1>';
|
|
}
|
|
|
|
location @my_404 {
|
|
default_type text/html;
|
|
return 404 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>404</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>404 Not_Found</h1>';
|
|
}
|
|
|
|
location @my_502 {
|
|
default_type text/html;
|
|
return 502 '<!doctypehtml><html lang=en><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title>502</title><style>body{display:flex;flex-direction:column;align-items:center;justify-content:center}</style><h1>502 Bad_Gateway</h1>';
|
|
}
|