nginx.conf
# Dynamic modules that provide the brotli / brotli_static directives used in
# the http block below. nginx refuses to start if either .so is missing.
load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
# Account the worker processes run as.
user www-data;
# "auto" lets nginx size the worker pool from the number of CPU cores.
worker_processes auto;
pid /run/nginx.pid;
events {
# Per-worker ceiling on simultaneous connections. Proxied requests count twice
# (client side and upstream side), so the long-lived WebSocket connections
# configured further down draw from this budget on both ends.
worker_connections 1024;
}
http {
# Rate-limiting zones. All three are keyed on the client address
# ($binary_remote_addr) and each reserves 10 MB of shared memory.
# NOTE(review): the key is the TCP peer address. If a CDN or load balancer is
# ever placed in front of this server, every client would share that one
# address's bucket unless the real client address is restored first (realip
# module with a trusted set_real_ip_from) - confirm the deployment topology.
# General API traffic: 10 requests per second per address.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
# Login endpoint: 1 request per second per address.
limit_req_zone $binary_remote_addr zone=login_limit:10m rate=1r/s;
# Concurrent-connection counter used by the limit_conn directives in the server block.
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
# Requests rejected by limit_req are answered with 429 instead of the default 503.
# NOTE(review): limit_conn_status is not set, so limit_conn rejections still
# return the default 503; set it as well if clients and monitoring should see a
# single throttling status code.
limit_req_status 429;
##
# Basic settings
##
include /etc/nginx/mime.types;
# Fallback Content-Type for files whose extension is not listed in mime.types.
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# Keep the nginx version out of the Server header and the built-in error pages.
server_tokens off;
##
# Logging
##
# No log_format is named, so the access log uses nginx's predefined "combined" format.
access_log /var/log/nginx/access.log;
# Only messages at "warn" severity and above are written.
# NOTE(review): limit_req / limit_conn rejections are logged at "error" by
# default, so they do reach this file; repeated rejections on the login route
# are a usable brute-force signal for alerting.
error_log /var/log/nginx/error.log warn;
##
# GZIP compression
##
gzip on;
gzip_comp_level 6;
# Responses shorter than 1 KB are sent uncompressed.
gzip_min_length 1k;
gzip_buffers 16 8k;
gzip_http_version 1.1;
# Emit "Vary: Accept-Encoding" so caches keep compressed and plain variants apart.
gzip_vary on;
# Also compress responses to requests that arrived through another proxy.
gzip_proxied any;
# text/html is always compressed and does not need to be listed.
# NOTE(review): application/json is in the list, so proxied API responses are
# compressed too. Once TLS is enabled, a response that mixes a secret with
# request-influenced content is open to compression side channels (BREACH
# class); consider excluding such endpoints from compression at that point.
gzip_types
text/plain
text/css
text/xml
text/javascript
application/json
application/javascript
application/x-javascript
application/xml
application/xml+rss
application/rss+xml
image/svg+xml;
##
# Brotli compression (requires the brotli module to be installed for nginx)
#
# Debian's stock nginx usually does not have brotli enabled.
# It has to be installed:
#
# apt install nginx-module-brotli
#
# or the module has to be compiled manually.
#
# The two load_module lines at the top of this file load that module; the
# directives below are rejected at startup without them.
##
brotli on;
brotli_comp_level 6;
# Serve a pre-compressed .br file next to the requested file when one exists.
brotli_static on;
# The compression side-channel caveat noted for gzip applies equally here once
# TLS is enabled, since application/json is listed.
brotli_types
text/plain
text/css
text/xml
text/javascript
application/javascript
application/json
application/xml
application/rss+xml
application/atom+xml
image/svg+xml;
##
# Upstreams
#
# Both backends are addressed over loopback.
# NOTE(review): nginx only fronts these ports. Whether 9527 and 8891 are also
# reachable from outside depends on the backends' bind address and the host
# firewall - verify they listen on loopback only, otherwise the rate limits in
# the server block can be sidestepped by connecting to the backends directly.
##
# Spring Boot API (target of the /api/ locations).
upstream springboot_backend {
server 127.0.0.1:9527;
}
# WebSocket backend (target of the /api/ws/ location).
upstream websocket_backend {
server 127.0.0.1:8891;
}
##
# HTTP
##
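server {
    # NOTE(review): this is the only active server block and it speaks plain
    # HTTP, so login credentials and session tokens cross the network in
    # cleartext. The TLS server further down in this file is still commented
    # out; enabling it and redirecting port 80 to HTTPS should happen before
    # this carries real user logins.
    listen 80;
    server_name fusionadmin.cn integration.net.cn syndra.cn;

    ##
    # React build output directory
    ##
    root /home/syndra/web;
    index index.html;

    ##
    # React Router support: paths that do not exist on disk fall back to
    # index.html so client-side routes resolve.
    ##
    location / {
        try_files $uri $uri/ /index.html;
    }

    # ==================================================
    # Static asset caching
    #
    # Regex locations are tried in file order and normally win over plain
    # prefix locations. The API locations below are therefore declared with
    # ^~ so that an API path ending in .js, .png, ... is proxied (and rate
    # limited) instead of being looked up on disk and answered with 404.
    # ==================================================
    location ~* \.(js|css|png|jpg|jpeg|gif|svg|woff|woff2)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        try_files $uri =404;
    }

    # Only .ico and .ttf are listed here: the location above already claims
    # every other static extension, and the first matching regex wins.
    location ~* \.(ico|ttf)$ {
        expires 30d;
        add_header Cache-Control "public, no-transform";
    }

    # ==================================================
    # Login endpoint - strict rate limiting
    #
    # login_limit allows 1 request per second per client address; up to 5
    # excess requests are served immediately (nodelay) and anything beyond
    # that is rejected with 429.
    # This is a prefix match, so /api/auth/login/ and any longer path that
    # starts with this string get the same limits.
    # NOTE(review): the limit is per source address only. Guessing spread
    # over many addresses is not slowed by it, so the backend should enforce
    # its own per-account throttling or lockout - confirm that it does.
    # ==================================================
    location ^~ /api/auth/login {
        proxy_pass http://springboot_backend;

        # Request-rate limit for logins
        limit_req zone=login_limit burst=5 nodelay;
        # Concurrent-connection limit per client address
        limit_conn conn_limit 5;

        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # X-Real-IP is the address nginx itself saw. X-Forwarded-For appends
        # that address to whatever the client already sent, so the backend
        # must not treat the leftmost X-Forwarded-For entry as trustworthy.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Sent here as well so the backend sees the same scheme information
        # on the login route as on every other /api/ route.
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    ##
    # Spring Boot API proxy
    ##
    location ^~ /api/ {
        proxy_pass http://springboot_backend;

        limit_req zone=api_limit burst=20 nodelay;
        limit_conn conn_limit 20;

        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # NOTE(review): WebSocket traffic has its own location (/api/ws/), yet
        # these two lines forward a client-chosen Upgrade header and force
        # "Connection: upgrade" on every API request. That is only needed if
        # the Spring Boot backend itself serves upgraded connections. If it
        # does not, removing both lines closes off upgrade-based request
        # smuggling past the limits above - confirm with the backend owners.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    ##
    # WebSocket proxy
    # The backend Netty server listens on /ws/syndra (see application.yml,
    # websocket.netty.path).
    # proxy_pass carries the trailing path /ws/, which nginx substitutes for
    # the matched location prefix:
    # /api/ws/syndra -> http://websocket_backend/ws/syndra
    ##
    location ^~ /api/ws/ {
        proxy_pass http://websocket_backend/ws/;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Long-lived WebSocket connections need the read timeout disabled (or
        # set very high); otherwise nginx closes them after an idle period.
        proxy_read_timeout 86400;
        proxy_send_timeout 86400;

        # NOTE(review): there is no limit_conn here while idle timeouts are
        # 24 h, so a single address can park many connections, each holding a
        # worker connection on the client and the upstream side. Consider a
        # per-address cap sized for the real client population, e.g.
        #   limit_conn conn_limit <per-address cap>;
    }
}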
##
# HTTPS configuration (temporarily commented out)
#
# NOTE(review): this draft is not equivalent to the active port-80 server.
# Reconcile the following before uncommenting it:
# - /api/ below uses "proxy_pass http://springboot_backend/;". The trailing
#   slash makes nginx replace the /api/ prefix with /, whereas the HTTP server
#   forwards /api/... unchanged, so the backend would see different paths.
# - None of the limit_req / limit_conn rules and no dedicated
#   /api/auth/login location are present, so enabling it as written would
#   expose the login endpoint on 443 without throttling.
# - server_name is still a placeholder.
# - "HIGH:!aNULL:!MD5" still admits non-forward-secret and CBC suites under
#   TLS 1.2; an explicit ECDHE/AEAD list is the usual hardening.
# - On nginx 1.25.1 and later the "http2" listen parameter is deprecated in
#   favour of a separate "http2 on;" directive.
##
# server {
#
# listen 443 ssl http2;
# server_name your-domain.com;
#
# root /home/syndra/web;
# index index.html;
#
# ssl_certificate /home/syndra/ssl/fullchain.pem;
# ssl_certificate_key /home/syndra/ssl/privkey.pem;
#
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers HIGH:!aNULL:!MD5;
#
# location / {
# try_files $uri $uri/ /index.html;
# }
#
# location /api/ {
#
# proxy_pass http://springboot_backend/;
#
# proxy_http_version 1.1;
#
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
#
# location /api/ws/ {
#
# proxy_pass http://websocket_backend/ws/;
#
# proxy_http_version 1.1;
#
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
#
# proxy_set_header Host $host;
# proxy_read_timeout 86400;
# proxy_send_timeout 86400;
# }
# }
}