chore: enhance nginx configuration and update environment settings

windbytes · windbytes · commit 6cbf4e4b0482 · 2026-05-20T22:08:41.000+08:00
- Updated .env.production to remove hardcoded WebSocket URL for production, allowing dynamic resolution.
- Modified nginx.conf to enable Brotli compression, implement rate limiting for login and API requests, and improve static resource caching.
- Adjusted upstream server configurations for better clarity and performance.
diff --git a/.env.production b/.env.production
@@ -1,7 +1,4 @@
-VITE_DEV_SERVER_PORT=8000
-VITE_API_PROXY_TARGET=http://localhost:9527
-# Netty WebSocket 端口（与后端 application.yml websocket.netty.port 一致；/api/ws 会 rewrite 到 /ws）
-VITE_WS_PROXY_TARGET=http://localhost:8891
-# 通过前端开发服务器：/api/ws 由 vite 转发到 Netty，其余 /api 仍走 Spring
-VITE_WS_URL=ws://localhost:8891/api/ws/syndra
+# 生产环境：WebSocket 走当前页面同源（由 Nginx 反代到 Netty），不要硬编码 localhost:8891
+# 留空时，前端 resolveWebSocketUrl 会自动拼出 ws(s)://<host>/api/ws/syndra
+VITE_WS_URL=
 VITE_ENABLE_MONITOR_CONSOLE=true
diff --git a/nginx.conf b/nginx.conf
@@ -1,5 +1,5 @@
-# load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;
-# load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
+load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;
+load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
@@ -9,7 +9,12 @@ events {
 }
 
 http {
+    # 限流区域
+    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
+    limit_req_zone $binary_remote_addr zone=login_limit:10m rate=1r/s;
 
+    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
+    limit_req_status 429;
     ##
     # 基础配置
     ##
@@ -89,11 +94,11 @@ http {
     ##
 
     upstream springboot_backend {
-        server ip:port; # 后端 API 服务地址
+        server 127.0.0.1:9527;
     }
 
     upstream websocket_backend {
-        server ip:port; # 后端 WebSocket 服务地址
+        server 127.0.0.1:8891;
     }
 
     ##
@@ -120,13 +125,52 @@ http {
             try_files $uri $uri/ /index.html;
         }
 
+	# ==================================================
+        # 静态资源缓存
+        # ==================================================
+
+        location ~* \.(js|css|png|jpg|jpeg|gif|svg|woff|woff2)$ {
+
+            expires 30d;
+
+            add_header Cache-Control "public, immutable";
+
+            try_files $uri =404;
+        }
+
+	# ==================================================
+        # 登录接口
+        # 严格限流
+        # ==================================================
+
+        location /api/auth/login {
+
+            proxy_pass http://springboot_backend;
+
+            # 登录限流
+            limit_req zone=login_limit burst=5 nodelay;
+
+            # 并发限制
+            limit_conn conn_limit 5;
+
+            proxy_http_version 1.1;
+
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
         ##
         # SpringBoot API 代理
         ##
 
         location /api/ {
 
-            proxy_pass http://springboot_backend/;
+            proxy_pass http://springboot_backend;
+
+	        limit_req zone=api_limit burst=20 nodelay;
+
+	        limit_conn conn_limit 20;
 
             proxy_http_version 1.1;
 
@@ -135,18 +179,24 @@ http {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
 
+	        proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+
             proxy_connect_timeout 60s;
             proxy_send_timeout 60s;
             proxy_read_timeout 60s;
-        }
+ 	}
 
         ##
         # WebSocket 代理
+        # 后端 Netty 监听路径为 /ws/syndra（见 application.yml websocket.netty.path）。
+        # proxy_pass 带末尾路径 /ws/，Nginx 会用它替换匹配 location 的前缀：
+        #   /api/ws/syndra  -> http://websocket_backend/ws/syndra
         ##
 
         location /api/ws/ {
 
-            proxy_pass http://websocket_backend/;
+            proxy_pass http://websocket_backend/ws/;
 
             proxy_http_version 1.1;
 
@@ -157,7 +207,9 @@ http {
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
+            # WebSocket 长连接需要禁用读超时（或设置较大值），否则空闲后会被 Nginx 主动断开
             proxy_read_timeout 86400;
+            proxy_send_timeout 86400;
         }
 
         ##
@@ -208,14 +260,16 @@ http {
     #
     #     location /api/ws/ {
     #
-    #         proxy_pass http://websocket_backend/;
+    #         proxy_pass http://websocket_backend/ws/;
     #
     #         proxy_http_version 1.1;
     #
     #         proxy_set_header Upgrade $http_upgrade;
     #         proxy_set_header Connection "upgrade";
     #
     #         proxy_set_header Host $host;
+    #         proxy_read_timeout 86400;
+    #         proxy_send_timeout 86400;
     #     }
     # }
 
