assistant-todo/docker/nginx-yun.conf

# 全局配置
user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

# 事件处理
events {
    worker_connections 1024;
}

# HTTP 服务器
http {
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

    limit_req_zone $binary_remote_addr zone=general_limit:10m rate=20r/s;
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=5r/s;
    log_format blocked '$time_local|$remote_addr|$request|$status|$http_referer';

	# HTTPS 服务器监听端口
	# 443
    # HTTP 服务器监听端口
    server {
        listen 80;
        # start 启用https
        listen 443 ssl;
        # 服务器名称
        server_name www.huaruyu.com;
        # 将所有HTTP请求通过rewrite指令重定向到HTTPS。
        # rewrite ^(.*)$ https://$host$1;
        # 填写证书文件绝对路径
        ssl_certificate /usr/local/software/nginx-1.28.0/cert/www.huaruyu.com.pem;
        # 填写证书私钥文件绝对路径
        ssl_certificate_key /usr/local/software/nginx-1.28.0/cert/www.huaruyu.com.key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        # 自定义设置使用的TLS协议的类型以及加密套件（以下为配置示例，请您自行评估是否需要配置）
        # TLS协议版本越高，HTTPS通信的安全性越高，但是相较于低版本TLS协议，高版本TLS协议对浏览器的兼容性较差。
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

        # 表示优先使用服务端加密套件。默认开启
        ssl_prefer_server_ciphers on;
        # end 启用https

        # 启用 ETag 头，Nginx 会为每个资源生成一个唯一的 ETag 值，当资源更新时，ETag 值会改变。
        etag on;

        # 设置允许跨域的域，* 表示允许任何域，也可以设置特定的域,has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.
        add_header 'Access-Control-Allow-Origin' '*';
        # 允许的方法
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        # 允许的头信息字段
        add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type,Authorization,Origin,source-client' always;
        # 缓存时间
        add_header 'Access-Control-Max-Age' 1728000 always;
        # 安全头部
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;

        # 确保不会重定向到带端口的URL
        add_header X-Forwarded-Host $host;
        add_header X-Forwarded-Port 443;
        add_header X-Forwarded-Proto https;
        # 预检请求的处理
        if ($request_method = 'OPTIONS') {
            return 204;
        }
        # 访问日志路径
        access_log /var/log/nginx/access.log;
        # 站点根目录
        root /usr/share/nginx/html;
        # 代理配置
        location / {
            # 默认页面
            index index.html index.htm;
            try_files $uri $uri.html $uri/ =404;
            # try_files $uri $uri/ =404;
        }
        # 第二个页面的配置
        location /todo {
            # 关键配置：禁用重定向中的端口和绝对路径
            absolute_redirect off;
            port_in_redirect off;

            # 指定根目录
            alias /usr/share/nginx/html/todo;
            index index.html index.htm;

            # 正确的文件查找逻辑：所有路由都返回 index.html
            try_files $uri $uri.html $uri/ /todo/index.html;

            # 安全头部
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;

            # 确保不会重定向到带端口的URL
            add_header X-Forwarded-Host $host;
            add_header X-Forwarded-Port 443;
            add_header X-Forwarded-Proto https;
        }
        # 第二个页面的配置
        location ^~ /mobile/ {
#             index index.html index.htm;
#             try_files $uri $uri.html $uri/ =404;
            alias /usr/share/nginx/html/mobile/;
            index index.html index.htm;
            try_files $uri $uri/ /mobile/index.html;
        }

        location ^~ /todo-server/ {
            # 预检请求的处理
            if ($request_method = 'OPTIONS') {
                return 204;
            }
            # rewrite ^/todo-server/(.*)$ /$1 break;
            proxy_pass              http://localhost:8092/;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            client_body_buffer_size 16k;
            client_max_body_size  100M;
        }



        location ^~ /security-server/ {
            # 预检请求的处理
            if ($request_method = 'OPTIONS') {
                return 204;
            }
            # rewrite ^/security-server/(.*)$ /$1 break;
            proxy_pass              http://localhost:8091/;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            client_body_buffer_size 16k;
            client_max_body_size  100M;

        }
        location ^~ /securityWeb/ {
            # 预检请求的处理
            if ($request_method = 'OPTIONS') {
                return 204;
            }
            # rewrite ^/security-server/(.*)$ /$1 break;
            proxy_pass              http://localhost:8091/;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            client_body_buffer_size 16k;
            client_max_body_size  100M;

        }
        location /task/ {
            # 预检请求的处理
            if ($request_method = 'OPTIONS') {
                return 204;
            }
            rewrite ^/task/(.*)$ /task/$1.html break;
        }
        # 静态文件缓存配置
        location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
            expires 7d;
            access_log off;
        }
    }
}