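# Xilingol League smart livestock-farming platform API service - Nginx configuration
# Domain: xlapi.jiebanke.com
# Backend service: localhost:3350
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xlapi.jiebanke.com;

    # TLS certificate - replace with the real certificate paths.
    # The private key should be readable only by root / the nginx master process.
    ssl_certificate     /etc/ssl/certs/xlapi.jiebanke.com.crt;
    ssl_certificate_key /etc/ssl/private/xlapi.jiebanke.com.key;

    # TLS tuning
    ssl_protocols TLSv1.2 TLSv1.3;
    # NOTE(review): the two "...-GCM-SHA512" entries do not look like OpenSSL
    # cipher names, and the DHE entries are presumably never offered because no
    # ssl_dhparam is configured here. ECDHE-RSA-AES256-SHA384 is a CBC-mode
    # suite. Check what is actually negotiable with `openssl ciphers -v '<list>'`
    # before relying on this list.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # Security headers.
    # "always" makes nginx attach them to error responses (4xx/5xx) as well;
    # without it they are only added to a fixed set of success/redirect codes.
    # add_header is inherited by a location ONLY if that location declares no
    # add_header of its own, so any location that adds a header must repeat
    # this set (see the static-asset location below).
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    # includeSubDomains applies HSTS to every host below this name; confirm
    # that all of them serve HTTPS before deploying.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Static asset caching.
    # NOTE(review): this location has neither root nor proxy_pass, so matching
    # requests are served from nginx's default document root rather than from
    # the backend on :3350 - confirm that is intended for an API host.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        # Declaring add_header here drops the server-level headers for this
        # location, so the security headers are repeated explicitly.
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        access_log off;
    }

    # API reverse proxy
    location / {
        proxy_pass http://localhost:3350;
        proxy_http_version 1.1;
        # NOTE(review): Connection is hard-coded to 'upgrade' for every request,
        # not only WebSocket handshakes; the usual alternative is a map on
        # $http_upgrade in the http{} context, which is outside this file.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        # X-Real-IP is the peer address nginx itself observed.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so earlier entries are client-controlled. The backend
        # should use X-Real-IP (or only the last X-Forwarded-For entry) for
        # rate limiting, audit logging and IP-based access decisions.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
        proxy_busy_buffers_size 8k;
    }

    # Health-check endpoint, reachable from loopback only.
    # This is a prefix match, so every URI starting with /health is covered by
    # the allow/deny rules below. Regex locations are evaluated before it: a
    # URI such as /health.js is handled by the static-asset location instead.
    location /health {
        proxy_pass http://localhost:3350/health;
        access_log off;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    # Deny access to hidden files (dotfiles such as .git or .env).
    # This also covers /.well-known/; add an explicit exception first if an
    # ACME HTTP-01 challenge ever has to be answered on this server block.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Logging.
    # NOTE(review): the "main" log_format must be defined in the http{} context.
    access_log /var/log/nginx/xlxumu-api.access.log main;
    error_log /var/log/nginx/xlxumu-api.error.log warn;
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name xlapi.jiebanke.com;

    # Redirect every HTTP request to HTTPS. $server_name is the configured
    # name, not the client-supplied Host header, so the redirect target cannot
    # be influenced by the request.
    return 301 https://$server_name$request_uri;

    access_log off;
    error_log /dev/null;
}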