worker_processes 1;
|
|
error_log /var/log/nginx/error.log warn;
|
pid /var/run/nginx.pid;
|
|
events {
|
# 可以根据业务并发量适当调高
|
worker_connections 1024;
|
}
|
|
http {
|
include mime.types;
|
default_type application/octet-stream;
|
# 高效传输文件
|
sendfile on;
|
# 长连接超时时间
|
keepalive_timeout 65;
|
# 单连接最大请求数,提高长连接复用率
|
keepalive_requests 100000;
|
# 限制body大小
|
client_max_body_size 100m;
|
client_header_buffer_size 32k;
|
client_body_buffer_size 512k;
|
# 开启静态资源压缩
|
gzip_static on;
|
# 连接数限制 (防御类配置) 10m 一般够用了,能存储上万 IP 的计数
|
limit_conn_zone $binary_remote_addr zone=perip:10m;
|
limit_conn_zone $server_name zone=perserver:10m;
|
# 隐藏 nginx 版本号,防止暴露版本信息
|
server_tokens off;
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
'$status $body_bytes_sent "$http_referer" '
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
access_log /var/log/nginx/access.log main;
|
|
upstream server {
|
ip_hash;
|
server 127.0.0.1:8080;
|
server 127.0.0.1:8081;
|
}
|
|
upstream monitor-admin {
|
server 127.0.0.1:9090;
|
}
|
|
upstream snailjob-server {
|
server 127.0.0.1:8800;
|
}
|
|
server {
|
listen 80;
|
server_name localhost;
|
|
# https配置参考 start
|
#listen 443 ssl;
|
|
# 证书直接存放 /docker/nginx/cert/ 目录下即可 更改证书名称即可 无需更改证书路径
|
#ssl on;
|
#ssl_certificate /etc/nginx/cert/xxx.local.crt; # /etc/nginx/cert/ 为docker映射路径 不允许更改
|
#ssl_certificate_key /etc/nginx/cert/xxx.local.key; # /etc/nginx/cert/ 为docker映射路径 不允许更改
|
#ssl_session_timeout 5m;
|
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
|
#ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
|
#ssl_prefer_server_ciphers on;
|
# https配置参考 end
|
|
# 演示环境配置 拦截除 GET POST 之外的所有请求
|
# if ($request_method !~* GET|POST) {
|
# rewrite ^/(.*)$ /403;
|
# }
|
|
# location = /403 {
|
# default_type application/json;
|
# return 200 '{"msg":"演示模式,不允许操作","code":500}';
|
# }
|
|
# 限制外网访问内网 actuator 相关路径
|
location ~ ^(/[^/]*)?/actuator.*(/.*)?$ {
|
return 403;
|
}
|
|
location / {
|
root /usr/share/nginx/html; # docker映射路径 不允许更改
|
try_files $uri $uri/ /index.html;
|
index index.html index.htm;
|
}
|
|
location /prod-api/ {
|
# 设置客户端请求头中的 Host 信息(保持原始 Host)
|
proxy_set_header Host $http_host;
|
# 获取客户端真实 IP
|
proxy_set_header X-Real-IP $remote_addr;
|
# 自定义头 REMOTE-HOST,记录客户端 IP
|
proxy_set_header REMOTE-HOST $remote_addr;
|
# 获取完整的客户端 IP 链(经过多级代理时)
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
# 设置后端响应超时时间(这里是 24 小时,适合长连接/SSE)
|
proxy_read_timeout 86400s;
|
# SSE (Server-Sent Events) 与 WebSocket 支持参数
|
proxy_http_version 1.1;
|
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Connection "upgrade";
|
# 禁用代理缓冲,数据直接传给客户端
|
proxy_buffering off;
|
# 禁用代理缓存
|
proxy_cache off;
|
proxy_pass http://server/;
|
}
|
|
# https 会拦截内链所有的 http 请求 造成功能无法使用
|
# 解决方案1 将 admin 服务 也配置成 https
|
# 解决方案2 将菜单配置为外链访问 走独立页面 http 访问
|
location /admin/ {
|
# 设置客户端请求头中的 Host 信息(保持原始 Host)
|
proxy_set_header Host $http_host;
|
# 获取客户端真实 IP
|
proxy_set_header X-Real-IP $remote_addr;
|
# 自定义头 REMOTE-HOST,记录客户端 IP
|
proxy_set_header REMOTE-HOST $remote_addr;
|
# 获取完整的客户端 IP 链(经过多级代理时)
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
# 禁用代理缓冲,数据直接传给客户端
|
proxy_buffering off;
|
# 禁用代理缓存
|
proxy_cache off;
|
proxy_pass http://monitor-admin/admin/;
|
}
|
|
location /snail-job/ {
|
# 设置客户端请求头中的 Host 信息(保持原始 Host)
|
proxy_set_header Host $http_host;
|
# 获取客户端真实 IP
|
proxy_set_header X-Real-IP $remote_addr;
|
# 自定义头 REMOTE-HOST,记录客户端 IP
|
proxy_set_header REMOTE-HOST $remote_addr;
|
# 获取完整的客户端 IP 链(经过多级代理时)
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
# SSE (Server-Sent Events) 与 WebSocket 支持参数
|
proxy_http_version 1.1;
|
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Connection "upgrade";
|
# 禁用代理缓冲,直接传输给客户端
|
proxy_buffering off;
|
# 禁用代理缓存
|
proxy_cache off;
|
proxy_pass http://snailjob-server/snail-job/;
|
}
|
|
error_page 500 502 503 504 /50x.html;
|
location = /50x.html {
|
root html;
|
}
|
}
|
}
|
