nginx.conf

# =============================================================================
# 企微IT智能服务台 — Nginx 配置（公司内网服务器版）
# =============================================================================
# 适用场景：独立域名 itsupport.servyou.com.cn，公司内网 DNS 解析
# 与 NAS 版的区别：
#   1. 移除 Cloudflare 相关头（X-Forwarded-Proto https 等）
#   2. server_name 改为正式域名
#   3. 真实 IP 直接从 $remote_addr 获取（无 CF 代理层）
#   4. 预留 HTTPS 配置注释（如公司有统一 SSL 终端）
# =============================================================================

events {
    worker_connections 1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # ------------------------------------------------------------------
    # 日志格式
    # ------------------------------------------------------------------
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent"';

    access_log /var/log/nginx/access.log main;
    error_log  /var/log/nginx/error.log warn;

    # ------------------------------------------------------------------
    # 基础配置
    # ------------------------------------------------------------------
    sendfile           on;
    tcp_nopush        on;
    tcp_nodelay       on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 50m;   # 支持文件上传（企微媒体文件）

    # ------------------------------------------------------------------
    # Gzip 压缩（前端静态资源）
    # ------------------------------------------------------------------
    gzip            on;
    gzip_vary      on;
    gzip_min_length 1024;
    gzip_types      text/plain text/css text/xml text/javascript
                   application/javascript application/xml+rss
                   application/json application/ld+json;

    # =================================================================
    # 上游服务定义（Docker 内部网络）
    # =================================================================
    upstream backend_api {
        server backend:8000;
    }

    # =================================================================
    # HTTP 服务（监听 80 端口）
    # =================================================================
    # 如果公司有统一 SSL 终端（如 F5/Nginx 反代），此服务器只需监听 80
    # 如果需要本机 HTTPS，取消下方 server 块注释，并配置证书路径
    # =================================================================
    server {
        listen 80;
        server_name itsupport.servyou.com.cn;

        # ------------------------------------------------------------------
        # 安全头
        # ------------------------------------------------------------------
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # ------------------------------------------------------------------
        # 健康检查端点
        # ------------------------------------------------------------------
        location = /health {
            access_log off;
            return 200 "healthy\n";
            add_header Content-Type text/plain;
        }

        # ------------------------------------------------------------------
        # H5 员工端 — /itdesk/
        # ------------------------------------------------------------------
        location /itdesk/ {
            alias /usr/share/nginx/html/itdesk/;
            index index.html;
            try_files $uri /itdesk/index.html;
        }

        # ------------------------------------------------------------------
        # 坐席工作台 — /itagent/
        # ------------------------------------------------------------------
        location /itagent/ {
            alias /usr/share/nginx/html/itagent/;
            index index.html;
            try_files $uri /itagent/index.html;
        }

        # ------------------------------------------------------------------
        # 管理后台 — /itadmin/
        # ------------------------------------------------------------------
        location /itadmin/ {
            alias /usr/share/nginx/html/itadmin/;
            index index.html;
            try_files $uri /itadmin/index.html;
        }

        # ------------------------------------------------------------------
        # 统一入口 Portal — /itportal/
        # ------------------------------------------------------------------
        location /itportal/ {
            alias /usr/share/nginx/html/itportal/;
            index index.html;
            try_files $uri /itportal/index.html;
        }

        # ------------------------------------------------------------------
        # 后端 API — /api/
        # ------------------------------------------------------------------
        location /api/ {
            proxy_pass http://backend_api/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # 内网直连，如前端有 SSL 终端则改为 https
            proxy_set_header X-Forwarded-Proto $scheme;

            # 超时设置（AI 回复可能较慢）
            proxy_connect_timeout 60s;
            proxy_send_timeout    300s;
            proxy_read_timeout    300s;
        }

        # ------------------------------------------------------------------
        # WebSocket — /ws/（坐席端实时通信）
        # ------------------------------------------------------------------
        location /ws/ {
            proxy_pass http://backend_api;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_read_timeout 86400s;  # WebSocket 长连接
        }

        # ------------------------------------------------------------------
        # 企微回调 — /api/wecom/callback（接收企微消息推送）
        # ------------------------------------------------------------------
        # 企微验证回调 URL 时使用 GET，后续消息推送使用 POST
        # 此路径已包含在 /api/ 的代理规则中，无需单独配置

        # ------------------------------------------------------------------
        # 默认路径 — 重定向到 H5 员工端
        # ------------------------------------------------------------------
        location = / {
            return 302 /itdesk/;
        }
    }

    # =================================================================
    # HTTPS 配置（按需启用）
    # =================================================================
    # 如果需要本机直接提供 HTTPS（不走公司统一 SSL 终端），
    # 取消下方注释并配置 SSL 证书路径
    #
    # server {
    #     listen 443 ssl;
    #     server_name itsupport.servyou.com.cn;
    #
    #     ssl_certificate     /etc/nginx/ssl/itsupport.servyou.com.cn.crt;
    #     ssl_certificate_key /etc/nginx/ssl/itsupport.servyou.com.cn.key;
    #     ssl_protocols       TLSv1.2 TLSv1.3;
    #     ssl_ciphers         HIGH:!aNULL:!MD5;
    #
    #     # 其余 location 配置与上方 HTTP server 相同
    #     ...
    # }
}
chore: initial baseline with P0-safety .gitignore 2026-06-14 16:49:18 +08:00			`# =============================================================================`
			`# 企微IT智能服务台 — Nginx 配置（公司内网服务器版）`
			`# =============================================================================`
			`# 适用场景：独立域名 itsupport.servyou.com.cn，公司内网 DNS 解析`
			`# 与 NAS 版的区别：`
			`# 1. 移除 Cloudflare 相关头（X-Forwarded-Proto https 等）`
			`# 2. server_name 改为正式域名`
			`# 3. 真实 IP 直接从 $remote_addr 获取（无 CF 代理层）`
			`# 4. 预留 HTTPS 配置注释（如公司有统一 SSL 终端）`
			`# =============================================================================`

			`events {`
			`worker_connections 1024;`
			`}`

			`http {`
			`include /etc/nginx/mime.types;`
			`default_type application/octet-stream;`

			`# ------------------------------------------------------------------`
			`# 日志格式`
			`# ------------------------------------------------------------------`
			`log_format main '$remote_addr - $remote_user [$time_local] "$request" '`
			`'$status $body_bytes_sent "$http_referer" '`
			`'"$http_user_agent"';`

			`access_log /var/log/nginx/access.log main;`
			`error_log /var/log/nginx/error.log warn;`

			`# ------------------------------------------------------------------`
			`# 基础配置`
			`# ------------------------------------------------------------------`
			`sendfile on;`
			`tcp_nopush on;`
			`tcp_nodelay on;`
			`keepalive_timeout 65;`
			`types_hash_max_size 2048;`
			`client_max_body_size 50m; # 支持文件上传（企微媒体文件）`

			`# ------------------------------------------------------------------`
			`# Gzip 压缩（前端静态资源）`
			`# ------------------------------------------------------------------`
			`gzip on;`
			`gzip_vary on;`
			`gzip_min_length 1024;`
			`gzip_types text/plain text/css text/xml text/javascript`
			`application/javascript application/xml+rss`
			`application/json application/ld+json;`

			`# =================================================================`
			`# 上游服务定义（Docker 内部网络）`
			`# =================================================================`
			`upstream backend_api {`
			`server backend:8000;`
			`}`

			`# =================================================================`
			`# HTTP 服务（监听 80 端口）`
			`# =================================================================`
			`# 如果公司有统一 SSL 终端（如 F5/Nginx 反代），此服务器只需监听 80`
			`# 如果需要本机 HTTPS，取消下方 server 块注释，并配置证书路径`
			`# =================================================================`
			`server {`
			`listen 80;`
			`server_name itsupport.servyou.com.cn;`

			`# ------------------------------------------------------------------`
			`# 安全头`
			`# ------------------------------------------------------------------`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`

			`# ------------------------------------------------------------------`
			`# 健康检查端点`
			`# ------------------------------------------------------------------`
			`location = /health {`
			`access_log off;`
			`return 200 "healthy\n";`
			`add_header Content-Type text/plain;`
			`}`

			`# ------------------------------------------------------------------`
			`# H5 员工端 — /itdesk/`
			`# ------------------------------------------------------------------`
			`location /itdesk/ {`
			`alias /usr/share/nginx/html/itdesk/;`
			`index index.html;`
			`try_files $uri /itdesk/index.html;`
			`}`

			`# ------------------------------------------------------------------`
			`# 坐席工作台 — /itagent/`
			`# ------------------------------------------------------------------`
			`location /itagent/ {`
			`alias /usr/share/nginx/html/itagent/;`
			`index index.html;`
			`try_files $uri /itagent/index.html;`
			`}`

			`# ------------------------------------------------------------------`
			`# 管理后台 — /itadmin/`
			`# ------------------------------------------------------------------`
			`location /itadmin/ {`
			`alias /usr/share/nginx/html/itadmin/;`
			`index index.html;`
			`try_files $uri /itadmin/index.html;`
			`}`

			`# ------------------------------------------------------------------`
			`# 统一入口 Portal — /itportal/`
			`# ------------------------------------------------------------------`
			`location /itportal/ {`
			`alias /usr/share/nginx/html/itportal/;`
			`index index.html;`
			`try_files $uri /itportal/index.html;`
			`}`

			`# ------------------------------------------------------------------`
			`# 后端 API — /api/`
			`# ------------------------------------------------------------------`
			`location /api/ {`
			`proxy_pass http://backend_api/;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`# 内网直连，如前端有 SSL 终端则改为 https`
			`proxy_set_header X-Forwarded-Proto $scheme;`

			`# 超时设置（AI 回复可能较慢）`
			`proxy_connect_timeout 60s;`
			`proxy_send_timeout 300s;`
			`proxy_read_timeout 300s;`
			`}`

			`# ------------------------------------------------------------------`
			`# WebSocket — /ws/（坐席端实时通信）`
			`# ------------------------------------------------------------------`
			`location /ws/ {`
			`proxy_pass http://backend_api;`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_read_timeout 86400s; # WebSocket 长连接`
			`}`

			`# ------------------------------------------------------------------`
			`# 企微回调 — /api/wecom/callback（接收企微消息推送）`
			`# ------------------------------------------------------------------`
			`# 企微验证回调 URL 时使用 GET，后续消息推送使用 POST`
			`# 此路径已包含在 /api/ 的代理规则中，无需单独配置`

			`# ------------------------------------------------------------------`
			`# 默认路径 — 重定向到 H5 员工端`
			`# ------------------------------------------------------------------`
			`location = / {`
			`return 302 /itdesk/;`
			`}`
			`}`

			`# =================================================================`
			`# HTTPS 配置（按需启用）`
			`# =================================================================`
			`# 如果需要本机直接提供 HTTPS（不走公司统一 SSL 终端），`
			`# 取消下方注释并配置 SSL 证书路径`
			`#`
			`# server {`
			`# listen 443 ssl;`
			`# server_name itsupport.servyou.com.cn;`
			`#`
			`# ssl_certificate /etc/nginx/ssl/itsupport.servyou.com.cn.crt;`
			`# ssl_certificate_key /etc/nginx/ssl/itsupport.servyou.com.cn.key;`
			`# ssl_protocols TLSv1.2 TLSv1.3;`
			`# ssl_ciphers HIGH:!aNULL:!MD5;`
			`#`
			`# # 其余 location 配置与上方 HTTP server 相同`
			`# ...`
			`# }`
			`}`