139 lines
5.9 KiB
Plaintext
139 lines
5.9 KiB
Plaintext
|
# =============================================================================
|
|||
|
|
# 企微IT智能服务台 — Nginx 配置(NAS + Cloudflare Tunnel 版)
|
|||
|
|
# =============================================================================
|
|||
|
|
# 与标准 nginx.conf 的区别:
|
|||
|
|
# 1. 移除 / 根路径反代到 IT 数据查询平台(NAS 上没有此服务)
|
|||
|
|
# 2. 增加 Cloudflare 真实 IP 还原(CF-Connecting-IP)
|
|||
|
|
# 3. 增加 HSTS 和安全头(通过 Tunnel 时客户端是 HTTPS)
|
|||
|
|
# 4. 增加 /api/wecom/callback 路径用于企微消息回调
|
|||
|
|
# =============================================================================
|
|||
|
|
|
|||
|
|
events {
|
|||
|
|
worker_connections 1024;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
http {
|
|||
|
|
include /etc/nginx/mime.types;
|
|||
|
|
default_type application/octet-stream;
|
|||
|
|
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# 日志格式(增加 CF 真实 IP)
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
|
|||
|
|
'$status $body_bytes_sent "$http_referer" '
|
|||
|
|
'"$http_user_agent"';
|
|||
|
|
|
|||
|
|
access_log /var/log/nginx/access.log main;
|
|||
|
|
error_log /var/log/nginx/error.log warn;
|
|||
|
|
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# 基础配置
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
sendfile on;
|
|||
|
|
tcp_nopush on;
|
|||
|
|
tcp_nodelay on;
|
|||
|
|
keepalive_timeout 65;
|
|||
|
|
types_hash_max_size 2048;
|
|||
|
|
client_max_body_size 50m; # 支持文件上传(企微媒体文件)
|
|||
|
|
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# Gzip 压缩(前端静态资源)
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
gzip on;
|
|||
|
|
gzip_vary on;
|
|||
|
|
gzip_min_length 1024;
|
|||
|
|
gzip_types text/plain text/css text/xml text/javascript
|
|||
|
|
application/javascript application/xml+rss
|
|||
|
|
application/json application/ld+json;
|
|||
|
|
|
|||
|
|
# =================================================================
|
|||
|
|
# 上游服务定义(Docker 内部网络)
|
|||
|
|
# =================================================================
|
|||
|
|
upstream backend_api {
|
|||
|
|
server backend:8000;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# =================================================================
|
|||
|
|
# 主服务:监听 80 端口(Cloudflare Tunnel 终止 SSL,容器内走 HTTP)
|
|||
|
|
# =================================================================
|
|||
|
|
server {
|
|||
|
|
listen 80;
|
|||
|
|
server_name itdesk.amanzac.com;
|
|||
|
|
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# 安全头(通过 Cloudflare Tunnel 时客户端是 HTTPS)
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# 告诉浏览器只通过 HTTPS 访问(通过 Cloudflare 的 HSTS 配置更佳)
|
|||
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|||
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|||
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|||
|
|
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# 健康检查端点(用于 Docker healthcheck)
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
location = /itdesk/health {
|
|||
|
|
access_log off;
|
|||
|
|
return 200 "healthy\n";
|
|||
|
|
add_header Content-Type text/plain;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# H5 员工端 — /itdesk/
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
location /itdesk/ {
|
|||
|
|
alias /usr/share/nginx/html/itdesk/;
|
|||
|
|
index index.html;
|
|||
|
|
try_files $uri /itdesk/index.html;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# 坐席工作台 — /itagent/
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
location /itagent/ {
|
|||
|
|
alias /usr/share/nginx/html/itagent/;
|
|||
|
|
index index.html;
|
|||
|
|
try_files $uri /itagent/index.html;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# 后端 API — /api/
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
location /api/ {
|
|||
|
|
proxy_pass http://backend_api/;
|
|||
|
|
proxy_set_header Host $host;
|
|||
|
|
# Cloudflare 真实 IP 还原
|
|||
|
|
proxy_set_header X-Real-IP $http_cf_connecting_ip;
|
|||
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|||
|
|
# Cloudflare Tunnel 终止 SSL,告知后端原始协议是 HTTPS
|
|||
|
|
proxy_set_header X-Forwarded-Proto https;
|
|||
|
|
|
|||
|
|
# 超时设置(AI 回复可能较慢)
|
|||
|
|
proxy_connect_timeout 60s;
|
|||
|
|
proxy_send_timeout 300s;
|
|||
|
|
proxy_read_timeout 300s;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# WebSocket — /ws/(坐席端实时通信)
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
location /ws/ {
|
|||
|
|
proxy_pass http://backend_api;
|
|||
|
|
proxy_http_version 1.1;
|
|||
|
|
proxy_set_header Upgrade $http_upgrade;
|
|||
|
|
proxy_set_header Connection "upgrade";
|
|||
|
|
proxy_set_header Host $host;
|
|||
|
|
proxy_set_header X-Real-IP $http_cf_connecting_ip;
|
|||
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|||
|
|
proxy_set_header X-Forwarded-Proto https;
|
|||
|
|
proxy_read_timeout 86400s; # WebSocket 长连接
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
# 默认路径 — 重定向到 H5 员工端
|
|||
|
|
# ------------------------------------------------------------------
|
|||
|
|
location = / {
|
|||
|
|
return 302 /itdesk/;
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
}
|