v0.5.5: 应急页 v0.5.4 + 移除IT设备升级 + admin登录修复 + 内容审核架构 + 知识库

deploy-server/nginx/nginx.conf

@@ -27,6 +27,21 @@ http {
     access_log /var/log/nginx/access.log main;
     error_log  /var/log/nginx/error.log warn;
 
+    # ------------------------------------------------------------------
+    # 真实 IP 还原(2026-06-15 v0.5.1 修复)
+    # ------------------------------------------------------------------
+    # 问题:公司有 WAF/堡垒机/反向代理,nginx 看到的 $remote_addr
+    #       是代理 IP(不在白名单),allow/deny 因此误判 403
+    # 修法:信任内网段代理透传的 X-Forwarded-For 头,用真实 IP 做白名单
+    # 注意:set_real_ip_from 是"我信任的代理",不是"我允许的客户端"
+    #       必须精确,否则攻击者可伪造 X-Forwarded-For 绕过白名单
+    set_real_ip_from 10.0.0.0/8;          # 内网 A 类(代理/WAF 出口)
+    set_real_ip_from 172.16.0.0/12;       # 内网 B 类
+    set_real_ip_from 192.168.0.0/16;      # 内网 C 类
+    set_real_ip_from 10.212.0.0/16;       # VPN 网段
+    real_ip_header    X-Forwarded-For;    # 从 X-Forwarded-For 取最后一个非信任 IP
+    real_ip_recursive on;                 # 递归剥离已信任代理 IP
+
     # ------------------------------------------------------------------
     # 基础配置
     # ------------------------------------------------------------------
@@ -60,29 +75,58 @@ http {
     # 如果公司有统一 SSL 终端（如 F5/Nginx 反代），此服务器只需监听 80
     # 如果需要本机 HTTPS，取消下方 server 块注释，并配置证书路径
     # =================================================================
+    # HTTP — 80 端口强制 301 跳 HTTPS
+    # =================================================================
     server {
         listen 80;
         server_name itsupport.servyou.com.cn;
 
+        # ACME http-01 验证用（如果以后用 Let's Encrypt）
+        location /.well-known/acme-challenge/ {
+            root /usr/share/nginx/html;
+        }
+
+        # 其他全部 301 跳 https
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    # =================================================================
+    # HTTPS — 443 端口(主服务)
+    # =================================================================
+    server {
+        listen 443 ssl;
+        http2 on;
+        server_name itsupport.servyou.com.cn;
+
+        # SSL 证书(通配符 *.servyou.com.cn,fullchain 含 leaf+intermediate+root)
+        ssl_certificate     /etc/nginx/ssl/itsupport.servyou.com.cn.crt;
+        ssl_certificate_key /etc/nginx/ssl/itsupport.servyou.com.cn.key;
+        ssl_protocols       TLSv1.2 TLSv1.3;
+        ssl_ciphers         HIGH:!aNULL:!MD5;
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache   shared:SSL:10m;
+        ssl_session_timeout 1d;
+
         # ------------------------------------------------------------------
         # 安全头
         # ------------------------------------------------------------------
-        # 基础安全头
         add_header X-Content-Type-Options "nosniff" always;
         add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-XSS-Protection "1; mode=block" always;
         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
         add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-        
+
         # CSP 收紧: 去掉 unsafe-inline(生产不需要,只有 dev HMR 需要)
         add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' https://res.wx.qq.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https: http:; connect-src 'self' https://qyapi.weixin.qq.com wss://*; font-src 'self' data:;" always;
-        
+
         # 隐私与跨域控制
         add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
         add_header Cross-Origin-Opener-Policy "same-origin" always;
         add_header Cross-Origin-Embedder-Policy "require-corp" always;
         add_header Cross-Origin-Resource-Policy "same-origin" always;
-        
+
         # 隐藏服务器版本
         server_tokens off;
 
@@ -150,7 +194,7 @@ http {
                 allow 10.212.0.0/16;
                 deny all;
 
-                proxy_pass http://backend_api/;
+                proxy_pass http://backend_api;
                 proxy_set_header Host $host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -195,29 +239,10 @@ http {
         # 此路径已包含在 /api/ 的代理规则中，无需单独配置
 
         # ------------------------------------------------------------------
-        # 默认路径 — 重定向到 H5 员工端
+        # 默认路径 — 重定向到统一入口
         # ------------------------------------------------------------------
         location = / {
-            return 302 /itdesk/;
+            return 302 /itportal/;
         }
     }
-
-    # =================================================================
-    # HTTPS 配置（按需启用）
-    # =================================================================
-    # 如果需要本机直接提供 HTTPS（不走公司统一 SSL 终端），
-    # 取消下方注释并配置 SSL 证书路径
-    #
-    # server {
-    #     listen 443 ssl;
-    #     server_name itsupport.servyou.com.cn;
-    #
-    #     ssl_certificate     /etc/nginx/ssl/itsupport.servyou.com.cn.crt;
-    #     ssl_certificate_key /etc/nginx/ssl/itsupport.servyou.com.cn.key;
-    #     ssl_protocols       TLSv1.2 TLSv1.3;
-    #     ssl_ciphers         HIGH:!aNULL:!MD5;
-    #
-    #     # 其余 location 配置与上方 HTTP server 相同
-    #     ...
-    # }
 }