# ============================================================================= # 企微IT智能服务台 — Nginx 配置(公司内网服务器版) # ============================================================================= # 适用场景:独立域名 itsupport.servyou.com.cn,公司内网 DNS 解析 # 与 NAS 版的区别: # 1. 移除 Cloudflare 相关头(X-Forwarded-Proto https 等) # 2. server_name 改为正式域名 # 3. 真实 IP 直接从 $remote_addr 获取(无 CF 代理层) # 4. 预留 HTTPS 配置注释(如公司有统一 SSL 终端) # ============================================================================= events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; # ------------------------------------------------------------------ # 日志格式 # ------------------------------------------------------------------ log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent"'; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log warn; # ------------------------------------------------------------------ # 基础配置 # ------------------------------------------------------------------ sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; client_max_body_size 50m; # 支持文件上传(企微媒体文件) # ------------------------------------------------------------------ # Gzip 压缩(前端静态资源) # ------------------------------------------------------------------ gzip on; gzip_vary on; gzip_min_length 1024; gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json application/ld+json; # ================================================================= # 上游服务定义(Docker 内部网络) # ================================================================= upstream backend_api { server backend:8000; } # ================================================================= # HTTP 服务(监听 80 端口) # ================================================================= # 如果公司有统一 SSL 终端(如 F5/Nginx 反代),此服务器只需监听 80 # 如果需要本机 HTTPS,取消下方 server 块注释,并配置证书路径 # ================================================================= server { listen 80; server_name itsupport.servyou.com.cn; # ------------------------------------------------------------------ # 安全头 # ------------------------------------------------------------------ add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:;" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # ------------------------------------------------------------------ # 健康检查端点 # ------------------------------------------------------------------ location = /health { access_log off; return 200 "healthy\n"; add_header Content-Type text/plain; } # ------------------------------------------------------------------ # H5 员工端 — /itdesk/ # ------------------------------------------------------------------ location /itdesk/ { alias /usr/share/nginx/html/itdesk/; index index.html; try_files $uri /itdesk/index.html; } # ------------------------------------------------------------------ # 坐席工作台 — /itagent/ # ------------------------------------------------------------------ location /itagent/ { alias /usr/share/nginx/html/itagent/; index index.html; try_files $uri /itagent/index.html; } # ------------------------------------------------------------------ # 管理后台 — /itadmin/(仅限内网/VPN 访问) # ------------------------------------------------------------------ location /itadmin/ { # IP 白名单:仅允许内网网段 allow 10.0.0.0/8; allow 172.16.0.0/12; allow 192.168.0.0/16; allow 10.212.0.0/16; # VPN 网段 deny all; alias /usr/share/nginx/html/itadmin/; index index.html; try_files $uri /itadmin/index.html; } # ------------------------------------------------------------------ # 统一入口 Portal — /itportal/ # ------------------------------------------------------------------ location /itportal/ { alias /usr/share/nginx/html/itportal/; index index.html; try_files $uri /itportal/index.html; } # ------------------------------------------------------------------ # 后端 API — /api/(管理端 API 仅限内网/VPN) # ------------------------------------------------------------------ location /api/ { # 管理端 API 路径需要 IP 白名单 location ~ ^/api/admin/ { allow 10.0.0.0/8; allow 172.16.0.0/12; allow 192.168.0.0/16; allow 10.212.0.0/16; deny all; proxy_pass http://backend_api/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 60s; proxy_send_timeout 300s; proxy_read_timeout 300s; } # 其他 API 路径 proxy_pass http://backend_api/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 超时设置(AI 回复可能较慢) proxy_connect_timeout 60s; proxy_send_timeout 300s; proxy_read_timeout 300s; } # ------------------------------------------------------------------ # WebSocket — /ws/(坐席端实时通信) # ------------------------------------------------------------------ location /ws/ { proxy_pass http://backend_api; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_read_timeout 86400s; # WebSocket 长连接 } # ------------------------------------------------------------------ # 企微回调 — /api/wecom/callback(接收企微消息推送) # ------------------------------------------------------------------ # 企微验证回调 URL 时使用 GET,后续消息推送使用 POST # 此路径已包含在 /api/ 的代理规则中,无需单独配置 # ------------------------------------------------------------------ # 默认路径 — 重定向到 H5 员工端 # ------------------------------------------------------------------ location = / { return 302 /itdesk/; } } # ================================================================= # HTTPS 配置(按需启用) # ================================================================= # 如果需要本机直接提供 HTTPS(不走公司统一 SSL 终端), # 取消下方注释并配置 SSL 证书路径 # # server { # listen 443 ssl; # server_name itsupport.servyou.com.cn; # # ssl_certificate /etc/nginx/ssl/itsupport.servyou.com.cn.crt; # ssl_certificate_key /etc/nginx/ssl/itsupport.servyou.com.cn.key; # ssl_protocols TLSv1.2 TLSv1.3; # ssl_ciphers HIGH:!aNULL:!MD5; # # # 其余 location 配置与上方 HTTP server 相同 # ... # } }