wecom_it_smart_desk/deploy-server/nginx.conf

# =============================================================================
# 企微智能IT支持服务台 — Nginx 配置（公司内网服务器版 + HTTPS）
# =============================================================================
# 目标服务器：10.90.5.110
# 域名：itsupport.servyou.com.cn
#
# 路由规则：
#   HTTP  → 自动重定向到 HTTPS
#   HTTPS → { /itdesk/, /itagent/, /itadmin/, /api/, /ws/ }
# =============================================================================

events {
    worker_connections 1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # ------------------------------------------------------------------
    # 日志格式
    # ------------------------------------------------------------------
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;
    error_log  /var/log/nginx/error.log warn;

    # ------------------------------------------------------------------
    # 基础配置
    # ------------------------------------------------------------------
    sendfile           on;
    tcp_nopush         on;
    tcp_nodelay        on;
    keepalive_timeout  65;
    types_hash_max_size 2048;
    client_max_body_size 50m;   # 支持文件上传（企微媒体文件）

    # ------------------------------------------------------------------
    # Gzip 压缩（前端静态资源）
    # ------------------------------------------------------------------
    gzip            on;
    gzip_vary       on;
    gzip_min_length 1024;
    gzip_types      text/plain text/css text/xml text/javascript
                    application/javascript application/xml+rss
                    application/json application/ld+json;

    # ------------------------------------------------------------------
    # 安全响应头
    # ------------------------------------------------------------------
    # 隐藏 nginx 版本号
    server_tokens off;

    # 基础安全头（应用到所有响应）
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;

    # API 路径特殊处理（不加 CSP，只加基础安全头）
    # 前端路径的 CSP 在各前端 index.html 中单独配置

    # =================================================================
    # 上游服务定义（Docker 内部网络）
    # =================================================================
    upstream backend_api {
        server backend:8000;
    }

    # =================================================================
    # HTTP → HTTPS 重定向
    # =================================================================
    server {
        listen 80;
        server_name itsupport.servyou.com.cn;

        # 企微域名验证文件（HTTP 也需要，企微验证可能走 HTTP）
        location /WW_verify_lxWC7WJDjTQuutBE.txt {
            alias /usr/share/nginx/html/itdesk/WW_verify_lxWC7WJDjTQuutBE.txt;
        }

        # 其余全部重定向到 HTTPS
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # =================================================================
    # HTTPS 主服务
    # =================================================================
    server {
        listen 443 ssl;
        server_name itsupport.servyou.com.cn;

        # ------------------------------------------------------------------
        # SSL 证书配置
        # ------------------------------------------------------------------
        ssl_certificate     /etc/nginx/ssl/servyou.com.cn.crt;
        ssl_certificate_key /etc/nginx/ssl/servyou.com.cn.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        # ------------------------------------------------------------------
        # 安全头
        # ------------------------------------------------------------------
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # ------------------------------------------------------------------
        # 健康检查端点（用于 Docker healthcheck）
        # ------------------------------------------------------------------
        location = /itdesk/health {
            access_log off;
            return 200 "healthy\n";
            add_header Content-Type text/plain;
        }

        # ------------------------------------------------------------------
        # H5 员工端 — /itdesk/
        # ------------------------------------------------------------------
        location /itdesk/ {
            alias /usr/share/nginx/html/itdesk/;
            index index.html;
            try_files $uri /itdesk/index.html;
        }

        # ------------------------------------------------------------------
        # 坐席工作台 — /itagent/
        # ------------------------------------------------------------------
        location /itagent/ {
            alias /usr/share/nginx/html/itagent/;
            index index.html;
            try_files $uri /itagent/index.html;
        }

        # ------------------------------------------------------------------
        # 统一入口 Portal — /itportal/
        # ------------------------------------------------------------------
        location /itportal/ {
            alias /usr/share/nginx/html/itportal/;
            index index.html;
            try_files $uri /itportal/index.html;
        }

        # ------------------------------------------------------------------
        # 管理后台 — /itadmin/
        # ------------------------------------------------------------------
        location /itadmin/ {
            alias /usr/share/nginx/html/itadmin/;
            index index.html;
            try_files $uri /itadmin/index.html;
        }

        # ------------------------------------------------------------------
        # 后端 API — /api/
        # ------------------------------------------------------------------
        location /api/ {
            proxy_pass http://backend_api/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;

            # 超时设置（AI 回复可能较慢）
            proxy_connect_timeout 60s;
            proxy_send_timeout    300s;
            proxy_read_timeout    300s;
        }

        # ------------------------------------------------------------------
        # WebSocket — /ws/（坐席端实时通信）
        # ------------------------------------------------------------------
        location /ws/ {
            access_log off;  # P0-#4: 关闭 WS 路径日志，避免 token 泄露
            proxy_pass http://backend_api;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_read_timeout 86400s;  # WebSocket 长连接
        }

        # ------------------------------------------------------------------
        # 企微域名验证文件
        # ------------------------------------------------------------------
        location /WW_verify_lxWC7WJDjTQuutBE.txt {
            alias /usr/share/nginx/html/itdesk/WW_verify_lxWC7WJDjTQuutBE.txt;
        }

        # ------------------------------------------------------------------
        # 默认路径 — 重定向到统一入口 Portal
        # ------------------------------------------------------------------
        location = / {
            return 302 /itportal/;
        }
    }
}