Nginx的配置
# Main (top-level) context: process model and logging.
# Worker runs as nginx's default user unless `user` is uncommented.
#user nobody;
worker_processes 1;
# Error log (relative to the nginx prefix), at "info" verbosity.
error_log logs/error.log info;
# Master pid file; left at the built-in default.
#pid logs/nginx.pid;
# Connection-processing settings: up to 1024 simultaneous connections per worker.
events {
    worker_connections 1024;
}
http {
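# http-level defaults shared by every server below.
include mime.types;
# Anything without a known extension is served as an opaque download rather
# than guessed as text/HTML.
default_type application/octet-stream;
# Do not advertise the nginx version in the Server header or on error pages.
server_tokens off;
sendfile on;
keepalive_timeout 65;
# Gzip. Compressing TLS responses that mix attacker-influenced input with
# secrets (session or CSRF tokens) is the precondition for BREACH-style
# attacks; review whether application/json API responses need compression.
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;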
# WebSocket变量定义
# WebSocket support: when the client asks for an Upgrade, the proxied
# Connection header becomes "upgrade"; otherwise the backend connection is
# closed after the response.
map $http_upgrade $connection_upgrade {
    '' close;
    default upgrade;
}
# 【核心优化1】扩展本地源匹配 + 兼容空Origin场景
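# CORS origin allow-list. $allow_origin is echoed in
# Access-Control-Allow-Origin and is empty (header suppressed) for any origin
# not listed here. Because the locations below also send
# Access-Control-Allow-Credentials: true, this map is effectively the set of
# sites allowed to make authenticated cross-site requests.
map $http_origin $allow_origin {
    default "";
    # Production domains: HTTPS only (port 9000 redirects to HTTPS, so no page
    # of ours is ever served over plain HTTP), any subdomain depth, and an
    # optional port. The port is needed because the TLS listener is on 9443
    # and browsers include a non-default port in the Origin header.
    ~^https://([A-Za-z0-9-]+\.)+your-domain\.com(:\d+)?$ $http_origin;
    ~^https://new-domain\.your-company\.cn(:\d+)?$ $http_origin;
    # Local development origins on any port. These grant credentialed access to
    # any page on the developer's machine or LAN; remove them in production.
    ~^https?://(localhost|127\.0\.0\.1|192\.168\.\d+\.\d+):\d+$ $http_origin;
    # Requests without an Origin header (e.g. curl): $http_origin is empty, so
    # no CORS header is emitted. Same as default; kept for readability.
    "" $http_origin;
}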
# ========== 负载均衡池配置 ==========
# 非API请求使用(仅单节点)
# Single-node pool for non-API dynamic requests. After 3 failed attempts the
# node is considered unavailable for 30s.
upstream java_apps {
    server localhost:8666 max_fails=3 fail_timeout=30s weight=1;
}
# API请求专用(多节点负载)
# Two-node pool for API requests, equal weights, round-robin. Each node is
# marked unavailable for 30s after 3 failed attempts.
upstream java_apps_api {
    server localhost:8666 max_fails=3 fail_timeout=30s weight=1;
    server localhost:8667 max_fails=3 fail_timeout=30s weight=1;
}
# ========== 原有业务域名 HTTP 9000端口跳转 ==========
# Plain-HTTP listener for the primary business domain: everything is
# redirected to the TLS listener on 9443, preserving path and query string.
server {
    listen 9000;
    # The wildcard already covers the three explicit hosts; they are listed so
    # the intended hostnames stay visible.
    server_name *.your-domain.com admin.your-domain.com api.your-domain.com static.your-domain.com;
    # NOTE(review): $host is taken from the request's Host header, and as the
    # first server on 9000 this block is also the default for unmatched hosts,
    # so a request with an unexpected Host is redirected to that host — confirm
    # this is acceptable or add a catch-all default_server that returns 444.
    return 301 https://$host:9443$request_uri;
}
# ========== 新业务域名 HTTP 9000端口跳转 ==========
# Plain-HTTP listener for the new business domain: redirect to TLS on 9443,
# keeping path and query string.
server {
    listen 9000;
    server_name new-domain.your-company.cn;
    return 301 https://$host:9443$request_uri;
}
# ========== 原有业务域名 HTTPS 9443端口配置 ==========
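# ===== Primary business domain: HTTPS on 9443 =====
server {
    listen 9443 ssl;
    server_name *.your-domain.com;

    # Certificate and key (replace with the real paths for this host).
    ssl_certificate /opt/nginx/conf/cert/business.pem;
    ssl_certificate_key /opt/nginx/conf/cert/business.key;

    # TLS settings. The previous cipher list named two suites that do not exist
    # in OpenSSL (there is no AES256-GCM-SHA512), which left a single usable
    # TLS 1.2 suite; this list is AEAD-only with forward secrecy and works for
    # both RSA and ECDSA certificates.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Resumption via the server-side cache only; stateless tickets would be
    # encrypted under a key that is never rotated while nginx runs.
    ssl_session_tickets off;
    # NOTE(review): OCSP stapling can only fetch responses if nginx has a
    # `resolver` (or an ssl_stapling_file); none is configured here, so confirm
    # stapling is actually active.
    ssl_stapling on;
    ssl_stapling_verify on;

    # CORS headers for dynamic locations are gated on this flag: it is 0 for
    # paths under /images or /page/mobile (those locations send their own) and
    # 1 for everything else. Evaluated once per request at server level.
    set $cors_headers 0;
    if ($request_uri !~* ^/(images|page/mobile)) {
        set $cors_headers 1;
    }

    # ----- /images: static image files -----
    location ^~ /images/ {
        alias /opt/nginx/html/images/;
        autoindex off;
        # `expires` already emits Cache-Control: max-age=2592000; the explicit
        # header adds "public", so Cache-Control is sent twice (valid, but
        # could be folded into one).
        expires 30d;
        add_header Cache-Control "public, max-age=2592000";
        # Only these extensions get an image type; anything else falls back to
        # default_type (application/octet-stream).
        types {
            image/jpeg jpg jpeg jpe;
            image/png png;
            image/gif gif;
            image/bmp bmp;
            image/webp webp;
            image/svg+xml svg;
            image/tiff tif tiff;
            image/x-icon ico;
        }
        # SVG may contain script; nosniff stops browsers from reinterpreting
        # the declared type of anything served from this directory.
        add_header X-Content-Type-Options nosniff always;
        # Image-specific CORS headers ($cors_headers is 0 for this prefix, so
        # these are the only CORS headers on image responses).
        add_header Access-Control-Allow-Origin $allow_origin always;
        add_header Access-Control-Allow-Credentials true always;
        try_files $uri $uri/ =404;
    }

    # ----- /page/mobile: static mobile pages -----
    # The location prefix and the alias must both end in "/": with a prefix
    # that lacks the slash, a request path that continues the prefix with ".."
    # is mapped outside /opt/nginx/html/mobile/. The exact-match location keeps
    # the old slash-less URL working.
    location = /page/mobile {
        return 301 /page/mobile/$is_args$args;
    }
    location /page/mobile/ {
        alias /opt/nginx/html/mobile/;
        index index.html index.htm;
        autoindex off;
        # As in /images, `expires` and the explicit Cache-Control overlap.
        expires 7d;
        add_header Cache-Control "public, max-age=604800";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff always;
        types {
            text/html html htm;
            text/css css;
            application/javascript js;
            application/json json;
        }
    }

    # ----- /api/: API traffic, balanced across the two-node API pool -----
    location ^~ /api/ {
        # CORS headers for actual (non-preflight) requests. $cors_headers is
        # always 1 under /api/; the gate is kept so this block mirrors
        # location /.
        if ($cors_headers = 1) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
        }
        # Preflight is answered here without reaching the backend. The headers
        # are repeated because each `if` is its own configuration context and
        # does not inherit add_header from a sibling `if`.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
            add_header Content-Length 0;
            add_header Content-Type text/plain;
            return 204;
        }
        proxy_pass http://java_apps_api;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to whatever X-Forwarded-For the client sent; the backend must
        # trust only the right-most (nginx-added) address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
        # HTTP/1.1 plus the Upgrade/Connection pair lets WebSocket upgrades
        # pass through ($connection_upgrade comes from the map in http {}).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Fail over to the next pool member on connection errors and 5xx, at
        # most 3 tries within 10s. nginx does not retry non-idempotent methods
        # by default, so POST/PUT bodies are not replayed.
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_next_upstream_tries 3;
        proxy_next_upstream_timeout 10s;
        # Drop any CORS headers the backend emits so the browser sees exactly
        # one set (duplicates make browsers reject the response).
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
    }

    # ----- everything else: non-API dynamic requests, single-node pool -----
    location ^~ / {
        # $cors_headers is 0 here only for paths like /images (no trailing
        # slash) that miss the static locations but match the server-level
        # regex; those get no CORS headers.
        if ($cors_headers = 1) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
        }
        # Preflight handled locally; see the /api/ block for why the headers
        # are repeated.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
            add_header Content-Length 0;
            add_header Content-Type text/plain;
            return 204;
        }
        proxy_pass http://java_apps;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_next_upstream_tries 3;
        proxy_next_upstream_timeout 10s;
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
    }

    # 5xx error page, served from the nginx html directory.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    # Block Apache-style .ht* files. NOTE(review): only .ht* is covered; other
    # dotfiles (e.g. .git, .env) are not — consider denying all dotfiles
    # except .well-known.
    location ~ /\.ht {
        deny all;
    }
}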
# ========== 新业务域名 HTTPS 9443端口配置 ==========
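# ===== New business domain: HTTPS on 9443 (API and static only) =====
server {
    listen 9443 ssl;
    server_name new-domain.your-company.cn;

    # Certificate and key for the new domain.
    ssl_certificate /opt/nginx/conf/cert/new-business.pem;
    ssl_certificate_key /opt/nginx/conf/cert/new-business.key;

    # TLS settings. The previous cipher list named two suites that do not exist
    # in OpenSSL (there is no AES256-GCM-SHA512), which left a single usable
    # TLS 1.2 suite; this list is AEAD-only with forward secrecy and works for
    # both RSA and ECDSA certificates.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Resumption via the server-side cache only; stateless tickets would be
    # encrypted under a key that is never rotated while nginx runs.
    ssl_session_tickets off;
    # OCSP stapling is off for this domain. If it is enabled later it also
    # needs a `resolver` (or an ssl_stapling_file) to fetch responses.
    # ssl_stapling on;
    # ssl_stapling_verify on;

    # CORS headers for dynamic locations are gated on this flag: it is 0 for
    # paths under /images or /page/mobile (those locations send their own) and
    # 1 for everything else.
    set $cors_headers 0;
    if ($request_uri !~* ^/(images|page/mobile)) {
        set $cors_headers 1;
    }

    # ----- /images: static image files -----
    location ^~ /images/ {
        alias /opt/nginx/html/images/;
        autoindex off;
        # `expires` already emits Cache-Control: max-age=2592000; the explicit
        # header adds "public", so Cache-Control is sent twice (valid, but
        # could be folded into one).
        expires 30d;
        add_header Cache-Control "public, max-age=2592000";
        # Only these extensions get an image type; anything else falls back to
        # default_type (application/octet-stream).
        types {
            image/jpeg jpg jpeg jpe;
            image/png png;
            image/gif gif;
            image/bmp bmp;
            image/webp webp;
            image/svg+xml svg;
            image/tiff tif tiff;
            image/x-icon ico;
        }
        # SVG may contain script; nosniff stops browsers from reinterpreting
        # the declared type of anything served from this directory.
        add_header X-Content-Type-Options nosniff always;
        add_header Access-Control-Allow-Origin $allow_origin always;
        add_header Access-Control-Allow-Credentials true always;
        try_files $uri $uri/ =404;
    }

    # ----- /page/mobile: static mobile pages -----
    # The location prefix and the alias must both end in "/": with a prefix
    # that lacks the slash, a request path that continues the prefix with ".."
    # is mapped outside /opt/nginx/html/mobile/. The exact-match location keeps
    # the old slash-less URL working.
    location = /page/mobile {
        return 301 /page/mobile/$is_args$args;
    }
    location /page/mobile/ {
        alias /opt/nginx/html/mobile/;
        index index.html index.htm;
        autoindex off;
        # As in /images, `expires` and the explicit Cache-Control overlap.
        expires 7d;
        add_header Cache-Control "public, max-age=604800";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff always;
        types {
            text/html html htm;
            text/css css;
            application/javascript js;
            application/json json;
        }
    }

    # ----- /api/: the only dynamic prefix on this domain -----
    location ^~ /api/ {
        # CORS headers for actual (non-preflight) requests. $cors_headers is
        # always 1 under /api/; the gate is kept for parity with the other
        # HTTPS server.
        if ($cors_headers = 1) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
        }
        # Preflight is answered here without reaching the backend. The headers
        # are repeated because each `if` is its own configuration context and
        # does not inherit add_header from a sibling `if`.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $allow_origin always;
            add_header Access-Control-Allow-Credentials true always;
            add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS" always;
            add_header Access-Control-Allow-Headers "Content-Type,Authorization,Token,Accept,Origin,X-Requested-With" always;
            add_header Content-Length 0;
            add_header Content-Type text/plain;
            return 204;
        }
        proxy_pass http://java_apps_api;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to whatever X-Forwarded-For the client sent; the backend must
        # trust only the right-most (nginx-added) address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 600s;
        proxy_read_timeout 600s;
        # HTTP/1.1 plus the Upgrade/Connection pair lets WebSocket upgrades
        # pass through ($connection_upgrade comes from the map in http {}).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Fail over to the next pool member on connection errors and 5xx, at
        # most 3 tries within 10s. nginx does not retry non-idempotent methods
        # by default, so POST/PUT bodies are not replayed.
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_next_upstream_tries 3;
        proxy_next_upstream_timeout 10s;
        # Drop any CORS headers the backend emits so the browser sees exactly
        # one set.
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Methods;
        proxy_hide_header Access-Control-Allow-Headers;
    }

    # Anything else on this domain is not served.
    location / {
        return 404;
    }

    # 5xx error page, served from the nginx html directory.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    # Block Apache-style .ht* files. NOTE(review): only .ht* is covered; other
    # dotfiles (e.g. .git, .env) are not — consider denying all dotfiles
    # except .well-known.
    location ~ /\.ht {
        deny all;
    }
}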
}