user nginx; worker_processes auto; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Headers' '*'; add_header 'Access-Control-Allow-Methods' '*'; access_log /var/log/nginx/access.log main; sendfile on; keepalive_timeout 65; # HTTP重定向到HTTPS server { listen 80; listen [::]:80; server_name mosr.feashow.cn; return 301 https://$host$request_uri; # 强制跳转HTTPS } # 新增HTTPS服务器块 server { listen 443 ssl; listen [::]:443 ssl; server_name mosr.feashow.cn; # SSL证书配置 ssl_certificate /etc/nginx/mosr.feashow.cn_chain.crt; ssl_certificate_key /etc/nginx/private.key; # 优化SSL配置 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 1d; ssl_session_tickets off; location /api { proxy_pass http://gateway.$PROFILES.svc.cluster.local:8080; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $host; rewrite "^/api/(.*)$" /$1 break; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; client_max_body_size 30m; } location / { root /home/clay; index index.html index.htm; try_files $uri $uri/ /index.html; } } }