add 20251112 report

jiao77.cn.conf

@@ -0,0 +1,323 @@
+############################################################
+# Apache 子域名反向代理配置（jiao77.cn）
+#
+# 说明：
+# - 避免子路径带来的静态资源/重写/WS 问题，每个服务独立子域名
+# - 统一在 443 终止 TLS，Apache 反代到本地端口服务
+# - 主站 jiao77.cn 使用 Docker 容器部署（端口 3001）
+# - API 后端服务使用 Docker 容器部署（端口 3000）
+#
+# 前置：
+# - DNS 为以下子域名添加 A/AAAA 记录 -> 服务器 IP
+# - 证书需覆盖所有子域（通配符 *.jiao77.cn 或 SAN 多域名证书）
+# - 启用模块：ssl headers proxy proxy_http proxy_wstunnel rewrite deflate cache cache_disk expires
+#
+# 部署：
+# - 放置到 /etc/apache2/sites-available/jiao77-subdomains.conf
+# - sudo a2enmod ssl headers proxy proxy_http proxy_wstunnel rewrite deflate cache cache_disk expires
+# - sudo a2ensite jiao77-subdomains && sudo systemctl reload apache2
+############################################################
+
+# ============ 主站（前端 Docker 容器） ============
+<VirtualHost *:80>
+    ServerName jiao77.cn
+    ServerAlias www.jiao77.cn
+    RewriteEngine On
+    RewriteRule ^/(.*)$ https://jiao77.cn/$1 [R=301,L]
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName jiao77.cn
+    ServerAlias www.jiao77.cn
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/jiao77/cert.pem
+    SSLCertificateKeyFile /etc/ssl/jiao77/key.pem
+    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem
+    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite HIGH:!aNULL:!MD5
+
+    # 安全头配置
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+    Header always set X-Content-Type-Options "nosniff"
+    Header always set X-Frame-Options "SAMEORIGIN"
+    Header always set Referrer-Policy "no-referrer-when-downgrade"
+
+    # 代理配置
+    ProxyPreserveHost On
+    ProxyRequests Off
+    RequestHeader set X-Forwarded-Proto "https"
+    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
+
+    # 缓存策略（VirtualHost 级别）
+    # 注意：一些缓存指令（如 CacheIgnoreHeaders）不允许放在 <LocationMatch> 中
+    # 因此在虚拟主机级别声明，以便对下方的缓存生效
+    CacheIgnoreHeaders Set-Cookie
+
+    # ============ API 后端代理 ============
+    # 暂时注释掉 API 代理，如果需要可以取消注释
+    # 健康检查（不记录日志）
+    # <Location /health>
+    #     ProxyPass http://127.0.0.1:3000/health
+    #     ProxyPassReverse http://127.0.0.1:3000/health
+    #     SetEnv no-log 1
+    # </Location>
+
+    # API 接口代理
+    # 关键：使用 <Location> 并带尾部斜杠，确保路径正确传递
+    # <Location /api/>
+    #     ProxyPass http://127.0.0.1:3000/api/
+    #     ProxyPassReverse http://127.0.0.1:3000/api/
+    #
+    #     # API 缓存配置（10分钟）
+    #     CacheEnable disk
+    #     CacheHeader on
+    #     CacheDefaultExpire 600
+    #     CacheMaxExpire 600
+    # </Location>
+
+    # ============ 静态资源缓存 ============
+    # 由于现在直接使用静态文件服务，这个 LocationMatch 可以移除
+    # 静态资源缓存已在下面的 Directory 配置中处理
+
+    # ============ 前端应用代理（默认） ============
+    # 直接提供静态文件服务，不使用 Docker 容器
+    DocumentRoot /var/www/jiao77.cn
+    DirectoryIndex index.html
+
+    # 静态文件处理
+    <Directory /var/www/jiao77.cn>
+        Options -Indexes +FollowSymLinks
+        AllowOverride All
+        Require all granted
+    </Directory>
+
+    # 对静态资源启用缓存
+    <LocationMatch "\.(js|css|png|jpg|jpeg|gif|ico|woff|woff2|svg|webp)$">
+        ExpiresActive On
+        ExpiresDefault "access plus 30 days"
+        Header set Cache-Control "public, max-age=2592000, immutable"
+    </LocationMatch>
+
+    # Gzip 压缩配置
+    <IfModule mod_deflate.c>
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
+        AddOutputFilterByType DEFLATE application/javascript application/json
+        AddOutputFilterByType DEFLATE application/xml application/rss+xml
+    </IfModule>
+
+    ErrorLog ${APACHE_LOG_DIR}/jiao77-main-error.log
+    CustomLog ${APACHE_LOG_DIR}/jiao77-main-access.log combined
+</VirtualHost>
+</IfModule>
+
+# 公共代理选项
+<IfModule mod_ssl.c>
+    SSLProxyEngine on
+</IfModule>
+
+# ============ Gitea ============
+<VirtualHost *:80>
+    ServerName gitea.jiao77.cn
+    RewriteEngine On
+    RewriteRule ^/(.*)$ https://gitea.jiao77.cn/$1 [R=301,L]
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName gitea.jiao77.cn
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/jiao77/cert.pem
+    SSLCertificateKeyFile /etc/ssl/jiao77/key.pem
+    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem
+
+    ProxyPreserveHost On
+    RequestHeader set X-Forwarded-Proto "https"
+
+    ProxyPass        / http://127.0.0.1:3012/
+    ProxyPassReverse / http://127.0.0.1:3012/
+
+    ErrorLog ${APACHE_LOG_DIR}/gitea-error.log
+    CustomLog ${APACHE_LOG_DIR}/gitea-access.log combined
+</VirtualHost>
+</IfModule>
+
+# ============ AList ============
+<VirtualHost *:80>
+    ServerName alist.jiao77.cn
+    RewriteEngine On
+    RewriteRule ^/(.*)$ https://alist.jiao77.cn/$1 [R=301,L]
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName alist.jiao77.cn
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/jiao77/cert.pem
+    SSLCertificateKeyFile /etc/ssl/jiao77/key.pem
+    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem
+
+    ProxyPreserveHost On
+    RequestHeader set X-Forwarded-Proto "https"
+    # 如果 AList 后端是 HTTPS（如 52443），保持 https 代理；若是 http，改为 http://127.0.0.1:<port>
+    ProxyPass        / https://127.0.0.1:52443/
+    ProxyPassReverse / https://127.0.0.1:52443/
+
+    ErrorLog ${APACHE_LOG_DIR}/alist-error.log
+    CustomLog ${APACHE_LOG_DIR}/alist-access.log combined
+</VirtualHost>
+</IfModule>
+
+# ============ Q-Nas ============
+<VirtualHost *:80>
+    ServerName qnas.jiao77.cn
+    RewriteEngine On
+    RewriteRule ^/(.*)$ https://qnas.jiao77.cn/$1 [R=301,L]
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName qnas.jiao77.cn
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/jiao77/cert.pem
+    SSLCertificateKeyFile /etc/ssl/jiao77/key.pem
+    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem
+
+    ProxyPreserveHost On
+    RequestHeader set X-Forwarded-Proto "https"
+
+    ProxyPass        / http://127.0.0.1:5666/
+    ProxyPassReverse / http://127.0.0.1:5666/
+
+    ErrorLog ${APACHE_LOG_DIR}/qnas-error.log
+    CustomLog ${APACHE_LOG_DIR}/qnas-access.log combined
+</VirtualHost>
+</IfModule>
+
+# ============ nuc-Nas ============
+<VirtualHost *:80>
+    ServerName nucnas.jiao77.cn
+    RewriteEngine On
+    RewriteRule ^/(.*)$ https://nucnas.jiao77.cn/$1 [R=301,L]
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName nucnas.jiao77.cn
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/jiao77/cert.pem
+    SSLCertificateKeyFile /etc/ssl/jiao77/key.pem
+    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem
+
+    ProxyPreserveHost On
+    RequestHeader set X-Forwarded-Proto "https"
+
+    ProxyPass        / http://127.0.0.1:56661/
+    ProxyPassReverse / http://127.0.0.1:56661/
+
+    ErrorLog ${APACHE_LOG_DIR}/nucnas-error.log
+    CustomLog ${APACHE_LOG_DIR}/nucnas-access.log combined
+</VirtualHost>
+</IfModule>
+
+# ============ RAGflow ============
+<VirtualHost *:80>
+    ServerName ragflow.jiao77.cn
+    RewriteEngine On
+    RewriteRule ^/(.*)$ https://ragflow.jiao77.cn/$1 [R=301,L]
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName ragflow.jiao77.cn
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/jiao77/cert.pem
+    SSLCertificateKeyFile /etc/ssl/jiao77/key.pem
+    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem
+
+    ProxyPreserveHost On
+    RequestHeader set X-Forwarded-Proto "https"
+
+    ProxyPass        / http://127.0.0.1:28081/
+    ProxyPassReverse / http://127.0.0.1:28081/
+
+    ErrorLog ${APACHE_LOG_DIR}/ragflow-error.log
+    CustomLog ${APACHE_LOG_DIR}/ragflow-access.log combined
+</VirtualHost>
+</IfModule>
+
+# ============ Open WebUI ============
+<VirtualHost *:80>
+    ServerName ai.jiao77.cn
+    RewriteEngine On
+    RewriteRule ^/(.*)$ https://ai.jiao77.cn/$1 [R=301,L]
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName ai.jiao77.cn
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/jiao77/cert.pem
+    SSLCertificateKeyFile /etc/ssl/jiao77/key.pem
+    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem
+
+    ProxyPreserveHost On
+    RequestHeader set X-Forwarded-Proto "https"
+
+    ProxyPass        / http://127.0.0.1:38080/
+    ProxyPassReverse / http://127.0.0.1:38080/
+    # 常见 WebSocket 路径（按需调整）
+    ProxyPass        /ws ws://127.0.0.1:38080/ws
+    ProxyPassReverse /ws ws://127.0.0.1:38080/ws
+
+    ErrorLog ${APACHE_LOG_DIR}/ai-error.log
+    CustomLog ${APACHE_LOG_DIR}/ai-access.log combined
+</VirtualHost>
+</IfModule>
+
+# ============ Navidrome ============
+<VirtualHost *:80>
+    ServerName music.jiao77.cn
+    RewriteEngine On
+    RewriteRule ^/(.*)$ https://music.jiao77.cn/$1 [R=301,L]
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+    ServerName music.jiao77.cn
+
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/jiao77/cert.pem
+    SSLCertificateKeyFile /etc/ssl/jiao77/key.pem
+    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem
+
+    ProxyPreserveHost On
+    RequestHeader set X-Forwarded-Proto "https"
+
+    ProxyPass        / http://127.0.0.1:45332/
+    ProxyPassReverse / http://127.0.0.1:45332/
+
+    ErrorLog ${APACHE_LOG_DIR}/music-error.log
+    CustomLog ${APACHE_LOG_DIR}/music-access.log combined
+</VirtualHost>
+</IfModule>
+
+# ============ 缓存配置 ============
+<IfModule mod_cache.c>
+    CacheRoot /var/cache/apache2/jiao77
+    CacheDirLevels 2
+    CacheDirLength 1
+    CacheMaxFileSize 10000000
+    CacheMinFileSize 1
+    CacheReadSize 0
+    CacheReadTime 3000
+</IfModule>
+
+