diff --git a/deploy-nginx.sh b/deploy-nginx.sh
new file mode 100644
index 0000000..03767c0
--- /dev/null
+++ b/deploy-nginx.sh
@@ -0,0 +1,277 @@
+#!/bin/bash
+
+# 🚀 Jiao77.cn 一键部署脚本 (Nginx 版本)
+# 自动构建并部署 Astro 网站到 10.126.126.31 服务器
+#
+# 用法:
+# ./deploy-nginx.sh # 交互模式(需确认)
+# ./deploy-nginx.sh --skip # 跳过确认直接部署
+# ./deploy-nginx.sh --build-only # 仅构建
+# ./deploy-nginx.sh --config-only # 仅上传配置
+
+set -e
+
+# 服务器配置
+SERVER_IP="10.126.126.31"
+USERNAME="root"
+PASSWORD="20160406-Jts"
+WEB_ROOT="/var/www/jiao77.cn"
+
+# 解析参数
+SKIP_CONFIRM=false
+BUILD_ONLY=false
+CONFIG_ONLY=false
+
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ --skip)
+ SKIP_CONFIRM=true
+ shift
+ ;;
+ --build-only)
+ BUILD_ONLY=true
+ shift
+ ;;
+ --config-only)
+ CONFIG_ONLY=true
+ shift
+ ;;
+ *)
+ echo "未知参数: $1"
+ exit 1
+ ;;
+ esac
+done
+
+echo "🌟 =================================="
+echo "🌟 Jiao77.cn 网站部署工具 (Nginx)"
+echo "🌟 =================================="
+echo ""
+echo "📋 部署信息:"
+echo " 服务器: ${SERVER_IP}"
+echo " 用户名: ${USERNAME}"
+echo " 网站目录: ${WEB_ROOT}"
+echo ""
+
+# 检查是否安装了 sshpass
+check_sshpass() {
+ if ! command -v sshpass &> /dev/null; then
+ echo "⚠️ sshpass 未安装,正在安装..."
+ if command -v apt-get &> /dev/null; then
+ sudo apt-get update && sudo apt-get install -y sshpass
+ elif command -v yum &> /dev/null; then
+ sudo yum install -y sshpass
+ else
+ echo "❌ 无法自动安装 sshpass,请手动安装后重试"
+ exit 1
+ fi
+ fi
+ echo "✅ sshpass 已就绪"
+}
+
+# 构建项目
+build_project() {
+ echo ""
+ echo "📦 构建生产版本..."
+
+ if [ ! -f "package.json" ]; then
+ echo "❌ 错误: 当前目录不是 Astro 项目根目录"
+ exit 1
+ fi
+
+ # 清理之前的构建
+ if [ -d "dist" ]; then
+ rm -rf dist
+ fi
+
+ # 构建项目
+ npm run build
+
+ if [ ! -d "dist" ]; then
+ echo "❌ 错误: 构建失败,dist 目录不存在"
+ exit 1
+ fi
+
+ echo "✅ 构建完成"
+}
+
+# 部署到服务器
+deploy_to_server() {
+ echo ""
+ echo "🚀 开始部署到服务器..."
+
+ # 检查 SSH 连接
+ echo "🔍 测试 SSH 连接..."
+ if sshpass -p "${PASSWORD}" ssh -o StrictHostKeyChecking=no ${USERNAME}@${SERVER_IP} "echo 'SSH 连接成功'" 2>/dev/null; then
+ echo "✅ SSH 连接成功"
+ else
+ echo "❌ SSH 连接失败"
+ exit 1
+ fi
+
+ # 创建网站目录
+ echo "📁 创建网站目录..."
+ sshpass -p "${PASSWORD}" ssh -o StrictHostKeyChecking=no ${USERNAME}@${SERVER_IP} "
+ sudo mkdir -p ${WEB_ROOT}
+ sudo chown -R ${USERNAME}:${USERNAME} ${WEB_ROOT}
+ echo '✅ 目录创建完成'
+ "
+
+ # 上传文件
+ echo "📡 上传网站文件..."
+ if command -v rsync &> /dev/null; then
+ sshpass -p "${PASSWORD}" rsync -avz --delete --progress \
+ -e "ssh -o StrictHostKeyChecking=no" \
+ dist/ ${USERNAME}@${SERVER_IP}:${WEB_ROOT}/
+ else
+ # 使用 scp 上传
+ cd dist
+ tar -czf ../deploy-temp.tar.gz *
+ cd ..
+ sshpass -p "${PASSWORD}" scp -o StrictHostKeyChecking=no deploy-temp.tar.gz ${USERNAME}@${SERVER_IP}:/tmp/
+ sshpass -p "${PASSWORD}" ssh -o StrictHostKeyChecking=no ${USERNAME}@${SERVER_IP} "
+ cd ${WEB_ROOT} && tar -xzf /tmp/deploy-temp.tar.gz && rm /tmp/deploy-temp.tar.gz
+ "
+ rm -f deploy-temp.tar.gz
+ fi
+ echo "✅ 文件上传完成"
+}
+
+# 配置 Nginx
+config_nginx() {
+ echo ""
+ echo "⚙️ 配置 Nginx..."
+
+ # 检查配置文件是否存在
+ if [ ! -f "jiao77.cn.nginx.conf" ]; then
+ echo "❌ 错误: jiao77.cn.nginx.conf 文件不存在"
+ exit 1
+ fi
+
+ # 上传 nginx 配置文件
+ sshpass -p "${PASSWORD}" scp -o StrictHostKeyChecking=no jiao77.cn.nginx.conf ${USERNAME}@${SERVER_IP}:/tmp/jiao77.cn.conf
+
+ # 在服务器上配置 nginx
+ sshpass -p "${PASSWORD}" ssh -o StrictHostKeyChecking=no ${USERNAME}@${SERVER_IP} '
+ # 备份原有配置
+ if [ -f /etc/nginx/sites-available/jiao77.cn.conf ]; then
+ cp /etc/nginx/sites-available/jiao77.cn.conf /etc/nginx/sites-available/jiao77.cn.conf.backup.$(date +%Y%m%d_%H%M%S)
+ echo "✅ 原配置已备份"
+ fi
+
+ # 移动新配置文件
+ mv /tmp/jiao77.cn.conf /etc/nginx/sites-available/jiao77.cn.conf
+
+ # 创建软链接
+ if [ ! -L /etc/nginx/sites-enabled/jiao77.cn.conf ]; then
+ ln -s /etc/nginx/sites-available/jiao77.cn.conf /etc/nginx/sites-enabled/
+ fi
+
+ # 移除默认配置(可选)
+ if [ -L /etc/nginx/sites-enabled/default ]; then
+ rm /etc/nginx/sites-enabled/default
+ fi
+
+ # 测试 nginx 配置
+ if nginx -t; then
+ echo "✅ Nginx 配置测试通过"
+ else
+ echo "❌ Nginx 配置测试失败"
+ exit 1
+ fi
+
+ # 重新加载 nginx
+ systemctl reload nginx
+ echo "✅ Nginx 已重新加载"
+
+ # 设置文件权限
+ chown -R www-data:www-data /var/www/jiao77.cn
+ find /var/www/jiao77.cn -type d -exec chmod 755 {} \;
+ find /var/www/jiao77.cn -type f -exec chmod 644 {} \;
+ echo "✅ 文件权限已设置"
+ '
+
+ echo "✅ Nginx 配置完成"
+}
+
+# 测试部署
+test_deployment() {
+ echo ""
+ echo "🧪 测试部署结果..."
+
+ # 测试 HTTP
+ HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://${SERVER_IP}/ 2>/dev/null || echo "000")
+
+ if [ "$HTTP_CODE" = "200" ]; then
+ echo "✅ 网站访问正常 (HTTP $HTTP_CODE)"
+ else
+ echo "⚠️ 网站可能存在问题 (HTTP $HTTP_CODE)"
+ fi
+
+ # 测试 HTTPS
+ HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" https://${SERVER_IP}/ 2>/dev/null || echo "000")
+ echo "🌐 HTTPS 测试: HTTP $HTTP_CODE"
+}
+
+# 显示结果
+show_results() {
+ echo ""
+ echo "🎉 =================================="
+ echo "🎉 部署完成!"
+ echo "🎉 =================================="
+ echo ""
+ echo "🌐 网站地址:"
+ echo " https://${SERVER_IP}"
+ echo " https://jiao77.cn"
+ echo ""
+ echo "📋 服务器管理命令:"
+ echo " 查看 nginx 状态: systemctl status nginx"
+ echo " 重启 nginx: systemctl restart nginx"
+ echo " 查看日志: tail -f /var/log/nginx/jiao77-error.log"
+ echo " 测试配置: nginx -t"
+ echo ""
+ echo "🔧 后续步骤:"
+ echo " 1. 访问网站确认页面正常显示"
+ echo " 2. 测试各子域名是否正常"
+}
+
+# 确认部署
+confirm_deploy() {
+ echo ""
+ read -p "❓ 确认开始部署到 ${SERVER_IP}? (y/N): " CONFIRM
+ if [[ ! $CONFIRM =~ ^[Yy]$ ]]; then
+ echo "❌ 部署已取消"
+ exit 0
+ fi
+}
+
+# 主函数
+main() {
+ check_sshpass
+
+ if [ "$BUILD_ONLY" = true ]; then
+ build_project
+ exit 0
+ fi
+
+ if [ "$CONFIG_ONLY" = true ]; then
+ config_nginx
+ exit 0
+ fi
+
+ if [ "$SKIP_CONFIRM" = false ]; then
+ confirm_deploy
+ fi
+
+ build_project
+ deploy_to_server
+ config_nginx
+ test_deployment
+ show_results
+}
+
+# 错误处理
+trap 'echo "❌ 部署过程中出现错误,请检查输出信息"; exit 1' ERR
+
+# 执行部署
+main
diff --git a/jiao77.cn.nginx.conf b/jiao77.cn.nginx.conf
new file mode 100644
index 0000000..ea30eb6
--- /dev/null
+++ b/jiao77.cn.nginx.conf
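Review bot: The root password is committed in clear text in the `PASSWORD=` assignment near the top of the hunk and then handed to every `sshpass -p "${PASSWORD}"` call in deploy_to_server and config_nginx as a command-line argument, which makes it readable by any local user's process listing and by anyone who can read this repository's history; it should be treated as compromised and rotated. Read it from the environment instead, e.g. `: "${SSHPASS:?set SSHPASS in the environment}"` and `sshpass -e ssh ...` (or, better, key-based authentication with no sshpass at all). Every ssh/scp/rsync invocation also passes `-o StrictHostKeyChecking=no`, which disables host-key verification and so lets an impersonated server receive the credential; pin the host key in known_hosts and drop that option, or at minimum use `-o StrictHostKeyChecking=accept-new`. Smaller issues: the scp fallback's `cd dist` has no `|| exit` despite `set -e` not covering it inside the `if`, `tar -czf ../deploy-temp.tar.gz *` skips dotfiles, and `${USERNAME}@${SERVER_IP}` is unquoted throughout.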
@@ -0,0 +1,521 @@
+############################################################
+# Nginx 服务器配置(jiao77.cn)- HTTPS 完全版
+# 支持多个子域名 HTTPS
+#
+# 域名列表:
+# - jiao77.cn (主站) + www.jiao77.cn
+# - ai.jiao77.cn (AI 服务)
+# - aliyun.jiao77.cn (阿里云服务)
+# - gitea.jiao77.cn (Gitea 代码托管)
+#
+# SSL 证书:Let's Encrypt 自动申请并配置
+############################################################
+
+# ==========================================
+# HTTP 重定向到 HTTPS (主站)
+# ==========================================
+server {
+ listen 80;
+ server_name jiao77.cn www.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (AI)
+# ==========================================
+server {
+ listen 80;
+ server_name ai.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (阿里云)
+# ==========================================
+server {
+ listen 80;
+ server_name aliyun.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (Gitea)
+# ==========================================
+server {
+ listen 80;
+ server_name gitea.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (QNas)
+# ==========================================
+server {
+ listen 80;
+ server_name qnas.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (Ollama API)
+# ==========================================
+server {
+ listen 80;
+ server_name ollama.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (WebDev WebDAV)
+# ==========================================
+server {
+ listen 80;
+ server_name webdev.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (AList)
+# ==========================================
+server {
+ listen 80;
+ server_name alist.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (Upsnap)
+# ==========================================
+server {
+ listen 80;
+ server_name upsnap.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (SunPanel)
+# ==========================================
+server {
+ listen 80;
+ server_name sunpanel.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (AudioBook)
+# ==========================================
+server {
+ listen 80;
+ server_name audiobook.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (Divination)
+# ==========================================
+server {
+ listen 80;
+ server_name divination.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTPS 主站配置 (jiao77.cn + www.jiao77.cn)
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name jiao77.cn www.jiao77.cn;
+
+ # SSL 证书 (Let's Encrypt)
+ ssl_certificate /etc/letsencrypt/live/jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ root /var/www/jiao77.cn;
+ index index.html;
+
+ # 安全头
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+ # 日志
+ access_log /var/log/nginx/jiao77-access.log;
+ error_log /var/log/nginx/jiao77-error.log;
+
+ # Gzip 压缩
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 1024;
+ gzip_proxied any;
+ gzip_types text/plain text/css text/xml text/javascript application/javascript application/json application/xml+rss application/atom+xml image/svg+xml;
+
+ # 静态资源缓存 (30天)
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|otf|webp)$ {
+ expires 30d;
+ add_header Cache-Control "public, immutable, max-age=2592000";
+ }
+
+ # HTML 不缓存
+ location ~* \.html$ {
+ expires -1;
+ add_header Cache-Control "no-store, no-cache, must-revalidate";
+ }
+
+ # SPA 路由支持
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ # 禁止访问敏感文件
+ location ~ /\.(?!well-known).* { deny all; }
+ location ~* \.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])$ { deny all; }
+}
+
+# ==========================================
+# HTTPS AI 服务配置 (ai.jiao77.cn)
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name ai.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/ai.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ai.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ root /var/www/jiao77.cn;
+ index index.html;
+
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+
+ access_log /var/log/nginx/ai-access.log;
+ error_log /var/log/nginx/ai-error.log;
+
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+}
+
+# ==========================================
+# HTTPS 阿里云配置 (aliyun.jiao77.cn)
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name aliyun.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/aliyun.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/aliyun.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ root /var/www/jiao77.cn;
+ index index.html;
+
+ access_log /var/log/nginx/aliyun-access.log;
+ error_log /var/log/nginx/aliyun-error.log;
+
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+}
+
+# ==========================================
+# HTTPS Gitea 配置 (gitea.jiao77.cn)
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name gitea.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/gitea.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/gitea.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ # Gitea 反向代理 (转发到 10.126.126.2:3012)
+ location / {
+ proxy_pass http://10.126.126.2:3012/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket 支持
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ access_log /var/log/nginx/gitea-access.log;
+ error_log /var/log/nginx/gitea-error.log;
+}
+
+# ==========================================
+# HTTPS QNas 配置 (qnas.jiao77.cn) - 反向代理到 10.126.126.2:5666
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name qnas.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/qnas.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/qnas.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ # 反向代理到 10.126.126.2:5666
+ location / {
+ proxy_pass http://10.126.126.2:5666/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket 支持
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ access_log /var/log/nginx/qnas-access.log;
+ error_log /var/log/nginx/qnas-error.log;
+}
+
+# ==========================================
+# HTTPS Ollama API 配置 (ollama.jiao77.cn) - 反向代理到 10.126.126.8:11435
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name ollama.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/ollama.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/ollama.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ # Ollama API 反向代理
+ location / {
+ proxy_pass http://10.126.126.8:11435/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # API 特殊配置
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_buffering off;
+ proxy_read_timeout 300s;
+ }
+
+ access_log /var/log/nginx/ollama-access.log;
+ error_log /var/log/nginx/ollama-error.log;
+}
+
+# ==========================================
+# HTTPS WebDev WebDAV 配置 (webdev.jiao77.cn) - 反向代理到 10.126.126.2:5006
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name webdev.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/webdev.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/webdev.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ # WebDAV 反向代理
+ location / {
+ proxy_pass https://10.126.126.2:5006/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebDAV 需要的方法
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+
+ # 保持 WebDAV 方法
+ proxy_pass_request_headers on;
+ }
+
+ access_log /var/log/nginx/webdev-access.log;
+ error_log /var/log/nginx/webdev-error.log;
+}
+
+# ==========================================
+# HTTPS AList 配置 (alist.jiao77.cn) - 反向代理到 10.126.126.2:5244
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name alist.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/alist.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/alist.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ # AList 反向代理
+ location / {
+ proxy_pass http://10.126.126.2:5244/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # AList WebSocket 支持
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ access_log /var/log/nginx/alist-access.log;
+ error_log /var/log/nginx/alist-error.log;
+}
+
+# ==========================================
+# HTTPS Upsnap 配置 (upsnap.jiao77.cn) -> 10.126.126.2:8090
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name upsnap.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/upsnap.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/upsnap.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ location / {
+ proxy_pass http://10.126.126.2:8090/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ access_log /var/log/nginx/upsnap-access.log;
+ error_log /var/log/nginx/upsnap-error.log;
+}
+
+# ==========================================
+# HTTPS SunPanel 配置 (sunpanel.jiao77.cn) -> 10.126.126.2:13002
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name sunpanel.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/sunpanel.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/sunpanel.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ location / {
+ proxy_pass http://10.126.126.2:13002/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ access_log /var/log/nginx/sunpanel-access.log;
+ error_log /var/log/nginx/sunpanel-error.log;
+}
+
+# ==========================================
+# HTTPS AudioBook 配置 (audiobook.jiao77.cn) -> 10.126.126.2:1081
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name audiobook.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/audiobook.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/audiobook.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ location / {
+ proxy_pass http://10.126.126.2:1081/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ access_log /var/log/nginx/audiobook-access.log;
+ error_log /var/log/nginx/audiobook-error.log;
+}
+
+# ==========================================
+# HTTPS Divination 配置 (divination.jiao77.cn) -> 10.126.126.2:5001
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name divination.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/divination.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/divination.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ location / {
+ proxy_pass http://10.126.126.2:5001/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ access_log /var/log/nginx/divination-access.log;
+ error_log /var/log/nginx/divination-error.log;
+}
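Review bot: In the jiao77.cn server block, the `add_header Cache-Control ...` lines inside `location ~* \.(js|css|...)$` and `location ~* \.html$` silently drop the server-level headers for those responses, because nginx inherits `add_header` from the enclosing level only when the current level declares none; Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options and Referrer-Policy are therefore sent only for the `location /` fallback, not for any static asset or HTML page. Move the security headers into a small snippet file and `include` it in every location that sets its own `add_header`, or repeat them in those two locations. Separately, the ollama.jiao77.cn block proxies the API to `10.126.126.8:11435` with no `auth_basic`, `allow` or `deny`, and the other reverse proxies likewise rely entirely on whatever authentication the upstream enforces; where an upstream has none, add access control at the proxy layer. The webdev block's `proxy_pass https://10.126.126.2:5006/` also leaves upstream certificate verification at nginx's default (off) — consider `proxy_ssl_verify on` with `proxy_ssl_trusted_certificate` if that backend presents a verifiable certificate.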