From c71a5f81003089b912852bc0e9a47fe8b0481aa0 Mon Sep 17 00:00:00 2001
From: Jiao77
Date: Wed, 28 Jan 2026 10:58:15 +0800
Subject: [PATCH] update nginx deploy scripts

---
 jiao77.cn.nginx.conf | 156 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 156 insertions(+)

diff --git a/jiao77.cn.nginx.conf b/jiao77.cn.nginx.conf
index ea30eb6..36003e5 100644
--- a/jiao77.cn.nginx.conf
+++ b/jiao77.cn.nginx.conf
@@ -119,6 +119,42 @@ server {
 return 301 https://$server_name$request_uri;
 }
 
+# ==========================================
+# HTTP 重定向到 HTTPS (Halo)
+# ==========================================
+server {
+ listen 80;
+ server_name halo.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (WordPress)
+# ==========================================
+server {
+ listen 80;
+ server_name wp.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (Blog) - 待配置
+# ==========================================
+server {
+ listen 80;
+ server_name blog.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
+# ==========================================
+# HTTP 重定向到 HTTPS (salary)
+# ==========================================
+server {
+ listen 80;
+ server_name salary.jiao77.cn;
+ return 301 https://$server_name$request_uri;
+}
+
 # ==========================================
 # HTTPS 主站配置 (jiao77.cn + www.jiao77.cn)
 # ==========================================
@@ -519,3 +555,123 @@ server {
 access_log /var/log/nginx/divination-access.log;
 error_log /var/log/nginx/divination-error.log;
 }
+
+# ==========================================
+# HTTPS Halo 配置 (halo.jiao77.cn) -> 10.126.126.2:8083
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name halo.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/halo.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/halo.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ # Halo 反向代理
+ location / {
+ proxy_pass http://10.126.126.2:8083/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WebSocket 支持
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ access_log /var/log/nginx/halo-access.log;
+ error_log /var/log/nginx/halo-error.log;
+}
+
+# ==========================================
+# HTTPS WordPress 配置 (wp.jiao77.cn) -> 10.126.126.2:8080
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name wp.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/wp.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/wp.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ # WordPress 反向代理
+ location / {
+ proxy_pass http://10.126.126.2:8080/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # WordPress 需要
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+ access_log /var/log/nginx/wp-access.log;
+ error_log /var/log/nginx/wp-error.log;
+}
+
+# ==========================================
+# HTTPS Blog 配置 (blog.jiao77.cn) - 待配置
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name blog.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/blog.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/blog.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ # 待配置 - 当前返回 503
+ location / {
+ return 503 "Service not configured";
+ }
+
+ access_log /var/log/nginx/blog-access.log;
+ error_log /var/log/nginx/blog-error.log;
+}
+
+# ==========================================
+# HTTPS Salary 配置 (salary.jiao77.cn) -> 10.126.126.2:5053
+# ==========================================
+server {
+ listen 443 ssl http2;
+ server_name salary.jiao77.cn;
+
+ ssl_certificate /etc/letsencrypt/live/salary.jiao77.cn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/salary.jiao77.cn/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ # 反向代理到 10.126.126.2:5053
+ location / {
+ proxy_pass http://10.126.126.2:5053/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ access_log /var/log/nginx/salary-access.log;
+ error_log /var/log/nginx/salary-error.log;
+}
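Review bot: The `salary.jiao77.cn` server block forwards every request to `10.126.126.2:5053` with no access restriction at the proxy; its `location /` has no `allow`/`deny` or `auth_basic`, so any authentication lives entirely in the backend, which this diff does not show. If the service holds payroll data, as the name suggests, restrict it by source network or add an authentication layer in this block. In the halo, wp and salary blocks `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever header the client sent, so a backend that trusts the first entry records a client-chosen address; if this nginx is the outermost proxy, `proxy_set_header X-Forwarded-For $remote_addr;` avoids that. The `blog.jiao77.cn` block is marked 待配置 yet already points at `/etc/letsencrypt/live/blog.jiao77.cn/`; if that certificate has not been issued, the configuration test fails and the other sites in this file cannot be reloaded until it is fixed.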