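############################################################
# Apache reverse-proxy configuration, one sub-domain per service (jiao77.cn)
#
# Rationale:
# - Sub-path proxying breaks static assets, client-side rewrites and WebSockets
#   for many applications; a dedicated sub-domain per service avoids all of that.
# - TLS is terminated once on :443; Apache proxies to services on local ports.
# - The main site jiao77.cn is served as static files from /var/www/jiao77.cn
#   (an earlier revision proxied to a Docker container on port 3001).
# - The API backend runs in a Docker container on port 3000; its proxy block
#   below is currently commented out.
#
# Prerequisites:
# - DNS A/AAAA records for every sub-domain below -> this server's IP.
# - The certificate must cover all sub-domains (wildcard *.jiao77.cn or a SAN
#   certificate listing each host).
# - Modules: ssl headers proxy proxy_http proxy_wstunnel rewrite deflate
#            cache cache_disk expires
#
# Deployment:
# - Place at /etc/apache2/sites-available/jiao77-subdomains.conf
# - sudo a2enmod ssl headers proxy proxy_http proxy_wstunnel rewrite deflate cache cache_disk expires
# - sudo apache2ctl configtest && sudo a2ensite jiao77-subdomains && sudo systemctl reload apache2
#
# NOTE(review): the listing this file was restored from had lost every
# container tag (<VirtualHost>, <Location>, <Directory>, <IfModule>, ...).
# They were reconstructed from context -- confirm against the deployed file.
############################################################

# ---------- Settings shared by every virtual host in this file ----------
# Directives at server scope apply to all <VirtualHost> blocks below unless a
# block overrides them.  Previously only the main site pinned the protocol and
# cipher list; every other sub-domain silently inherited the distribution
# default, which still permits TLS 1.0/1.1 and legacy cipher suites.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# With TLS 1.3 in play, letting the client pick among this AEAD-only list is
# the current Mozilla "intermediate" recommendation.
SSLHonorCipherOrder     off
# Session tickets encrypted with a long-lived server key weaken forward
# secrecy; session-ID resumption still works.
SSLSessionTickets       off

# Never act as a forward proxy -- only the explicit ProxyPass targets below.
ProxyRequests           Off
# Required wherever a backend is reached over https:// (AList below).
SSLProxyEngine          on

# Baseline response headers for every host.  HSTS with includeSubDomains
# covers *.jiao77.cn, but a browser whose first visit is to gitea.jiao77.cn
# would never see it if only the apex sent it, so it is emitted everywhere.
# "preload" is a long-lived, hard-to-revoke commitment for the whole zone:
# keep it only if every present and future sub-domain will always be HTTPS.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"

# ============ Main site (static files) ============
<VirtualHost *:80>
    ServerName  jiao77.cn
    ServerAlias www.jiao77.cn
    # Everything on :80 is a permanent redirect to the canonical https origin.
    # If ACME http-01 challenges are used, exempt /.well-known/acme-challenge/
    # before this rule.
    RewriteEngine On
    RewriteRule ^/(.*)$ https://jiao77.cn/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName  jiao77.cn
    ServerAlias www.jiao77.cn

    SSLEngine on
    SSLCertificateFile      /etc/ssl/jiao77/cert.pem
    SSLCertificateKeyFile   /etc/ssl/jiao77/key.pem
    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem

    # Headers specific to the main site (HSTS and nosniff come from server scope).
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "no-referrer-when-downgrade"

    # Proxy settings used by the (currently disabled) API blocks below.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    # Drop any client-supplied X-Forwarded-For so the backend cannot be fed a
    # spoofed client address; mod_proxy then appends the real REMOTE_ADDR as
    # the only entry.  If Apache itself sits behind another proxy/CDN, use
    # mod_remoteip here instead of forwarding the upstream header blindly.
    RequestHeader unset X-Forwarded-For

    # Cache policy (virtual-host scope).  CacheIgnoreHeaders is not permitted
    # inside <Location>, so it lives here and applies to the blocks below.
    # It strips Set-Cookie from stored responses so one user's session cookie
    # is never replayed to another user from the cache.
    CacheIgnoreHeaders Set-Cookie

    # ============ API backend proxy (disabled; uncomment when needed) ============
    # Health check, excluded from the access log via env=!no-log on CustomLog.
    # <Location /health>
    #     ProxyPass        http://127.0.0.1:3000/health
    #     ProxyPassReverse http://127.0.0.1:3000/health
    #     SetEnv no-log 1
    # </Location>
    #
    # API endpoints.  <Location> with a trailing slash on both sides keeps the
    # path mapping exact.
    # <Location /api/>
    #     ProxyPass        http://127.0.0.1:3000/api/
    #     ProxyPassReverse http://127.0.0.1:3000/api/
    #
    #     # API response cache (10 minutes).
    #     # WARNING: mod_cache keys on the URL, not on the user.  A per-user
    #     # response to a cookie-authenticated request would be stored and
    #     # replayed to other users for up to 600 s unless the backend marks it
    #     # "Cache-Control: private" or "no-store".  CacheIgnoreHeaders only
    #     # removes the Set-Cookie header, not the body.  Enable this only once
    #     # the backend sets those headers on every non-public endpoint (the
    #     # built-in Authorization-header exemption does not cover cookie auth).
    #     CacheEnable disk
    #     CacheHeader on
    #     CacheDefaultExpire 600
    #     CacheMaxExpire 600
    # </Location>

    # ============ Front-end application (default) ============
    # Served directly as static files; the Docker container is no longer used.
    DocumentRoot /var/www/jiao77.cn
    DirectoryIndex index.html

    <Directory /var/www/jiao77.cn>
        Options -Indexes +FollowSymLinks
        # .htaccess is honoured (typically needed for SPA fallback rewrites).
        # Anyone who can write to the document root can therefore alter server
        # configuration; switch to "AllowOverride None" if no .htaccess exists.
        AllowOverride All
        Require all granted

        # Long-lived caching only for static assets.  index.html is deliberately
        # excluded: marking it "immutable" for 30 days would hide every new
        # deployment from returning clients.  Extend the pattern if the build
        # emits other asset types -- confirm against the deployed site.
        <FilesMatch "\.(?:css|js|mjs|map|png|jpe?g|gif|svg|webp|ico|woff2?|ttf|eot)$">
            ExpiresActive On
            ExpiresDefault "access plus 30 days"
            Header set Cache-Control "public, max-age=2592000, immutable"
        </FilesMatch>
    </Directory>

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
        AddOutputFilterByType DEFLATE application/javascript application/json
        AddOutputFilterByType DEFLATE application/xml application/rss+xml
    </IfModule>

    ErrorLog  ${APACHE_LOG_DIR}/jiao77-main-error.log
    # env=!no-log makes the health-check exemption above effective once enabled.
    CustomLog ${APACHE_LOG_DIR}/jiao77-main-access.log combined env=!no-log
</VirtualHost>

# ============ Gitea ============
<VirtualHost *:80>
    ServerName gitea.jiao77.cn
    RewriteEngine On
    RewriteRule ^/(.*)$ https://gitea.jiao77.cn/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName gitea.jiao77.cn
    SSLEngine on
    SSLCertificateFile      /etc/ssl/jiao77/cert.pem
    SSLCertificateKeyFile   /etc/ssl/jiao77/key.pem
    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem

    ProxyPreserveHost On
    RequestHeader set   X-Forwarded-Proto "https"
    RequestHeader unset X-Forwarded-For
    ProxyPass        / http://127.0.0.1:3012/
    ProxyPassReverse / http://127.0.0.1:3012/

    ErrorLog  ${APACHE_LOG_DIR}/gitea-error.log
    CustomLog ${APACHE_LOG_DIR}/gitea-access.log combined
</VirtualHost>

# ============ AList ============
<VirtualHost *:80>
    ServerName alist.jiao77.cn
    RewriteEngine On
    RewriteRule ^/(.*)$ https://alist.jiao77.cn/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName alist.jiao77.cn
    SSLEngine on
    SSLCertificateFile      /etc/ssl/jiao77/cert.pem
    SSLCertificateKeyFile   /etc/ssl/jiao77/key.pem
    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem

    ProxyPreserveHost On
    RequestHeader set   X-Forwarded-Proto "https"
    RequestHeader unset X-Forwarded-For

    # The AList backend listens on https://127.0.0.1:52443; if the container is
    # plain HTTP, change both targets to http://127.0.0.1:<port>/.
    # SSLProxyEngine is repeated here so this host does not depend on the
    # server-scope setting above.  If Apache rejects the backend certificate
    # (a self-signed cert on 127.0.0.1 is the usual cause), the loopback-only
    # workaround is "SSLProxyVerify none" + "SSLProxyCheckPeerName off" --
    # never copy that to a backend on another machine; pin its CA with
    # SSLProxyCACertificateFile instead.
    SSLProxyEngine on
    ProxyPass        / https://127.0.0.1:52443/
    ProxyPassReverse / https://127.0.0.1:52443/

    ErrorLog  ${APACHE_LOG_DIR}/alist-error.log
    CustomLog ${APACHE_LOG_DIR}/alist-access.log combined
</VirtualHost>

# ============ Q-Nas ============
<VirtualHost *:80>
    ServerName qnas.jiao77.cn
    RewriteEngine On
    RewriteRule ^/(.*)$ https://qnas.jiao77.cn/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName qnas.jiao77.cn
    SSLEngine on
    SSLCertificateFile      /etc/ssl/jiao77/cert.pem
    SSLCertificateKeyFile   /etc/ssl/jiao77/key.pem
    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem

    ProxyPreserveHost On
    RequestHeader set   X-Forwarded-Proto "https"
    RequestHeader unset X-Forwarded-For
    ProxyPass        / http://127.0.0.1:5666/
    ProxyPassReverse / http://127.0.0.1:5666/

    ErrorLog  ${APACHE_LOG_DIR}/qnas-error.log
    CustomLog ${APACHE_LOG_DIR}/qnas-access.log combined
</VirtualHost>

# ============ nuc-Nas ============
<VirtualHost *:80>
    ServerName nucnas.jiao77.cn
    RewriteEngine On
    RewriteRule ^/(.*)$ https://nucnas.jiao77.cn/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName nucnas.jiao77.cn
    SSLEngine on
    SSLCertificateFile      /etc/ssl/jiao77/cert.pem
    SSLCertificateKeyFile   /etc/ssl/jiao77/key.pem
    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem

    ProxyPreserveHost On
    RequestHeader set   X-Forwarded-Proto "https"
    RequestHeader unset X-Forwarded-For
    ProxyPass        / http://127.0.0.1:56661/
    ProxyPassReverse / http://127.0.0.1:56661/

    ErrorLog  ${APACHE_LOG_DIR}/nucnas-error.log
    CustomLog ${APACHE_LOG_DIR}/nucnas-access.log combined
</VirtualHost>

# ============ RAGflow ============
<VirtualHost *:80>
    ServerName ragflow.jiao77.cn
    RewriteEngine On
    RewriteRule ^/(.*)$ https://ragflow.jiao77.cn/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName ragflow.jiao77.cn
    SSLEngine on
    SSLCertificateFile      /etc/ssl/jiao77/cert.pem
    SSLCertificateKeyFile   /etc/ssl/jiao77/key.pem
    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem

    ProxyPreserveHost On
    RequestHeader set   X-Forwarded-Proto "https"
    RequestHeader unset X-Forwarded-For
    ProxyPass        / http://127.0.0.1:28081/
    ProxyPassReverse / http://127.0.0.1:28081/

    ErrorLog  ${APACHE_LOG_DIR}/ragflow-error.log
    CustomLog ${APACHE_LOG_DIR}/ragflow-access.log combined
</VirtualHost>

# ============ Open WebUI ============
<VirtualHost *:80>
    ServerName ai.jiao77.cn
    RewriteEngine On
    RewriteRule ^/(.*)$ https://ai.jiao77.cn/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName ai.jiao77.cn
    SSLEngine on
    SSLCertificateFile      /etc/ssl/jiao77/cert.pem
    SSLCertificateKeyFile   /etc/ssl/jiao77/key.pem
    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem

    ProxyPreserveHost On
    RequestHeader set   X-Forwarded-Proto "https"
    RequestHeader unset X-Forwarded-For

    # ProxyPass rules are tried in configuration order and the first match
    # wins, so the WebSocket rule must precede the catch-all "/" (it used to
    # come after it and was never reached).  Adjust the /ws prefix to whatever
    # path the application actually upgrades on.  On Apache >= 2.4.47 the
    # single rule "ProxyPass / http://127.0.0.1:38080/ upgrade=websocket"
    # handles both HTTP and WebSocket traffic and can replace all four lines.
    ProxyPass        /ws ws://127.0.0.1:38080/ws
    ProxyPassReverse /ws ws://127.0.0.1:38080/ws
    ProxyPass        / http://127.0.0.1:38080/
    ProxyPassReverse / http://127.0.0.1:38080/

    ErrorLog  ${APACHE_LOG_DIR}/ai-error.log
    CustomLog ${APACHE_LOG_DIR}/ai-access.log combined
</VirtualHost>

# ============ Navidrome ============
<VirtualHost *:80>
    ServerName music.jiao77.cn
    RewriteEngine On
    RewriteRule ^/(.*)$ https://music.jiao77.cn/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName music.jiao77.cn
    SSLEngine on
    SSLCertificateFile      /etc/ssl/jiao77/cert.pem
    SSLCertificateKeyFile   /etc/ssl/jiao77/key.pem
    SSLCertificateChainFile /etc/ssl/jiao77/chain.pem

    ProxyPreserveHost On
    RequestHeader set   X-Forwarded-Proto "https"
    RequestHeader unset X-Forwarded-For
    ProxyPass        / http://127.0.0.1:45332/
    ProxyPassReverse / http://127.0.0.1:45332/

    ErrorLog  ${APACHE_LOG_DIR}/music-error.log
    CustomLog ${APACHE_LOG_DIR}/music-access.log combined
</VirtualHost>

# ============ Disk cache storage (server scope) ============
# Only used by a CacheEnable directive; none is active while the API block
# above stays commented out.  The cache directory must be writable by the
# Apache user and should not be world-readable, since cached bodies may
# contain non-public responses.
<IfModule mod_cache_disk.c>
    CacheRoot        /var/cache/apache2/jiao77
    CacheDirLevels   2
    CacheDirLength   1
    CacheMaxFileSize 10000000
    CacheMinFileSize 1
    CacheReadSize    0
    CacheReadTime    3000
</IfModule>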