worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; # 限制body大小 client_max_body_size 100m; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; upstream ultra_api_server { ip_hash; # gateway 地址(HTTPS端口443显式配置) server qdintc.com:443; # server 127.0.0.1:8081; } server { listen 80; server_name localhost; # 核心新增:HTTPS反向代理必备配置(解决502错误,必须加) proxy_ssl_verify off; # 跳过SSL证书验证(自签名/内网证书必加,公网证书可保留) proxy_ssl_server_name on; # 启用SNI扩展(HTTPS代理强制要求,否则无法正常握手) proxy_ssl_protocols TLSv1.2 TLSv1.3; # 限定安全的HTTPS协议版本,避免低版本漏洞 # https配置参考 start #listen 443 ssl; # 证书直接存放 /docker/nginx/cert/ 目录下即可 更改证书名称即可 无需更改证书路径 #ssl on; #ssl_certificate /etc/nginx/cert/xxx.local.crt; # /etc/nginx/cert/ 为docker映射路径 不允许更改 #ssl_certificate_key /etc/nginx/cert/xxx.local.key; # /etc/nginx/cert/ 为docker映射路径 不允许更改 #ssl_session_timeout 5m; #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl_prefer_server_ciphers on; # https配置参考 end # 演示环境配置 拦截除 GET POST 之外的所有请求 # if ($request_method !~* GET|POST) { # rewrite ^/(.*)$ /403; # } # location = /403 { # default_type application/json; # return 200 '{"msg":"演示模式,不允许操作","code":500}'; # } # 限制外网访问内网 actuator 相关路径 location ~ ^(/[^/]*)?/actuator.*(/.*)?$ { return 403; } location / { root /usr/share/nginx/html; # docker映射路径 不允许更改 try_files $uri $uri/ /index.html; index index.html index.htm; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header REMOTE-HOST $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /ultra-api/ { # 1. 处理OPTIONS预检请求:直接返回204,无需转发到后端(跨域必备) if ($request_method = OPTIONS) { return 204; } # 2. WebSocket必备配置(保留原有,无需修改) proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # 3. 路径重写:移除/ultra-api/前缀,消除双斜杠(保留原有,核心) rewrite ^/ultra-api/(.*) /$1 break; # 4. 反向代理:指向上游服务,结尾/保证路径拼接无重复(消除双斜杠) proxy_pass https://ultra_api_server/; # 5. 基础反向代理头(保留原有,保证上游获取真实客户端信息) proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header REMOTE-HOST $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # 6. 核心CORS跨域允许配置(解决前端拦截问题,重点!) add_header Access-Control-Allow-Origin * always; # 你的前端源站,必须指定具体地址(比*安全) add_header Access-Control-Allow-Methods 'GET,POST,PUT,DELETE,OPTIONS' always; # 允许前端的请求方法 add_header Access-Control-Allow-Headers 'Content-Type,Authorization,Token,X-Requested-With' always; # 允许前端的自定义请求头(根据实际需求补充) # add_header Access-Control-Allow-Credentials true always; # 允许跨域携带Cookie/Token(登录必备) add_header Access-Control-Max-Age 3600 always; # 预检请求缓存时间(1小时,减少OPTIONS请求) } location /file/ { rewrite ^/file/(.*) /$1 break; proxy_pass http://140.249.24.92:9000; } location /model/ { rewrite ^/model/(.*) /$1 break; proxy_pass http://140.249.24.92:3101; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } }