feat(nginx): Add configuration for dev.aigc-quickapp.com with SSL and WebSocket support

This commit introduces a new Nginx configuration file for the development environment of the AIGC QuickApp. It includes settings for SSL, HTTP to HTTPS redirection, WebSocket support, and various security headers. Additionally, it implements rate limiting and error handling for improved performance and security.
2026-01-22 09:05:21 +08:00
parent 266f810508
commit e263f3bd58
2 changed files with 180 additions and 0 deletions


@@ -0,0 +1,178 @@
proxy_cache_path /www/dk_project/sites/dev.aigc-quickapp.com/proxy_cache_dir levels=1:2 keys_zone=dev_aigc-quickapp_com_cache:20m inactive=1d max_size=5g;
# 连接升级变量,避免 $connection_upgrade 未定义(用于 WebSocket
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# 轻量限速/并发控制(全局定义,按需调整阈值)
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
# HTTP -> HTTPS 跳转独立 server避免与业务混配
server {
listen 80;
server_name dev.aigc-quickapp.com;
return 301 https://$host$request_uri;
}
server {
listen 443 quic;
listen 443 ssl;
http2 on;
server_name dev.aigc-quickapp.com;
index index.php index.html index.htm default.php default.htm default.html;
root /www/dk_project/wwwroot/dev.aigc-quickapp.com;
#CERT-APPLY-CHECK--START
# 用于SSL证书申请时的文件验证相关配置 -- 请勿删除
include /www/server/panel/vhost/nginx/well-known/dev.aigc-quickapp.com.conf;
#CERT-APPLY-CHECK--END
#SSL-START SSL相关配置请勿删除或修改下一行带注释的404规则
#error_page 404/404.html;
ssl_certificate /www/server/panel/vhost/cert/dev.aigc-quickapp.com/fullchain.pem;
ssl_certificate_key /www/server/panel/vhost/cert/dev.aigc-quickapp.com/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # 暂保留 TLSv1.1 兼容老端,后续可下线
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
# CSP 先以 Report-Only 方式上线,避免误杀;按前端依赖逐步收紧
add_header Content-Security-Policy-Report-Only "default-src 'self' data: blob:; img-src * data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: blob:; style-src 'self' 'unsafe-inline' https:; connect-src *; font-src 'self' data: https:; frame-ancestors 'self';" always;
server_tokens off;
error_page 497 https://$host$request_uri;
#SSL-END
#REDIRECT START
#REDIRECT END
#ERROR-PAGE-START 错误页配置,可以注释、删除或修改
error_page 404 /404.html;
#error_page 502 /502.html;
#ERROR-PAGE-END
#WEBSOCKET-SUPPORT START
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
#WEBSOCKET-SUPPORT END
# 上传/超时治理(根据业务需要调整大小与时限)
client_max_body_size 100m;
client_body_timeout 15s;
client_header_timeout 10s;
send_timeout 30s;
#PROXY-CONF-START
location ^~ / {
proxy_pass http://127.0.0.1:8050;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Real-Port $remote_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_redirect off;
proxy_buffering off;
proxy_connect_timeout 60s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# 轻量限速:降低扫描/撞库/爆破效率(按需调大/关闭)
limit_req zone=perip burst=20 nodelay;
limit_conn perip_conn 50;
}
#PROXY-CONF-END
#SERVER-BLOCK START
location ~* ^/ws/(.*)$ {
# 先尝试直接转发,不修改路径
proxy_pass http://localhost:8050;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# 禁用缓冲确保WebSocket数据实时传输
proxy_buffering off;
proxy_buffer_size 4k;
proxy_buffers 4 4k;
proxy_busy_buffers_size 4k;
proxy_max_temp_file_size 0;
# 可选设置超时WebSocket 是长连接)
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
# WebSocket 连接数可选限速:如需限制每 IP 并发,解除注释
# limit_conn perip_conn 20;
}
# 可设置server|location等所有server字段
# location /web {
# try_files $uri $uri/ /index.php$is_args$args;
# }
# error_page 404 /diy_404.html;
# 如果反代网站访问异常且这里已经配置了内容,请优先排查此处的配置是否正确
#SERVER-BLOCK END
#禁止访问的文件或目录
location ~ ^/(\.user.ini|\.htaccess|\.git|\.env|\.svn|\.project|LICENSE|README.md) {
return 404;
}
# 追加敏感路径/文件快速阻断
location ~* /(composer\.(json|lock)|package(-lock)?\.json|pnpm-lock\.yaml|yarn\.lock|phpunit\.xml|\.ssh/|id_rsa|id_dsa|\.DS_Store) {
return 404;
}
# 禁止直连 phpinfo/adminer 等常见探测
location ~* /(phpinfo|adminer)\.php$ {
return 404;
}
# 禁止可疑备份/数据库/压缩文件下载(如需放行请删除本段)
location ~* \.(bak|sql|tar|tar\.gz|rar|7z|zip)$ {
return 404;
}
#一键申请SSL证书验证目录相关设置
location /.well-known {
allow all;
}
#禁止在证书验证目录放入敏感文件
if ( $uri ~ "^/\.well-known/.*\.(php|jsp|py|js|css|lua|ts|go|zip|tar\.gz|rar|7z|sql|bak)$" ) {
return 403;
}
#LOG START
access_log /www/wwwlogs/dev.aigc-quickapp.com.log;
error_log /www/wwwlogs/dev.aigc-quickapp.com.error.log;
#LOG END
}
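Review bot: The `location ^~ /` that opens the proxy block suppresses regex matching for every URI except those under `/.well-known` (nginx skips regex locations only when the longest matching prefix carries `^~`, and `/` matches everything), so the `~* ^/ws/` location and every `return 404` block for `.git`, `.env`, lockfiles, `phpinfo.php` and backup archives are dead: those requests are forwarded to 127.0.0.1:8050 instead of being blocked, and WebSocket traffic runs under the 600s proxy timeouts rather than the 86400s ones. Dropping the modifier, `location / {`, restores the intended precedence without changing anything else in the block. Separately, `ssl_protocols` still enables TLSv1.1 and the cipher list carries 3DES and non-ECDHE `RSA+` suites; the comment already marks TLSv1.1 as temporary, so `ssl_protocols TLSv1.2 TLSv1.3;` with the `EECDH+3DES:RSA+3DES` and `RSA+AES*` entries removed would be the expected baseline. The Content-Security-Policy is deployed Report-Only with no `report-uri`/`report-to` directive, so violations are never collected and the staged tightening the comment describes has no feedback loop.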


@@ -2163,6 +2163,8 @@ function log_write(string $message, string $level = 'info', string $filename = '
// 生成日志文件名
if (empty($filename)) {
$filename = date('Y-m-d') . '.log';
} else {
$filename = date('Y-m-d') . '-' . $filename;
}
// 日志文件路径