From e263f3bd58b9fe36fc9035126269221f1a352f48 Mon Sep 17 00:00:00 2001
From: ZF sun <34314687@qq.com>
Date: Thu, 22 Jan 2026 09:05:21 +0800
Subject: [PATCH] feat(nginx): Add configuration for dev.aigc-quickapp.com with SSL and WebSocket support
This commit introduces a new Nginx configuration file for the development environment of the AIGC QuickApp. It includes settings for SSL, HTTP to HTTPS redirection, WebSocket support, and various security headers. Additionally, it implements rate limiting and error handling for improved performance and security.
---
 docs/nginx/dev.aigc-quickapp.com.conf | 178 ++++++++++++++++++++++++++
 src/app/common.php | 2 +
 2 files changed, 180 insertions(+)
 create mode 100644 docs/nginx/dev.aigc-quickapp.com.conf
diff --git a/docs/nginx/dev.aigc-quickapp.com.conf b/docs/nginx/dev.aigc-quickapp.com.conf
new file mode 100644
index 000000000..2d524703f
--- /dev/null
+++ b/docs/nginx/dev.aigc-quickapp.com.conf
@@ -0,0 +1,178 @@
+proxy_cache_path /www/dk_project/sites/dev.aigc-quickapp.com/proxy_cache_dir levels=1:2 keys_zone=dev_aigc-quickapp_com_cache:20m inactive=1d max_size=5g;
+
+# 连接升级变量,避免 $connection_upgrade 未定义(用于 WebSocket)
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+# 轻量限速/并发控制(全局定义,按需调整阈值)
+limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
+limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
+
+# HTTP -> HTTPS 跳转独立 server,避免与业务混配
+server {
+ listen 80;
+ server_name dev.aigc-quickapp.com;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 quic;
+ listen 443 ssl;
+
+ http2 on;
+ server_name dev.aigc-quickapp.com;
+ index index.php index.html index.htm default.php default.htm default.html;
+ root /www/dk_project/wwwroot/dev.aigc-quickapp.com;
+
+
+ #CERT-APPLY-CHECK--START
+ # 用于SSL证书申请时的文件验证相关配置 -- 请勿删除
+ include /www/server/panel/vhost/nginx/well-known/dev.aigc-quickapp.com.conf;
+ #CERT-APPLY-CHECK--END
+
+ #SSL-START SSL相关配置,请勿删除或修改下一行带注释的404规则
+ #error_page 404/404.html;
+ ssl_certificate /www/server/panel/vhost/cert/dev.aigc-quickapp.com/fullchain.pem;
+ ssl_certificate_key /www/server/panel/vhost/cert/dev.aigc-quickapp.com/privkey.pem;
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # 暂保留 TLSv1.1 兼容老端,后续可下线
+ ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+
+ add_header Strict-Transport-Security "max-age=31536000" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
+ # CSP 先以 Report-Only 方式上线,避免误杀;按前端依赖逐步收紧
+ add_header Content-Security-Policy-Report-Only "default-src 'self' data: blob:; img-src * data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: blob:; style-src 'self' 'unsafe-inline' https:; connect-src *; font-src 'self' data: https:; frame-ancestors 'self';" always;
+ server_tokens off;
+ error_page 497 https://$host$request_uri;
+ #SSL-END
+ #REDIRECT START
+
+
+ #REDIRECT END
+ #ERROR-PAGE-START 错误页配置,可以注释、删除或修改
+ error_page 404 /404.html;
+ #error_page 502 /502.html;
+ #ERROR-PAGE-END
+
+ #WEBSOCKET-SUPPORT START
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ #WEBSOCKET-SUPPORT END
+
+ # 上传/超时治理(根据业务需要调整大小与时限)
+ client_max_body_size 100m;
+ client_body_timeout 15s;
+ client_header_timeout 10s;
+ send_timeout 30s;
+
+ #PROXY-CONF-START
+ location ^~ / {
+ proxy_pass http://127.0.0.1:8050;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Real-Port $remote_port;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header REMOTE-HOST $remote_addr;
+ proxy_redirect off;
+
+ proxy_buffering off;
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 600s;
+ proxy_read_timeout 600s;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ # 轻量限速:降低扫描/撞库/爆破效率(按需调大/关闭)
+ limit_req zone=perip burst=20 nodelay;
+ limit_conn perip_conn 50;
+ }
+ #PROXY-CONF-END
+
+ #SERVER-BLOCK START
+ location ~* ^/ws/(.*)$ {
+ # 先尝试直接转发,不修改路径
+ proxy_pass http://localhost:8050;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # 禁用缓冲,确保WebSocket数据实时传输
+ proxy_buffering off;
+ proxy_buffer_size 4k;
+ proxy_buffers 4 4k;
+ proxy_busy_buffers_size 4k;
+ proxy_max_temp_file_size 0;
+
+ # 可选:设置超时(WebSocket 是长连接)
+ proxy_read_timeout 86400s;
+ proxy_send_timeout 86400s;
+
+ # WebSocket 连接数可选限速:如需限制每 IP 并发,解除注释
+ # limit_conn perip_conn 20;
+ }
+ # 可设置server|location等所有server字段,如:
+ # location /web {
+ # try_files $uri $uri/ /index.php$is_args$args;
+ # }
+ # error_page 404 /diy_404.html;
+ # 如果反代网站访问异常且这里已经配置了内容,请优先排查此处的配置是否正确
+
+ #SERVER-BLOCK END
+
+ #禁止访问的文件或目录
+ location ~ ^/(\.user.ini|\.htaccess|\.git|\.env|\.svn|\.project|LICENSE|README.md) {
+ return 404;
+ }
+
+ # 追加敏感路径/文件快速阻断
+ location ~* /(composer\.(json|lock)|package(-lock)?\.json|pnpm-lock\.yaml|yarn\.lock|phpunit\.xml|\.ssh/|id_rsa|id_dsa|\.DS_Store) {
+ return 404;
+ }
+
+ # 禁止直连 phpinfo/adminer 等常见探测
+ location ~* /(phpinfo|adminer)\.php$ {
+ return 404;
+ }
+
+ # 禁止可疑备份/数据库/压缩文件下载(如需放行请删除本段)
+ location ~* \.(bak|sql|tar|tar\.gz|rar|7z|zip)$ {
+ return 404;
+ }
+
+ #一键申请SSL证书验证目录相关设置
+ location /.well-known {
+ allow all;
+ }
+
+ #禁止在证书验证目录放入敏感文件
+ if ( $uri ~ "^/\.well-known/.*\.(php|jsp|py|js|css|lua|ts|go|zip|tar\.gz|rar|7z|sql|bak)$" ) {
+ return 403;
+ }
+
+ #LOG START
+
+ access_log /www/wwwlogs/dev.aigc-quickapp.com.log;
+ error_log /www/wwwlogs/dev.aigc-quickapp.com.error.log;
+
+ #LOG END
+}
\ No newline at end of file
diff --git a/src/app/common.php b/src/app/common.php
index 1cb06d991..ecb780efd 100644
--- a/src/app/common.php
+++ b/src/app/common.php
@@ -2163,6 +2163,8 @@ function log_write(string $message, string $level = 'info', string $filename = '
 // 生成日志文件名
 if (empty($filename)) {
 $filename = date('Y-m-d') . '.log';
+ } else {
+ $filename = date('Y-m-d') . '-' . $filename;
 }
 
 // 日志文件路径
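Review bot: The `location ^~ /` proxy block shadows every regex location that follows it: once the `/` prefix matches, the `^~` modifier makes nginx skip all `~`/`~*` locations, so `location ~* ^/ws/(.*)$` and the four `return 404` deny blocks (`.git`/`.env`/`.htaccess`, composer and lock files, `phpinfo|adminer`, backup and archive extensions) are never selected and those requests are forwarded to the backend on port 8050; only `location /.well-known` (a longer prefix) and the server-level `if` still take effect. Changing the first line to `location / {` keeps the prefix as the fallback while letting the regex locations win, so the deny rules and the dedicated WebSocket block with its 86400s timeouts actually apply. Separately, `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` together with the `EECDH+3DES`, `RSA+3DES`, `RSA+AES128` and `RSA+AES256` entries in `ssl_ciphers` keeps a deprecated protocol, a 64-bit block cipher and non-forward-secret key exchange enabled on a freshly created vhost; `ssl_protocols TLSv1.2 TLSv1.3;` with the static-RSA and 3DES suites removed would be the safer baseline, and the `quic` listener only negotiates TLS 1.3 anyway. Whether the backend on 8050 would serve files such as `.env` cannot be told from this hunk, so the exposure through the shadowed deny blocks is potential rather than confirmed.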
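Review bot: The new `else` branch splices the caller-supplied `$filename` straight into the log file name, so a value containing `/` or `..` would be carried into whatever path is built on the following lines (outside this hunk), and it also drops the `.log` suffix that the default branch applies, producing `2026-01-22-foo` next to `2026-01-22.log`. Reducing the value to a bare file name before prefixing it, `$filename = date('Y-m-d') . '-' . basename($filename);`, closes the traversal case without changing the intended naming; whether callers already pass an extension cannot be seen here, so the suffix mismatch may also need `.log` appended in this branch. `log_write` starts before and continues after this hunk.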