Some checks failed
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Failing after 2m25s
CD Pipeline / build-and-deploy (push) Has been skipped
CD Pipeline / post-deploy-checks (push) Has been skipped
201 lines
7.3 KiB
Plaintext
201 lines
7.3 KiB
Plaintext
# =============================================================================
|
||
# AWOOOI Nginx Reverse Proxy Configuration
|
||
# =============================================================================
|
||
# 域名: awoooi.wooo.work
|
||
# 用途: 新版前端 + API Gateway 反向代理
|
||
# 負責人: CIO (CIO-002)
|
||
# 日期: 2026-03-21
|
||
#
|
||
# 後端架構:
|
||
# - 前端 (Next.js): K3s NodePort 192.168.0.120:32335
|
||
# - API (FastAPI): K3s NodePort 192.168.0.120:32334
|
||
#
|
||
# ⚠️ 警告: 絕對不允許出現 Legacy 系統的 Port (31234/31235)
|
||
# =============================================================================
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# Upstream 定義 (K3s NodePort)
|
||
# -----------------------------------------------------------------------------
|
||
upstream awoooi_web {
|
||
server 192.168.0.120:32335;
|
||
keepalive 32;
|
||
}
|
||
|
||
upstream awoooi_api {
|
||
server 192.168.0.120:32334;
|
||
keepalive 64;
|
||
}
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# HTTP → HTTPS 重導向
|
||
# -----------------------------------------------------------------------------
|
||
server {
|
||
listen 80;
|
||
listen [::]:80;
|
||
server_name awoooi.wooo.work;
|
||
|
||
# Let's Encrypt ACME Challenge
|
||
location /.well-known/acme-challenge/ {
|
||
root /var/www/certbot;
|
||
}
|
||
|
||
# 強制 HTTPS
|
||
location / {
|
||
return 301 https://$host$request_uri;
|
||
}
|
||
}
|
||
|
||
# -----------------------------------------------------------------------------
|
||
# HTTPS 主配置
|
||
# -----------------------------------------------------------------------------
|
||
server {
|
||
listen 443 ssl http2;
|
||
listen [::]:443 ssl http2;
|
||
server_name awoooi.wooo.work;
|
||
|
||
# =========================================================================
|
||
# SSL 配置 (Let's Encrypt)
|
||
# =========================================================================
|
||
ssl_certificate /etc/letsencrypt/live/awoooi.wooo.work/fullchain.pem;
|
||
ssl_certificate_key /etc/letsencrypt/live/awoooi.wooo.work/privkey.pem;
|
||
ssl_session_timeout 1d;
|
||
ssl_session_cache shared:SSL:50m;
|
||
ssl_session_tickets off;
|
||
|
||
# Modern SSL 配置 (TLS 1.2+)
|
||
ssl_protocols TLSv1.2 TLSv1.3;
|
||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||
ssl_prefer_server_ciphers off;
|
||
|
||
# HSTS (2 年)
|
||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||
|
||
# =========================================================================
|
||
# 安全 Headers
|
||
# =========================================================================
|
||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||
add_header X-Content-Type-Options "nosniff" always;
|
||
add_header X-XSS-Protection "1; mode=block" always;
|
||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||
|
||
# =========================================================================
|
||
# 通用 Proxy 設定
|
||
# =========================================================================
|
||
proxy_http_version 1.1;
|
||
proxy_set_header Host $host;
|
||
proxy_set_header X-Real-IP $remote_addr;
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
proxy_set_header X-Forwarded-Proto $scheme;
|
||
proxy_set_header X-Forwarded-Host $host;
|
||
proxy_set_header X-Forwarded-Port $server_port;
|
||
|
||
# L0 public maintenance fallback:攔截 upstream 502/503/504,
|
||
# 避免主機或 K3s rollout 期間把 Nginx raw 5xx 直接給使用者。
|
||
proxy_intercept_errors on;
|
||
|
||
# =========================================================================
|
||
# API 路由 (/api/)
|
||
# =========================================================================
|
||
# 標準 REST API
|
||
location /api/ {
|
||
proxy_pass http://awoooi_api;
|
||
proxy_connect_timeout 60s;
|
||
proxy_send_timeout 60s;
|
||
proxy_read_timeout 60s;
|
||
|
||
# Connection 重用
|
||
proxy_set_header Connection "";
|
||
}
|
||
|
||
# -------------------------------------------------------------------------
|
||
# SSE 端點專用配置 (Server-Sent Events)
|
||
# -------------------------------------------------------------------------
|
||
# /api/v1/dashboard/stream - 戰情室即時串流
|
||
# /api/v1/agent/thinking - AI 思考過程串流
|
||
location ~ ^/api/v1/(dashboard/stream|agent/thinking) {
|
||
proxy_pass http://awoooi_api;
|
||
|
||
# SSE 必要設定: 禁用緩衝
|
||
proxy_buffering off;
|
||
proxy_cache off;
|
||
|
||
# SSE 長連線 (24 小時)
|
||
proxy_read_timeout 86400s;
|
||
proxy_send_timeout 86400s;
|
||
|
||
# 保持連線
|
||
proxy_set_header Connection "";
|
||
|
||
# 禁用 gzip (SSE 不需要壓縮)
|
||
gzip off;
|
||
|
||
# Chunked Transfer Encoding
|
||
chunked_transfer_encoding on;
|
||
}
|
||
|
||
# -------------------------------------------------------------------------
|
||
# WebSocket 端點 (預留)
|
||
# -------------------------------------------------------------------------
|
||
location /api/v1/ws {
|
||
proxy_pass http://awoooi_api;
|
||
|
||
# WebSocket 升級
|
||
proxy_set_header Upgrade $http_upgrade;
|
||
proxy_set_header Connection "upgrade";
|
||
|
||
# WebSocket 長連線
|
||
proxy_read_timeout 86400s;
|
||
proxy_send_timeout 86400s;
|
||
}
|
||
|
||
# =========================================================================
|
||
# 前端路由 (/)
|
||
# =========================================================================
|
||
location / {
|
||
proxy_pass http://awoooi_web;
|
||
proxy_connect_timeout 60s;
|
||
proxy_send_timeout 60s;
|
||
proxy_read_timeout 60s;
|
||
|
||
# Connection 重用
|
||
proxy_set_header Connection "";
|
||
}
|
||
|
||
# -------------------------------------------------------------------------
|
||
# Next.js 靜態資源快取
|
||
# -------------------------------------------------------------------------
|
||
location /_next/static/ {
|
||
proxy_pass http://awoooi_web;
|
||
proxy_cache_valid 200 365d;
|
||
add_header Cache-Control "public, max-age=31536000, immutable";
|
||
}
|
||
|
||
# =========================================================================
|
||
# 健康檢查端點 (Nginx 層級)
|
||
# =========================================================================
|
||
location /nginx-health {
|
||
access_log off;
|
||
return 200 "OK";
|
||
add_header Content-Type text/plain;
|
||
}
|
||
|
||
# =========================================================================
|
||
# Public maintenance fallback
|
||
# =========================================================================
|
||
error_page 502 503 504 /__awoooi-maintenance.html;
|
||
location = /__awoooi-maintenance.html {
|
||
internal;
|
||
root /var/www/maintenance;
|
||
try_files /maintenance.html =503;
|
||
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
||
add_header Retry-After "120" always;
|
||
add_header X-AWOOOI-Fallback "local-maintenance" always;
|
||
}
|
||
|
||
# =========================================================================
|
||
# 日誌配置
|
||
# =========================================================================
|
||
access_log /var/log/nginx/awoooi.wooo.work.access.log;
|
||
error_log /var/log/nginx/awoooi.wooo.work.error.log warn;
|
||
}
|