# =============================================================================
# AWOOOI Nginx Reverse Proxy Configuration
# =============================================================================
# 域名: awoooi.wooo.work
# 用途: 新版前端 + API Gateway 反向代理
# 負責人: CIO (CIO-002)
# 日期: 2026-03-21
#
# 後端架構:
# - 前端 (Next.js): K3s NodePort 192.168.0.120:32335
# - API (FastAPI): K3s NodePort 192.168.0.120:32334
#
# ⚠️ 警告: 絕對不允許出現 Legacy 系統的 Port (31234/31235)
# =============================================================================
# -----------------------------------------------------------------------------
# Upstream 定義 (K3s NodePort)
# -----------------------------------------------------------------------------
upstream awoooi_web {
    # Next.js front-end, reached through the K3s NodePort on the cluster node.
    server 192.168.0.120:32335;
    # Idle keepalive connections per worker. Only effective when the proxying
    # location uses proxy_http_version 1.1 and clears the Connection header.
    keepalive 32;
}
upstream awoooi_api {
    # FastAPI gateway, reached through the K3s NodePort on the cluster node.
    server 192.168.0.120:32334;
    # Larger pool than the front-end: API and SSE traffic holds more
    # concurrent upstream connections. Same proxy_http_version 1.1 /
    # empty-Connection requirement as above.
    keepalive 64;
}
# -----------------------------------------------------------------------------
# HTTP → HTTPS 重導向
# -----------------------------------------------------------------------------
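server {
    listen 80;
    listen [::]:80;
    server_name awoooi.wooo.work;

    # Let's Encrypt HTTP-01 challenge must remain reachable over plain HTTP;
    # everything else is redirected below.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Force HTTPS. The redirect target is pinned to the configured host name
    # rather than $host so a client-supplied Host header is never reflected
    # into the Location header (relevant if this block ever acts as the
    # default server for port 80). For requests that carry the expected Host
    # the result is identical.
    location / {
        return 301 https://awoooi.wooo.work$request_uri;
    }
}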
# -----------------------------------------------------------------------------
# HTTPS 主配置
# -----------------------------------------------------------------------------
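server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name awoooi.wooo.work;

    # =========================================================================
    # TLS (Let's Encrypt)
    # =========================================================================
    ssl_certificate     /etc/letsencrypt/live/awoooi.wooo.work/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/awoooi.wooo.work/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Tickets stay off: nginx does not rotate the ticket key on its own, so a
    # long-lived key would weaken forward secrecy for resumed sessions.
    ssl_session_tickets off;

    # TLS 1.2+ with AEAD suites only (ECDHE/DHE, so every suite is forward secret).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # =========================================================================
    # Security headers
    # =========================================================================
    # NOTE: nginx `add_header` is NOT additive across configuration levels. A
    # location that declares even one add_header of its own inherits NONE of
    # the headers below. Every location in this file that uses add_header
    # therefore restates this exact set; keep them in sync when editing.
    #
    # HSTS, 2 years, scoped to this host only (no includeSubDomains/preload).
    # Widen it only once every subdomain of wooo.work is known to serve HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header: current browsers ignore it and OWASP now recommends "0".
    # Kept as-is to preserve existing behaviour; candidate for removal.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # =========================================================================
    # Common proxy settings
    # =========================================================================
    # NOTE: `proxy_set_header` follows the same inheritance rule as add_header:
    # the first proxy_set_header inside a location discards ALL of the headers
    # set here (Host, X-Real-IP, X-Forwarded-*). That is why the keepalive
    # `Connection ""` lives at this level instead of being repeated in each
    # location, and why the WebSocket location below restates the full set.
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends the client address to any client-supplied X-Forwarded-For; the
    # backend must trust only the last (right-most) entry or use X-Real-IP.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
    # Empty Connection header is required for upstream keepalive reuse.
    proxy_set_header Connection "";

    # L0 public maintenance fallback: hand upstream-generated 502/503/504 to the
    # error_page below so users never see a raw 5xx during host or K3s rollouts.
    # A 502 that nginx itself generates (upstream unreachable) goes through
    # error_page regardless of this directive. Caveat: this also replaces any
    # 502/503/504 the application deliberately returns, including JSON error
    # bodies on /api/, with the HTML maintenance page.
    proxy_intercept_errors on;

    # =========================================================================
    # API routes (/api/)
    # =========================================================================
    location /api/ {
        proxy_pass http://awoooi_api;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # No proxy_set_header here on purpose: adding one would drop the
        # server-level forwarding headers (see note above).
    }

    # -------------------------------------------------------------------------
    # Server-Sent Events endpoints
    # -------------------------------------------------------------------------
    # /api/v1/dashboard/stream - war-room live stream
    # /api/v1/agent/thinking   - AI reasoning stream
    # Regex locations take precedence over the /api/ prefix location, so these
    # paths land here even though /api/ also matches.
    location ~ ^/api/v1/(dashboard/stream|agent/thinking) {
        proxy_pass http://awoooi_api;
        # SSE requires unbuffered, uncached, uncompressed responses.
        proxy_buffering off;
        proxy_cache off;
        gzip off;
        chunked_transfer_encoding on;
        # Long-lived stream (24 h).
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
        # Forwarding headers and keepalive Connection "" are inherited from the
        # server level; do not add proxy_set_header here.
    }

    # -------------------------------------------------------------------------
    # WebSocket endpoint (reserved)
    # -------------------------------------------------------------------------
    location /api/v1/ws {
        proxy_pass http://awoooi_api;
        # This location must set Upgrade/Connection, which discards the
        # server-level proxy_set_header set, so the forwarding headers are
        # restated in full here.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Long-lived connection (24 h).
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }

    # =========================================================================
    # Front-end routes (/)
    # =========================================================================
    location / {
        proxy_pass http://awoooi_web;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Forwarding headers and keepalive Connection "" inherited from above.
    }

    # -------------------------------------------------------------------------
    # Next.js static assets (content-hashed, safe to cache for a year)
    # -------------------------------------------------------------------------
    location /_next/static/ {
        proxy_pass http://awoooi_web;
        # NOTE: proxy_cache_valid has no effect until a proxy_cache zone is
        # configured in this file; retained so a future cache picks up the TTL.
        proxy_cache_valid 200 365d;
        add_header Cache-Control "public, max-age=31536000, immutable";
        # add_header is not additive: restate the server-level security headers.
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # =========================================================================
    # Health check (answered by nginx itself, no upstream involved)
    # =========================================================================
    location /nginx-health {
        access_log off;
        # default_type sets the Content-Type of the `return` body; the previous
        # add_header Content-Type produced a second Content-Type header instead.
        default_type text/plain;
        return 200 "OK";
        # add_header is not additive: restate the server-level security headers.
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # =========================================================================
    # Public maintenance fallback
    # =========================================================================
    # The original 502/503/504 status is preserved; only the body is replaced.
    error_page 502 503 504 /__awoooi-maintenance.html;
    location = /__awoooi-maintenance.html {
        # Reachable only via error_page, never by direct request.
        internal;
        root /var/www/maintenance;
        # If the page file itself is missing, fall back to a bare 503
        # (recursive_error_pages is off by default, so this cannot loop).
        try_files /maintenance.html =503;
        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
        add_header Retry-After "120" always;
        add_header X-AWOOOI-Fallback "local-maintenance" always;
        # add_header is not additive: restate the server-level security headers
        # so the error response keeps HSTS and the other hardening headers.
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }

    # =========================================================================
    # Logging
    # =========================================================================
    access_log /var/log/nginx/awoooi.wooo.work.access.log;
    error_log /var/log/nginx/awoooi.wooo.work.error.log warn;
}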