diff --git a/nginx/cnnl.newassetchain.io.conf b/nginx/cnnl.newassetchain.io.conf new file mode 100644 index 0000000..cede22d --- /dev/null +++ b/nginx/cnnl.newassetchain.io.conf @@ -0,0 +1,64 @@ +# NAC CNNL HTTP Service - Nginx 反向代理配置 +# 域名: cnnl.newassetchain.io +# 后端: http://localhost:8765 + +server { + listen 80; + server_name cnnl.newassetchain.io; + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl; + http2 on; + server_name cnnl.newassetchain.io; + + # 通配符证书(*.newassetchain.io,有效期至 2027-01-31) + ssl_certificate /etc/ssl/certs/_.newassetchain.io.pem; + ssl_certificate_key /etc/ssl/certs/_.newassetchain.io.key; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + # 安全头 + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Content-Type-Options nosniff always; + add_header X-Frame-Options SAMEORIGIN always; + + # 请求体大小限制(CNNL 源码最大 1MB) + client_max_body_size 2m; + + location / { + proxy_pass http://127.0.0.1:8765; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 30s; + proxy_connect_timeout 5s; + + # CORS 支持(供立法 IDE、宪法沙箱等工具调用) + add_header Access-Control-Allow-Origin * always; + add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always; + add_header Access-Control-Allow-Headers 'Content-Type, Authorization, X-Requested-With' always; + + # OPTIONS 预检请求直接返回 + if ($request_method = OPTIONS) { + return 204; + } + } + + # 健康检查端点(不记录日志) + location = /api/v1/health { + proxy_pass http://127.0.0.1:8765; + proxy_set_header Host $host; + access_log off; + } + + access_log /www/wwwlogs/cnnl.newassetchain.io.log; + error_log /www/wwwlogs/cnnl.newassetchain.io.error.log; +}