feat(nginx): 添加 cnnl.newassetchain.io 反向代理配置（HTTPS/SSL）

- 域名: cnnl.newassetchain.io - 后端: http://localhost:8765 (nac-cnnl-service) - SSL: 通配符证书 *.newassetchain.io（有效期至 2027-01-31） - HTTP → HTTPS 强制跳转 - CORS 支持（供立法 IDE、宪法沙箱调用） - 请求体限制: 2MB
2026-02-28 08:04:02 +08:00 · 2026-02-28 08:04:02 +08:00 · fccdc8d851
parent 3bab4cd957
commit fccdc8d851
1 changed files with 64 additions and 0 deletions
--- a/nginx/cnnl.newassetchain.io.conf
+++ b/nginx/cnnl.newassetchain.io.conf
@ -0,0 +1,64 @@
 # NAC CNNL HTTP Service - Nginx 反向代理配置
 # 域名: cnnl.newassetchain.io
 # 后端: http://localhost:8765
 server {
    listen 80;
    server_name cnnl.newassetchain.io;
    return 301 https://$server_name$request_uri;
 }
 server {
    listen 443 ssl;
    http2 on;
    server_name cnnl.newassetchain.io;
    # 通配符证书（*.newassetchain.io，有效期至 2027-01-31）
    ssl_certificate     /etc/ssl/certs/_.newassetchain.io.pem;
    ssl_certificate_key /etc/ssl/certs/_.newassetchain.io.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    # 安全头
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    # 请求体大小限制（CNNL 源码最大 1MB）
    client_max_body_size 2m;
    location / {
        proxy_pass         http://127.0.0.1:8765;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 30s;
        proxy_connect_timeout 5s;
        # CORS 支持（供立法 IDE、宪法沙箱等工具调用）
        add_header Access-Control-Allow-Origin  * always;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
        add_header Access-Control-Allow-Headers 'Content-Type, Authorization, X-Requested-With' always;
        # OPTIONS 预检请求直接返回
        if ($request_method = OPTIONS) {
            return 204;
        }
    }
    # 健康检查端点（不记录日志）
    location = /api/v1/health {
        proxy_pass         http://127.0.0.1:8765;
        proxy_set_header   Host $host;
        access_log off;
    }
    access_log  /www/wwwlogs/cnnl.newassetchain.io.log;
    error_log   /www/wwwlogs/cnnl.newassetchain.io.error.log;
 }